Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/heimdal/lib/krb5/pac.c

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 26.2 KB

Line
1	/*
2	* Copyright (c) 2006 - 2007 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	*
13	* 2. Redistributions in binary form must reproduce the above copyright
14	* notice, this list of conditions and the following disclaimer in the
15	* documentation and/or other materials provided with the distribution.
16	*
17	* 3. Neither the name of the Institute nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include "krb5_locl.h"
35	#include <wind.h>
36
37	struct PAC_INFO_BUFFER {
38	uint32_t type;
39	uint32_t buffersize;
40	uint32_t offset_hi;
41	uint32_t offset_lo;
42	};
43
44	struct PACTYPE {
45	uint32_t numbuffers;
46	uint32_t version;
47	struct PAC_INFO_BUFFER buffers[1];
48	};
49
50	struct krb5_pac_data {
51	struct PACTYPE *pac;
52	krb5_data data;
53	struct PAC_INFO_BUFFER *server_checksum;
54	struct PAC_INFO_BUFFER *privsvr_checksum;
55	struct PAC_INFO_BUFFER *logon_name;
56	};
57
58	#define PAC_ALIGNMENT 8
59
60	#define PACTYPE_SIZE 8
61	#define PAC_INFO_BUFFER_SIZE 16
62
63	#define PAC_SERVER_CHECKSUM 6
64	#define PAC_PRIVSVR_CHECKSUM 7
65	#define PAC_LOGON_NAME 10
66	#define PAC_CONSTRAINED_DELEGATION 11
67
68	#define CHECK(r,f,l) \
69	do { \
70	if (((r) = f ) != 0) { \
71	krb5_clear_error_message(context); \
72	goto l; \
73	} \
74	} while(0)
75
76	static const char zeros[PAC_ALIGNMENT] = { 0 };
77
78	/*
79	*
80	*/
81
82	krb5_error_code
83	krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
84	krb5_pac *pac)
85	{
86	krb5_error_code ret;
87	krb5_pac p;
88	krb5_storage *sp = NULL;
89	uint32_t i, tmp, tmp2, header_end;
90
91	p = calloc(1, sizeof(*p));
92	if (p == NULL) {
93	ret = ENOMEM;
94	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
95	goto out;
96	}
97
98	sp = krb5_storage_from_readonly_mem(ptr, len);
99	if (sp == NULL) {
100	ret = ENOMEM;
101	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
102	goto out;
103	}
104	krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
105
106	CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
107	CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
108	if (tmp < 1) {
109	ret = EINVAL; /* Too few buffers */
110	krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
111	goto out;
112	}
113	if (tmp2 != 0) {
114	ret = EINVAL; /* Wrong version */
115	krb5_set_error_message(context, ret,
116	N_("PAC have wrong version %d", ""),
117	(int)tmp2);
118	goto out;
119	}
120
121	p->pac = calloc(1,
122	sizeof(p->pac) + (sizeof(p->pac->buffers[0]) (tmp - 1)));
123	if (p->pac == NULL) {
124	ret = ENOMEM;
125	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
126	goto out;
127	}
128
129	p->pac->numbuffers = tmp;
130	p->pac->version = tmp2;
131
132	header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
133	if (header_end > len) {
134	ret = EINVAL;
135	goto out;
136	}
137
138	for (i = 0; i < p->pac->numbuffers; i++) {
139	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out);
140	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out);
141	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out);
142	CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out);
143
144	/* consistency checks */
145	if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
146	ret = EINVAL;
147	krb5_set_error_message(context, ret,
148	N_("PAC out of allignment", ""));
149	goto out;
150	}
151	if (p->pac->buffers[i].offset_hi) {
152	ret = EINVAL;
153	krb5_set_error_message(context, ret,
154	N_("PAC high offset set", ""));
155	goto out;
156	}
157	if (p->pac->buffers[i].offset_lo > len) {
158	ret = EINVAL;
159	krb5_set_error_message(context, ret,
160	N_("PAC offset off end", ""));
161	goto out;
162	}
163	if (p->pac->buffers[i].offset_lo < header_end) {
164	ret = EINVAL;
165	krb5_set_error_message(context, ret,
166	N_("PAC offset inside header: %lu %lu", ""),
167	(unsigned long)p->pac->buffers[i].offset_lo,
