2 * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 #define KA_AUTHENTICATION_SERVICE 731
42 #define KA_TICKET_GRANTING_SERVICE 732
43 #define KA_MAINTENANCE_SERVICE 733
45 #define AUTHENTICATE_OLD 1
46 #define CHANGEPASSWORD 2
47 #define GETTICKET_OLD 3
56 #define GETPASSWORD 12
57 #define GETRANDOMKEY 13
58 #define AUTHENTICATE 21
59 #define AUTHENTICATE_V2 22
62 /* XXX - Where do we get these? */
64 #define RXGEN_OPCODE (-455)
66 #define KADATABASEINCONSISTENT (180480L)
67 #define KAEXIST (180481L)
68 #define KAIO (180482L)
69 #define KACREATEFAIL (180483L)
70 #define KANOENT (180484L)
71 #define KAEMPTY (180485L)
72 #define KABADNAME (180486L)
73 #define KABADINDEX (180487L)
74 #define KANOAUTH (180488L)
75 #define KAANSWERTOOLONG (180489L)
76 #define KABADREQUEST (180490L)
77 #define KAOLDINTERFACE (180491L)
78 #define KABADARGUMENT (180492L)
79 #define KABADCMD (180493L)
80 #define KANOKEYS (180494L)
81 #define KAREADPW (180495L)
82 #define KABADKEY (180496L)
83 #define KAUBIKINIT (180497L)
84 #define KAUBIKCALL (180498L)
85 #define KABADPROTOCOL (180499L)
86 #define KANOCELLS (180500L)
87 #define KANOCELL (180501L)
88 #define KATOOMANYUBIKS (180502L)
89 #define KATOOMANYKEYS (180503L)
90 #define KABADTICKET (180504L)
91 #define KAUNKNOWNKEY (180505L)
92 #define KAKEYCACHEINVALID (180506L)
93 #define KABADSERVER (180507L)
94 #define KABADUSER (180508L)
95 #define KABADCPW (180509L)
96 #define KABADCREATE (180510L)
97 #define KANOTICKET (180511L)
98 #define KAASSOCUSER (180512L)
99 #define KANOTSPECIAL (180513L)
100 #define KACLOCKSKEW (180514L)
101 #define KANORECURSE (180515L)
102 #define KARXFAIL (180516L)
103 #define KANULLPASSWORD (180517L)
104 #define KAINTERNALERROR (180518L)
105 #define KAPWEXPIRED (180519L)
106 #define KAREUSED (180520L)
107 #define KATOOSOON (180521L)
108 #define KALOCKED (180522L)
111 decode_rx_header (krb5_storage
*sp
,
114 krb5_ret_int32(sp
, &h
->epoch
);
115 krb5_ret_int32(sp
, &h
->connid
);
116 krb5_ret_int32(sp
, &h
->callid
);
117 krb5_ret_int32(sp
, &h
->seqno
);
118 krb5_ret_int32(sp
, &h
->serialno
);
119 krb5_ret_int8(sp
, &h
->type
);
120 krb5_ret_int8(sp
, &h
->flags
);
121 krb5_ret_int8(sp
, &h
->status
);
122 krb5_ret_int8(sp
, &h
->secindex
);
123 krb5_ret_int16(sp
, &h
->reserved
);
124 krb5_ret_int16(sp
, &h
->serviceid
);
128 encode_rx_header (struct rx_header
*h
,
131 krb5_store_int32(sp
, h
->epoch
);
132 krb5_store_int32(sp
, h
->connid
);
133 krb5_store_int32(sp
, h
->callid
);
134 krb5_store_int32(sp
, h
->seqno
);
135 krb5_store_int32(sp
, h
->serialno
);
136 krb5_store_int8(sp
, h
->type
);
137 krb5_store_int8(sp
, h
->flags
);
138 krb5_store_int8(sp
, h
->status
);
139 krb5_store_int8(sp
, h
->secindex
);
140 krb5_store_int16(sp
, h
->reserved
);
141 krb5_store_int16(sp
, h
->serviceid
);
145 init_reply_header (struct rx_header
*hdr
,
146 struct rx_header
*reply_hdr
,
150 reply_hdr
->epoch
= hdr
->epoch
;
151 reply_hdr
->connid
= hdr
->connid
;
152 reply_hdr
->callid
= hdr
->callid
;
153 reply_hdr
->seqno
= 1;
154 reply_hdr
->serialno
= 1;
155 reply_hdr
->type
= type
;
156 reply_hdr
->flags
