summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/kdc/kerberos4.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/kdc/kerberos4.c')
-rw-r--r--crypto/heimdal/kdc/kerberos4.c563
1 files changed, 356 insertions, 207 deletions
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
index 050db5d..cbba649 100644
--- a/crypto/heimdal/kdc/kerberos4.c
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,13 +33,13 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos4.c,v 1.45.2.1 2004/03/30 10:29:27 lha Exp $");
+#include <krb5-v4compat.h>
-#ifdef KRB4
+RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $");
#ifndef swap32
-static u_int32_t
-swap32(u_int32_t x)
+static uint32_t
+swap32(uint32_t x)
{
return ((x << 24) & 0xff000000) |
((x << 8) & 0xff0000) |
@@ -49,66 +49,74 @@ swap32(u_int32_t x)
#endif /* swap32 */
int
-maybe_version4(unsigned char *buf, int len)
+_kdc_maybe_version4(unsigned char *buf, int len)
{
return len > 0 && *buf == 4;
}
static void
-make_err_reply(krb5_data *reply, int code, const char *msg)
+make_err_reply(krb5_context context, krb5_data *reply,
+ int code, const char *msg)
{
- KTEXT_ST er;
-
- /* name, instance and realm are not checked in most (all?)
- implementations; msg is also never used, but we send it anyway
- (for debugging purposes) */
-
- if(msg == NULL)
- msg = krb_get_err_text(code);
- cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
- krb5_data_copy(reply, er.dat, er.length);
+ _krb5_krb_cr_err_reply(context, "", "", "",
+ kdc_time, code, msg, reply);
}
+struct valid_princ_ctx {
+ krb5_kdc_configuration *config;
+ unsigned flags;
+};
+
static krb5_boolean
-valid_princ(krb5_context context, krb5_principal princ)
+valid_princ(krb5_context context,
+ void *funcctx,
+ krb5_principal princ)
{
+ struct valid_princ_ctx *ctx = funcctx;
krb5_error_code ret;
char *s;
- hdb_entry *ent;
+ hdb_entry_ex *ent;
ret = krb5_unparse_name(context, princ, &s);
if (ret)
return FALSE;
- ret = db_fetch(princ, &ent);
+ ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
if (ret) {
- kdc_log(7, "Lookup %s failed: %s", s,
+ kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret));
free(s);
return FALSE;
}
- kdc_log(7, "Lookup %s succeeded", s);
+ kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
free(s);
- free_ent(ent);
+ _kdc_free_ent(context, ent);
return TRUE;
}
krb5_error_code
-db_fetch4(const char *name, const char *instance, const char *realm,
- hdb_entry **ent)
+_kdc_db_fetch4(krb5_context context,
+ krb5_kdc_configuration *config,
+ const char *name, const char *instance, const char *realm,
+ unsigned flags,
+ hdb_entry_ex **ent)
{
krb5_principal p;
krb5_error_code ret;
+ struct valid_princ_ctx ctx;
+
+ ctx.config = config;
+ ctx.flags = flags;
- ret = krb5_425_conv_principal_ext(context, name, instance, realm,
- valid_princ, 0, &p);
+ ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
+ valid_princ, &ctx, 0, &p);
if(ret)
return ret;
- ret = db_fetch(p, ent);
+ ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
krb5_free_principal(context, p);
return ret;
}
-#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
+#define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
/*
* Process the v4 request in `buf, len' (received from `addr'
@@ -117,15 +125,17 @@ db_fetch4(const char *name, const char *instance, const char *realm,
*/
krb5_error_code
-do_version4(unsigned char *buf,
- size_t len,
- krb5_data *reply,
- const char *from,
- struct sockaddr_in *addr)
+_kdc_do_version4(krb5_context context,
+ krb5_kdc_configuration *config,
+ unsigned char *buf,
