2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <krb5-v4compat.h>
44 return ((x
<< 24) & 0xff000000) |
45 ((x
<< 8) & 0xff0000) |
52 _kdc_maybe_version4(unsigned char *buf
, int len
)
54 return len
> 0 && *buf
== 4;
58 make_err_reply(krb5_context context
, krb5_data
*reply
,
59 int code
, const char *msg
)
61 _krb5_krb_cr_err_reply(context
, "", "", "",
62 kdc_time
, code
, msg
, reply
);
65 struct valid_princ_ctx
{
66 krb5_kdc_configuration
*config
;
71 valid_princ(krb5_context context
,
75 struct valid_princ_ctx
*ctx
= funcctx
;
80 ret
= krb5_unparse_name(context
, princ
, &s
);
83 ret
= _kdc_db_fetch(context
, ctx
->config
, princ
, ctx
->flags
, NULL
, &ent
);
85 kdc_log(context
, ctx
->config
, 7, "Lookup %s failed: %s", s
,
86 krb5_get_err_text (context
, ret
));
90 kdc_log(context
, ctx
->config
, 7, "Lookup %s succeeded", s
);
92 _kdc_free_ent(context
, ent
);
97 _kdc_db_fetch4(krb5_context context
,
98 krb5_kdc_configuration
*config
,
99 const char *name
, const char *instance
, const char *realm
,
105 struct valid_princ_ctx ctx
;
110 ret
= krb5_425_conv_principal_ext2(context
, name
, instance
, realm
,
111 valid_princ
, &ctx
, 0, &p
);
114 ret
= _kdc_db_fetch(context
, config
, p
, flags
, NULL
, ent
);
115 krb5_free_principal(context
, p
);
119 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
122 * Process the v4 request in `buf, len' (received from `addr'
123 * (with string `from').
124 * Return an error code and a reply in `reply'.
128 _kdc_do_version4(krb5_context context
,
129 krb5_kdc_configuration
*config
,
134 struct sockaddr_in
*addr
)
137 krb5_error_code ret
= EINVAL
;
138 hdb_entry_ex
*client
= NULL
, *server
= NULL
;
143 char *name
= NULL
, *inst
= NULL
, *realm
= NULL
;
144 char *sname
= NULL
, *sinst
= NULL
;
148 char client_name
[256];
149 char server_name
[256];
151 if(!config
->enable_v4
) {
152 kdc_log(context
, config
, 0,
153 "Rejected version 4 request from %s", from
);
154 make_err_reply(context
, reply
, KRB4ET_KDC_GEN_ERR
,
155 "Function not enabled");
159 sp
= krb5_storage_from_mem(buf
, len
);
160 RCHECK(krb5_ret_int8(sp
, &pvno
), out
);
162 kdc_log(context
, config
, 0,
163 "Protocol version mismatch (krb4) (%d)", pvno
);
164 make_err_reply(context
, reply
, KRB4ET_KDC_PKT_VER
, "protocol mismatch");
165 ret
= KRB4ET_KDC_PKT_VER
;
168 RCHECK(krb5_ret_int8(sp
, &msg_type
), out
);
172 case AUTH_MSG_KDC_REQUEST
: {
173 krb5_data ticket
, cipher
;
174 krb5_keyblock session
;
176 krb5_data_zero(&ticket
);
177 krb5_data_zero(&cipher
);
179 RCHECK(krb5_ret_stringz(sp
, &name
), out1
);
180 RCHECK(krb5_ret_stringz(sp
, &inst
), out1
);
181 RCHECK(krb5_ret_stringz(sp
, &realm
), out1
);
182 RCHECK(krb5_ret_int32(sp
, &req_time
), out1
);
184 req_time
= swap32(req_time
);
185 RCHECK(krb5_ret_uint8(sp
, &life
), out1
);
186 RCHECK(krb5_ret_stringz(sp
, &sname
), out1
);
187 RCHECK(krb5_ret_stringz(sp
, &sinst
), out1
);
188 snprintf (client_name
, sizeof(client_name
),
189 "%s.%s@%s", name
, inst
, realm
);
190 snprintf (server_name
, sizeof(server_name
),
191 "%s.%s@%s", sname
, sinst
, config
->v4_realm
);
