2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 RCSID("$Id: kerberos4.c,v 1.45.2.1 2004/03/30 10:29:27 lha Exp $");
44 return ((x
<< 24) & 0xff000000) |
45 ((x
<< 8) & 0xff0000) |
52 maybe_version4(unsigned char *buf
, int len
)
54 return len
> 0 && *buf
== 4;
58 make_err_reply(krb5_data
*reply
, int code
, const char *msg
)
62 /* name, instance and realm are not checked in most (all?)
63 implementations; msg is also never used, but we send it anyway
64 (for debugging purposes) */
67 msg
= krb_get_err_text(code
);
68 cr_err_reply(&er
, "", "", "", kdc_time
, code
, (char*)msg
);
69 krb5_data_copy(reply
, er
.dat
, er
.length
);
73 valid_princ(krb5_context context
, krb5_principal princ
)
79 ret
= krb5_unparse_name(context
, princ
, &s
);
82 ret
= db_fetch(princ
, &ent
);
84 kdc_log(7, "Lookup %s failed: %s", s
,
85 krb5_get_err_text (context
, ret
));
89 kdc_log(7, "Lookup %s succeeded", s
);
96 db_fetch4(const char *name
, const char *instance
, const char *realm
,
102 ret
= krb5_425_conv_principal_ext(context
, name
, instance
, realm
,
106 ret
= db_fetch(p
, ent
);
107 krb5_free_principal(context
, p
);
111 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
114 * Process the v4 request in `buf, len' (received from `addr'
115 * (with string `from').
116 * Return an error code and a reply in `reply'.
120 do_version4(unsigned char *buf
,
124 struct sockaddr_in
*addr
)
128 hdb_entry
*client
= NULL
, *server
= NULL
;
133 char *name
= NULL
, *inst
= NULL
, *realm
= NULL
;
134 char *sname
= NULL
, *sinst
= NULL
;
136 time_t max_life
, max_end
, actual_end
, issue_time
;
138 char client_name
[256];
139 char server_name
[256];
142 kdc_log(0, "Rejected version 4 request from %s", from
);
143 make_err_reply(reply
, KDC_GEN_ERR
, "function not enabled");
147 sp
= krb5_storage_from_mem(buf
, len
);
148 RCHECK(krb5_ret_int8(sp
, &pvno
), out
);
150 kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno
);
151 make_err_reply(reply
, KDC_PKT_VER
, NULL
);
154 RCHECK(krb5_ret_int8(sp
, &msg_type
), out
);
158 case AUTH_MSG_KDC_REQUEST
:
159 RCHECK(krb5_ret_stringz(sp
, &name
), out1
);
160 RCHECK(krb5_ret_stringz(sp
, &inst
), out1
);
161 RCHECK(krb5_ret_stringz(sp
, &realm
), out1
);
162 RCHECK(krb5_ret_int32(sp
, &req_time
), out1
);
164 req_time
= swap32(req_time
);
165 RCHECK(krb5_ret_int8(sp
, &life
), out1
);
166 RCHECK(krb5_ret_stringz(sp
, &sname
), out1
);
167 RCHECK(krb5_ret_stringz(sp
, &sinst
), out1
);
168 snprintf (client_name
, sizeof(client_name
),
169 "%s.%s@%s", name
, inst
, realm
);
170 snprintf (server_name
, sizeof(server_name
),
171 "%s.%s@%s", sname
, sinst
, v4_realm
);
173 kdc_log(0, "AS-REQ (krb4) %s from %s for %s",
174 client_name
, from
, server_name
);
176 ret
= db_fetch4(name
, inst
, realm
, &client
);
178 kdc_log(0, "Client not found in database: %s: %s",
179 client_name
, krb5_get_err_text(context
, ret
));
180 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, NULL
);
183 ret
= db_fetch4(sname
, sinst
, v4_realm
, &server
);
185 kdc_log(0, "Server not found in database: %s: %s",
186 server_name
, krb5_get_err_text(context
, ret
));
187 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, NULL
);
191 ret
= check_flags (client
, client_name
,
195 /* good error code? */
196 make_err_reply(reply
, KERB_ERR_NAME_EXP
, NULL
);
201 * There's no way to do pre-authentication in v4 and thus no
202 * good error code to return if preauthentication is required.
206 || client
->flags
.require_preauth
207 || server
->flags
.require_preauth
) {
209 "Pre-authentication required for v4-request: "
211 client_name
, server_name
);
212 make_err_reply(reply
, KERB_ERR_NULL_KEY
, NULL
);
216 ret
= get_des_key(client
, FALSE
, FALSE
, &ckey
);
218 kdc_log(0, "no suitable DES key for client");
219 make_err_reply(reply
, KDC_NULL_KEY
,
220 "no suitable DES key for client");
225 /* this is not necessary with the new code in libkrb */
226 /* find a properly salted key */
227 while(ckey
->salt
== NULL
|| ckey
->salt
->salt
.length
!= 0)
228 ret
= hdb_next_keytype2key(context
, client
, KEYTYPE_DES
, &ckey
);
230 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
232 make_err_reply(reply
, KDC_NULL_KEY
,
233 "No version-4 salted key in database");
238 ret
= get_des_key(server
, TRUE
, FALSE
, &skey
);
240 kdc_log(0, "no suitable DES key for server");
242 make_err_reply(reply
, KDC_NULL_KEY
,
243 "no suitable DES key for server");
247 max_life
= krb_life_to_time(0, life
);
249 max_life
= min(max_life
, *client
->max_life
);
251 max_life
= min(max_life
, *server
->max_life
);
253 life
= krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
256 KTEXT_ST cipher
, ticket
;
260 des_new_random_key(&session
);
262 krb_create_ticket(&ticket
, 0, name
, inst
, v4_realm
,
263 addr
->sin_addr
.s_addr
, session
, life
, kdc_time
,
264 sname
, sinst
, skey
->key
.keyvalue
.data
);
266 create_ciph(&cipher
, session
, sname
, sinst
, v4_realm
,
267 life
, server
->kvno
% 256, &ticket
, kdc_time
,
268 ckey
->key
.keyvalue
.data
);
269 memset(&session
, 0, sizeof(session
));
270 r
= create_auth_reply(name
, inst
, realm
, req_time
, 0,
271 client
->pw_end
? *client
->pw_end
: 0,
272 client
->kvno
% 256, &cipher
);
273 krb5_data_copy(reply
, r
->dat
, r
->length
);
274 memset(&cipher
, 0, sizeof(cipher
));
275 memset(&ticket
, 0, sizeof(ticket
));
279 case AUTH_MSG_APPL_REQUEST
: {
286 krb5_principal tgt_princ
= NULL
;
287 hdb_entry
*tgt
= NULL
;
290 RCHECK(krb5_ret_int8(sp
, &kvno
), out2
);
291 RCHECK(krb5_ret_stringz(sp
, &realm
), out2
);
293 ret
= krb5_425_conv_principal(context
, "krbtgt", realm
, v4_realm
,
296 kdc_log(0, "Converting krbtgt principal (krb4): %s",
297 krb5_get_err_text(context
, ret
));
298 make_err_reply(reply
, KFAILURE
,
299 "Failed to convert v4 principal (krbtgt)");
303 ret
= db_fetch(tgt_princ
, &tgt
);
306 s
= kdc_log_msg(0, "Ticket-granting ticket not "
307 "found in database (krb4): krbtgt.%s@%s: %s",
309 krb5_get_err_text(context
, ret
));
310 make_err_reply(reply
, KFAILURE
, s
);
315 if(tgt
->kvno
% 256 != kvno
){
316 kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
317 "krbtgt.%s@%s", kvno
, tgt
->kvno
% 256, realm
, v4_realm
);
318 make_err_reply(reply
, KDC_AUTH_EXP
,
319 "old krbtgt kvno used");
323 ret
= get_des_key(tgt
, TRUE
, FALSE
, &tkey
);
325 kdc_log(0, "no suitable DES key for krbtgt (krb4)");
327 make_err_reply(reply
, KDC_NULL_KEY
,
328 "no suitable DES key for krbtgt");
332 RCHECK(krb5_ret_int8(sp
, &ticket_len
), out2
);
333 RCHECK(krb5_ret_int8(sp
, &req_len
), out2
);
335 pos
= krb5_storage_seek(sp
, ticket_len
+ req_len
, SEEK_CUR
);
337 memset(&auth
, 0, sizeof(auth
));
338 memcpy(&auth
.dat
, buf
, pos
);
340 krb_set_key(tkey
->key
.keyvalue
.data
, 0);
342 krb_ignore_ip_address
= !check_ticket_addresses
;
344 ret
= krb_rd_req(&auth
, "krbtgt", realm
,
345 addr
->sin_addr
.s_addr
, &ad
, 0);
347 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret
));
348 make_err_reply(reply
, ret
, NULL
);
352 RCHECK(krb5_ret_int32(sp
, &req_time
), out2
);
354 req_time
= swap32(req_time
);
355 RCHECK(krb5_ret_int8(sp
, &life
), out2
);
356 RCHECK(krb5_ret_stringz(sp
, &sname
), out2
);
357 RCHECK(krb5_ret_stringz(sp
, &sinst
), out2
);
358 snprintf (server_name
, sizeof(server_name
),
360 sname
, sinst
, v4_realm
);
362 kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s",
363 ad
.pname
, ad
.pinst
, ad
.prealm
, from
, server_name
);
365 if(strcmp(ad
.prealm
, realm
)){
366 kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm
, ad
.prealm
);
367 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
,
372 if (!enable_v4_cross_realm
&& strcmp(realm
, v4_realm
) != 0) {
373 kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm
, v4_realm
);
374 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
,
379 if(strcmp(sname
, "changepw") == 0){
380 kdc_log(0, "Bad request for changepw ticket (krb4)");
381 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
,
382 "Can't authorize password change based on TGT");
387 ret
= db_fetch4(ad
.pname
, ad
.pinst
, ad
.prealm
, &client
);
390 s
= kdc_log_msg(0, "Client not found in database: (krb4) "
392 ad
.pname
, ad
.pinst
, ad
.prealm
,
393 krb5_get_err_text(context
, ret
));
394 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, s
);
400 ret
= db_fetch4(sname
, sinst
, v4_realm
, &server
);
403 s
= kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
404 server_name
, krb5_get_err_text(context
, ret
));
405 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, s
);
410 ret
= check_flags (NULL
, NULL
,
414 /* good error code? */
415 make_err_reply(reply
, KERB_ERR_NAME_EXP
, NULL
);
419 ret
= get_des_key(server
, TRUE
, FALSE
, &skey
);
421 kdc_log(0, "no suitable DES key for server (krb4)");
423 make_err_reply(reply
, KDC_NULL_KEY
,
424 "no suitable DES key for server");
428 max_end
= krb_life_to_time(ad
.time_sec
, ad
.life
);
429 max_end
= min(max_end
, krb_life_to_time(kdc_time
, life
));
430 life
= min(life
, krb_time_to_life(kdc_time
, max_end
));
432 issue_time
= kdc_time
;
433 actual_end
= krb_life_to_time(issue_time
, life
);
434 while (actual_end
> max_end
&& life
> 1) {
435 /* move them into the next earlier lifetime bracket */
437 actual_end
= krb_life_to_time(issue_time
, life
);
439 if (actual_end
> max_end
) {
440 /* if life <= 1 and it's still too long, backdate the ticket */
441 issue_time
-= actual_end
- max_end
;
445 KTEXT_ST cipher
, ticket
;
448 des_new_random_key(&session
);
450 krb_create_ticket(&ticket
, 0, ad
.pname
, ad
.pinst
, ad
.prealm
,
451 addr
->sin_addr
.s_addr
, &session
, life
,
453 sname
, sinst
, skey
->key
.keyvalue
.data
);
455 create_ciph(&cipher
, session
, sname
, sinst
, v4_realm
,
456 life
, server
->kvno
% 256, &ticket
,
457 issue_time
, &ad
.session
);
459 memset(&session
, 0, sizeof(session
));
460 memset(ad
.session
, 0, sizeof(ad
.session
));
462 r
= create_auth_reply(ad
.pname
, ad
.pinst
, ad
.prealm
,
463 req_time
, 0, 0, 0, &cipher
);
464 krb5_data_copy(reply
, r
->dat
, r
->length
);
465 memset(&cipher
, 0, sizeof(cipher
));
466 memset(&ticket
, 0, sizeof(ticket
));
470 krb5_free_principal(context
, tgt_princ
);
476 case AUTH_MSG_ERR_REPLY
:
479 kdc_log(0, "Unknown message type (krb4): %d from %s",
482 make_err_reply(reply
, KFAILURE
, "Unknown message type");
499 krb5_storage_free(sp
);
505 #include <krb5-v4compat.h>
510 encode_v4_ticket(void *buf
, size_t len
, const EncTicketPart
*et
,
511 const PrincipalName
*service
, size_t *size
)
515 char name
[40], inst
[40], realm
[40];
516 char sname
[40], sinst
[40];
519 krb5_principal princ
;
520 principalname2krb5_principal(&princ
,
523 ret
= krb5_524_conv_principal(context
,
528 krb5_free_principal(context
, princ
);
532 principalname2krb5_principal(&princ
,
536 ret
= krb5_524_conv_principal(context
,
541 krb5_free_principal(context
, princ
);
546 sp
= krb5_storage_emem();
548 krb5_store_int8(sp
, 0); /* flags */
549 krb5_store_stringz(sp
, name
);
550 krb5_store_stringz(sp
, inst
);
551 krb5_store_stringz(sp
, realm
);
553 unsigned char tmp
[4] = { 0, 0, 0, 0 };
556 for(i
= 0; i
< et
->caddr
->len
; i
++)
557 if(et
->caddr
->val
[i
].addr_type
== AF_INET
&&
558 et
->caddr
->val
[i
].address
.length
== 4){
559 memcpy(tmp
, et
->caddr
->val
[i
].address
.data
, 4);
563 krb5_storage_write(sp
, tmp
, sizeof(tmp
));
566 if((et
->key
.keytype
!= ETYPE_DES_CBC_MD5
&&
567 et
->key
.keytype
!= ETYPE_DES_CBC_MD4
&&
568 et
->key
.keytype
!= ETYPE_DES_CBC_CRC
) ||
569 et
->key
.keyvalue
.length
!= 8)
571 krb5_storage_write(sp
, et
->key
.keyvalue
.data
, 8);
574 time_t start
= et
->starttime
? *et
->starttime
: et
->authtime
;
575 krb5_store_int8(sp
, krb_time_to_life(start
, et
->endtime
));
576 krb5_store_int32(sp
, start
);
579 krb5_store_stringz(sp
, sname
);
580 krb5_store_stringz(sp
, sinst
);
584 krb5_storage_to_data(sp
, &data
);
585 krb5_storage_free(sp
);
586 *size
= (data
.length
+ 7) & ~7; /* pad to 8 bytes */
589 memset((unsigned char*)buf
- *size
+ 1, 0, *size
);
590 memcpy((unsigned char*)buf
- *size
+ 1, data
.data
, data
.length
);
591 krb5_data_free(&data
);
597 get_des_key(hdb_entry
*principal
, krb5_boolean is_server
,
598 krb5_boolean prefer_afs_key
, Key
**ret_key
)
600 Key
*v5_key
= NULL
, *v4_key
= NULL
, *afs_key
= NULL
, *server_key
= NULL
;
602 krb5_enctype etypes
[] = { ETYPE_DES_CBC_MD5
,
607 i
< sizeof(etypes
)/sizeof(etypes
[0])
608 && (v5_key
== NULL
|| v4_key
== NULL
||
609 afs_key
== NULL
|| server_key
== NULL
);
612 while(hdb_next_enctype2key(context
, principal
, etypes
[i
], &key
) == 0) {
613 if(key
->salt
== NULL
) {
616 } else if(key
->salt
->type
== hdb_pw_salt
&&
617 key
->salt
->salt
.length
== 0) {
620 } else if(key
->salt
->type
== hdb_afs3_salt
) {
623 } else if(server_key
== NULL
)
635 else if(is_server
&& server_key
)
636 *ret_key
= server_key
;
638 return KERB_ERR_NULL_KEY
;
646 else if(is_server
&& server_key
)
647 *ret_key
= server_key
;
649 return KERB_ERR_NULL_KEY
;
652 if((*ret_key
)->key
.keyvalue
.length
== 0)
653 return KERB_ERR_NULL_KEY
;