LCOV - code coverage report
Current view: top level - third_party/heimdal/lib/krb5 - build_auth.c (source / functions) Hit Total Coverage
Test: coverage report for master 70ed9daf Lines: 101 135 74.8 %
Date: 2024-01-11 09:59:51 Functions: 5 5 100.0 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Redistribution and use in source and binary forms, with or without
       7             :  * modification, are permitted provided that the following conditions
       8             :  * are met:
       9             :  *
      10             :  * 1. Redistributions of source code must retain the above copyright
      11             :  *    notice, this list of conditions and the following disclaimer.
      12             :  *
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * 3. Neither the name of the Institute nor the names of its contributors
      18             :  *    may be used to endorse or promote products derived from this software
      19             :  *    without specific prior written permission.
      20             :  *
      21             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      22             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      23             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      24             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      25             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      27             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      28             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      29             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      30             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      31             :  * SUCH DAMAGE.
      32             :  */
      33             : 
      34             : #include "krb5_locl.h"
      35             : 
      36             : static krb5_error_code
      37       46470 : add_auth_data(krb5_context context,
      38             :               AuthorizationData *src,
      39             :               AuthorizationData **dst)
      40             : {
      41       46470 :     krb5_error_code ret = 0;
      42        1658 :     size_t i;
      43             : 
      44       46470 :     if (*dst == NULL &&
      45       46470 :         (*dst = calloc(1, sizeof(**dst))) == NULL)
      46           0 :         return krb5_enomem(context);
      47       92940 :     for (i = 0; ret == 0 && i < src->len; i++)
      48       46470 :         ret = add_AuthorizationData(*dst, &src->val[i]);
      49       44812 :     return ret;
      50             : }
      51             : 
      52             : static krb5_error_code
      53       24121 : add_etypelist(krb5_context context,
      54             :               krb5_authdata *auth_data)
      55             : {
      56        1035 :     AuthorizationDataElement ade;
      57        1035 :     EtypeList etypes;
      58        1035 :     krb5_error_code ret;
      59        1035 :     krb5_data e;
      60       24121 :     size_t len = 0;
      61             : 
      62       24121 :     ret = _krb5_init_etype(context, KRB5_PDU_NONE,
      63             :                            &etypes.len, &etypes.val,
      64             :                            NULL);
      65       24121 :     if (ret)
      66           0 :         return ret;
      67             : 
      68       24121 :     ASN1_MALLOC_ENCODE(EtypeList, e.data, e.length, &etypes, &len, ret);
      69       24121 :     if (ret) {
      70           0 :         free_EtypeList(&etypes);
      71           0 :         return ret;
      72             :     }
      73       24121 :     if(e.length != len)
      74           0 :         krb5_abortx(context, "internal error in ASN.1 encoder");
      75       24121 :     free_EtypeList(&etypes);
      76             : 
      77       24121 :     ade.ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
      78       24121 :     ade.ad_data = e;
      79             : 
      80       24121 :     ret = add_AuthorizationData(auth_data, &ade);
      81             : 
      82       24121 :     krb5_data_free(&e);
      83             : 
      84       24121 :     return ret;
      85             : }
      86             : 
      87             : static krb5_error_code
      88       24121 : add_ap_options(krb5_context context,
      89             :                krb5_authdata *auth_data)
      90             : {
      91        1035 :     krb5_error_code ret;
      92        1035 :     AuthorizationDataElement ade;
      93        1035 :     krb5_boolean require_cb;
      94        1035 :     uint8_t ap_options[4];
      95             : 
      96       24121 :     require_cb = krb5_config_get_bool_default(context, NULL, FALSE,
      97             :                                               "libdefaults",
      98             :                                               "client_aware_channel_bindings",
      99             :                                               NULL);
     100             : 
     101       24121 :     if (!require_cb)
     102       23086 :         return 0;
     103             : 
     104           0 :     ap_options[0] = (KERB_AP_OPTIONS_CBT >> 0 ) & 0xFF;
     105           0 :     ap_options[1] = (KERB_AP_OPTIONS_CBT >> 8 ) & 0xFF;
     106           0 :     ap_options[2] = (KERB_AP_OPTIONS_CBT >> 16) & 0xFF;
     107           0 :     ap_options[3] = (KERB_AP_OPTIONS_CBT >> 24) & 0xFF;
     108             : 
     109           0 :     ade.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
     110           0 :     ade.ad_data.length = sizeof(ap_options);
     111           0 :     ade.ad_data.data = ap_options;
     112             : 
     113           0 :     ret = add_AuthorizationData(auth_data, &ade);
     114             : 
     115           0 :     return ret;
     116             : }
     117             : 
     118             : static krb5_error_code
     119       24121 : make_ap_authdata(krb5_context context,
     120             :                  krb5_authdata **auth_data)
     121             : {
     122        1035 :     krb5_error_code ret;
     123        1035 :     AuthorizationData ad;
     124        1035 :     krb5_data ir;
     125        1035 :     size_t len;
     126             : 
     127       24121 :     ad.len = 0;
     128       24121 :     ad.val = NULL;
     129             : 
     130       24121 :     ret = add_etypelist(context, &ad);
     131       24121 :     if (ret)
     132           0 :         return ret;
     133             : 
     134             :     /*
     135             :      * Windows has a bug and only looks for first occurrence of AD-IF-RELEVANT
     136             :      * in the AP authenticator when looking for AD-AP-OPTIONS. Make sure to
     137             :      * bundle it together with etypes.
