Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

ticket.c

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 23.0 KB

Line
1	/*
2	* Copyright (c) 1997 - 2001 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in the
17	* documentation and/or other materials provided with the distribution.
18	*
19	* 3. Neither the name of the Institute nor the names of its contributors
20	* may be used to endorse or promote products derived from this software
21	* without specific prior written permission.
22	*
23	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33	* SUCH DAMAGE.
34	*/
35
36	#include "krb5_locl.h"
37
38	/**
39	* Free ticket and content
40	*
41	* @param context a Kerberos 5 context
42	* @param ticket ticket to free
43	*
44	* @return Returns 0 to indicate success. Otherwise an kerberos et
45	* error code is returned, see krb5_get_error_message().
46	*
47	* @ingroup krb5
48	*/
49
50	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
51	krb5_free_ticket(krb5_context context,
52	krb5_ticket *ticket)
53	{
54	free_EncTicketPart(&ticket->ticket);
55	krb5_free_principal(context, ticket->client);
56	krb5_free_principal(context, ticket->server);
57	free(ticket);
58	return 0;
59	}
60
61	/**
62	* Copy ticket and content
63	*
64	* @param context a Kerberos 5 context
65	* @param from ticket to copy
66	* @param to new copy of ticket, free with krb5_free_ticket()
67	*
68	* @return Returns 0 to indicate success. Otherwise an kerberos et
69	* error code is returned, see krb5_get_error_message().
70	*
71	* @ingroup krb5
72	*/
73
74	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
75	krb5_copy_ticket(krb5_context context,
76	const krb5_ticket *from,
77	krb5_ticket **to)
78	{
79	krb5_error_code ret;
80	krb5_ticket *tmp;
81
82	*to = NULL;
83	tmp = malloc(sizeof(*tmp));
84	if(tmp == NULL) {
85	krb5_set_error_message(context, ENOMEM,
86	N_("malloc: out of memory", ""));
87	return ENOMEM;
88	}
89	if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
90	free(tmp);
91	return ret;
92	}
93	ret = krb5_copy_principal(context, from->client, &tmp->client);
94	if(ret){
95	free_EncTicketPart(&tmp->ticket);
96	free(tmp);
97	return ret;
98	}
99	ret = krb5_copy_principal(context, from->server, &tmp->server);
100	if(ret){
101	krb5_free_principal(context, tmp->client);
102	free_EncTicketPart(&tmp->ticket);
103	free(tmp);
104	return ret;
105	}
106	*to = tmp;
107	return 0;
108	}
109
110	/**
111	* Return client principal in ticket
112	*
113	* @param context a Kerberos 5 context
114	* @param ticket ticket to copy
115	* @param client client principal, free with krb5_free_principal()
116	*
117	* @return Returns 0 to indicate success. Otherwise an kerberos et
118	* error code is returned, see krb5_get_error_message().
119	*
120	* @ingroup krb5
121	*/
122
123	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
124	krb5_ticket_get_client(krb5_context context,
125	const krb5_ticket *ticket,
126	krb5_principal *client)
127	{
128	return krb5_copy_principal(context, ticket->client, client);
129	}
130
131	/**
132	* Return server principal in ticket
133	*
134	* @param context a Kerberos 5 context
135	* @param ticket ticket to copy
136	* @param server server principal, free with krb5_free_principal()
137	*
138	* @return Returns 0 to indicate success. Otherwise an kerberos et
139	* error code is returned, see krb5_get_error_message().
