2 * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 RCSID("$Id: kerberos4.c,v 1.41 2002/04/18 16:08:24 joda Exp $");
44 return ((x << 24) & 0xff000000) |
45 ((x << 8) & 0xff0000) |
52 maybe_version4(unsigned char *buf, int len)
54 return len > 0 && *buf == 4;
58 make_err_reply(krb5_data *reply, int code, const char *msg)
62 /* name, instance and realm are not checked in most (all?)
63 implementations; msg is also never used, but we send it anyway
64 (for debugging purposes) */
67 msg = krb_get_err_text(code);
68 cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
69 krb5_data_copy(reply, er.dat, er.length);
73 valid_princ(krb5_context context, krb5_principal princ)
79 ret = krb5_unparse_name(context, princ, &s);
82 ret = db_fetch(princ, &ent);
84 kdc_log(7, "Lookup %s failed: %s", s,
85 krb5_get_err_text (context, ret));
89 kdc_log(7, "Lookup %s succeeded", s);
96 db_fetch4(const char *name, const char *instance, const char *realm,
102 ret = krb5_425_conv_principal_ext(context, name, instance, realm,
106 ret = db_fetch(p, ent);
107 krb5_free_principal(context, p);
112 get_des_key(hdb_entry *principal, krb5_boolean is_server,
113 krb5_boolean prefer_afs_key, Key **ret_key)
115 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
117 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
122 i < sizeof(etypes)/sizeof(etypes[0])
123 && (v5_key == NULL || v4_key == NULL ||
124 afs_key == NULL || server_key == NULL);
127 while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
128 if(key->salt == NULL) {
131 } else if(key->salt->type == hdb_pw_salt &&
132 key->salt->salt.length == 0) {
135 } else if(key->salt->type == hdb_afs3_salt) {
138 } else if(server_key == NULL)
150 else if(is_server && server_key)
151 *ret_key = server_key;
153 return KERB_ERR_NULL_KEY;
161 else if(is_server && server_key)
162 *ret_key = server_key;
164 return KERB_ERR_NULL_KEY;
167 if((*ret_key)->key.keyvalue.length == 0)
168 return KERB_ERR_NULL_KEY;
172 #define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
175 * Process the v4 request in `buf, len' (received from `addr'
176 * (with string `from').
177 * Return an error code and a reply in `reply'.
181 do_version4(unsigned char *buf,
185 struct sockaddr_in *addr)
189 hdb_entry *client = NULL, *server = NULL;
194 char *name = NULL, *inst = NULL, *realm = NULL;
195 char *sname = NULL, *sinst = NULL;
199 char client_name[256];
200 char server_name[256];
203 kdc_log(0, "Rejected version 4 request from %s", from);
204 make_err_reply(reply, KDC_GEN_ERR, "function not enabled");
208 sp = krb5_storage_from_mem(buf, len);
209 RCHECK(krb5_ret_int8(sp, &pvno), out);
211 kdc_log(0, "Protocol version mismatch (%d)", pvno);
212 make_err_reply(reply, KDC_PKT_VER, NULL);
215 RCHECK(krb5_ret_int8(sp, &msg_type), out);
219 case AUTH_MSG_KDC_REQUEST:
220 RCHECK(krb5_ret_stringz(sp, &name), out1);
221 RCHECK(krb5_ret_stringz(sp, &inst), out1);
222 RCHECK(krb5_ret_stringz(sp, &realm), out1);
223 RCHECK(krb5_ret_int32(sp, &req_time), out1);
225 req_time = swap32(req_time);
226 RCHECK(krb5_ret_int8(sp, &life), out1);
227 RCHECK(krb5_ret_stringz(sp, &sname), out1);
228 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
229 snprintf (client_name, sizeof(client_name),
230 "%s.%s@%s", name, inst, realm);
231 snprintf (server_name, sizeof(server_name),
232 "%s.%s@%s", sname, sinst, v4_realm);
234 kdc_log(0, "AS-REQ %s from %s for %s",
235 client_name, from, server_name);
237 ret = db_fetch4(name, inst, realm, &client);
239 kdc_log(0, "Client not found in database: %s: %s",
240 client_name, krb5_get_err_text(context, ret));
241 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
244 ret = db_fetch4(sname, sinst, v4_realm, &server);
246 kdc_log(0, "Server not found in database: %s: %s",
247 server_name, krb5_get_err_text(context, ret));
248 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL);
252 ret = check_flags (client, client_name,
256 /* good error code? */
257 make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
262 * There's no way to do pre-authentication in v4 and thus no
263 * good error code to return if preauthentication is required.
