d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
acf44ec222
freebsd-dev/crypto/heimdal/kdc/524.c
Mark Murray b528cefc6b Import KTH Heimdal, which will be the core of our Kerberos5. 
Userland to follow.
2000-01-09 20:58:00 +00:00

184 lines
5.6 KiB
C
Raw Blame History

/*
* Copyright (c) 1997-1999 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: 524.c,v 1.10 1999/12/02 17:04:58 joda Exp $");
#ifdef KRB4
krb5_error_code
do_524(Ticket *t, krb5_data *reply, const char *from, struct sockaddr *addr)
{
krb5_error_code ret = 0;
krb5_principal sprinc = NULL;
krb5_crypto crypto;
hdb_entry *server;
Key *skey;
krb5_data et_data;
EncTicketPart et;
EncryptedData ticket;
krb5_storage *sp;
char *spn = NULL;
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
size_t len;
principalname2krb5_principal(&sprinc, t->sname, t->realm);
krb5_unparse_name(context, sprinc, &spn);
server = db_fetch(sprinc);
if(server == NULL){
kdc_log(0, "Request to convert ticket from %s for unknown principal %s",
from, spn);
goto out;
}
ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey);
if(ret){
kdc_log(0, "No suitable key found for server (%s) "
"when converting ticket from ", spn, from);
goto out;
}
krb5_crypto_init(context, &skey->key, 0, &crypto);
ret = krb5_decrypt_EncryptedData (context,
crypto,
KRB5_KU_TICKET,
&t->enc_part,
&et_data);
krb5_crypto_destroy(context, crypto);
if(ret){
kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
goto out;
}
ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
&et, &len);
krb5_data_free(&et_data);
if(ret){
kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
goto out;
}
{
krb5_principal client;
char *cpn;
principalname2krb5_principal(&client, et.cname, et.crealm);
krb5_unparse_name(context, client, &cpn);
kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
free(cpn);
krb5_free_principal(context, client);
}
if(et.endtime < kdc_time){
kdc_log(0, "Ticket expired (%s)", spn);
free_EncTicketPart(&et);
ret = KRB5KRB_AP_ERR_TKT_EXPIRED;
goto out;
}
if(et.flags.invalid){
kdc_log(0, "Ticket not valid (%s)", spn);
free_EncTicketPart(&et);
ret = KRB5KRB_AP_ERR_TKT_NYV;
goto out;
}
{
krb5_addresses *save_caddr, new_addr;
krb5_address v4_addr;
ret = krb5_sockaddr2address(addr, &v4_addr);
if(ret) {
kdc_log(0, "Failed to convert address (%s)", spn);
free_EncTicketPart(&et);
goto out;
}
if (et.caddr && !krb5_address_search (context, &v4_addr, et.caddr)) {
kdc_log(0, "Incorrect network address (%s)", spn);
free_EncTicketPart(&et);
krb5_free_address(context, &v4_addr);
ret = KRB5KRB_AP_ERR_BADADDR;
goto out;
}
if(v4_addr.addr_type == KRB5_ADDRESS_INET) {
/* we need to collapse the addresses in the ticket to a
single address; best guess is to use the address the
connection came from */
save_caddr = et.caddr;
new_addr.len = 1;
new_addr.val = &v4_addr;
et.caddr = &new_addr;
}
ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
&et, &t->sname, &len);
if(v4_addr.addr_type == KRB5_ADDRESS_INET)
et.caddr = save_caddr;
}
free_EncTicketPart(&et);
if(ret){
kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
goto out;
}
ret = get_des_key(server, &skey);
if(ret){
kdc_log(0, "No DES key for server (%s)", spn);
goto out;
}
ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
skey->key.keyvalue.data, &ticket);
if(ret){
kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
goto out;
}
out:
/* make reply */
memset(buf, 0, sizeof(buf));
sp = krb5_storage_from_mem(buf, sizeof(buf));
krb5_store_int32(sp, ret);
if(ret == 0){
krb5_store_int32(sp, server->kvno); /* is this right? */
krb5_store_data(sp, ticket.cipher);
/* Aargh! This is coded as a KTEXT_ST. */
sp->seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
krb5_store_int32(sp, 0); /* mbz */
free_EncryptedData(&ticket);
}
ret = krb5_storage_to_data(sp, reply);
krb5_storage_free(sp);
if(spn)
free(spn);
if(sprinc)
krb5_free_principal(context, sprinc);
hdb_free_entry(context, server);
free(server);
return ret;
}
#endif
Reference in New Issue View Git Blame Copy Permalink