search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
This commit was manufactured by cvs2svn to create tag
[heimdal.git] / kdc / kerberos4.c
blob36737731b365c555f25783539cc8fc802a3a70fb
1 /*
2 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 RCSID("$Id$");
37
38 #ifdef KRB4
39
40 #ifndef swap32
41 static u_int32_t
42 swap32(u_int32_t x)
43 {
44 return ((x << 24) & 0xff000000) |
45 ((x << 8) & 0xff0000) |
46 ((x >> 8) & 0xff00) |
47 ((x >> 24) & 0xff);
48 }
49 #endif /* swap32 */
50
51 int
52 maybe_version4(unsigned char *buf, int len)
53 {
54 return len > 0 && *buf == 4;
55 }
56
57 static void
58 make_err_reply(krb5_data *reply, int code, const char *msg)
59 {
60 KTEXT_ST er;
61
62 /* name, instance and realm are not checked in most (all?)
63 implementations; msg is also never used, but we send it anyway
64 (for debugging purposes) */
65
66 if(msg == NULL)
67 msg = krb_get_err_text(code);
68 cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
69 krb5_data_copy(reply, er.dat, er.length);
70 }
71
72 static krb5_boolean
73 valid_princ(krb5_context context, krb5_principal princ)
74 {
75 krb5_error_code ret;
76 char *s;
77 hdb_entry *ent;
78
79 ret = krb5_unparse_name(context, princ, &s);
80 if (ret)
81 return FALSE;
82 ret = db_fetch(princ, &ent);
83 if (ret) {
84 kdc_log(7, "Lookup %s failed: %s", s,
85 krb5_get_err_text (context, ret));
86 free(s);
87 return FALSE;
88 }
89 kdc_log(7, "Lookup %s succeeded", s);
90 free(s);
91 free_ent(ent);
92 return TRUE;
93 }
94
95 krb5_error_code
96 db_fetch4(const char *name, const char *instance, const char *realm,
97 hdb_entry **ent)
98 {
99 krb5_principal p;
100 krb5_error_code ret;
101
102 ret = krb5_425_conv_principal_ext(context, name, instance, realm,
103 valid_princ, 0, &p);
104 if(ret)
105 return ret;
106 ret = db_fetch(p, ent);
107 krb5_free_principal(context, p);
108 return ret;
109 }
110
111 krb5_error_code
112 get_des_key(hdb_entry *principal, krb5_boolean is_server,
113 krb5_boolean prefer_afs_key, Key **ret_key)
114 {
115 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
116 int i;
117 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
118 ETYPE_DES_CBC_MD4,
119 ETYPE_DES_CBC_CRC };
120
121 for(i = 0;
122 i < sizeof(etypes)/sizeof(etypes[0])
123 && (v5_key == NULL || v4_key == NULL ||
124 afs_key == NULL || server_key == NULL);
125 ++i) {
126 Key *key = NULL;
127 while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
128 if(key->salt == NULL) {
129 if(v5_key == NULL)
130 v5_key = key;
131 } else if(key->salt->type == hdb_pw_salt &&
132 key->salt->salt.length == 0) {
133 if(v4_key == NULL)
134 v4_key = key;
135 } else if(key->salt->type == hdb_afs3_salt) {
136 if(afs_key == NULL)
137 afs_key = key;
138 } else if(server_key == NULL)
139 server_key = key;
140 }
141 }
142
143 if(prefer_afs_key) {
144 if(afs_key)
145 *ret_key = afs_key;
146 else if(v4_key)
147 *ret_key = v4_key;
148 else if(v5_key)
149 *ret_key = v5_key;
150 else if(is_server && server_key)
151 *ret_key = server_key;
152 else
153 return KERB_ERR_NULL_KEY;
154 } else {
155 if(v4_key)
156 *ret_key = v4_key;
157 else if(afs_key)
158 *ret_key = afs_key;
159 else if(v5_key)
160 *ret_key = v5_key;
161 else if(is_server && server_key)
162 *ret_key = server_key;
163 else
164 return KERB_ERR_NULL_KEY;
165 }
166
167 if((*ret_key)->key.keyvalue.length == 0)
168 return KERB_ERR_NULL_KEY;
169 return 0;
170 }
171
172 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
173
174 /*
175 * Process the v4 request in `buf, len' (received from `addr'
176 * (with string `from').
