17c478bd9Sstevel@tonic-gate /*
2*5e01956fSGlenn Barry * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
37c478bd9Sstevel@tonic-gate */
47c478bd9Sstevel@tonic-gate
5159d09a2SMark Phalan #include "k5-int.h"
67c478bd9Sstevel@tonic-gate #include "cleanup.h"
7159d09a2SMark Phalan #include "auth_con.h"
87c478bd9Sstevel@tonic-gate
97c478bd9Sstevel@tonic-gate #include <stddef.h> /* NULL */
107c478bd9Sstevel@tonic-gate #include <stdlib.h> /* malloc */
117c478bd9Sstevel@tonic-gate #include <errno.h> /* ENOMEM */
127c478bd9Sstevel@tonic-gate
137c478bd9Sstevel@tonic-gate /*-------------------- decrypt_credencdata --------------------*/
147c478bd9Sstevel@tonic-gate
157c478bd9Sstevel@tonic-gate /*
167c478bd9Sstevel@tonic-gate * decrypt the enc_part of a krb5_cred
177c478bd9Sstevel@tonic-gate */
187c478bd9Sstevel@tonic-gate /*ARGSUSED*/
197c478bd9Sstevel@tonic-gate static krb5_error_code
decrypt_credencdata(krb5_context context,krb5_cred * pcred,krb5_keyblock * pkeyblock,krb5_cred_enc_part * pcredenc)20159d09a2SMark Phalan decrypt_credencdata(krb5_context context, krb5_cred *pcred, krb5_keyblock *pkeyblock, krb5_cred_enc_part *pcredenc)
217c478bd9Sstevel@tonic-gate {
227c478bd9Sstevel@tonic-gate krb5_cred_enc_part * ppart = NULL;
237c478bd9Sstevel@tonic-gate krb5_error_code retval;
247c478bd9Sstevel@tonic-gate krb5_data scratch;
257c478bd9Sstevel@tonic-gate
267c478bd9Sstevel@tonic-gate scratch.length = pcred->enc_part.ciphertext.length;
277c478bd9Sstevel@tonic-gate if (!(scratch.data = (char *)malloc(scratch.length)))
287c478bd9Sstevel@tonic-gate return ENOMEM;
297c478bd9Sstevel@tonic-gate
307c478bd9Sstevel@tonic-gate if (pkeyblock != NULL) {
317c478bd9Sstevel@tonic-gate if ((retval = krb5_c_decrypt(context, pkeyblock,
327c478bd9Sstevel@tonic-gate KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
337c478bd9Sstevel@tonic-gate &pcred->enc_part, &scratch)))
347c478bd9Sstevel@tonic-gate goto cleanup;
357c478bd9Sstevel@tonic-gate } else {
36159d09a2SMark Phalan /* Solaris Kerberos */
377c478bd9Sstevel@tonic-gate (void) memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
387c478bd9Sstevel@tonic-gate }
397c478bd9Sstevel@tonic-gate
407c478bd9Sstevel@tonic-gate /* now decode the decrypted stuff */
417c478bd9Sstevel@tonic-gate if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
427c478bd9Sstevel@tonic-gate goto cleanup;
437c478bd9Sstevel@tonic-gate
447c478bd9Sstevel@tonic-gate *pcredenc = *ppart;
457c478bd9Sstevel@tonic-gate retval = 0;
467c478bd9Sstevel@tonic-gate
477c478bd9Sstevel@tonic-gate cleanup:
487c478bd9Sstevel@tonic-gate if (ppart != NULL) {
497c478bd9Sstevel@tonic-gate memset(ppart, 0, sizeof(*ppart));
507c478bd9Sstevel@tonic-gate krb5_xfree(ppart);
517c478bd9Sstevel@tonic-gate }
52159d09a2SMark Phalan /* Solaris Kerberos */
537c478bd9Sstevel@tonic-gate (void) memset(scratch.data, 0, scratch.length);
547c478bd9Sstevel@tonic-gate krb5_xfree(scratch.data);
557c478bd9Sstevel@tonic-gate
567c478bd9Sstevel@tonic-gate return retval;
577c478bd9Sstevel@tonic-gate }
587c478bd9Sstevel@tonic-gate /*----------------------- krb5_rd_cred_basic -----------------------*/
597c478bd9Sstevel@tonic-gate
607c478bd9Sstevel@tonic-gate static krb5_error_code
krb5_rd_cred_basic(krb5_context context,krb5_data * pcreddata,krb5_keyblock * pkeyblock,krb5_replay_data * replaydata,krb5_creds *** pppcreds)61159d09a2SMark Phalan krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, krb5_keyblock *pkeyblock, krb5_replay_data *replaydata, krb5_creds ***pppcreds)
627c478bd9Sstevel@tonic-gate {
637c478bd9Sstevel@tonic-gate krb5_error_code retval;
