Line data Source code
1 : /*
2 : * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #include "krb5_locl.h"
35 :
36 : static krb5_error_code
37 48027 : add_auth_data(krb5_context context,
38 : AuthorizationData *src,
39 : AuthorizationData **dst)
40 : {
41 48027 : krb5_error_code ret = 0;
42 1672 : size_t i;
43 :
44 48027 : if (*dst == NULL &&
45 48027 : (*dst = calloc(1, sizeof(**dst))) == NULL)
46 0 : return krb5_enomem(context);
47 96054 : for (i = 0; ret == 0 && i < src->len; i++)
48 48027 : ret = add_AuthorizationData(*dst, &src->val[i]);
49 46355 : return ret;
50 : }
51 :
52 : static krb5_error_code
53 24230 : add_etypelist(krb5_context context,
54 : krb5_authdata *auth_data)
55 : {
56 1042 : AuthorizationDataElement ade;
57 1042 : EtypeList etypes;
58 1042 : krb5_error_code ret;
59 1042 : krb5_data e;
60 24230 : size_t len = 0;
61 :
62 24230 : ret = _krb5_init_etype(context, KRB5_PDU_NONE,
63 : &etypes.len, &etypes.val,
64 : NULL);
65 24230 : if (ret)
66 0 : return ret;
67 :
68 24230 : ASN1_MALLOC_ENCODE(EtypeList, e.data, e.length, &etypes, &len, ret);
69 24230 : if (ret) {
70 0 : free_EtypeList(&etypes);
71 0 : return ret;
72 : }
73 24230 : if(e.length != len)
74 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
75 24230 : free_EtypeList(&etypes);
76 :
77 24230 : ade.ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
78 24230 : ade.ad_data = e;
79 :
80 24230 : ret = add_AuthorizationData(auth_data, &ade);
81 :
82 24230 : krb5_data_free(&e);
83 :
84 24230 : return ret;
85 : }
86 :
87 : static krb5_error_code
88 24230 : add_ap_options(krb5_context context,
89 : krb5_boolean channel_bound,
90 : krb5_authdata *auth_data)
91 : {
92 1042 : krb5_error_code ret;
93 1042 : AuthorizationDataElement ade;
94 1042 : krb5_boolean require_cb;
95 1042 : uint8_t ap_options[4];
96 :
97 24230 : require_cb = krb5_config_get_bool_default(context, NULL, FALSE,
98 : "libdefaults",
99 : "client_aware_channel_bindings",
100 : NULL);
101 :
102 24230 : if (channel_bound)
103 23156 : require_cb = TRUE;
104 :
105 23188 : if (!require_cb)
106 32 : return 0;
107 :
108 24198 : ap_options[0] = (KERB_AP_OPTIONS_CBT >> 0 ) & 0xFF;
109 24198 : ap_options[1] = (KERB_AP_OPTIONS_CBT >> 8 ) & 0xFF;
110 24198 : ap_options[2] = (KERB_AP_OPTIONS_CBT >> 16) & 0xFF;
111 24198 : ap_options[3] = (KERB_AP_OPTIONS_CBT >> 24) & 0xFF;
112 :
113 24198 : ade.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
114 24198 : ade.ad_data.length = sizeof(ap_options);
115 24198 : ade.ad_data.data = ap_options;
116 :
117 24198 : ret = add_AuthorizationData(auth_data, &ade);
118 :
119 24198 : return ret;
120 : }
121 :
122 : static krb5_error_code
123 24230 : add_target_principal(krb5_context context,
124 : krb5_const_principal server,
125 : krb5_authdata *auth_data)
126 : {
127 1042 : krb5_error_code ret;
128 1042 : AuthorizationDataElement ade;
129 24230 : char *s, *s2 = NULL;
130 1042 : size_t s2_len;
131 :
132 24230 : if (server == NULL) {
133 0 : return 0;
134 : }
135 :
136 24230 : ret = krb5_unparse_name_flags(context, server,
137 : KRB5_PRINCIPAL_UNPARSE_DISPLAY,
138 : &s);
139 24230 : if (ret)
140 0 : return ret;
141 :
142 : {
143 1042 : size_t ucs2_len;
144 1042 : uint16_t *ucs2;
145 1042 : unsigned int flags;
146 :
147 24230 : ret = wind_utf8ucs2_length(s, &ucs2_len);
148 24230 : if (ret) {
149 0 : krb5_set_error_message(context, ret, "Principal %s is not valid UTF-8", s);
150 0 : free(s);
151 0 : return ret;
152 : }
153 :
154 24230 : ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
155 24230 : if (ucs2 == NULL) {
156 0 : free(s);
157 0 : return krb5_enomem(context);
158 : }
159 :
160 24230 : ret = wind_utf8ucs2(s, ucs2, &ucs2_len);
161 24230 : if (ret) {
162 0 : free(ucs2);
163 0 : krb5_set_error_message(context, ret, "Principal %s is not valid UTF-8", s);
164 0 : free(s);
165 0 : return ret;
166 : } else
167 24230 : free(s);
168 :
169 24230 : s2_len = (ucs2_len + 1) * 2;
170 24230 : s2 = malloc(s2_len);
171 24230 : if (s2 == NULL) {
172 0 : free(ucs2);
173 0 : return krb5_enomem(context);
174 : }
175 :
176 24230 : flags = WIND_RW_LE;
177 24230 : ret = wind_ucs2write(ucs2, ucs2_len,
178 : &flags, s2, &s2_len);
179 24230 : free(ucs2);
180 24230 : if (ret) {
181 0 : free(s2);
182 0 : krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer");
183 0 : return ret;
184 : }
185 :
186 : /*
187 : * we do not want zero termination
188 : */
189 24230 : s2_len = ucs2_len * 2;
190 : }
191 :
192 24230 : ade.ad_type = KRB5_AUTHDATA_TARGET_PRINCIPAL;
193 24230 : ade.ad_data.length = s2_len;
194 24230 : ade.ad_data.data = s2;
195 :
196 24230 : ret = add_AuthorizationData(auth_data, &ade);
197 24230 : free(s2);
198 :
199 24230 : return ret;
200 : }
201 :
202 : static krb5_error_code
203 24230 : make_ap_authdata(krb5_context context,
204 : krb5_boolean channel_bound,
205 : krb5_const_principal server,
206 : krb5_authdata **auth_data)
207 : {
208 1042 : krb5_error_code ret;
209 1042 : AuthorizationData ad;
210 1042 : krb5_data ir;
211 1042 : size_t len;
212 :
213 24230 : ad.len = 0;
214 24230 : ad.val = NULL;
215 :
216 24230 : ret = add_etypelist(context, &ad);
217 24230 : if (ret)
218 0 : return ret;
219 :
220 : /*
221 : * Windows has a bug and only looks for first occurrence of AD-IF-RELEVANT
222 : * in the AP authenticator when looking for AD-AP-OPTIONS. Make sure to
223 : * bundle it together with etypes.