177 * Return an error code and a reply in `reply'.
178 */
179
180 krb5_error_code
181 do_version4(unsigned char *buf,
182 size_t len,
183 krb5_data *reply,
184 const char *from,
185 struct sockaddr_in *addr)
186 {
187 krb5_storage *sp;
188 krb5_error_code ret;
189 hdb_entry *client = NULL, *server = NULL;
190 Key *ckey, *skey;
191 int8_t pvno;
192 int8_t msg_type;
193 int lsb;
194 char *name = NULL, *inst = NULL, *realm = NULL;
195 char *sname = NULL, *sinst = NULL;
196 int32_t req_time;
197 time_t max_life;
198 u_int8_t life;
199 char client_name[256];
200 char server_name[256];
201
202 if(!enable_v4) {
203 kdc_log(0, "Rejected version 4 request from %s", from);
204 make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
205 return 0;
206 }
207
208 sp = krb5_storage_from_mem(buf, len);
209 RCHECK(krb5_ret_int8(sp, &pvno), out);
210 if(pvno != 4){
211 kdc_log(0, "Protocol version mismatch (%d)", pvno);
212 make_err_reply(reply, KDC_PKT_VER, NULL);
213 goto out;
214 }
215 RCHECK(krb5_ret_int8(sp, &msg_type), out);
216 lsb = msg_type & 1;
217 msg_type &= ~1;
218 switch(msg_type){
219 case AUTH_MSG_KDC_REQUEST:
220 RCHECK(krb5_ret_stringz(sp, &name), out1);
221 RCHECK(krb5_ret_stringz(sp, &inst), out1);
222 RCHECK(krb5_ret_stringz(sp, &realm), out1);
223 RCHECK(krb5_ret_int32(sp, &req_time), out1);
224 if(lsb)
225 req_time = swap32(req_time);
226 RCHECK(krb5_ret_int8(sp, &life), out1);
227 RCHECK(krb5_ret_stringz(sp, &sname), out1);
228 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
229 snprintf (client_name, sizeof(client_name),
230 "%s.%s@%s", name, inst, realm);
231 snprintf (server_name, sizeof(server_name),
232 "%s.%s@%s", sname, sinst, v4_realm);
233
234 kdc_log(0, "AS-REQ %s from %s for %s",
235 client_name, from, server_name);
236
237 ret = db_fetch4(name, inst, realm, &client);
238 if(ret) {
239 kdc_log(0, "Client not found in database: %s: %s",
240 client_name, krb5_get_err_text(context, ret));
241 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
242 goto out1;
243 }
244 ret = db_fetch4(sname, sinst, v4_realm, &server);
245 if(ret){
246 kdc_log(0, "Server not found in database: %s: %s",
247 server_name, krb5_get_err_text(context, ret));
248 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
249 goto out1;
250 }
251
252 ret = check_flags (client, client_name,
253 server, server_name,
254 TRUE);
255 if (ret) {
256 /* good error code? */
257 make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
258 goto out1;
259 }
260
261 /*
262 * There's no way to do pre-authentication in v4 and thus no
263 * good error code to return if preauthentication is required.
