diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-11-29 11:24:08 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-12-01 17:00:47 +1100 |
commit | c5bea98ddb2f7967df572160f639da3cba381a87 (patch) | |
tree | e5ca502195932ea7674f03a732fc26dd5427553d /source4/heimdal/kdc | |
parent | 9c84f987acb5ffc97a612839e13e8b8042e6120e (diff) | |
download | samba-c5bea98ddb2f7967df572160f639da3cba381a87.tar.gz samba-c5bea98ddb2f7967df572160f639da3cba381a87.tar.bz2 samba-c5bea98ddb2f7967df572160f639da3cba381a87.zip |
s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/default_config.c | 3 | ||||
-rw-r--r-- | source4/heimdal/kdc/kaserver.c | 955 | ||||
-rw-r--r-- | source4/heimdal/kdc/misc.c | 21 | ||||
-rw-r--r-- | source4/heimdal/kdc/process.c | 77 |
4 files changed, 7 insertions, 1049 deletions
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c index 66108f4dec..e26245323c 100644 --- a/source4/heimdal/kdc/default_config.c +++ b/source4/heimdal/kdc/default_config.c @@ -296,7 +296,6 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config) } -#endif /* PKINIT */ - return 0; +#endif /* PKINIT */ } diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c deleted file mode 100644 index 827205a805..0000000000 --- a/source4/heimdal/kdc/kaserver.c +++ /dev/null @@ -1,955 +0,0 @@ -/* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kdc_locl.h" - -#ifdef KRB4 - -#include <krb5-v4compat.h> -#include <rx.h> - -#define KA_AUTHENTICATION_SERVICE 731 -#define KA_TICKET_GRANTING_SERVICE 732 -#define KA_MAINTENANCE_SERVICE 733 - -#define AUTHENTICATE_OLD 1 -#define CHANGEPASSWORD 2 -#define GETTICKET_OLD 3 -#define SETPASSWORD 4 -#define SETFIELDS 5 -#define CREATEUSER 6 -#define DELETEUSER 7 -#define GETENTRY 8 -#define LISTENTRY 9 -#define GETSTATS 10 -#define DEBUG 11 -#define GETPASSWORD 12 -#define GETRANDOMKEY 13 -#define AUTHENTICATE 21 -#define AUTHENTICATE_V2 22 -#define GETTICKET 23 - -/* XXX - Where do we get these? */ - -#define RXGEN_OPCODE (-455) - -#define KADATABASEINCONSISTENT (180480L) -#define KAEXIST (180481L) -#define KAIO (180482L) -#define KACREATEFAIL (180483L) -#define KANOENT (180484L) -#define KAEMPTY (180485L) -#define KABADNAME (180486L) -#define KABADINDEX (180487L) -#define KANOAUTH (180488L) -#define KAANSWERTOOLONG (180489L) -#define KABADREQUEST (180490L) -#define KAOLDINTERFACE (180491L) -#define KABADARGUMENT (180492L) -#define KABADCMD (180493L) -#define KANOKEYS (180494L) -#define KAREADPW (180495L) -#define KABADKEY (180496L) -#define KAUBIKINIT (180497L) -#define KAUBIKCALL (180498L) -#define KABADPROTOCOL (180499L) -#define KANOCELLS (180500L) -#define KANOCELL (180501L) -#define KATOOMANYUBIKS (180502L) -#define KATOOMANYKEYS (180503L) -#define KABADTICKET (180504L) -#define KAUNKNOWNKEY (180505L) -#define KAKEYCACHEINVALID (180506L) -#define KABADSERVER (180507L) -#define KABADUSER (180508L) -#define KABADCPW (180509L) -#define KABADCREATE (180510L) -#define KANOTICKET (180511L) -#define KAASSOCUSER (180512L) -#define KANOTSPECIAL (180513L) -#define KACLOCKSKEW (180514L) -#define KANORECURSE (180515L) -#define KARXFAIL (180516L) -#define KANULLPASSWORD (180517L) -#define KAINTERNALERROR (180518L) -#define KAPWEXPIRED (180519L) -#define KAREUSED (180520L) -#define KATOOSOON (180521L) -#define KALOCKED (180522L) - - -static krb5_error_code -decode_rx_header (krb5_storage *sp, - struct rx_header *h) -{ - krb5_error_code ret; - - ret = krb5_ret_uint32(sp, &h->epoch); - if (ret) return ret; - ret = krb5_ret_uint32(sp, &h->connid); - if (ret) return ret; - ret = krb5_ret_uint32(sp, &h->callid); - if (ret) return ret; - ret = krb5_ret_uint32(sp, &h->seqno); - if (ret) return ret; - ret = krb5_ret_uint32(sp, &h->serialno); - if (ret) return ret; - ret = krb5_ret_uint8(sp, &h->type); - if (ret) return ret; - ret = krb5_ret_uint8(sp, &h->flags); - if (ret) return ret; - ret = krb5_ret_uint8(sp, &h->status); - if (ret) return ret; - ret = krb5_ret_uint8(sp, &h->secindex); - if (ret) return ret; - ret = krb5_ret_uint16(sp, &h->reserved); - if (ret) return ret; - ret = krb5_ret_uint16(sp, &h->serviceid); - if (ret) return ret; - - return 0; -} - -static krb5_error_code -encode_rx_header (struct rx_header *h, - krb5_storage *sp) -{ - krb5_error_code ret; - - ret = krb5_store_uint32(sp, h->epoch); - if (ret) return ret; - ret = krb5_store_uint32(sp, h->connid); - if (ret) return ret; - ret = krb5_store_uint32(sp, h->callid); - if (ret) return ret; - ret = krb5_store_uint32(sp, h->seqno); - if (ret) return ret; - ret = krb5_store_uint32(sp, h->serialno); - if (ret) return ret; - ret = krb5_store_uint8(sp, h->type); - if (ret) return ret; - ret = krb5_store_uint8(sp, h->flags); - if (ret) return ret; - ret = krb5_store_uint8(sp, h->status); - if (ret) return ret; - ret = krb5_store_uint8(sp, h->secindex); - if (ret) return ret; - ret = krb5_store_uint16(sp, h->reserved); - if (ret) return ret; - ret = krb5_store_uint16(sp, h->serviceid); - if (ret) return ret; - - return 0; -} - -static void -init_reply_header (struct rx_header *hdr, - struct rx_header *reply_hdr, - u_char type, - u_char flags) -{ - reply_hdr->epoch = hdr->epoch; - reply_hdr->connid = hdr->connid; - reply_hdr->callid = hdr->callid; - reply_hdr->seqno = 1; - reply_hdr->serialno = 1; - reply_hdr->type = type; - reply_hdr->flags = flags; - reply_hdr->status = 0; - reply_hdr->secindex = 0; - reply_hdr->reserved = 0; - reply_hdr->serviceid = hdr->serviceid; -} - -/* - * Create an error `reply´ using for the packet `hdr' with the error - * `error´ code. - */ -static void -make_error_reply (struct rx_header *hdr, - uint32_t error, - krb5_data *reply) - -{ - struct rx_header reply_hdr; - krb5_error_code ret; - krb5_storage *sp; - - init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST); - sp = krb5_storage_emem(); - if (sp == NULL) - return; - ret = encode_rx_header (&reply_hdr, sp); - if (ret) - return; - krb5_store_int32(sp, error); - krb5_storage_to_data (sp, reply); - krb5_storage_free (sp); -} - -static krb5_error_code -krb5_ret_xdr_data(krb5_storage *sp, - krb5_data *data) -{ - int ret; - int size; - ret = krb5_ret_int32(sp, &size); - if(ret) - return ret; - if(size < 0) - return ERANGE; - data->length = size; - if (size) { - u_char foo[4]; - size_t pad = (4 - size % 4) % 4; - - data->data = malloc(size); - if (data->data == NULL) - return ENOMEM; - ret = krb5_storage_read(sp, data->data, size); - if(ret != size) - return (ret < 0)? errno : KRB5_CC_END; - if (pad) { - ret = krb5_storage_read(sp, foo, pad); - if (ret != pad) - return (ret < 0)? errno : KRB5_CC_END; - } - } else - data->data = NULL; - return 0; -} - -static krb5_error_code -krb5_store_xdr_data(krb5_storage *sp, - krb5_data data) -{ - u_char zero[4] = {0, 0, 0, 0}; - int ret; - size_t pad; - - ret = krb5_store_int32(sp, data.length); - if(ret < 0) - return ret; - ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; - return KRB5_CC_END; - } - pad = (4 - data.length % 4) % 4; - if (pad) { - ret = krb5_storage_write(sp, zero, pad); - if (ret != pad) { - if (ret < 0) - return errno; - return KRB5_CC_END; - } - } - return 0; -} - - -static krb5_error_code -create_reply_ticket (krb5_context context, - struct rx_header *hdr, - Key *skey, - char *name, char *instance, char *realm, - struct sockaddr_in *addr, - int life, - int kvno, - int32_t max_seq_len, - const char *sname, const char *sinstance, - uint32_t challenge, - const char *label, - krb5_keyblock *key, - krb5_data *reply) -{ - krb5_error_code ret; - krb5_data ticket; - krb5_keyblock session; - krb5_storage *sp; - krb5_data enc_data; - struct rx_header reply_hdr; - char zero[8]; - size_t pad; - unsigned fyrtiosjuelva; - - /* create the ticket */ - - krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session); - - _krb5_krb_create_ticket(context, - 0, - name, - instance, - realm, - addr->sin_addr.s_addr, - &session, - life, - kdc_time, - sname, - sinstance, - &skey->key, - &ticket); - - /* create the encrypted part of the reply */ - sp = krb5_storage_emem (); - krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva)); - fyrtiosjuelva &= 0xffffffff; - krb5_store_int32 (sp, fyrtiosjuelva); - krb5_store_int32 (sp, challenge); - krb5_storage_write (sp, session.keyvalue.data, 8); - krb5_free_keyblock_contents(context, &session); - krb5_store_int32 (sp, kdc_time); - krb5_store_int32 (sp, kdc_time + _krb5_krb_life_to_time (0, life)); - krb5_store_int32 (sp, kvno); - krb5_store_int32 (sp, ticket.length); - krb5_store_stringz (sp, name); - krb5_store_stringz (sp, instance); -#if 1 /* XXX - Why shouldn't the realm go here? */ - krb5_store_stringz (sp, ""); -#else - krb5_store_stringz (sp, realm); -#endif - krb5_store_stringz (sp, sname); - krb5_store_stringz (sp, sinstance); - krb5_storage_write (sp, ticket.data, ticket.length); - krb5_storage_write (sp, label, strlen(label)); - - /* pad to DES block */ - memset (zero, 0, sizeof(zero)); - pad = (8 - krb5_storage_seek (sp, 0, SEEK_CUR) % 8) % 8; - krb5_storage_write (sp, zero, pad); - - krb5_storage_to_data (sp, &enc_data); - krb5_storage_free (sp); - - if (enc_data.length > max_seq_len) { - krb5_data_free (&enc_data); - make_error_reply (hdr, KAANSWERTOOLONG, reply); - return 0; - } - - /* encrypt it */ - { - DES_key_schedule schedule; - DES_cblock deskey; - - memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); - DES_set_key_unchecked (&deskey, &schedule); - DES_pcbc_encrypt (enc_data.data, - enc_data.data, - enc_data.length, - &schedule, - &deskey, - DES_ENCRYPT); - memset (&schedule, 0, sizeof(schedule)); - memset (&deskey, 0, sizeof(deskey)); - } - - /* create the reply packet */ - init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST); - sp = krb5_storage_emem (); - ret = encode_rx_header (&reply_hdr, sp); - krb5_store_int32 (sp, max_seq_len); - krb5_store_xdr_data (sp, enc_data); - krb5_data_free (&enc_data); - krb5_storage_to_data (sp, reply); - krb5_storage_free (sp); - return 0; -} - -static krb5_error_code -unparse_auth_args (krb5_storage *sp, - char **name, - char **instance, - time_t *start_time, - time_t *end_time, - krb5_data *request, - int32_t *max_seq_len) -{ - krb5_data data; - int32_t tmp; - - krb5_ret_xdr_data (sp, &data); - *name = malloc(data.length + 1); - if (*name == NULL) - return ENOMEM; - memcpy (*name, data.data, data.length); - (*name)[data.length] = '\0'; - krb5_data_free (&data); - - krb5_ret_xdr_data (sp, &data); - *instance = malloc(data.length + 1); - if (*instance == NULL) { - free (*name); - return ENOMEM; - } - memcpy (*instance, data.data, data.length); - (*instance)[data.length] = '\0'; - krb5_data_free (&data); - - krb5_ret_int32 (sp, &tmp); - *start_time = tmp; - krb5_ret_int32 (sp, &tmp); - *end_time = tmp; - krb5_ret_xdr_data (sp, request); - krb5_ret_int32 (sp, max_seq_len); - /* ignore the rest */ - return 0; -} - -static void -do_authenticate (krb5_context context, - krb5_kdc_configuration *config, - struct rx_header *hdr, - krb5_storage *sp, - struct sockaddr_in *addr, - const char *from, - krb5_data *reply) -{ - krb5_error_code ret; - char *name = NULL; - char *instance = NULL; - time_t start_time; - time_t end_time; - krb5_data request; - int32_t max_seq_len; - hdb_entry_ex *client_entry = NULL; - hdb_entry_ex *server_entry = NULL; - Key *ckey = NULL; - Key *skey = NULL; - krb5_storage *reply_sp; - time_t max_life; - uint8_t life; - int32_t chal; - char client_name[256]; - char server_name[256]; - - krb5_data_zero (&request); - - ret = unparse_auth_args (sp, &name, &instance, &start_time, &end_time, - &request, &max_seq_len); - if (ret != 0 || request.length < 8) { - make_error_reply (hdr, KABADREQUEST, reply); - goto out; - } - - snprintf (client_name, sizeof(client_name), "%s.%s@%s", - name, instance, config->v4_realm); - snprintf (server_name, sizeof(server_name), "%s.%s@%s", - "krbtgt", config->v4_realm, config->v4_realm); - - kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s", - client_name, from, server_name); - - ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_F_GET_CLIENT, - &client_entry); - if (ret) { - kdc_log(context, config, 0, "Client not found in database: %s: %s", - client_name, krb5_get_err_text(context, ret)); - make_error_reply (hdr, KANOENT, reply); - goto out; - } - - ret = _kdc_db_fetch4 (context, config, "krbtgt", - config->v4_realm, config->v4_realm, - HDB_F_GET_KRBTGT, &server_entry); - if (ret) { - kdc_log(context, config, 0, "Server not found in database: %s: %s", - server_name, krb5_get_err_text(context, ret)); - make_error_reply (hdr, KANOENT, reply); - goto out; - } - - ret = kdc_check_flags (context, config, - client_entry, client_name, - server_entry, server_name, - TRUE); - if (ret) { - make_error_reply (hdr, KAPWEXPIRED, reply); - goto out; - } - - /* find a DES key */ - ret = _kdc_get_des_key(context, client_entry, FALSE, TRUE, &ckey); - if(ret){ - kdc_log(context, config, 0, "no suitable DES key for client"); - make_error_reply (hdr, KANOKEYS, reply); - goto out; - } - - /* find a DES key */ - ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey); - if(ret){ - kdc_log(context, config, 0, "no suitable DES key for server"); - make_error_reply (hdr, KANOKEYS, reply); - goto out; - } - - { - DES_cblock key; - DES_key_schedule schedule; - - /* try to decode the `request' */ - memcpy (&key, ckey->key.keyvalue.data, sizeof(key)); - DES_set_key_unchecked (&key, &schedule); - DES_pcbc_encrypt (request.data, - request.data, - request.length, - &schedule, - &key, - DES_DECRYPT); - memset (&schedule, 0, sizeof(schedule)); - memset (&key, 0, sizeof(key)); - } - - /* check for the magic label */ - if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) { - kdc_log(context, config, 0, "preauth failed for %s", client_name); - make_error_reply (hdr, KABADREQUEST, reply); - goto out; - } - - reply_sp = krb5_storage_from_mem (request.data, 4); - krb5_ret_int32 (reply_sp, &chal); - krb5_storage_free (reply_sp); - - if (abs(chal - kdc_time) > context->max_skew) { - make_error_reply (hdr, KACLOCKSKEW, reply); - goto out; - } - - /* life */ - max_life = end_time - kdc_time; - /* end_time - kdc_time can sometimes be non-positive due to slight - time skew between client and server. Let's make sure it is postive */ - if(max_life < 1) - max_life = 1; - if (client_entry->entry.max_life) - max_life = min(max_life, *client_entry->entry.max_life); - if (server_entry->entry.max_life) - max_life = min(max_life, *server_entry->entry.max_life); - - life = krb_time_to_life(kdc_time, kdc_time + max_life); - - create_reply_ticket (context, - hdr, skey, - name, instance, config->v4_realm, - addr, life, server_entry->entry.kvno, - max_seq_len, - "krbtgt", config->v4_realm, - chal + 1, "tgsT", - &ckey->key, reply); - - out: - if (request.length) { - memset (request.data, 0, request.length); - krb5_data_free (&request); - } - if (name) - free (name); - if (instance) - free (instance); - if (client_entry) - _kdc_free_ent (context, client_entry); - if (server_entry) - _kdc_free_ent (context, server_entry); -} - -static krb5_error_code -unparse_getticket_args (krb5_storage *sp, - int *kvno, - char **auth_domain, - krb5_data *ticket, - char **name, - char **instance, - krb5_data *times, - int32_t *max_seq_len) -{ - krb5_data data; - int32_t tmp; - - krb5_ret_int32 (sp, &tmp); - *kvno = tmp; - - krb5_ret_xdr_data (sp, &data); - *auth_domain = malloc(data.length + 1); - if (*auth_domain == NULL) - return ENOMEM; - memcpy (*auth_domain, data.data, data.length); - (*auth_domain)[data.length] = '\0'; - krb5_data_free (&data); - - krb5_ret_xdr_data (sp, ticket); - - krb5_ret_xdr_data (sp, &data); - *name = malloc(data.length + 1); - if (*name == NULL) { - free (*auth_domain); - return ENOMEM; - } - memcpy (*name, data.data, data.length); - (*name)[data.length] = '\0'; - krb5_data_free (&data); - - krb5_ret_xdr_data (sp, &data); - *instance = malloc(data.length + 1); - if (*instance == NULL) { - free (*auth_domain); - free (*name); - return ENOMEM; - } - memcpy (*instance, data.data, data.length); - (*instance)[data.length] = '\0'; - krb5_data_free (&data); - - krb5_ret_xdr_data (sp, times); - - krb5_ret_int32 (sp, max_seq_len); - /* ignore the rest */ - return 0; -} - -static void -do_getticket (krb5_context context, - krb5_kdc_configuration *config, - struct rx_header *hdr, - krb5_storage *sp, - struct sockaddr_in *addr, - const char *from, - krb5_data *reply) -{ - krb5_error_code ret; - int kvno; - char *auth_domain = NULL; - krb5_data aticket; - char *name = NULL; - char *instance = NULL; - krb5_data times; - int32_t max_seq_len; - hdb_entry_ex *server_entry = NULL; - hdb_entry_ex *client_entry = NULL; - hdb_entry_ex *krbtgt_entry = NULL; - Key *kkey = NULL; - Key *skey = NULL; - DES_cblock key; - DES_key_schedule schedule; - DES_cblock session; - time_t max_life; - int8_t life; - time_t start_time, end_time; - char server_name[256]; - char client_name[256]; - struct _krb5_krb_auth_data ad; - - krb5_data_zero (&aticket); - krb5_data_zero (×); - - memset(&ad, 0, sizeof(ad)); - - unparse_getticket_args (sp, &kvno, &auth_domain, &aticket, - &name, &instance, ×, &max_seq_len); - if (times.length < 8) { - make_error_reply (hdr, KABADREQUEST, reply); - goto out; - - } - - snprintf (server_name, sizeof(server_name), - "%s.%s@%s", name, instance, config->v4_realm); - - ret = _kdc_db_fetch4 (context, config, name, instance, - config->v4_realm, HDB_F_GET_SERVER, &server_entry); - if (ret) { - kdc_log(context, config, 0, "Server not found in database: %s: %s", - server_name, krb5_get_err_text(context, ret)); - make_error_reply (hdr, KANOENT, reply); - goto out; - } - - ret = _kdc_db_fetch4 (context, config, "krbtgt", - config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry); - if (ret) { - kdc_log(context, config, 0, - "Server not found in database: %s.