1 2 /* 3 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan 4 * (Royal Institute of Technology, Stockholm, Sweden). 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * 3. Neither the name of the Institute nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include "krb5_locl.h" 36 37 static krb5_error_code 38 decrypt_tkt_enc_part (krb5_context context, 39 krb5_keyblock *key, 40 EncryptedData *enc_part, 41 EncTicketPart *decr_part) 42 { 43 krb5_error_code ret; 44 krb5_data plain; 45 size_t len; 46 krb5_crypto crypto; 47 48 ret = krb5_crypto_init(context, key, 0, &crypto); 49 if (ret) 50 return ret; 51 ret = krb5_decrypt_EncryptedData (context, 52 crypto, 53 KRB5_KU_TICKET, 54 enc_part, 55 &plain); 56 krb5_crypto_destroy(context, crypto); 57 if (ret) 58 return ret; 59 60 ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len); 61 if (ret) 62 krb5_set_error_message(context, ret, 63 N_("Failed to decode encrypted " 64 "ticket part", "")); 65 krb5_data_free (&plain); 66 return ret; 67 } 68 69 static krb5_error_code 70 decrypt_authenticator (krb5_context context, 71 EncryptionKey *key, 72 EncryptedData *enc_part, 73 Authenticator *authenticator, 74 krb5_key_usage usage) 75 { 76 krb5_error_code ret; 77 krb5_data plain; 78 size_t len; 79 krb5_crypto crypto; 80 81 ret = krb5_crypto_init(context, key, 0, &crypto); 82 if (ret) 83 return ret; 84 ret = krb5_decrypt_EncryptedData (context, 85 crypto, 86 usage /* KRB5_KU_AP_REQ_AUTH */, 87 enc_part, 88 &plain); 89 /* for backwards compatibility, also try the old usage */ 90 if (ret && usage == KRB5_KU_TGS_REQ_AUTH) 91 ret = krb5_decrypt_EncryptedData (context, 92 crypto, 93 KRB5_KU_AP_REQ_AUTH, 94 enc_part, 95 &plain); 96 krb5_crypto_destroy(context, crypto); 97 if (ret) 98 return ret; 99 100 ret = decode_Authenticator(plain.data, plain.length, 101 authenticator, &len); 102 krb5_data_free (&plain); 103 return ret; 104 } 105 106 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 107 krb5_decode_ap_req(krb5_context context, 108 const krb5_data *inbuf, 109 krb5_ap_req *ap_req) 110 { 111 krb5_error_code ret; 112 size_t len; 113 ret = decode_AP_REQ(inbuf->data, inbuf->length, ap_req, &len); 114 if (ret) 115 return ret; 116 if (ap_req->pvno != 5){ 117 free_AP_REQ(ap_req); 118 krb5_clear_error_message (context); 119 return KRB5KRB_AP_ERR_BADVERSION; 120 } 121 if (ap_req->msg_type != krb_ap_req){ 122 free_AP_REQ(ap_req); 123 krb5_clear_error_message (context); 124 return KRB5KRB_AP_ERR_MSG_TYPE; 125 } 126 if (ap_req->ticket.tkt_vno != 5){ 127 free_AP_REQ(ap_req); 128 krb5_clear_error_message (context); 129 return KRB5KRB_AP_ERR_BADVERSION; 130 } 131 return 0; 132 } 133 134 static krb5_error_code 135 check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) 136 { 137 char **realms; 138 unsigned int num_realms, n; 139 krb5_error_code ret; 140 141 /* 142 * Windows 2000 and 2003 uses this inside their TGT so it's normaly 143 * not seen by others, however, samba4 joined with a Windows AD as 144 * a Domain Controller gets exposed to this. 145 */ 146 if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) 147 return 0; 148 149 if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) 150 return KRB5KDC_ERR_TRTYPE_NOSUPP; 151 