1 #pragma ident "%Z%%M% %I% %E% SMI" 2 /* 3 * lib/krb5/krb/gc_via_tgt.c 4 * 5 * Copyright 1990,1991 by the Massachusetts Institute of Technology. 6 * All Rights Reserved. 7 * 8 * Export of this software from the United States of America may 9 * require a specific license from the United States Government. 10 * It is the responsibility of any person or organization contemplating 11 * export to obtain such a license before exporting. 12 * 13 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 14 * distribute this software and its documentation for any purpose and 15 * without fee is hereby granted, provided that the above copyright 16 * notice appear in all copies and that both that copyright notice and 17 * this permission notice appear in supporting documentation, and that 18 * the name of M.I.T. not be used in advertising or publicity pertaining 19 * to distribution of the software without specific, written prior 20 * permission. Furthermore if you modify this software you must label 21 * your software as modified software and not distribute it in such a 22 * fashion that it might be confused with the original M.I.T. software. 23 * M.I.T. makes no representations about the suitability of 24 * this software for any purpose. It is provided "as is" without express 25 * or implied warranty. 26 * 27 * 28 * Given a tkt, and a target cred, get it. 29 * Assumes that the kdc_rep has been decrypted. 30 */ 31 32 #include "k5-int.h" 33 #include "int-proto.h" 34 35 #define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew) 36 37 #define IS_TGS_PRINC(c, p) \ 38 ((krb5_princ_size((c), (p)) == 2) && \ 39 (krb5_princ_component((c), (p), 0)->length == \ 40 KRB5_TGS_NAME_SIZE) && \ 41 (!memcmp(krb5_princ_component((c), (p), 0)->data, \ 42 KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE))) 43 44 static krb5_error_code 45 krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address, krb5_data *psectkt, krb5_creds **ppcreds) 46 { 47 krb5_error_code retval; 48 krb5_data *pdata; 49 50 if ((*ppcreds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) { 51 return ENOMEM; 52 } 53 54 memset(*ppcreds, 0, sizeof(krb5_creds)); 55 56 if ((retval = krb5_copy_principal(context, pkdcrep->client, 57 &(*ppcreds)->client))) 58 goto cleanup; 59 60 if ((retval = krb5_copy_principal(context, pkdcrep->enc_part2->server, 61 &(*ppcreds)->server))) 62 goto cleanup; 63 64 if ((retval = krb5_copy_keyblock_contents(context, 65 pkdcrep->enc_part2->session, 66 &(*ppcreds)->keyblock))) 67 goto cleanup; 68 69 if ((retval = krb5_copy_data(context, psectkt, &pdata))) 70 goto cleanup; 71 (*ppcreds)->second_ticket = *pdata; 72 krb5_xfree(pdata); 73 74 (*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags; 75 (*ppcreds)->times = pkdcrep->enc_part2->times; 76 (*ppcreds)->magic = KV5M_CREDS; 77 78 (*ppcreds)->authdata = NULL; /* not used */ 79 (*ppcreds)->is_skey = psectkt->length != 0; 80 81 if (pkdcrep->enc_part2->caddrs) { 82 if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs, 83 &(*ppcreds)->addresses))) 84 goto cleanup_keyblock; 85 } else { 86 /* no addresses in the list means we got what we had */ 87 if ((retval = krb5_copy_addresses(context, address, 88 &(*ppcreds)->addresses))) 89 goto cleanup_keyblock; 90 } 91 92 if ((retval = encode_krb5_ticket(pkdcrep->ticket, &pdata))) 93 goto cleanup_keyblock; 94 95 (*ppcreds)->ticket = *pdata; 96 free(pdata); 97 return 0; 98 99 cleanup_keyblock: 100 krb5_free_keyblock(context, &(*ppcreds)->keyblock); 101 102 cleanup: 103 free (*ppcreds); 104 return retval; 105 } 106 107 static krb5_error_code 108 check_reply_server(krb5_context context, krb5_flags kdcoptions, 109 krb5_creds *in_cred, krb5_kdc_rep *dec_rep) 110 { 111 112 if (!krb5_principal_compare(context, dec_rep->ticket->server, 113 dec_rep->enc_part2->server)) 114 return KRB5_KDCREP_MODIFIED; 115 116 /* Reply is self-consistent. */ 117 118 if (krb5_principal_compare(context, dec_rep->ticket->server, 119 in_cred->server)) 120 return 0; 121 122 /* Server in reply differs from what we requested. */ 123 124 if (kdcoptions & KDC_OPT_CANONICALIZE) { 125 /* in_cred server differs from ticket returned, but ticket 126 returned is consistent and we requested canonicalization. */ 127 #if 0 128 #ifdef DEBUG_REFERRALS 129 printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n"); 130 krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server); 131 krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server); 132 #endif 133 #endif 134 return 0; 135 } 136 137 /* We didn't request canonicalization. */ 138 139 if (!IS_TGS_PRINC(context, in_cred->server) || 140 !IS_TGS_PRINC(context, dec_rep->ticket->server)) { 141 /* Canonicalization not requested, and not a TGS referral. */ 142 return KRB5_KDCREP_MODIFIED; 143 } 144 #if 0 145 /* 146 * Is this check needed? find_nxt_kdc() in gc_frm_kdc.c already 147 * effectively checks this. 148 */ 149 if (krb5_realm_compare(context, in_cred->client, in_cred->server) && 150 in_cred->server->data[1].length == in_cred->client->realm.length && 151 !memcmp(in_cred->client->realm.data, in_cred->server->data[1].data, 152 in_cred->client->realm.length)) { 153 /* Attempted to rewrite local TGS. */ 154 return KRB5_KDCREP_MODIFIED; 155 } 156 #endif 157 return 0; 158 } 159 160 krb5_error_code 161 krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, 162 krb5_flags kdcoptions, krb5_address *const *address, 163 krb5_creds *in_cred, krb5_creds **out_cred) 164 { 165 krb5_error_code retval; 166 krb5_kdc_rep *dec_rep; 167 krb5_error *err_reply; 168 krb5_response tgsrep; 169 krb5_enctype *enctypes = 0; 170 171 #ifdef DEBUG_REFERRALS 172 printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off"); 173 krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server); 174 krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server); 175 #endif 176 177 /* tkt->client must be equal to in_cred->client */ 178 if (!krb5_principal_compare(context, tkt->client, in_cred->client)) 179 return KRB5_PRINC_NOMATCH; 180 181 if (!tkt->ticket.length) 182 return KRB5_NO_TKT_SUPPLIED; 183 184 if ((kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) && 185 (!in_cred->second_ticket.length)) 186 return(KRB5_NO_2ND_TKT); 187 188 189 /* check if we have the right TGT */ 190 /* tkt->server must be equal to */ 191 /* krbtgt/realmof(cred->server)@realmof(tgt->server) */ 192 /* 193 { 194 krb5_principal tempprinc; 195 if (retval = krb5_tgtname(context, 196 krb5_princ_realm(context, in_cred->server), 197 krb5_princ_realm(context, tkt->server), &tempprinc)) 198 return(retval); 199 200 if (!krb5_principal_compare(context, tempprinc, tkt->server)) { 201 krb5_free_principal(context, tempprinc); 202 return (KRB5_PRINC_NOMATCH); 203 } 204 krb5_free_principal(context, tempprinc); 205 } 206 */ 207 208 if (in_cred->keyblock.enctype) { 209 enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2); 210 if (!enctypes) 211 return ENOMEM; 212 enctypes[0] = in_cred->keyblock.enctype; 213 enctypes[1] = 0; 214 } 215 216 retval = krb5_send_tgs(context, kdcoptions, &in_cred->times, enctypes, 217 in_cred->server, address, in_cred->authdata, 218 0, /* no padata */ 219 (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) ? 220 &in_cred->second_ticket : NULL, 221 tkt, &tgsrep); 222 if (enctypes) 223 free(enctypes); 224 if (retval) { 225 #ifdef DEBUG_REFERRALS 226 printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n", 227 error_message(retval)); 228 #endif 229 return retval; 230 } 231 232 switch (tgsrep.message_type) { 233 case KRB5_TGS_REP: 234 break; 235 case KRB5_ERROR: 236 default: 237 if (krb5_is_krb_error(&tgsrep.response)) 238 retval = decode_krb5_error(&tgsrep.response, &err_reply); 239 else 240 retval = KRB5KRB_AP_ERR_MSG_TYPE; 241 242 if (retval) /* neither proper reply nor error! */ 243 goto error_4; 244 245 retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5; 246 247 krb5_free_error(context, err_reply); 248 goto error_4; 249 } 250 251 if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, 252 &tkt->keyblock, &dec_rep))) 253 goto error_4; 254 255 if (dec_rep->msg_type != KRB5_TGS_REP) { 256 retval = KRB5KRB_AP_ERR_MSG_TYPE; 257 goto error_3; 258 } 259 260 /* make sure the response hasn't been tampered with..... */ 261 retval = 0; 262 263 if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) 264 retval = KRB5_KDCREP_MODIFIED; 265 266 if (retval == 0) 267 retval = check_reply_server(context, kdcoptions, in_cred, dec_rep); 268 269 if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) 270 retval = KRB5_KDCREP_MODIFIED; 271 272 if ((kdcoptions & KDC_OPT_POSTDATED) && 273 (in_cred->times.starttime != 0) && 274 (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) 275 retval = KRB5_KDCREP_MODIFIED; 276 277 if ((in_cred->times.endtime != 0) && 278 (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) 279 retval = KRB5_KDCREP_MODIFIED; 280 281 if ((kdcoptions & KDC_OPT_RENEWABLE) && 282 (in_cred->times.renew_till != 0) && 283 (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) 284 retval = KRB5_KDCREP_MODIFIED; 285 286 if ((kdcoptions & KDC_OPT_RENEWABLE_OK) && 287 (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && 288 (in_cred->times.endtime != 0) && 289 (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) 290 retval = KRB5_KDCREP_MODIFIED; 291 292 if (retval != 0) 293 goto error_3; 294 295 if (!in_cred->times.starttime && 296 !in_clock_skew(dec_rep->enc_part2->times.starttime, 297 tgsrep.request_time)) { 298 retval = KRB5_KDCREP_SKEW; 299 goto error_3; 300 } 301 302 retval = krb5_kdcrep2creds(context, dec_rep, address, 303 &in_cred->second_ticket, out_cred); 304 305 error_3:; 306 memset(dec_rep->enc_part2->session->contents, 0, 307 dec_rep->enc_part2->session->length); 308 krb5_free_kdc_rep(context, dec_rep); 309 310 error_4:; 311 free(tgsrep.response.data); 312 #ifdef DEBUG_REFERRALS 313 printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error"); 314 #endif 315 return retval; 316 } 317