xref: /netbsd-src/crypto/external/bsd/heimdal/dist/lib/krb5/rd_cred.c (revision 241bea01a19bbb306af27777a870b86d41cb3fda)
1 /*	$NetBSD: rd_cred.c,v 1.3 2019/12/15 22:50:50 christos Exp $	*/
2 
3 /*
4  * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 
38 static krb5_error_code
compare_addrs(krb5_context context,krb5_address * a,krb5_address * b,const char * message)39 compare_addrs(krb5_context context,
40 	      krb5_address *a,
41 	      krb5_address *b,
42 	      const char *message)
43 {
44     char a_str[64], b_str[64];
45     size_t len;
46 
47     if(krb5_address_compare (context, a, b))
48 	return 0;
49 
50     krb5_print_address (a, a_str, sizeof(a_str), &len);
51     krb5_print_address (b, b_str, sizeof(b_str), &len);
52     krb5_set_error_message(context, KRB5KRB_AP_ERR_BADADDR,
53 			   "%s: %s != %s", message, b_str, a_str);
54     return KRB5KRB_AP_ERR_BADADDR;
55 }
56 
57 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred(krb5_context context,krb5_auth_context auth_context,krb5_data * in_data,krb5_creds *** ret_creds,krb5_replay_data * outdata)58 krb5_rd_cred(krb5_context context,
59 	     krb5_auth_context auth_context,
60 	     krb5_data *in_data,
61 	     krb5_creds ***ret_creds,
62 	     krb5_replay_data *outdata)
63 {
64     krb5_error_code ret;
65     size_t len;
66     KRB_CRED cred;
67     EncKrbCredPart enc_krb_cred_part;
68     krb5_data enc_krb_cred_part_data;
69     krb5_crypto crypto;
70     size_t i;
71 
72     memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
73     krb5_data_zero(&enc_krb_cred_part_data);
74 
75     if ((auth_context->flags &
76 	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
77 	outdata == NULL)
78 	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
79 
80     *ret_creds = NULL;
81 
82     ret = decode_KRB_CRED(in_data->data, in_data->length,
83 			  &cred, &len);
84     if(ret) {
85 	krb5_clear_error_message(context);
86 	return ret;
87     }
88 
89     if (cred.pvno != 5) {
90 	ret = KRB5KRB_AP_ERR_BADVERSION;
91 	krb5_clear_error_message (context);
92 	goto out;
93     }
94 
95     if (cred.msg_type != krb_cred) {
96 	ret = KRB5KRB_AP_ERR_MSG_TYPE;
97 	krb5_clear_error_message (context);
98 	goto out;
99     }
100 
101     if (cred.enc_part.etype == (krb5_enctype)ETYPE_NULL) {
102 	/* DK: MIT GSS-API Compatibility */
103 	enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
104 	enc_krb_cred_part_data.data   = cred.enc_part.cipher.data;
105     } else {
106 	/* Try both subkey and session key.
107 	 *
108 	 * RFC4120 claims we should use the session key, but Heimdal
109 	 * before 0.8 used the remote subkey if it was send in the
110 	 * auth_context.
111 	 */
112 
113 	if (auth_context->remote_subkey) {
114 	    ret = krb5_crypto_init(context, auth_context->remote_subkey,
115 				   0, &crypto);
116 	    if (ret)
117 		goto out;
118 
119 	    ret = krb5_decrypt_EncryptedData(context,
120 					     crypto,
121 					     KRB5_KU_KRB_CRED,
122 					     &cred.enc_part,
123 					     &enc_krb_cred_part_data);
124 
125 	    krb5_crypto_destroy(context, crypto);
126 	}
127 
128 	/*
129 	 * If there was not subkey, or we failed using subkey,
130 	 * retry using the session key
131 	 */
132 	if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
133 	{
134 
135 	    ret = krb5_crypto_init(context, auth_context->keyblock,
136 				   0, &crypto);
137 
138 	    if (ret)
139 		goto out;
140 
141 	    ret = krb5_decrypt_EncryptedData(context,
142 					     crypto,
143 					     KRB5_KU_KRB_CRED,
144 					     &cred.enc_part,
145 					     &enc_krb_cred_part_data);
146 
147 	    krb5_crypto_destroy(context, crypto);
148 	}
149 	if (ret)
150 	    goto out;
151     }
152 
153     ret = decode_EncKrbCredPart(enc_krb_cred_part_data.data,
154 				enc_krb_cred_part_data.length,
155 				&enc_krb_cred_part,
156 				&len);
157     if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data)
158 	krb5_data_free(&enc_krb_cred_part_data);
159     if (ret) {
160 	krb5_set_error_message(context, ret,
161 			       N_("Failed to decode "
162 				  "encrypte credential part", ""));
163 	goto out;
164     }
165 
166     /* check sender address */
167 
168     if (enc_krb_cred_part.s_address
169 	&& auth_context->remote_address
170 	&& auth_context->remote_port) {
171 	krb5_address *a;
172 
173 	ret = krb5_make_addrport (context, &a,
174 				  auth_context->remote_address,
175 				  auth_context->remote_port);
176 	if (ret)
177 	    goto out;
178 
179 
180 	ret = compare_addrs(context, a, enc_krb_cred_part.s_address,
181 			    N_("sender address is wrong "
182 			       "in received creds", ""));
183 	krb5_free_address(context, a);
184 	free(a);
185 	if(ret)
186 	    goto out;
187     }
188 
189     /* check receiver address */
190 
191     if (enc_krb_cred_part.r_address
