Line data Source code
1 : /*
2 : * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #include "krb5_locl.h"
35 :
36 : static krb5_error_code
37 46470 : add_auth_data(krb5_context context,
38 : AuthorizationData *src,
39 : AuthorizationData **dst)
40 : {
41 46470 : krb5_error_code ret = 0;
42 1658 : size_t i;
43 :
44 46470 : if (*dst == NULL &&
45 46470 : (*dst = calloc(1, sizeof(**dst))) == NULL)
46 0 : return krb5_enomem(context);
47 92940 : for (i = 0; ret == 0 && i < src->len; i++)
48 46470 : ret = add_AuthorizationData(*dst, &src->val[i]);
49 44812 : return ret;
50 : }
51 :
52 : static krb5_error_code
53 24121 : add_etypelist(krb5_context context,
54 : krb5_authdata *auth_data)
55 : {
56 1035 : AuthorizationDataElement ade;
57 1035 : EtypeList etypes;
58 1035 : krb5_error_code ret;
59 1035 : krb5_data e;
60 24121 : size_t len = 0;
61 :
62 24121 : ret = _krb5_init_etype(context, KRB5_PDU_NONE,
63 : &etypes.len, &etypes.val,
64 : NULL);
65 24121 : if (ret)
66 0 : return ret;
67 :
68 24121 : ASN1_MALLOC_ENCODE(EtypeList, e.data, e.length, &etypes, &len, ret);
69 24121 : if (ret) {
70 0 : free_EtypeList(&etypes);
71 0 : return ret;
72 : }
73 24121 : if(e.length != len)
74 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
75 24121 : free_EtypeList(&etypes);
76 :
77 24121 : ade.ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
78 24121 : ade.ad_data = e;
79 :
80 24121 : ret = add_AuthorizationData(auth_data, &ade);
81 :
82 24121 : krb5_data_free(&e);
83 :
84 24121 : return ret;
85 : }
86 :
87 : static krb5_error_code
88 24121 : add_ap_options(krb5_context context,
89 : krb5_authdata *auth_data)
90 : {
91 1035 : krb5_error_code ret;
92 1035 : AuthorizationDataElement ade;
93 1035 : krb5_boolean require_cb;
94 1035 : uint8_t ap_options[4];
95 :
96 24121 : require_cb = krb5_config_get_bool_default(context, NULL, FALSE,
97 : "libdefaults",
98 : "client_aware_channel_bindings",
99 : NULL);
100 :
101 24121 : if (!require_cb)
102 23086 : return 0;
103 :
104 0 : ap_options[0] = (KERB_AP_OPTIONS_CBT >> 0 ) & 0xFF;
105 0 : ap_options[1] = (KERB_AP_OPTIONS_CBT >> 8 ) & 0xFF;
106 0 : ap_options[2] = (KERB_AP_OPTIONS_CBT >> 16) & 0xFF;
107 0 : ap_options[3] = (KERB_AP_OPTIONS_CBT >> 24) & 0xFF;
108 :
109 0 : ade.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
110 0 : ade.ad_data.length = sizeof(ap_options);
111 0 : ade.ad_data.data = ap_options;
112 :
113 0 : ret = add_AuthorizationData(auth_data, &ade);
114 :
115 0 : return ret;
116 : }
117 :
118 : static krb5_error_code
119 24121 : make_ap_authdata(krb5_context context,
120 : krb5_authdata **auth_data)
121 : {
122 1035 : krb5_error_code ret;
123 1035 : AuthorizationData ad;
124 1035 : krb5_data ir;
125 1035 : size_t len;
126 :
127 24121 : ad.len = 0;
128 24121 : ad.val = NULL;
129 :
130 24121 : ret = add_etypelist(context, &ad);
131 24121 : if (ret)
132 0 : return ret;
133 :
134 : /*
135 : * Windows has a bug and only looks for first occurrence of AD-IF-RELEVANT
136 : * in the AP authenticator when looking for AD-AP-OPTIONS. Make sure to
137 : * bundle it together with etypes.