= flags
;
157 reply_hdr
->status
= 0;
158 reply_hdr
->secindex
= 0;
159 reply_hdr
->reserved
= 0;
160 reply_hdr
->serviceid
= hdr
->serviceid
;
164 make_error_reply (struct rx_header
*hdr
,
170 struct rx_header reply_hdr
;
172 init_reply_header (hdr
, &reply_hdr
, HT_ABORT
, HF_LAST
);
173 sp
= krb5_storage_emem();
174 encode_rx_header (&reply_hdr
, sp
);
175 krb5_store_int32(sp
, ret
);
176 krb5_storage_to_data (sp
, reply
);
177 krb5_storage_free (sp
);
180 static krb5_error_code
181 krb5_ret_xdr_data(krb5_storage
*sp
,
186 ret
= krb5_ret_int32(sp
, &size
);
194 size_t pad
= (4 - size
% 4) % 4;
196 data
->data
= malloc(size
);
197 if (data
->data
== NULL
)
199 ret
= krb5_storage_read(sp
, data
->data
, size
);
201 return (ret
< 0)? errno
: KRB5_CC_END
;
203 ret
= krb5_storage_read(sp
, foo
, pad
);
205 return (ret
< 0)? errno
: KRB5_CC_END
;
212 static krb5_error_code
213 krb5_store_xdr_data(krb5_storage
*sp
,
216 u_char zero
[4] = {0, 0, 0, 0};
220 ret
= krb5_store_int32(sp
, data
.length
);
223 ret
= krb5_storage_write(sp
, data
.data
, data
.length
);
224 if(ret
!= data
.length
){
229 pad
= (4 - data
.length
% 4) % 4;
231 ret
= krb5_storage_write(sp
, zero
, pad
);
242 static krb5_error_code
243 create_reply_ticket (struct rx_header
*hdr
,
245 char *name
, char *instance
, char *realm
,
246 struct sockaddr_in
*addr
,
250 const char *sname
, const char *sinstance
,
260 des_key_schedule schedule
;
261 struct rx_header reply_hdr
;
264 unsigned fyrtiosjuelva
;
266 /* create the ticket */
268 des_new_random_key(&session
);
270 krb_create_ticket (&ticket
, 0, name
, instance
, realm
,
271 addr
->sin_addr
.s_addr
,
272 &session
, life
, kdc_time
,
273 sname
, sinstance
, skey
->key
.keyvalue
.data
);
275 /* create the encrypted part of the reply */
276 sp
= krb5_storage_emem ();
277 krb5_generate_random_block(&fyrtiosjuelva
, sizeof(fyrtiosjuelva
));
278 fyrtiosjuelva
&= 0xffffffff;
279 krb5_store_int32 (sp
, fyrtiosjuelva
);
280 krb5_store_int32 (sp
, challenge
);
281 krb5_storage_write (sp
, session
, 8);
282 memset (&session
, 0, sizeof(session
));
283 krb5_store_int32 (sp
, kdc_time
);
284 krb5_store_int32 (sp
, kdc_time
+ krb_life_to_time (0, life
));
285 krb5_store_int32 (sp
, kvno
);
286 krb5_store_int32 (sp
, ticket
.length
);
287 krb5_store_stringz (sp
, name
);
288 krb5_store_stringz (sp
, instance
);
289 #if 1 /* XXX - Why shouldn't the realm go here? */
290 krb5_store_stringz (sp
, "");
292 krb5_store_stringz (sp
, realm
);
294 krb5_store_stringz (sp
, sname
);
295 krb5_store_stringz (sp
, sinstance
);
296 krb5_storage_write (sp
, ticket
.dat
, ticket
.length
);
297 krb5_storage_write (sp
, label
, strlen(label
));
299 /* pad to DES block */
300 memset (zero
, 0, sizeof(zero
));
301 pad
= (8 - krb5_storage_seek (sp
, 0, SEEK_CUR
) % 8) % 8;
302 krb5_storage_write (sp
, zero
, pad
);
304 krb5_storage_to_data (sp
, &enc_data
);
305 krb5_storage_free (sp
);
307 if (enc_data
.length
> max_seq_len
) {
308 krb5_data_free (&enc_data
);
309 make_error_reply (hdr
, KAANSWERTOOLONG
, reply
);
314 des_set_key (key
, schedule
);
315 des_pcbc_encrypt (enc_data
.data
