1 /* $NetBSD: rd_req.c,v 1.1.1.2 2014/04/24 12:45:51 pettai Exp $ */ 2 3 4 /* 5 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan 6 * (Royal Institute of Technology, Stockholm, Sweden). 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 20 * 3. Neither the name of the Institute nor the names of its contributors 21 * may be used to endorse or promote products derived from this software 22 * without specific prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37 #include "krb5_locl.h" 38 39 static krb5_error_code 40 decrypt_tkt_enc_part (krb5_context context, 41 krb5_keyblock *key, 42 EncryptedData *enc_part, 43 EncTicketPart *decr_part) 44 { 45 krb5_error_code ret; 46 krb5_data plain; 47 size_t len; 48 krb5_crypto crypto; 49 50 ret = krb5_crypto_init(context, key, 0, &crypto); 51 if (ret) 52 return ret; 53 ret = krb5_decrypt_EncryptedData (context, 54 crypto, 55 KRB5_KU_TICKET, 56 enc_part, 57 &plain); 58 krb5_crypto_destroy(context, crypto); 59 if (ret) 60 return ret; 61 62 ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len); 63 if (ret) 64 krb5_set_error_message(context, ret, 65 N_("Failed to decode encrypted " 66 "ticket part", "")); 67 krb5_data_free (&plain); 68 return ret; 69 } 70 71 static krb5_error_code 72 decrypt_authenticator (krb5_context context, 73 EncryptionKey *key, 74 EncryptedData *enc_part, 75 Authenticator *authenticator, 76 krb5_key_usage usage) 77 { 78 krb5_error_code ret; 79 krb5_data plain; 80 size_t len; 81 krb5_crypto crypto; 82 83 ret = krb5_crypto_init(context, key, 0, &crypto); 84 if (ret) 85 return ret; 86 ret = krb5_decrypt_EncryptedData (context, 87 crypto, 88 usage /* KRB5_KU_AP_REQ_AUTH */, 89 enc_part, 90 &plain); 91 /* for backwards compatibility, also try the old usage */ 92 if (ret && usage == KRB5_KU_TGS_REQ_AUTH) 93 ret = krb5_decrypt_EncryptedData (context, 94 crypto, 95 KRB5_KU_AP_REQ_AUTH, 96 enc_part, 97 &plain); 98 krb5_crypto_destroy(context, crypto); 99 if (ret) 100 return ret; 101 102 ret = decode_Authenticator(plain.data, plain.length, 103 authenticator, &len); 104 krb5_data_free (&plain); 105 return ret; 106 } 107 108 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 109 krb5_decode_ap_req(krb5_context context, 110 const krb5_data *inbuf, 111 krb5_ap_req *ap_req) 112 { 113 krb5_error_code ret; 114 size_t len; 115 ret = decode_AP_REQ(inbuf->data, inbuf->length, ap_req, &len); 116 if (ret) 117 return ret; 118 if (ap_req->pvno != 5){ 119 free_AP_REQ(ap_req); 120 krb5_clear_error_message (context); 121 return KRB5KRB_AP_ERR_BADVERSION; 122 } 123 if (ap_req->msg_type != krb_ap_req){ 124 free_AP_REQ(ap_req); 125 krb5_clear_error_message (context); 126 return KRB5KRB_AP_ERR_MSG_TYPE; 127 } 128 if (ap_req->ticket.tkt_vno != 5){ 129 free_AP_REQ(ap_req); 130 krb5_clear_error_message (context); 131 return KRB5KRB_AP_ERR_BADVERSION; 132 } 133 return 0; 134 } 135 136 static krb5_error_code 137 check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) 138 { 139 char **realms; 140 unsigned int num_realms, n; 141 krb5_error_code ret; 142 143 /* 144 * Windows 2000 and 2003 uses this inside their TGT so it's normaly 145 * not seen by others, however, samba4 joined with a Windows AD as 146 * a Domain Controller gets exposed to this. 147 */ 