search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
This commit was manufactured by cvs2svn to create tag
[heimdal.git] / kdc / kerberos4.c
blob40e967ab34fd747120511c94f2a54b28405f905f
1 /*
2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 RCSID("$Id$");
37
38 #ifdef KRB4
39
40 #ifndef swap32
41 static u_int32_t
42 swap32(u_int32_t x)
43 {
44 return ((x << 24) & 0xff000000) |
45 ((x << 8) & 0xff0000) |
46 ((x >> 8) & 0xff00) |
47 ((x >> 24) & 0xff);
48 }
49 #endif /* swap32 */
50
51 int
52 maybe_version4(unsigned char *buf, int len)
53 {
54 return len > 0 && *buf == 4;
55 }
56
57 static void
58 make_err_reply(krb5_data *reply, int code, const char *msg)
59 {
60 KTEXT_ST er;
61
62 /* name, instance and realm are not checked in most (all?)
63 implementations; msg is also never used, but we send it anyway
64 (for debugging purposes) */
65
66 if(msg == NULL)
67 msg = krb_get_err_text(code);
68 cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
69 krb5_data_copy(reply, er.dat, er.length);
70 }
71
72 static krb5_boolean
73 valid_princ(krb5_context context, krb5_principal princ)
74 {
75 krb5_error_code ret;
76 char *s;
77 hdb_entry *ent;
78
79 ret = krb5_unparse_name(context, princ, &s);
80 if (ret)
81 return FALSE;
82 ret = db_fetch(princ, &ent);
83 if (ret) {
84 kdc_log(7, "Lookup %s failed: %s", s,
85 krb5_get_err_text (context, ret));
86 free(s);
87 return FALSE;
88 }
89 kdc_log(7, "Lookup %s succeeded", s);
90 free(s);
91 free_ent(ent);
92 return TRUE;
93 }
94
95 krb5_error_code
96 db_fetch4(const char *name, const char *instance, const char *realm,
97 hdb_entry **ent)
98 {
99 krb5_principal p;
100 krb5_error_code ret;
101
102 ret = krb5_425_conv_principal_ext(context, name, instance, realm,
103 valid_princ, 0, &p);
104 if(ret)
105 return ret;
106 ret = db_fetch(p, ent);
107 krb5_free_principal(context, p);
108 return ret;
109 }
110
111 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
112
113 /*
114 * Process the v4 request in `buf, len' (received from `addr'
115 * (with string `from').
116 * Return an error code and a reply in `reply'.
117 */
118
119 krb5_error_code
120 do_version4(unsigned char *buf,
121 size_t len,
122 krb5_data *reply,
123 const char *from,
124 struct sockaddr_in *addr)
125 {
126 krb5_storage *sp;
127 krb5_error_code ret;
128 hdb_entry *client = NULL, *server = NULL;
129 Key *ckey, *skey;
130 int8_t pvno;
131 int8_t msg_type;
132 int lsb;
133 char *name = NULL, *inst = NULL, *realm = NULL;
134 char *sname = NULL, *sinst = NULL;
135 int32_t req_time;
136 time_t max_life, max_end, actual_end, issue_time;
137 u_int8_t life;
138 char client_name[256];
139 char server_name[256];
140
141 if(!enable_v4) {
142 kdc_log(0, "Rejected version 4 request from %s", from);
143 make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
144 return 0;
145 }
146
147 sp = krb5_storage_from_mem(buf, len);
148 RCHECK(krb5_ret_int8(sp, &pvno), out);
149 if(pvno != 4){
150 kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno);
151 make_err_reply(reply, KDC_PKT_VER, NULL);
152 goto out;
153 }
154 RCHECK(krb5_ret_int8(sp, &msg_type), out);
155 lsb = msg_type & 1;
156 msg_type &= ~1;
157 switch(msg_type){
158 case AUTH_MSG_KDC_REQUEST:
159 RCHECK(krb5_ret_stringz(sp, &name), out1);
160 RCHECK(krb5_ret_stringz(sp, &inst), out1);
161 RCHECK(krb5_ret_stringz(sp, &realm), out1);
