oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

move _krb5_extract_ticket to ticket.c

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24296 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-01-11 21:51:09 +00:00
parent f002e0df4c
commit c4609275b0
1 changed files with 0 additions and 473 deletions
Download Patch File Download Diff File Expand all files Collapse all files

473
lib/krb5/get_in_tkt.c
View File

@@ -38,479 +38,6 @@ RCSID("$Id$");
#undef __attribute__
#define __attribute__(x)
static krb5_error_code
check_server_referral(krb5_context context,
krb5_kdc_rep *rep,
unsigned flags,
krb5_const_principal requested,
krb5_const_principal returned,
krb5_keyblock * key)
{
krb5_error_code ret;
PA_ServerReferralData ref;
krb5_crypto session;
EncryptedData ed;
size_t len;
krb5_data data;
PA_DATA *pa;
int i = 0, cmp;
if (rep->kdc_rep.padata == NULL)
goto noreferral;
pa = krb5_find_padata(rep->kdc_rep.padata->val,
rep->kdc_rep.padata->len,
KRB5_PADATA_SERVER_REFERRAL, &i);
if (pa == NULL)
goto noreferral;
memset(&ed, 0, sizeof(ed));
memset(&ref, 0, sizeof(ref));
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&ed, &len);
if (ret)
return ret;
if (len != pa->padata_value.length) {
free_EncryptedData(&ed);
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Referral EncryptedData wrong for realm %s",
"realm"), requested->realm);
return KRB5KRB_AP_ERR_MODIFIED;
}
ret = krb5_crypto_init(context, key, 0, &session);
if (ret) {
free_EncryptedData(&ed);
return ret;
}
ret = krb5_decrypt_EncryptedData(context, session,
KRB5_KU_PA_SERVER_REFERRAL,
&ed, &data);
free_EncryptedData(&ed);
krb5_crypto_destroy(context, session);
if (ret)
return ret;
ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
if (ret) {
krb5_data_free(&data);
return ret;
}
krb5_data_free(&data);
if (strcmp(requested->realm, returned->realm) != 0) {
free_PA_ServerReferralData(&ref);
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("server ref realm mismatch, "
"requested realm %s got back %s", ""),
requested->realm, returned->realm);
return KRB5KRB_AP_ERR_MODIFIED;
}
if (returned->name.name_string.len == 2 &&
strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0)
{
const char *realm = returned->name.name_string.val[1];
if (ref.referred_realm == NULL
|| strcmp(*ref.referred_realm, realm) != 0)
{
free_PA_ServerReferralData(&ref);
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("tgt returned with wrong ref", ""));
return KRB5KRB_AP_ERR_MODIFIED;
}
} else if (krb5_principal_compare(context, returned, requested) == 0) {
free_PA_ServerReferralData(&ref);
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("req princ no same as returned", ""));
return KRB5KRB_AP_ERR_MODIFIED;
}
if (ref.requested_principal_name) {
cmp = _krb5_principal_compare_PrincipalName(context,
requested,
ref.requested_principal_name);
if (!cmp) {
free_PA_ServerReferralData(&ref);
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("referred principal not same "
"as requested", ""));
return KRB5KRB_AP_ERR_MODIFIED;
}
} else if (flags & EXTRACT_TICKET_AS_REQ) {
free_PA_ServerReferralData(&ref);
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Requested principal missing on AS-REQ", ""));
return KRB5KRB_AP_ERR_MODIFIED;
}
free_PA_ServerReferralData(&ref);
return ret;
noreferral:
if (krb5_principal_compare(context, requested, returned) == FALSE) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Not same server principal returned "
"as requested", ""));
return KRB5KRB_AP_ERR_MODIFIED;
}
return 0;
}
/*
* Verify referral data
*/
static krb5_error_code
check_client_referral(krb5_context context,
krb5_kdc_rep *rep,
krb5_const_principal requested,
krb5_const_principal mapped,
krb5_keyblock const * key)
{
krb5_error_code ret;
PA_ClientCanonicalized canon;
krb5_crypto crypto;
krb5_data data;
PA_DATA *pa;
size_t len;
int i = 0;
if (rep->kdc_rep.padata == NULL)
goto noreferral;
pa = krb5_find_padata(rep->kdc_rep.padata->val,
rep->kdc_rep.padata->len,
KRB5_PADATA_CLIENT_CANONICALIZED, &i);
if (pa == NULL)
goto noreferral;
ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
pa->padata_value.length,
&canon, &len);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to decode ClientCanonicalized "
"from realm %s", ""), requested->realm);
return ret;
}
ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
&canon.names, &len, ret);
if (ret) {
free_PA_ClientCanonicalized(&canon);
return ret;
}
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
free(data.data);
free_PA_ClientCanonicalized(&canon);
return ret;
}
ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
data.data, data.length,
&canon.canon_checksum);
krb5_crypto_destroy(context, crypto);
free(data.data);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to verify client canonicalized "
"data from realm %s", ""),
requested->realm);
free_PA_ClientCanonicalized(&canon);
return ret;
}
if (!_krb5_principal_compare_PrincipalName(context,
requested,
&canon.names.requested_name))
{
free_PA_ClientCanonicalized(&canon);
krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
N_("Requested name doesn't match"
" in client referral", ""));
return KRB5_PRINC_NOMATCH;
}
if (!_krb5_principal_compare_PrincipalName(context,
mapped,
&canon.names.mapped_name))
{
free_PA_ClientCanonicalized(&canon);
krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