     138             :      */
     139       24121 :     ret = add_ap_options(context, &ad);
     140       24121 :     if (ret) {
     141           0 :         free_AuthorizationData(&ad);
     142           0 :         return ret;
     143             :     }
     144             : 
     145       24121 :     ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad, &len, ret);
     146       24121 :     if (ret) {
     147           0 :         free_AuthorizationData(&ad);
     148           0 :         return ret;
     149             :     }
     150       24121 :     if(ir.length != len)
     151           0 :         krb5_abortx(context, "internal error in ASN.1 encoder");
     152             : 
     153       24121 :     ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
     154             :                                auth_data);
     155             : 
     156       24121 :     free_AuthorizationData(&ad);
     157       24121 :     krb5_data_free(&ir);
     158             : 
     159       24121 :     return ret;
     160             : }
     161             : 
     162             : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
     163       76960 : _krb5_build_authenticator (krb5_context context,
     164             :                            krb5_auth_context auth_context,
     165             :                            krb5_enctype enctype,
     166             :                            krb5_creds *cred,
     167             :                            Checksum *cksum,
     168             :                            krb5_data *result,
     169             :                            krb5_key_usage usage)
     170             : {
     171        2693 :     Authenticator auth;
     172       76960 :     u_char *buf = NULL;
     173        2693 :     size_t buf_size;
     174       76960 :     size_t len = 0;
     175        2693 :     krb5_error_code ret;
     176        2693 :     krb5_crypto crypto;
     177             : 
     178       76960 :     memset(&auth, 0, sizeof(auth));
     179             : 
     180       76960 :     auth.authenticator_vno = 5;
     181       76960 :     ret = copy_Realm(&cred->client->realm, &auth.crealm);
     182       76960 :     if (ret)
     183           0 :         goto fail;
     184       76960 :     ret = copy_PrincipalName(&cred->client->name, &auth.cname);
     185       76960 :     if (ret)
     186           0 :         goto fail;
     187             : 
     188       76960 :     krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
     189             : 
     190       76960 :     ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
     191       76960 :     if(ret)
     192           0 :         goto fail;
     193             : 
     194       76960 :     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
     195       24250 :         if(auth_context->local_seqnumber == 0)
     196       24250 :             krb5_generate_seq_number (context,
     197       24250 :                                       &cred->session,
     198             :                                       &auth_context->local_seqnumber);
     199       24250 :         ALLOC(auth.seq_number, 1);
     200       24250 :         if(auth.seq_number == NULL) {
     201           0 :             ret = krb5_enomem(context);
     202           0 :             goto fail;
     203             :         }
     204       24250 :         *auth.seq_number = auth_context->local_seqnumber;
     205             :     } else
     206       52710 :         auth.seq_number = NULL;
     207       76960 :     auth.authorization_data = NULL;
     208             : 
     209       76960 :     if (cksum) {
     210       76882 :         ALLOC(auth.cksum, 1);
     211       76882 :         if (auth.cksum == NULL) {
     212           0 :             ret = krb5_enomem(context);
     213           0 :             goto fail;
     214             :         }
     215       76882 :         ret = copy_Checksum(cksum, auth.cksum);
     216       76882 :         if (ret)
     217           0 :             goto fail;
     218             : 
     219       76882 :         if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
     220             :             /*
     221             :              * This is not GSS-API specific, we only enable it for
     222             :              * GSS for now
     223             :              */
     224       24121 :             ret = make_ap_authdata(context, &auth.authorization_data);
     225       24121 :             if (ret)
     226           0 :                 goto fail;
     227             :         }
     228             :     }
     229             : 
     230             :     /* Copy other authz data from auth_context */
     231       76960 :     if (auth_context->auth_data) {
     232       46470 :         ret = add_auth_data(context, auth_context->auth_data, &auth.authorization_data);
     233       46470 :         if (ret)
     234           0 :             goto fail;
     235             :     }
     236             : 
     237             :     /* XXX - Copy more to auth_context? */
     238             : 
     239       76960 :     auth_context->authenticator->ctime = auth.ctime;
     240       76960 :     auth_context->authenticator->cusec = auth.cusec;
     241             : 
     242       76960 :     ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
     243       76960 :     if (ret)
     244           0 :         goto fail;
     245       76960 :     if(buf_size != len)
     246           0 :         krb5_abortx(context, "internal error in ASN.1 encoder");
     247             : 
     248       76960 :     ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
     249       76960 :     if (ret)
     250           0 :         goto fail;
     251       76960 :     ret = krb5_encrypt (context,
     252             :                         crypto,
     253             :                         usage /* KRB5_KU_AP_REQ_AUTH */,
     254             :                         buf,
     255             :                         len,
     256             :                         result);
     257       76960 :     krb5_crypto_destroy(context, crypto);
     258             : 
     259       76960 :     if (ret)
     260           0 :         goto fail;
     261             : 
     262       76960 :  fail:
     263       76960 :     free_Authenticator (&auth);
     264       76960 :     free (buf);
     265             : 
     266       76960 :     return ret;
     267             : }

Generated by: LCOV version 1.14