152 if(enc->transited.contents.length == 0) 153 return 0; 154 155 ret = krb5_domain_x500_decode(context, enc->transited.contents, 156 &realms, &num_realms, 157 enc->crealm, 158 ticket->realm); 159 if(ret) 160 return ret; 161 ret = krb5_check_transited(context, enc->crealm, 162 ticket->realm, 163 realms, num_realms, NULL); 164 for (n = 0; n < num_realms; n++) 165 free(realms[n]); 166 free(realms); 167 return ret; 168 } 169 170 static krb5_error_code 171 find_etypelist(krb5_context context, 172 krb5_auth_context auth_context, 173 EtypeList *etypes) 174 { 175 krb5_error_code ret; 176 krb5_authdata *ad; 177 krb5_authdata adIfRelevant; 178 unsigned i; 179 180 memset(&adIfRelevant, 0, sizeof(adIfRelevant)); 181 182 etypes->len = 0; 183 etypes->val = NULL; 184 185 ad = auth_context->authenticator->authorization_data; 186 if (ad == NULL) 187 return 0; 188 189 for (i = 0; i < ad->len; i++) { 190 if (ad->val[i].ad_type == KRB5_AUTHDATA_IF_RELEVANT) { 191 ret = decode_AD_IF_RELEVANT(ad->val[i].ad_data.data, 192 ad->val[i].ad_data.length, 193 &adIfRelevant, 194 NULL); 195 if (ret) 196 return ret; 197 198 if (adIfRelevant.len == 1 && 199 adIfRelevant.val[0].ad_type == 200 KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION) { 201 break; 202 } 203 free_AD_IF_RELEVANT(&adIfRelevant); 204 adIfRelevant.len = 0; 205 } 206 } 207 208 if (adIfRelevant.len == 0) 209 return 0; 210 211 ret = decode_EtypeList(adIfRelevant.val[0].ad_data.data, 212 adIfRelevant.val[0].ad_data.length, 213 etypes, 214 NULL); 215 if (ret) 216 krb5_clear_error_message(context); 217 218 free_AD_IF_RELEVANT(&adIfRelevant); 219 220 return ret; 221 } 222 223 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 224 krb5_decrypt_ticket(krb5_context context, 225 Ticket *ticket, 226 krb5_keyblock *key, 227 EncTicketPart *out, 228 krb5_flags flags) 229 { 230 EncTicketPart t; 231 krb5_error_code ret; 232 ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t); 233 if (ret) 234 return ret; 235 236 { 237 krb5_timestamp now; 238 time_t start = t.authtime; 239 240 krb5_timeofday (context, &now); 241 if(t.starttime) 242 start = *t.starttime; 243 if(start - now > context->max_skew 244 || (t.flags.invalid 245 && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) { 246 free_EncTicketPart(&t); 247 krb5_clear_error_message (context); 248 return KRB5KRB_AP_ERR_TKT_NYV; 249 } 250 if(now - t.endtime > context->max_skew) { 251 free_EncTicketPart(&t); 252 krb5_clear_error_message (context); 253 return KRB5KRB_AP_ERR_TKT_EXPIRED; 254 } 255 256 if(!t.flags.transited_policy_checked) { 257 ret = check_transited(context, ticket, &t); 258 if(ret) { 259 free_EncTicketPart(&t); 260 return ret; 261 } 262 } 263 } 264 265 if(out) 266 *out = t; 267 else 268 free_EncTicketPart(&t); 269 return 0; 270 } 271 272 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 273 krb5_verify_authenticator_checksum(krb5_context context, 274 krb5_auth_context ac, 275 void *data, 276 size_t len) 277 { 278 krb5_error_code ret; 279 krb5_keyblock *key; 280 krb5_authenticator authenticator; 281 krb5_crypto crypto; 282 283 ret = krb5_auth_con_getauthenticator (context, 284 ac, 285 &authenticator); 286 if(ret) 287 return ret; 288 if(authenticator->cksum == NULL) { 