search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
*** empty log message ***
[heimdal.git] / kdc / kaserver.c
blob8a3da9a5b8dd8094b5108dfdf77348b9921232bd
1 /*
2 * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 RCSID("$Id$");
37
38 #ifdef KASERVER
39
40 #include "kerberos4.h"
41 #include <rx.h>
42
43 #define KA_AUTHENTICATION_SERVICE 731
44 #define KA_TICKET_GRANTING_SERVICE 732
45 #define KA_MAINTENANCE_SERVICE 733
46
47 #define AUTHENTICATE_OLD 1
48 #define CHANGEPASSWORD 2
49 #define GETTICKET_OLD 3
50 #define SETPASSWORD 4
51 #define SETFIELDS 5
52 #define CREATEUSER 6
53 #define DELETEUSER 7
54 #define GETENTRY 8
55 #define LISTENTRY 9
56 #define GETSTATS 10
57 #define DEBUG 11
58 #define GETPASSWORD 12
59 #define GETRANDOMKEY 13
60 #define AUTHENTICATE 21
61 #define AUTHENTICATE_V2 22
62 #define GETTICKET 23
63
64 /* XXX - Where do we get these? */
65
66 #define RXGEN_OPCODE (-455)
67
68 #define KADATABASEINCONSISTENT (180480L)
69 #define KAEXIST (180481L)
70 #define KAIO (180482L)
71 #define KACREATEFAIL (180483L)
72 #define KANOENT (180484L)
73 #define KAEMPTY (180485L)
74 #define KABADNAME (180486L)
75 #define KABADINDEX (180487L)
76 #define KANOAUTH (180488L)
77 #define KAANSWERTOOLONG (180489L)
78 #define KABADREQUEST (180490L)
79 #define KAOLDINTERFACE (180491L)
80 #define KABADARGUMENT (180492L)
81 #define KABADCMD (180493L)
82 #define KANOKEYS (180494L)
83 #define KAREADPW (180495L)
84 #define KABADKEY (180496L)
85 #define KAUBIKINIT (180497L)
86 #define KAUBIKCALL (180498L)
87 #define KABADPROTOCOL (180499L)
88 #define KANOCELLS (180500L)
89 #define KANOCELL (180501L)
90 #define KATOOMANYUBIKS (180502L)
91 #define KATOOMANYKEYS (180503L)
92 #define KABADTICKET (180504L)
93 #define KAUNKNOWNKEY (180505L)
94 #define KAKEYCACHEINVALID (180506L)
95 #define KABADSERVER (180507L)
96 #define KABADUSER (180508L)
97 #define KABADCPW (180509L)
98 #define KABADCREATE (180510L)
99 #define KANOTICKET (180511L)
100 #define KAASSOCUSER (180512L)
101 #define KANOTSPECIAL (180513L)
102 #define KACLOCKSKEW (180514L)
103 #define KANORECURSE (180515L)
104 #define KARXFAIL (180516L)
105 #define KANULLPASSWORD (180517L)
106 #define KAINTERNALERROR (180518L)
107 #define KAPWEXPIRED (180519L)
108 #define KAREUSED (180520L)
109 #define KATOOSOON (180521L)
110 #define KALOCKED (180522L)
111
112 static void
113 decode_rx_header (krb5_storage *sp,
114 struct rx_header *h)
115 {
116 krb5_ret_int32(sp, &h->epoch);
117 krb5_ret_int32(sp, &h->connid);
118 krb5_ret_int32(sp, &h->callid);
119 krb5_ret_int32(sp, &h->seqno);
120 krb5_ret_int32(sp, &h->serialno);
121 krb5_ret_int8(sp, &h->type);
122 krb5_ret_int8(sp, &h->flags);
123 krb5_ret_int8(sp, &h->status);
124 krb5_ret_int8(sp, &h->secindex);
125 krb5_ret_int16(sp, &h->reserved);
126 krb5_ret_int16(sp, &h->serviceid);
127 }
128
129 static void
130 encode_rx_header (struct rx_header *h,
131 krb5_storage *sp)
132 {
133 krb5_store_int32(sp, h->epoch);
134 krb5_store_int32(sp, h->connid);
135 krb5_store_int32(sp, h->callid);
136 krb5_store_int32(sp, h->seqno);
137 krb5_store_int32(sp, h->serialno);
138 krb5_store_int8(sp, h->type);
139 krb5_store_int8(sp, h->flags);
140 krb5_store_int8(sp, h->status);
141 krb5_store_int8(sp, h->secindex);
