oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Implement krb5_mk_{1,n}cred

Browse Source
This commit is contained in:
Roland C. Dowdeswell
2019-10-29 19:10:40 +00:00
committed by Nico Williams
parent 2e0366b7a0
commit d81118cc1f
5 changed files with 330 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/krb5/Makefile.am
View File

@@ -195,6 +195,7 @@ dist_libkrb5_la_SOURCES = \
log.c \
mcache.c \
misc.c \
mk_cred.c \
mk_error.c \
mk_priv.c \
mk_rep.c \

2
lib/krb5/NTMakefile
View File

@@ -108,6 +108,7 @@ libkrb5_OBJS = \
$(OBJ)\mcache.obj \
$(OBJ)\misc.obj \
$(OBJ)\mit_glue.obj \
$(OBJ)\mk_cred.obj \
$(OBJ)\mk_error.obj \
$(OBJ)\mk_priv.obj \
$(OBJ)\mk_rep.obj \
@@ -274,6 +275,7 @@ dist_libkrb5_la_SOURCES = \
log.c \
mcache.c \
misc.c \
mk_cred.c \
mk_error.c \
mk_priv.c \
mk_rep.c \

2
lib/krb5/libkrb5-exports.def.in
View File

@@ -462,8 +462,10 @@ EXPORTS
krb5_make_addrport
krb5_make_principal
krb5_max_sockaddr_size
krb5_mk_1cred
krb5_mk_error
krb5_mk_error_ext
krb5_mk_ncred
krb5_mk_priv
krb5_mk_rep
krb5_mk_req

