1 /* $NetBSD: ticket.c,v 1.6 2023/06/19 21:41:45 christos Exp $ */
2
3 /*
4 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 *
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 *
21 * 3. Neither the name of the Institute nor the names of its contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38 #include "krb5_locl.h"
39
40 /**
41 * Free ticket and content
42 *
43 * @param context a Kerberos 5 context
44 * @param ticket ticket to free
45 *
46 * @return Returns 0 to indicate success. Otherwise an kerberos et
47 * error code is returned, see krb5_get_error_message().
48 *
49 * @ingroup krb5
50 */
51
52 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_ticket(krb5_context context,krb5_ticket * ticket)53 krb5_free_ticket(krb5_context context,
54 krb5_ticket *ticket)
55 {
56 free_EncTicketPart(&ticket->ticket);
57 krb5_free_principal(context, ticket->client);
58 krb5_free_principal(context, ticket->server);
59 free(ticket);
60 return 0;
61 }
62
63 /**
64 * Copy ticket and content
65 *
66 * @param context a Kerberos 5 context
67 * @param from ticket to copy
68 * @param to new copy of ticket, free with krb5_free_ticket()
69 *
70 * @return Returns 0 to indicate success. Otherwise an kerberos et
71 * error code is returned, see krb5_get_error_message().
72 *
73 * @ingroup krb5
74 */
75
76 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_ticket(krb5_context context,const krb5_ticket * from,krb5_ticket ** to)77 krb5_copy_ticket(krb5_context context,
78 const krb5_ticket *from,
79 krb5_ticket **to)
80 {
81 krb5_error_code ret;
82 krb5_ticket *tmp;
83
84 *to = NULL;
85 tmp = malloc(sizeof(*tmp));
86 if (tmp == NULL)
87 return krb5_enomem(context);
88 if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
89 free(tmp);
90 return ret;
91 }
92 ret = krb5_copy_principal(context, from->client, &tmp->client);
93 if(ret){
94 free_EncTicketPart(&tmp->ticket);
95 free(tmp);
96 return ret;
97 }
98 ret = krb5_copy_principal(context, from->server, &tmp->server);
99 if(ret){
100 krb5_free_principal(context, tmp->client);
101 free_EncTicketPart(&tmp->ticket);
102 free(tmp);
103 return ret;
104 }
105 *to = tmp;
106 return 0;
107 }
108
109 /**
110 * Return client principal in ticket
111 *
112 * @param context a Kerberos 5 context
113 * @param ticket ticket to copy
114 * @param client client principal, free with krb5_free_principal()
115 *
116 * @return Returns 0 to indicate success. Otherwise an kerberos et
117 * error code is returned, see krb5_get_error_message().
118 *
119 * @ingroup krb5
120 */
121
122 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_client(krb5_context context,const krb5_ticket * ticket,krb5_principal * client)123 krb5_ticket_get_client(krb5_context context,
124 const krb5_ticket *ticket,
125 krb5_principal *client)
126 {
127 return krb5_copy_principal(context, ticket->client, client);
128 }
129
130 /**
131 * Return server principal in ticket
132 *
133 * @param context a Kerberos 5 context
134 * @param ticket ticket to copy
135 * @param server server principal, free with krb5_free_principal()
136 *
137 * @return Returns 0 to indicate success. Otherwise an kerberos et
138 * error code is returned, see krb5_get_error_message().