142 krb5_store_int16(sp, h->reserved);
143 krb5_store_int16(sp, h->serviceid);
144 }
145
146 static void
147 init_reply_header (struct rx_header *hdr,
148 struct rx_header *reply_hdr,
149 u_char type,
150 u_char flags)
151 {
152 reply_hdr->epoch = hdr->epoch;
153 reply_hdr->connid = hdr->connid;
154 reply_hdr->callid = hdr->callid;
155 reply_hdr->seqno = 1;
156 reply_hdr->serialno = 1;
157 reply_hdr->type = type;
158 reply_hdr->flags = flags;
159 reply_hdr->status = 0;
160 reply_hdr->secindex = 0;
161 reply_hdr->reserved = 0;
162 reply_hdr->serviceid = hdr->serviceid;
163 }
164
165 static void
166 make_error_reply (struct rx_header *hdr,
167 u_int32_t ret,
168 krb5_data *reply)
169
170 {
171 krb5_storage *sp;
172 struct rx_header reply_hdr;
173
174 init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
175 sp = krb5_storage_emem();
176 encode_rx_header (&reply_hdr, sp);
177 krb5_store_int32(sp, ret);
178 krb5_storage_to_data (sp, reply);
179 krb5_storage_free (sp);
180 }
181
182 static krb5_error_code
183 krb5_ret_xdr_data(krb5_storage *sp,
184 krb5_data *data)
185 {
186 int ret;
187 int size;
188 ret = krb5_ret_int32(sp, &size);
189 if(ret)
190 return ret;
191 data->length = size;
192 if (size) {
193 u_char foo[4];
194 size_t pad = (4 - size % 4) % 4;
195
196 data->data = malloc(size);
197 if (data->data == NULL)
198 return ENOMEM;
199 ret = sp->fetch(sp, data->data, size);
200 if(ret != size)
201 return (ret < 0)? errno : KRB5_CC_END;
202 if (pad) {
203 ret = sp->fetch(sp, foo, pad);
204 if (ret != pad)
205 return (ret < 0)? errno : KRB5_CC_END;
206 }
207 } else
208 data->data = NULL;
209 return 0;
210 }
211
212 static krb5_error_code
213 krb5_store_xdr_data(krb5_storage *sp,
214 krb5_data data)
215 {
216 u_char zero[4] = {0, 0, 0, 0};
217 int ret;
218 size_t pad;
219
220 ret = krb5_store_int32(sp, data.length);
221 if(ret < 0)
222 return ret;
223 ret = sp->store(sp, data.data, data.length);
224 if(ret != data.length){
225 if(ret < 0)
226 return errno;
227 return KRB5_CC_END;
228 }
229 pad = (4 - data.length % 4) % 4;
230 if (pad) {
231 ret = sp->store(sp, zero, pad);
232 if (ret != pad) {
233 if (ret < 0)
234 return errno;
235 return KRB5_CC_END;
236 }
237 }
238 return 0;
239 }
240
241
242 static krb5_error_code
243 create_reply_ticket (struct rx_header *hdr,
244 Key *skey,
245 char *name, char *instance, char *realm,
246 struct sockaddr_in *addr,
247 int life,
248 int kvno,
249 int32_t max_seq_len,
250 char *sname, char *sinstance,
251 u_int32_t challenge,
252 char *label,
253 des_cblock *key,
254 krb5_data *reply)
255 {
256 KTEXT_ST ticket;
257 des_cblock session;
258 krb5_storage *sp;
259 krb5_data enc_data;
260 des_key_schedule schedule;
261 struct rx_header reply_hdr;
262 des_cblock zero;
263 size_t pad;
264 unsigned fyrtiosjuelva;
265
266 /* create the ticket */
267
268 des_new_random_key(&session);
269
270 krb_create_ticket (&ticket, 0, name, instance, realm,
271 addr->sin_addr.s_addr,
272 &session, life, kdc_time,
273 sname, sinstance, skey->key.keyvalue.data);
274
275 /* create the encrypted part of the reply */
276 sp = krb5_storage_emem ();
277 krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva));
278 fyrtiosjuelva &= 0xffffffff;
279 krb5_store_int32 (sp, fyrtiosjuelva);
280 #if 0
281 krb5_store_int32 (sp, 4711); /* XXX */
282 #endif
283 krb5_store_int32 (sp, challenge);
284 sp->store (sp, session, 8);
285 memset (&session, 0, sizeof(session));
286 krb5_store_int32 (sp, kdc_time);
287 krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life));
288 krb5_store_int32 (sp, kvno);
289 krb5_store_int32 (sp, ticket.length);
290 krb5_store_stringz (sp, name);
291 krb5_store_stringz (sp, instance);
292 #if 1 /* XXX - Why shouldn't the realm go here? */
293 krb5_store_stringz (sp, "");
294 #else
295 krb5_store_stringz (sp, realm);
296 #endif
297 krb5_store_stringz (sp, sname);
298 krb5_store_stringz (sp, sinstance);
299 sp->store (sp, ticket.dat, ticket.length);
300 sp->store (sp, label, strlen(label));
301
302 /* pad to DES block */
303 memset (zero, 0, sizeof(zero));
304 pad = (8 - sp->seek (sp, 0, SEEK_CUR) % 8) % 8;
305 sp->store (sp, zero, pad);
306
307 krb5_storage_to_data (sp, &enc_data);
308 krb5_storage_free (sp);
309
310 if (enc_data.length > max_seq_len) {
311 krb5_data_free (&enc_data);
312 make_error_reply (hdr, KAANSWERTOOLONG, reply);
313 return 0;
314 }
315
316 /* encrypt it */
317 des_set_key (key, schedule);
318 des_pcbc_encrypt ((des_cblock *)enc_data.data,
319 (des_cblock *)enc_data.data,
320 enc_data.length,
321 schedule,
322 key,
323 DES_ENCRYPT);
324 memset (&schedule, 0, sizeof(schedule));
325
326 /* create the reply packet */
327 init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
328 sp = krb5_storage_emem ();
329 encode_rx_header (&reply_hdr, sp);
330 krb5_store_int32 (sp, max_seq_len);
331 krb5_store_xdr_data (sp, enc_data);
332 krb5_data_free (&enc_data);
333 krb5_storage_to_data (sp, reply);
334 krb5_storage_free (sp);
335 return 0;
336 }
337
338 static krb5_error_code
339 unparse_auth_args (krb5_storage *sp,
340 char **name,
341 char **instance,
342 time_t *start_time,
343 time_t *end_time,
344 krb5_data *request,
345 int32_t *max_seq_len)
346 {
347 krb5_data data;
348 int32_t tmp;
349
350 krb5_ret_xdr_data (sp, &data);
351 *name = malloc(data.length + 1);
352 if (*name == NULL)
353 return ENOMEM;
354 memcpy (*name, data.data, data.length);
355 (*name)[data.length] = '\0';
356 krb5_data_free (&data);
357
358 krb5_ret_xdr_data (sp, &data);
359 *instance = malloc(data.length + 1);
360 if (*instance == NULL) {
361 free (*name);
362 return ENOMEM;
363 }
364 memcpy (*instance, data.data, data.length);
365 (*instance)[data.length] = '\0';
366 krb5_data_free (&data);
367
368 krb5_ret_int32 (sp, &tmp);
369 *start_time = tmp;
370 krb5_ret_int32 (sp, &tmp);
371 *end_time = tmp;
372 krb5_ret_xdr_data (sp, request);
373 krb5_ret_int32 (sp, max_seq_len);
374 /* ignore the rest */
375 return 0;
376 }
377
378 static void
379 do_authenticate (struct rx_header *hdr,
380 krb5_storage *sp,
381 struct sockaddr_in *addr,
382 krb5_data *reply)
383 {
384 krb5_error_code ret;
385 char *name = NULL;
386 char *instance = NULL;
387 time_t start_time;
388 time_t end_time;
389 krb5_data request;
390 int32_t max_seq_len;
391 hdb_entry *client_entry = NULL;
392 hdb_entry *server_entry = NULL;
393 Key *ckey = NULL;
394 Key *skey = NULL;
395 des_cblock key;
396 des_key_schedule schedule;
397 krb5_storage *reply_sp;
398 time_t max_life;
399 u_int8_t life;
400 int32_t chal;
401
402 krb5_data_zero (&request);
403
404 unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
405 &request, &max_seq_len);
406
407 client_entry = db_fetch4 (name, instance, v4_realm);
408 if (client_entry == NULL) {
409 kdc_log(0, "Client not found in database: %s.%s@%s",
410 name, instance, v4_realm);
411 make_error_reply (hdr, KANOENT, reply);
412 goto out;
413 }
414
415 server_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm);
416 if (server_entry == NULL) {
417 kdc_log(0, "Server not found in database: %s.%s@%s",
418 "krbtgt", v4_realm, v4_realm);
419 make_error_reply (hdr, KANOENT, reply);
420 goto out;
421 }
422
423 /* find a DES key */
424 ret = get_des_key(client_entry, &ckey);
425 if(ret){
426 kdc_log(0, "%s", krb5_get_err_text(context, ret));
427 make_error_reply (hdr, KANOKEYS, reply);
428 goto out;
429 }
430
431 /* find a DES key */
432 ret = get_des_key(server_entry, &skey);
433 if(ret){
434 kdc_log(0, "%s", krb5_get_err_text(context, ret));
435 make_error_reply (hdr, KANOKEYS, reply);
436 goto out;
437 }
438
439 /* try to decode the `request' */
440 memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
441 des_set_key (&key, schedule);
442 des_pcbc_encrypt ((des_cblock *)request.data,
443 (des_cblock *)request.data,
444 request.length,
445 schedule,
446 &key,
447 DES_DECRYPT);
448 memset (&schedule, 0, sizeof(schedule));
449
450 /* check for the magic label */
451 if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
452 make_error_reply (hdr, KABADREQUEST, reply);
453 goto out;
454 }
455
456 reply_sp = krb5_storage_from_mem (request.data, 4);
457 krb5_ret_int32 (reply_sp, &chal);
458 krb5_storage_free (reply_sp);
459
460 /* life */
461 max_life = end_time - kdc_time;
462 if (client_entry->max_life)
463 max_life = min(max_life, *client_entry->max_life);
464 if (server_entry->max_life)
465 max_life = min(max_life, *server_entry->max_life);
466
467 life = krb_time_to_life(kdc_time, kdc_time + max_life);
468
469 create_reply_ticket (hdr, skey,
470 name, instance, v4_realm,
471 addr, life, server_entry->kvno,
472 max_seq_len,
473 "krbtgt", v4_realm,
474 chal + 1, "tgsT",
475 &key, reply);
476 memset (&key, 0, sizeof(key));
477
478 out:
479 if (request.length) {
480 memset (request.data, 0, request.length);
481 krb5_data_free (&request);
482 }
483 if (name)
484 free (name);
485 if (instance)
486 free (instance);
487 if (client_entry) {
488 hdb_free_entry (context, client_entry);
489 free (client_entry);
490 }
491 if (server_entry) {
492 hdb_free_entry (context, server_entry);
493 free (server_entry);
494 }
495 }
496
497 static krb5_error_code
498 unparse_getticket_args (krb5_storage *sp,
499 int *kvno,
500 char **auth_domain,
501 krb5_data *ticket,
502 char **name,
503 char **instance,
504 krb5_data *times,
505 int32_t *max_seq_len)
506 {
507 krb5_data data;
508 int32_t tmp;
509
510 krb5_ret_int32 (sp, &tmp);
511 *kvno = tmp;
512
513 krb5_ret_xdr_data (sp, &data);
514 *auth_domain = malloc(data.length + 1);
515 if (*auth_domain == NULL)
516 return ENOMEM;
517 memcpy (*auth_domain, data.data, data.length);
518 (*auth_domain)[data.length] = '\0';
519 krb5_data_free (&data);
520
521 krb5_ret_xdr_data (sp, ticket);
522
523 krb5_ret_xdr_data (sp, &data);
524 *name = malloc(data.length + 1);
525 if (*name == NULL) {
526 free (*auth_domain);
527 return ENOMEM;
528 }
529 memcpy (*name, data.data, data.length);
530 (*name)[data.length] = '\0';
531 krb5_data_free (&data);
532
533 krb5_ret_xdr_data (sp, &data);
534 *instance = malloc(data.length + 1);
535 if (*instance == NULL) {
536 free (*auth_domain);
537 free (*name);
538 return ENOMEM;
539 }
540 memcpy (*instance, data.data, data.length);
541 (*instance)[data.length] = '\0';
542 krb5_data_free (&data);
543
544 krb5_ret_xdr_data (sp, times);
545
546 krb5_ret_int32 (sp, max_seq_len);
547 /* ignore the rest */
548 return 0;
549 }
550
551 static void
552 do_getticket (struct rx_header *hdr,
553 krb5_storage *sp,
554 struct sockaddr_in *addr,
555 krb5_data *reply)
556 {
557 krb5_error_code ret;
558 int kvno;
559 char *auth_domain = NULL;
560 krb5_data aticket;
561 char *name = NULL;
562 char *instance = NULL;
563 krb5_data times;
564 int32_t max_seq_len;
565 hdb_entry *server_entry = NULL;
566 hdb_entry *krbtgt_entry = NULL;
567 Key *kkey = NULL;
568 Key *skey = NULL;
569 des_cblock key;
570 des_key_schedule schedule;
571 des_cblock session;
572 time_t max_life;
573 int8_t life;
574 time_t start_time, end_time;
575 char pname[ANAME_SZ];
576 char pinst[INST_SZ];
577 char prealm[REALM_SZ];
578
579 krb5_data_zero (&aticket);
580 krb5_data_zero (&times);
581
582 unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
583 &name, &instance, &times, &max_seq_len);
584
585 server_entry = db_fetch4 (name, instance, v4_realm);
586 if (server_entry == NULL) {
587 kdc_log(0, "Server not found in database: %s.%s@%s",
588 name, instance, v4_realm);
589 make_error_reply (hdr, KANOENT, reply);
590 goto out;
591 }
592
593 krbtgt_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm);
594 if (krbtgt_entry == NULL) {
595 kdc_log(0, "Server not found in database: %s.%s@%s",
596 "krbtgt", v4_realm, v4_realm);
597 make_error_reply (hdr, KANOENT, reply);
598 goto out;
599 }
600
601 /* find a DES key */
602 ret = get_des_key(krbtgt_entry, &kkey);
603 if(ret){
604 kdc_log(0, "%s", krb5_get_err_text(context, ret));
605 make_error_reply (hdr, KANOKEYS, reply);
606 goto out;
607 }
608
609 /* find a DES key */
610 ret = get_des_key(server_entry, &skey);
611 if(ret){
612 kdc_log(0, "%s", krb5_get_err_text(context, ret));
613 make_error_reply (hdr, KANOKEYS, reply);
614 goto out;
615 }
616
617 /* decrypt the incoming ticket */
618 memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
619
620 /* unpack the ticket */
621 {
622 KTEXT_ST ticket;
623 u_char flags;
624 int life;
625 u_int32_t time_sec;
626 char sname[ANAME_SZ];
627 char sinstance[SNAME_SZ];
628 u_int32_t paddress;
629
630 ticket.length = aticket.length;
631 memcpy (ticket.dat, aticket.data, ticket.length);
632
633 des_set_key (&key, schedule);
634 decomp_ticket (&ticket, &flags, pname, pinst, prealm,
635 &paddress, session, &life, &time_sec,
636 sname, sinstance,
637 &key, schedule);
638
639 if (strcmp (sname, "krbtgt") != 0
640 || strcmp (sinstance, v4_realm) != 0) {
641 kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
642 sname, sinstance,
643 pname, pinst, prealm);
644 make_error_reply (hdr, KABADTICKET, reply);
645 goto out;
646 }
647
648 if (kdc_time > krb_life_to_time(time_sec, life)) {
649 kdc_log(0, "TGT expired: %s.%s@%s",
650 pname, pinst, prealm);
651 make_error_reply (hdr, KABADTICKET, reply);
652 goto out;
653 }
654 }
655
656 /* decrypt the times */
657 des_set_key (&session, schedule);
658 des_ecb_encrypt (times.data,
659 times.data,
660 schedule,
661 DES_DECRYPT);
662 memset (&schedule, 0, sizeof(schedule));
663
664 /* and extract them */
665 {
666 krb5_storage *sp;
667 int32_t tmp;
668
669 sp = krb5_storage_from_mem (times.data, times.length);
670 krb5_ret_int32 (sp, &tmp);
671 start_time = tmp;
672 krb5_ret_int32 (sp, &tmp);
673 end_time = tmp;
674 krb5_storage_free (sp);
675 }
676
677 /* life */
678 max_life = end_time - kdc_time;
679 if (krbtgt_entry->max_life)
680 max_life = min(max_life, *krbtgt_entry->max_life);
681 if (server_entry->max_life)
682 max_life = min(max_life, *server_entry->max_life);
683
684 life = krb_time_to_life(kdc_time, kdc_time + max_life);
685
686 create_reply_ticket (hdr, skey,
687 pname, pinst, prealm,
688 addr, life, server_entry->kvno,
689 max_seq_len,
690 name, instance,
691 0, "gtkt",
692 &session, reply);
693 memset (&session, 0, sizeof(session));
694
695 out:
696 if (aticket.length) {
697 memset (aticket.data, 0, aticket.length);
698 krb5_data_free (&aticket);
699 }
700 if (times.length) {
701 memset (times.data, 0, times.length);
702 krb5_data_free (&times);
703 }
704 if (auth_domain)
705 free (auth_domain);
706 if (name)
707 free (name);
708 if (instance)
709 free (instance);
710 if (krbtgt_entry) {
711 hdb_free_entry (context, krbtgt_entry);
712 free (krbtgt_entry);
713 }
714 if (server_entry) {
715 hdb_free_entry (context, server_entry);
716 free (server_entry);
717 }
718 }
719
720 krb5_error_code
721 do_kaserver(unsigned char *buf,
722 size_t len,
723 krb5_data *reply,
724 const char *from,
725 struct sockaddr_in *addr)
726 {
727 krb5_error_code ret = 0;
728 struct rx_header hdr;
729 u_int32_t op;
730 krb5_storage *sp;
731
732 if (len < RX_HEADER_SIZE)
733 return -1;
734 sp = krb5_storage_from_mem (buf, len);
735
736 decode_rx_header (sp, &hdr);
737 buf += RX_HEADER_SIZE;
738 len -= RX_HEADER_SIZE;
739
740 switch (hdr.type) {
741 case HT_DATA :
742 break;
743 case HT_ACK :
744 case HT_BUSY :
745 case HT_ABORT :
746 case HT_ACKALL :
747 case HT_CHAL :
748 case HT_RESP :
749 case HT_DEBUG :
750 default:
751 /* drop */
752 goto out;
753 }
754
755
756 if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
757 && hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
758 ret = -1;
759 goto out;
760 }
761
762 krb5_ret_int32(sp, &op);
763 switch (op) {
764 case AUTHENTICATE :
765 do_authenticate (&hdr, sp, addr, reply);
766 break;
767 case GETTICKET :
768 do_getticket (&hdr, sp, addr, reply);
769 break;
770 case AUTHENTICATE_OLD :
771 case CHANGEPASSWORD :
772 case GETTICKET_OLD :
773 case SETPASSWORD :
774 case SETFIELDS :
775 case CREATEUSER :
776 case DELETEUSER :
777 case GETENTRY :
778 case LISTENTRY :
779 case GETSTATS :
780 case DEBUG :
781 case GETPASSWORD :
782 case GETRANDOMKEY :
783 case AUTHENTICATE_V2 :
784 default :
785 make_error_reply (&hdr, RXGEN_OPCODE, reply);
786 break;
787 }
788
789 out:
790 krb5_storage_free (sp);
791 return ret;
792 }
793
794 #endif /* KASERVER */
Heimdal