264 */
265
266 if (require_preauth
267 || client->flags.require_preauth
268 || server->flags.require_preauth) {
269 kdc_log(0,
270 "Pre-authentication required for v4-request: "
271 "%s for %s",
272 client_name, server_name);
273 make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
274 goto out1;
275 }
276
277 ret = get_des_key(client, FALSE, FALSE, &ckey);
278 if(ret){
279 kdc_log(0, "no suitable DES key for client");
280 make_err_reply(reply, KDC_NULL_KEY,
281 "no suitable DES key for client");
282 goto out1;
283 }
284
285 #if 0
286 /* this is not necessary with the new code in libkrb */
287 /* find a properly salted key */
288 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
289 ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
290 if(ret){
291 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
292 name, inst, realm);
293 make_err_reply(reply, KDC_NULL_KEY,
294 "No version-4 salted key in database");
295 goto out1;
296 }
297 #endif
298
299 ret = get_des_key(server, TRUE, FALSE, &skey);
300 if(ret){
301 kdc_log(0, "no suitable DES key for server");
302 /* XXX */
303 make_err_reply(reply, KDC_NULL_KEY,
304 "no suitable DES key for server");
305 goto out1;
306 }
307
308 max_life = krb_life_to_time(0, life);
309 if(client->max_life)
310 max_life = min(max_life, *client->max_life);
311 if(server->max_life)
312 max_life = min(max_life, *server->max_life);
313
314 life = krb_time_to_life(kdc_time, kdc_time + max_life);
315
316 {
317 KTEXT_ST cipher, ticket;
318 KTEXT r;
319 des_cblock session;
320
321 des_new_random_key(&session);
322
323 krb_create_ticket(&ticket, 0, name, inst, v4_realm,
324 addr->sin_addr.s_addr, session, life, kdc_time,
325 sname, sinst, skey->key.keyvalue.data);
326
327 create_ciph(&cipher, session, sname, sinst, v4_realm,
328 life, server->kvno % 256, &ticket, kdc_time,
329 ckey->key.keyvalue.data);
330 memset(&session, 0, sizeof(session));
331 r = create_auth_reply(name, inst, realm, req_time, 0,
332 client->pw_end ? *client->pw_end : 0,
333 client->kvno % 256, &cipher);
334 krb5_data_copy(reply, r->dat, r->length);
335 memset(&cipher, 0, sizeof(cipher));
336 memset(&ticket, 0, sizeof(ticket));
337 }
338 out1:
339 break;
340 case AUTH_MSG_APPL_REQUEST: {
341 int8_t kvno;
342 int8_t ticket_len;
343 int8_t req_len;
344 KTEXT_ST auth;
345 AUTH_DAT ad;
346 size_t pos;
347 krb5_principal tgt_princ = NULL;
348 hdb_entry *tgt = NULL;
349 Key *tkey;
350
351 RCHECK(krb5_ret_int8(sp, &kvno), out2);
352 RCHECK(krb5_ret_stringz(sp, &realm), out2);
353
354 ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
355 &tgt_princ);
356 if(ret){
357 kdc_log(0, "Converting krbtgt principal: %s",
358 krb5_get_err_text(context, ret));
359 make_err_reply(reply, KFAILURE,
360 "Failed to convert v4 principal (krbtgt)");
361 goto out2;
362 }
363
364 ret = db_fetch(tgt_princ, &tgt);
365 if(ret){
366 char *s;
367 s = kdc_log_msg(0, "Ticket-granting ticket not "
368 "found in database: krbtgt.%s@%s: %s",
369 realm, v4_realm,
370 krb5_get_err_text(context, ret));
371 make_err_reply(reply, KFAILURE, s);
372 free(s);
373 goto out2;
374 }
375
376 if(tgt->kvno % 256 != kvno){
377 kdc_log(0, "tgs-req with old kvno %d (current %d) for "
378 "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
379 make_err_reply(reply, KDC_AUTH_EXP,
380 "old krbtgt kvno used");
381 goto out2;
382 }
383
384 ret = get_des_key(tgt, TRUE, FALSE, &tkey);
385 if(ret){
386 kdc_log(0, "no suitable DES key for krbtgt");
387 /* XXX */
388 make_err_reply(reply, KDC_NULL_KEY,
389 "no suitable DES key for krbtgt");
390 goto out2;
391 }
392