139 *
140 * @ingroup krb5
141 */
142
143 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_server(krb5_context context,const krb5_ticket * ticket,krb5_principal * server)144 krb5_ticket_get_server(krb5_context context,
145 const krb5_ticket *ticket,
146 krb5_principal *server)
147 {
148 return krb5_copy_principal(context, ticket->server, server);
149 }
150
151 /**
152 * Return end time of ticket
153 *
154 * @param context a Kerberos 5 context
155 * @param ticket ticket to copy
156 *
157 * @return end time of ticket
158 *
159 * @ingroup krb5
160 */
161
162 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_ticket_get_endtime(krb5_context context,const krb5_ticket * ticket)163 krb5_ticket_get_endtime(krb5_context context,
164 const krb5_ticket *ticket)
165 {
166 return ticket->ticket.endtime;
167 }
168
169 /**
170 * Get the flags from the Kerberos ticket
171 *
172 * @param context Kerberos context
173 * @param ticket Kerberos ticket
174 *
175 * @return ticket flags
176 *
177 * @ingroup krb5_ticket
178 */
179 KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
krb5_ticket_get_flags(krb5_context context,const krb5_ticket * ticket)180 krb5_ticket_get_flags(krb5_context context,
181 const krb5_ticket *ticket)
182 {
183 return TicketFlags2int(ticket->ticket.flags);
184 }
185
186 static int
find_type_in_ad(krb5_context context,int type,krb5_data * data,krb5_boolean * found,krb5_boolean failp,krb5_keyblock * sessionkey,const AuthorizationData * ad,int level)187 find_type_in_ad(krb5_context context,
188 int type,
189 krb5_data *data,
190 krb5_boolean *found,
191 krb5_boolean failp,
192 krb5_keyblock *sessionkey,
193 const AuthorizationData *ad,
194 int level)
195 {
196 krb5_error_code ret = 0;
197 size_t i;
198
199 if (level > 9) {
200 ret = ENOENT; /* XXX */
201 krb5_set_error_message(context, ret,
202 N_("Authorization data nested deeper "
203 "then %d levels, stop searching", ""),
204 level);
205 goto out;
206 }
207
208 /*
209 * Only copy out the element the first time we get to it, we need
210 * to run over the whole authorization data fields to check if
211 * there are any container clases we need to care about.
212 */
213 for (i = 0; i < ad->len; i++) {
214 if (!*found && ad->val[i].ad_type == type) {
215 ret = der_copy_octet_string(&ad->val[i].ad_data, data);
216 if (ret) {
217 krb5_set_error_message(context, ret,
218 N_("malloc: out of memory", ""));
219 goto out;
220 }
221 *found = TRUE;
222 continue;
223 }
224 switch (ad->val[i].ad_type) {
225 case KRB5_AUTHDATA_IF_RELEVANT: {
226 AuthorizationData child;
227 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
228 ad->val[i].ad_data.length,
229 &child,
230 NULL);
231 if (ret) {
232 krb5_set_error_message(context, ret,
233 N_("Failed to decode "
234 "IF_RELEVANT with %d", ""),
235 (int)ret);
236 goto out;
237 }
238 ret = find_type_in_ad(context, type, data, found, FALSE,
239 sessionkey, &child, level + 1);
240 free_AuthorizationData(&child);
241 if (ret)
242 goto out;
243 break;
244 }
245 #if 0 /* XXX test */
246 case KRB5_AUTHDATA_KDC_ISSUED: {
247 AD_KDCIssued child;
248
249 ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
250 ad->val[i].ad_data.length,
251 &child,
252 NULL);
253 if (ret) {
254 krb5_set_error_message(context, ret,
255 N_("Failed to decode "
256 "AD_KDCIssued with %d", ""),
257 ret);
258 goto out;
259 }
260 if (failp) {
261 krb5_boolean valid;
262 krb5_data buf;
263 size_t len;
264
265 ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
266 &child.elements, &len, ret);
267 if (ret) {
268 free_AD_KDCIssued(&child);
269 krb5_clear_error_message(context);
270 goto out;
271 }
272 if(buf.length != len)
273 krb5_abortx(context, "internal error in ASN.1 encoder");
274
275 ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
276 &child.ad_checksum, &valid);
277 krb5_data_free(&buf);
278 if (ret) {
279 free_AD_KDCIssued(&child);
280 goto out;
281 }
282 if (!valid) {