168	(unsigned long)header_end);
169	goto out;
170	}
171	if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
172	ret = EINVAL;
173	krb5_set_error_message(context, ret, N_("PAC length off end", ""));
174	goto out;
175	}
176
177	/* let save pointer to data we need later */
178	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
179	if (p->server_checksum) {
180	ret = EINVAL;
181	krb5_set_error_message(context, ret,
182	N_("PAC have two server checksums", ""));
183	goto out;
184	}
185	p->server_checksum = &p->pac->buffers[i];
186	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
187	if (p->privsvr_checksum) {
188	ret = EINVAL;
189	krb5_set_error_message(context, ret,
190	N_("PAC have two KDC checksums", ""));
191	goto out;
192	}
193	p->privsvr_checksum = &p->pac->buffers[i];
194	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
195	if (p->logon_name) {
196	ret = EINVAL;
197	krb5_set_error_message(context, ret,
198	N_("PAC have two logon names", ""));
199	goto out;
200	}
201	p->logon_name = &p->pac->buffers[i];
202	}
203	}
204
205	ret = krb5_data_copy(&p->data, ptr, len);
206	if (ret)
207	goto out;
208
209	krb5_storage_free(sp);
210
211	*pac = p;
212	return 0;
213
214	out:
215	if (sp)
216	krb5_storage_free(sp);
217	if (p) {
218	if (p->pac)
219	free(p->pac);
220	free(p);
221	}
222	*pac = NULL;
223
224	return ret;
225	}
226
227	krb5_error_code
228	krb5_pac_init(krb5_context context, krb5_pac *pac)
229	{
230	krb5_error_code ret;
231	krb5_pac p;
232
233	p = calloc(1, sizeof(*p));
234	if (p == NULL) {
235	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
236	return ENOMEM;
237	}
238
239	p->pac = calloc(1, sizeof(*p->pac));
240	if (p->pac == NULL) {
241	free(p);
242	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
243	return ENOMEM;
244	}
245
246	ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
247	if (ret) {
248	free (p->pac);
249	free(p);
250	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
251	return ret;
252	}
253
254
255	*pac = p;
256	return 0;
257	}
258
259	krb5_error_code
260	krb5_pac_add_buffer(krb5_context context, krb5_pac p,
261	uint32_t type, const krb5_data *data)
262	{
263	krb5_error_code ret;
264	void *ptr;
265	size_t len, offset, header_end, old_end;
266	uint32_t i;
267
268	len = p->pac->numbuffers;
269
270	ptr = realloc(p->pac,
271	sizeof(p->pac) + (sizeof(p->pac->buffers[0]) len));
272	if (ptr == NULL) {
273	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
274	return ENOMEM;
275	}
276	p->pac = ptr;
277
278	for (i = 0; i < len; i++)
279	p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
280
281	offset = p->data.length + PAC_INFO_BUFFER_SIZE;
282
283	p->pac->buffers[len].type = type;
284	p->pac->buffers[len].buffersize = data->length;
285	p->pac->buffers[len].offset_lo = offset;
286	p->pac->buffers[len].offset_hi = 0;
287
288	old_end = p->data.length;
289	len = p->data.length + data->length + PAC_INFO_BUFFER_SIZE;
290	if (len < p->data.length) {
291	krb5_set_error_message(context, EINVAL, "integer overrun");
292	return EINVAL;
293	}
294
295	/* align to PAC_ALIGNMENT */
296	len = ((len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
297
298	ret = krb5_data_realloc(&p->data, len);
299	if (ret) {
300	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
301	return ret;
302	}
303
304	/*
305	* make place for new PAC INFO BUFFER header
306	*/
307	header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
308	memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
309	(unsigned char *)p->data.data + header_end ,
310	old_end - header_end);
311	memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE);
312
313	/*
314	* copy in new data part
315	*/
316
317	memcpy((unsigned char *)p->data.data + offset,
318	data->data, data->length);
319	memset((unsigned char *)p->data.data + offset + data->length,
320	0, p->data.length - offset - data->length);
321
322	p->pac->numbuffers += 1;
323
324	return 0;
325	}
326
327	/**
328	* Get the PAC buffer of specific type from the pac.
