2 * Copyright (c) 1997 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Kungliga Tekniska
20 * Högskolan and its contributors.
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
45 #include "kerberos4.h"
50 return (x
<< 24) & 0xff000000 |
57 maybe_version4(unsigned char *buf
, int len
)
59 return len
> 0 && *buf
== 4;
63 make_err_reply(krb5_data
*reply
, int code
, const char *msg
)
67 /* name, instance and realm is not checked in most (all?) version
68 implementations; msg is also never used, but we send it anyway
69 (for debugging purposes) */
72 msg
= krb_get_err_text(code
);
73 cr_err_reply(&er
, "", "", "", kdc_time
, code
, (char*)msg
);
74 krb5_data_copy(reply
, er
.dat
, er
.length
);
78 valid_princ(krb5_context context
, krb5_principal princ
)
82 krb5_unparse_name(context
, princ
, &s
);
83 ent
= db_fetch(princ
);
85 kdc_log(7, "Lookup %s failed", s
);
89 kdc_log(7, "Lookup %s succeeded", s
);
91 hdb_free_entry(context
, ent
);
97 db_fetch4(const char *name
, const char *instance
, const char *realm
)
103 ret
= krb5_425_conv_principal_ext(context
, name
, instance
, realm
,
108 krb5_free_principal(context
, p
);
112 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
115 do_version4(unsigned char *buf
,
119 struct sockaddr_in
*addr
)
123 hdb_entry
*client
= NULL
, *server
= NULL
;
124 Key
*ckey
, *skey
, *ekey
;
128 char *name
= NULL
, *inst
= NULL
, *realm
= NULL
;
129 char *sname
= NULL
, *sinst
= NULL
;
134 sp
= krb5_storage_from_mem(buf
, len
);
135 RCHECK(krb5_ret_int8(sp
, &pvno
), out
);
137 kdc_log(0, "Protocol version mismatch (%d)", pvno
);
138 make_err_reply(reply
, KDC_PKT_VER
, NULL
);
141 RCHECK(krb5_ret_int8(sp
, &msg_type
), out
);
145 case AUTH_MSG_KDC_REQUEST
:
146 RCHECK(krb5_ret_stringz(sp
, &name
), out1
);
147 RCHECK(krb5_ret_stringz(sp
, &inst
), out1
);
148 RCHECK(krb5_ret_stringz(sp
, &realm
), out1
);
149 RCHECK(krb5_ret_int32(sp
, &req_time
), out1
);
151 req_time
= swap32(req_time
);
152 RCHECK(krb5_ret_int8(sp
, &life
), out1
);
153 RCHECK(krb5_ret_stringz(sp
, &sname
), out1
);
154 RCHECK(krb5_ret_stringz(sp
, &sinst
), out1
);
155 kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s",
156 name
, inst
, realm
, from
, sname
, sinst
);
158 client
= db_fetch4(name
, inst
, realm
);
160 kdc_log(0, "Client not found in database: %s.%s@%s",
162 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, NULL
);
165 server
= db_fetch4(sname
, sinst
, v4_realm
);
167 kdc_log(0, "Server not found in database: %s.%s@%s",
168 sname
, sinst
, v4_realm
);
169 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, NULL
);
173 ret
= hdb_keytype2key(context
, client
, KEYTYPE_DES
, &ckey
);
175 kdc_log(0, "%s", krb5_get_err_text(context
, ret
));
177 make_err_reply(reply
, KDC_NULL_KEY
,
178 "No DES key in database (client)");
183 /* this is not necessary with the new code in libkrb */
184 /* find a properly salted key */
185 while(ckey
->salt
== NULL
|| ckey
->salt
->salt
.length
!= 0)
186 ret
= hdb_next_keytype2key(context
, client
, KEYTYPE_DES
, &ckey
);
188 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
190 make_err_reply(reply
, KDC_NULL_KEY
,
191 "No version-4 salted key in database");
196 ret
= hdb_keytype2key(context
, server
, KEYTYPE_DES
, &skey
);
198 kdc_log(0, "%s", krb5_get_err_text(context
, ret
));
200 make_err_reply(reply
, KDC_NULL_KEY
,
201 "No DES key in database (server)");
205 max_life
= krb_life_to_time(0, life
);
207 max_life
= min(max_life
, *client
->max_life
);
209 max_life
= min(max_life
, *server
->max_life
);
211 life
= krb_time_to_life(kdc_time
, kdc_time
+ max_life
);
214 KTEXT_ST cipher
, ticket
;
218 des_new_random_key(&session
);
219 ekey
= unseal_key(skey
);
221 krb_create_ticket(&ticket
, 0, name
, inst
, v4_realm
,
222 addr
->sin_addr
.s_addr
, session
, life
, kdc_time
,
223 sname
, sinst
, ekey
->key
.keyvalue
.data
);
226 ekey
= unseal_key(ckey
);
227 create_ciph(&cipher
, session
, sname
, sinst
, v4_realm
,
228 life
, server
->kvno
, &ticket
, kdc_time
,
229 ekey
->key
.keyvalue
.data
);
231 memset(&session
, 0, sizeof(session
));
232 r
= create_auth_reply(name
, inst
, realm
, req_time
, 0,
233 client
->pw_end
? *client
->pw_end
: 0,
234 client
->kvno
, &cipher
);
235 krb5_data_copy(reply
, r
->dat
, r
->length
);
236 memset(&cipher
, 0, sizeof(cipher
));
237 memset(&ticket
, 0, sizeof(ticket
));
241 case AUTH_MSG_APPL_REQUEST
: {
248 krb5_principal tgt_princ
= NULL
;
249 hdb_entry
*tgt
= NULL
;
252 RCHECK(krb5_ret_int8(sp
, &kvno
), out2
);
253 RCHECK(krb5_ret_stringz(sp
, &realm
), out2
);
255 ret
= krb5_425_conv_principal(context
, "krbtgt", realm
, v4_realm
,
258 kdc_log(0, "Converting krbtgt principal: %s",
259 krb5_get_err_text(context
, ret
));
260 make_err_reply(reply
, KFAILURE
,
261 "Failed to convert v4 principal (krbtgt)");
265 tgt
= db_fetch(tgt_princ
);
268 s
= kdc_log_msg(0, "Ticket-granting ticket not "
269 "found in database: krbtgt.%s@%s",
271 make_err_reply(reply
, KFAILURE
, s
);
276 if(tgt
->kvno
!= kvno
){
280 ret
= hdb_keytype2key(context
, tgt
, KEYTYPE_DES
, &tkey
);
282 kdc_log(0, "%s", krb5_get_err_text(context
, ret
));
284 make_err_reply(reply
, KDC_NULL_KEY
,
285 "No DES key in database (krbtgt)");
290 RCHECK(krb5_ret_int8(sp
, &ticket_len
), out2
);
291 RCHECK(krb5_ret_int8(sp
, &req_len
), out2
);
293 pos
= sp
->seek(sp
, ticket_len
+ req_len
, SEEK_CUR
);
295 memset(&auth
, 0, sizeof(auth
));
296 memcpy(&auth
.dat
, buf
, pos
);
298 ekey
= unseal_key(tkey
);
299 krb_set_key(ekey
->key
.keyvalue
.data
, 0);
303 e
= krb_rd_req(&auth
, "krbtgt", realm
,
304 addr
->sin_addr
.s_addr
, &ad
, 0);
306 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(e
));
307 make_err_reply(reply
, ret
, NULL
);
312 RCHECK(krb5_ret_int32(sp
, &req_time
), out2
);
314 req_time
= swap32(req_time
);
315 RCHECK(krb5_ret_int8(sp
, &life
), out2
);
316 RCHECK(krb5_ret_stringz(sp
, &sname
), out2
);
317 RCHECK(krb5_ret_stringz(sp
, &sinst
), out2
);
318 kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s",
319 ad
.pname
, ad
.pinst
, ad
.prealm
, from
, sname
, sinst
);
321 if(strcmp(ad
.prealm
, realm
)){
322 kdc_log(0, "Can't hop realms %s -> %s", realm
, ad
.prealm
);
323 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
,
328 if(strcmp(sname
, "changepw") == 0){
329 kdc_log(0, "Bad request for changepw ticket");
330 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
,
331 "Can't authorize password change based on TGT");
336 client
= db_fetch4(ad
.pname
, ad
.pinst
, ad
.prealm
);
339 s
= kdc_log_msg(0, "Client not found in database: %s.%s@%s",
340 ad
.pname
, ad
.pinst
, ad
.prealm
);
341 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, s
);
347 server
= db_fetch4(sname
, sinst
, v4_realm
);
350 s
= kdc_log_msg(0, "Server not found in database: %s.%s@%s",
351 sname
, sinst
, v4_realm
);
352 make_err_reply(reply
, KERB_ERR_PRINCIPAL_UNKNOWN
, s
);
357 ret
= hdb_keytype2key(context
, server
, KEYTYPE_DES
, &skey
);
359 kdc_log(0, "%s", krb5_get_err_text(context