283 krb5_clear_error_message(context);
284 ret = ENOENT;
285 free_AD_KDCIssued(&child);
286 goto out;
287 }
288 }
289 ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
290 &child.elements, level + 1);
291 free_AD_KDCIssued(&child);
292 if (ret)
293 goto out;
294 break;
295 }
296 #endif
297 case KRB5_AUTHDATA_AND_OR:
298 if (!failp)
299 break;
300 ret = ENOENT; /* XXX */
301 krb5_set_error_message(context, ret,
302 N_("Authorization data contains "
303 "AND-OR element that is unknown to the "
304 "application", ""));
305 goto out;
306 default:
307 if (!failp)
308 break;
309 ret = ENOENT; /* XXX */
310 krb5_set_error_message(context, ret,
311 N_("Authorization data contains "
312 "unknown type (%d) ", ""),
313 ad->val[i].ad_type);
314 goto out;
315 }
316 }
317 out:
318 if (ret) {
319 if (*found) {
320 krb5_data_free(data);
321 *found = 0;
322 }
323 }
324 return ret;
325 }
326
327 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_ad(krb5_context context,const AuthorizationData * ad,krb5_keyblock * sessionkey,int type,krb5_data * data)328 _krb5_get_ad(krb5_context context,
329 const AuthorizationData *ad,
330 krb5_keyblock *sessionkey,
331 int type,
332 krb5_data *data)
333 {
334 krb5_boolean found = FALSE;
335 krb5_error_code ret;
336
337 krb5_data_zero(data);
338
339 if (ad == NULL) {
340 krb5_set_error_message(context, ENOENT,
341 N_("No authorization data", ""));
342 return ENOENT; /* XXX */
343 }
344
345 ret = find_type_in_ad(context, type, data, &found, TRUE, sessionkey, ad, 0);
346 if (ret)
347 return ret;
348 if (!found) {
349 krb5_set_error_message(context, ENOENT,
350 N_("Have no authorization data of type %d", ""),
351 type);
352 return ENOENT; /* XXX */
353 }
354 return 0;
355 }
356
357
358 /**
359 * Extract the authorization data type of type from the ticket. Store
360 * the field in data. This function is to use for kerberos
361 * applications.
362 *
363 * @param context a Kerberos 5 context
364 * @param ticket Kerberos ticket
365 * @param type type to fetch
366 * @param data returned data, free with krb5_data_free()
367 *
368 * @ingroup krb5
369 */
370
371 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_authorization_data_type(krb5_context context,krb5_ticket * ticket,int type,krb5_data * data)372 krb5_ticket_get_authorization_data_type(krb5_context context,
373 krb5_ticket *ticket,
374 int type,
375 krb5_data *data)
376 {
377 AuthorizationData *ad;
378 krb5_error_code ret;
379 krb5_boolean found = FALSE;
380
381 krb5_data_zero(data);
382
383 ad = ticket->ticket.authorization_data;
384 if (ticket->ticket.authorization_data == NULL) {
385 krb5_set_error_message(context, ENOENT,
386 N_("Ticket have not authorization data", ""));
387 return ENOENT; /* XXX */
388 }
389
390 ret = find_type_in_ad(context, type, data, &found, TRUE,
391 &ticket->ticket.key, ad, 0);
392 if (ret)
393 return ret;
394 if (!found) {
395 krb5_set_error_message(context, ENOENT,
396 N_("Ticket have not "
397 "authorization data of type %d", ""),
398 type);
399 return ENOENT; /* XXX */
400 }
401 return 0;
402 }
403
404 static krb5_error_code
check_server_referral(krb5_context context,krb5_kdc_rep * rep,unsigned flags,krb5_const_principal requested,krb5_const_principal returned,krb5_keyblock * key)405 check_server_referral(krb5_context context,
406 krb5_kdc_rep *rep,
407 unsigned flags,
408 krb5_const_principal requested,
409 krb5_const_principal returned,
410 krb5_keyblock * key)
411 {
412 krb5_error_code ret;
413 PA_ServerReferralData ref;
414 krb5_crypto session;
415 EncryptedData ed;
416 size_t len;
417 krb5_data data;
418 PA_DATA *pa;
419 int i = 0, cmp;
420
421 if (rep->kdc_rep.padata == NULL)
422 goto noreferral;
423
424 pa = krb5_find_padata(rep->kdc_rep.padata->val,
425 rep->kdc_rep.padata->len,
426 KRB5_PADATA_SERVER_REFERRAL, &i);
427 if (pa == NULL)
428 goto noreferral;
429
430 memset(&ed, 0, sizeof(ed));
431 memset(&ref, 0, sizeof(ref));