,
321 memset (&schedule
, 0, sizeof(schedule
));
323 /* create the reply packet */
324 init_reply_header (hdr
, &reply_hdr
, HT_DATA
, HF_LAST
);
325 sp
= krb5_storage_emem ();
326 encode_rx_header (&reply_hdr
, sp
);
327 krb5_store_int32 (sp
, max_seq_len
);
328 krb5_store_xdr_data (sp
, enc_data
);
329 krb5_data_free (&enc_data
);
330 krb5_storage_to_data (sp
, reply
);
331 krb5_storage_free (sp
);
335 static krb5_error_code
336 unparse_auth_args (krb5_storage
*sp
,
342 int32_t *max_seq_len
)
347 krb5_ret_xdr_data (sp
, &data
);
348 *name
= malloc(data
.length
+ 1);
351 memcpy (*name
, data
.data
, data
.length
);
352 (*name
)[data
.length
] = '\0';
353 krb5_data_free (&data
);
355 krb5_ret_xdr_data (sp
, &data
);
356 *instance
= malloc(data
.length
+ 1);
357 if (*instance
== NULL
) {
361 memcpy (*instance
, data
.data
, data
.length
);
362 (*instance
)[data
.length
] = '\0';
363 krb5_data_free (&data
);
365 krb5_ret_int32 (sp
, &tmp
);
367 krb5_ret_int32 (sp
, &tmp
);
369 krb5_ret_xdr_data (sp
, request
);
370 krb5_ret_int32 (sp
, max_seq_len
);
371 /* ignore the rest */
376 do_authenticate (struct rx_header
*hdr
,
378 struct sockaddr_in
*addr
,
383 char *instance
= NULL
;
388 hdb_entry
*client_entry
= NULL
;
389 hdb_entry
*server_entry
= NULL
;
393 des_key_schedule schedule
;
394 krb5_storage
*reply_sp
;
398 char client_name
[256];
399 char server_name
[256];
401 krb5_data_zero (&request
);
403 unparse_auth_args (sp
, &name
, &instance
, &start_time
, &end_time
,
404 &request
, &max_seq_len
);
406 snprintf (client_name
, sizeof(client_name
), "%s.%s@%s",
407 name
, instance
, v4_realm
);
409 ret
= db_fetch4 (name
, instance
, v4_realm
, &client_entry
);
411 kdc_log(0, "Client not found in database: %s: %s",
412 client_name
, krb5_get_err_text(context
, ret
));
413 make_error_reply (hdr
, KANOENT
, reply
);
417 snprintf (server_name
, sizeof(server_name
), "%s.%s@%s",
418 "krbtgt", v4_realm
, v4_realm
);
420 ret
= db_fetch4 ("krbtgt", v4_realm
, v4_realm
, &server_entry
);
422 kdc_log(0, "Server not found in database: %s: %s",
423 server_name
, krb5_get_err_text(context
, ret
));
424 make_error_reply (hdr
, KANOENT
, reply
);
428 ret
= check_flags (client_entry
, client_name
,
429 server_entry
, server_name
,
432 make_error_reply (hdr
, KAPWEXPIRED
, reply
);
437 ret
= get_des_key(client_entry
, FALSE
, TRUE
, &ckey
);
439 kdc_log(0, "no suitable DES key for client");
440 make_error_reply (hdr
, KANOKEYS
, reply
);
445 ret
= get_des_key(server_entry
, TRUE
, TRUE
, &skey
);
447 kdc_log(0, "no suitable DES key for server");
448 make_error_reply (hdr
, KANOKEYS
, reply
);
452 /* try to decode the `request' */
453 memcpy (&key
, ckey
->key
.keyvalue
.data
, sizeof(key
));
454 des_set_key (&key
, schedule
);
455 des_pcbc_encrypt (request
.data
,
461 memset (&schedule
, 0, sizeof(schedule
));
463 /* check for the magic label */
464 if (memcmp ((char *)request
.data
+ 4, "gTGS", 4) != 0) {
465 make_error_reply (hdr
, KABADREQUEST
, reply
);
469 reply_sp
= krb5_storage_from_mem (request
.data
, 4);
470 krb5_ret_int32 (reply_sp
, &chal
);
471 krb5_storage_free (reply_sp