148 if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) 149 return 0; 150 151 if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) 152 return KRB5KDC_ERR_TRTYPE_NOSUPP; 153 154 if(enc->transited.contents.length == 0) 155 return 0; 156 157 ret = krb5_domain_x500_decode(context, enc->transited.contents, 158 &realms, &num_realms, 159 enc->crealm, 160 ticket->realm); 161 if(ret) 162 return ret; 163 ret = krb5_check_transited(context, enc->crealm, 164 ticket->realm, 165 realms, num_realms, NULL); 166 for (n = 0; n < num_realms; n++) 167 free(realms[n]); 168 free(realms); 169 return ret; 170 } 171 172 static krb5_error_code 173 find_etypelist(krb5_context context, 174 krb5_auth_context auth_context, 175 EtypeList *etypes) 176 { 177 krb5_error_code ret; 178 krb5_authdata *ad; 179 krb5_authdata adIfRelevant; 180 unsigned i; 181 182 memset(&adIfRelevant, 0, sizeof(adIfRelevant)); 183 184 etypes->len = 0; 185 etypes->val = NULL; 186 187 ad = auth_context->authenticator->authorization_data; 188 if (ad == NULL) 189 return 0; 190 191 for (i = 0; i < ad->len; i++) { 192 if (ad->val[i].ad_type == KRB5_AUTHDATA_IF_RELEVANT) { 193 ret = decode_AD_IF_RELEVANT(ad->val[i].ad_data.data, 194 ad->val[i].ad_data.length, 195 &adIfRelevant, 196 NULL); 197 if (ret) 198 return ret; 199 200 if (adIfRelevant.len == 1 && 201 adIfRelevant.val[0].ad_type == 202 KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION) { 203 break; 204 } 205 free_AD_IF_RELEVANT(&adIfRelevant); 206 adIfRelevant.len = 0; 207 } 208 } 209 210 if (adIfRelevant.len == 0) 211 return 0; 212 213 ret = decode_EtypeList(adIfRelevant.val[0].ad_data.data, 214 adIfRelevant.val[0].ad_data.length, 215 etypes, 216 NULL); 217 if (ret) 218 krb5_clear_error_message(context); 219 220 free_AD_IF_RELEVANT(&adIfRelevant); 221 222 return ret; 223 } 224 225 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 226 krb5_decrypt_ticket(krb5_context context, 227 Ticket *ticket, 228 krb5_keyblock *key, 229 EncTicketPart *out, 230 krb5_flags flags) 231 { 232 EncTicketPart t; 233 krb5_error_code ret; 234 ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t); 235 if (ret) 236 return ret; 237 238 { 239 krb5_timestamp now; 240 time_t start = t.authtime; 241 242 krb5_timeofday (context, &now); 243 if(t.starttime) 244 start = *t.starttime; 245 if(start - now > context->max_skew 246 || (t.flags.invalid 247 && !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) { 248 free_EncTicketPart(&t); 249 krb5_clear_error_message (context); 250 return KRB5KRB_AP_ERR_TKT_NYV; 251 } 252 if(now - t.endtime > context->max_skew) { 253 free_EncTicketPart(&t); 254 krb5_clear_error_message (context); 255 return KRB5KRB_AP_ERR_TKT_EXPIRED; 256 } 257 258 if(!t.flags.transited_policy_checked) { 259 ret = check_transited(context, ticket, &t); 260 if(ret) { 261 free_EncTicketPart(&t); 262 return ret; 263 } 264 } 265 } 266 267 if(out) 268 *out = t; 269 else 270 free_EncTicketPart(&t); 271 return 0; 272 } 273 274 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 275 krb5_verify_authenticator_checksum(krb5_context context, 276 krb5_auth_context ac, 277 void *data, 278 size_t len) 279 { 280 krb5_error_code ret; 281 krb5_keyblock *key; 282 krb5_authenticator authenticator; 283 krb5_crypto