432
433 ret = decode_EncryptedData(pa->padata_value.data,
434 pa->padata_value.length,
435 &ed, &len);
436 if (ret)
437 return ret;
438 if (len != pa->padata_value.length) {
439 free_EncryptedData(&ed);
440 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
441 N_("Referral EncryptedData wrong for realm %s",
442 "realm"), requested->realm);
443 return KRB5KRB_AP_ERR_MODIFIED;
444 }
445
446 ret = krb5_crypto_init(context, key, 0, &session);
447 if (ret) {
448 free_EncryptedData(&ed);
449 return ret;
450 }
451
452 ret = krb5_decrypt_EncryptedData(context, session,
453 KRB5_KU_PA_SERVER_REFERRAL,
454 &ed, &data);
455 free_EncryptedData(&ed);
456 krb5_crypto_destroy(context, session);
457 if (ret)
458 return ret;
459
460 ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
461 if (ret) {
462 krb5_data_free(&data);
463 return ret;
464 }
465 krb5_data_free(&data);
466
467 if (strcmp(requested->realm, returned->realm) != 0) {
468 free_PA_ServerReferralData(&ref);
469 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
470 N_("server ref realm mismatch, "
471 "requested realm %s got back %s", ""),
472 requested->realm, returned->realm);
473 return KRB5KRB_AP_ERR_MODIFIED;
474 }
475
476 if (krb5_principal_is_krbtgt(context, returned)) {
477 const char *realm = returned->name.name_string.val[1];
478
479 if (ref.referred_realm == NULL
480 || strcmp(*ref.referred_realm, realm) != 0)
481 {
482 free_PA_ServerReferralData(&ref);
483 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
484 N_("tgt returned with wrong ref", ""));
485 return KRB5KRB_AP_ERR_MODIFIED;
486 }
487 } else if (krb5_principal_compare(context, returned, requested) == 0) {
488 free_PA_ServerReferralData(&ref);
489 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
490 N_("req princ no same as returned", ""));
491 return KRB5KRB_AP_ERR_MODIFIED;
492 }
493
494 if (ref.requested_principal_name) {
495 cmp = _krb5_principal_compare_PrincipalName(context,
496 requested,
497 ref.requested_principal_name);
498 if (!cmp) {
499 free_PA_ServerReferralData(&ref);
500 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
501 N_("referred principal not same "
502 "as requested", ""));
503 return KRB5KRB_AP_ERR_MODIFIED;
504 }
505 } else if (flags & EXTRACT_TICKET_AS_REQ) {
506 free_PA_ServerReferralData(&ref);
507 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
508 N_("Requested principal missing on AS-REQ", ""));
509 return KRB5KRB_AP_ERR_MODIFIED;
510 }
511
512 free_PA_ServerReferralData(&ref);
513
514 return ret;
515 noreferral:
516 /*
517 * Expect excact match or that we got a krbtgt
518 */
519 if (krb5_principal_compare(context, requested, returned) != TRUE &&
520 (krb5_realm_compare(context, requested, returned) != TRUE &&
521 krb5_principal_is_krbtgt(context, returned) != TRUE))
522 {
523 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
524 N_("Not same server principal returned "
525 "as requested", ""));
526 return KRB5KRB_AP_ERR_MODIFIED;
527 }
528 return 0;
529 }
530
531 /*
532 * Verify KDC supported anonymous if requested
533 */
534 static krb5_error_code
check_client_anonymous(krb5_context context,krb5_kdc_rep * rep,krb5_const_principal requested,krb5_const_principal mapped,krb5_boolean is_tgs_rep)535 check_client_anonymous(krb5_context context,
536 krb5_kdc_rep *rep,
537 krb5_const_principal requested,
538 krb5_const_principal mapped,
539 krb5_boolean is_tgs_rep)
540 {
541 int flags;
542
543 if (!rep->enc_part.flags.anonymous)
544 return KRB5KDC_ERR_BADOPTION;
545
546 /*
547 * Here we must validate that the AS returned a ticket of the expected type
548 * for either a fully anonymous request, or authenticated request for an
549 * anonymous ticket. If this is a TGS request, we're done. Then if the
550 * 'requested' principal was anonymous, we'll check the 'mapped' principal
551 * accordingly (without enforcing the name type and perhaps the realm).