393 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
394 RCHECK(krb5_ret_int8(sp, &req_len), out2);
395
396 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
397
398 memset(&auth, 0, sizeof(auth));
399 memcpy(&auth.dat, buf, pos);
400 auth.length = pos;
401 krb_set_key(tkey->key.keyvalue.data, 0);
402
403 krb_ignore_ip_address = !check_ticket_addresses;
404
405 ret = krb_rd_req(&auth, "krbtgt", realm,
406 addr->sin_addr.s_addr, &ad, 0);
407 if(ret){
408 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
409 make_err_reply(reply, ret, NULL);
410 goto out2;
411 }
412
413 RCHECK(krb5_ret_int32(sp, &req_time), out2);
414 if(lsb)
415 req_time = swap32(req_time);
416 RCHECK(krb5_ret_int8(sp, &life), out2);
417 RCHECK(krb5_ret_stringz(sp, &sname), out2);
418 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
419 snprintf (server_name, sizeof(server_name),
420 "%s.%s@%s",
421 sname, sinst, v4_realm);
422
423 kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s",
424 ad.pname, ad.pinst, ad.prealm, from, server_name);
425
426 if(strcmp(ad.prealm, realm)){
427 kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
428 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
429 "Can't hop realms");
430 goto out2;
431 }
432
433 if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
434 kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
435 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
436 "Can't hop realms");
437 goto out2;
438 }
439
440 if(strcmp(sname, "changepw") == 0){
441 kdc_log(0, "Bad request for changepw ticket");
442 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
443 "Can't authorize password change based on TGT");
444 goto out2;
445 }
446
447 #if 0
448 ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
449 if(ret){
450 char *s;
451 s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s",
452 ad.pname, ad.pinst, ad.prealm,
453 krb5_get_err_text(context, ret));
454 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
455 free(s);
456 goto out2;
457 }
458 #endif
459
460 ret = db_fetch4(sname, sinst, v4_realm, &server);
461 if(ret){
462 char *s;
463 s = kdc_log_msg(0, "Server not found in database: %s: %s",
464 server_name, krb5_get_err_text(context, ret));
465 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
466 free(s);
467 goto out2;
468 }
469
470 ret = check_flags (NULL, NULL,
471 server, server_name,
472 FALSE);
473 if (ret) {
474 /* good error code? */
475 make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
476 goto out2;
477 }
478
479 ret = get_des_key(server, TRUE, FALSE, &skey);
480 if(ret){
481 kdc_log(0, "no suitable DES key for server");
482 /* XXX */
483 make_err_reply(reply, KDC_NULL_KEY,
484 "no suitable DES key for server");
485 goto out2;
486 }
487
488 max_life = krb_life_to_time(ad.time_sec, ad.life);
489 max_life = min(max_life, krb_life_to_time(kdc_time, life));
490 life = min(life, krb_time_to_life(kdc_time, max_life));
491 max_life = krb_life_to_time(0, life);
492 #if 0
493 if(client->max_life)
494 max_life = min(max_life, *client->max_life);
495 #endif
496 if(server->max_life)
497 max_life = min(max_life, *server->max_life);
498
499 {
500 KTEXT_ST cipher, ticket;
501 KTEXT r;
502 des_cblock session;
503 des_new_random_key(&session);
504 krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
505 addr->sin_addr.s_addr, &session, life, kdc_time,
506 sname, sinst, skey->key.keyvalue.data);
507
508 create_ciph(&cipher, session, sname, sinst, v4_realm,
509 life, server->kvno % 256, &ticket,
510 kdc_time, &ad.session);
511
512 memset(&session, 0, sizeof(session));