crypto; 284 285 ret = krb5_auth_con_getauthenticator (context, 286 ac, 287 &authenticator); 288 if(ret) 289 return ret; 290 if(authenticator->cksum == NULL) { 291 krb5_free_authenticator(context, &authenticator); 292 return -17; 293 } 294 ret = krb5_auth_con_getkey(context, ac, &key); 295 if(ret) { 296 krb5_free_authenticator(context, &authenticator); 297 return ret; 298 } 299 ret = krb5_crypto_init(context, key, 0, &crypto); 300 if(ret) 301 goto out; 302 ret = krb5_verify_checksum (context, 303 crypto, 304 KRB5_KU_AP_REQ_AUTH_CKSUM, 305 data, 306 len, 307 authenticator->cksum); 308 krb5_crypto_destroy(context, crypto); 309 out: 310 krb5_free_authenticator(context, &authenticator); 311 krb5_free_keyblock(context, key); 312 return ret; 313 } 314 315 316 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 317 krb5_verify_ap_req(krb5_context context, 318 krb5_auth_context *auth_context, 319 krb5_ap_req *ap_req, 320 krb5_const_principal server, 321 krb5_keyblock *keyblock, 322 krb5_flags flags, 323 krb5_flags *ap_req_options, 324 krb5_ticket **ticket) 325 { 326 return krb5_verify_ap_req2 (context, 327 auth_context, 328 ap_req, 329 server, 330 keyblock, 331 flags, 332 ap_req_options, 333 ticket, 334 KRB5_KU_AP_REQ_AUTH); 335 } 336 337 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 338 krb5_verify_ap_req2(krb5_context context, 339 krb5_auth_context *auth_context, 340 krb5_ap_req *ap_req, 341 krb5_const_principal server, 342 krb5_keyblock *keyblock, 343 krb5_flags flags, 344 krb5_flags *ap_req_options, 345 krb5_ticket **ticket, 346 krb5_key_usage usage) 347 { 348 krb5_ticket *t; 349 krb5_auth_context ac; 350 krb5_error_code ret; 351 EtypeList etypes; 352 353 if (ticket) 354 *ticket = NULL; 355 356 if (auth_context && *auth_context) { 357 ac = *auth_context; 358 } else { 359 ret = krb5_auth_con_init (context, &ac); 360 if (ret) 361 return ret; 362 } 363 364 t = calloc(1, sizeof(*t)); 365 if (t == NULL) { 366 ret = ENOMEM; 367 krb5_clear_error_message (context); 368 goto out; 369 } 370 371 if (ap_req->ap_options.use_session_key && ac->keyblock){ 372 ret = krb5_decrypt_ticket(context, &ap_req->ticket, 373 ac->keyblock, 374 &t->ticket, 375 flags); 376 krb5_free_keyblock(context, ac->keyblock); 377 ac->keyblock = NULL; 378 }else 379 ret = krb5_decrypt_ticket(context, &ap_req->ticket, 380 keyblock, 381 &t->ticket, 382 flags); 383 384 if(ret) 385 goto out; 386 387 ret = _krb5_principalname2krb5_principal(context, 388 &t->server, 389 ap_req->ticket.sname, 390 ap_req->ticket.realm); 391 if (ret) goto out; 392 ret = _krb5_principalname2krb5_principal(context, 393 &t->client, 394 t->ticket.cname, 395 t->ticket.crealm); 396 if (ret) goto out; 397 398 ret = decrypt_authenticator (context, 399 &t->ticket.key, 400 &ap_req->authenticator, 401 ac->authenticator, 402 usage); 403 if (ret) 404 goto out; 405 406 { 407 krb5_principal p1, p2; 408 krb5_boolean res; 409 410 _krb5_principalname2krb5_principal(context, 411 &p1, 412 ac->authenticator->cname, 413 ac->authenticator->crealm); 414 _krb5_principalname2krb5_principal(context, 415 &p2, 416 t->ticket.cname, 417 t->ticket.crealm); 418 res = krb5_principal_compare (context, p1, p2); 419 krb5_free_principal (context, p1); 420 krb5_free_principal (context, p2); 421 