2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 #include <krb5-v4compat.h>
41 #define KA_AUTHENTICATION_SERVICE 731
42 #define KA_TICKET_GRANTING_SERVICE 732
43 #define KA_MAINTENANCE_SERVICE 733
45 #define AUTHENTICATE_OLD 1
46 #define CHANGEPASSWORD 2
47 #define GETTICKET_OLD 3
56 #define GETPASSWORD 12
57 #define GETRANDOMKEY 13
58 #define AUTHENTICATE 21
59 #define AUTHENTICATE_V2 22
62 /* XXX - Where do we get these? */
64 #define RXGEN_OPCODE (-455)
66 #define KADATABASEINCONSISTENT (180480L)
67 #define KAEXIST (180481L)
68 #define KAIO (180482L)
69 #define KACREATEFAIL (180483L)
70 #define KANOENT (180484L)
71 #define KAEMPTY (180485L)
72 #define KABADNAME (180486L)
73 #define KABADINDEX (180487L)
74 #define KANOAUTH (180488L)
75 #define KAANSWERTOOLONG (180489L)
76 #define KABADREQUEST (180490L)
77 #define KAOLDINTERFACE (180491L)
78 #define KABADARGUMENT (180492L)
79 #define KABADCMD (180493L)
80 #define KANOKEYS (180494L)
81 #define KAREADPW (180495L)
82 #define KABADKEY (180496L)
83 #define KAUBIKINIT (180497L)
84 #define KAUBIKCALL (180498L)
85 #define KABADPROTOCOL (180499L)
86 #define KANOCELLS (180500L)
87 #define KANOCELL (180501L)
88 #define KATOOMANYUBIKS (180502L)
89 #define KATOOMANYKEYS (180503L)
90 #define KABADTICKET (180504L)
91 #define KAUNKNOWNKEY (180505L)
92 #define KAKEYCACHEINVALID (180506L)
93 #define KABADSERVER (180507L)
94 #define KABADUSER (180508L)
95 #define KABADCPW (180509L)
96 #define KABADCREATE (180510L)
97 #define KANOTICKET (180511L)
98 #define KAASSOCUSER (180512L)
99 #define KANOTSPECIAL (180513L)
100 #define KACLOCKSKEW (180514L)
101 #define KANORECURSE (180515L)
102 #define KARXFAIL (180516L)
103 #define KANULLPASSWORD (180517L)
104 #define KAINTERNALERROR (180518L)
105 #define KAPWEXPIRED (180519L)
106 #define KAREUSED (180520L)
107 #define KATOOSOON (180521L)
108 #define KALOCKED (180522L)
111 static krb5_error_code
112 decode_rx_header (krb5_storage
*sp
,
117 ret
= krb5_ret_uint32(sp
, &h
->epoch
);
119 ret
= krb5_ret_uint32(sp
, &h
->connid
);
121 ret
= krb5_ret_uint32(sp
, &h
->callid
);
123 ret
= krb5_ret_uint32(sp
, &h
->seqno
);
125 ret
= krb5_ret_uint32(sp
, &h
->serialno
);
127 ret
= krb5_ret_uint8(sp
, &h
->type
);
129 ret
= krb5_ret_uint8(sp
, &h
->flags
);
131 ret
= krb5_ret_uint8(sp
, &h
->status
);
133 ret
= krb5_ret_uint8(sp
, &h
->secindex
);
135 ret
= krb5_ret_uint16(sp
, &h
->reserved
);
137 ret
= krb5_ret_uint16(sp
, &h
->serviceid
);
143 static krb5_error_code
144 encode_rx_header (struct rx_header
*h
,
149 ret
= krb5_store_uint32(sp
, h
->epoch
);
151 ret
= krb5_store_uint32(sp
, h
->connid
);
153 ret
= krb5_store_uint32(sp
, h
->callid
);
155 ret
= krb5_store_uint32(sp
, h
->seqno
);
157 ret
= krb5_store_uint32(sp
, h
->serialno
);
159 ret
= krb5_store_uint8(sp
, h
->type
);
161 ret
= krb5_store_uint8(sp
, h
->flags
);
163 ret
= krb5_store_uint8(sp
, h
->status
);
165 ret
= krb5_store_uint8(sp
, h
->secindex
);
167 ret
= krb5_store_uint16(sp
, h
->reserved
);
169 ret
= krb5_store_uint16(sp
, h
->serviceid
);
176 init_reply_header (struct rx_header