552 * Finally, if the 'requested' principal was not anonymous, well check
553 * that the 'mapped' principal has an anonymous name and type, in a
554 * non-anonymous realm. (Should we also be checking for a realm match
555 * between the request and the mapped name in this case?)
556 */
557 if (is_tgs_rep)
558 flags = KRB5_ANON_MATCH_ANY_NONT;
559 else if (krb5_principal_is_anonymous(context, requested,
560 KRB5_ANON_MATCH_ANY_NONT))
561 flags = KRB5_ANON_MATCH_UNAUTHENTICATED | KRB5_ANON_IGNORE_NAME_TYPE;
562 else
563 flags = KRB5_ANON_MATCH_AUTHENTICATED;
564
565 if (!krb5_principal_is_anonymous(context, mapped, flags))
566 return KRB5KRB_AP_ERR_MODIFIED;
567
568 return 0;
569 }
570
571 /*
572 * Verify returned client principal name in anonymous/referral case
573 */
574
575 static krb5_error_code
check_client_mismatch(krb5_context context,krb5_kdc_rep * rep,krb5_const_principal requested,krb5_const_principal mapped,krb5_keyblock const * key)576 check_client_mismatch(krb5_context context,
577 krb5_kdc_rep *rep,
578 krb5_const_principal requested,
579 krb5_const_principal mapped,
580 krb5_keyblock const * key)
581 {
582 if (rep->enc_part.flags.anonymous) {
583 if (!krb5_principal_is_anonymous(context, mapped,
584 KRB5_ANON_MATCH_ANY_NONT)) {
585 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
586 N_("Anonymous ticket does not contain anonymous "
587 "principal", ""));
588 return KRB5KRB_AP_ERR_MODIFIED;
589 }
590 } else {
591 if (krb5_principal_compare(context, requested, mapped) == FALSE &&
592 !rep->enc_part.flags.enc_pa_rep) {
593 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
594 N_("Not same client principal returned "
595 "as requested", ""));
596 return KRB5KRB_AP_ERR_MODIFIED;
597 }
598 }
599
600 return 0;
601 }
602
603
604 static krb5_error_code KRB5_CALLCONV
decrypt_tkt(krb5_context context,krb5_keyblock * key,krb5_key_usage usage,krb5_const_pointer decrypt_arg,krb5_kdc_rep * dec_rep)605 decrypt_tkt (krb5_context context,
606 krb5_keyblock *key,
607 krb5_key_usage usage,
608 krb5_const_pointer decrypt_arg,
609 krb5_kdc_rep *dec_rep)
610 {
611 krb5_error_code ret;
612 krb5_data data;
613 size_t size;
614 krb5_crypto crypto;
615
616 ret = krb5_crypto_init(context, key, 0, &crypto);
617 if (ret)
618 return ret;
619
620 ret = krb5_decrypt_EncryptedData (context,
621 crypto,
622 usage,
623 &dec_rep->kdc_rep.enc_part,
624 &data);
625 krb5_crypto_destroy(context, crypto);
626
627 if (ret)
628 return ret;
629
630 ret = decode_EncASRepPart(data.data,
631 data.length,
632 &dec_rep->enc_part,
633 &size);
634 if (ret)
635 ret = decode_EncTGSRepPart(data.data,
636 data.length,
637 &dec_rep->enc_part,
638 &size);
639 krb5_data_free (&data);
640 if (ret) {
641 krb5_set_error_message(context, ret,
642 N_("Failed to decode encpart in ticket", ""));
643 return ret;
644 }
645 return 0;
646 }
647
648 KRB5_LIB_FUNCTION int KRB5_LIB_CALL
_krb5_extract_ticket(krb5_context context,krb5_kdc_rep * rep,krb5_creds * creds,krb5_keyblock * key,krb5_const_pointer keyseed,krb5_key_usage key_usage,krb5_addresses * addrs,unsigned nonce,unsigned flags,krb5_data * request,krb5_decrypt_proc decrypt_proc,krb5_const_pointer decryptarg)649 _krb5_extract_ticket(krb5_context context,
650 krb5_kdc_rep *rep,
651 krb5_creds *creds,
652 krb5_keyblock *key,
653 krb5_const_pointer keyseed,
