diff options
author | dfr <dfr@FreeBSD.org> | 2008-05-07 13:39:42 +0000 |
---|---|---|
committer | dfr <dfr@FreeBSD.org> | 2008-05-07 13:39:42 +0000 |
commit | 51b6601db456e699ea5d4843cbc7239ee92d9c13 (patch) | |
tree | 4dbb862199a916e3ffe75f1cb08703ec0e662ffc /crypto/heimdal/lib/krb5/rd_cred.c | |
parent | 2565fa13487d5bfc858144e431e3dfd7ffa5200e (diff) | |
download | FreeBSD-src-51b6601db456e699ea5d4843cbc7239ee92d9c13.zip FreeBSD-src-51b6601db456e699ea5d4843cbc7239ee92d9c13.tar.gz |
Vendor import of Heimdal 1.1
Diffstat (limited to 'crypto/heimdal/lib/krb5/rd_cred.c')
-rw-r--r-- | crypto/heimdal/lib/krb5/rd_cred.c | 188 |
1 files changed, 117 insertions, 71 deletions
diff --git a/crypto/heimdal/lib/krb5/rd_cred.c b/crypto/heimdal/lib/krb5/rd_cred.c index 4a7d74c..c3f7322 100644 --- a/crypto/heimdal/lib/krb5/rd_cred.c +++ b/crypto/heimdal/lib/krb5/rd_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,14 +33,32 @@ #include <krb5_locl.h> -RCSID("$Id: rd_cred.c,v 1.18 2002/09/04 16:26:05 joda Exp $"); +RCSID("$Id: rd_cred.c 20304 2007-04-11 11:15:05Z lha $"); -krb5_error_code +static krb5_error_code +compare_addrs(krb5_context context, + krb5_address *a, + krb5_address *b, + const char *message) +{ + char a_str[64], b_str[64]; + size_t len; + + if(krb5_address_compare (context, a, b)) + return 0; + + krb5_print_address (a, a_str, sizeof(a_str), &len); + krb5_print_address (b, b_str, sizeof(b_str), &len); + krb5_set_error_string(context, "%s: %s != %s", message, b_str, a_str); + return KRB5KRB_AP_ERR_BADADDR; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *in_data, krb5_creds ***ret_creds, - krb5_replay_data *out_data) + krb5_replay_data *outdata) { krb5_error_code ret; size_t len; @@ -50,12 +68,21 @@ krb5_rd_cred(krb5_context context, krb5_crypto crypto; int i; + memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); + + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && + outdata == NULL) + return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */ + *ret_creds = NULL; ret = decode_KRB_CRED(in_data->data, in_data->length, &cred, &len); - if(ret) + if(ret) { + krb5_clear_error_string(context); return ret; + } if (cred.pvno != 5) { ret = KRB5KRB_AP_ERR_BADVERSION; @@ -70,28 +97,53 @@ krb5_rd_cred(krb5_context context, } if (cred.enc_part.etype == ETYPE_NULL) { - /* DK: MIT GSS-API Compatibility */ - enc_krb_cred_part_data.length = cred.enc_part.cipher.length; - enc_krb_cred_part_data.data = cred.enc_part.cipher.data; + /* DK: MIT GSS-API Compatibility */ + enc_krb_cred_part_data.length = cred.enc_part.cipher.length; + enc_krb_cred_part_data.data = cred.enc_part.cipher.data; } else { - if (auth_context->remote_subkey) + /* Try both subkey and session key. + * + * RFC4120 claims we should use the session key, but Heimdal + * before 0.8 used the remote subkey if it was send in the + * auth_context. + */ + + if (auth_context->remote_subkey) { ret = krb5_crypto_init(context, auth_context->remote_subkey, 0, &crypto); - else + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + } + + /* + * If there was not subkey, or we failed using subkey, + * retry using the session key + */ + if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + { + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - /* DK: MIT rsh */ - if (ret) - goto out; - - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_CRED, - &cred.enc_part, - &enc_krb_cred_part_data); - - krb5_crypto_destroy(context, crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + } if (ret) goto out; } @@ -101,6 +153,8 @@ krb5_rd_cred(krb5_context context, enc_krb_cred_part_data.length, &enc_krb_cred_part, &len); + if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data) + krb5_data_free(&enc_krb_cred_part_data); if (ret) goto out; @@ -110,7 +164,6 @@ krb5_rd_cred(krb5_context context, && auth_context->remote_address && auth_context->remote_port) { krb5_address *a; - int cmp; ret = krb5_make_addrport (context, &a, auth_context->remote_address, @@ -119,18 +172,12 @@ krb5_rd_cred(krb5_context context, goto out; - cmp = krb5_address_compare (context, - a, - enc_krb_cred_part.s_address); - - krb5_free_address (context, a); - free (a); - - if (cmp == 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; + ret = compare_addrs(context, a, enc_krb_cred_part.s_address, + "sender address is wrong in received creds"); + krb5_free_address(context, a); + free(a); + if(ret) goto out; - } } /* check receiver address */ @@ -140,32 +187,24 @@ krb5_rd_cred(krb5_context context, if(auth_context->local_port && enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) { krb5_address *a; - int cmp; ret = krb5_make_addrport (context, &a, auth_context->local_address, auth_context->local_port); if (ret) goto out; - cmp = krb5_address_compare (context, - a, - enc_krb_cred_part.r_address); - krb5_free_address (context, a); - free (a); - - if (cmp == 0) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; + ret = compare_addrs(context, a, enc_krb_cred_part.r_address, + "receiver address is wrong in received creds"); + krb5_free_address(context, a); + free(a); + if(ret) goto out; - } } else { - if(!krb5_address_compare (context, - auth_context->local_address, - enc_krb_cred_part.r_address)) { - krb5_clear_error_string (context); - ret = KRB5KRB_AP_ERR_BADADDR; + ret = compare_addrs(context, auth_context->local_address, + enc_krb_cred_part.r_address, + "receiver address is wrong in received creds"); + if(ret) goto out; - } } } @@ -185,25 +224,23 @@ krb5_rd_cred(krb5_context context, } } - if(out_data != NULL) { + if ((auth_context->flags & + (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) { + /* if these fields are not present in the cred-part, silently + return zero */ + memset(outdata, 0, sizeof(*outdata)); if(enc_krb_cred_part.timestamp) - out_data->timestamp = *enc_krb_cred_part.timestamp; - else - out_data->timestamp = 0; + outdata->timestamp = *enc_krb_cred_part.timestamp; if(enc_krb_cred_part.usec) - out_data->usec = *enc_krb_cred_part.usec; - else - out_data->usec = 0; + outdata->usec = *enc_krb_cred_part.usec; if(enc_krb_cred_part.nonce) - out_data->seq = *enc_krb_cred_part.nonce; - else - out_data->seq = 0; + outdata->seq = *enc_krb_cred_part.nonce; } /* Convert to NULL terminated list of creds */ *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1, - sizeof(**ret_creds)); + sizeof(**ret_creds)); if (*ret_creds == NULL) { ret = ENOMEM; @@ -214,7 +251,6 @@ krb5_rd_cred(krb5_context context, for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) { KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i]; krb5_creds *creds; - size_t len; creds = calloc(1, sizeof(*creds)); if(creds == NULL) { @@ -225,15 +261,18 @@ krb5_rd_cred(krb5_context context, ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, &cred.tickets.val[i], &len, ret); - if (ret) + if (ret) { + free(creds); goto out; + } if(creds->ticket.length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); copy_EncryptionKey (&kci->key, &creds->session); if (kci->prealm && kci->pname) - principalname2krb5_principal (&creds->client, - *kci->pname, - *kci->prealm); + _krb5_principalname2krb5_principal (context, + &creds->client, + *kci->pname, + *kci->prealm); if (kci->flags) creds->flags.b = *kci->flags; if (kci->authtime) @@ -245,9 +284,10 @@ krb5_rd_cred(krb5_context context, if (kci->renew_till) creds->times.renew_till = *kci->renew_till; if (kci->srealm && kci->sname) - principalname2krb5_principal (&creds->server, - *kci->sname, - *kci->srealm); + _krb5_principalname2krb5_principal (context, + &creds->server, + *kci->sname, + *kci->srealm); if (kci->caddr) krb5_copy_addresses (context, kci->caddr, @@ -257,19 +297,25 @@ krb5_rd_cred(krb5_context context, } (*ret_creds)[i] = NULL; + + free_KRB_CRED (&cred); + free_EncKrbCredPart(&enc_krb_cred_part); + return 0; -out: + out: + free_EncKrbCredPart(&enc_krb_cred_part); free_KRB_CRED (&cred); if(*ret_creds) { for(i = 0; (*ret_creds)[i]; i++) krb5_free_creds(context, (*ret_creds)[i]); free(*ret_creds); + *ret_creds = NULL; } return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred2 (krb5_context context, krb5_auth_context auth_context, krb5_ccache ccache, |