289 krb5_free_authenticator(context, &authenticator); 290 return -17; 291 } 292 ret = krb5_auth_con_getkey(context, ac, &key); 293 if(ret) { 294 krb5_free_authenticator(context, &authenticator); 295 return ret; 296 } 297 ret = krb5_crypto_init(context, key, 0, &crypto); 298 if(ret) 299 goto out; 300 ret = krb5_verify_checksum (context, 301 crypto, 302 KRB5_KU_AP_REQ_AUTH_CKSUM, 303 data, 304 len, 305 authenticator->cksum); 306 krb5_crypto_destroy(context, crypto); 307 out: 308 krb5_free_authenticator(context, &authenticator); 309 krb5_free_keyblock(context, key); 310 return ret; 311 } 312 313 314 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 315 krb5_verify_ap_req(krb5_context context, 316 krb5_auth_context *auth_context, 317 krb5_ap_req *ap_req, 318 krb5_const_principal server, 319 krb5_keyblock *keyblock, 320 krb5_flags flags, 321 krb5_flags *ap_req_options, 322 krb5_ticket **ticket) 323 { 324 return krb5_verify_ap_req2 (context, 325 auth_context, 326 ap_req, 327 server, 328 keyblock, 329 flags, 330 ap_req_options, 331 ticket, 332 KRB5_KU_AP_REQ_AUTH); 333 } 334 335 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 336 krb5_verify_ap_req2(krb5_context context, 337 krb5_auth_context *auth_context, 338 krb5_ap_req *ap_req, 339 krb5_const_principal server, 340 krb5_keyblock *keyblock, 341 krb5_flags flags, 342 krb5_flags *ap_req_options, 343 krb5_ticket **ticket, 344 krb5_key_usage usage) 345 { 346 krb5_ticket *t; 347 krb5_auth_context ac; 348 krb5_error_code ret; 349 EtypeList etypes; 350 351 if (ticket) 352 *ticket = NULL; 353 354 if (auth_context && *auth_context) { 355 ac = *auth_context; 356 } else { 357 ret = krb5_auth_con_init (context, &ac); 358 if (ret) 359 return ret; 360 } 361 362 t = calloc(1, sizeof(*t)); 363 if (t == NULL) { 364 ret = ENOMEM; 365 krb5_clear_error_message (context); 366 goto out; 367 } 368 369 if (ap_req->ap_options.use_session_key && ac->keyblock){ 370 ret = krb5_decrypt_ticket(context, &ap_req->ticket, 371 ac->keyblock, 372 &t->ticket, 373 flags); 374 krb5_free_keyblock(context, ac->keyblock); 375 ac->keyblock = NULL; 376 }else 377 ret = krb5_decrypt_ticket(context, &ap_req->ticket, 378 keyblock, 379 &t->ticket, 380 flags); 381 382 if(ret) 383 goto out; 384 385 ret = _krb5_principalname2krb5_principal(context, 386 &t->server, 387 ap_req->ticket.sname, 388 ap_req->ticket.realm); 389 if (ret) goto out; 390 ret = _krb5_principalname2krb5_principal(context, 391 &t->client, 392 t->ticket.cname, 393 t->ticket.crealm); 394 if (ret) goto out; 395 396 ret = decrypt_authenticator (context, 397 &t->ticket.key, 398 &ap_req->authenticator, 399 ac->authenticator, 400 usage); 401 if (ret) 402 goto out; 403 404 { 405 krb5_principal p1, p2; 406 krb5_boolean res; 407 408 _krb5_principalname2krb5_principal(context, 409 &p1, 410 ac->authenticator->cname, 411 ac->authenticator->crealm); 412 _krb5_principalname2krb5_principal(context, 413 &p2, 414 t->ticket.cname, 415 t->ticket.crealm); 416 res = krb5_principal_compare (context, p1, p2); 417 krb5_free_principal (context, p1); 418 krb5_free_principal (context, p2); 419 if (!res) { 420 ret = KRB5KRB_AP_ERR_BADMATCH; 421 krb5_clear_error_message (context); 422 goto out; 423 } 424 } 425 426 /* check