654 krb5_key_usage key_usage,
655 krb5_addresses *addrs,
656 unsigned nonce,
657 unsigned flags,
658 krb5_data *request,
659 krb5_decrypt_proc decrypt_proc,
660 krb5_const_pointer decryptarg)
661 {
662 krb5_error_code ret;
663 krb5_principal tmp_principal;
664 size_t len = 0;
665 time_t tmp_time;
666 krb5_timestamp sec_now;
667
668 /* decrypt */
669
670 if (decrypt_proc == NULL)
671 decrypt_proc = decrypt_tkt;
672
673 ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
674 if (ret)
675 goto out;
676
677 if (rep->enc_part.flags.enc_pa_rep && request) {
678 krb5_crypto crypto = NULL;
679 Checksum cksum;
680 PA_DATA *pa = NULL;
681 int idx = 0;
682
683 _krb5_debug(context, 5, "processing enc-ap-rep");
684
685 if (rep->enc_part.encrypted_pa_data == NULL ||
686 (pa = krb5_find_padata(rep->enc_part.encrypted_pa_data->val,
687 rep->enc_part.encrypted_pa_data->len,
688 KRB5_PADATA_REQ_ENC_PA_REP,
689 &idx)) == NULL)
690 {
691 _krb5_debug(context, 5, "KRB5_PADATA_REQ_ENC_PA_REP missing");
692 ret = KRB5KRB_AP_ERR_MODIFIED;
693 goto out;
694 }
695
696 ret = krb5_crypto_init(context, key, 0, &crypto);
697 if (ret)
698 goto out;
699
700 ret = decode_Checksum(pa->padata_value.data,
701 pa->padata_value.length,
702 &cksum, NULL);
703 if (ret) {
704 krb5_crypto_destroy(context, crypto);
705 goto out;
706 }
707
708 ret = krb5_verify_checksum(context, crypto,
709 KRB5_KU_AS_REQ,
710 request->data, request->length,
711 &cksum);
712 krb5_crypto_destroy(context, crypto);
713 free_Checksum(&cksum);
714 _krb5_debug(context, 5, "enc-ap-rep: %svalid", (ret == 0) ? "" : "in");
715 if (ret)
716 goto out;
717 }
718
719 /* save session key */
720
721 creds->session.keyvalue.length = 0;
722 creds->session.keyvalue.data = NULL;
723 creds->session.keytype = rep->enc_part.key.keytype;
724 ret = krb5_data_copy (&creds->session.keyvalue,
725 rep->enc_part.key.keyvalue.data,
726 rep->enc_part.key.keyvalue.length);
727 if (ret) {
728 krb5_clear_error_message(context);
729 goto out;
730 }
731
732 /* compare client and save */
733 ret = _krb5_principalname2krb5_principal(context,
734 &tmp_principal,
735 rep->kdc_rep.cname,
736 rep->kdc_rep.crealm);
737 if (ret)
738 goto out;
739
740 /* check KDC supported anonymous if it was requested */
741 if (flags & EXTRACT_TICKET_MATCH_ANON) {
742 ret = check_client_anonymous(context,rep,
743 creds->client,
744 tmp_principal,
745 request == NULL); /* is TGS */
746 if (ret) {
747 krb5_free_principal(context, tmp_principal);
748 goto out;
749 }
750 }
751
752 /* check client referral and save principal */
753 if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
754 ret = check_client_mismatch(context, rep,
755 creds->client,
756 tmp_principal,
757 &creds->session);
758 if (ret) {
759 krb5_free_principal (context, tmp_principal);
760 goto out;
761 }
762 }
763 krb5_free_principal (context, creds->client);
764 creds->client = tmp_principal;
765
766 /* check server referral and save principal */
767 ret = _krb5_principalname2krb5_principal (context,
768 &tmp_principal,
769 rep->enc_part.sname,
770 rep->enc_part.srealm);
771 if (ret)
772 goto out;
773 if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
774 ret = check_server_referral(context,
775 rep,
776 flags,
777 creds->server,
778 tmp_principal,
779 &creds->session);
780 if (ret) {