+ size_t len,
+ krb5_data *reply,
+ const char *from,
+ struct sockaddr_in *addr)
{
krb5_storage *sp;
krb5_error_code ret;
- hdb_entry *client = NULL, *server = NULL;
+ hdb_entry_ex *client = NULL, *server = NULL;
Key *ckey, *skey;
int8_t pvno;
int8_t msg_type;
@@ -133,67 +143,93 @@ do_version4(unsigned char *buf,
char *name = NULL, *inst = NULL, *realm = NULL;
char *sname = NULL, *sinst = NULL;
int32_t req_time;
- time_t max_life, max_end, actual_end, issue_time;
- u_int8_t life;
+ time_t max_life;
+ uint8_t life;
char client_name[256];
char server_name[256];
- if(!enable_v4) {
- kdc_log(0, "Rejected version 4 request from %s", from);
- make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
+ if(!config->enable_v4) {
+ kdc_log(context, config, 0,
+ "Rejected version 4 request from %s", from);
+ make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
+ "Function not enabled");
return 0;
}
sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){
- kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno);
- make_err_reply(reply, KDC_PKT_VER, NULL);
+ kdc_log(context, config, 0,
+ "Protocol version mismatch (krb4) (%d)", pvno);
+ make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
goto out;
}
RCHECK(krb5_ret_int8(sp, &msg_type), out);
lsb = msg_type & 1;
msg_type &= ~1;
switch(msg_type){
- case AUTH_MSG_KDC_REQUEST:
+ case AUTH_MSG_KDC_REQUEST: {
+ krb5_data ticket, cipher;
+ krb5_keyblock session;
+
+ krb5_data_zero(&ticket);
+ krb5_data_zero(&cipher);
+
RCHECK(krb5_ret_stringz(sp, &name), out1);
RCHECK(krb5_ret_stringz(sp, &inst), out1);
RCHECK(krb5_ret_stringz(sp, &realm), out1);
RCHECK(krb5_ret_int32(sp, &req_time), out1);
if(lsb)
req_time = swap32(req_time);
- RCHECK(krb5_ret_int8(sp, &life), out1);
+ RCHECK(krb5_ret_uint8(sp, &life), out1);
RCHECK(krb5_ret_stringz(sp, &sname), out1);
RCHECK(krb5_ret_stringz(sp, &sinst), out1);
snprintf (client_name, sizeof(client_name),
"%s.%s@%s", name, inst, realm);
snprintf (server_name, sizeof(server_name),
- "%s.%s@%s", sname, sinst, v4_realm);
+ "%s.%s@%s", sname, sinst, config->v4_realm);
- kdc_log(0, "AS-REQ (krb4) %s from %s for %s",
+ kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
- ret = db_fetch4(name, inst, realm, &client);
+ ret = _kdc_db_fetch4(context, config, name, inst, realm,
+ HDB_F_GET_CLIENT, &client);
if(ret) {
- kdc_log(0, "Client not found in database: %s: %s",
+ kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
+ "principal unknown");
goto out1;
}
- ret = db_fetch4(sname, sinst, v4_realm, &server);
+ ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+ HDB_F_GET_SERVER, &server);
if(ret){
- kdc_log(0, "Server not found in database: %s: %s",
+ kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
+ "principal unknown");
goto out1;
}
- ret = check_flags (client, client_name,
- server, server_name,
- TRUE);
+ ret = _kdc_check_flags (context, config,
+ client, client_name,
+ server, server_name,
+ TRUE);
if (ret) {
/* good error code? */
- make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+ make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
+ "operation not allowed");
+ goto out1;
+ }
+
+ if (config->enable_v4_per_principal &&
+ client->entry.flags.allow_kerberos4 == 0)
+ {
+ kdc_log(context, config, 0,
+ "Per principal Kerberos 4 flag not turned on for %s",
+ client_name);
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
+ "allow kerberos4 flag required");
goto out1;
}
@@ -202,21 +238,22 @@ do_version4(unsigned char *buf,
* good error code to return if preauthentication is required.
*/
- if (require_preauth
- || client->flags.require_preauth
- || server->flags.require_preauth) {
- kdc_log(0,
+ if (config->require_preauth
+ || client->entry.flags.require_preauth
+ || server->entry.flags.require_preauth) {
+ kdc_log(context, config, 0,
"Pre-authentication required for v4-request: "
"%s for %s",
client_name, server_name);
- make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
+ "preauth required");
goto out1;
}
- ret = get_des_key(client, FALSE, FALSE, &ckey);
+ ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
if(ret){
- kdc_log(0, "no suitable DES key for client");
- make_err_reply(reply, KDC_NULL_KEY,
+ kdc_log(context, config, 0, "no suitable DES key for client");
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
"no suitable DES key for client");
goto out1;
}
@@ -225,106 +262,154 @@ do_version4(unsigned char *buf,
/* this is not necessary with the new code in libkrb */
/* find a properly salted key */
while(ckey->salt == NULL || ckey->salt->salt.length != 0)
- ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
+ ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
if(ret){
- kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
+ kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm);
- make_err_reply(reply, KDC_NULL_KEY,
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
"No version-4 salted key in database");
goto out1;
}
#endif
- ret = get_des_key(server, TRUE, FALSE, &skey);
+ ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
- kdc_log(0, "no suitable DES key for server");
- /* XXX */
- make_err_reply(reply, KDC_NULL_KEY,
+ kdc_log(context, config, 0, "no suitable DES key for server");
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
"no suitable DES key for server");
goto out1;
}
- max_life = krb_life_to_time(0, life);
- if(client->max_life)
- max_life = min(max_life, *client->max_life);
- if(server->max_life)
- max_life = min(max_life, *server->max_life);
+ max_life = _krb5_krb_life_to_time(0, life);
+ if(client->entry.max_life)
+ max_life = min(max_life, *client->entry.max_life);
+ if(server->entry.max_life)
+ max_life = min(max_life, *server->entry.max_life);
life = krb_time_to_life(kdc_time, kdc_time + max_life);
- {
- KTEXT_ST cipher, ticket;
- KTEXT r;
- des_cblock session;
-
- des_new_random_key(&session);
-
- krb_create_ticket(&ticket, 0, name, inst, v4_realm,
- addr->sin_addr.s_addr, session, life, kdc_time,
- sname, sinst, skey->key.keyvalue.data);
+ ret = krb5_generate_random_keyblock(context,
+ ETYPE_DES_PCBC_NONE,
+ &session);
+ if (ret) {
+ make_err_reply(context, reply, KFAILURE,
+ "Not enough random i KDC");
+ goto out1;
+ }
- create_ciph(&cipher, session, sname, sinst, v4_realm,
- life, server->kvno % 256, &ticket, kdc_time,
- ckey->key.keyvalue.data);
- memset(&session, 0, sizeof(session));
- r = create_auth_reply(name, inst, realm, req_time, 0,
- client->pw_end ? *client->pw_end : 0,
- client->kvno % 256, &cipher);
- krb5_data_copy(reply, r->dat, r->length);
- memset(&cipher, 0, sizeof(cipher));
- memset(&ticket, 0, sizeof(ticket));
+ ret = _krb5_krb_create_ticket(context,
+ 0,
+ name,
+ inst,
+ config->v4_realm,
+ addr->sin_addr.s_addr,
+ &session,
+ life,
+ kdc_time,
+ sname,
+ sinst,
+ &skey->key,
+ &ticket);
+ if (ret) {
+ krb5_free_keyblock_contents(context, &session);
+ make_err_reply(context, reply, KFAILURE,
+ "failed to create v4 ticket");
+ goto out1;
+ }
+
+ ret = _krb5_krb_create_ciph(context,
+ &session,
+ sname,
+ sinst,
+ config->v4_realm,
+ life,
+ server->entry.kvno % 255,
+ &ticket,
+ kdc_time,
+ &ckey->key,
+ &cipher);
+ krb5_free_keyblock_contents(context, &session);
+ krb5_data_free(&ticket);
+ if (ret) {
+ make_err_reply(context, reply, KFAILURE,
+ "Failed to create v4 cipher");
+ goto out1;
}
+
+ ret = _krb5_krb_create_auth_reply(context,
+ name,
+ inst,
+ realm,
+ req_time,
+ 0,
+ client->entry.pw_end ? *client->entry.pw_end : 0,
+ client->entry.kvno % 256,
+ &cipher,
+ reply);
+ krb5_data_free(&cipher);
+
out1:
break;
+ }
case AUTH_MSG_APPL_REQUEST: {
+ struct _krb5_krb_auth_data ad;
int8_t kvno;
int8_t ticket_len;
int8_t req_len;
- KTEXT_ST auth;
- AUTH_DAT ad;