, ret
));
361 make_err_reply(reply
, KDC_NULL_KEY
,
362 "Server has no DES key");
366 max_life
= krb_life_to_time(ad
.time_sec
, ad
.life
);
367 max_life
= min(max_life
, krb_life_to_time(kdc_time
, life
));
368 life
= min(life
, krb_time_to_life(kdc_time
, max_life
));
369 max_life
= krb_life_to_time(0, life
);
372 max_life
= min(max_life
, *client
->max_life
);
375 max_life
= min(max_life
, *server
->max_life
);
378 KTEXT_ST cipher
, ticket
;
381 des_new_random_key(&session
);
382 ekey
= unseal_key(skey
);
383 krb_create_ticket(&ticket
, 0, ad
.pname
, ad
.pinst
, ad
.prealm
,
384 addr
->sin_addr
.s_addr
, &session
, life
, kdc_time
,
385 sname
, sinst
, ekey
->key
.keyvalue
.data
);
388 create_ciph(&cipher
, session
, sname
, sinst
, v4_realm
,
389 life
, server
->kvno
, &ticket
,
390 kdc_time
, &ad
.session
);
392 memset(&session
, 0, sizeof(session
));
393 memset(ad
.session
, 0, sizeof(ad
.session
));
395 r
= create_auth_reply(ad
.pname
, ad
.pinst
, ad
.prealm
,
396 req_time
, 0, 0, 0, &cipher
);
397 krb5_data_copy(reply
, r
->dat
, r
->length
);
398 memset(&cipher
, 0, sizeof(cipher
));
399 memset(&ticket
, 0, sizeof(ticket
));
403 krb5_free_principal(context
, tgt_princ
);
405 hdb_free_entry(context
, tgt
);
412 case AUTH_MSG_ERR_REPLY
:
415 kdc_log(0, "Unknown message type: %d from %s",
418 make_err_reply(reply
, KFAILURE
, "Unknown message type");
432 hdb_free_entry(context
, client
);
436 hdb_free_entry(context
, server
);
439 krb5_storage_free(sp
);
444 #define ETYPE_DES_PCBC 17 /* XXX */
447 encrypt_v4_ticket(void *buf
, size_t len
, des_cblock
*key
, EncryptedData
*reply
)
449 des_key_schedule schedule
;
451 reply
->etype
= ETYPE_DES_PCBC
;
453 reply
->cipher
.length
= len
;
454 reply
->cipher
.data
= malloc(len
);
455 if(reply
->cipher
.data
== NULL
)
457 des_set_key(key
, schedule
);
458 des_pcbc_encrypt(buf
,
464 memset(schedule
, 0, sizeof(schedule
));
469 encode_v4_ticket(void *buf
, size_t len
, EncTicketPart
*et
,
470 PrincipalName
*service
, size_t *size
)
474 char name
[40], inst
[40], realm
[40];
475 char sname
[40], sinst
[40];
478 krb5_principal princ
;
479 principalname2krb5_principal(&princ
,
482 ret
= krb5_524_conv_principal(context
,
487 krb5_free_principal(context
, princ
);
491 principalname2krb5_principal(&princ
,
495 ret
= krb5_524_conv_principal(context
,
500 krb5_free_principal(context
, princ
);
505 sp
= krb5_storage_emem();
507 krb5_store_int8(sp
, 0); /* flags */
508 krb5_store_stringz(sp
, name
);
509 krb5_store_stringz(sp
, inst
);
510 krb5_store_stringz(sp
, realm
);
512 unsigned char tmp
[4] = { 0, 0, 0, 0 };
515 for(i
= 0; i
< et
->caddr
->len
; i
++)
516 if(et
->caddr
->val
[i
].addr_type
== AF_INET
&&
517 et
->caddr
->val
[i
].address
.length
== 4){
518 memcpy(tmp
, et
->caddr
->val
[i
].address
.data
, 4);
522 sp
->store(sp
, tmp
, sizeof(tmp
));
525 if(et
->key
.keytype
!= KEYTYPE_DES
||
526 et
->key
.keyvalue
.length
!= 8)
528 sp
->store(sp
, et
->key
.keyvalue
.data
, 8);
531 time_t start
= et
->starttime
? *et
->starttime
: et
->authtime
;
532 krb5_store_int8(sp
, krb_time_to_life(start
, et
->endtime
));
533 krb5_store_int32(sp
, start
);
536 krb5_store_stringz(sp
, sname
);
537 krb5_store_stringz(sp
, sinst
);
541 krb5_storage_to_data(sp
, &data
);
542 krb5_storage_free(sp
);
543 *size
= (data
.length
+ 7) & ~7; /* pad to 8 bytes */
546 memset((unsigned char*)buf
- *size
+ 1, 0, *size
);
547 memcpy((unsigned char*)buf
- *size
+ 1, data
.data
, data
.length
);
548 krb5_data_free(&data
);