329	*
330	* @param context Kerberos 5 context.
331	* @param p the pac structure returned by krb5_pac_parse().
332	* @param type type of buffer to get
333	* @param data return data, free with krb5_data_free().
334	*
335	* @return Returns 0 to indicate success. Otherwise an kerberos et
336	* error code is returned, see krb5_get_error_message().
337	*
338	* @ingroup krb5_pac
339	*/
340
341	krb5_error_code
342	krb5_pac_get_buffer(krb5_context context, krb5_pac p,
343	uint32_t type, krb5_data *data)
344	{
345	krb5_error_code ret;
346	uint32_t i;
347
348	for (i = 0; i < p->pac->numbuffers; i++) {
349	const size_t len = p->pac->buffers[i].buffersize;
350	const size_t offset = p->pac->buffers[i].offset_lo;
351
352	if (p->pac->buffers[i].type != type)
353	continue;
354
355	ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
356	if (ret) {
357	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
358	return ret;
359	}
360	return 0;
361	}
362	krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
363	(unsigned long)type);
364	return ENOENT;
365	}
366
367	/*
368	*
369	*/
370
371	krb5_error_code
372	krb5_pac_get_types(krb5_context context,
373	krb5_pac p,
374	size_t *len,
375	uint32_t **types)
376	{
377	size_t i;
378
379	types = calloc(p->pac->numbuffers, sizeof(types));
380	if (*types == NULL) {
381	*len = 0;
382	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
383	return ENOMEM;
384	}
385	for (i = 0; i < p->pac->numbuffers; i++)
386	(*types)[i] = p->pac->buffers[i].type;
387	*len = p->pac->numbuffers;
388
389	return 0;
390	}
391
392	/*
393	*
394	*/
395
396	void
397	krb5_pac_free(krb5_context context, krb5_pac pac)
398	{
399	krb5_data_free(&pac->data);
400	free(pac->pac);
401	free(pac);
402	}
403
404	/*
405	*
406	*/
407
408	static krb5_error_code
409	verify_checksum(krb5_context context,
410	const struct PAC_INFO_BUFFER *sig,
411	const krb5_data *data,
412	void *ptr, size_t len,
413	const krb5_keyblock *key)
414	{
415	krb5_crypto crypto = NULL;
416	krb5_storage *sp = NULL;
417	uint32_t type;
418	krb5_error_code ret;
419	Checksum cksum;
420
421	memset(&cksum, 0, sizeof(cksum));
422
423	sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
424	sig->buffersize);
425	if (sp == NULL) {
426	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
427	return ENOMEM;
428	}
429	krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
430
431	CHECK(ret, krb5_ret_uint32(sp, &type), out);
432	cksum.cksumtype = type;
433	cksum.checksum.length =
434	sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
435	cksum.checksum.data = malloc(cksum.checksum.length);
436	if (cksum.checksum.data == NULL) {
437	ret = ENOMEM;
438	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
439	goto out;
440	}
441	ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
442	if (ret != cksum.checksum.length) {
443	ret = EINVAL;
444	krb5_set_error_message(context, ret, "PAC checksum missing checksum");
445	goto out;
446	}
447
448	if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
449	ret = EINVAL;
450	krb5_set_error_message(context, ret, "Checksum type %d not keyed",
451	cksum.cksumtype);
452	goto out;
453	}
454
455	ret = krb5_crypto_init(context, key, 0, &crypto);
456	if (ret)
457	goto out;
458
459	ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
460	ptr, len, &cksum);
461	free(cksum.checksum.data);
462	krb5_crypto_destroy(context, crypto);
463	krb5_storage_free(sp);
464
465	return ret;
466
467	out:
468	if (cksum.checksum.data)
469	free(cksum.checksum.data);