193 kdc_log(context
, config
, 0, "AS-REQ (krb4) %s from %s for %s",
194 client_name
, from
, server_name
);
196 ret
= _kdc_db_fetch4(context
, config
, name
, inst
, realm
,
197 HDB_F_GET_CLIENT
, &client
);
199 kdc_log(context
, config
, 0, "Client not found in database: %s: %s",
200 client_name
, krb5_get_err_text(context
, ret
));
201 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
,
202 "principal unknown");
205 ret
= _kdc_db_fetch4(context
, config
, sname
, sinst
, config
->v4_realm
,
206 HDB_F_GET_SERVER
, &server
);
208 kdc_log(context
, config
, 0, "Server not found in database: %s: %s",
209 server_name
, krb5_get_err_text(context
, ret
));
210 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
,
211 "principal unknown");
215 ret
= _kdc_check_flags (context
, config
,
220 /* good error code? */
221 make_err_reply(context
, reply
, KRB4ET_KDC_NAME_EXP
,
222 "operation not allowed");
226 if (config
->enable_v4_per_principal
&&
227 client
->entry
.flags
.allow_kerberos4
== 0)
229 kdc_log(context
, config
, 0,
230 "Per principal Kerberos 4 flag not turned on for %s",
232 make_err_reply(context
, reply
, KRB4ET_KDC_NULL_KEY
,
233 "allow kerberos4 flag required");
238 * There's no way to do pre-authentication in v4 and thus no
239 * good error code to return if preauthentication is required.
242 if (config
->require_preauth
243 || client
->entry
.flags
.require_preauth
244 || server
->entry
.flags
.require_preauth
) {
245 kdc_log(context
, config
, 0,
246 "Pre-authentication required for v4-request: "
248 client_name
, server_name
);
249 make_err_reply(context
, reply
, KRB4ET_KDC_NULL_KEY
,
254 ret
= _kdc_get_des_key(context
, client
, FALSE
, FALSE
, &ckey
);
256 kdc_log(context
, config
, 0, "no suitable DES key for client");
257 make_err_reply(context
, reply
, KRB4ET_KDC_NULL_KEY
,
258 "no suitable DES key for client");
262 ret
= _kdc_get_des_key(context
, server
, TRUE
, FALSE
, &skey
);
264 kdc_log(context
, config
, 0, "no suitable DES key for server");
265 make_err_reply(context
, reply
, KRB4ET_KDC_NULL_KEY
,
266 "no suitable DES key for server");
270 max_life
= _krb5_krb_life_to_time(0, life
);
271 if(client
->entry
.max_life
)
272 max_life
= min(max_life
, *client
->entry
.max_life
);
273 if(server
->entry
.max_life
)
274 max_life
= min(max_life
, *server
->entry
.max_life
);
276 life
= krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
278 ret
= krb5_generate_random_keyblock(context
,
282 make_err_reply(context
, reply
, KFAILURE
,
283 "Not enough random i KDC");
287 ret
= _krb5_krb_create_ticket(context
,
292 addr
->sin_addr
.s_addr
,
301 krb5_free_keyblock_contents(context
, &session
);
302 make_err_reply(context
, reply
, KFAILURE
,
303 "failed to create v4 ticket");
307 ret
= _krb5_krb_create_ciph(context
,
313 server
->entry
.kvno
% 255,
318 krb5_free_keyblock_contents(context
, &session
);
319 krb5_data_free(&ticket
);
321 make_err_reply(context
, reply
, KFAILURE
,
322 "Failed to create v4 cipher");
326 ret
= _krb5_krb_create_auth_reply(context
,
332 client
->entry
.pw_end
? *client
->entry
.pw_end
: 0,
333 client
->entry