192 	&& auth_context->local_address) {
193 	if(auth_context->local_port &&
194 	   enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) {
195 	    krb5_address *a;
196 	    ret = krb5_make_addrport (context, &a,
197 				      auth_context->local_address,
198 				      auth_context->local_port);
199 	    if (ret)
200 		goto out;
201 
202 	    ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
203 				N_("receiver address is wrong "
204 				   "in received creds", ""));
205 	    krb5_free_address(context, a);
206 	    free(a);
207 	    if(ret)
208 		goto out;
209 	} else {
210 	    ret = compare_addrs(context, auth_context->local_address,
211 				enc_krb_cred_part.r_address,
212 				N_("receiver address is wrong "
213 				   "in received creds", ""));
214 	    if(ret)
215 		goto out;
216 	}
217     }
218 
219     /* check timestamp */
220     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
221 	krb5_timestamp sec;
222 
223 	krb5_timeofday (context, &sec);
224 
225 	if (enc_krb_cred_part.timestamp == NULL ||
226 	    enc_krb_cred_part.usec      == NULL ||
227 	    labs(*enc_krb_cred_part.timestamp - sec)
228 	    > context->max_skew) {
229 	    krb5_clear_error_message (context);
230 	    ret = KRB5KRB_AP_ERR_SKEW;
231 	    goto out;
232 	}
233     }
234 
235     if ((auth_context->flags &
236 	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
237 	/* if these fields are not present in the cred-part, silently
238            return zero */
239 	memset(outdata, 0, sizeof(*outdata));
240 	if(enc_krb_cred_part.timestamp)
241 	    outdata->timestamp = *enc_krb_cred_part.timestamp;
242 	if(enc_krb_cred_part.usec)
243 	    outdata->usec = *enc_krb_cred_part.usec;
244 	if(enc_krb_cred_part.nonce)
245 	    outdata->seq = *enc_krb_cred_part.nonce;
246     }
247 
248     /* Convert to NULL terminated list of creds */
249 
250     *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
251 			sizeof(**ret_creds));
252 
253     if (*ret_creds == NULL) {
254 	ret = krb5_enomem(context);
255 	goto out;
256     }
257 
258     for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
259 	KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
260 	krb5_creds *creds;
261 
262 	creds = calloc(1, sizeof(*creds));
263 	if(creds == NULL) {
264 	    ret = krb5_enomem(context);
265 	    goto out;
266 	}
267 
268 	ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
269 			   &cred.tickets.val[i], &len, ret);
270 	if (ret) {
271 	    free(creds);
272 	    goto out;
273 	}
274 	if(creds->ticket.length != len)
275 	    krb5_abortx(context, "internal error in ASN.1 encoder");
276 	ret = copy_EncryptionKey (&kci->key, &creds->session);
277 	if (ret) {
278 	    krb5_free_creds(context, creds);
279 	    goto out;
280 	}
281 	if (kci->prealm && kci->pname)
282 	    _krb5_principalname2krb5_principal (context,
283 						&creds->client,
284 						*kci->pname,
285 						*kci->prealm);
286 	if (kci->flags)
287 	    creds->flags.b = *kci->flags;
288 	if (kci->authtime)
289 	    creds->times.authtime = *kci->authtime;
290 	if (kci->starttime)
291 	    creds->times.starttime = *kci->starttime;
292 	if (kci->endtime)
293 	    creds->times.endtime = *kci->endtime;
294 	if (kci->renew_till)
295 	    creds->times.renew_till = *kci->renew_till;
296 	if (kci->srealm && kci->sname)
297 	    _krb5_principalname2krb5_principal (context,
298 						&creds->server,
299 						*kci->sname,
300 						*kci->srealm);
301 	if (kci->caddr)
302 	    krb5_copy_addresses (context,
303 				 kci->caddr,
304 				 &creds->addresses);
305 
306 	(*ret_creds)[i] = creds;
307 
308     }
309     (*ret_creds)[i] = NULL;
310 
311     free_KRB_CRED (&cred);
312     free_EncKrbCredPart(&enc_krb_cred_part);
313 
314     return 0;
315 
316   out:
317     free_EncKrbCredPart(&enc_krb_cred_part);
318     free_KRB_CRED (&cred);
319     if(*ret_creds) {
320 	for(i = 0; (*ret_creds)[i]; i++)
321 	    krb5_free_creds(context, (*ret_creds)[i]);
322 	free(*ret_creds);
323 	*ret_creds = NULL;
324     }
325     return ret;
326 }
327 
328 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred2(krb5_context context,krb5_auth_context auth_context,krb5_ccache ccache,krb5_data * in_data)329 krb5_rd_cred2 (krb5_context      context,
330 	       krb5_auth_context auth_context,
331 	       krb5_ccache       ccache,
332 	       krb5_data         *in_data)
333 {
334     krb5_error_code ret;
335     krb5_creds **creds;
336     int i;
337 
338     ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL);
339     if(ret)
340 	return ret;
341 
342     /* Store the creds in the ccache */
343 
344     for(i = 0; creds && creds[i]; i++) {
345 	krb5_cc_store_cred(context, ccache, creds[i]);
346 	krb5_free_creds(context, creds[i]);
347     }
348     free(creds);
349     return 0;
350 }
351