summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-09-20 23:18:34 -0700
committerAndrew Bartlett <abartlet@samba.org>2009-11-13 23:19:05 +1100
commit5bc87c14a1f5b45ed86e7ff9663f5f0aa2f70094 (patch)
tree82c3416f2211df07d5fe1e58ee6639f09e465a60 /source4/heimdal/kdc
parent12205347163b55e79651921c6858c4d04e1faa51 (diff)
downloadsamba-5bc87c14a1f5b45ed86e7ff9663f5f0aa2f70094.tar.gz
samba-5bc87c14a1f5b45ed86e7ff9663f5f0aa2f70094.tar.bz2
samba-5bc87c14a1f5b45ed86e7ff9663f5f0aa2f70094.zip
s4:heimdal: import lorikeet-heimdal-200909210500 (commit 290db8d23647a27c39b97c189a0b2ef6ec21ca69)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/digest.c214
-rw-r--r--source4/heimdal/kdc/kdc_locl.h3
-rw-r--r--source4/heimdal/kdc/kerberos5.c1
-rw-r--r--source4/heimdal/kdc/krb5tgs.c25
4 files changed, 145 insertions, 98 deletions
diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c
index d13507fc1f..1a383fa205 100644
--- a/source4/heimdal/kdc/digest.c
+++ b/source4/heimdal/kdc/digest.c
@@ -613,7 +613,7 @@ _kdc_do_digest(krb5_context context,
}
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
- MD5_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char id;
@@ -642,11 +642,15 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto out;
- MD5_Init(&ctx);
- MD5_Update(&ctx, &id, 1);
- MD5_Update(&ctx, password, strlen(password));
- MD5_Update(&ctx, serverNonce.data, serverNonce.length);
- MD5_Final(md, &ctx);
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, &id, 1);
+ EVP_DigestUpdate(ctx, password, strlen(password));
+ EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
+ EVP_DigestFinal_ex(ctx, md, NULL);
+
+ EVP_MD_CTX_destroy(ctx);
hex_encode(md, sizeof(md), &mdx);
if (mdx == NULL) {
@@ -669,7 +673,7 @@ _kdc_do_digest(krb5_context context,
}
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
- MD5_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char *A1, *A2;
@@ -694,49 +698,54 @@ _kdc_do_digest(krb5_context context,
if (ret)
goto failed;
- MD5_Init(&ctx);
- MD5_Update(&ctx, ireq.u.digestRequest.username,
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, ireq.u.digestRequest.username,
strlen(ireq.u.digestRequest.username));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.realm,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.realm,
strlen(*ireq.u.digestRequest.realm));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, password, strlen(password));
- MD5_Final(md, &ctx);
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, password, strlen(password));
+ EVP_DigestFinal_ex(ctx, md, NULL);
- MD5_Init(&ctx);
- MD5_Update(&ctx, md, sizeof(md));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, md, sizeof(md));
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
if (ireq.u.digestRequest.authid) {
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.authid,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.authid,
strlen(*ireq.u.digestRequest.authid));
}
- MD5_Final(md, &ctx);
+ EVP_DigestFinal_ex(ctx, md, NULL);
hex_encode(md, sizeof(md), &A1);
if (A1 == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
+ EVP_MD_CTX_destroy(ctx);
goto failed;
}
- MD5_Init(&ctx);
- MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.uri,
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx,
+ "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri,
strlen(*ireq.u.digestRequest.uri));
/* conf|int */
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
static char conf_zeros[] = ":00000000000000000000000000000000";
- MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
+ EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1);
}
- MD5_Final(md, &ctx);
+ EVP_DigestFinal_ex(ctx, md, NULL);
+
hex_encode(md, sizeof(md), &A2);
if (A2 == NULL) {
ret = ENOMEM;
@@ -745,24 +754,26 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
- MD5_Init(&ctx);
- MD5_Update(&ctx, A1, strlen(A2));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, A1, strlen(A2));
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.clientNonce,
strlen(*ireq.u.digestRequest.clientNonce));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, *ireq.u.digestRequest.qop,
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, *ireq.u.digestRequest.qop,
strlen(*ireq.u.digestRequest.qop));
- MD5_Update(&ctx, ":", 1);
- MD5_Update(&ctx, A2, strlen(A2));
+ EVP_DigestUpdate(ctx, ":", 1);
+ EVP_DigestUpdate(ctx, A2, strlen(A2));
+
+ EVP_DigestFinal_ex(ctx, md, NULL);