N_("Mapped name doesn't match"
" in client referral", ""));
return KRB5_PRINC_NOMATCH;
}
return 0;
noreferral:
if (krb5_principal_compare(context, requested, mapped) == FALSE) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Not same client principal returned "
"as requested", ""));
return KRB5KRB_AP_ERR_MODIFIED;
}
return 0;
}
static krb5_error_code
decrypt_tkt (krb5_context context,
krb5_keyblock *key,
krb5_key_usage usage,
krb5_const_pointer decrypt_arg,
krb5_kdc_rep *dec_rep)
{
krb5_error_code ret;
krb5_data data;
size_t size;
krb5_crypto crypto;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;
ret = krb5_decrypt_EncryptedData (context,
crypto,
usage,
&dec_rep->kdc_rep.enc_part,
&data);
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
ret = decode_EncASRepPart(data.data,
data.length,
&dec_rep->enc_part,
&size);
if (ret)
ret = decode_EncTGSRepPart(data.data,
data.length,
&dec_rep->enc_part,
&size);
krb5_data_free (&data);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to decode encpart in ticket", ""));
return ret;
}
return 0;
}
int
_krb5_extract_ticket(krb5_context context,
krb5_kdc_rep *rep,
krb5_creds *creds,
krb5_keyblock *key,
krb5_const_pointer keyseed,
krb5_key_usage key_usage,
krb5_addresses *addrs,
unsigned nonce,
unsigned flags,
krb5_decrypt_proc decrypt_proc,
krb5_const_pointer decryptarg)
{
krb5_error_code ret;
krb5_principal tmp_principal;
size_t len;
time_t tmp_time;
krb5_timestamp sec_now;
/* decrypt */
if (decrypt_proc == NULL)
decrypt_proc = decrypt_tkt;
ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
if (ret)
goto out;
/* save session key */
creds->session.keyvalue.length = 0;
creds->session.keyvalue.data = NULL;
creds->session.keytype = rep->enc_part.key.keytype;
ret = krb5_data_copy (&creds->session.keyvalue,
rep->enc_part.key.keyvalue.data,
rep->enc_part.key.keyvalue.length);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
/* compare client and save */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.cname,
rep->kdc_rep.crealm);
if (ret)
goto out;
/* check client referral and save principal */
/* anonymous here ? */
if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
ret = check_client_referral(context, rep,
creds->client,
tmp_principal,
&creds->session);
if (ret) {
krb5_free_principal (context, tmp_principal);
goto out;
}
}
krb5_free_principal (context, creds->client);
creds->client = tmp_principal;
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
ret = check_server_referral(context,
rep,
flags,
creds->server,
tmp_principal,
&creds->session);
if (ret) {
krb5_free_principal (context, tmp_principal);
goto out;
}
}
krb5_free_principal(context, creds->server);
creds->server = tmp_principal;
/* verify names */
if(flags & EXTRACT_TICKET_MATCH_REALM){
const char *srealm = krb5_principal_get_realm(context, creds->server);
const char *crealm = krb5_principal_get_realm(context, creds->client);
if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
strcmp(rep->enc_part.srealm, crealm) != 0)
{
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_message(context);
goto out;
}
}
/* compare nonces */
if (nonce != rep->enc_part.nonce) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
/* set kdc-offset */
krb5_timeofday (context, &sec_now);
if (rep->enc_part.flags.initial
&& context->kdc_sec_offset == 0
&& krb5_config_get_bool (context, NULL,
"libdefaults",
"kdc_timesync",
NULL)) {
context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
krb5_timeofday (context, &sec_now);
}
/* check all times */
if (rep->enc_part.starttime) {
tmp_time = *rep->enc_part.starttime;
} else
tmp_time = rep->enc_part.authtime;
if (creds->times.starttime == 0
&& abs(tmp_time - sec_now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_set_error_message (context, ret,
N_("time skew (%d) larger than max (%d)", ""),
abs(tmp_time - sec_now),
(int)context->max_skew);
goto out;
}
if (creds->times.starttime != 0
&& tmp_time != creds->times.starttime) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MODIFIED;
goto out;
}
creds->times.starttime = tmp_time;
if (rep->enc_part.renew_till) {
tmp_time = *rep->enc_part.renew_till;
} else
tmp_time = 0;
if (creds->times.renew_till != 0
&& tmp_time > creds->times.renew_till) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MODIFIED;
goto out;
}
creds->times.renew_till = tmp_time;
creds->times.authtime = rep->enc_part.authtime;
if (creds->times.endtime != 0
&& rep->enc_part.endtime > creds->times.endtime) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MODIFIED;
goto out;
}
creds->times.endtime = rep->enc_part.endtime;
if(rep->enc_part.caddr)
krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
else if(addrs)
krb5_copy_addresses (context, addrs, &creds->addresses);
else {
creds->addresses.len = 0;
creds->addresses.val = NULL;
}
creds->flags.b = rep->enc_part.flags;
creds->authdata.len = 0;
creds->authdata.val = NULL;
/* extract ticket */
ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
&rep->kdc_rep.ticket, &len, ret);
if(ret)
goto out;
if (creds->ticket.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
creds->second_ticket.length = 0;
creds->second_ticket.data = NULL;
out:
memset (rep->enc_part.key.keyvalue.data, 0,
rep->enc_part.key.keyvalue.length);
return ret;
}
#ifndef HEIMDAL_SMALLER
static krb5_error_code