647c478bd9Sstevel@tonic-gate krb5_cred * pcred;
657c478bd9Sstevel@tonic-gate krb5_int32 ncreds;
667c478bd9Sstevel@tonic-gate krb5_int32 i = 0;
677c478bd9Sstevel@tonic-gate krb5_cred_enc_part encpart;
687c478bd9Sstevel@tonic-gate
697c478bd9Sstevel@tonic-gate /* decode cred message */
707c478bd9Sstevel@tonic-gate if ((retval = decode_krb5_cred(pcreddata, &pcred)))
717c478bd9Sstevel@tonic-gate return retval;
727c478bd9Sstevel@tonic-gate
73159d09a2SMark Phalan /* Solaris Kerberos */
747c478bd9Sstevel@tonic-gate (void) memset(&encpart, 0, sizeof(encpart));
757c478bd9Sstevel@tonic-gate
767c478bd9Sstevel@tonic-gate if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
777c478bd9Sstevel@tonic-gate goto cleanup_cred;
787c478bd9Sstevel@tonic-gate
79159d09a2SMark Phalan
807c478bd9Sstevel@tonic-gate replaydata->timestamp = encpart.timestamp;
817c478bd9Sstevel@tonic-gate replaydata->usec = encpart.usec;
827c478bd9Sstevel@tonic-gate replaydata->seq = encpart.nonce;
837c478bd9Sstevel@tonic-gate
847c478bd9Sstevel@tonic-gate /*
857c478bd9Sstevel@tonic-gate * Allocate the list of creds. The memory is allocated so that
867c478bd9Sstevel@tonic-gate * krb5_free_tgt_creds can be used to free the list.
877c478bd9Sstevel@tonic-gate */
887c478bd9Sstevel@tonic-gate for (ncreds = 0; pcred->tickets[ncreds]; ncreds++);
897c478bd9Sstevel@tonic-gate
907c478bd9Sstevel@tonic-gate if ((*pppcreds =
917c478bd9Sstevel@tonic-gate (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
927c478bd9Sstevel@tonic-gate (ncreds + 1)))) == NULL) {
937c478bd9Sstevel@tonic-gate retval = ENOMEM;
947c478bd9Sstevel@tonic-gate goto cleanup_cred;
957c478bd9Sstevel@tonic-gate }
967c478bd9Sstevel@tonic-gate (*pppcreds)[0] = NULL;
977c478bd9Sstevel@tonic-gate
987c478bd9Sstevel@tonic-gate /*
997c478bd9Sstevel@tonic-gate * For each credential, create a strcture in the list of
1007c478bd9Sstevel@tonic-gate * credentials and copy the information.
1017c478bd9Sstevel@tonic-gate */
1027c478bd9Sstevel@tonic-gate while (i < ncreds) {
1037c478bd9Sstevel@tonic-gate krb5_cred_info * pinfo;
1047c478bd9Sstevel@tonic-gate krb5_creds * pcur;
1057c478bd9Sstevel@tonic-gate krb5_data * pdata;
1067c478bd9Sstevel@tonic-gate
1077c478bd9Sstevel@tonic-gate if ((pcur = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) {
1087c478bd9Sstevel@tonic-gate retval = ENOMEM;
1097c478bd9Sstevel@tonic-gate goto cleanup;
1107c478bd9Sstevel@tonic-gate }
1117c478bd9Sstevel@tonic-gate
1127c478bd9Sstevel@tonic-gate (*pppcreds)[i] = pcur;
1137c478bd9Sstevel@tonic-gate (*pppcreds)[i+1] = 0;
1147c478bd9Sstevel@tonic-gate pinfo = encpart.ticket_info[i++];
115159d09a2SMark Phalan /* Solaris Kerberos */
1167c478bd9Sstevel@tonic-gate (void) memset(pcur, 0, sizeof(krb5_creds));
1177c478bd9Sstevel@tonic-gate
1187c478bd9Sstevel@tonic-gate if ((retval = krb5_copy_principal(context, pinfo->client,
1197c478bd9Sstevel@tonic-gate &pcur->client)))
1207c478bd9Sstevel@tonic-gate goto cleanup;
1217c478bd9Sstevel@tonic-gate
1227c478bd9Sstevel@tonic-gate if ((retval = krb5_copy_principal(context, pinfo->server,
1237c478bd9Sstevel@tonic-gate &pcur->server)))
1247c478bd9Sstevel@tonic-gate goto cleanup;
1257c478bd9Sstevel@tonic-gate
1267c478bd9Sstevel@tonic-gate if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
1277c478bd9Sstevel@tonic-gate &pcur->keyblock)))
1287c478bd9Sstevel@tonic-gate goto cleanup;
1297c478bd9Sstevel@tonic-gate
1307c478bd9Sstevel@tonic-gate if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
1317c478bd9Sstevel@tonic-gate &pcur->addresses)))
1327c478bd9Sstevel@tonic-gate goto cleanup;
1337c478bd9Sstevel@tonic-gate