138 : */
139 24121 : ret = add_ap_options(context, &ad);
140 24121 : if (ret) {
141 0 : free_AuthorizationData(&ad);
142 0 : return ret;
143 : }
144 :
145 24121 : ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad, &len, ret);
146 24121 : if (ret) {
147 0 : free_AuthorizationData(&ad);
148 0 : return ret;
149 : }
150 24121 : if(ir.length != len)
151 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
152 :
153 24121 : ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
154 : auth_data);
155 :
156 24121 : free_AuthorizationData(&ad);
157 24121 : krb5_data_free(&ir);
158 :
159 24121 : return ret;
160 : }
161 :
162 : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
163 76960 : _krb5_build_authenticator (krb5_context context,
164 : krb5_auth_context auth_context,
165 : krb5_enctype enctype,
166 : krb5_creds *cred,
167 : Checksum *cksum,
168 : krb5_data *result,
169 : krb5_key_usage usage)
170 : {
171 2693 : Authenticator auth;
172 76960 : u_char *buf = NULL;
173 2693 : size_t buf_size;
174 76960 : size_t len = 0;
175 2693 : krb5_error_code ret;
176 2693 : krb5_crypto crypto;
177 :
178 76960 : memset(&auth, 0, sizeof(auth));
179 :
180 76960 : auth.authenticator_vno = 5;
181 76960 : ret = copy_Realm(&cred->client->realm, &auth.crealm);
182 76960 : if (ret)
183 0 : goto fail;
184 76960 : ret = copy_PrincipalName(&cred->client->name, &auth.cname);
185 76960 : if (ret)
186 0 : goto fail;
187 :
188 76960 : krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
189 :
190 76960 : ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
191 76960 : if(ret)
192 0 : goto fail;
193 :
194 76960 : if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
195 24250 : if(auth_context->local_seqnumber == 0)
196 24250 : krb5_generate_seq_number (context,
197 24250 : &cred->session,
198 : &auth_context->local_seqnumber);
199 24250 : ALLOC(auth.seq_number, 1);
200 24250 : if(auth.seq_number == NULL) {
201 0 : ret = krb5_enomem(context);
202 0 : goto fail;
203 : }
204 24250 : *auth.seq_number = auth_context->local_seqnumber;
205 : } else
206 52710 : auth.seq_number = NULL;
207 76960 : auth.authorization_data = NULL;
208 :
209 76960 : if (cksum) {
210 76882 : ALLOC(auth.cksum, 1);
211 76882 : if (auth.cksum == NULL) {
212 0 : ret = krb5_enomem(context);
213 0 : goto fail;
214 : }
215 76882 : ret = copy_Checksum(cksum, auth.cksum);
216 76882 : if (ret)
217 0 : goto fail;
218 :
219 76882 : if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
220 : /*
221 : * This is not GSS-API specific, we only enable it for
222 : * GSS for now
223 : */
224 24121 : ret = make_ap_authdata(context, &auth.authorization_data);
225 24121 : if (ret)
226 0 : goto fail;
227 : }
228 : }
229 :
230 : /* Copy other authz data from auth_context */
231 76960 : if (auth_context->auth_data) {
232 46470 : ret = add_auth_data(context, auth_context->auth_data, &auth.authorization_data);
233 46470 : if (ret)
234 0 : goto fail;
235 : }
236 :
237 : /* XXX - Copy more to auth_context? */
238 :
239 76960 : auth_context->authenticator->ctime = auth.ctime;
240 76960 : auth_context->authenticator->cusec = auth.cusec;
241 :
242 76960 : ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
243 76960 : if (ret)
244 0 : goto fail;
245 76960 : if(buf_size != len)
246 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
247 :
248 76960 : ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
249 76960 : if (ret)
250 0 : goto fail;
251 76960 : ret = krb5_encrypt (context,
252 : crypto,
253 : usage /* KRB5_KU_AP_REQ_AUTH */,
254 : buf,
255 : len,
256 : result);
257 76960 : krb5_crypto_destroy(context, crypto);
258 :
259 76960 : if (ret)
260 0 : goto fail;
261 :
262 76960 : fail:
263 76960 : free_Authenticator (&auth);
264 76960 : free (buf);
265 :
266 76960 : return ret;
267 : }
|