267 || client->flags.require_preauth
268 || server->flags.require_preauth) {
270 "Pre-authentication required for v4-request: "
272 client_name, server_name);
273 make_err_reply(reply, KERB_ERR_NULL_KEY, NULL);
277 ret = get_des_key(client, FALSE, FALSE, &ckey);
279 kdc_log(0, "no suitable DES key for client");
280 make_err_reply(reply, KDC_NULL_KEY,
281 "no suitable DES key for client");
286 /* this is not necessary with the new code in libkrb */
287 /* find a properly salted key */
288 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
289 ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey);
291 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
293 make_err_reply(reply, KDC_NULL_KEY,
294 "No version-4 salted key in database");
299 ret = get_des_key(server, TRUE, FALSE, &skey);
301 kdc_log(0, "no suitable DES key for server");
303 make_err_reply(reply, KDC_NULL_KEY,
304 "no suitable DES key for server");
308 max_life = krb_life_to_time(0, life);
310 max_life = min(max_life, *client->max_life);
312 max_life = min(max_life, *server->max_life);
314 life = krb_time_to_life(kdc_time, kdc_time + max_life);
317 KTEXT_ST cipher, ticket;
321 des_new_random_key(&session);
323 krb_create_ticket(&ticket, 0, name, inst, v4_realm,
324 addr->sin_addr.s_addr, session, life, kdc_time,
325 sname, sinst, skey->key.keyvalue.data);
327 create_ciph(&cipher, session, sname, sinst, v4_realm,
328 life, server->kvno % 256, &ticket, kdc_time,
329 ckey->key.keyvalue.data);
330 memset(&session, 0, sizeof(session));
331 r = create_auth_reply(name, inst, realm, req_time, 0,
332 client->pw_end ? *client->pw_end : 0,
333 client->kvno % 256, &cipher);
334 krb5_data_copy(reply, r->dat, r->length);
335 memset(&cipher, 0, sizeof(cipher));
336 memset(&ticket, 0, sizeof(ticket));
340 case AUTH_MSG_APPL_REQUEST: {
347 krb5_principal tgt_princ = NULL;
348 hdb_entry *tgt = NULL;
351 RCHECK(krb5_ret_int8(sp, &kvno), out2);
352 RCHECK(krb5_ret_stringz(sp, &realm), out2);
354 ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
357 kdc_log(0, "Converting krbtgt principal: %s",
358 krb5_get_err_text(context, ret));
359 make_err_reply(reply, KFAILURE,
360 "Failed to convert v4 principal (krbtgt)");
364 ret = db_fetch(tgt_princ, &tgt);
367 s = kdc_log_msg(0, "Ticket-granting ticket not "
368 "found in database: krbtgt.%s@%s: %s",
370 krb5_get_err_text(context, ret));
371 make_err_reply(reply, KFAILURE, s);
376 if(tgt->kvno % 256 != kvno){
377 kdc_log(0, "tgs-req with old kvno %d (current %d) for "
378 "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
379 make_err_reply(reply, KDC_AUTH_EXP,
380 "old krbtgt kvno used");
384 ret = get_des_key(tgt, TRUE, FALSE, &tkey);
386 kdc_log(0, "no suitable DES key for krbtgt");
388 make_err_reply(reply, KDC_NULL_KEY,
389 "no suitable DES key for krbtgt");
393 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
394 RCHECK(krb5_ret_int8(sp, &req_len), out2);
396 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
398 memset(&auth, 0, sizeof(auth));
399 memcpy(&auth.dat, buf, pos);
401 krb_set_key(tkey->key.keyvalue.data, 0);
403 krb_ignore_ip_address = !check_ticket_addresses;
405 ret = krb_rd_req(&auth, "krbtgt", realm,
406 addr->sin_addr.s_addr, &ad, 0);
408 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret));
409 make_err_reply(reply, ret, NULL);
413 RCHECK(krb5_ret_int32(sp, &req_time), out2);
415 req_time = swap32(req_time);
416 RCHECK(krb5_ret_int8(sp, &life), out2);
417 RCHECK(krb5_ret_stringz(sp, &sname), out2);
418 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
419 snprintf (server_name, sizeof(server_name),
421 sname, sinst, v4_realm);
423 kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s",
424 ad.pname, ad.pinst, ad.prealm, from, server_name);
426 if(strcmp(ad.prealm, realm)){
427 kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
428 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
433 if(strcmp(sname, "changepw") == 0){
434 kdc_log(0, "Bad request for changepw ticket");
435 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