addresses */ 427 428 if (t->ticket.caddr 429 && ac->remote_address 430 && !krb5_address_search (context, 431 ac->remote_address, 432 t->ticket.caddr)) { 433 ret = KRB5KRB_AP_ERR_BADADDR; 434 krb5_clear_error_message (context); 435 goto out; 436 } 437 438 /* check timestamp in authenticator */ 439 { 440 krb5_timestamp now; 441 442 krb5_timeofday (context, &now); 443 444 if (abs(ac->authenticator->ctime - now) > context->max_skew) { 445 ret = KRB5KRB_AP_ERR_SKEW; 446 krb5_clear_error_message (context); 447 goto out; 448 } 449 } 450 451 if (ac->authenticator->seq_number) 452 krb5_auth_con_setremoteseqnumber(context, ac, 453 *ac->authenticator->seq_number); 454 455 /* XXX - Xor sequence numbers */ 456 457 if (ac->authenticator->subkey) { 458 ret = krb5_auth_con_setremotesubkey(context, ac, 459 ac->authenticator->subkey); 460 if (ret) 461 goto out; 462 } 463 464 ret = find_etypelist(context, ac, &etypes); 465 if (ret) 466 goto out; 467 468 ac->keytype = ETYPE_NULL; 469 470 if (etypes.val) { 471 size_t i; 472 473 for (i = 0; i < etypes.len; i++) { 474 if (krb5_enctype_valid(context, etypes.val[i]) == 0) { 475 ac->keytype = etypes.val[i]; 476 break; 477 } 478 } 479 } 480 481 /* save key */ 482 ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); 483 if (ret) goto out; 484 485 if (ap_req_options) { 486 *ap_req_options = 0; 487 if (ac->keytype != ETYPE_NULL) 488 *ap_req_options |= AP_OPTS_USE_SUBKEY; 489 if (ap_req->ap_options.use_session_key) 490 *ap_req_options |= AP_OPTS_USE_SESSION_KEY; 491 if (ap_req->ap_options.mutual_required) 492 *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; 493 } 494 495 if(ticket) 496 *ticket = t; 497 else 498 krb5_free_ticket (context, t); 499 if (auth_context) { 500 if (*auth_context == NULL) 501 *auth_context = ac; 502 } else 503 krb5_auth_con_free (context, ac); 504 free_EtypeList(&etypes); 505 return 0; 506 out: 507 if (t) 508 krb5_free_ticket (context, t); 509 if (auth_context == NULL || *auth_context == NULL) 510 krb5_auth_con_free (context, ac); 511 return ret; 512 } 513 514 /* 515 * 516 */ 517 518 struct krb5_rd_req_in_ctx_data { 519 krb5_keytab keytab; 520 krb5_keyblock *keyblock; 521 krb5_boolean check_pac; 522 }; 523 524 struct krb5_rd_req_out_ctx_data { 525 krb5_keyblock *keyblock; 526 krb5_flags ap_req_options; 527 krb5_ticket *ticket; 528 krb5_principal server; 529 }; 530 531 /** 532 * Allocate a krb5_rd_req_in_ctx as an input parameter to 533 * krb5_rd_req_ctx(). The caller should free the context with 534 * krb5_rd_req_in_ctx_free() when done with the context. 535 * 536 * @param context Keberos 5 context. 537 * @param ctx in ctx to krb5_rd_req_ctx(). 538 * 539 * @return Kerberos 5 error code, see krb5_get_error_message(). 540 * 541 * @ingroup krb5_auth 542 */ 543 544 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 545 krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx) 546 { 547 *ctx = calloc(1, sizeof(**ctx)); 548 if (*ctx == NULL) { 549 krb5_set_error_message(context, ENOMEM, 550 N_("malloc: out of memory", "")); 551 return ENOMEM; 552 } 553 (*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0; 554 return 0; 555 } 556 557 /** 558 * Set the keytab that krb5_rd_req_ctx() will use. 559 * 560 * @param context Keberos 5 context. 