.kvno
% 256,
336 krb5_data_free(&cipher
);
341 case AUTH_MSG_APPL_REQUEST
: {
342 struct _krb5_krb_auth_data ad
;
349 krb5_principal tgt_princ
= NULL
;
350 hdb_entry_ex
*tgt
= NULL
;
352 time_t max_end
, actual_end
, issue_time
;
354 memset(&ad
, 0, sizeof(ad
));
355 krb5_data_zero(&auth
);
357 RCHECK(krb5_ret_int8(sp
, &kvno
), out2
);
358 RCHECK(krb5_ret_stringz(sp
, &realm
), out2
);
360 ret
= krb5_425_conv_principal(context
, "krbtgt", realm
,
364 kdc_log(context
, config
, 0,
365 "Converting krbtgt principal (krb4): %s",
366 krb5_get_err_text(context
, ret
));
367 make_err_reply(context
, reply
, KFAILURE
,
368 "Failed to convert v4 principal (krbtgt)");
372 ret
= _kdc_db_fetch(context
, config
, tgt_princ
,
373 HDB_F_GET_KRBTGT
, NULL
, &tgt
);
376 s
= kdc_log_msg(context
, config
, 0, "Ticket-granting ticket not "
377 "found in database (krb4): krbtgt.%s@%s: %s",
378 realm
, config
->v4_realm
,
379 krb5_get_err_text(context
, ret
));
380 make_err_reply(context
, reply
, KFAILURE
, s
);
385 if(tgt
->entry
.kvno
% 256 != kvno
){
386 kdc_log(context
, config
, 0,
387 "tgs-req (krb4) with old kvno %d (current %d) for "
388 "krbtgt.%s@%s", kvno
, tgt
->entry
.kvno
% 256,
389 realm
, config
->v4_realm
);
390 make_err_reply(context
, reply
, KRB4ET_KDC_AUTH_EXP
,
391 "old krbtgt kvno used");
395 ret
= _kdc_get_des_key(context
, tgt
, TRUE
, FALSE
, &tkey
);
397 kdc_log(context
, config
, 0,
398 "no suitable DES key for krbtgt (krb4)");
399 make_err_reply(context
, reply
, KRB4ET_KDC_NULL_KEY
,
400 "no suitable DES key for krbtgt");
404 RCHECK(krb5_ret_int8(sp
, &ticket_len
), out2
);
405 RCHECK(krb5_ret_int8(sp
, &req_len
), out2
);
407 pos
= krb5_storage_seek(sp
, ticket_len
+ req_len
, SEEK_CUR
);
412 if (config
->check_ticket_addresses
)
413 address
= addr
->sin_addr
.s_addr
;
417 ret
= _krb5_krb_rd_req(context
, &auth
, "krbtgt", realm
,
419 address
, &tkey
->key
, &ad
);
421 kdc_log(context
, config
, 0, "krb_rd_req: %d", ret
);
422 make_err_reply(context
, reply
, ret
, "failed to parse request");
426 RCHECK(krb5_ret_int32(sp
, &req_time
), out2
);
428 req_time
= swap32(req_time
);
429 RCHECK(krb5_ret_uint8(sp
, &life
), out2
);
430 RCHECK(krb5_ret_stringz(sp
, &sname
), out2
);
431 RCHECK(krb5_ret_stringz(sp
, &sinst
), out2
);
432 snprintf (server_name
, sizeof(server_name
),
434 sname
, sinst
, config
->v4_realm
);
435 snprintf (client_name
, sizeof(client_name
),
437 ad
.pname
, ad
.pinst
, ad
.prealm
);
439 kdc_log(context
, config
, 0, "TGS-REQ (krb4) %s from %s for %s",
440 client_name
, from
, server_name
);
442 if(strcmp(ad
.prealm
, realm
)){
443 kdc_log(context
, config
, 0,
444 "Can't hop realms (krb4) %s -> %s", realm
, ad
.prealm
);
445 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
,
450 if (!config
->enable_v4_cross_realm
&& strcmp(realm
, config
->v4_realm
) != 0) {
451 kdc_log(context
, config
, 0,
452 "krb4 Cross-realm %s -> %s disabled",
453 realm
, config
->v4_realm
);
454 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
,
459 if(strcmp(sname
, "changepw") == 0){
460 kdc_log(context
, config
, 0,