);
473 if (abs(chal
- kdc_time
) > context
->max_skew
) {
474 make_error_reply (hdr
, KACLOCKSKEW
, reply
);
479 max_life
= end_time
- kdc_time
;
480 /* end_time - kdc_time can sometimes be non-positive due to slight
481 time skew between client and server. Let's make sure it is postive */
484 if (client_entry
->max_life
)
485 max_life
= min(max_life
, *client_entry
->max_life
);
486 if (server_entry
->max_life
)
487 max_life
= min(max_life
, *server_entry
->max_life
);
489 life
= krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
491 create_reply_ticket (hdr
, skey
,
492 name
, instance
, v4_realm
,
493 addr
, life
, server_entry
->kvno
,
498 memset (&key
, 0, sizeof(key
));
501 if (request
.length
) {
502 memset (request
.data
, 0, request
.length
);
503 krb5_data_free (&request
);
510 free_ent (client_entry
);
512 free_ent (server_entry
);
515 static krb5_error_code
516 unparse_getticket_args (krb5_storage
*sp
,
523 int32_t *max_seq_len
)
528 krb5_ret_int32 (sp
, &tmp
);
531 krb5_ret_xdr_data (sp
, &data
);
532 *auth_domain
= malloc(data
.length
+ 1);
533 if (*auth_domain
== NULL
)
535 memcpy (*auth_domain
, data
.data
, data
.length
);
536 (*auth_domain
)[data
.length
] = '\0';
537 krb5_data_free (&data
);
539 krb5_ret_xdr_data (sp
, ticket
);
541 krb5_ret_xdr_data (sp
, &data
);
542 *name
= malloc(data
.length
+ 1);
547 memcpy (*name
, data
.data
, data
.length
);
548 (*name
)[data
.length
] = '\0';
549 krb5_data_free (&data
);
551 krb5_ret_xdr_data (sp
, &data
);
552 *instance
= malloc(data
.length
+ 1);
553 if (*instance
== NULL
) {
558 memcpy (*instance
, data
.data
, data
.length
);
559 (*instance
)[data
.length
] = '\0';
560 krb5_data_free (&data
);
562 krb5_ret_xdr_data (sp
, times
);
564 krb5_ret_int32 (sp
, max_seq_len
);
565 /* ignore the rest */
570 do_getticket (struct rx_header
*hdr
,
572 struct sockaddr_in
*addr
,
577 char *auth_domain
= NULL
;
580 char *instance
= NULL
;
583 hdb_entry
*server_entry
= NULL
;
584 hdb_entry
*krbtgt_entry
= NULL
;
588 des_key_schedule schedule
;
592 time_t start_time
, end_time
;
593 char pname
[ANAME_SZ
];
595 char prealm
[REALM_SZ
];
596 char server_name
[256];
598 krb5_data_zero (&aticket
);
599 krb5_data_zero (×
);
601 unparse_getticket_args (sp
, &kvno
, &auth_domain
, &aticket
,
602 &name
, &instance
, ×
, &max_seq_len
);
604 snprintf (server_name
, sizeof(server_name
),
605 "%s.%s@%s", name
, instance
, v4_realm
);
607 ret
= db_fetch4 (name
, instance
, v4_realm
, &server_entry
);
609 kdc_log(0, "Server not found in database: %s: %s",
610 server_name
, krb5_get_err_text(context
, ret
));
611 make_error_reply (hdr
, KANOENT
, reply
);
615 ret
= check_flags (NULL
, NULL
,
616 server_entry
, server_name
,
619 make_error_reply (hdr
, KAPWEXPIRED
, reply
);
623 ret
= db_fetch4 ("krbtgt", v4_realm
, v4_realm
, &krbtgt_entry
);
625 kdc_log(0, "Server not found in database: %s.%s@%s: %s",
626 "krbtgt", v4_realm
, v4_realm
, krb5_get_err_text(context
, ret
));
627 make_error_reply (hdr
, KANOENT
, reply
);
632 ret
= get_des_key(krbtgt_entry
, TRUE
, TRUE
, &kkey
);
634 kdc_log(0, "no suitable DES key for krbtgt");