*hdr
,
177 struct rx_header
*reply_hdr
,
181 reply_hdr
->epoch
= hdr
->epoch
;
182 reply_hdr
->connid
= hdr
->connid
;
183 reply_hdr
->callid
= hdr
->callid
;
184 reply_hdr
->seqno
= 1;
185 reply_hdr
->serialno
= 1;
186 reply_hdr
->type
= type
;
187 reply_hdr
->flags
= flags
;
188 reply_hdr
->status
= 0;
189 reply_hdr
->secindex
= 0;
190 reply_hdr
->reserved
= 0;
191 reply_hdr
->serviceid
= hdr
->serviceid
;
195 * Create an error `reply´ using for the packet `hdr' with the error
199 make_error_reply (struct rx_header
*hdr
,
204 struct rx_header reply_hdr
;
208 init_reply_header (hdr
, &reply_hdr
, HT_ABORT
, HF_LAST
);
209 sp
= krb5_storage_emem();
212 ret
= encode_rx_header (&reply_hdr
, sp
);
215 krb5_store_int32(sp
, error
);
216 krb5_storage_to_data (sp
, reply
);
217 krb5_storage_free (sp
);
220 static krb5_error_code
221 krb5_ret_xdr_data(krb5_storage
*sp
,
226 ret
= krb5_ret_int32(sp
, &size
);
234 size_t pad
= (4 - size
% 4) % 4;
236 data
->data
= malloc(size
);
237 if (data
->data
== NULL
)
239 ret
= krb5_storage_read(sp
, data
->data
, size
);
241 return (ret
< 0)? errno
: KRB5_CC_END
;
243 ret
= krb5_storage_read(sp
, foo
, pad
);
245 return (ret
< 0)? errno
: KRB5_CC_END
;
252 static krb5_error_code
253 krb5_store_xdr_data(krb5_storage
*sp
,
256 u_char zero
[4] = {0, 0, 0, 0};
260 ret
= krb5_store_int32(sp
, data
.length
);
263 ret
= krb5_storage_write(sp
, data
.data
, data
.length
);
264 if(ret
!= data
.length
){
269 pad
= (4 - data
.length
% 4) % 4;
271 ret
= krb5_storage_write(sp
, zero
, pad
);
282 static krb5_error_code
283 create_reply_ticket (krb5_context context
,
284 struct rx_header
*hdr
,
286 char *name
, char *instance
, char *realm
,
287 struct sockaddr_in
*addr
,
291 const char *sname
, const char *sinstance
,
299 krb5_keyblock session
;
302 struct rx_header reply_hdr
;
305 unsigned fyrtiosjuelva
;
307 /* create the ticket */
309 krb5_generate_random_keyblock(context
, ETYPE_DES_PCBC_NONE
, &session
);
311 _krb5_krb_create_ticket(context
,
316 addr
->sin_addr
.s_addr
,
325 /* create the encrypted part of the reply */
326 sp
= krb5_storage_emem ();
327 krb5_generate_random_block(&fyrtiosjuelva
, sizeof(fyrtiosjuelva
));
328 fyrtiosjuelva
&= 0xffffffff;
329 krb5_store_int32 (sp
, fyrtiosjuelva
);
330 krb5_store_int32 (sp
, challenge
);
331 krb5_storage_write (sp
, session
.keyvalue
.data
, 8);
332 krb5_free_keyblock_contents(context
, &session
);
333 krb5_store_int32 (sp
, kdc_time
);
334 krb5_store_int32 (sp
, kdc_time
+ _krb5_krb_life_to_time (0, life
));
335 krb5_store_int32 (sp
, kvno
);
336 krb5_store_int32 (sp
, ticket
.length
);
337 krb5_store_stringz (sp
, name
);
338 krb5_store_stringz (sp
, instance
);
339 #if 1 /* XXX - Why shouldn't the realm go here? */
340 krb5_store_stringz (sp
, "");
342 krb5_store_stringz (sp
, realm
);
344 krb5_store_stringz (sp
, sname
);
345 krb5_store_stringz (sp
, sinstance
);
346 krb5_storage_write (sp
, ticket
.data
, ticket
.length
);
347 krb5_storage_write (sp
, label
, strlen(label
));
349 /* pad to DES block */
350 memset (zero
, 0, sizeof(zero