%s@%s: %s", - "krbtgt", config->v4_realm, config->v4_realm, - krb5_get_err_text(context, ret)); - make_error_reply (hdr, KANOENT, reply); - goto out; - } - - /* find a DES key */ - ret = _kdc_get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey); - if(ret){ - kdc_log(context, config, 0, "no suitable DES key for krbtgt"); - make_error_reply (hdr, KANOKEYS, reply); - goto out; - } - - /* find a DES key */ - ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey); - if(ret){ - kdc_log(context, config, 0, "no suitable DES key for server"); - make_error_reply (hdr, KANOKEYS, reply); - goto out; - } - - /* decrypt the incoming ticket */ - memcpy (&key, kkey->key.keyvalue.data, sizeof(key)); - - /* unpack the ticket */ - { - char *sname = NULL; - char *sinstance = NULL; - - ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key, - config->v4_realm, &sname, - &sinstance, &ad); - if (ret) { - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 0, - "kaserver: decomp failed for %s.%s with %s %d", - msg, sname, sinstance, ret); - krb5_free_error_message(context, msg); - make_error_reply (hdr, KABADTICKET, reply); - goto out; - } - - if (strcmp (sname, "krbtgt") != 0 - || strcmp (sinstance, config->v4_realm) != 0) { - kdc_log(context, config, 0, "no TGT: %s.%s for %s.%s@%s", - sname, sinstance, - ad.pname, ad.pinst, ad.prealm); - make_error_reply (hdr, KABADTICKET, reply); - free(sname); - free(sinstance); - goto out; - } - free(sname); - free(sinstance); - - if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) { - kdc_log(context, config, 0, "TGT expired: %s.%s@%s", - ad.pname, ad.pinst, ad.prealm); - make_error_reply (hdr, KABADTICKET, reply); - goto out; - } - } - - snprintf (client_name, sizeof(client_name), - "%s.%s@%s", ad.pname, ad.pinst, ad.prealm); - - kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s", - client_name, from, server_name); - - ret = _kdc_db_fetch4 (context, config, - ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT, - &client_entry); - if(ret && ret != HDB_ERR_NOENTRY) { - kdc_log(context, config, 0, - "Client not found in database: (krb4) %s: %s", - client_name, krb5_get_err_text(context, ret)); - make_error_reply (hdr, KANOENT, reply); - goto out; - } - if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) { - kdc_log(context, config, 0, - "Local client not found in database: (krb4) " - "%s", client_name); - make_error_reply (hdr, KANOENT, reply); - goto out; - } - - ret = kdc_check_flags (context, config, - client_entry, client_name, - server_entry, server_name, - FALSE); - if (ret) { - make_error_reply (hdr, KAPWEXPIRED, reply); - goto out; - } - - /* decrypt the times */ - memcpy(&session, ad.session.keyvalue.data, sizeof(session)); - DES_set_key_unchecked (&session, &schedule); - DES_ecb_encrypt (times.data, - times.data, - &schedule, - DES_DECRYPT); - memset (&schedule, 0, sizeof(schedule)); - memset (&session, 0, sizeof(session)); - - /* and extract them */ - { - krb5_storage *tsp; - int32_t tmp; - - tsp = krb5_storage_from_mem (times.data, times.length); - krb5_ret_int32 (tsp, &tmp); - start_time = tmp; - krb5_ret_int32 (tsp, &tmp); - end_time = tmp; - krb5_storage_free (tsp); - } - - /* life */ - max_life = end_time - kdc_time; - /* end_time - kdc_time can sometimes be non-positive due to slight - time skew between client and server. Let's make sure it is postive */ - if(max_life < 1) - max_life = 1; - if (krbtgt_entry->entry.max_life) - max_life = min(max_life, *krbtgt_entry->entry.max_life); - if (server_entry->entry.max_life) - max_life = min(max_life, *server_entry->entry.max_life); - /* if this is a cross realm