635 make_error_reply (hdr
, KANOKEYS
, reply
);
640 ret
= get_des_key(server_entry
, TRUE
, TRUE
, &skey
);
642 kdc_log(0, "no suitable DES key for server");
643 make_error_reply (hdr
, KANOKEYS
, reply
);
647 /* decrypt the incoming ticket */
648 memcpy (&key
, kkey
->key
.keyvalue
.data
, sizeof(key
));
650 /* unpack the ticket */
656 char sname
[ANAME_SZ
];
657 char sinstance
[SNAME_SZ
];
660 if (aticket
.length
> sizeof(ticket
.dat
)) {
661 kdc_log(0, "ticket too long (%u > %u)",
662 (unsigned)aticket
.length
,
663 (unsigned)sizeof(ticket
.dat
));
664 make_error_reply (hdr
, KABADTICKET
, reply
);
668 ticket
.length
= aticket
.length
;
669 memcpy (ticket
.dat
, aticket
.data
, ticket
.length
);
671 des_set_key (&key
, schedule
);
672 decomp_ticket (&ticket
, &flags
, pname
, pinst
, prealm
,
673 &paddress
, session
, &life
, &time_sec
,
677 if (strcmp (sname
, "krbtgt") != 0
678 || strcmp (sinstance
, v4_realm
) != 0) {
679 kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
681 pname
, pinst
, prealm
);
682 make_error_reply (hdr
, KABADTICKET
, reply
);
686 if (kdc_time
> krb_life_to_time(time_sec
, life
)) {
687 kdc_log(0, "TGT expired: %s.%s@%s",
688 pname
, pinst
, prealm
);
689 make_error_reply (hdr
, KABADTICKET
, reply
);
694 /* decrypt the times */
695 des_set_key (&session
, schedule
);
696 des_ecb_encrypt (times
.data
,
700 memset (&schedule
, 0, sizeof(schedule
));
702 /* and extract them */
707 sp
= krb5_storage_from_mem (times
.data
, times
.length
);
708 krb5_ret_int32 (sp
, &tmp
);
710 krb5_ret_int32 (sp
, &tmp
);
712 krb5_storage_free (sp
);
716 max_life
= end_time
- kdc_time
;
717 /* end_time - kdc_time can sometimes be non-positive due to slight
718 time skew between client and server. Let's make sure it is postive */
721 if (krbtgt_entry
->max_life
)
722 max_life
= min(max_life
, *krbtgt_entry
->max_life
);
723 if (server_entry
->max_life
)
724 max_life
= min(max_life
, *server_entry
->max_life
);
726 life
= krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
728 create_reply_ticket (hdr
, skey
,
729 pname
, pinst
, prealm
,
730 addr
, life
, server_entry
->kvno
,
735 memset (&session
, 0, sizeof(session
));
738 if (aticket
.length
) {
739 memset (aticket
.data
, 0, aticket
.length
);
740 krb5_data_free (&aticket
);
743 memset (times
.data
, 0, times
.length
);
744 krb5_data_free (×
);
753 free_ent (krbtgt_entry
);
755 free_ent (server_entry
);
759 do_kaserver(unsigned char *buf
,
763 struct sockaddr_in
*addr
)
765 krb5_error_code ret
= 0;
766 struct rx_header hdr
;
770 if (len
< RX_HEADER_SIZE
)
772 sp
= krb5_storage_from_mem (buf
, len
);
774 decode_rx_header (sp
, &hdr
);
775 buf
+= RX_HEADER_SIZE
;
776 len
-= RX_HEADER_SIZE
;
794 if (hdr
.serviceid
!= KA_AUTHENTICATION_SERVICE
795 && hdr
.serviceid
!= KA_TICKET_GRANTING_SERVICE
) {
800 krb5_ret_int32(sp
, &op
);
803 do_authenticate (&hdr
, sp
, addr
, reply
);
806 do_getticket (&hdr
, sp
, addr
, reply
);
808 case AUTHENTICATE_OLD
:
809 case CHANGEPASSWORD
:
821 case AUTHENTICATE_V2
:
823 make_error_reply (&hdr
, RXGEN_OPCODE
, reply
);
828 krb5_storage_free (sp
);