if (!res) { 422 ret = KRB5KRB_AP_ERR_BADMATCH; 423 krb5_clear_error_message (context); 424 goto out; 425 } 426 } 427 428 /* check addresses */ 429 430 if (t->ticket.caddr 431 && ac->remote_address 432 && !krb5_address_search (context, 433 ac->remote_address, 434 t->ticket.caddr)) { 435 ret = KRB5KRB_AP_ERR_BADADDR; 436 krb5_clear_error_message (context); 437 goto out; 438 } 439 440 /* check timestamp in authenticator */ 441 { 442 krb5_timestamp now; 443 444 krb5_timeofday (context, &now); 445 446 if (abs(ac->authenticator->ctime - now) > context->max_skew) { 447 ret = KRB5KRB_AP_ERR_SKEW; 448 krb5_clear_error_message (context); 449 goto out; 450 } 451 } 452 453 if (ac->authenticator->seq_number) 454 krb5_auth_con_setremoteseqnumber(context, ac, 455 *ac->authenticator->seq_number); 456 457 /* XXX - Xor sequence numbers */ 458 459 if (ac->authenticator->subkey) { 460 ret = krb5_auth_con_setremotesubkey(context, ac, 461 ac->authenticator->subkey); 462 if (ret) 463 goto out; 464 } 465 466 ret = find_etypelist(context, ac, &etypes); 467 if (ret) 468 goto out; 469 470 ac->keytype = ETYPE_NULL; 471 472 if (etypes.val) { 473 size_t i; 474 475 for (i = 0; i < etypes.len; i++) { 476 if (krb5_enctype_valid(context, etypes.val[i]) == 0) { 477 ac->keytype = etypes.val[i]; 478 break; 479 } 480 } 481 } 482 483 /* save key */ 484 ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); 485 if (ret) goto out; 486 487 if (ap_req_options) { 488 *ap_req_options = 0; 489 if (ac->keytype != ETYPE_NULL) 490 *ap_req_options |= AP_OPTS_USE_SUBKEY; 491 if (ap_req->ap_options.use_session_key) 492 *ap_req_options |= AP_OPTS_USE_SESSION_KEY; 493 if (ap_req->ap_options.mutual_required) 494 *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; 495 } 496 497 if(ticket) 498 *ticket = t; 499 else 500 krb5_free_ticket (context, t); 501 if (auth_context) { 502 if (*auth_context == NULL) 503 *auth_context = ac; 504 } else 505 krb5_auth_con_free (context, ac); 506 free_EtypeList(&etypes); 507 return 0; 508 out: 509 if (t) 510 krb5_free_ticket (context, t); 511 if (auth_context == NULL || *auth_context == NULL) 512 krb5_auth_con_free (context, ac); 513 return ret; 514 } 515 516 /* 517 * 518 */ 519 520 struct krb5_rd_req_in_ctx_data { 521 krb5_keytab keytab; 522 krb5_keyblock *keyblock; 523 krb5_boolean check_pac; 524 }; 525 526 struct krb5_rd_req_out_ctx_data { 527 krb5_keyblock *keyblock; 528 krb5_flags ap_req_options; 529 krb5_ticket *ticket; 530 krb5_principal server; 531 }; 532 533 /** 534 * Allocate a krb5_rd_req_in_ctx as an input parameter to 535 * krb5_rd_req_ctx(). The caller should free the context with 536 * krb5_rd_req_in_ctx_free() when done with the context. 537 * 538 * @param context Keberos 5 context. 539 * @param ctx in ctx to krb5_rd_req_ctx(). 540 * 541 * @return Kerberos 5 error code, see krb5_get_error_message(). 542 * 543 * @ingroup krb5_auth 544 */ 545 546 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 547 krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx) 548 { 549 *ctx = calloc(1, sizeof(**ctx)); 550 if (*ctx == NULL) { 551 krb5_set_error_message(context, ENOMEM, 552 N_("malloc: out of memory", "")); 553 return ENOMEM; 554 } 555 (*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0; 556 return 0; 557 } 558 559 /** 560 * Set the keytab that krb5_rd_req_ctx() will use. 561 * 562 * @param context Keberos 5 context. 