470	if (sp)
471	krb5_storage_free(sp);
472	if (crypto)
473	krb5_crypto_destroy(context, crypto);
474	return ret;
475	}
476
477	static krb5_error_code
478	create_checksum(krb5_context context,
479	const krb5_keyblock *key,
480	void *data, size_t datalen,
481	void *sig, size_t siglen)
482	{
483	krb5_crypto crypto = NULL;
484	krb5_error_code ret;
485	Checksum cksum;
486
487	ret = krb5_crypto_init(context, key, 0, &crypto);
488	if (ret)
489	return ret;
490
491	ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
492	data, datalen, &cksum);
493	krb5_crypto_destroy(context, crypto);
494	if (ret)
495	return ret;
496
497	if (cksum.checksum.length != siglen) {
498	krb5_set_error_message(context, EINVAL, "pac checksum wrong length");
499	free_Checksum(&cksum);
500	return EINVAL;
501	}
502
503	memcpy(sig, cksum.checksum.data, siglen);
504	free_Checksum(&cksum);
505
506	return 0;
507	}
508
509
510	/*
511	*
512	*/
513
514	#define NTTIME_EPOCH 0x019DB1DED53E8000LL
515
516	static uint64_t
517	unix2nttime(time_t unix_time)
518	{
519	long long wt;
520	wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
521	return wt;
522	}
523
524	static krb5_error_code
525	verify_logonname(krb5_context context,
526	const struct PAC_INFO_BUFFER *logon_name,
527	const krb5_data *data,
528	time_t authtime,
529	krb5_const_principal principal)
530	{
531	krb5_error_code ret;
532	krb5_principal p2;
533	uint32_t time1, time2;
534	krb5_storage *sp;
535	uint16_t len;
536	char *s;
537
538	sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
539	logon_name->buffersize);
540	if (sp == NULL) {
541	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
542	return ENOMEM;
543	}
544
545	krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
546
547	CHECK(ret, krb5_ret_uint32(sp, &time1), out);
548	CHECK(ret, krb5_ret_uint32(sp, &time2), out);
549
550	{
551	uint64_t t1, t2;
552	t1 = unix2nttime(authtime);
553	t2 = ((uint64_t)time2 << 32) \| time1;
554	if (t1 != t2) {
555	krb5_storage_free(sp);
556	krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
557	return EINVAL;
558	}
559	}
560	CHECK(ret, krb5_ret_uint16(sp, &len), out);
561	if (len == 0) {
562	krb5_storage_free(sp);
563	krb5_set_error_message(context, EINVAL, "PAC logon name length missing");
564	return EINVAL;
565	}
566
567	s = malloc(len);
568	if (s == NULL) {
569	krb5_storage_free(sp);
570	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
571	return ENOMEM;
572	}
573	ret = krb5_storage_read(sp, s, len);
574	if (ret != len) {
575	krb5_storage_free(sp);
576	krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
577	return EINVAL;
578	}
579	krb5_storage_free(sp);
580	{
581	size_t ucs2len = len / 2;
582	uint16_t *ucs2;
583	size_t u8len;
584	unsigned int flags = WIND_RW_LE;
585
586	ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
587	if (ucs2 == NULL) {
588	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
589	return ENOMEM;
590	}
591	ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
592	free(s);
593	if (ret) {
594	free(ucs2);
595	krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
596	return ret;
597	}
598	ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
599	if (ret) {
600	free(ucs2);
601	krb5_set_error_message(context, ret, "Failed to count length of UCS-2 string");
602	return ret;
603	}
604	u8len += 1; /* Add space for NUL */
605	s = malloc(u8len);
606	if (s == NULL) {
607	free(ucs2);
608	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
609	return ENOMEM;
610	}