- MD5_Final(md, &ctx);
+ EVP_MD_CTX_destroy(ctx);
free(A1);
free(A2);
@@ -793,7 +804,7 @@ _kdc_do_digest(krb5_context context,
const char *username;
struct ntlm_buf answer;
Key *key = NULL;
- SHA_CTX ctx;
+ EVP_MD_CTX *ctx;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@@ -820,8 +831,10 @@ _kdc_do_digest(krb5_context context,
else
username++;
+ ctx = EVP_MD_CTX_create();
+
/* ChallangeHash */
- SHA1_Init(&ctx);
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
{
ssize_t ssize;
krb5_data clientNonce;
@@ -830,7 +843,9 @@ _kdc_do_digest(krb5_context context,
clientNonce.data = malloc(clientNonce.length);
if (clientNonce.data == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ "malloc: out of memory");
+ EVP_MD_CTX_destroy(ctx);
goto out;
}
@@ -840,14 +855,18 @@ _kdc_do_digest(krb5_context context,
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to decode clientNonce");
+ EVP_MD_CTX_destroy(ctx);
goto out;
}
- SHA1_Update(&ctx, clientNonce.data, ssize);
+ EVP_DigestUpdate(ctx, clientNonce.data, ssize);
free(clientNonce.data);
}
- SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
- SHA1_Update(&ctx, username, strlen(username));
- SHA1_Final(challange, &ctx);
+ EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
+ EVP_DigestUpdate(ctx, username, strlen(username));
+
+ EVP_DigestFinal_ex(ctx, challange, NULL);
+
+ EVP_MD_CTX_destroy(ctx);
/* NtPasswordHash */
ret = krb5_parse_name(context, username, &clientprincipal);
@@ -904,34 +923,39 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.success) {
unsigned char hashhash[MD4_DIGEST_LENGTH];
+ EVP_MD_CTX *ctx;
+
+ ctx = EVP_MD_CTX_create();
/* hashhash */
{
- MD4_CTX hctx;
-
- MD4_Init(&hctx);
- MD4_Update(&hctx, key->key.keyvalue.data,
- key->key.keyvalue.length);
- MD4_Final(hashhash, &hctx);
+ EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
+ EVP_DigestUpdate(ctx,
+ key->key.keyvalue.data,
+ key->key.keyvalue.length);
+ EVP_DigestFinal_ex(ctx, hashhash, NULL);
}
/* GenerateAuthenticatorResponse */
- SHA1_Init(&ctx);
- SHA1_Update(&ctx, hashhash, sizeof(hashhash));
- SHA1_Update(&ctx, answer.data, answer.length);
- SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
- SHA1_Final(md, &ctx);
-
- SHA1_Init(&ctx);
- SHA1_Update(&ctx, md, sizeof(md));
- SHA1_Update(&ctx, challange, 8);
- SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
- SHA1_Final(md, &ctx);
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
+ EVP_DigestUpdate(ctx, answer.data, answer.length);
+ EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
+ sizeof(ms_chap_v2_magic1));
+ EVP_DigestFinal_ex(ctx, md, NULL);
+
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, md, sizeof(md));
+ EVP_DigestUpdate(ctx, challange, 8);
+ EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
+ sizeof(ms_chap_v2_magic2));
+ EVP_DigestFinal_ex(ctx, md, NULL);
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
+ EVP_MD_CTX_destroy(ctx);
ret = ENOMEM;
goto out;
}
@@ -940,19 +964,23 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
+ EVP_MD_CTX_destroy(ctx);
ret = ENOMEM;
goto out;
}
/* get_master, rfc 3079 3.4 */
- SHA1_Init(&ctx);
- SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
- SHA1_Update(&ctx, answer.data, answer.length);
- SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
- SHA1_Final(md, &ctx);
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, hashhash, 16);
+ EVP_DigestUpdate(ctx, answer.data, answer.length);
+ EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
+ sizeof(ms_rfc3079_magic1));
+ EVP_DigestFinal_ex(ctx, md, NULL);
free(answer.data);
+ EVP_MD_CTX_destroy(ctx);
+
r.u.response.session_key =
calloc(1, sizeof(*r.u.response.session_key));
if (r.u.response.session_key == NULL) {
@@ -1237,7 +1265,7 @@ _kdc_do_digest(krb5_context context,
if (flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char sessionhash[MD5_DIGEST_LENGTH];
- MD5_CTX md5ctx;
+ EVP_MD_CTX *ctx;
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
@@ -1252,11 +1280,17 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
- MD5_Init(&md5ctx);
- MD5_Update(&md5ctx, challange, sizeof(challange));
- MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8);
- MD5_Final(sessionhash, &md5ctx);
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+
+ EVP_DigestUpdate(ctx, challange, sizeof(challange));
+ EVP_DigestUpdate(ctx, ireq.u.ntlmRequest.lm.data, 8);
+ EVP_DigestFinal_ex(ctx, sessionhash, NULL);
memcpy(challange, sessionhash, sizeof(challange));