461 "Bad request for changepw ticket (krb4)");
462 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
,
463 "Can't authorize password change based on TGT");
467 ret
= _kdc_db_fetch4(context
, config
, ad
.pname
, ad
.pinst
, ad
.prealm
,
468 HDB_F_GET_CLIENT
, &client
);
469 if(ret
&& ret
!= HDB_ERR_NOENTRY
) {
471 s
= kdc_log_msg(context
, config
, 0,
472 "Client not found in database: (krb4) %s: %s",
473 client_name
, krb5_get_err_text(context
, ret
));
474 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
, s
);
478 if (client
== NULL
&& strcmp(ad
.prealm
, config
->v4_realm
) == 0) {
480 s
= kdc_log_msg(context
, config
, 0,
481 "Local client not found in database: (krb4) "
483 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
, s
);
488 ret
= _kdc_db_fetch4(context
, config
, sname
, sinst
, config
->v4_realm
,
489 HDB_F_GET_SERVER
, &server
);
492 s
= kdc_log_msg(context
, config
, 0,
493 "Server not found in database (krb4): %s: %s",
494 server_name
, krb5_get_err_text(context
, ret
));
495 make_err_reply(context
, reply
, KRB4ET_KDC_PR_UNKNOWN
, s
);
500 ret
= _kdc_check_flags (context
, config
,
505 make_err_reply(context
, reply
, KRB4ET_KDC_NAME_EXP
,
506 "operation not allowed");
510 ret
= _kdc_get_des_key(context
, server
, TRUE
, FALSE
, &skey
);
512 kdc_log(context
, config
, 0,
513 "no suitable DES key for server (krb4)");
514 make_err_reply(context
, reply
, KRB4ET_KDC_NULL_KEY
,
515 "no suitable DES key for server");
519 max_end
= _krb5_krb_life_to_time(ad
.time_sec
, ad
.life
);
520 max_end
= min(max_end
, _krb5_krb_life_to_time(kdc_time
, life
));
521 if(server
->entry
.max_life
)
522 max_end
= min(max_end
, kdc_time
+ *server
->entry
.max_life
);
523 if(client
&& client
->entry
.max_life
)
524 max_end
= min(max_end
, kdc_time
+ *client
->entry
.max_life
);
525 life
= min(life
, krb_time_to_life(kdc_time
, max_end
));
527 issue_time
= kdc_time
;
528 actual_end
= _krb5_krb_life_to_time(issue_time
, life
);
529 while (actual_end
> max_end
&& life
> 1) {
530 /* move them into the next earlier lifetime bracket */
532 actual_end
= _krb5_krb_life_to_time(issue_time
, life
);
534 if (actual_end
> max_end
) {
535 /* if life <= 1 and it's still too long, backdate the ticket */
536 issue_time
-= actual_end
- max_end
;
540 krb5_data ticket
, cipher
;
541 krb5_keyblock session
;
543 krb5_data_zero(&ticket
);
544 krb5_data_zero(&cipher
);
546 ret
= krb5_generate_random_keyblock(context
,
550 make_err_reply(context
, reply
, KFAILURE
,
551 "Not enough random i KDC");
555 ret
= _krb5_krb_create_ticket(context
,
560 addr
->sin_addr
.s_addr
,
569 krb5_free_keyblock_contents(context
, &session
);
570 make_err_reply(context
, reply
, KFAILURE
,
571 "failed to create v4 ticket");
575 ret
= _krb5_krb_create_ciph(context
,
581 server
->entry
.kvno
% 255,
586 krb5_free_keyblock_contents(context
, &session
);
588 make_err_reply(context
, reply
, KFAILURE
,
589 "failed to create v4 cipher");
593 ret
= _krb5_krb_create_auth_reply(context
,
603 krb5_data_free(&cipher
);
606 _krb5_krb_free_auth_data(context
, &ad
);
608 krb5_free_principal(context
, tgt_princ
);
610 _kdc_free_ent(context
, tgt
);
613 case AUTH_MSG_ERR_REPLY
:
617 kdc_log(context
, config
, 0, "Unknown message type (krb4): %d from %s",
620 make_err_reply(context
, reply
, KFAILURE
, "Unknown message type");
635 _kdc_free_ent(context
, client
);
637 _kdc_free_ent(context
, server
);
638 krb5_storage_free(sp
);
643 _kdc_encode_v4_ticket(krb5_context context
,
644 krb5_kdc_configuration
*config
,
645 void *buf
, size_t len
, const EncTicketPart
*et
,
646 const PrincipalName
*service
, size_t *size
)
650 char name
[40], inst
[40], realm
[40];
651 char sname
[40], sinst
[40];
654 krb5_principal princ
;
655 _krb5_principalname2krb5_principal(context
,
659 ret
= krb5_524_conv_principal(context
,
664 krb5_free_principal(context
, princ
);
668 _krb5_principalname2krb5_principal(context
,
673 ret
= krb5_524_conv_principal(context
,
678 krb5_free_principal(context
, princ
);
683 sp
= krb5_storage_emem();
685 krb5_store_int8(sp
, 0); /* flags */
686 krb5_store_stringz(sp
, name
);
687 krb5_store_stringz(sp
, inst
);
688 krb5_store_stringz(sp
, realm
);
690 unsigned char tmp
[4] = { 0, 0, 0, 0 };
693 for(i
= 0; i
< et
->caddr
->len
; i
++)
694 if(et
->caddr
->val
[i
].addr_type
== AF_INET
&&
695 et
->caddr
->val
[i
].address
.length
== 4){
696 memcpy(tmp
, et
->caddr
->val
[i
].address
.data
, 4);
700 krb5_storage_write(sp
, tmp
, sizeof(tmp
));
703 if((et
->key
.keytype
!= ETYPE_DES_CBC_MD5
&&
704 et
->key
.keytype
!= ETYPE_DES_CBC_MD4
&&
705 et
->key
.keytype
!= ETYPE_DES_CBC_CRC
) ||
706 et
->key
.keyvalue
.length
!= 8)
708 krb5_storage_write(sp
, et
->key
.keyvalue
.data
, 8);
711 time_t start
= et
->starttime
? *et
->starttime
: et
->authtime
;
712 krb5_store_int8(sp
, krb_time_to_life(start
, et
->endtime
));
713 krb5_store_int32(sp
, start
);
716 krb5_store_stringz(sp
, sname
);
717 krb5_store_stringz(sp
, sinst
);
721 krb5_storage_to_data(sp
, &data
);
722 krb5_storage_free(sp
);
723 *size
= (data
.length
+ 7) & ~7; /* pad to 8 bytes */
726 memset((unsigned char*)buf
- *size
+ 1, 0, *size
);
727 memcpy((unsigned char*)buf
- *size
+ 1, data
.data
, data
.length
);
728 krb5_data_free(&data
);
734 _kdc_get_des_key(krb5_context context
,
735 hdb_entry_ex
*principal
, krb5_boolean is_server
,
736 krb5_boolean prefer_afs_key
, Key
**ret_key
)
738 Key
*v5_key
= NULL
, *v4_key
= NULL
, *afs_key
= NULL
, *server_key
= NULL
;
740 krb5_enctype etypes
[] = { ETYPE_DES_CBC_MD5
,
745 i
< sizeof(etypes
)/sizeof(etypes
[0])
746 && (v5_key
== NULL
|| v4_key
== NULL
||
747 afs_key
== NULL
|| server_key
== NULL
);
750 while(hdb_next_enctype2key(context
, &principal
->entry
, etypes
[i
], &key
) == 0) {
751 if(key
->salt
== NULL
) {
754 } else if(key
->salt
->type
== hdb_pw_salt
&&
755 key
->salt
->salt
.length
== 0) {
758 } else if(key
->salt
->type
== hdb_afs3_salt
) {
761 } else if(server_key
== NULL
)
773 else if(is_server
&& server_key
)
774 *ret_key
= server_key
;
776 return KRB4ET_KDC_NULL_KEY
;
784 else if(is_server
&& server_key
)
785 *ret_key
= server_key
;
787 return KRB4ET_KDC_NULL_KEY
;
790 if((*ret_key
)->key
.keyvalue
.length
== 0)
791 return KRB4ET_KDC_NULL_KEY
;