140	*
141	* @ingroup krb5
142	*/
143
144	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
145	krb5_ticket_get_server(krb5_context context,
146	const krb5_ticket *ticket,
147	krb5_principal *server)
148	{
149	return krb5_copy_principal(context, ticket->server, server);
150	}
151
152	/**
153	* Return end time of ticket
154	*
155	* @param context a Kerberos 5 context
156	* @param ticket ticket to copy
157	*
158	* @return end time of ticket
159	*
160	* @ingroup krb5
161	*/
162
163	KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
164	krb5_ticket_get_endtime(krb5_context context,
165	const krb5_ticket *ticket)
166	{
167	return ticket->ticket.endtime;
168	}
169
170	/**
171	* Get the flags from the Kerberos ticket
172	*
173	* @param context Kerberos context
174	* @param ticket Kerberos ticket
175	*
176	* @return ticket flags
177	*
178	* @ingroup krb5_ticket
179	*/
180	KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
181	krb5_ticket_get_flags(krb5_context context,
182	const krb5_ticket *ticket)
183	{
184	return TicketFlags2int(ticket->ticket.flags);
185	}
186
187	static int
188	find_type_in_ad(krb5_context context,
189	int type,
190	krb5_data *data,
191	krb5_boolean *found,
192	krb5_boolean failp,
193	krb5_keyblock *sessionkey,
194	const AuthorizationData *ad,
195	int level)
196	{
197	krb5_error_code ret = 0;
198	int i;
199
200	if (level > 9) {
201	ret = ENOENT; /* XXX */
202	krb5_set_error_message(context, ret,
203	N_("Authorization data nested deeper "
204	"then %d levels, stop searching", ""),
205	level);
206	goto out;
207	}
208
209	/*
210	* Only copy out the element the first time we get to it, we need
211	* to run over the whole authorization data fields to check if
212	* there are any container clases we need to care about.
213	*/
214	for (i = 0; i < ad->len; i++) {
215	if (!*found && ad->val[i].ad_type == type) {
216	ret = der_copy_octet_string(&ad->val[i].ad_data, data);
217	if (ret) {
218	krb5_set_error_message(context, ret,
219	N_("malloc: out of memory", ""));
220	goto out;
221	}
222	*found = TRUE;
223	continue;
224	}
225	switch (ad->val[i].ad_type) {
226	case KRB5_AUTHDATA_IF_RELEVANT: {
227	AuthorizationData child;
228	ret = decode_AuthorizationData(ad->val[i].ad_data.data,
229	ad->val[i].ad_data.length,
230	&child,
231	NULL);
232	if (ret) {
233	krb5_set_error_message(context, ret,
234	N_("Failed to decode "
235	"IF_RELEVANT with %d", ""),
236	(int)ret);
237	goto out;
238	}
239	ret = find_type_in_ad(context, type, data, found, FALSE,
240	sessionkey, &child, level + 1);
241	free_AuthorizationData(&child);
242	if (ret)
243	goto out;
244	break;
245	}
246	#if 0 /* XXX test */
247	case KRB5_AUTHDATA_KDC_ISSUED: {
248	AD_KDCIssued child;
249
250	ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
251	ad->val[i].ad_data.length,
252	&child,
253	NULL);
254	if (ret) {
255	krb5_set_error_message(context, ret,
256	N_("Failed to decode "
257	"AD_KDCIssued with %d", ""),
258	ret);
259	goto out;
260	}
261	if (failp) {
262	krb5_boolean valid;
263	krb5_data buf;
264	size_t len;
265
266	ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
267	&child.elements, &len, ret);
268	if (ret) {
269	free_AD_KDCIssued(&child);
270	krb5_clear_error_message(context);
271	goto out;
272	}
273	if(buf.length != len)
274	krb5_abortx(context, "internal error in ASN.1 encoder");
275
276	ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
277	&child.ad_checksum, &valid);
278	krb5_data_free(&buf);
279	if (ret) {
280	free_AD_KDCIssued(&child);
281	goto out;
282	}
283	if (!valid) {
284	krb5_clear_error_message(context);
285	ret = ENOENT;
286	free_AD_KDCIssued(&child);
287	goto out;
288	}
289	}
290	ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
291	&child.elements, level + 1);
292	free_AD_KDCIssued(&child);
293	if (ret)
294	goto out;
295	break;
296	}
297	#endif
298	case KRB5_AUTHDATA_AND_OR:
299	if (!failp)
300	break;
301	ret = ENOENT; /* XXX */
302	krb5_set_error_message(context, ret,
303	N_("Authorization data contains "
304	"AND-OR element that is unknown to the "
305	"application", ""));
306	goto out;
307	default:
308	if (!failp)
309	break;
310	ret = ENOENT; /* XXX */
311	krb5_set_error_message(context, ret,
312	N_("Authorization data contains "
313	"unknown type (%d) ", ""),
314	ad->val[i].ad_type);
315	goto out;
316	}
317	}
318	out:
319	if (ret) {
320	if (*found) {
321	krb5_data_free(data);
322	*found = 0;
323	}
324	}
325	return ret;
326	}
327
328	/**
329	* Extract the authorization data type of type from the ticket. Store
330	* the field in data. This function is to use for kerberos
331	* applications.