162 RCHECK(krb5_ret_int32(sp, &req_time), out1);
163 if(lsb)
164 req_time = swap32(req_time);
165 RCHECK(krb5_ret_int8(sp, &life), out1);
166 RCHECK(krb5_ret_stringz(sp, &sname), out1);
167 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
168 snprintf (client_name, sizeof(client_name),
169 "%s.%s@%s", name, inst, realm);
170 snprintf (server_name, sizeof(server_name),
171 "%s.%s@%s", sname, sinst, v4_realm);
172
173 kdc_log(0, "AS-REQ (krb4) %s from %s for %s",
174 client_name, from, server_name);
175
176 ret = db_fetch4(name, inst, realm, &client);
177 if(ret) {
178 kdc_log(0, "Client not found in database: %s: %s",
179 client_name, krb5_get_err_text(context, ret));
180 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
181 goto out1;
182 }
183 ret = db_fetch4(sname, sinst, v4_realm, &server);
184 if(ret){
185 kdc_log(0, "Server not found in database: %s: %s",
186 server_name, krb5_get_err_text(context, ret));
187 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
188 goto out1;
189 }
190
191 ret = check_flags (client, client_name,
192 server, server_name,
193 TRUE);
194 if (ret) {
195 /* good error code? */
196 make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
197 goto out1;
198 }
199
200 /*
201 * There's no way to do pre-authentication in v4 and thus no
202 * good error code to return if preauthentication is required.
203 */
204
205 if (require_preauth
206 || client->flags.require_preauth
207 || server->flags.require_preauth) {
208 kdc_log(0,
209 "Pre-authentication required for v4-request: "
210 "%s for %s",
211 client_name, server_name);
212 make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
213 goto out1;
214 }
215
216 ret = get_des_key(client, FALSE, FALSE, &ckey);
217 if(ret){
218 kdc_log(0, "no suitable DES key for client");
219 make_err_reply(reply, KDC_NULL_KEY,
220 "no suitable DES key for client");
221 goto out1;
222 }
223
224 #if 0
225 /* this is not necessary with the new code in libkrb */
226 /* find a properly salted key */
227 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
228 ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
229 if(ret){
230 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
231 name, inst, realm);
232 make_err_reply(reply, KDC_NULL_KEY,
233 "No version-4 salted key in database");
234 goto out1;
235 }
236 #endif
237
238 ret = get_des_key(server, TRUE, FALSE, &skey);
239 if(ret){
240 kdc_log(0, "no suitable DES key for server");
241 /* XXX */
242 make_err_reply(reply, KDC_NULL_KEY,
243 "no suitable DES key for server");
244 goto out1;
245 }
246
247 max_life = krb_life_to_time(0, life);
248 if(client->max_life)
249 max_life = min(max_life, *client->max_life);
250 if(server->max_life)
251 max_life = min(max_life, *server->max_life);
252
253 life = krb_time_to_life(kdc_time, kdc_time + max_life);
254
255 {
256 KTEXT_ST cipher, ticket;
257 KTEXT r;
258 des_cblock session;
259
260 des_new_random_key(&session);
261
262 krb_create_ticket(&ticket, 0, name, inst, v4_realm,
263 addr->sin_addr.s_addr, session, life, kdc_time,
264 sname, sinst, skey->key.keyvalue.data);
265
266 create_ciph(&cipher, session, sname, sinst, v4_realm,
267 life, server->kvno % 256, &ticket, kdc_time,
268 ckey->key.keyvalue.data);
269 memset(&session, 0, sizeof(session));
270 r = create_auth_reply(name, inst, realm, req_time, 0,
271 client->pw_end ? *client->pw_end : 0,