561 * @param in in ctx to krb5_rd_req_ctx(). 562 * @param keytab keytab that krb5_rd_req_ctx() will use, only copy the 563 * pointer, so the caller must free they keytab after 564 * krb5_rd_req_in_ctx_free() is called. 565 * 566 * @return Kerberos 5 error code, see krb5_get_error_message(). 567 * 568 * @ingroup krb5_auth 569 */ 570 571 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 572 krb5_rd_req_in_set_keytab(krb5_context context, 573 krb5_rd_req_in_ctx in, 574 krb5_keytab keytab) 575 { 576 in->keytab = keytab; 577 return 0; 578 } 579 580 /** 581 * Set if krb5_rq_red() is going to check the Windows PAC or not 582 * 583 * @param context Keberos 5 context. 584 * @param in krb5_rd_req_in_ctx to check the option on. 585 * @param flag flag to select if to check the pac (TRUE) or not (FALSE). 586 * 587 * @return Kerberos 5 error code, see krb5_get_error_message(). 588 * 589 * @ingroup krb5_auth 590 */ 591 592 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 593 krb5_rd_req_in_set_pac_check(krb5_context context, 594 krb5_rd_req_in_ctx in, 595 krb5_boolean flag) 596 { 597 in->check_pac = flag; 598 return 0; 599 } 600 601 602 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 603 krb5_rd_req_in_set_keyblock(krb5_context context, 604 krb5_rd_req_in_ctx in, 605 krb5_keyblock *keyblock) 606 { 607 in->keyblock = keyblock; /* XXX should make copy */ 608 return 0; 609 } 610 611 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 612 krb5_rd_req_out_get_ap_req_options(krb5_context context, 613 krb5_rd_req_out_ctx out, 614 krb5_flags *ap_req_options) 615 { 616 *ap_req_options = out->ap_req_options; 617 return 0; 618 } 619 620 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 621 krb5_rd_req_out_get_ticket(krb5_context context, 622 krb5_rd_req_out_ctx out, 623 krb5_ticket **ticket) 624 { 625 return krb5_copy_ticket(context, out->ticket, ticket); 626 } 627 628 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 629 krb5_rd_req_out_get_keyblock(krb5_context context, 630 krb5_rd_req_out_ctx out, 631 krb5_keyblock **keyblock) 632 { 633 return krb5_copy_keyblock(context, out->keyblock, keyblock); 634 } 635 636 /** 637 * Get the principal that was used in the request from the 638 * client. Might not match whats in the ticket if krb5_rd_req_ctx() 639 * searched in the keytab for a matching key. 640 * 641 * @param context a Kerberos 5 context. 642 * @param out a krb5_rd_req_out_ctx from krb5_rd_req_ctx(). 643 * @param principal return principal, free with krb5_free_principal(). 644 * 645 * @ingroup krb5_auth 646 */ 647 648 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 649 krb5_rd_req_out_get_server(krb5_context context, 650 krb5_rd_req_out_ctx out, 651 krb5_principal *principal) 652 { 653 return krb5_copy_principal(context, out->server, principal); 654 } 655 656 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 657 krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx) 658 { 659 free(ctx); 660 } 661 662 /** 663 * Free the krb5_rd_req_out_ctx. 664 * 665 * @param context Keberos 5 context. 