563 * @param in in ctx to krb5_rd_req_ctx(). 564 * @param keytab keytab that krb5_rd_req_ctx() will use, only copy the 565 * pointer, so the caller must free they keytab after 566 * krb5_rd_req_in_ctx_free() is called. 567 * 568 * @return Kerberos 5 error code, see krb5_get_error_message(). 569 * 570 * @ingroup krb5_auth 571 */ 572 573 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 574 krb5_rd_req_in_set_keytab(krb5_context context, 575 krb5_rd_req_in_ctx in, 576 krb5_keytab keytab) 577 { 578 in->keytab = keytab; 579 return 0; 580 } 581 582 /** 583 * Set if krb5_rq_red() is going to check the Windows PAC or not 584 * 585 * @param context Keberos 5 context. 586 * @param in krb5_rd_req_in_ctx to check the option on. 587 * @param flag flag to select if to check the pac (TRUE) or not (FALSE). 588 * 589 * @return Kerberos 5 error code, see krb5_get_error_message(). 590 * 591 * @ingroup krb5_auth 592 */ 593 594 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 595 krb5_rd_req_in_set_pac_check(krb5_context context, 596 krb5_rd_req_in_ctx in, 597 krb5_boolean flag) 598 { 599 in->check_pac = flag; 600 return 0; 601 } 602 603 604 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 605 krb5_rd_req_in_set_keyblock(krb5_context context, 606 krb5_rd_req_in_ctx in, 607 krb5_keyblock *keyblock) 608 { 609 in->keyblock = keyblock; /* XXX should make copy */ 610 return 0; 611 } 612 613 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 614 krb5_rd_req_out_get_ap_req_options(krb5_context context, 615 krb5_rd_req_out_ctx out, 616 krb5_flags *ap_req_options) 617 { 618 *ap_req_options = out->ap_req_options; 619 return 0; 620 } 621 622 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 623 krb5_rd_req_out_get_ticket(krb5_context context, 624 krb5_rd_req_out_ctx out, 625 krb5_ticket **ticket) 626 { 627 return krb5_copy_ticket(context, out->ticket, ticket); 628 } 629 630 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 631 krb5_rd_req_out_get_keyblock(krb5_context context, 632 krb5_rd_req_out_ctx out, 633 krb5_keyblock **keyblock) 634 { 635 return krb5_copy_keyblock(context, out->keyblock, keyblock); 636 } 637 638 /** 639 * Get the principal that was used in the request from the 640 * client. Might not match whats in the ticket if krb5_rd_req_ctx() 641 * searched in the keytab for a matching key. 642 * 643 * @param context a Kerberos 5 context. 644 * @param out a krb5_rd_req_out_ctx from krb5_rd_req_ctx(). 645 * @param principal return principal, free with krb5_free_principal(). 646 * 647 * @ingroup krb5_auth 648 */ 649 650 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 651 krb5_rd_req_out_get_server(krb5_context context, 652 krb5_rd_req_out_ctx out, 653 krb5_principal *principal) 654 { 655 return krb5_copy_principal(context, out->server, principal); 656 } 657 658 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 659 krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx) 660 { 661 free(ctx); 662 } 663 664 /** 665 * Free the krb5_rd_req_out_ctx. 666 * 667 * @param context Keberos 5 context. 