272 client->kvno % 256, &cipher);
273 krb5_data_copy(reply, r->dat, r->length);
274 memset(&cipher, 0, sizeof(cipher));
275 memset(&ticket, 0, sizeof(ticket));
276 }
277 out1:
278 break;
279 case AUTH_MSG_APPL_REQUEST: {
280 int8_t kvno;
281 int8_t ticket_len;
282 int8_t req_len;
283 KTEXT_ST auth;
284 AUTH_DAT ad;
285 size_t pos;
286 krb5_principal tgt_princ = NULL;
287 hdb_entry *tgt = NULL;
288 Key *tkey;
289
290 RCHECK(krb5_ret_int8(sp, &kvno), out2);
291 RCHECK(krb5_ret_stringz(sp, &realm), out2);
292
293 ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
294 &tgt_princ);
295 if(ret){
296 kdc_log(0, "Converting krbtgt principal (krb4): %s",
297 krb5_get_err_text(context, ret));
298 make_err_reply(reply, KFAILURE,
299 "Failed to convert v4 principal (krbtgt)");
300 goto out2;
301 }
302
303 ret = db_fetch(tgt_princ, &tgt);
304 if(ret){
305 char *s;
306 s = kdc_log_msg(0, "Ticket-granting ticket not "
307 "found in database (krb4): krbtgt.%s@%s: %s",
308 realm, v4_realm,
309 krb5_get_err_text(context, ret));
310 make_err_reply(reply, KFAILURE, s);
311 free(s);
312 goto out2;
313 }
314
315 if(tgt->kvno % 256 != kvno){
316 kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
317 "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
318 make_err_reply(reply, KDC_AUTH_EXP,
319 "old krbtgt kvno used");
320 goto out2;
321 }
322
323 ret = get_des_key(tgt, TRUE, FALSE, &tkey);
324 if(ret){
325 kdc_log(0, "no suitable DES key for krbtgt (krb4)");
326 /* XXX */
327 make_err_reply(reply, KDC_NULL_KEY,
328 "no suitable DES key for krbtgt");
329 goto out2;
330 }
331
332 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
333 RCHECK(krb5_ret_int8(sp, &req_len), out2);
334
335 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
336
337 memset(&auth, 0, sizeof(auth));
338 memcpy(&auth.dat, buf, pos);
339 auth.length = pos;
340 krb_set_key(tkey->key.keyvalue.data, 0);
341
342 krb_ignore_ip_address = !check_ticket_addresses;
343
344 ret = krb_rd_req(&auth, "krbtgt", realm,
345 addr->sin_addr.s_addr, &ad, 0);
346 if(ret){
347 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
348 make_err_reply(reply, ret, NULL);
349 goto out2;
350 }
351
352 RCHECK(krb5_ret_int32(sp, &req_time), out2);
353 if(lsb)
354 req_time = swap32(req_time);
355 RCHECK(krb5_ret_int8(sp, &life), out2);
356 RCHECK(krb5_ret_stringz(sp, &sname), out2);
357 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
358 snprintf (server_name, sizeof(server_name),
359 "%s.%s@%s",
360 sname, sinst, v4_realm);
361
362 kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s",
363 ad.pname, ad.pinst, ad.prealm, from, server_name);
364
365 if(strcmp(ad.prealm, realm)){
366 kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
367 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
368 "Can't hop realms");
369 goto out2;
370 }
371
372 if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
373 kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
374 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
375 "Can't hop realms");
376 goto out2;
377 }
378
379 if(strcmp(sname, "changepw") == 0){
380 kdc_log(0, "Bad request for changepw ticket (krb4)");
381 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
382 "Can't authorize password change based on TGT");
383 goto out2;
384 }
385
386 #if 0
387 ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