666 * @param ctx krb5_rd_req_out_ctx context to free. 667 * 668 * @ingroup krb5_auth 669 */ 670 671 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 672 krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx) 673 { 674 if (ctx->ticket) 675 krb5_free_ticket(context, ctx->ticket); 676 if (ctx->keyblock) 677 krb5_free_keyblock(context, ctx->keyblock); 678 if (ctx->server) 679 krb5_free_principal(context, ctx->server); 680 free(ctx); 681 } 682 683 /* 684 * 685 */ 686 687 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 688 krb5_rd_req(krb5_context context, 689 krb5_auth_context *auth_context, 690 const krb5_data *inbuf, 691 krb5_const_principal server, 692 krb5_keytab keytab, 693 krb5_flags *ap_req_options, 694 krb5_ticket **ticket) 695 { 696 krb5_error_code ret; 697 krb5_rd_req_in_ctx in; 698 krb5_rd_req_out_ctx out; 699 700 ret = krb5_rd_req_in_ctx_alloc(context, &in); 701 if (ret) 702 return ret; 703 704 ret = krb5_rd_req_in_set_keytab(context, in, keytab); 705 if (ret) { 706 krb5_rd_req_in_ctx_free(context, in); 707 return ret; 708 } 709 710 ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); 711 krb5_rd_req_in_ctx_free(context, in); 712 if (ret) 713 return ret; 714 715 if (ap_req_options) 716 *ap_req_options = out->ap_req_options; 717 if (ticket) { 718 ret = krb5_copy_ticket(context, out->ticket, ticket); 719 if (ret) 720 goto out; 721 } 722 723 out: 724 krb5_rd_req_out_ctx_free(context, out); 725 return ret; 726 } 727 728 /* 729 * 730 */ 731 732 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 733 krb5_rd_req_with_keyblock(krb5_context context, 734 krb5_auth_context *auth_context, 735 const krb5_data *inbuf, 736 krb5_const_principal server, 737 krb5_keyblock *keyblock, 738 krb5_flags *ap_req_options, 739 krb5_ticket **ticket) 740 { 741 krb5_error_code ret; 742 krb5_rd_req_in_ctx in; 743 krb5_rd_req_out_ctx out; 744 745 ret = krb5_rd_req_in_ctx_alloc(context, &in); 746 if (ret) 747 return ret; 748 749 ret = krb5_rd_req_in_set_keyblock(context, in, keyblock); 750 if (ret) { 751 krb5_rd_req_in_ctx_free(context, in); 752 return ret; 753 } 754 755 ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); 756 krb5_rd_req_in_ctx_free(context, in); 757 if (ret) 758 return ret; 759 760 if (ap_req_options) 761 *ap_req_options = out->ap_req_options; 762 if (ticket) { 763 ret = krb5_copy_ticket(context, out->ticket, ticket); 764 if (ret) 765 goto out; 766 } 767 768 out: 769 krb5_rd_req_out_ctx_free(context, out); 770 return ret; 771 } 772 773 /* 774 * 775 */ 776 777 static krb5_error_code 778 get_key_from_keytab(krb5_context context, 779 krb5_ap_req *ap_req, 780 krb5_const_principal server, 781 krb5_keytab keytab, 782 krb5_keyblock **out_key) 783 { 784 krb5_keytab_entry entry; 785 krb5_error_code ret; 786 int kvno; 787 krb5_keytab real_keytab; 788 789 if(keytab == NULL) 790 krb5_kt_default(context, &real_keytab); 791 else 792 real_keytab = keytab; 793 794 if (ap_req->ticket.enc_part.kvno) 795 kvno = *ap_req->ticket.enc_part.kvno; 796 else 797 kvno = 0; 798 799 ret = krb5_kt_get_entry (context, 800 real_keytab, 801 server, 802 kvno, 803 ap_req->ticket.enc_part.etype, 804 &entry); 805 if(ret == 0) { 806 ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); 807 krb5_kt_free_entry(context, &entry); 808 } 809 if(keytab == NULL) 810 krb5_kt_close(context, real_keytab); 811 812 return ret; 813 } 814 815 /** 816 * The core server function that verify application authentication 817 * requests from clients. 