+ krb5_data auth;
+ int32_t address;
size_t pos;
krb5_principal tgt_princ = NULL;
- hdb_entry *tgt = NULL;
+ hdb_entry_ex *tgt = NULL;
Key *tkey;
+ time_t max_end, actual_end, issue_time;
+ memset(&ad, 0, sizeof(ad));
+ krb5_data_zero(&auth);
+
RCHECK(krb5_ret_int8(sp, &kvno), out2);
RCHECK(krb5_ret_stringz(sp, &realm), out2);
- ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
+ ret = krb5_425_conv_principal(context, "krbtgt", realm,
+ config->v4_realm,
&tgt_princ);
if(ret){
- kdc_log(0, "Converting krbtgt principal (krb4): %s",
+ kdc_log(context, config, 0,
+ "Converting krbtgt principal (krb4): %s",
krb5_get_err_text(context, ret));
- make_err_reply(reply, KFAILURE,
+ make_err_reply(context, reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)");
goto out2;
}
- ret = db_fetch(tgt_princ, &tgt);
+ ret = _kdc_db_fetch(context, config, tgt_princ,
+ HDB_F_GET_KRBTGT, NULL, &tgt);
if(ret){
char *s;
- s = kdc_log_msg(0, "Ticket-granting ticket not "
+ s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
"found in database (krb4): krbtgt.%s@%s: %s",
- realm, v4_realm,
+ realm, config->v4_realm,
krb5_get_err_text(context, ret));
- make_err_reply(reply, KFAILURE, s);
+ make_err_reply(context, reply, KFAILURE, s);
free(s);
goto out2;
}
- if(tgt->kvno % 256 != kvno){
- kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
- "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
- make_err_reply(reply, KDC_AUTH_EXP,
+ if(tgt->entry.kvno % 256 != kvno){
+ kdc_log(context, config, 0,
+ "tgs-req (krb4) with old kvno %d (current %d) for "
+ "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
+ realm, config->v4_realm);
+ make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
"old krbtgt kvno used");
goto out2;
}
- ret = get_des_key(tgt, TRUE, FALSE, &tkey);
+ ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
if(ret){
- kdc_log(0, "no suitable DES key for krbtgt (krb4)");
- /* XXX */
- make_err_reply(reply, KDC_NULL_KEY,
+ kdc_log(context, config, 0,
+ "no suitable DES key for krbtgt (krb4)");
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
"no suitable DES key for krbtgt");
goto out2;
}
@@ -334,107 +419,130 @@ do_version4(unsigned char *buf,
pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
- memset(&auth, 0, sizeof(auth));
- memcpy(&auth.dat, buf, pos);
+ auth.data = buf;
auth.length = pos;
- krb_set_key(tkey->key.keyvalue.data, 0);
- krb_ignore_ip_address = !check_ticket_addresses;
+ if (config->check_ticket_addresses)
+ address = addr->sin_addr.s_addr;
+ else
+ address = 0;
- ret = krb_rd_req(&auth, "krbtgt", realm,
- addr->sin_addr.s_addr, &ad, 0);
+ ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
+ config->v4_realm,
+ address, &tkey->key, &ad);
if(ret){
- kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
- make_err_reply(reply, ret, NULL);
+ kdc_log(context, config, 0, "krb_rd_req: %d", ret);
+ make_err_reply(context, reply, ret, "failed to parse request");
goto out2;
}
RCHECK(krb5_ret_int32(sp, &req_time), out2);
if(lsb)
req_time = swap32(req_time);
- RCHECK(krb5_ret_int8(sp, &life), out2);
+ RCHECK(krb5_ret_uint8(sp, &life), out2);
RCHECK(krb5_ret_stringz(sp, &sname), out2);
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
snprintf (server_name, sizeof(server_name),
"%s.%s@%s",
- sname, sinst, v4_realm);
+ sname, sinst, config->v4_realm);
+ snprintf (client_name, sizeof(client_name),
+ "%s.%s@%s",
+ ad.pname, ad.pinst, ad.prealm);
- kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s",
- ad.pname, ad.pinst, ad.prealm, from, server_name);
+ kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
+ client_name, from, server_name);
if(strcmp(ad.prealm, realm)){
- kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+ kdc_log(context, config, 0,
+ "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
"Can't hop realms");
goto out2;
}
- if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
- kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+ if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
+ kdc_log(context, config, 0,
+ "krb4 Cross-realm %s -> %s disabled",
+ realm, config->v4_realm);
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
"Can't hop realms");
goto out2;
}
if(strcmp(sname, "changepw") == 0){
- kdc_log(0, "Bad request for changepw ticket (krb4)");
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+ kdc_log(context, config, 0,
+ "Bad request for changepw ticket (krb4)");
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
"Can't authorize password change based on TGT");
goto out2;
}
-#if 0
- ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
- if(ret){
+ ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
+ HDB_F_GET_CLIENT, &client);
+ if(ret && ret != HDB_ERR_NOENTRY) {
char *s;
- s = kdc_log_msg(0, "Client not found in database: (krb4) "
- "%s.%s@%s: %s",
- ad.pname, ad.pinst, ad.prealm,
- krb5_get_err_text(context, ret));
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+ s = kdc_log_msg(context, config, 0,
+ "Client not found in database: (krb4) %s: %s",
+ client_name, krb5_get_err_text(context, ret));
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
free(s);
goto out2;
}
-#endif
-
- ret = db_fetch4(sname, sinst, v4_realm, &server);
+ if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
+ char *s;
+ s = kdc_log_msg(context, config, 0,
+ "Local client not found in database: (krb4) "
+ "%s", client_name);
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
+ free(s);
+ goto out2;
+ }
+
+ ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+ HDB_F_GET_SERVER, &server);
if(ret){
char *s;
- s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
+ s = kdc_log_msg(context, config, 0,
+ "Server not found in database (krb4): %s: %s",
server_name, krb5_get_err_text(context, ret));
- make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+ make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
free(s);
goto out2;
}
- ret = check_flags (NULL, NULL,
- server, server_name,
- FALSE);
+ ret = _kdc_check_flags (context, config,
+ client, client_name,
+ server, server_name,
+ FALSE);
if (ret) {
- /* good error code? */
- make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
+ make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
+ "operation not allowed");
goto out2;
}
- ret = get_des_key(server, TRUE, FALSE, &skey);
+ ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
- kdc_log(0, "no suitable DES key for server (krb4)");
- /* XXX */
- make_err_reply(reply, KDC_NULL_KEY,
+ kdc_log(context, config, 0,
+ "no suitable DES key for server (krb4)");
+ make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
"no suitable DES key for server");
goto out2;
}
- max_end = krb_life_to_time(ad.time_sec, ad.life);
- max_end = min(max_end, krb_life_to_time(kdc_time, life));
+ max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
+ max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
+ if(server->entry.max_life)
+ max_end = min(max_end, kdc_time + *server->entry.max_life);
+ if(client && client->entry.max_life)
+ max_end = min(max_end, kdc_time + *client->entry.max_life);
life = min(life, krb_time_to_life(kdc_time, max_end));
issue_time = kdc_time;
- actual_end = krb_life_to_time(issue_time, life);
+ actual_end = _krb5_krb_life_to_time(issue_time, life);
while (actual_end > max_end && life > 1) {
/* move them into the next earlier lifetime bracket */
life--;
- actual_end = krb_life_to_time(issue_time, life);
+ actual_end = _krb5_krb_life_to_time(issue_time, life);
}
if (actual_end > max_end) {
/* if life <= 1 and it's still too long, backdate the ticket */
@@ -442,46 +550,88 @@ do_version4(unsigned char *buf,
}
{
- KTEXT_ST cipher, ticket;
- KTEXT r;
- des_cblock session;
- des_new_random_key(&session);
-
- krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
- addr->sin_addr.s_addr, &session, life,
- issue_time,
- sname, sinst, skey->key.keyvalue.data);
-
- create_ciph(&cipher, session, sname, sinst, v4_realm,
- life, server->kvno % 256, &ticket,
- issue_time, &ad.session);
+ krb5_data ticket, cipher;
+ krb5_keyblock session;
+
+ krb5_data_zero(&ticket);
+ krb5_data_zero(&cipher);
+
+ ret = krb5_generate_random_keyblock(context,
+ ETYPE_DES_PCBC_NONE,
+ &session);
+ if (ret) {
+ make_err_reply(context, reply, KFAILURE,
+ "Not enough random i KDC");
+ goto out2;