323
lib/krb5/mk_cred.c Normal file
View File

@@ -0,0 +1,323 @@
/*
* Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5_locl.h"
#define CHECKED_ALLOC(dst) do { \
if ((ALLOC(dst, 1)) == NULL) { \
ret = krb5_enomem(context); \
goto out; \
} \
} while (0)
#define CHECKED_COPY(cp_func, dst, src) do { \
if (cp_func(src, dst)) { \
ret = krb5_enomem(context); \
goto out; \
} \
} while (0)
#define CHECKED_COPY_PPC2KCI(cp_func, dst, src) \
CHECKED_COPY(cp_func, krb_cred_info->dst, &ppcreds[i]->src)
#define CHECKED_ALLOC_ASSIGN(dst, src) do { \
if ((ALLOC(dst, 1)) == NULL) { \
ret = krb5_enomem(context); \
goto out; \
} else \
*dst = src; \
} while (0)
#define CHECKED_ALLOC_ASSIGN_PPC2KCI(dst, src) \
CHECKED_ALLOC_ASSIGN(krb_cred_info->dst, ppcreds[i]->src)
#define CHECKED_ALLOC_COPY(cp_func, dst, src) do { \
if ((ALLOC(dst, 1)) == NULL || cp_func(src, dst)) { \
ret = krb5_enomem(context); \
goto out; \
} \
} while (0)
#define CHECKED_ALLOC_COPY_PPC2KCI(cp_func, dst, src) \
CHECKED_ALLOC_COPY(cp_func, krb_cred_info->dst, &ppcreds[i]->src)
/**
* Make a KRB-CRED PDU with N credentials.
*
* @param context A kerberos 5 context.
* @param auth_context The auth context with the key to encrypt the out_data.
* @param ppcreds A null-terminated array of credentials to forward.
* @param ppdata The output KRB-CRED (to be freed by caller).
* @param replay_data (unused).
*
* @return Return an error code or 0.
*
* @ingroup krb5_credential
*/
/* ARGSUSED */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
krb5_creds **ppcreds, krb5_data **ppdata,
krb5_replay_data *replay_data)
{
krb5_error_code ret;
krb5_data out_data;
ret = _krb5_mk_ncred(context, auth_context, ppcreds, &out_data,
replay_data);
if (ret == 0) {
/*
* MIT allocates the return structure for no good reason. We do
* likewise as, in this case, incompatibility is the greater evil.
*/
*ppdata = calloc(1, sizeof (*ppdata));
if (*ppdata) {
**ppdata = out_data;
} else {
krb5_data_free(&out_data);
ret = krb5_enomem(context);
}
}
return ret;
}
/* ARGSUSED */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_mk_ncred(krb5_context context,
krb5_auth_context auth_context,
krb5_creds **ppcreds,
krb5_data *out_data,
krb5_replay_data *replay_data)
{
krb5_error_code ret;
EncKrbCredPart enc_krb_cred_part;
KrbCredInfo *krb_cred_info;
krb5_crypto crypto;
KRB_CRED cred;
unsigned char *buf = NULL;
size_t ncreds, i;
size_t buf_size;
size_t len;
/*
* The ownership of 'buf' is re-assigned to a containing structure
* multiple times. We enforce an invariant, either buf is non-zero
* and we own it, or buf is zero and it is freed or some structure
* owns any storage previously allocated as 'buf'.
*/
#define CHOWN_BUF(x, buf) do { (x) = (buf); (buf) = 0; } while (0)
#define DISOWN_BUF(buf) do { free(buf); (buf) = 0; } while (0)
for (ncreds = 0; ppcreds[ncreds]; ncreds++)
;
memset (&cred, 0, sizeof(cred));
cred.pvno = 5;
cred.msg_type = krb_cred;
ALLOC_SEQ(&cred.tickets, ncreds);
if (cred.tickets.val == NULL) {
ret = krb5_enomem(context);
goto out;
}
memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
ALLOC_SEQ(&enc_krb_cred_part.ticket_info, ncreds);
if (enc_krb_cred_part.ticket_info.val == NULL) {
ret = krb5_enomem(context);
goto out;
}
for (i = 0; i < ncreds; i++) {
ret = decode_Ticket(ppcreds[i]->ticket.data,
ppcreds[i]->ticket.length,
&cred.tickets.val[i],
&len);/* don't care about len */
if (ret)
goto out;
/* fill ticket_info.val[i] */
krb_cred_info = &enc_krb_cred_part.ticket_info.val[i];
CHECKED_COPY(copy_EncryptionKey,
&krb_cred_info->key, &ppcreds[i]->session);
CHECKED_ALLOC_COPY_PPC2KCI(copy_Realm, prealm, client->realm);
CHECKED_ALLOC_COPY_PPC2KCI(copy_PrincipalName, pname, client->name);
CHECKED_ALLOC_ASSIGN_PPC2KCI(flags, flags.b);
CHECKED_ALLOC_ASSIGN_PPC2KCI(authtime, times.authtime);
CHECKED_ALLOC_ASSIGN_PPC2KCI(starttime, times.starttime);
CHECKED_ALLOC_ASSIGN_PPC2KCI(endtime, times.endtime);
CHECKED_ALLOC_ASSIGN_PPC2KCI(renew_till, times.renew_till);
CHECKED_ALLOC_COPY_PPC2KCI(copy_Realm, srealm, server->realm);
CHECKED_ALLOC_COPY_PPC2KCI(copy_PrincipalName, sname, server->name);
CHECKED_ALLOC_COPY_PPC2KCI(copy_HostAddresses, caddr, addresses);
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_timestamp sec;
int32_t usec;
krb5_us_timeofday (context, &sec, &usec);
CHECKED_ALLOC_ASSIGN(enc_krb_cred_part.timestamp, sec);
CHECKED_ALLOC_ASSIGN(enc_krb_cred_part.usec, usec);
} else {
enc_krb_cred_part.timestamp = NULL;
enc_krb_cred_part.usec = NULL;
/* XXX Er, shouldn't we set the seq nums?? */
}
/* XXX: Is this needed? */
if (auth_context->local_address && auth_context->local_port) {
ret = krb5_make_addrport(context,
&enc_krb_cred_part.s_address,
auth_context->local_address,
auth_context->local_port);
if (ret)
goto out;
}
/* XXX: Is this needed? */
if (auth_context->remote_address) {
if (auth_context->remote_port) {
/*
* XXX: Should we be checking "no-addresses" for
* the receiving realm?
*/
ret = krb5_make_addrport(context,
&enc_krb_cred_part.r_address,
auth_context->remote_address,
auth_context->remote_port);
if (ret)
goto out;
} else {
/*
* XXX Ugly, make krb5_make_addrport() handle missing port
* number (i.e., port == 0), then remove this else.
*/
CHECKED_ALLOC(enc_krb_cred_part.r_address);
ret = krb5_copy_address(context, auth_context->remote_address,
enc_krb_cred_part.r_address);
if (ret)
goto out;
}
}
/* encode EncKrbCredPart */
ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
&enc_krb_cred_part, &len, ret);
if (ret)
goto out;
/**
* Some older of the MIT gssapi library used clear-text tickets
* (warped inside AP-REQ encryption), use the krb5_auth_context
* flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
* tickets. The session key is used otherwise to encrypt the
* forwarded ticket.
*/
if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
cred.enc_part.etype = KRB5_ENCTYPE_NULL;
cred.enc_part.kvno = NULL;
CHOWN_BUF(cred.enc_part.cipher.data, buf);
cred.enc_part.cipher.length = buf_size;
} else {
/*
* Here older versions then 0.7.2 of Heimdal used the local or
* remote subkey. That is wrong, the session key should be
* used. Heimdal 0.7.2 and newer have code to try both in the
* receiving end.
*/
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret)
goto out;
ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_KRB_CRED,
buf,
len,
0,
&cred.enc_part);
DISOWN_BUF(buf);
krb5_crypto_destroy(context, crypto);
}
ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
if (ret)
goto out;
CHOWN_BUF(out_data->data, buf);
out_data->length = len;
ret = 0;
out:
free_EncKrbCredPart(&enc_krb_cred_part);
free_KRB_CRED(&cred);
free(buf);
return ret;
}
/**
* Make a KRB-CRED PDU with 1 credential.
*
* @param context A kerberos 5 context.
* @param auth_context The auth context with the key to encrypt the out_data.
* @param ppcred A credential to forward.
* @param ppdata The output KRB-CRED (to be freed by caller).
* @param replay_data (unused).
*
* @return Return an error code or 0.
*
* @ingroup krb5_credential
*/
/* ARGSUSED */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
krb5_creds *ppcred, krb5_data **ppdata,
krb5_replay_data *replay_data)
{
krb5_creds *ppcreds[2] = { ppcred, NULL };
return krb5_mk_ncred(context, auth_context, ppcreds, ppdata, replay_data);
}
/* ARGSUSED */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
krb5_creds *ppcred, krb5_data *ppdata,
krb5_replay_data *replay_data)
{
krb5_creds *ppcreds[2] = { ppcred, NULL };
return _krb5_mk_ncred(context, auth_context, ppcreds, ppdata, replay_data);
}

2
lib/krb5/version-script.map
View File

@@ -451,8 +451,10 @@ HEIMDAL_KRB5_2.0 {
krb5_make_addrport;
krb5_make_principal;
krb5_max_sockaddr_size;
krb5_mk_1cred;
krb5_mk_error;
krb5_mk_error_ext;
krb5_mk_ncred;
krb5_mk_priv;
krb5_mk_rep;
krb5_mk_req;