332	*
333	* @param context a Kerberos 5 context
334	* @param ticket Kerberos ticket
335	* @param type type to fetch
336	* @param data returned data, free with krb5_data_free()
337	*
338	* @ingroup krb5
339	*/
340
341	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
342	krb5_ticket_get_authorization_data_type(krb5_context context,
343	krb5_ticket *ticket,
344	int type,
345	krb5_data *data)
346	{
347	AuthorizationData *ad;
348	krb5_error_code ret;
349	krb5_boolean found = FALSE;
350
351	krb5_data_zero(data);
352
353	ad = ticket->ticket.authorization_data;
354	if (ticket->ticket.authorization_data == NULL) {
355	krb5_set_error_message(context, ENOENT,
356	N_("Ticket have not authorization data", ""));
357	return ENOENT; /* XXX */
358	}
359
360	ret = find_type_in_ad(context, type, data, &found, TRUE,
361	&ticket->ticket.key, ad, 0);
362	if (ret)
363	return ret;
364	if (!found) {
365	krb5_set_error_message(context, ENOENT,
366	N_("Ticket have not "
367	"authorization data of type %d", ""),
368	type);
369	return ENOENT; /* XXX */
370	}
371	return 0;
372	}
373
374	static krb5_error_code
375	check_server_referral(krb5_context context,
376	krb5_kdc_rep *rep,
377	unsigned flags,
378	krb5_const_principal requested,
379	krb5_const_principal returned,
380	krb5_keyblock * key)
381	{
382	krb5_error_code ret;
383	PA_ServerReferralData ref;
384	krb5_crypto session;
385	EncryptedData ed;
386	size_t len;
387	krb5_data data;
388	PA_DATA *pa;
389	int i = 0, cmp;
390
391	if (rep->kdc_rep.padata == NULL)
392	goto noreferral;
393
394	pa = krb5_find_padata(rep->kdc_rep.padata->val,
395	rep->kdc_rep.padata->len,
396	KRB5_PADATA_SERVER_REFERRAL, &i);
397	if (pa == NULL)
398	goto noreferral;
399
400	memset(&ed, 0, sizeof(ed));
401	memset(&ref, 0, sizeof(ref));
402
403	ret = decode_EncryptedData(pa->padata_value.data,
404	pa->padata_value.length,
405	&ed, &len);
406	if (ret)
407	return ret;
408	if (len != pa->padata_value.length) {
409	free_EncryptedData(&ed);
410	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
411	N_("Referral EncryptedData wrong for realm %s",
412	"realm"), requested->realm);
413	return KRB5KRB_AP_ERR_MODIFIED;
414	}
415
416	ret = krb5_crypto_init(context, key, 0, &session);
417	if (ret) {
418	free_EncryptedData(&ed);
419	return ret;
420	}
421
422	ret = krb5_decrypt_EncryptedData(context, session,
423	KRB5_KU_PA_SERVER_REFERRAL,
424	&ed, &data);
425	free_EncryptedData(&ed);
426	krb5_crypto_destroy(context, session);
427	if (ret)
428	return ret;
429
430	ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
431	if (ret) {
432	krb5_data_free(&data);
433	return ret;
434	}
435	krb5_data_free(&data);
436
437	if (strcmp(requested->realm, returned->realm) != 0) {
438	free_PA_ServerReferralData(&ref);
439	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
440	N_("server ref realm mismatch, "
441	"requested realm %s got back %s", ""),
442	requested->realm, returned->realm);
443	return KRB5KRB_AP_ERR_MODIFIED;
444	}
445
446	if (krb5_principal_is_krbtgt(context, returned)) {
447	const char *realm = returned->name.name_string.val[1];
448
449	if (ref.referred_realm == NULL
450	\|\| strcmp(*ref.referred_realm, realm) != 0)
451	{
452	free_PA_ServerReferralData(&ref);