+ }
+
+ ret = _krb5_krb_create_ticket(context,
+ 0,
+ ad.pname,
+ ad.pinst,
+ ad.prealm,
+ addr->sin_addr.s_addr,
+ &session,
+ life,
+ issue_time,
+ sname,
+ sinst,
+ &skey->key,
+ &ticket);
+ if (ret) {
+ krb5_free_keyblock_contents(context, &session);
+ make_err_reply(context, reply, KFAILURE,
+ "failed to create v4 ticket");
+ goto out2;
+ }
+
+ ret = _krb5_krb_create_ciph(context,
+ &session,
+ sname,
+ sinst,
+ config->v4_realm,
+ life,
+ server->entry.kvno % 255,
+ &ticket,
+ issue_time,
+ &ad.session,
+ &cipher);
+ krb5_free_keyblock_contents(context, &session);
+ if (ret) {
+ make_err_reply(context, reply, KFAILURE,
+ "failed to create v4 cipher");
+ goto out2;
+ }
- memset(&session, 0, sizeof(session));
- memset(ad.session, 0, sizeof(ad.session));
-
- r = create_auth_reply(ad.pname, ad.pinst, ad.prealm,
- req_time, 0, 0, 0, &cipher);
- krb5_data_copy(reply, r->dat, r->length);
- memset(&cipher, 0, sizeof(cipher));
- memset(&ticket, 0, sizeof(ticket));
+ ret = _krb5_krb_create_auth_reply(context,
+ ad.pname,
+ ad.pinst,
+ ad.prealm,
+ req_time,
+ 0,
+ 0,
+ 0,
+ &cipher,
+ reply);
+ krb5_data_free(&cipher);
}
out2:
+ _krb5_krb_free_auth_data(context, &ad);
if(tgt_princ)
krb5_free_principal(context, tgt_princ);
if(tgt)
- free_ent(tgt);
+ _kdc_free_ent(context, tgt);
break;
}
-
case AUTH_MSG_ERR_REPLY:
break;
default:
- kdc_log(0, "Unknown message type (krb4): %d from %s",
+ kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
msg_type, from);
- make_err_reply(reply, KFAILURE, "Unknown message type");
+ make_err_reply(context, reply, KFAILURE, "Unknown message type");
}
-out:
+ out:
if(name)
free(name);
if(inst)
@@ -493,22 +643,18 @@ out:
if(sinst)
free(sinst);
if(client)
- free_ent(client);
+ _kdc_free_ent(context, client);
if(server)
- free_ent(server);
+ _kdc_free_ent(context, server);
krb5_storage_free(sp);
return 0;
}
-#else /* KRB4 */
-
-#include <krb5-v4compat.h>
-
-#endif /* KRB4 */
-
krb5_error_code
-encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
- const PrincipalName *service, size_t *size)
+_kdc_encode_v4_ticket(krb5_context context,
+ krb5_kdc_configuration *config,
+ void *buf, size_t len, const EncTicketPart *et,
+ const PrincipalName *service, size_t *size)
{
krb5_storage *sp;
krb5_error_code ret;
@@ -517,9 +663,10 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
{
krb5_principal princ;
- principalname2krb5_principal(&princ,
- *service,
- et->crealm);
+ _krb5_principalname2krb5_principal(context,
+ &princ,
+ *service,
+ et->crealm);
ret = krb5_524_conv_principal(context,
princ,
sname,
@@ -529,9 +676,10 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
if(ret)
return ret;
- principalname2krb5_principal(&princ,
- et->cname,
- et->crealm);
+ _krb5_principalname2krb5_principal(context,
+ &princ,
+ et->cname,
+ et->crealm);
ret = krb5_524_conv_principal(context,
princ,
@@ -594,8 +742,9 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
}
krb5_error_code
-get_des_key(hdb_entry *principal, krb5_boolean is_server,
- krb5_boolean prefer_afs_key, Key **ret_key)
+_kdc_get_des_key(krb5_context context,
+ hdb_entry_ex *principal, krb5_boolean is_server,
+ krb5_boolean prefer_afs_key, Key **ret_key)
{
Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
int i;
@@ -609,7 +758,7 @@ get_des_key(hdb_entry *principal, krb5_boolean is_server,
afs_key == NULL || server_key == NULL);
++i) {
Key *key = NULL;
- while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
+ while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
if(key->salt == NULL) {
if(v5_key == NULL)
v5_key = key;
@@ -635,7 +784,7 @@ get_des_key(hdb_entry *principal, krb5_boolean is_server,
else if(is_server && server_key)
*ret_key = server_key;
else
- return KERB_ERR_NULL_KEY;
+ return KRB4ET_KDC_NULL_KEY;
} else {
if(v4_key)
*ret_key = v4_key;
@@ -646,11 +795,11 @@ get_des_key(hdb_entry *principal, krb5_boolean is_server,
else if(is_server && server_key)
*ret_key = server_key;
else
- return KERB_ERR_NULL_KEY;
+ return KRB4ET_KDC_NULL_KEY;
}
if((*ret_key)->key.keyvalue.length == 0)
- return KERB_ERR_NULL_KEY;
+ return KRB4ET_KDC_NULL_KEY;
return 0;
}
OpenPOWER on IntegriCloud