436 "Can't authorize password change based on TGT");
441 ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
444 s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s",
445 ad.pname, ad.pinst, ad.prealm,
446 krb5_get_err_text(context, ret));
447 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
453 ret = db_fetch4(sname, sinst, v4_realm, &server);
456 s = kdc_log_msg(0, "Server not found in database: %s: %s",
457 server_name, krb5_get_err_text(context, ret));
458 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
463 ret = check_flags (NULL, NULL,
467 /* good error code? */
468 make_err_reply(reply, KERB_ERR_NAME_EXP, NULL);
472 ret = get_des_key(server, TRUE, FALSE, &skey);
474 kdc_log(0, "no suitable DES key for server");
476 make_err_reply(reply, KDC_NULL_KEY,
477 "no suitable DES key for server");
481 max_life = krb_life_to_time(ad.time_sec, ad.life);
482 max_life = min(max_life, krb_life_to_time(kdc_time, life));
483 life = min(life, krb_time_to_life(kdc_time, max_life));
484 max_life = krb_life_to_time(0, life);
487 max_life = min(max_life, *client->max_life);
490 max_life = min(max_life, *server->max_life);
493 KTEXT_ST cipher, ticket;
496 des_new_random_key(&session);
497 krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
498 addr->sin_addr.s_addr, &session, life, kdc_time,
499 sname, sinst, skey->key.keyvalue.data);
501 create_ciph(&cipher, session, sname, sinst, v4_realm,
502 life, server->kvno % 256, &ticket,
503 kdc_time, &ad.session);
505 memset(&session, 0, sizeof(session));
506 memset(ad.session, 0, sizeof(ad.session));
508 r = create_auth_reply(ad.pname, ad.pinst, ad.prealm,
509 req_time, 0, 0, 0, &cipher);
510 krb5_data_copy(reply, r->dat, r->length);
511 memset(&cipher, 0, sizeof(cipher));
512 memset(&ticket, 0, sizeof(ticket));
516 krb5_free_principal(context, tgt_princ);
522 case AUTH_MSG_ERR_REPLY:
525 kdc_log(0, "Unknown message type: %d from %s",
528 make_err_reply(reply, KFAILURE, "Unknown message type");
545 krb5_storage_free(sp);
550 #define ETYPE_DES_PCBC 17 /* XXX */
553 encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
555 des_key_schedule schedule;
557 reply->etype = ETYPE_DES_PCBC;
559 reply->cipher.length = len;
560 reply->cipher.data = malloc(len);
561 if(len != 0 && reply->cipher.data == NULL)
563 des_set_key(key, schedule);
564 des_pcbc_encrypt(buf,
570 memset(schedule, 0, sizeof(schedule));
575 encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
576 const PrincipalName *service, size_t *size)
580 char name[40], inst[40], realm[40];
581 char sname[40], sinst[40];
584 krb5_principal princ;
585 principalname2krb5_principal(&princ,
588 ret = krb5_524_conv_principal(context,
593 krb5_free_principal(context, princ);
597 principalname2krb5_principal(&princ,
601 ret = krb5_524_conv_principal(context,
606 krb5_free_principal(context, princ);
611 sp = krb5_storage_emem();
613 krb5_store_int8(sp, 0); /* flags */
614 krb5_store_stringz(sp, name);
615 krb5_store_stringz(sp, inst);
616 krb5_store_stringz(sp, realm);
618 unsigned char tmp[4] = { 0, 0, 0, 0 };
621 for(i = 0; i < et->caddr->len; i++)
622 if(et->caddr->val[i].addr_type == AF_INET &&
623 et->caddr->val[i].address.length == 4){
624 memcpy(tmp, et->caddr->val[i].address.data, 4);
628 krb5_storage_write(sp, tmp, sizeof(tmp));
631 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
632 et->key.keytype != ETYPE_DES_CBC_MD4 &&
633 et->key.keytype != ETYPE_DES_CBC_CRC) ||
634 et->key.keyvalue.length != 8)
636 krb5_storage_write(sp, et->key.keyvalue.data, 8);
639 time_t start = et->starttime ? *et->starttime : et->authtime;
640 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
641 krb5_store_int32(sp, start);
644 krb5_store_stringz(sp, sname);
645 krb5_store_stringz(sp, sinst);
649 krb5_storage_to_data(sp, &data);
650 krb5_storage_free(sp);
651 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
654 memset((unsigned char*)buf - *size + 1, 0, *size);
655 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
656 krb5_data_free(&data);