453	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
454	N_("tgt returned with wrong ref", ""));
455	return KRB5KRB_AP_ERR_MODIFIED;
456	}
457	} else if (krb5_principal_compare(context, returned, requested) == 0) {
458	free_PA_ServerReferralData(&ref);
459	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
460	N_("req princ no same as returned", ""));
461	return KRB5KRB_AP_ERR_MODIFIED;
462	}
463
464	if (ref.requested_principal_name) {
465	cmp = _krb5_principal_compare_PrincipalName(context,
466	requested,
467	ref.requested_principal_name);
468	if (!cmp) {
469	free_PA_ServerReferralData(&ref);
470	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
471	N_("referred principal not same "
472	"as requested", ""));
473	return KRB5KRB_AP_ERR_MODIFIED;
474	}
475	} else if (flags & EXTRACT_TICKET_AS_REQ) {
476	free_PA_ServerReferralData(&ref);
477	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
478	N_("Requested principal missing on AS-REQ", ""));
479	return KRB5KRB_AP_ERR_MODIFIED;
480	}
481
482	free_PA_ServerReferralData(&ref);
483
484	return ret;
485	noreferral:
486	/*
487	* Expect excact match or that we got a krbtgt
488	*/
489	if (krb5_principal_compare(context, requested, returned) != TRUE &&
490	(krb5_realm_compare(context, requested, returned) != TRUE &&
491	krb5_principal_is_krbtgt(context, returned) != TRUE))
492	{
493	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
494	N_("Not same server principal returned "
495	"as requested", ""));
496	return KRB5KRB_AP_ERR_MODIFIED;
497	}
498	return 0;
499	}
500
501
502	/*
503	* Verify referral data
504	*/
505
506
507	static krb5_error_code
508	check_client_referral(krb5_context context,
509	krb5_kdc_rep *rep,
510	krb5_const_principal requested,
511	krb5_const_principal mapped,
512	krb5_keyblock const * key)
513	{
514	krb5_error_code ret;
515	PA_ClientCanonicalized canon;
516	krb5_crypto crypto;
517	krb5_data data;
518	PA_DATA *pa;
519	size_t len;
520	int i = 0;
521
522	if (rep->kdc_rep.padata == NULL)
523	goto noreferral;
524
525	pa = krb5_find_padata(rep->kdc_rep.padata->val,
526	rep->kdc_rep.padata->len,
527	KRB5_PADATA_CLIENT_CANONICALIZED, &i);
528	if (pa == NULL)
529	goto noreferral;
530
531	ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
532	pa->padata_value.length,
533	&canon, &len);
534	if (ret) {
535	krb5_set_error_message(context, ret,
536	N_("Failed to decode ClientCanonicalized "
537	"from realm %s", ""), requested->realm);
538	return ret;
539	}
540
541	ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
542	&canon.names, &len, ret);
543	if (ret) {
544	free_PA_ClientCanonicalized(&canon);
545	return ret;
546	}
547	if (data.length != len)
548	krb5_abortx(context, "internal asn.1 error");
549
550	ret = krb5_crypto_init(context, key, 0, &crypto);
551	if (ret) {
552	free(data.data);
553	free_PA_ClientCanonicalized(&canon);
554	return ret;
555	}
556
557	ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
558	data.data, data.length,
559	&canon.canon_checksum);
560	krb5_crypto_destroy(context, crypto);
561	free(data.data);
562	if (ret) {
563	krb5_set_error_message(context, ret,
564	N_("Failed to verify client canonicalized "
565	"data from realm %s", ""),