));
351 pad
= (8 - krb5_storage_seek (sp
, 0, SEEK_CUR
) % 8) % 8;
352 krb5_storage_write (sp
, zero
, pad
);
354 krb5_storage_to_data (sp
, &enc_data
);
355 krb5_storage_free (sp
);
357 if (enc_data
.length
> max_seq_len
) {
358 krb5_data_free (&enc_data
);
359 make_error_reply (hdr
, KAANSWERTOOLONG
, reply
);
365 DES_key_schedule schedule
;
368 memcpy (&deskey
, key
->keyvalue
.data
, sizeof(deskey
));
369 DES_set_key_unchecked (&deskey
, &schedule
);
370 DES_pcbc_encrypt (enc_data
.data
,
376 memset (&schedule
, 0, sizeof(schedule
));
377 memset (&deskey
, 0, sizeof(deskey
));
380 /* create the reply packet */
381 init_reply_header (hdr
, &reply_hdr
, HT_DATA
, HF_LAST
);
382 sp
= krb5_storage_emem ();
383 ret
= encode_rx_header (&reply_hdr
, sp
);
384 krb5_store_int32 (sp
, max_seq_len
);
385 krb5_store_xdr_data (sp
, enc_data
);
386 krb5_data_free (&enc_data
);
387 krb5_storage_to_data (sp
, reply
);
388 krb5_storage_free (sp
);
392 static krb5_error_code
393 unparse_auth_args (krb5_storage
*sp
,
399 int32_t *max_seq_len
)
404 krb5_ret_xdr_data (sp
, &data
);
405 *name
= malloc(data
.length
+ 1);
408 memcpy (*name
, data
.data
, data
.length
);
409 (*name
)[data
.length
] = '\0';
410 krb5_data_free (&data
);
412 krb5_ret_xdr_data (sp
, &data
);
413 *instance
= malloc(data
.length
+ 1);
414 if (*instance
== NULL
) {
418 memcpy (*instance
, data
.data
, data
.length
);
419 (*instance
)[data
.length
] = '\0';
420 krb5_data_free (&data
);
422 krb5_ret_int32 (sp
, &tmp
);
424 krb5_ret_int32 (sp
, &tmp
);
426 krb5_ret_xdr_data (sp
, request
);
427 krb5_ret_int32 (sp
, max_seq_len
);
428 /* ignore the rest */
433 do_authenticate (krb5_context context
,
434 krb5_kdc_configuration
*config
,
435 struct rx_header
*hdr
,
437 struct sockaddr_in
*addr
,
443 char *instance
= NULL
;
448 hdb_entry_ex
*client_entry
= NULL
;
449 hdb_entry_ex
*server_entry
= NULL
;
452 krb5_storage
*reply_sp
;
456 char client_name
[256];
457 char server_name
[256];
459 krb5_data_zero (&request
);
461 ret
= unparse_auth_args (sp
, &name
, &instance
, &start_time
, &end_time
,
462 &request
, &max_seq_len
);
463 if (ret
!= 0 || request
.length
< 8) {
464 make_error_reply (hdr
, KABADREQUEST
, reply
);
468 snprintf (client_name
, sizeof(client_name
), "%s.%s@%s",
469 name
, instance
, config
->v4_realm
);
470 snprintf (server_name
, sizeof(server_name
), "%s.%s@%s",
471 "krbtgt", config
->v4_realm
, config
->v4_realm
);
473 kdc_log(context
, config
, 0, "AS-REQ (kaserver) %s from %s for %s",
474 client_name
, from
, server_name
);
476 ret
= _kdc_db_fetch4 (context
, config
, name
, instance
,
477 config
->v4_realm
, HDB_F_GET_CLIENT
,
480 kdc_log(context
, config
, 0, "Client not found in database: %s: %s",
481 client_name
, krb5_get_err_text(context
, ret
));
482 make_error_reply (hdr
, KANOENT
, reply
);
486 ret
= _kdc_db_fetch4 (context
, config
, "krbtgt",
487 config
->v4_realm
, config
->v4_realm
,
488 HDB_F_GET_KRBTGT
, &server_entry
);
490 kdc_log(context
, config
, 0, "Server not found in database: %s: %s",
491 server_name
, krb5_get_err_text(context