+
+ EVP_MD_CTX_destroy(ctx);
+
} else {
if ((config->digests_allowed & NTLM_V1) == 0) {
kdc_log(context, config, 0, "NTLM v1 not allowed");
@@ -1283,18 +1317,23 @@ _kdc_do_digest(krb5_context context,
free(answer.data);
{
- MD4_CTX ctx;
+ EVP_MD_CTX *ctx;
+
+ ctx = EVP_MD_CTX_create();
+
+ EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
+ EVP_DigestUpdate(ctx,
+ key->key.keyvalue.data,
+ key->key.keyvalue.length);
+ EVP_DigestFinal_ex(ctx, sessionkey, NULL);
- MD4_Init(&ctx);
- MD4_Update(&ctx,
- key->key.keyvalue.data, key->key.keyvalue.length);
- MD4_Final(sessionkey, &ctx);
+ EVP_MD_CTX_destroy(ctx);
}
}
if (ireq.u.ntlmRequest.sessionkey) {
unsigned char masterkey[MD4_DIGEST_LENGTH];
- RC4_KEY rc4;
+ EVP_CIPHER_CTX rc4;
size_t len;
if ((flags & NTLM_NEG_KEYEX) == 0) {
@@ -1314,12 +1353,13 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
- RC4_set_key(&rc4, sizeof(sessionkey), sessionkey);
-
- RC4(&rc4, sizeof(masterkey),
- ireq.u.ntlmRequest.sessionkey->data,
- masterkey);
- memset(&rc4, 0, sizeof(rc4));
+
+ EVP_CIPHER_CTX_init(&rc4);
+ EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
+ EVP_Cipher(&rc4,
+ masterkey, ireq.u.ntlmRequest.sessionkey->data,
+ sizeof(masterkey));
+ EVP_CIPHER_CTX_cleanup(&rc4);
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));
diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index 024937e763..f2da03b5e6 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -46,7 +46,8 @@ struct Kx509Request;
#include <kdc-private.h>
extern sig_atomic_t exit_flag;
-extern size_t max_request;
+extern size_t max_request_udp;
+extern size_t max_request_tcp;
extern const char *request_log;
extern const char *port_str;
extern krb5_addresses explicit_addresses;
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 8edc07a49b..0a9d4a5ca4 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1747,6 +1747,7 @@ _kdc_as_rep(krb5_context context,
config,
server,
setype,
+ client->entry.principal,
NULL,
NULL,
&et);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 635eb27e75..c3b0aaa89e 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -106,6 +106,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *krbtgt,
krb5_enctype enctype,
+ krb5_principal client,
krb5_const_principal server,
krb5_principals principals,
EncTicketPart *tkt)
@@ -125,8 +126,10 @@ _kdc_add_KRB5SignedPath(krb5_context context,
{
KRB5SignedPathData spd;
- spd.encticket = *tkt;
+ spd.client = client;
+ spd.authtime = tkt->authtime;
spd.delegated = principals;
+ spd.method_data = NULL;
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret);
@@ -153,6 +156,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
sp.etype = enctype;
sp.delegated = principals;
+ sp.method_data = NULL;
ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
data.data, data.length, &sp.cksum);
@@ -185,6 +189,7 @@ static krb5_error_code
check_KRB5SignedPath(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *krbtgt,
+ krb5_principal cp,
EncTicketPart *tkt,
krb5_principals *delegated,
int *signedpath)
@@ -200,7 +205,6 @@ check_KRB5SignedPath(krb5_context context,
if (ret == 0) {
KRB5SignedPathData spd;
KRB5SignedPath sp;
- AuthorizationData *ad;
size_t size;
ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
@@ -208,17 +212,13 @@ check_KRB5SignedPath(krb5_context context,
if (ret)
return ret;
- spd.encticket = *tkt;
- /* the KRB5SignedPath is the last entry */
- ad = spd.encticket.authorization_data;
- if (--ad->len == 0)
- spd.encticket.authorization_data = NULL;
+ spd.client = cp;
+ spd.authtime = tkt->authtime;
spd.delegated = sp.delegated;
+ spd.method_data = sp.method_data;
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret);
- ad->len++;
- spd.encticket.authorization_data = ad;
if (ret) {
free_KRB5SignedPath(&sp);
return ret;
@@ -244,7 +244,9 @@ check_KRB5SignedPath(krb5_context context,
free(data.data);
if (ret) {
free_KRB5SignedPath(&sp);
- return ret;
+ kdc_log(context, config, 5,
+ "KRB5SignedPath not signed correctly, not marking as signed");
+ return 0;
}
if (delegated && sp.delegated) {
@@ -884,6 +886,7 @@ tgs_make_reply(krb5_context context,
config,
krbtgt,
krbtgt_etype,
+ client_principal,
NULL,
spp,
&et);
@@ -1663,6 +1666,7 @@ server_lookup:
ret = check_KRB5SignedPath(context,
config,
krbtgt,
+ cp,
tgt,
&spp,
&signedpath);
@@ -1855,6 +1859,7 @@ server_lookup:
ret = check_KRB5SignedPath(context,
config,
krbtgt,
+ cp,
&adtkt,
NULL,
&ad_signedpath);