668 * @param ctx krb5_rd_req_out_ctx context to free. 669 * 670 * @ingroup krb5_auth 671 */ 672 673 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 674 krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx) 675 { 676 if (ctx->ticket) 677 krb5_free_ticket(context, ctx->ticket); 678 if (ctx->keyblock) 679 krb5_free_keyblock(context, ctx->keyblock); 680 if (ctx->server) 681 krb5_free_principal(context, ctx->server); 682 free(ctx); 683 } 684 685 /* 686 * 687 */ 688 689 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 690 krb5_rd_req(krb5_context context, 691 krb5_auth_context *auth_context, 692 const krb5_data *inbuf, 693 krb5_const_principal server, 694 krb5_keytab keytab, 695 krb5_flags *ap_req_options, 696 krb5_ticket **ticket) 697 { 698 krb5_error_code ret; 699 krb5_rd_req_in_ctx in; 700 krb5_rd_req_out_ctx out; 701 702 ret = krb5_rd_req_in_ctx_alloc(context, &in); 703 if (ret) 704 return ret; 705 706 ret = krb5_rd_req_in_set_keytab(context, in, keytab); 707 if (ret) { 708 krb5_rd_req_in_ctx_free(context, in); 709 return ret; 710 } 711 712 ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); 713 krb5_rd_req_in_ctx_free(context, in); 714 if (ret) 715 return ret; 716 717 if (ap_req_options) 718 *ap_req_options = out->ap_req_options; 719 if (ticket) { 720 ret = krb5_copy_ticket(context, out->ticket, ticket); 721 if (ret) 722 goto out; 723 } 724 725 out: 726 krb5_rd_req_out_ctx_free(context, out); 727 return ret; 728 } 729 730 /* 731 * 732 */ 733 734 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 735 krb5_rd_req_with_keyblock(krb5_context context, 736 krb5_auth_context *auth_context, 737 const krb5_data *inbuf, 738 krb5_const_principal server, 739 krb5_keyblock *keyblock, 740 krb5_flags *ap_req_options, 741 krb5_ticket **ticket) 742 { 743 krb5_error_code ret; 744 krb5_rd_req_in_ctx in; 745 krb5_rd_req_out_ctx out; 746 747 ret = krb5_rd_req_in_ctx_alloc(context, &in); 748 if (ret) 749 return ret; 750 751 ret = krb5_rd_req_in_set_keyblock(context, in, keyblock); 752 if (ret) { 753 krb5_rd_req_in_ctx_free(context, in); 754 return ret; 755 } 756 757 ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out); 758 krb5_rd_req_in_ctx_free(context, in); 759 if (ret) 760 return ret; 761 762 if (ap_req_options) 763 *ap_req_options = out->ap_req_options; 764 if (ticket) { 765 ret = krb5_copy_ticket(context, out->ticket, ticket); 766 if (ret) 767 goto out; 768 } 769 770 out: 771 krb5_rd_req_out_ctx_free(context, out); 772 return ret; 773 } 774 775 /* 776 * 777 */ 778 779 static krb5_error_code 780 get_key_from_keytab(krb5_context context, 781 krb5_ap_req *ap_req, 782 krb5_const_principal server, 783 krb5_keytab keytab, 784 krb5_keyblock **out_key) 785 { 786 krb5_keytab_entry entry; 787 krb5_error_code ret; 788 int kvno; 789 krb5_keytab real_keytab; 790 791 if(keytab == NULL) 792 krb5_kt_default(context, &real_keytab); 793 else 794 real_keytab = keytab; 795 796 if (ap_req->ticket.enc_part.kvno) 797 kvno = *ap_req->ticket.enc_part.kvno; 798 else 799 kvno = 0; 800 801 ret = krb5_kt_get_entry (context, 802 real_keytab, 803 server, 804 kvno, 805 ap_req->ticket.enc_part.etype, 806 &entry); 807 if(ret) 808 goto out; 809 ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); 810 krb5_kt_free_entry (context, &entry); 811 out: 812 if(keytab == NULL) 813 krb5_kt_close(context, real_keytab); 814 815 return ret; 816 } 817 818 /** 819 * The core server function that verify application authentication 820 * requests from clients. 