781 krb5_free_principal (context, tmp_principal);
782 goto out;
783 }
784 }
785 krb5_free_principal(context, creds->server);
786 creds->server = tmp_principal;
787
788 /* verify names */
789 if(flags & EXTRACT_TICKET_MATCH_REALM){
790 const char *srealm = krb5_principal_get_realm(context, creds->server);
791 const char *crealm = krb5_principal_get_realm(context, creds->client);
792
793 if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
794 strcmp(rep->enc_part.srealm, crealm) != 0)
795 {
796 ret = KRB5KRB_AP_ERR_MODIFIED;
797 krb5_clear_error_message(context);
798 goto out;
799 }
800 }
801
802 /* compare nonces */
803
804 if (nonce != (unsigned)rep->enc_part.nonce) {
805 ret = KRB5KRB_AP_ERR_MODIFIED;
806 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
807 goto out;
808 }
809
810 /* set kdc-offset */
811
812 krb5_timeofday (context, &sec_now);
813 if (rep->enc_part.flags.initial
814 && (flags & EXTRACT_TICKET_TIMESYNC)
815 && context->kdc_sec_offset == 0
816 && krb5_config_get_bool (context, NULL,
817 "libdefaults",
818 "kdc_timesync",
819 NULL)) {
820 context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
821 krb5_timeofday (context, &sec_now);
822 }
823
824 /* check all times */
825
826 if (rep->enc_part.starttime) {
827 tmp_time = *rep->enc_part.starttime;
828 } else
829 tmp_time = rep->enc_part.authtime;
830
831 if (creds->times.starttime == 0
832 && labs(tmp_time - sec_now) > context->max_skew) {
833 ret = KRB5KRB_AP_ERR_SKEW;
834 krb5_set_error_message (context, ret,
835 N_("time skew (%ld) larger than max (%ld)", ""),
836 labs(tmp_time - sec_now),
837 (long)context->max_skew);
838 goto out;
839 }
840
841 if (creds->times.starttime != 0
842 && tmp_time != creds->times.starttime) {
843 krb5_clear_error_message (context);
844 ret = KRB5KRB_AP_ERR_MODIFIED;
845 goto out;
846 }
847
848 creds->times.starttime = tmp_time;
849
850 if (rep->enc_part.renew_till) {
851 tmp_time = *rep->enc_part.renew_till;
852 } else
853 tmp_time = 0;
854
855 if (creds->times.renew_till != 0
856 && tmp_time > creds->times.renew_till) {
857 krb5_clear_error_message (context);
858 ret = KRB5KRB_AP_ERR_MODIFIED;
859 goto out;
860 }
861
862 creds->times.renew_till = tmp_time;
863
864 creds->times.authtime = rep->enc_part.authtime;
865
866 if (creds->times.endtime != 0
867 && rep->enc_part.endtime > creds->times.endtime) {
868 krb5_clear_error_message (context);
869 ret = KRB5KRB_AP_ERR_MODIFIED;
870 goto out;
871 }
872
873 creds->times.endtime = rep->enc_part.endtime;
874
875 if(rep->enc_part.caddr)
876 krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
877 else if(addrs)
878 krb5_copy_addresses (context, addrs, &creds->addresses);
879 else {
880 creds->addresses.len = 0;
881 creds->addresses.val = NULL;
882 }
883 creds->flags.b = rep->enc_part.flags;
884
885 creds->authdata.len = 0;
886 creds->authdata.val = NULL;
887
888 /* extract ticket */
889 ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
890 &rep->kdc_rep.ticket, &len, ret);
891 if(ret)
892 goto out;
893 if (creds->ticket.length != len)
894 krb5_abortx(context, "internal error in ASN.1 encoder");
895 creds->second_ticket.length = 0;
896 creds->second_ticket.data = NULL;
897
898
899 out:
900 memset (rep->enc_part.key.keyvalue.data, 0,
901 rep->enc_part.key.keyvalue.length);
902 return ret;
903 }
904