611	ret = wind_ucs2utf8(ucs2, ucs2len, s, &u8len);
612	free(ucs2);
613	if (ret) {
614	free(s);
615	krb5_set_error_message(context, ret, "Failed to convert to UTF-8");
616	return ret;
617	}
618	}
619	ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
620	free(s);
621	if (ret)
622	return ret;
623
624	if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) {
625	ret = EINVAL;
626	krb5_set_error_message(context, ret, "PAC logon name mismatch");
627	}
628	krb5_free_principal(context, p2);
629	return ret;
630	out:
631	return ret;
632	}
633
634	/*
635	*
636	*/
637
638	static krb5_error_code
639	build_logon_name(krb5_context context,
640	time_t authtime,
641	krb5_const_principal principal,
642	krb5_data *logon)
643	{
644	krb5_error_code ret;
645	krb5_storage *sp;
646	uint64_t t;
647	char s, s2;
648	size_t i, len;
649
650	t = unix2nttime(authtime);
651
652	krb5_data_zero(logon);
653
654	sp = krb5_storage_emem();
655	if (sp == NULL) {
656	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
657	return ENOMEM;
658	}
659	krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
660
661	CHECK(ret, krb5_store_uint32(sp, t & 0xffffffff), out);
662	CHECK(ret, krb5_store_uint32(sp, t >> 32), out);
663
664	ret = krb5_unparse_name_flags(context, principal,
665	KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s);
666	if (ret)
667	goto out;
668
669	len = strlen(s);
670
671	CHECK(ret, krb5_store_uint16(sp, len * 2), out);
672
673	#if 1 /* cheat for now */
674	s2 = malloc(len * 2);
675	if (s2 == NULL) {
676	ret = ENOMEM;
677	free(s);
678	goto out;
679	}
680	for (i = 0; i < len; i++) {
681	s2[i * 2] = s[i];
682	s2[i * 2 + 1] = 0;
683	}
684	free(s);
685	#else
686	/* write libwind code here */
687	#endif
688
689	ret = krb5_storage_write(sp, s2, len * 2);
690	free(s2);
691	if (ret != len * 2) {
692	ret = ENOMEM;
693	goto out;
694	}
695	ret = krb5_storage_to_data(sp, logon);
696	if (ret)
697	goto out;
698	krb5_storage_free(sp);
699
700	return 0;
701	out:
702	krb5_storage_free(sp);
703	return ret;
704	}
705
706
707	/**
708	* Verify the PAC.
709	*
710	* @param context Kerberos 5 context.
711	* @param pac the pac structure returned by krb5_pac_parse().
712	* @param authtime The time of the ticket the PAC belongs to.
713	* @param principal the principal to verify.
714	* @param server The service key, most always be given.
715	* @param privsvr The KDC key, may be given.
716
717	* @return Returns 0 to indicate success. Otherwise an kerberos et
718	* error code is returned, see krb5_get_error_message().
719	*
720	* @ingroup krb5_pac
721	*/
722
723	krb5_error_code
724	krb5_pac_verify(krb5_context context,
725	const krb5_pac pac,
726	time_t authtime,
727	krb5_const_principal principal,
728	const krb5_keyblock *server,
729	const krb5_keyblock *privsvr)
730	{
731	krb5_error_code ret;
732
733	if (pac->server_checksum == NULL) {
734	krb5_set_error_message(context, EINVAL, "PAC missing server checksum");
735	return EINVAL;
736	}
737	if (pac->privsvr_checksum == NULL) {
738	krb5_set_error_message(context, EINVAL, "PAC missing kdc checksum");
739	return EINVAL;
740	}
741	if (pac->logon_name == NULL) {
742	krb5_set_error_message(context, EINVAL, "PAC missing logon name");
743	return EINVAL;
744	}
745
746	ret = verify_logonname(context,
747	pac->logon_name,
748	&pac->data,
749	authtime,
750	principal);
751	if (ret)
752	return ret;
753
754	/*
755	* in the service case, clean out data option of the privsvr and
756	* server checksum before checking the checksum.