1347c478bd9Sstevel@tonic-gate if ((retval = encode_krb5_ticket(pcred->tickets[i - 1], &pdata)))
1357c478bd9Sstevel@tonic-gate goto cleanup;
1367c478bd9Sstevel@tonic-gate
1377c478bd9Sstevel@tonic-gate pcur->ticket = *pdata;
1387c478bd9Sstevel@tonic-gate krb5_xfree(pdata);
1397c478bd9Sstevel@tonic-gate
1407c478bd9Sstevel@tonic-gate
1417c478bd9Sstevel@tonic-gate pcur->is_skey = FALSE;
1427c478bd9Sstevel@tonic-gate pcur->magic = KV5M_CREDS;
1437c478bd9Sstevel@tonic-gate pcur->times = pinfo->times;
1447c478bd9Sstevel@tonic-gate pcur->ticket_flags = pinfo->flags;
1457c478bd9Sstevel@tonic-gate pcur->authdata = NULL; /* not used */
146159d09a2SMark Phalan /* Solaris Kerberos */
1477c478bd9Sstevel@tonic-gate (void) memset(&pcur->second_ticket, 0, sizeof(pcur->second_ticket));
1487c478bd9Sstevel@tonic-gate }
1497c478bd9Sstevel@tonic-gate
1507c478bd9Sstevel@tonic-gate /*
1517c478bd9Sstevel@tonic-gate * NULL terminate the list
1527c478bd9Sstevel@tonic-gate */
1537c478bd9Sstevel@tonic-gate (*pppcreds)[i] = NULL;
1547c478bd9Sstevel@tonic-gate
1557c478bd9Sstevel@tonic-gate cleanup:
1567c478bd9Sstevel@tonic-gate if (retval)
1577c478bd9Sstevel@tonic-gate krb5_free_tgt_creds(context, *pppcreds);
1587c478bd9Sstevel@tonic-gate
1597c478bd9Sstevel@tonic-gate cleanup_cred:
1607c478bd9Sstevel@tonic-gate krb5_free_cred(context, pcred);
1617c478bd9Sstevel@tonic-gate krb5_free_cred_enc_part(context, &encpart);
1627c478bd9Sstevel@tonic-gate
1637c478bd9Sstevel@tonic-gate return retval;
1647c478bd9Sstevel@tonic-gate }
1657c478bd9Sstevel@tonic-gate
1667c478bd9Sstevel@tonic-gate /*----------------------- krb5_rd_cred -----------------------*/
1677c478bd9Sstevel@tonic-gate
1687c478bd9Sstevel@tonic-gate
1697c478bd9Sstevel@tonic-gate /*
1707c478bd9Sstevel@tonic-gate * This functions takes as input an KRB_CRED message, validates it, and
1717c478bd9Sstevel@tonic-gate * outputs the nonce and an array of the forwarded credentials.
1727c478bd9Sstevel@tonic-gate */
1737c478bd9Sstevel@tonic-gate krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context,krb5_auth_context auth_context,krb5_data * pcreddata,krb5_creds *** pppcreds,krb5_replay_data * outdata)174159d09a2SMark Phalan krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *pcreddata, krb5_creds ***pppcreds, krb5_replay_data *outdata)
1757c478bd9Sstevel@tonic-gate {
1767c478bd9Sstevel@tonic-gate krb5_error_code retval;
1777c478bd9Sstevel@tonic-gate krb5_keyblock * keyblock;
1787c478bd9Sstevel@tonic-gate krb5_replay_data replaydata;
1797c478bd9Sstevel@tonic-gate
1807c478bd9Sstevel@tonic-gate /* Get keyblock */
1817c478bd9Sstevel@tonic-gate if ((keyblock = auth_context->recv_subkey) == NULL)
1827c478bd9Sstevel@tonic-gate keyblock = auth_context->keyblock;
1837c478bd9Sstevel@tonic-gate
1847c478bd9Sstevel@tonic-gate if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
1857c478bd9Sstevel@tonic-gate (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
1867c478bd9Sstevel@tonic-gate (outdata == NULL))
1877c478bd9Sstevel@tonic-gate /* Need a better error */
1887c478bd9Sstevel@tonic-gate return KRB5_RC_REQUIRED;
1897c478bd9Sstevel@tonic-gate
1907c478bd9Sstevel@tonic-gate if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
1917c478bd9Sstevel@tonic-gate (auth_context->rcache == NULL))
1927c478bd9Sstevel@tonic-gate return KRB5_RC_REQUIRED;
1937c478bd9Sstevel@tonic-gate
194159d09a2SMark Phalan
195*5e01956fSGlenn Barry /*
196*5e01956fSGlenn Barry * If decrypting with the first keyblock we try fails, perhaps the
1977c478bd9Sstevel@tonic-gate * credentials are stored in the session key so try decrypting with
1987c478bd9Sstevel@tonic-gate * that.