566	requested->realm);
567	free_PA_ClientCanonicalized(&canon);
568	return ret;
569	}
570
571	if (!_krb5_principal_compare_PrincipalName(context,
572	requested,
573	&canon.names.requested_name))
574	{
575	free_PA_ClientCanonicalized(&canon);
576	krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
577	N_("Requested name doesn't match"
578	" in client referral", ""));
579	return KRB5_PRINC_NOMATCH;
580	}
581	if (!_krb5_principal_compare_PrincipalName(context,
582	mapped,
583	&canon.names.mapped_name))
584	{
585	free_PA_ClientCanonicalized(&canon);
586	krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
587	N_("Mapped name doesn't match"
588	" in client referral", ""));
589	return KRB5_PRINC_NOMATCH;
590	}
591
592	return 0;
593
594	noreferral:
595	if (krb5_principal_compare(context, requested, mapped) == FALSE) {
596	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
597	N_("Not same client principal returned "
598	"as requested", ""));
599	return KRB5KRB_AP_ERR_MODIFIED;
600	}
601	return 0;
602	}
603
604
605	static krb5_error_code KRB5_CALLCONV
606	decrypt_tkt (krb5_context context,
607	krb5_keyblock *key,
608	krb5_key_usage usage,
609	krb5_const_pointer decrypt_arg,
610	krb5_kdc_rep *dec_rep)
611	{
612	krb5_error_code ret;
613	krb5_data data;
614	size_t size;
615	krb5_crypto crypto;
616
617	ret = krb5_crypto_init(context, key, 0, &crypto);
618	if (ret)
619	return ret;
620
621	ret = krb5_decrypt_EncryptedData (context,
622	crypto,
623	usage,
624	&dec_rep->kdc_rep.enc_part,
625	&data);
626	krb5_crypto_destroy(context, crypto);
627
628	if (ret)
629	return ret;
630
631	ret = decode_EncASRepPart(data.data,
632	data.length,
633	&dec_rep->enc_part,
634	&size);
635	if (ret)
636	ret = decode_EncTGSRepPart(data.data,
637	data.length,
638	&dec_rep->enc_part,
639	&size);
640	krb5_data_free (&data);
641	if (ret) {
642	krb5_set_error_message(context, ret,
643	N_("Failed to decode encpart in ticket", ""));
644	return ret;
645	}
646	return 0;
647	}
648
649	int
650	_krb5_extract_ticket(krb5_context context,
651	krb5_kdc_rep *rep,
652	krb5_creds *creds,
653	krb5_keyblock *key,
654	krb5_const_pointer keyseed,
655	krb5_key_usage key_usage,
656	krb5_addresses *addrs,
657	unsigned nonce,
658	unsigned flags,
659	krb5_decrypt_proc decrypt_proc,
660	krb5_const_pointer decryptarg)
661	{
662	krb5_error_code ret;
663	krb5_principal tmp_principal;
664	size_t len;
665	time_t tmp_time;
666	krb5_timestamp sec_now;
667
668	/* decrypt */
669
670	if (decrypt_proc == NULL)
671	decrypt_proc = decrypt_tkt;
672
673	ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
674	if (ret)
675	goto out;
676
677	/* save session key */
678
679	creds->session.keyvalue.length = 0;
680	creds->session.keyvalue.data = NULL;
681	creds->session.keytype = rep->enc_part.key.keytype;
682	ret = krb5_data_copy (&creds->session.keyvalue,
683	rep->enc_part.key.keyvalue.data,
684	rep->enc_part.key.keyvalue.length);
685	if (ret) {
686	krb5_clear_error_message(context);
687	goto out;
688	}
689
690	/*
691	* HACK:
692	* this is really a ugly hack, to support using the Netbios Domain Name
693	* as realm against windows KDC's, they always return the full realm
694	* based on the DNS Name.