821 * 822 * @param context Keberos 5 context. 823 * @param auth_context the authentication context, can be NULL, then 824 * default values for the authentication context will used. 825 * @param inbuf the (AP-REQ) authentication buffer 826 * 827 * @param server the server with authenticate as, if NULL the function 828 * will try to find any available credential in the keytab 829 * that will verify the reply. The function will prefer the 830 * server the server client specified in the AP-REQ, but if 831 * there is no mach, it will try all keytab entries for a 832 * match. This have serious performance issues for larger keytabs. 833 * 834 * @param inctx control the behavior of the function, if NULL, the 835 * default behavior is used. 836 * @param outctx the return outctx, free with krb5_rd_req_out_ctx_free(). 837 * @return Kerberos 5 error code, see krb5_get_error_message(). 838 * 839 * @ingroup krb5_auth 840 */ 841 842 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 843 krb5_rd_req_ctx(krb5_context context, 844 krb5_auth_context *auth_context, 845 const krb5_data *inbuf, 846 krb5_const_principal server, 847 krb5_rd_req_in_ctx inctx, 848 krb5_rd_req_out_ctx *outctx) 849 { 850 krb5_error_code ret; 851 krb5_ap_req ap_req; 852 krb5_rd_req_out_ctx o = NULL; 853 krb5_keytab id = NULL, keytab = NULL; 854 krb5_principal service = NULL; 855 856 *outctx = NULL; 857 858 o = calloc(1, sizeof(*o)); 859 if (o == NULL) { 860 krb5_set_error_message(context, ENOMEM, 861 N_("malloc: out of memory", "")); 862 return ENOMEM; 863 } 864 865 if (*auth_context == NULL) { 866 ret = krb5_auth_con_init(context, auth_context); 867 if (ret) 868 goto out; 869 } 870 871 ret = krb5_decode_ap_req(context, inbuf, &ap_req); 872 if(ret) 873 goto out; 874 875 /* Save that principal that was in the request */ 876 ret = _krb5_principalname2krb5_principal(context, 877 &o->server, 878 ap_req.ticket.sname, 879 ap_req.ticket.realm); 880 if (ret) 881 goto out; 882 883 if (ap_req.ap_options.use_session_key && 884 (*auth_context)->keyblock == NULL) { 885 ret = KRB5KRB_AP_ERR_NOKEY; 886 krb5_set_error_message(context, ret, 887 N_("krb5_rd_req: user to user auth " 888 "without session key given", "")); 889 goto out; 890 } 891 892 if (inctx && inctx->keytab) 893 id = inctx->keytab; 894 895 if((*auth_context)->keyblock){ 896 ret = krb5_copy_keyblock(context, 897 (*auth_context)->keyblock, 898 &o->keyblock); 899 if (ret) 900 goto out; 901 } else if(inctx && inctx->keyblock){ 902 ret = krb5_copy_keyblock(context, 903 inctx->keyblock, 904 &o->keyblock); 905 if (ret) 906 goto out; 907 } else { 908 909 if(id == NULL) { 910 krb5_kt_default(context, &keytab); 911 id = keytab; 912 } 913 if (id == NULL) 914 goto out; 915 916 if (server == NULL) { 917 ret = _krb5_principalname2krb5_principal(context, 918 &service, 919 ap_req.ticket.sname, 920 ap_req.ticket.realm); 921 if (ret) 922 goto out; 923 server = service; 924 } 925 926 ret = get_key_from_keytab(context, 927 &ap_req, 928 server, 929 id, 930 &o->keyblock); 931 if (ret) { 932 /* If caller specified a server, fail. */ 933 if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0) 934 goto out; 935 /* Otherwise, fall back to iterating over the keytab. This 936 * have serious performace issues for larger keytab. 