513 memset(ad.session, 0, sizeof(ad.session));
514
515 r = create_auth_reply(ad.pname, ad.pinst, ad.prealm,
516 req_time, 0, 0, 0, &cipher);
517 krb5_data_copy(reply, r->dat, r->length);
518 memset(&cipher, 0, sizeof(cipher));
519 memset(&ticket, 0, sizeof(ticket));
520 }
521 out2:
522 if(tgt_princ)
523 krb5_free_principal(context, tgt_princ);
524 if(tgt)
525 free_ent(tgt);
526 break;
527 }
528
529 case AUTH_MSG_ERR_REPLY:
530 break;
531 default:
532 kdc_log(0, "Unknown message type: %d from %s",
533 msg_type, from);
534
535 make_err_reply(reply, KFAILURE, "Unknown message type");
536 }
537 out:
538 if(name)
539 free(name);
540 if(inst)
541 free(inst);
542 if(realm)
543 free(realm);
544 if(sname)
545 free(sname);
546 if(sinst)
547 free(sinst);
548 if(client)
549 free_ent(client);
550 if(server)
551 free_ent(server);
552 krb5_storage_free(sp);
553 return 0;
554 }
555
556
557 #define ETYPE_DES_PCBC 17 /* XXX */
558
559 krb5_error_code
560 encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
561 {
562 des_key_schedule schedule;
563
564 reply->etype = ETYPE_DES_PCBC;
565 reply->kvno = NULL;
566 reply->cipher.length = len;
567 reply->cipher.data = malloc(len);
568 if(len != 0 && reply->cipher.data == NULL)
569 return ENOMEM;
570 des_set_key(key, schedule);
571 des_pcbc_encrypt(buf,
572 reply->cipher.data,
573 len,
574 schedule,
575 key,
576 DES_ENCRYPT);
577 memset(schedule, 0, sizeof(schedule));
578 return 0;
579 }
580
581 krb5_error_code
582 encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
583 const PrincipalName *service, size_t *size)
584 {
585 krb5_storage *sp;
586 krb5_error_code ret;
587 char name[40], inst[40], realm[40];
588 char sname[40], sinst[40];
589
590 {
591 krb5_principal princ;
592 principalname2krb5_principal(&princ,
593 *service,
594 et->crealm);
595 ret = krb5_524_conv_principal(context,
596 princ,
597 sname,
598 sinst,
599 realm);
600 krb5_free_principal(context, princ);
601 if(ret)
602 return ret;
603
604 principalname2krb5_principal(&princ,
605 et->cname,
606 et->crealm);
607
608 ret = krb5_524_conv_principal(context,
609 princ,
610 name,
611 inst,
612 realm);
613 krb5_free_principal(context, princ);
614 }
615 if(ret)
616 return ret;
617
618 sp = krb5_storage_emem();
619
620 krb5_store_int8(sp, 0); /* flags */
621 krb5_store_stringz(sp, name);
622 krb5_store_stringz(sp, inst);
623 krb5_store_stringz(sp, realm);
624 {
625 unsigned char tmp[4] = { 0, 0, 0, 0 };
626 int i;
627 if(et->caddr){
628 for(i = 0; i < et->caddr->len; i++)
629 if(et->caddr->val[i].addr_type == AF_INET &&
630 et->caddr->val[i].address.length == 4){
631 memcpy(tmp, et->caddr->val[i].address.data, 4);
632 break;
633 }
634 }
635 krb5_storage_write(sp, tmp, sizeof(tmp));
636 }
637
638 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
639 et->key.keytype != ETYPE_DES_CBC_MD4 &&
640 et->key.keytype != ETYPE_DES_CBC_CRC) ||
641 et->key.keyvalue.length != 8)
642 return -1;
643 krb5_storage_write(sp, et->key.keyvalue.data, 8);
644
645 {
646 time_t start = et->starttime ? *et->starttime : et->authtime;
647 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
648 krb5_store_int32(sp, start);
649 }
650
651 krb5_store_stringz(sp, sname);
652 krb5_store_stringz(sp, sinst);
653
654 {
655 krb5_data data;
656 krb5_storage_to_data(sp, &data);
657 krb5_storage_free(sp);
658 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
659 if(*size > len)
660 return -1;
661 memset((unsigned char*)buf - *size + 1, 0, *size);
662 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
663 krb5_data_free(&data);
664 }
665 return 0;
666 }
667
668 #endif /* KRB4 */
Heimdal