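/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */


#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"

#include <stddef.h>		/* NULL */
#include <stdlib.h>		/* malloc, labs */
#include <string.h>		/* memset, memcpy */
#include <errno.h>		/* ENOMEM */

/*-------------------- decrypt_credencdata --------------------*/

/*
 * Decrypt the enc_part of a krb5_cred with pkeyblock and decode the
 * plaintext into *pcredenc.
 *
 * pkeyblock may be NULL (Solaris Kerberos); the ciphertext bytes are
 * then used as plaintext without any cryptographic check.
 *
 * Returns 0 on success, in which case the pointers inside *pcredenc
 * are owned by the caller and released with krb5_free_cred_enc_part().
 * On failure *pcredenc is left untouched and the error code (ENOMEM,
 * or the krb5_c_decrypt / decoder error) is returned.
 */
/*ARGSUSED*/
static krb5_error_code
decrypt_credencdata(krb5_context context, krb5_cred *pcred,
    krb5_keyblock *pkeyblock, krb5_cred_enc_part *pcredenc)
{
	krb5_cred_enc_part *ppart = NULL;
	krb5_error_code retval;
	krb5_data scratch;

	scratch.length = pcred->enc_part.ciphertext.length;
	scratch.data = malloc(scratch.length);
	if (scratch.data == NULL)
		return (ENOMEM);

	if (pkeyblock != NULL) {
		retval = krb5_c_decrypt(context, pkeyblock,
		    KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
		    &pcred->enc_part, &scratch);
		if (retval)
			goto cleanup;
	} else {
		/* Solaris Kerberos: no key, enc_part is taken as cleartext */
		(void) memcpy(scratch.data, pcred->enc_part.ciphertext.data,
		    scratch.length);
	}

	/* now decode the decrypted stuff */
	retval = decode_krb5_enc_cred_part(&scratch, &ppart);
	if (retval)
		goto cleanup;

	/* Shallow copy: *pcredenc takes over everything *ppart points at. */
	*pcredenc = *ppart;
	retval = 0;

cleanup:
	if (ppart != NULL) {
		/* Only the container goes; its contents now belong to *pcredenc. */
		(void) memset(ppart, 0, sizeof (*ppart));
		krb5_xfree(ppart);
	}
	/*
	 * Solaris Kerberos: scrub the plaintext before releasing it.
	 * A plain memset right before free may be elided by the
	 * compiler; a non-elidable zeroing helper would be stronger.
	 */
	(void) memset(scratch.data, 0, scratch.length);
	krb5_xfree(scratch.data);

	return (retval);
}

/*----------------------- krb5_rd_cred_basic -----------------------*/

/*
 * Decode a KRB-CRED message, decrypt its enc_part with pkeyblock (NULL
 * means unencrypted) and build a NULL-terminated array of krb5_creds
 * in *pppcreds, one entry per ticket.  The enc_part's timestamp, usec
 * and nonce are copied into *replaydata for the caller's replay checks.
 *
 * On success the array is owned by the caller and freed with
 * krb5_free_tgt_creds().  On failure *pppcreds is NULL.
 */
static krb5_error_code
krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
    krb5_keyblock *pkeyblock, krb5_replay_data *replaydata,
    krb5_creds ***pppcreds)
{
	krb5_error_code retval;
	krb5_cred *pcred;
	krb5_int32 ncreds;
	krb5_int32 i;
	krb5_cred_enc_part encpart;

	/* Never hand an undefined or already-freed pointer back. */
	*pppcreds = NULL;

	/* decode cred message */
	retval = decode_krb5_cred(pcreddata, &pcred);
	if (retval)
		return (retval);

	/* Solaris Kerberos */
	(void) memset(&encpart, 0, sizeof (encpart));

	retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart);
	if (retval)
		goto cleanup_cred;

	replaydata->timestamp = encpart.timestamp;
	replaydata->usec = encpart.usec;
	replaydata->seq = encpart.nonce;

	/*
	 * Allocate the list of creds.  The memory is allocated so that
	 * krb5_free_tgt_creds can be used to free the list.  calloc keeps
	 * every slot NULL, so the list is terminated at all times and can
	 * be handed to krb5_free_tgt_creds from any point of the loop.
	 */
	for (ncreds = 0; pcred->tickets[ncreds] != NULL; ncreds++)
		;

	*pppcreds = calloc((size_t)ncreds + 1, sizeof (krb5_creds *));
	if (*pppcreds == NULL) {
		retval = ENOMEM;
		goto cleanup_cred;
	}

	/*
	 * For each ticket, create a structure in the list of credentials
	 * and copy the matching ticket_info entry into it.
	 */
	for (i = 0; i < ncreds; i++) {
		krb5_cred_info *pinfo;
		krb5_creds *pcur;
		krb5_data *pdata;

		/*
		 * The ticket list sits outside the encrypted part, so its
		 * length is not authenticated and need not match the
		 * ticket_info list.  A shorter ticket_info list would
		 * otherwise be dereferenced through its NULL terminator.
		 */
		if (encpart.ticket_info == NULL ||
		    encpart.ticket_info[i] == NULL) {
			retval = KRB5KRB_AP_ERR_MODIFIED;
			goto cleanup;
		}
		pinfo = encpart.ticket_info[i];

		pcur = calloc(1, sizeof (*pcur));
		if (pcur == NULL) {
			retval = ENOMEM;
			goto cleanup;
		}
		(*pppcreds)[i] = pcur;

		/*
		 * NOTE(review): pname/sname are OPTIONAL in KrbCredInfo, so
		 * pinfo->client / pinfo->server may be NULL after decoding;
		 * confirm krb5_copy_principal tolerates that.
		 */
		retval = krb5_copy_principal(context, pinfo->client,
		    &pcur->client);
		if (retval)
			goto cleanup;

		retval = krb5_copy_principal(context, pinfo->server,
		    &pcur->server);
		if (retval)
			goto cleanup;

		retval = krb5_copy_keyblock_contents(context, pinfo->session,
		    &pcur->keyblock);
		if (retval)
			goto cleanup;

		retval = krb5_copy_addresses(context, pinfo->caddrs,
		    &pcur->addresses);
		if (retval)
			goto cleanup;

		retval = encode_krb5_ticket(pcred->tickets[i], &pdata);
		if (retval)
			goto cleanup;

		/* Take over the encoded bytes; only the wrapper is freed. */
		pcur->ticket = *pdata;
		krb5_xfree(pdata);

		pcur->is_skey = FALSE;
		pcur->magic = KV5M_CREDS;
		pcur->times = pinfo->times;
		pcur->ticket_flags = pinfo->flags;
		pcur->authdata = NULL;		/* not used */
		/* second_ticket and the rest are already zero from calloc */
	}

cleanup:
	if (retval) {
		krb5_free_tgt_creds(context, *pppcreds);
		*pppcreds = NULL;	/* don't return a dangling pointer */
	}

cleanup_cred:
	krb5_free_cred(context, pcred);
	krb5_free_cred_enc_part(context, &encpart);

	return (retval);
}

/*----------------------- krb5_rd_cred -----------------------*/

/*
 * True when date lies within context->clockskew of currenttime (both
 * taken from the enclosing scope).  The operands are widened to long
 * before subtracting so a far-off timestamp from the peer cannot
 * overflow the krb5_int32 difference.
 */
#define	in_clock_skew(date) \
	(labs((long)(date) - (long)currenttime) < context->clockskew)

/*
 * This function takes as input a KRB_CRED message, validates it, and
 * outputs the nonce and an array of the forwarded credentials.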
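 */

/*
 * Arguments:
 *   auth_context   supplies the decryption keys (recv_subkey first, then
 *                  keyblock), the replay cache and the DO_/RET_ flags
 *   pcreddata      the raw KRB-CRED message
 *   pppcreds       receives a NULL-terminated krb5_creds array, freed by
 *                  the caller with krb5_free_tgt_creds(); NULL on failure
 *   outdata        receives timestamp/usec/seq when RET_TIME or
 *                  RET_SEQUENCE is set (must be non-NULL in that case)
 *
 * Returns 0 on success; KRB5_RC_REQUIRED when a needed outdata or
 * rcache is missing, KRB5KRB_AP_ERR_SKEW / KRB5KRB_AP_ERR_BADORDER
 * when the time or sequence checks fail, or the underlying error.
 */
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
    krb5_data *pcreddata, krb5_creds ***pppcreds,
    krb5_replay_data *outdata)
{
	krb5_error_code retval;
	krb5_keyblock *keyblock;
	krb5_replay_data replaydata;

	/* Get keyblock: prefer the receiver subkey, else the session key */
	keyblock = auth_context->recv_subkey;
	if (keyblock == NULL)
		keyblock = auth_context->keyblock;

	if ((auth_context->auth_context_flags &
	    (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
	    outdata == NULL) {
		/* Need a better error */
		return (KRB5_RC_REQUIRED);
	}

	if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
	    auth_context->rcache == NULL)
		return (KRB5_RC_REQUIRED);

	/*
	 * If decrypting with the first keyblock we try fails, perhaps the
	 * credentials are stored in the session key so try decrypting with
	 * that.  The retry is skipped when it would use the very same key.
	 */
	retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
	    &replaydata, pppcreds);
	if (retval && keyblock != auth_context->keyblock) {
		retval = krb5_rd_cred_basic(context, pcreddata,
		    auth_context->keyblock, &replaydata, pppcreds);
	}
	if (retval) {
		/* Whatever the helper allocated is already freed. */
		*pppcreds = NULL;
		return (retval);
	}

	if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
		krb5_donot_replay replay;
		krb5_timestamp currenttime;

		retval = krb5_timeofday(context, &currenttime);
		if (retval)
			goto error;

		/* Out-of-skew messages are rejected before touching the rcache. */
		if (!in_clock_skew(replaydata.timestamp)) {
			retval = KRB5KRB_AP_ERR_SKEW;
			goto error;
		}

		retval = krb5_gen_replay_name(context, auth_context->remote_addr,
		    "_forw", &replay.client);
		if (retval)
			goto error;

		replay.server = "";		/* XXX */
		replay.cusec = replaydata.usec;
		replay.ctime = replaydata.timestamp;
		retval = krb5_rc_store(context, auth_context->rcache, &replay);
		krb5_xfree(replay.client);	/* freed on both outcomes */
		if (retval)
			goto error;
	}

	if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
		if (auth_context->remote_seq_number != replaydata.seq) {
			retval = KRB5KRB_AP_ERR_BADORDER;
			goto error;
		}
		auth_context->remote_seq_number++;
	}

	if (auth_context->auth_context_flags &
	    (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
		outdata->timestamp = replaydata.timestamp;
		outdata->usec = replaydata.usec;
		outdata->seq = replaydata.seq;
	}

error:
	if (retval) {
		krb5_free_tgt_creds(context, *pppcreds);
		*pppcreds = NULL;
	}
	return (retval);
}
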