1 /* 2 * Copyright (c) 1997, 1999 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "krb5_locl.h" 35 RCSID("$Id: convert_creds.c,v 1.13 1999/12/02 17:05:08 joda Exp $"); 36 37 static krb5_error_code 38 check_ticket_flags(TicketFlags f) 39 { 40 return 0; /* maybe add some more tests here? */ 41 } 42 43 /* include this here, to avoid dependencies on libkrb */ 44 45 #define MAX_KTXT_LEN 1250 46 47 #define ANAME_SZ 40 48 #define REALM_SZ 40 49 #define SNAME_SZ 40 50 #define INST_SZ 40 51 52 struct ktext { 53 unsigned int length; /* Length of the text */ 54 unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ 55 u_int32_t mbz; /* zero to catch runaway strings */ 56 }; 57 58 struct credentials { 59 char service[ANAME_SZ]; /* Service name */ 60 char instance[INST_SZ]; /* Instance */ 61 char realm[REALM_SZ]; /* Auth domain */ 62 des_cblock session; /* Session key */ 63 int lifetime; /* Lifetime */ 64 int kvno; /* Key version number */ 65 struct ktext ticket_st; /* The ticket itself */ 66 int32_t issue_date; /* The issue time */ 67 char pname[ANAME_SZ]; /* Principal's name */ 68 char pinst[INST_SZ]; /* Principal's instance */ 69 }; 70 71 72 #define TKTLIFENUMFIXED 64 73 #define TKTLIFEMINFIXED 0x80 74 #define TKTLIFEMAXFIXED 0xBF 75 #define TKTLIFENOEXPIRE 0xFF 76 #define MAXTKTLIFETIME (30*24*3600) /* 30 days */ 77 #ifndef NEVERDATE 78 #define NEVERDATE ((time_t)0x7fffffffL) 79 #endif 80 81 static const int _tkt_lifetimes[TKTLIFENUMFIXED] = { 82 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, 83 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, 84 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, 85 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116, 86 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904, 87 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303, 88 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247, 89 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000 90 }; 91 92 static int 93 _krb_time_to_life(time_t start, time_t end) 94 { 95 int i; 96 time_t life = end - start; 97 98 if (life > MAXTKTLIFETIME || life <= 0) 99 return 0; 100 #if 0 101 if (krb_no_long_lifetimes) 102 return (life + 5*60 - 1)/(5*60); 103 #endif 104 105 if (end >= NEVERDATE) 106 return TKTLIFENOEXPIRE; 107 if (life < _tkt_lifetimes[0]) 108 return (life + 5*60 - 1)/(5*60); 109 for (i=0; i<TKTLIFENUMFIXED; i++) 110 if (life <= _tkt_lifetimes[i]) 111 return i + TKTLIFEMINFIXED; 112 return 0; 113 114 } 115 116 /* Convert the v5 credentials in `in_cred' to v4-dito in `v4creds'. 117 * This is done by sending them to the 524 function in the KDC. If 118 * `in_cred' doesn't contain a DES session key, then a new one is 119 * gotten from the KDC and stored in the cred cache `ccache'. 120 */ 121 122 krb5_error_code 123 krb524_convert_creds_kdc(krb5_context context, 124 krb5_ccache ccache, 125 krb5_creds *in_cred, 126 struct credentials *v4creds) 127 { 128 krb5_error_code ret; 129 krb5_data reply; 130 krb5_storage *sp; 131 int32_t tmp; 132 krb5_data ticket; 133 char realm[REALM_SZ]; 134 krb5_creds *v5_creds = in_cred; 135 krb5_keytype keytype; 136 137 ret = krb5_enctype_to_keytype (context, v5_creds->session.keytype, 138 &keytype); 139 if (ret) 140 return ret; 141 142 if (keytype != KEYTYPE_DES) { 143 krb5_creds template; 144 145 memset (&template, 0, sizeof(template)); 146 template.session.keytype = KEYTYPE_DES; 147 ret = krb5_copy_principal (context, in_cred->client, &template.client); 148 if (ret) { 149 krb5_free_creds_contents (context, &template); 150 return ret; 151 } 152 ret = krb5_copy_principal (context, in_cred->server, &template.server); 153 if (ret) { 154 krb5_free_creds_contents (context, &template); 155 return ret; 156 } 157 158 ret = krb5_get_credentials (context, 0, ccache, 159 &template, &v5_creds); 160 krb5_free_creds_contents (context, &template); 161 if (ret) 162 return ret; 163 } 164 165 ret = check_ticket_flags(v5_creds->flags.b); 166 if(ret) 167 goto out2; 168 169 ret = krb5_sendto_kdc (context, 170 &v5_creds->ticket, 171 krb5_princ_realm(context, v5_creds->server), 172 &reply); 173 if (ret) 174 goto out2; 175 sp = krb5_storage_from_mem(reply.data, reply.length); 176 if(sp == NULL) { 177 ret = ENOMEM; 178 goto out2; 179 } 180 krb5_ret_int32(sp, &tmp); 181 ret = tmp; 182 if(ret == 0) { 183 memset(v4creds, 0, sizeof(*v4creds)); 184 ret = krb5_ret_int32(sp, &tmp); 185 if(ret) goto out; 186 v4creds->kvno = tmp; 187 ret = krb5_ret_data(sp, &ticket); 188 if(ret) goto out; 189 v4creds->ticket_st.length = ticket.length; 190 memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length); 191 krb5_data_free(&ticket); 192 ret = krb5_524_conv_principal(context, 193 v5_creds->server, 194 v4creds->service, 195 v4creds->instance, 196 v4creds->realm); 197 if(ret) goto out; 198 v4creds->issue_date = v5_creds->times.authtime; 199 v4creds->lifetime = _krb_time_to_life(v4creds->issue_date, 200 v5_creds->times.endtime); 201 ret = krb5_524_conv_principal(context, v5_creds->client, 202 v4creds->pname, 203 v4creds->pinst, 204 realm); 205 if(ret) goto out; 206 memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8); 207 } 208 out: 209 krb5_storage_free(sp); 210 krb5_data_free(&reply); 211 out2: 212 if (v5_creds != in_cred) 213 krb5_free_creds (context, v5_creds); 214 return ret; 215 } 216