388 if(ret){
389 char *s;
390 s = kdc_log_msg(0, "Client not found in database: (krb4) "
391 "%s.%s@%s: %s",
392 ad.pname, ad.pinst, ad.prealm,
393 krb5_get_err_text(context, ret));
394 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
395 free(s);
396 goto out2;
397 }
398 #endif
399
400 ret = db_fetch4(sname, sinst, v4_realm, &server);
401 if(ret){
402 char *s;
403 s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
404 server_name, krb5_get_err_text(context, ret));
405 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
406 free(s);
407 goto out2;
408 }
409
410 ret = check_flags (NULL, NULL,
411 server, server_name,
412 FALSE);
413 if (ret) {
414 /* good error code? */
415 make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
416 goto out2;
417 }
418
419 ret = get_des_key(server, TRUE, FALSE, &skey);
420 if(ret){
421 kdc_log(0, "no suitable DES key for server (krb4)");
422 /* XXX */
423 make_err_reply(reply, KDC_NULL_KEY,
424 "no suitable DES key for server");
425 goto out2;
426 }
427
428 max_end = krb_life_to_time(ad.time_sec, ad.life);
429 max_end = min(max_end, krb_life_to_time(kdc_time, life));
430 life = min(life, krb_time_to_life(kdc_time, max_end));
431
432 issue_time = kdc_time;
433 actual_end = krb_life_to_time(issue_time, life);
434 while (actual_end > max_end && life > 1) {
435 /* move them into the next earlier lifetime bracket */
436 life--;
437 actual_end = krb_life_to_time(issue_time, life);
438 }
439 if (actual_end > max_end) {
440 /* if life <= 1 and it's still too long, backdate the ticket */
441 issue_time -= actual_end - max_end;
442 }
443
444 {
445 KTEXT_ST cipher, ticket;
446 KTEXT r;
447 des_cblock session;
448 des_new_random_key(&session);
449
450 krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
451 addr->sin_addr.s_addr, &session, life,
452 issue_time,
453 sname, sinst, skey->key.keyvalue.data);
454
455 create_ciph(&cipher, session, sname, sinst, v4_realm,
456 life, server->kvno % 256, &ticket,
457 issue_time, &ad.session);
458
459 memset(&session, 0, sizeof(session));
460 memset(ad.session, 0, sizeof(ad.session));
461
462 r = create_auth_reply(ad.pname, ad.pinst, ad.prealm,
463 req_time, 0, 0, 0, &cipher);
464 krb5_data_copy(reply, r->dat, r->length);
465 memset(&cipher, 0, sizeof(cipher));
466 memset(&ticket, 0, sizeof(ticket));
467 }
468 out2:
469 if(tgt_princ)
470 krb5_free_principal(context, tgt_princ);
471 if(tgt)
472 free_ent(tgt);
473 break;
474 }
475
476 case AUTH_MSG_ERR_REPLY:
477 break;
478 default:
479 kdc_log(0, "Unknown message type (krb4): %d from %s",
480 msg_type, from);
481
482 make_err_reply(reply, KFAILURE, "Unknown message type");
483 }
484 out:
485 if(name)
486 free(name);
487 if(inst)
488 free(inst);
489 if(realm)
490 free(realm);
491 if(sname)
492 free(sname);
493 if(sinst)
494 free(sinst);
495 if(client)
496 free_ent(client);
497 if(server)
498 free_ent(server);
499 krb5_storage_free(sp);
500 return 0;
501 }
502
503 #else /* KRB4 */
504
505 #include <krb5-v4compat.h>
506
507 #endif /* KRB4 */
508
509 krb5_error_code
510 encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
511 const PrincipalName *service, size_t *size)
512 {
513 krb5_storage *sp;
514 krb5_error_code ret;
515 char name[40], inst[40], realm[40];
516 char sname[40], sinst[40];
517
518 {
519 krb5_principal princ;