818 * 819 * @param context Keberos 5 context. 820 * @param auth_context the authentication context, can be NULL, then 821 * default values for the authentication context will used. 822 * @param inbuf the (AP-REQ) authentication buffer 823 * 824 * @param server the server with authenticate as, if NULL the function 825 * will try to find any available credential in the keytab 826 * that will verify the reply. The function will prefer the 827 * server the server client specified in the AP-REQ, but if 828 * there is no mach, it will try all keytab entries for a 829 * match. This have serious performance issues for larger keytabs. 830 * 831 * @param inctx control the behavior of the function, if NULL, the 832 * default behavior is used. 833 * @param outctx the return outctx, free with krb5_rd_req_out_ctx_free(). 834 * @return Kerberos 5 error code, see krb5_get_error_message(). 835 * 836 * @ingroup krb5_auth 837 */ 838 839 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 840 krb5_rd_req_ctx(krb5_context context, 841 krb5_auth_context *auth_context, 842 const krb5_data *inbuf, 843 krb5_const_principal server, 844 krb5_rd_req_in_ctx inctx, 845 krb5_rd_req_out_ctx *outctx) 846 { 847 krb5_error_code ret; 848 krb5_ap_req ap_req; 849 krb5_rd_req_out_ctx o = NULL; 850 krb5_keytab id = NULL, keytab = NULL; 851 krb5_principal service = NULL; 852 853 *outctx = NULL; 854 855 o = calloc(1, sizeof(*o)); 856 if (o == NULL) { 857 krb5_set_error_message(context, ENOMEM, 858 N_("malloc: out of memory", "")); 859 return ENOMEM; 860 } 861 862 if (*auth_context == NULL) { 863 ret = krb5_auth_con_init(context, auth_context); 864 if (ret) 865 goto out; 866 } 867 868 ret = krb5_decode_ap_req(context, inbuf, &ap_req); 869 if(ret) 870 goto out; 871 872 /* Save that principal that was in the request */ 873 ret = _krb5_principalname2krb5_principal(context, 874 &o->server, 875 ap_req.ticket.sname, 876 ap_req.ticket.realm); 877 if (ret) 878 goto out; 879 880 if (ap_req.ap_options.use_session_key && 881 (*auth_context)->keyblock == NULL) { 882 ret = KRB5KRB_AP_ERR_NOKEY; 883 krb5_set_error_message(context, ret, 884 N_("krb5_rd_req: user to user auth " 885 "without session key given", "")); 886 goto out; 887 } 888 889 if (inctx && inctx->keytab) 890 id = inctx->keytab; 891 892 if((*auth_context)->keyblock){ 893 ret = krb5_copy_keyblock(context, 894 (*auth_context)->keyblock, 895 &o->keyblock); 896 if (ret) 897 goto out; 898 } else if(inctx && inctx->keyblock){ 899 ret = krb5_copy_keyblock(context, 900 inctx->keyblock, 901 &o->keyblock); 902 if (ret) 903 goto out; 904 } else { 905 906 if(id == NULL) { 907 krb5_kt_default(context, &keytab); 908 id = keytab; 909 } 910 if (id == NULL) 911 goto out; 912 913 if (server == NULL) { 914 ret = _krb5_principalname2krb5_principal(context, 915 &service, 916 ap_req.ticket.sname, 917 ap_req.ticket.realm); 918 if (ret) 919 goto out; 920 server = service; 921 } 922 923 ret = get_key_from_keytab(context, 924 &ap_req, 925 server, 926 id, 927 &o->keyblock); 928 if (ret) { 929 /* If caller specified a server, fail. */ 930 if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0) 931 goto out; 932 /* Otherwise, fall back to iterating over the keytab. This 933 * have serious performace issues for larger keytab. 