757	*/
758	{
759	krb5_data *copy;
760
761	ret = krb5_copy_data(context, &pac->data, &copy);
762	if (ret)
763	return ret;
764
765	if (pac->server_checksum->buffersize < 4)
766	return EINVAL;
767	if (pac->privsvr_checksum->buffersize < 4)
768	return EINVAL;
769
770	memset((char *)copy->data + pac->server_checksum->offset_lo + 4,
771	0,
772	pac->server_checksum->buffersize - 4);
773
774	memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4,
775	0,
776	pac->privsvr_checksum->buffersize - 4);
777
778	ret = verify_checksum(context,
779	pac->server_checksum,
780	&pac->data,
781	copy->data,
782	copy->length,
783	server);
784	krb5_free_data(context, copy);
785	if (ret)
786	return ret;
787	}
788	if (privsvr) {
789	/* The priv checksum covers the server checksum */
790	ret = verify_checksum(context,
791	pac->privsvr_checksum,
792	&pac->data,
793	(char *)pac->data.data
794	+ pac->server_checksum->offset_lo + 4,
795	pac->server_checksum->buffersize - 4,
796	privsvr);
797	if (ret)
798	return ret;
799	}
800
801	return 0;
802	}
803
804	/*
805	*
806	*/
807
808	static krb5_error_code
809	fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
810	{
811	ssize_t sret;
812	size_t l;
813
814	while (len) {
815	l = len;
816	if (l > sizeof(zeros))
817	l = sizeof(zeros);
818	sret = krb5_storage_write(sp, zeros, l);
819	if (sret <= 0) {
820	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
821	return ENOMEM;
822	}
823	len -= sret;
824	}
825	return 0;
826	}
827
828	static krb5_error_code
829	pac_checksum(krb5_context context,
830	const krb5_keyblock *key,
831	uint32_t *cksumtype,
832	size_t *cksumsize)
833	{
834	krb5_cksumtype cktype;
835	krb5_error_code ret;
836	krb5_crypto crypto = NULL;
837
838	ret = krb5_crypto_init(context, key, 0, &crypto);
839	if (ret)
840	return ret;
841
842	ret = krb5_crypto_get_checksum_type(context, crypto, &cktype);
843	krb5_crypto_destroy(context, crypto);
844	if (ret)
845	return ret;
846
847	if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
848	krb5_set_error_message(context, EINVAL, "PAC checksum type is not keyed");
849	return EINVAL;
850	}
851
852	ret = krb5_checksumsize(context, cktype, cksumsize);
853	if (ret)
854	return ret;
855
856	*cksumtype = (uint32_t)cktype;
857
858	return 0;
859	}
860
861	krb5_error_code
862	_krb5_pac_sign(krb5_context context,
863	krb5_pac p,
864	time_t authtime,
865	krb5_principal principal,
866	const krb5_keyblock *server_key,
867	const krb5_keyblock *priv_key,
868	krb5_data *data)
869	{
870	krb5_error_code ret;
871	krb5_storage sp = NULL, spdata = NULL;
872	uint32_t end;
873	size_t server_size, priv_size;
874	uint32_t server_offset = 0, priv_offset = 0;
875	uint32_t server_cksumtype = 0, priv_cksumtype = 0;
876	int i, num = 0;
877	krb5_data logon, d;
878
879	krb5_data_zero(&logon);
880
881	if (p->logon_name == NULL)
882	num++;
883	if (p->server_checksum == NULL)
884	num++;
885	if (p->privsvr_checksum == NULL)
886	num++;
887
888	if (num) {
889	void *ptr;
890
891	ptr = realloc(p->pac, sizeof(p->pac) + (sizeof(p->pac->buffers[0]) (p->pac->numbuffers + num - 1)));
892	if (ptr == NULL) {
893	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
894	return ENOMEM;
895	}
896	p->pac = ptr;
897
898	if (p->logon_name == NULL) {
899	p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
900	memset(p->logon_name, 0, sizeof(*p->logon_name));
901	p->logon_name->type = PAC_LOGON_NAME;
902	}
903	if (p->server_checksum == NULL) {
904	p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
905	memset(p->server_checksum, 0, sizeof(*p->server_checksum));
906	p->server_checksum->type = PAC_SERVER_CHECKSUM;
907	}
908	if (p->privsvr_checksum == NULL) {
909	p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
910	memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum));
911	p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
912	}
913	}
914
915	/* Calculate LOGON NAME */
916	ret = build_logon_name(context, authtime, principal, &logon);