937 */ 938 o->keyblock = NULL; 939 } 940 } 941 942 if (o->keyblock) { 943 /* 944 * We got an exact keymatch, use that. 945 */ 946 947 ret = krb5_verify_ap_req2(context, 948 auth_context, 949 &ap_req, 950 server, 951 o->keyblock, 952 0, 953 &o->ap_req_options, 954 &o->ticket, 955 KRB5_KU_AP_REQ_AUTH); 956 957 if (ret) 958 goto out; 959 960 } else { 961 /* 962 * Interate over keytab to find a key that can decrypt the request. 963 */ 964 965 krb5_keytab_entry entry; 966 krb5_kt_cursor cursor; 967 int done = 0, kvno = 0; 968 969 memset(&cursor, 0, sizeof(cursor)); 970 971 if (ap_req.ticket.enc_part.kvno) 972 kvno = *ap_req.ticket.enc_part.kvno; 973 974 ret = krb5_kt_start_seq_get(context, id, &cursor); 975 if (ret) 976 goto out; 977 978 done = 0; 979 while (!done) { 980 krb5_principal p; 981 982 ret = krb5_kt_next_entry(context, id, &entry, &cursor); 983 if (ret) { 984 _krb5_kt_principal_not_found(context, ret, id, o->server, 985 ap_req.ticket.enc_part.etype, 986 kvno); 987 goto out; 988 } 989 990 if (entry.keyblock.keytype != ap_req.ticket.enc_part.etype) { 991 krb5_kt_free_entry (context, &entry); 992 continue; 993 } 994 995 ret = krb5_verify_ap_req2(context, 996 auth_context, 997 &ap_req, 998 server, 999 &entry.keyblock, 1000 0, 1001 &o->ap_req_options, 1002 &o->ticket, 1003 KRB5_KU_AP_REQ_AUTH); 1004 if (ret) { 1005 krb5_kt_free_entry (context, &entry); 1006 continue; 1007 } 1008 1009 /* 1010 * Found a match, save the keyblock for PAC processing, 1011 * and update the service principal in the ticket to match 1012 * whatever is in the keytab. 1013 */ 1014 1015 ret = krb5_copy_keyblock(context, 1016 &entry.keyblock, 1017 &o->keyblock); 1018 if (ret) { 1019 krb5_kt_free_entry (context, &entry); 1020 goto out; 1021 } 1022 1023 ret = krb5_copy_principal(context, entry.principal, &p); 1024 if (ret) { 1025 krb5_kt_free_entry (context, &entry); 1026 goto out; 1027 } 1028 krb5_free_principal(context, o->ticket->server); 1029 o->ticket->server = p; 1030 1031 krb5_kt_free_entry (context, &entry); 1032 1033 done = 1; 1034 } 1035 krb5_kt_end_seq_get (context, id, &cursor); 1036 } 1037 1038 /* If there is a PAC, verify its server signature */ 1039 if (inctx == NULL || inctx->check_pac) { 1040 krb5_pac pac; 1041 krb5_data data; 1042 1043 ret = krb5_ticket_get_authorization_data_type(context, 1044 o->ticket, 1045 KRB5_AUTHDATA_WIN2K_PAC, 1046 &data); 1047 if (ret == 0) { 1048 ret = krb5_pac_parse(context, data.data, data.length, &pac); 1049 krb5_data_free(&data); 1050 if (ret) 1051 goto out; 1052 1053 ret = krb5_pac_verify(context, 1054 pac, 1055 o->ticket->ticket.authtime, 1056 o->ticket->client, 1057 o->keyblock, 1058 NULL); 1059 krb5_pac_free(context, pac); 1060 if (ret) 1061 goto out; 1062 } else 1063 ret = 0; 1064 } 1065 out: 1066 1067 if (ret || outctx == NULL) { 1068 krb5_rd_req_out_ctx_free(context, o); 1069 } else 1070 *outctx = o; 1071 1072 free_AP_REQ(&ap_req); 1073 1074 if (service) 1075 krb5_free_principal(context, service); 1076 1077 if (keytab) 1078 krb5_kt_close(context, keytab); 1079 1080 return ret; 1081 } 1082