695	*/
696	flags \|= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
697	flags \|= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
698
699	/* compare client and save */
700	ret = _krb5_principalname2krb5_principal (context,
701	&tmp_principal,
702	rep->kdc_rep.cname,
703	rep->kdc_rep.crealm);
704	if (ret)
705	goto out;
706
707	/* check client referral and save principal */
708	/* anonymous here ? */
709	if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
710	ret = check_client_referral(context, rep,
711	creds->client,
712	tmp_principal,
713	&creds->session);
714	if (ret) {
715	krb5_free_principal (context, tmp_principal);
716	goto out;
717	}
718	}
719	krb5_free_principal (context, creds->client);
720	creds->client = tmp_principal;
721
722	/* check server referral and save principal */
723	ret = _krb5_principalname2krb5_principal (context,
724	&tmp_principal,
725	rep->kdc_rep.ticket.sname,
726	rep->kdc_rep.ticket.realm);
727	if (ret)
728	goto out;
729	if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
730	ret = check_server_referral(context,
731	rep,
732	flags,
733	creds->server,
734	tmp_principal,
735	&creds->session);
736	if (ret) {
737	krb5_free_principal (context, tmp_principal);
738	goto out;
739	}
740	}
741	krb5_free_principal(context, creds->server);
742	creds->server = tmp_principal;
743
744	/* verify names */
745	if(flags & EXTRACT_TICKET_MATCH_REALM){
746	const char *srealm = krb5_principal_get_realm(context, creds->server);
747	const char *crealm = krb5_principal_get_realm(context, creds->client);
748
749	if (strcmp(rep->enc_part.srealm, srealm) != 0 \|\|
750	strcmp(rep->enc_part.srealm, crealm) != 0)
751	{
752	ret = KRB5KRB_AP_ERR_MODIFIED;
753	krb5_clear_error_message(context);
754	goto out;
755	}
756	}
757
758	/* compare nonces */
759
760	if (nonce != rep->enc_part.nonce) {
761	ret = KRB5KRB_AP_ERR_MODIFIED;
762	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
763	goto out;
764	}
765
766	/* set kdc-offset */
767
768	krb5_timeofday (context, &sec_now);
769	if (rep->enc_part.flags.initial
770	&& (flags & EXTRACT_TICKET_TIMESYNC)
771	&& context->kdc_sec_offset == 0
772	&& krb5_config_get_bool (context, NULL,
773	"libdefaults",
774	"kdc_timesync",
775	NULL)) {
776	context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
777	krb5_timeofday (context, &sec_now);
778	}
779
780	/* check all times */
781
782	if (rep->enc_part.starttime) {
783	tmp_time = *rep->enc_part.starttime;
784	} else
785	tmp_time = rep->enc_part.authtime;
786
787	if (creds->times.starttime == 0
788	&& abs(tmp_time - sec_now) > context->max_skew) {
789	ret = KRB5KRB_AP_ERR_SKEW;
790	krb5_set_error_message (context, ret,
791	N_("time skew (%d) larger than max (%d)", ""),
792	abs(tmp_time - sec_now),
793	(int)context->max_skew);
794	goto out;
795	}
796
797	if (creds->times.starttime != 0
798	&& tmp_time != creds->times.starttime) {
799	krb5_clear_error_message (context);
800	ret = KRB5KRB_AP_ERR_MODIFIED;
801	goto out;
802	}
803
804	creds->times.starttime = tmp_time;
805
806	if (rep->enc_part.renew_till) {
807	tmp_time = *rep->enc_part.renew_till;
808	} else
809	tmp_time = 0;
810
811	if (creds->times.renew_till != 0
812	&& tmp_time > creds->times.renew_till) {
813	krb5_clear_error_message (context);
814	ret = KRB5KRB_AP_ERR_MODIFIED;
815	goto out;
816	}
817
818	creds->times.renew_till = tmp_time;
819
820	creds->times.authtime = rep->enc_part.authtime;
821
822	if (creds->times.endtime != 0
823	&& rep->enc_part.endtime > creds->times.endtime) {
824	krb5_clear_error_message (context);
825	ret = KRB5KRB_AP_ERR_MODIFIED;
826	goto out;
827	}
828
829	creds->times.endtime = rep->enc_part.endtime;
830
831	if(rep->enc_part.caddr)
832	krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
833	else if(addrs)
834	krb5_copy_addresses (context, addrs, &creds->addresses);
835	else {
836	creds->addresses.len = 0;
837	creds->addresses.val = NULL;
838	}
839	creds->flags.b = rep->enc_part.flags;
840
841	creds->authdata.len = 0;
842	creds->authdata.val = NULL;
843
844	/* extract ticket */
845	ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
846	&rep->kdc_rep.ticket, &len, ret);
847	if(ret)
848	goto out;
849	if (creds->ticket.length != len)
850	krb5_abortx(context, "internal error in ASN.1 encoder");
851	creds->second_ticket.length = 0;
852	creds->second_ticket.data = NULL;
853
854
855	out:
856	memset (rep->enc_part.key.keyvalue.data, 0,
857	rep->enc_part.key.keyvalue.length);
858	return ret;
859	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source4/heimdal/lib/krb5/ticket.c

Download in other formats: