search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix
[heimdal.git] / kdc / kerberos4.c
blob3e24c6bcd6fcb65808a2644db640e06080d4ed25
1 /*
2 * Copyright (c) 1997 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Kungliga Tekniska
20 * Högskolan and its contributors.
21 *
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 */
38
39 #include "kdc_locl.h"
40
41 RCSID("$Id$");
42
43 #ifdef KRB4
44
45 #include "kerberos4.h"
46
47 static u_int32_t
48 swap32(u_int32_t x)
49 {
50 return (x << 24) & 0xff000000 |
51 (x << 8) & 0xff0000 |
52 (x >> 8) & 0xff00 |
53 (x >> 24) & 0xff;
54 }
55
56 int
57 maybe_version4(unsigned char *buf, int len)
58 {
59 return len > 0 && *buf == 4;
60 }
61
62 static void
63 make_err_reply(krb5_data *reply, int code, const char *msg)
64 {
65 KTEXT_ST er;
66
67 /* name, instance and realm is not checked in most (all?) version
68 implementations; msg is also never used, but we send it anyway
69 (for debugging purposes) */
70
71 if(msg == NULL)
72 msg = krb_get_err_text(code);
73 cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
74 krb5_data_copy(reply, er.dat, er.length);
75 }
76
77 static krb5_boolean
78 valid_princ(krb5_context context, krb5_principal princ)
79 {
80 char *s;
81 hdb_entry *ent;
82 krb5_unparse_name(context, princ, &s);
83 ent = db_fetch(princ);
84 if(ent == NULL){
85 kdc_log(7, "Lookup %s failed", s);
86 free(s);
87 return 0;
88 }
89 kdc_log(7, "Lookup %s succeeded", s);
90 free(s);
91 hdb_free_entry(context, ent);
92 free(ent);
93 return 1;
94 }
95
96 hdb_entry*
97 db_fetch4(const char *name, const char *instance, const char *realm)
98 {
99 krb5_principal p;
100 hdb_entry *ent;
101 krb5_error_code ret;
102
103 ret = krb5_425_conv_principal_ext(context, name, instance, realm,
104 valid_princ, 0, &p);
105 if(ret)
106 return NULL;
107 ent = db_fetch(p);
108 krb5_free_principal(context, p);
109 return ent;
110 }
111
112 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
113
114 krb5_error_code
115 do_version4(unsigned char *buf,
116 size_t len,
117 krb5_data *reply,
118 const char *from,
119 struct sockaddr_in *addr)
120 {
121 krb5_storage *sp;
122 krb5_error_code ret;
123 hdb_entry *client = NULL, *server = NULL;
124 Key *ckey, *skey, *ekey;
125 int8_t pvno;
126 int8_t msg_type;
127 int lsb;
128 char *name = NULL, *inst = NULL, *realm = NULL;
129 char *sname = NULL, *sinst = NULL;
130 int32_t req_time;
131 time_t max_life;
132 u_int8_t life;
133
134 sp = krb5_storage_from_mem(buf, len);
135 RCHECK(krb5_ret_int8(sp, &pvno), out);
136 if(pvno != 4){
137 kdc_log(0, "Protocol version mismatch (%d)", pvno);
138 make_err_reply(reply, KDC_PKT_VER, NULL);
139 goto out;
140 }
141 RCHECK(krb5_ret_int8(sp, &msg_type), out);
142 lsb = msg_type & 1;
143 msg_type &= ~1;
144 switch(msg_type){
145 case AUTH_MSG_KDC_REQUEST:
146 RCHECK(krb5_ret_stringz(sp, &name), out1);
147 RCHECK(krb5_ret_stringz(sp, &inst), out1);
148 RCHECK(krb5_ret_stringz(sp, &realm), out1);
149 RCHECK(krb5_ret_int32(sp, &req_time), out1);
150 if(lsb)
151 req_time = swap32(req_time);
152 RCHECK(krb5_ret_int8(sp, &life), out1);
153 RCHECK(krb5_ret_stringz(sp, &sname), out1);
154 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
155 kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s",
156 name, inst, realm, from, sname, sinst);
157
158 client = db_fetch4(name, inst, realm);
159 if(client == NULL){
160 kdc_log(0, "Client not found in database: %s.%s@%s",
161 name, inst, realm);
162 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
163 goto out1;
164 }
165 server = db_fetch4(sname, sinst, v4_realm);
166 if(server == NULL){
167 kdc_log(0, "Server not found in database: %s.%s@%s",
168 sname, sinst, v4_realm);
169 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
170 goto out1;
171 }
172
173 ret = hdb_keytype2key(context, client, KEYTYPE_DES, &ckey);
174 if(ret){
175 kdc_log(0, "%s", krb5_get_err_text(context, ret));
176 /* XXX */
177 make_err_reply(reply, KDC_NULL_KEY,
178 "No DES key in database (client)");
179 goto out1;
180 }
181
182 #if 0
183 /* this is not necessary with the new code in libkrb */
184 /* find a properly salted key */
185 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
186 ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
187 if(ret){
188 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
189 name, inst, realm);
190 make_err_reply(reply, KDC_NULL_KEY,
191 "No version-4 salted key in database");
192 goto out1;
193 }
194 #endif
195
196 ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
197 if(ret){
198 kdc_log(0, "%s", krb5_get_err_text(context, ret));
199 /* XXX */
200 make_err_reply(reply, KDC_NULL_KEY,
201 "No DES key in database (server)");
202 goto out1;
203 }
204
205 max_life = krb_life_to_time(0, life);
206 if(client->max_life)
207 max_life = min(max_life, *client->max_life);
208 if(server->max_life)
209 max_life = min(max_life, *server->max_life);
210
211 life = krb_time_to_life(kdc_time, kdc_time + max_life);
212
213 {
214 KTEXT_ST cipher, ticket;
215 KTEXT r;
216 des_cblock session;
217
218 des_new_random_key(&session);
219 ekey = unseal_key(skey);
220
221 krb_create_ticket(&ticket, 0, name, inst, v4_realm,
222 addr->sin_addr.s_addr, session, life, kdc_time,
223 sname, sinst, ekey->key.keyvalue.data);
224 hdb_free_key(ekey);
225
226 ekey = unseal_key(ckey);
227 create_ciph(&cipher, session, sname, sinst, v4_realm,
228 life, server->kvno, &ticket, kdc_time,
229 ekey->key.keyvalue.data);
230 hdb_free_key(ekey);
231 memset(&session, 0, sizeof(session));
232 r = create_auth_reply(name, inst, realm, req_time, 0,
233 client->pw_end ? *client->pw_end : 0,
234 client->kvno, &cipher);
235 krb5_data_copy(reply, r->dat, r->length);
236 memset(&cipher, 0, sizeof(cipher));
237 memset(&ticket, 0, sizeof(ticket));
238 }
239 out1:
240 break;
241 case AUTH_MSG_APPL_REQUEST: {
242 int8_t kvno;
243 int8_t ticket_len;
244 int8_t req_len;
245 KTEXT_ST auth;
246 AUTH_DAT ad;
247 size_t pos;
248 krb5_principal tgt_princ = NULL;
249 hdb_entry *tgt = NULL;
250 Key *tkey;
251
252 RCHECK(krb5_ret_int8(sp, &kvno), out2);
253 RCHECK(krb5_ret_stringz(sp, &realm), out2);
254
255 ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
256 &tgt_princ);
257 if(ret){
258 kdc_log(0, "Converting krbtgt principal: %s",
259 krb5_get_err_text(context, ret));
260 make_err_reply(reply, KFAILURE,
261 "Failed to convert v4 principal (krbtgt)");
262 goto out2;
263 }
264
265 tgt = db_fetch(tgt_princ);
266 if(tgt == NULL){
267 char *s;
268 s = kdc_log_msg(0, "Ticket-granting ticket not "
269 "found in database: krbtgt.%s@%s",
270 realm, v4_realm);
271 make_err_reply(reply, KFAILURE, s);
272 free(s);
273 goto out2;
274 }
275
276 if(tgt->kvno != kvno){
277 goto out2;
278 }
279
280 ret = hdb_keytype2key(context, tgt, KEYTYPE_DES, &tkey);
281 if(ret){
282 kdc_log(0, "%s", krb5_get_err_text(context, ret));
283 /* XXX */
284 make_err_reply(reply, KDC_NULL_KEY,
285 "No DES key in database (krbtgt)");
286 goto out2;
287 }
288
289
290 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
291 RCHECK(krb5_ret_int8(sp, &req_len), out2);
292
293 pos = sp->seek(sp, ticket_len + req_len, SEEK_CUR);
294
295 memset(&auth, 0, sizeof(auth));
296 memcpy(&auth.dat, buf, pos);
297 auth.length = pos;
298 ekey = unseal_key(tkey);
299 krb_set_key(ekey->key.keyvalue.data, 0);
300 hdb_free_key(ekey);
301 {
302 int e;
303 e = krb_rd_req(&auth, "krbtgt", realm,
304 addr->sin_addr.s_addr, &ad, 0);
305 if(e){
306 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(e));
307 make_err_reply(reply, ret, NULL);
308 goto out2;
309 }
310 }
311
312 RCHECK(krb5_ret_int32(sp, &req_time), out2);
313 if(lsb)
314 req_time = swap32(req_time);
315 RCHECK(krb5_ret_int8(sp, &life), out2);
316 RCHECK(krb5_ret_stringz(sp, &sname), out2);
317 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
318 kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s",
319 ad.pname, ad.pinst, ad.prealm, from, sname, sinst);
320
321 if(strcmp(ad.prealm, realm)){
322 kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
323 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
324 "Can't hop realms");
325 goto out2;
326 }
327
328 if(strcmp(sname, "changepw") == 0){
329 kdc_log(0, "Bad request for changepw ticket");
330 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
331 "Can't authorize password change based on TGT");
332 goto out2;
333 }
334
335 #if 0
336 client = db_fetch4(ad.pname, ad.pinst, ad.prealm);
337 if(client == NULL){
338 char *s;
339 s = kdc_log_msg(0, "Client not found in database: %s.%s@%s",
340 ad.pname, ad.pinst, ad.prealm);
341 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
342 free(s);
343 goto out2;
344 }
345 #endif
346
347 server = db_fetch4(sname, sinst, v4_realm);
348 if(server == NULL){
349 char *s;
350 s = kdc_log_msg(0, "Server not found in database: %s.%s@%s",
351 sname, sinst, v4_realm);
352 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
353 free(s);
354 goto out2;
355 }
356
357 ret = hdb_keytype2key(context, server, KEYTYPE_DES, &skey);
358 if(ret){
359 kdc_log(0, "%s", krb5_get_err_text(context, ret));
360 /* XXX */
361 make_err_reply(reply, KDC_NULL_KEY,
362 "Server has no DES key");
363 goto out2;
364 }
365
366 max_life = krb_life_to_time(ad.time_sec, ad.life);
367 max_life = min(max_life, krb_life_to_time(kdc_time, life));
368 life = min(life, krb_time_to_life(kdc_time, max_life));
369 max_life = krb_life_to_time(0, life);
370 #if 0
371 if(client->max_life)
372 max_life = min(max_life, *client->max_life);
373 #endif
374 if(server->max_life)
375 max_life = min(max_life, *server->max_life);
376
377 {
378 KTEXT_ST cipher, ticket;
379 KTEXT r;
380 des_cblock session;
381 des_new_random_key(&session);
382 ekey = unseal_key(skey);
383 krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
384 addr->sin_addr.s_addr, &session, life, kdc_time,
385 sname, sinst, ekey->key.keyvalue.data);
386 hdb_free_key(ekey);
387
388 create_ciph(&cipher, session, sname, sinst, v4_realm,
389 life, server->kvno, &ticket,
390 kdc_time, &ad.session);
391
392 memset(&session, 0, sizeof(session));
393 memset(ad.session, 0, sizeof(ad.session));
394
395 r = create_auth_reply(ad.pname, ad.pinst, ad.prealm,
396 req_time, 0, 0, 0, &cipher);
397 krb5_data_copy(reply, r->dat, r->length);
398 memset(&cipher, 0, sizeof(cipher));
399 memset(&ticket, 0, sizeof(ticket));
400 }
401 out2:
402 if(tgt_princ)
403 krb5_free_principal(context, tgt_princ);
404 if(tgt){
405 hdb_free_entry(context, tgt);
406 free(tgt);
407 }
408
409 break;
410 }
411
412 case AUTH_MSG_ERR_REPLY:
413 break;
414 default:
415 kdc_log(0, "Unknown message type: %d from %s",
416 msg_type, from);
417
418 make_err_reply(reply, KFAILURE, "Unknown message type");
419 }
420 out:
421 if(name)
422 free(name);
423 if(inst)
424 free(inst);
425 if(realm)
426 free(realm);
427 if(sname)
428 free(sname);
429 if(sinst)
430 free(sinst);
431 if(client){
432 hdb_free_entry(context, client);
433 free(client);
434 }
435 if(server){
436 hdb_free_entry(context, server);
437 free(server);
438 }
439 krb5_storage_free(sp);
440 return 0;
441 }
442
443
444 #define ETYPE_DES_PCBC 17 /* XXX */
445
446 krb5_error_code
447 encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
448 {
449 des_key_schedule schedule;
450
451 reply->etype = ETYPE_DES_PCBC;
452 reply->kvno = NULL;
453 reply->cipher.length = len;
454 reply->cipher.data = malloc(len);
455 if(reply->cipher.data == NULL)
456 return ENOMEM;
457 des_set_key(key, schedule);
458 des_pcbc_encrypt(buf,
459 reply->cipher.data,
460 len,
461 schedule,
462 key,
463 DES_ENCRYPT);
464 memset(schedule, 0, sizeof(schedule));
465 return 0;
466 }
467
468 krb5_error_code
469 encode_v4_ticket(void *buf, size_t len, EncTicketPart *et,
470 PrincipalName *service, size_t *size)
471 {
472 krb5_storage *sp;
473 krb5_error_code ret;
474 char name[40], inst[40], realm[40];
475 char sname[40], sinst[40];
476
477 {
478 krb5_principal princ;
479 principalname2krb5_principal(&princ,
480 *service,
481 et->crealm);
482 ret = krb5_524_conv_principal(context,
483 princ,
484 sname,
485 sinst,
486 realm);
487 krb5_free_principal(context, princ);
488 if(ret)
489 return ret;
490
491 principalname2krb5_principal(&princ,
492 et->cname,
493 et->crealm);
494
495 ret = krb5_524_conv_principal(context,
496 princ,
497 name,
498 inst,
499 realm);
500 krb5_free_principal(context, princ);
501 }
502 if(ret)
503 return ret;
504
505 sp = krb5_storage_emem();
506
507 krb5_store_int8(sp, 0); /* flags */
508 krb5_store_stringz(sp, name);
509 krb5_store_stringz(sp, inst);
510 krb5_store_stringz(sp, realm);
511 {
512 unsigned char tmp[4] = { 0, 0, 0, 0 };
513 int i;
514 if(et->caddr){
515 for(i = 0; i < et->caddr->len; i++)
516 if(et->caddr->val[i].addr_type == AF_INET &&
517 et->caddr->val[i].address.length == 4){
518 memcpy(tmp, et->caddr->val[i].address.data, 4);
519 break;
520 }
521 }
522 sp->store(sp, tmp, sizeof(tmp));
523 }
524
525 if(et->key.keytype != KEYTYPE_DES ||
526 et->key.keyvalue.length != 8)
527 return -1;
528 sp->store(sp, et->key.keyvalue.data, 8);
529
530 {
531 time_t start = et->starttime ? *et->starttime : et->authtime;
532 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
533 krb5_store_int32(sp, start);
534 }
535
536 krb5_store_stringz(sp, sname);
537 krb5_store_stringz(sp, sinst);
538
539 {
540 krb5_data data;
541 krb5_storage_to_data(sp, &data);
542 krb5_storage_free(sp);
543 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
544 if(*size > len)
545 return -1;
546 memset((unsigned char*)buf - *size + 1, 0, *size);
547 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
548 krb5_data_free(&data);
549 }
550 return 0;
551 }
552
553 #endif /* KRB4 */
Heimdal