, ret
));
492 make_error_reply (hdr
, KANOENT
, reply
);
496 ret
= _kdc_check_flags (context
, config
,
497 client_entry
, client_name
,
498 server_entry
, server_name
,
501 make_error_reply (hdr
, KAPWEXPIRED
, reply
);
506 ret
= _kdc_get_des_key(context
, client_entry
, FALSE
, TRUE
, &ckey
);
508 kdc_log(context
, config
, 0, "no suitable DES key for client");
509 make_error_reply (hdr
, KANOKEYS
, reply
);
514 ret
= _kdc_get_des_key(context
, server_entry
, TRUE
, TRUE
, &skey
);
516 kdc_log(context
, config
, 0, "no suitable DES key for server");
517 make_error_reply (hdr
, KANOKEYS
, reply
);
523 DES_key_schedule schedule
;
525 /* try to decode the `request' */
526 memcpy (&key
, ckey
->key
.keyvalue
.data
, sizeof(key
));
527 DES_set_key_unchecked (&key
, &schedule
);
528 DES_pcbc_encrypt (request
.data
,
534 memset (&schedule
, 0, sizeof(schedule
));
535 memset (&key
, 0, sizeof(key
));
538 /* check for the magic label */
539 if (memcmp ((char *)request
.data
+ 4, "gTGS", 4) != 0) {
540 kdc_log(context
, config
, 0, "preauth failed for %s", client_name
);
541 make_error_reply (hdr
, KABADREQUEST
, reply
);
545 reply_sp
= krb5_storage_from_mem (request
.data
, 4);
546 krb5_ret_int32 (reply_sp
, &chal
);
547 krb5_storage_free (reply_sp
);
549 if (abs(chal
- kdc_time
) > context
->max_skew
) {
550 make_error_reply (hdr
, KACLOCKSKEW
, reply
);
555 max_life
= end_time
- kdc_time
;
556 /* end_time - kdc_time can sometimes be non-positive due to slight
557 time skew between client and server. Let's make sure it is postive */
560 if (client_entry
->entry
.max_life
)
561 max_life
= min(max_life
, *client_entry
->entry
.max_life
);
562 if (server_entry
->entry
.max_life
)
563 max_life
= min(max_life
, *server_entry
->entry
.max_life
);
565 life
= krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
567 create_reply_ticket (context
,
569 name
, instance
, config
->v4_realm
,
570 addr
, life
, server_entry
->entry
.kvno
,
572 "krbtgt", config
->v4_realm
,
577 if (request
.length
) {
578 memset (request
.data
, 0, request
.length
);
579 krb5_data_free (&request
);
586 _kdc_free_ent (context
, client_entry
);
588 _kdc_free_ent (context
, server_entry
);
591 static krb5_error_code
592 unparse_getticket_args (krb5_storage
*sp
,
599 int32_t *max_seq_len
)
604 krb5_ret_int32 (sp
, &tmp
);
607 krb5_ret_xdr_data (sp
, &data
);
608 *auth_domain
= malloc(data
.length
+ 1);
609 if (*auth_domain
== NULL
)
611 memcpy (*auth_domain
, data
.data
, data
.length
);
612 (*auth_domain
)[data
.length
] = '\0';
613 krb5_data_free (&data
);
615 krb5_ret_xdr_data (sp
, ticket
);
617 krb5_ret_xdr_data (sp
, &data
);
618 *name
= malloc(data
.length
+ 1);
623 memcpy (*name
, data
.data
, data
.length
);
624 (*name
)[data
.length
] = '\0';
625 krb5_data_free (&data
);
627 krb5_ret_xdr_data (sp
, &data
);
628 *instance
= malloc(data
.length
+ 1);
629 if (*instance
== NULL
) {
634 memcpy (*instance
, data
.data
, data
.length
);
635 (*instance
)[data
.length
] = '\0';
636 krb5_data_free (&data
);
638 krb5_ret_xdr_data (sp
, times
);
640 krb5_ret_int32 (sp
, max_seq_len
);
641 /* ignore the rest */
646 do_getticket (krb5_context context
,
647 krb5_kdc_configuration
*config
,
648 struct rx_header
*hdr
,
650 struct sockaddr_in
*addr
,
656 char *auth_domain
= NULL
;
659 char *instance
= NULL
;
662 hdb_entry_ex
*server_entry
= NULL
;
663 hdb_entry_ex
*client_entry
= NULL
;
664 hdb_entry_ex
*krbtgt_entry
= NULL
;
668 DES_key_schedule schedule
;
672 time_t start_time
, end_time
;
673 char server_name
[256];
674 char client_name
[256];
675 struct _krb5_krb_auth_data ad
;
677 krb5_data_zero (&aticket
);
678 krb5_data_zero (×
);
680 memset(&ad
, 0, sizeof(ad
));
682 unparse_getticket_args (sp
, &kvno
, &auth_domain
, &aticket
,
683 &name
, &instance
, ×
, &max_seq_len
);
684 if (times
.length
< 8) {
685 make_error_reply (hdr
, KABADREQUEST
, reply
);
690 snprintf (server_name
, sizeof(server_name
),
691 "%s.%s@%s", name
, instance
, config
->v4_realm
);
693 ret
= _kdc_db_fetch4 (context
, config
, name
, instance
,
694 config
->v4_realm
, HDB_F_GET_SERVER
, &server_entry
);
696 kdc_log(context
, config
, 0, "Server not found in database: %s: %s",
697 server_name
, krb5_get_err_text(context
, ret
));
698 make_error_reply (hdr
, KANOENT
, reply
);
702 ret
= _kdc_db_fetch4 (context
, config
, "krbtgt",
703 config
->v4_realm
, config
->v4_realm
, HDB_F_GET_KRBTGT
, &krbtgt_entry
);
705 kdc_log(context
, config
, 0,
706 "Server not found in database: %s.%s@%s: %s",
707 "krbtgt", config
->v4_realm
, config
->v4_realm
,
708 krb5_get_err_text(context
, ret
));
709 make_error_reply (hdr
, KANOENT
, reply
);
714 ret
= _kdc_get_des_key(context
, krbtgt_entry
, TRUE
, TRUE
, &kkey
);
716 kdc_log(context
, config
, 0, "no suitable DES key for krbtgt");
717 make_error_reply (hdr
, KANOKEYS
, reply
);
722 ret
= _kdc_get_des_key(context
, server_entry
, TRUE
, TRUE
, &skey
);
724 kdc_log(context
, config
, 0, "no suitable DES key for server");
725 make_error_reply (hdr
, KANOKEYS
, reply
);
729 /* decrypt the incoming ticket */
730 memcpy (&key
, kkey
->key
.keyvalue
.data
, sizeof(key
));
732 /* unpack the ticket */
735 char *sinstance
= NULL
;
737 ret
= _krb5_krb_decomp_ticket(context
, &aticket
, &kkey
->key
,
738 config
->v4_realm
, &sname
,
741 kdc_log(context
, config
, 0,
742 "kaserver: decomp failed for %s.%s with %d",
743 sname
, sinstance
, ret
);
744 make_error_reply (hdr
, KABADTICKET
, reply
);
748 if (strcmp (sname
, "krbtgt") != 0
749 || strcmp (sinstance
, config
->v4_realm
) != 0) {
750 kdc_log(context
, config
, 0, "no TGT: %s.%s for %s.%s@%s",
752 ad
.pname
, ad
.pinst
, ad
.prealm
);
753 make_error_reply (hdr
, KABADTICKET
, reply
);
761 if (kdc_time
> _krb5_krb_life_to_time(ad
.time_sec
, ad
.life
)) {
762 kdc_log(context
, config
, 0, "TGT expired: %s.%s@%s",
763 ad
.pname
, ad
.pinst
, ad
.prealm
);
764 make_error_reply (hdr
, KABADTICKET
, reply
);
769 snprintf (client_name
, sizeof(client_name
),
770 "%s.%s@%s", ad
.pname
, ad
.pinst
, ad
.prealm
);
772 kdc_log(context
, config
, 0, "TGS-REQ (kaserver) %s from %s for %s",
773 client_name
, from
, server_name
);
775 ret
= _kdc_db_fetch4 (context
, config
,
776 ad
.pname
, ad
.pinst
, ad
.prealm
, HDB_F_GET_CLIENT
,
778 if(ret
&& ret
!= HDB_ERR_NOENTRY
) {
779 kdc_log(context
, config
, 0,
780 "Client not found in database: (krb4) %s: %s",
781 client_name
, krb5_get_err_text(context
, ret
));
782 make_error_reply (hdr
, KANOENT
, reply
);
785 if (client_entry
== NULL
&& strcmp(ad
.prealm
, config
->v4_realm
) == 0) {
786 kdc_log(context
, config
, 0,
787 "Local client not found in database: (krb4) "
789 make_error_reply (hdr
, KANOENT
, reply
);
793 ret
= _kdc_check_flags (context
, config
,
794 client_entry
, client_name
,
795 server_entry
, server_name
,
798 make_error_reply (hdr
, KAPWEXPIRED
, reply
);
802 /* decrypt the times */
803 memcpy(&session
, ad
.session
.keyvalue
.data
, sizeof(session
));
804 DES_set_key_unchecked (&session
, &schedule
);
805 DES_ecb_encrypt (times
.data
,
809 memset (&schedule
, 0, sizeof(schedule
));
810 memset (&session
, 0, sizeof(session
));
812 /* and extract them */
817 tsp
= krb5_storage_from_mem (times
.data
, times
.length
);
818 krb5_ret_int32 (tsp
, &tmp
);
820 krb5_ret_int32 (tsp
, &tmp
);
822 krb5_storage_free (tsp
);
826 max_life
= end_time
- kdc_time
;
827 /* end_time - kdc_time can sometimes be non-positive due to slight
828 time skew between client and server. Let's make sure it is postive */
831 if (krbtgt_entry
->entry
.max_life
)
832 max_life
= min(max_life
, *krbtgt_entry
->entry
.max_life
);
833 if (server_entry
->entry
.max_life
)
834 max_life
= min(max_life
, *server_entry
->entry
.max_life
);
835 /* if this is a cross realm request, the client_entry will likely
837 if (client_entry
&& client_entry
->entry
.max_life
)
838 max_life
= min(max_life
, *client_entry
->entry
.max_life
);
840 life
= _krb5_krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
842 create_reply_ticket (context
,
844 ad
.pname
, ad
.pinst
, ad
.prealm
,
845 addr
, life
, server_entry
->entry
.kvno
,
852 _krb5_krb_free_auth_data(context
, &ad
);
853 if (aticket
.length
) {
854 memset (aticket
.data
, 0, aticket
.length
);
855 krb5_data_free (&aticket
);
858 memset (times
.data
, 0, times
.length
);
859 krb5_data_free (×
);
868 _kdc_free_ent (context
, krbtgt_entry
);
870 _kdc_free_ent (context
, server_entry
);
874 _kdc_do_kaserver(krb5_context context
,
875 krb5_kdc_configuration
*config
,
880 struct sockaddr_in
*addr
)
882 krb5_error_code ret
= 0;
883 struct rx_header hdr
;
887 if (len
< RX_HEADER_SIZE
)
889 sp
= krb5_storage_from_mem (buf
, len
);
891 ret
= decode_rx_header (sp
, &hdr
);
894 buf
+= RX_HEADER_SIZE
;
895 len
-= RX_HEADER_SIZE
;
913 if (hdr
.serviceid
!= KA_AUTHENTICATION_SERVICE
914 && hdr
.serviceid
!= KA_TICKET_GRANTING_SERVICE
) {
919 ret
= krb5_ret_uint32(sp
, &op
);
924 case AUTHENTICATE_V2
:
925 do_authenticate (context
, config
, &hdr
, sp
, addr
, from
, reply
);
928 do_getticket (context
, config
, &hdr
, sp
, addr
, from
, reply
);
930 case AUTHENTICATE_OLD
:
931 case CHANGEPASSWORD
:
944 make_error_reply (&hdr
, RXGEN_OPCODE
, reply
);
949 krb5_storage_free (sp
);