917	if (ret)
918	goto out;
919
920	/* Set lengths for checksum */
921	ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
922	if (ret)
923	goto out;
924	ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
925	if (ret)
926	goto out;
927
928	/* Encode PAC */
929	sp = krb5_storage_emem();
930	if (sp == NULL) {
931	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
932	return ENOMEM;
933	}
934	krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
935
936	spdata = krb5_storage_emem();
937	if (spdata == NULL) {
938	krb5_storage_free(sp);
939	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
940	return ENOMEM;
941	}
942	krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
943
944	CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
945	CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
946
947	end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
948
949	for (i = 0; i < p->pac->numbuffers; i++) {
950	uint32_t len;
951	size_t sret;
952	void *ptr = NULL;
953
954	/* store data */
955
956	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
957	len = server_size + 4;
958	server_offset = end + 4;
959	CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
960	CHECK(ret, fill_zeros(context, spdata, server_size), out);
961	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
962	len = priv_size + 4;
963	priv_offset = end + 4;
964	CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
965	CHECK(ret, fill_zeros(context, spdata, priv_size), out);
966	} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
967	len = krb5_storage_write(spdata, logon.data, logon.length);
968	if (logon.length != len) {
969	ret = EINVAL;
970	goto out;
971	}
972	} else {
973	len = p->pac->buffers[i].buffersize;
974	ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo;
975
976	sret = krb5_storage_write(spdata, ptr, len);
977	if (sret != len) {
978	ret = ENOMEM;
979	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
980	goto out;
981	}
982	/* XXX if not aligned, fill_zeros */
983	}
984
985	/* write header */
986	CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
987	CHECK(ret, krb5_store_uint32(sp, len), out);
988	CHECK(ret, krb5_store_uint32(sp, end), out);
989	CHECK(ret, krb5_store_uint32(sp, 0), out);
990
991	/* advance data endpointer and align */
992	{
993	int32_t e;
994
995	end += len;
996	e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
997	if (end != e) {
998	CHECK(ret, fill_zeros(context, spdata, e - end), out);
999	}
1000	end = e;
1001	}
1002
1003	}
1004
1005	/* assert (server_offset != 0 && priv_offset != 0); */
1006
1007	/* export PAC */
1008	ret = krb5_storage_to_data(spdata, &d);
1009	if (ret) {
1010	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1011	goto out;
1012	}
1013	ret = krb5_storage_write(sp, d.data, d.length);
1014	if (ret != d.length) {
1015	krb5_data_free(&d);
1016	ret = ENOMEM;
1017	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1018	goto out;
1019	}
1020	krb5_data_free(&d);
1021
1022	ret = krb5_storage_to_data(sp, &d);
1023	if (ret) {
1024	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1025	goto out;
1026	}
1027
1028	/* sign */
1029
1030	ret = create_checksum(context, server_key,
1031	d.data, d.length,
1032	(char *)d.data + server_offset, server_size);
1033	if (ret) {
1034	krb5_data_free(&d);
1035	goto out;
1036	}
1037
1038	ret = create_checksum(context, priv_key,
1039	(char *)d.data + server_offset, server_size,
1040	(char *)d.data + priv_offset, priv_size);
1041	if (ret) {
1042	krb5_data_free(&d);
1043	goto out;
1044	}
1045
1046	/* done */
1047	*data = d;
1048
1049	krb5_data_free(&logon);
1050	krb5_storage_free(sp);
1051	krb5_storage_free(spdata);
1052
1053	return 0;
1054	out:
1055	krb5_data_free(&logon);
1056	if (sp)
1057	krb5_storage_free(sp);
1058	if (spdata)
1059	krb5_storage_free(spdata);
1060	return ret;
1061	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: