1 /* 2 * Copyright (c) 1997 - 2001 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "krb5_locl.h" 35 RCSID("$Id: convert_creds.c,v 1.17 2001/05/14 06:14:45 assar Exp $"); 36 37 static krb5_error_code 38 check_ticket_flags(TicketFlags f) 39 { 40 return 0; /* maybe add some more tests here? */ 41 } 42 43 /* include this here, to avoid dependencies on libkrb */ 44 45 #define MAX_KTXT_LEN 1250 46 47 #define ANAME_SZ 40 48 #define REALM_SZ 40 49 #define SNAME_SZ 40 50 #define INST_SZ 40 51 52 struct ktext { 53 unsigned int length; /* Length of the text */ 54 unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ 55 u_int32_t mbz; /* zero to catch runaway strings */ 56 }; 57 58 struct credentials { 59 char service[ANAME_SZ]; /* Service name */ 60 char instance[INST_SZ]; /* Instance */ 61 char realm[REALM_SZ]; /* Auth domain */ 62 des_cblock session; /* Session key */ 63 int lifetime; /* Lifetime */ 64 int kvno; /* Key version number */ 65 struct ktext ticket_st; /* The ticket itself */ 66 int32_t issue_date; /* The issue time */ 67 char pname[ANAME_SZ]; /* Principal's name */ 68 char pinst[INST_SZ]; /* Principal's instance */ 69 }; 70 71 72 #define TKTLIFENUMFIXED 64 73 #define TKTLIFEMINFIXED 0x80 74 #define TKTLIFEMAXFIXED 0xBF 75 #define TKTLIFENOEXPIRE 0xFF 76 #define MAXTKTLIFETIME (30*24*3600) /* 30 days */ 77 #ifndef NEVERDATE 78 #define NEVERDATE ((time_t)0x7fffffffL) 79 #endif 80 81 static const int _tkt_lifetimes[TKTLIFENUMFIXED] = { 82 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, 83 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, 84 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, 85 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116, 86 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904, 87 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303, 88 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247, 89 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000 90 }; 91 92 static int 93 _krb_time_to_life(time_t start, time_t end) 94 { 95 int i; 96 time_t life = end - start; 97 98 if (life > MAXTKTLIFETIME || life <= 0) 99 return 0; 100 #if 0 101 if (krb_no_long_lifetimes) 102 return (life + 5*60 - 1)/(5*60); 103 #endif 104 105 if (end >= NEVERDATE) 106 return TKTLIFENOEXPIRE; 107 if (life < _tkt_lifetimes[0]) 108 return (life + 5*60 - 1)/(5*60); 109 for (i=0; i<TKTLIFENUMFIXED; i++) 110 if (life <= _tkt_lifetimes[i]) 111 return i + TKTLIFEMINFIXED; 112 return 0; 113 114 } 115 116 /* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'. 117 * This is done by sending them to the 524 function in the KDC. If 118 * `in_cred' doesn't contain a DES session key, then a new one is 119 * gotten from the KDC and stored in the cred cache `ccache'. 120 */ 121 122 krb5_error_code 123 krb524_convert_creds_kdc(krb5_context context, 124 krb5_ccache ccache, 125 krb5_creds *in_cred, 126 struct credentials *v4creds) 127 { 128 krb5_error_code ret; 129 krb5_data reply; 130 krb5_storage *sp; 131 int32_t tmp; 132 krb5_data ticket; 133 char realm[REALM_SZ]; 134 krb5_creds *v5_creds = in_cred; 135 krb5_keytype keytype; 136 137 keytype = v5_creds->session.keytype; 138 139 if (keytype != ENCTYPE_DES_CBC_CRC) { 140 /* MIT krb524d doesn't like nothing but des-cbc-crc tickets, 141 so go get one */ 142 krb5_creds template; 143 144 memset (&template, 0, sizeof(template)); 145 template.session.keytype = ENCTYPE_DES_CBC_CRC; 146 ret = krb5_copy_principal (context, in_cred->client, &template.client); 147 if (ret) { 148 krb5_free_creds_contents (context, &template); 149 return ret; 150 } 151 ret = krb5_copy_principal (context, in_cred->server, &template.server); 152 if (ret) { 153 krb5_free_creds_contents (context, &template); 154 return ret; 155 } 156 157 ret = krb5_get_credentials (context, 0, ccache, 158 &template, &v5_creds); 159 krb5_free_creds_contents (context, &template); 160 if (ret) 161 return ret; 162 } 163 164 ret = check_ticket_flags(v5_creds->flags.b); 165 if(ret) 166 goto out2; 167 168 { 169 char **hostlist; 170 int port; 171 port = krb5_getportbyname (context, "krb524", "udp", 4444); 172 173 ret = krb5_get_krbhst (context, krb5_princ_realm(context, 174 v5_creds->server), 175 &hostlist); 176 if(ret) 177 goto out2; 178 179 ret = krb5_sendto (context, 180 &v5_creds->ticket, 181 hostlist, 182 port, 183 &reply); 184 if(ret == KRB5_KDC_UNREACH) { 185 port = krb5_getportbyname (context, "kerberos", "udp", 88); 186 ret = krb5_sendto (context, 187 &v5_creds->ticket, 188 hostlist, 189 port, 190 &reply); 191 } 192 krb5_free_krbhst (context, hostlist); 193 } 194 if (ret) 195 goto out2; 196 sp = krb5_storage_from_mem(reply.data, reply.length); 197 if(sp == NULL) { 198 ret = ENOMEM; 199 krb5_set_error_string (context, "malloc: out of memory"); 200 goto out2; 201 } 202 krb5_ret_int32(sp, &tmp); 203 ret = tmp; 204 if(ret == 0) { 205 memset(v4creds, 0, sizeof(*v4creds)); 206 ret = krb5_ret_int32(sp, &tmp); 207 if(ret) 208 goto out; 209 v4creds->kvno = tmp; 210 ret = krb5_ret_data(sp, &ticket); 211 if(ret) 212 goto out; 213 v4creds->ticket_st.length = ticket.length; 214 memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length); 215 krb5_data_free(&ticket); 216 ret = krb5_524_conv_principal(context, 217 v5_creds->server, 218 v4creds->service, 219 v4creds->instance, 220 v4creds->realm); 221 if(ret) 222 goto out; 223 v4creds->issue_date = v5_creds->times.authtime; 224 v4creds->lifetime = _krb_time_to_life(v4creds->issue_date, 225 v5_creds->times.endtime); 226 ret = krb5_524_conv_principal(context, v5_creds->client, 227 v4creds->pname, 228 v4creds->pinst, 229 realm); 230 if(ret) 231 goto out; 232 memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8); 233 } 234 out: 235 krb5_storage_free(sp); 236 krb5_data_free(&reply); 237 out2: 238 if (v5_creds != in_cred) 239 krb5_free_creds (context, v5_creds); 240 return ret; 241 } 242