520 principalname2krb5_principal(&princ,
521 *service,
522 et->crealm);
523 ret = krb5_524_conv_principal(context,
524 princ,
525 sname,
526 sinst,
527 realm);
528 krb5_free_principal(context, princ);
529 if(ret)
530 return ret;
531
532 principalname2krb5_principal(&princ,
533 et->cname,
534 et->crealm);
535
536 ret = krb5_524_conv_principal(context,
537 princ,
538 name,
539 inst,
540 realm);
541 krb5_free_principal(context, princ);
542 }
543 if(ret)
544 return ret;
545
546 sp = krb5_storage_emem();
547
548 krb5_store_int8(sp, 0); /* flags */
549 krb5_store_stringz(sp, name);
550 krb5_store_stringz(sp, inst);
551 krb5_store_stringz(sp, realm);
552 {
553 unsigned char tmp[4] = { 0, 0, 0, 0 };
554 int i;
555 if(et->caddr){
556 for(i = 0; i < et->caddr->len; i++)
557 if(et->caddr->val[i].addr_type == AF_INET &&
558 et->caddr->val[i].address.length == 4){
559 memcpy(tmp, et->caddr->val[i].address.data, 4);
560 break;
561 }
562 }
563 krb5_storage_write(sp, tmp, sizeof(tmp));
564 }
565
566 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
567 et->key.keytype != ETYPE_DES_CBC_MD4 &&
568 et->key.keytype != ETYPE_DES_CBC_CRC) ||
569 et->key.keyvalue.length != 8)
570 return -1;
571 krb5_storage_write(sp, et->key.keyvalue.data, 8);
572
573 {
574 time_t start = et->starttime ? *et->starttime : et->authtime;
575 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
576 krb5_store_int32(sp, start);
577 }
578
579 krb5_store_stringz(sp, sname);
580 krb5_store_stringz(sp, sinst);
581
582 {
583 krb5_data data;
584 krb5_storage_to_data(sp, &data);
585 krb5_storage_free(sp);
586 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
587 if(*size > len)
588 return -1;
589 memset((unsigned char*)buf - *size + 1, 0, *size);
590 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
591 krb5_data_free(&data);
592 }
593 return 0;
594 }
595
596 krb5_error_code
597 get_des_key(hdb_entry *principal, krb5_boolean is_server,
598 krb5_boolean prefer_afs_key, Key **ret_key)
599 {
600 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
601 int i;
602 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
603 ETYPE_DES_CBC_MD4,
604 ETYPE_DES_CBC_CRC };
605
606 for(i = 0;
607 i < sizeof(etypes)/sizeof(etypes[0])
608 && (v5_key == NULL || v4_key == NULL ||
609 afs_key == NULL || server_key == NULL);
610 ++i) {
611 Key *key = NULL;
612 while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
613 if(key->salt == NULL) {
614 if(v5_key == NULL)
615 v5_key = key;
616 } else if(key->salt->type == hdb_pw_salt &&
617 key->salt->salt.length == 0) {
618 if(v4_key == NULL)
619 v4_key = key;
620 } else if(key->salt->type == hdb_afs3_salt) {
621 if(afs_key == NULL)
622 afs_key = key;
623 } else if(server_key == NULL)
624 server_key = key;
625 }
626 }
627
628 if(prefer_afs_key) {
629 if(afs_key)
630 *ret_key = afs_key;
631 else if(v4_key)
632 *ret_key = v4_key;
633 else if(v5_key)
634 *ret_key = v5_key;
635 else if(is_server && server_key)
636 *ret_key = server_key;
637 else
638 return KERB_ERR_NULL_KEY;
639 } else {
640 if(v4_key)
641 *ret_key = v4_key;
642 else if(afs_key)
643 *ret_key = afs_key;
644 else if(v5_key)
645 *ret_key = v5_key;
646 else if(is_server && server_key)
647 *ret_key = server_key;
648 else
649 return KERB_ERR_NULL_KEY;
650 }
651
652 if((*ret_key)->key.keyvalue.length == 0)
653 return KERB_ERR_NULL_KEY;
654 return 0;
655 }
656
Heimdal