1997c478bd9Sstevel@tonic-gate */
2007c478bd9Sstevel@tonic-gate if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
2017c478bd9Sstevel@tonic-gate &replaydata, pppcreds))) {
2027c478bd9Sstevel@tonic-gate if ((retval = krb5_rd_cred_basic(context, pcreddata,
2037c478bd9Sstevel@tonic-gate auth_context->keyblock,
2047c478bd9Sstevel@tonic-gate &replaydata, pppcreds))) {
2057c478bd9Sstevel@tonic-gate return retval;
2067c478bd9Sstevel@tonic-gate }
2077c478bd9Sstevel@tonic-gate }
2087c478bd9Sstevel@tonic-gate
2097c478bd9Sstevel@tonic-gate if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
2107c478bd9Sstevel@tonic-gate krb5_donot_replay replay;
2117c478bd9Sstevel@tonic-gate
212*5e01956fSGlenn Barry if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
2137c478bd9Sstevel@tonic-gate goto error;
2147c478bd9Sstevel@tonic-gate
2157c478bd9Sstevel@tonic-gate if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
2167c478bd9Sstevel@tonic-gate "_forw", &replay.client)))
2177c478bd9Sstevel@tonic-gate goto error;
2187c478bd9Sstevel@tonic-gate
2197c478bd9Sstevel@tonic-gate replay.server = ""; /* XXX */
2207c478bd9Sstevel@tonic-gate replay.cusec = replaydata.usec;
2217c478bd9Sstevel@tonic-gate replay.ctime = replaydata.timestamp;
2227c478bd9Sstevel@tonic-gate if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
2237c478bd9Sstevel@tonic-gate krb5_xfree(replay.client);
2247c478bd9Sstevel@tonic-gate goto error;
2257c478bd9Sstevel@tonic-gate }
2267c478bd9Sstevel@tonic-gate krb5_xfree(replay.client);
2277c478bd9Sstevel@tonic-gate }
2287c478bd9Sstevel@tonic-gate
2297c478bd9Sstevel@tonic-gate if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
2307c478bd9Sstevel@tonic-gate if (auth_context->remote_seq_number != replaydata.seq) {
2317c478bd9Sstevel@tonic-gate retval = KRB5KRB_AP_ERR_BADORDER;
2327c478bd9Sstevel@tonic-gate goto error;
2337c478bd9Sstevel@tonic-gate }
2347c478bd9Sstevel@tonic-gate auth_context->remote_seq_number++;
2357c478bd9Sstevel@tonic-gate }
2367c478bd9Sstevel@tonic-gate
2377c478bd9Sstevel@tonic-gate if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
2387c478bd9Sstevel@tonic-gate (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
2397c478bd9Sstevel@tonic-gate outdata->timestamp = replaydata.timestamp;
2407c478bd9Sstevel@tonic-gate outdata->usec = replaydata.usec;
2417c478bd9Sstevel@tonic-gate outdata->seq = replaydata.seq;
2427c478bd9Sstevel@tonic-gate }
2437c478bd9Sstevel@tonic-gate
244159d09a2SMark Phalan error:;
2457c478bd9Sstevel@tonic-gate if (retval) {
2467c478bd9Sstevel@tonic-gate krb5_free_tgt_creds(context, *pppcreds);
2477c478bd9Sstevel@tonic-gate *pppcreds = NULL;
2487c478bd9Sstevel@tonic-gate }
2497c478bd9Sstevel@tonic-gate return retval;
2507c478bd9Sstevel@tonic-gate }
251159d09a2SMark Phalan
252