search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / crypto / dist / heimdal / kdc / 524.c
blobdf967a71a1734d0867bc4346fbef4ea9576989f5
1 /*
2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 __RCSID("$Heimdal: 524.c 18270 2006-10-06 17:06:30Z lha $"
37 "$NetBSD$");
38
39 #include <krb5-v4compat.h>
40
41 /*
42 * fetch the server from `t', returning the name in malloced memory in
43 * `spn' and the entry itself in `server'
44 */
45
46 static krb5_error_code
47 fetch_server (krb5_context context,
48 krb5_kdc_configuration *config,
49 const Ticket *t,
50 char **spn,
51 hdb_entry_ex **server,
52 const char *from)
53 {
54 krb5_error_code ret;
55 krb5_principal sprinc;
56
57 ret = _krb5_principalname2krb5_principal(context, &sprinc,
58 t->sname, t->realm);
59 if (ret) {
60 kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
61 krb5_get_err_text(context, ret));
62 return ret;
63 }
64 ret = krb5_unparse_name(context, sprinc, spn);
65 if (ret) {
66 krb5_free_principal(context, sprinc);
67 kdc_log(context, config, 0, "krb5_unparse_name: %s",
68 krb5_get_err_text(context, ret));
69 return ret;
70 }
71 ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER,
72 NULL, server);
73 krb5_free_principal(context, sprinc);
74 if (ret) {
75 kdc_log(context, config, 0,
76 "Request to convert ticket from %s for unknown principal %s: %s",
77 from, *spn, krb5_get_err_text(context, ret));
78 if (ret == HDB_ERR_NOENTRY)
79 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
80 return ret;
81 }
82 return 0;
83 }
84
85 static krb5_error_code
86 log_524 (krb5_context context,
87 krb5_kdc_configuration *config,
88 const EncTicketPart *et,
89 const char *from,
90 const char *spn)
91 {
92 krb5_principal client;
93 char *cpn;
94 krb5_error_code ret;
95
96 ret = _krb5_principalname2krb5_principal(context, &client,
97 et->cname, et->crealm);
98 if (ret) {
99 kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
100 krb5_get_err_text (context, ret));
101 return ret;
102 }
103 ret = krb5_unparse_name(context, client, &cpn);
104 if (ret) {
105 krb5_free_principal(context, client);
106 kdc_log(context, config, 0, "krb5_unparse_name: %s",
107 krb5_get_err_text (context, ret));
108 return ret;
109 }
110 kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
111 free(cpn);
112 krb5_free_principal(context, client);
113 return 0;
114 }
115
116 static krb5_error_code
117 verify_flags (krb5_context context,
118 krb5_kdc_configuration *config,
119 const EncTicketPart *et,
120 const char *spn)
121 {
122 if(et->endtime < kdc_time){
123 kdc_log(context, config, 0, "Ticket expired (%s)", spn);
124 return KRB5KRB_AP_ERR_TKT_EXPIRED;
125 }
126 if(et->flags.invalid){
127 kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
128 return KRB5KRB_AP_ERR_TKT_NYV;
129 }
130 return 0;
131 }
132
133 /*
134 * set the `et->caddr' to the most appropriate address to use, where
135 * `addr' is the address the request was received from.
136 */
137
138 static krb5_error_code
139 set_address (krb5_context context,
140 krb5_kdc_configuration *config,
141 EncTicketPart *et,
142 struct sockaddr *addr,
143 const char *from)
144 {
145 krb5_error_code ret;
146 krb5_address *v4_addr;
147
148 v4_addr = malloc (sizeof(*v4_addr));
149 if (v4_addr == NULL)
150 return ENOMEM;
151
152 ret = krb5_sockaddr2address(context, addr, v4_addr);
153 if(ret) {
154 free (v4_addr);
155 kdc_log(context, config, 0, "Failed to convert address (%s)", from);
156 return ret;
157 }
158
159 if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
160 kdc_log(context, config, 0, "Incorrect network address (%s)", from);
161 krb5_free_address(context, v4_addr);
162 free (v4_addr);
163 return KRB5KRB_AP_ERR_BADADDR;
164 }
165 if(v4_addr->addr_type == KRB5_ADDRESS_INET) {
166 /* we need to collapse the addresses in the ticket to a
167 single address; best guess is to use the address the
168 connection came from */
169
170 if (et->caddr != NULL) {
171 free_HostAddresses(et->caddr);
172 } else {
173 et->caddr = malloc (sizeof (*et->caddr));
174 if (et->caddr == NULL) {
175 krb5_free_address(context, v4_addr);
176 free(v4_addr);
177 return ENOMEM;
178 }
179 }
180 et->caddr->val = v4_addr;
181 et->caddr->len = 1;
182 } else {
183 krb5_free_address(context, v4_addr);
184 free(v4_addr);
185 }
186 return 0;
187 }
188
189
190 static krb5_error_code
191 encrypt_v4_ticket(krb5_context context,
192 krb5_kdc_configuration *config,
193 void *buf,
194 size_t len,
195 krb5_keyblock *skey,
196 EncryptedData *reply)
197 {
198 krb5_crypto crypto;
199 krb5_error_code ret;
200 ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
201 if (ret) {
202 free(buf);
203 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
204 krb5_get_err_text(context, ret));
205 return ret;
206 }
207
208 ret = krb5_encrypt_EncryptedData(context,
209 crypto,
210 KRB5_KU_TICKET,
211 buf,
212 len,