934 */ 935 o->keyblock = NULL; 936 } 937 } 938 939 if (o->keyblock) { 940 /* 941 * We got an exact keymatch, use that. 942 */ 943 944 ret = krb5_verify_ap_req2(context, 945 auth_context, 946 &ap_req, 947 server, 948 o->keyblock, 949 0, 950 &o->ap_req_options, 951 &o->ticket, 952 KRB5_KU_AP_REQ_AUTH); 953 954 if (ret) 955 goto out; 956 957 } else { 958 /* 959 * Interate over keytab to find a key that can decrypt the request. 960 */ 961 962 krb5_keytab_entry entry; 963 krb5_kt_cursor cursor; 964 int done = 0, kvno = 0; 965 966 memset(&cursor, 0, sizeof(cursor)); 967 968 if (ap_req.ticket.enc_part.kvno) 969 kvno = *ap_req.ticket.enc_part.kvno; 970 971 ret = krb5_kt_start_seq_get(context, id, &cursor); 972 if (ret) 973 goto out; 974 975 done = 0; 976 while (!done) { 977 krb5_principal p; 978 979 ret = krb5_kt_next_entry(context, id, &entry, &cursor); 980 if (ret) { 981 _krb5_kt_principal_not_found(context, ret, id, o->server, 982 ap_req.ticket.enc_part.etype, 983 kvno); 984 goto out; 985 } 986 987 if (entry.keyblock.keytype != ap_req.ticket.enc_part.etype) { 988 krb5_kt_free_entry (context, &entry); 989 continue; 990 } 991 992 ret = krb5_verify_ap_req2(context, 993 auth_context, 994 &ap_req, 995 server, 996 &entry.keyblock, 997 0, 998 &o->ap_req_options, 999 &o->ticket, 1000 KRB5_KU_AP_REQ_AUTH); 1001 if (ret) { 1002 krb5_kt_free_entry (context, &entry); 1003 continue; 1004 } 1005 1006 /* 1007 * Found a match, save the keyblock for PAC processing, 1008 * and update the service principal in the ticket to match 1009 * whatever is in the keytab. 1010 */ 1011 1012 ret = krb5_copy_keyblock(context, 1013 &entry.keyblock, 1014 &o->keyblock); 1015 if (ret) { 1016 krb5_kt_free_entry (context, &entry); 1017 goto out; 1018 } 1019 1020 ret = krb5_copy_principal(context, entry.principal, &p); 1021 if (ret) { 1022 krb5_kt_free_entry (context, &entry); 1023 goto out; 1024 } 1025 krb5_free_principal(context, o->ticket->server); 1026 o->ticket->server = p; 1027 1028 krb5_kt_free_entry (context, &entry); 1029 1030 done = 1; 1031 } 1032 krb5_kt_end_seq_get (context, id, &cursor); 1033 } 1034 1035 /* If there is a PAC, verify its server signature */ 1036 if (inctx == NULL || inctx->check_pac) { 1037 krb5_pac pac; 1038 krb5_data data; 1039 1040 ret = krb5_ticket_get_authorization_data_type(context, 1041 o->ticket, 1042 KRB5_AUTHDATA_WIN2K_PAC, 1043 &data); 1044 if (ret == 0) { 1045 ret = krb5_pac_parse(context, data.data, data.length, &pac); 1046 krb5_data_free(&data); 1047 if (ret) 1048 goto out; 1049 1050 ret = krb5_pac_verify(context, 1051 pac, 1052 o->ticket->ticket.authtime, 1053 o->ticket->client, 1054 o->keyblock, 1055 NULL); 1056 krb5_pac_free(context, pac); 1057 if (ret) 1058 goto out; 1059 } else 1060 ret = 0; 1061 } 1062 out: 1063 1064 if (ret || outctx == NULL) { 1065 krb5_rd_req_out_ctx_free(context, o); 1066 } else 1067 *outctx = o; 1068 1069 free_AP_REQ(&ap_req); 1070 1071 if (service) 1072 krb5_free_principal(context, service); 1073 1074 if (keytab) 1075 krb5_kt_close(context, keytab); 1076 1077 return ret; 1078 } 1079