224 : */
225 24230 : ret = add_ap_options(context, channel_bound, &ad);
226 24230 : if (ret) {
227 0 : free_AuthorizationData(&ad);
228 0 : return ret;
229 : }
230 :
231 24230 : ret = add_target_principal(context, server, &ad);
232 24230 : if (ret) {
233 0 : free_AuthorizationData(&ad);
234 0 : return ret;
235 : }
236 :
237 24230 : ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad, &len, ret);
238 24230 : if (ret) {
239 0 : free_AuthorizationData(&ad);
240 0 : return ret;
241 : }
242 24230 : if(ir.length != len)
243 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
244 :
245 24230 : ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
246 : auth_data);
247 :
248 24230 : free_AuthorizationData(&ad);
249 24230 : krb5_data_free(&ir);
250 :
251 24230 : return ret;
252 : }
253 :
254 : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
255 78594 : _krb5_build_authenticator (krb5_context context,
256 : krb5_auth_context auth_context,
257 : krb5_enctype enctype,
258 : krb5_creds *cred,
259 : Checksum *cksum,
260 : krb5_boolean channel_bound,
261 : krb5_data *result,
262 : krb5_key_usage usage)
263 : {
264 2714 : Authenticator auth;
265 78594 : u_char *buf = NULL;
266 2714 : size_t buf_size;
267 78594 : size_t len = 0;
268 2714 : krb5_error_code ret;
269 2714 : krb5_crypto crypto;
270 :
271 78594 : memset(&auth, 0, sizeof(auth));
272 :
273 78594 : auth.authenticator_vno = 5;
274 78594 : ret = copy_Realm(&cred->client->realm, &auth.crealm);
275 78594 : if (ret)
276 0 : goto fail;
277 78594 : ret = copy_PrincipalName(&cred->client->name, &auth.cname);
278 78594 : if (ret)
279 0 : goto fail;
280 :
281 78594 : krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
282 :
283 78594 : ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
284 78594 : if(ret)
285 0 : goto fail;
286 :
287 78594 : if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
288 24327 : if(auth_context->local_seqnumber == 0)
289 24327 : krb5_generate_seq_number (context,
290 24327 : &cred->session,
291 : &auth_context->local_seqnumber);
292 24327 : ALLOC(auth.seq_number, 1);
293 24327 : if(auth.seq_number == NULL) {
294 0 : ret = krb5_enomem(context);
295 0 : goto fail;
296 : }
297 24327 : *auth.seq_number = auth_context->local_seqnumber;
298 : } else
299 54267 : auth.seq_number = NULL;
300 78594 : auth.authorization_data = NULL;
301 :
302 78594 : if (cksum) {
303 78516 : ALLOC(auth.cksum, 1);
304 78516 : if (auth.cksum == NULL) {
305 0 : ret = krb5_enomem(context);
306 0 : goto fail;
307 : }
308 78516 : ret = copy_Checksum(cksum, auth.cksum);
309 78516 : if (ret)
310 0 : goto fail;
311 :
312 78516 : if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
313 : /*
314 : * This is not GSS-API specific, we only enable it for
315 : * GSS for now
316 : */
317 25272 : ret = make_ap_authdata(context,
318 : channel_bound,
319 24230 : cred->server,
320 : &auth.authorization_data);
321 24230 : if (ret)
322 0 : goto fail;
323 : }
324 : }
325 :
326 : /* Copy other authz data from auth_context */
327 78594 : if (auth_context->auth_data) {
328 48027 : ret = add_auth_data(context, auth_context->auth_data, &auth.authorization_data);
329 48027 : if (ret)
330 0 : goto fail;
331 : }
332 :
333 : /* XXX - Copy more to auth_context? */
334 :
335 78594 : auth_context->authenticator->ctime = auth.ctime;
336 78594 : auth_context->authenticator->cusec = auth.cusec;
337 :
338 78594 : ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
339 78594 : if (ret)
340 0 : goto fail;
341 78594 : if(buf_size != len)
342 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
343 :
344 78594 : ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
345 78594 : if (ret)
346 0 : goto fail;
347 78594 : ret = krb5_encrypt (context,
348 : crypto,
349 : usage /* KRB5_KU_AP_REQ_AUTH */,
350 : buf,
351 : len,
352 : result);
353 78594 : krb5_crypto_destroy(context, crypto);
354 :
355 78594 : if (ret)
356 0 : goto fail;
357 :
358 78594 : fail:
359 78594 : free_Authenticator (&auth);
360 78594 : free (buf);
361 :
362 78594 : return ret;
363 : }
|