213 0,
214 reply);
215 krb5_crypto_destroy(context, crypto);
216 if(ret) {
217 kdc_log(context, config, 0, "Failed to encrypt data: %s",
218 krb5_get_err_text(context, ret));
219 return ret;
220 }
221 return 0;
222 }
223
224 static krb5_error_code
225 encode_524_response(krb5_context context,
226 krb5_kdc_configuration *config,
227 const char *spn, const EncTicketPart et,
228 const Ticket *t, hdb_entry_ex *server,
229 EncryptedData *ticket, int *kvno)
230 {
231 krb5_error_code ret;
232 int use_2b;
233 size_t len;
234
235 use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL);
236 if(use_2b) {
237 ASN1_MALLOC_ENCODE(EncryptedData,
238 ticket->cipher.data, ticket->cipher.length,
239 &t->enc_part, &len, ret);
240
241 if (ret) {
242 kdc_log(context, config, 0,
243 "Failed to encode v4 (2b) ticket (%s)", spn);
244 return ret;
245 }
246
247 ticket->etype = 0;
248 ticket->kvno = NULL;
249 *kvno = 213; /* 2b's use this magic kvno */
250 } else {
251 unsigned char buf[MAX_KTXT_LEN + 4 * 4];
252 Key *skey;
253
254 if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
255 kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
256 t->realm);
257 return KRB5KDC_ERR_POLICY;
258 }
259
260 ret = _kdc_encode_v4_ticket(context, config,
261 buf + sizeof(buf) - 1, sizeof(buf),
262 &et, &t->sname, &len);
263 if(ret){
264 kdc_log(context, config, 0,
265 "Failed to encode v4 ticket (%s)", spn);
266 return ret;
267 }
268 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
269 if(ret){
270 kdc_log(context, config, 0,
271 "no suitable DES key for server (%s)", spn);
272 return ret;
273 }
274 ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len,
275 &skey->key, ticket);
276 if(ret){
277 kdc_log(context, config, 0,
278 "Failed to encrypt v4 ticket (%s)", spn);
279 return ret;
280 }
281 *kvno = server->entry.kvno;
282 }
283
284 return 0;
285 }
286
287 /*
288 * process a 5->4 request, based on `t', and received `from, addr',
289 * returning the reply in `reply'
290 */
291
292 krb5_error_code
293 _kdc_do_524(krb5_context context,
294 krb5_kdc_configuration *config,
295 const Ticket *t, krb5_data *reply,
296 const char *from, struct sockaddr *addr)
297 {
298 krb5_error_code ret = 0;
299 krb5_crypto crypto;
300 hdb_entry_ex *server = NULL;
301 Key *skey;
302 krb5_data et_data;
303 EncTicketPart et;
304 EncryptedData ticket;
305 krb5_storage *sp;
306 char *spn = NULL;
307 unsigned char buf[MAX_KTXT_LEN + 4 * 4];
308 size_t len;
309 int kvno = 0;
310
311 if(!config->enable_524) {
312 ret = KRB5KDC_ERR_POLICY;
313 kdc_log(context, config, 0,
314 "Rejected ticket conversion request from %s", from);
315 goto out;
316 }
317
318 ret = fetch_server (context, config, t, &spn, &server, from);
319 if (ret) {
320 goto out;
321 }
322
323 ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey);
324 if(ret){
325 kdc_log(context, config, 0,
326 "No suitable key found for server (%s) from %s", spn, from);
327 goto out;
328 }
329 ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
330 if (ret) {
331 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
332 krb5_get_err_text(context, ret));
333 goto out;
334 }
335 ret = krb5_decrypt_EncryptedData (context,
336 crypto,
337 KRB5_KU_TICKET,
338 &t->enc_part,
339 &et_data);
340 krb5_crypto_destroy(context, crypto);
341 if(ret){
342 kdc_log(context, config, 0,
343 "Failed to decrypt ticket from %s for %s", from, spn);
344 goto out;
345 }
346 ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
347 &et, &len);
348 krb5_data_free(&et_data);
349 if(ret){
350 kdc_log(context, config, 0,
351 "Failed to decode ticket from %s for %s", from, spn);
352 goto out;
353 }
354
355 ret = log_524 (context, config, &et, from, spn);
356 if (ret) {
357 free_EncTicketPart(&et);
358 goto out;
359 }
360
361 ret = verify_flags (context, config, &et, spn);
362 if (ret) {
363 free_EncTicketPart(&et);
364 goto out;
365 }
366
367 ret = set_address (context, config, &et, addr, from);
368 if (ret) {
369 free_EncTicketPart(&et);
370 goto out;
371 }
372
373 ret = encode_524_response(context, config, spn, et, t,
374 server, &ticket, &kvno);
375 free_EncTicketPart(&et);
376
377 out:
378 /* make reply */
379 memset(buf, 0, sizeof(buf));
380 sp = krb5_storage_from_mem(buf, sizeof(buf));
381 if (sp) {
382 krb5_store_int32(sp, ret);
383 if(ret == 0){
384 krb5_store_int32(sp, kvno);
385 krb5_store_data(sp, ticket.cipher);
386 /* Aargh! This is coded as a KTEXT_ST. */
387 krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
388 krb5_store_int32(sp, 0); /* mbz */
389 free_EncryptedData(&ticket);
390 }
391 ret = krb5_storage_to_data(sp, reply);
392 reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
393 krb5_storage_free(sp);
394 } else
395 krb5_data_zero(reply);
396 if(spn)
397 free(spn);
398 if(server)
399 _kdc_free_ent (context, server);
400 return ret;
401 }
NetBSD on the FriendlyARM MINI2440