request, the client_entry will likely - be NULL */ - if (client_entry && client_entry->entry.max_life) - max_life = min(max_life, *client_entry->entry.max_life); - - life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life); - - create_reply_ticket (context, - hdr, skey, - ad.pname, ad.pinst, ad.prealm, - addr, life, server_entry->entry.kvno, - max_seq_len, - name, instance, - 0, "gtkt", - &ad.session, reply); - - out: - _krb5_krb_free_auth_data(context, &ad); - if (aticket.length) { - memset (aticket.data, 0, aticket.length); - krb5_data_free (&aticket); - } - if (times.length) { - memset (times.data, 0, times.length); - krb5_data_free (×); - } - if (auth_domain) - free (auth_domain); - if (name) - free (name); - if (instance) - free (instance); - if (krbtgt_entry) - _kdc_free_ent (context, krbtgt_entry); - if (server_entry) - _kdc_free_ent (context, server_entry); -} - -krb5_error_code -_kdc_do_kaserver(krb5_context context, - krb5_kdc_configuration *config, - unsigned char *buf, - size_t len, - krb5_data *reply, - const char *from, - struct sockaddr_in *addr) -{ - krb5_error_code ret = 0; - struct rx_header hdr; - uint32_t op; - krb5_storage *sp; - - if (len < RX_HEADER_SIZE) - return -1; - sp = krb5_storage_from_mem (buf, len); - - ret = decode_rx_header (sp, &hdr); - if (ret) - goto out; - buf += RX_HEADER_SIZE; - len -= RX_HEADER_SIZE; - - switch (hdr.type) { - case HT_DATA : - break; - case HT_ACK : - case HT_BUSY : - case HT_ABORT : - case HT_ACKALL : - case HT_CHAL : - case HT_RESP : - case HT_DEBUG : - default: - /* drop */ - goto out; - } - - - if (hdr.serviceid != KA_AUTHENTICATION_SERVICE - && hdr.serviceid != KA_TICKET_GRANTING_SERVICE) { - ret = -1; - goto out; - } - - ret = krb5_ret_uint32(sp, &op); - if (ret) - goto out; - switch (op) { - case AUTHENTICATE : - case AUTHENTICATE_V2 : - do_authenticate (context, config, &hdr, sp, addr, from, reply); - break; - case GETTICKET : - do_getticket (context, config, &hdr, sp, addr, from, reply); - break; - case AUTHENTICATE_OLD : - case CHANGEPASSWORD : - case GETTICKET_OLD : - case SETPASSWORD : - case SETFIELDS : - case CREATEUSER : - case DELETEUSER : - case GETENTRY : - case LISTENTRY : - case GETSTATS : - case DEBUG : - case GETPASSWORD : - case GETRANDOMKEY : - default : - make_error_reply (&hdr, RXGEN_OPCODE, reply); - break; - } - -out: - krb5_storage_free (sp); - return ret; -} - -#endif /* KRB4 */ diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 2e95ad2832..297fa3824b 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -91,21 +91,12 @@ _kdc_db_fetch(krb5_context context, continue; } - if (config->db[i]->hdb_fetch_kvno) { - ret = config->db[i]->hdb_fetch_kvno(context, - config->db[i], - principal, - flags | HDB_F_DECRYPT, - kvno, - ent); - } else { - flags &= ~HDB_F_KVNO_SPECIFIED; - ret = config->db[i]->hdb_fetch(context, - config->db[i], - principal, - flags | HDB_F_DECRYPT, - ent); - } + ret = config->db[i]->hdb_fetch_kvno(context, + config->db[i], + principal, + flags | HDB_F_DECRYPT, + kvno, + ent); krb5_free_principal(context, enterprise_principal); diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c index d3557ee6c9..4226600331 100644 --- a/source4/heimdal/kdc/process.c +++ b/source4/heimdal/kdc/process.c @@ -161,78 +161,6 @@ kdc_kx509(krb5_context context, #endif -#ifdef KRB4 - -static krb5_error_code -kdc_524(krb5_context context, - krb5_kdc_configuration *config, - krb5_data *req_buffer, - krb5_data *reply, - const char *from, - struct sockaddr *addr, - int datagram_reply, - int *claim) -{ - krb5_error_code ret; - Ticket ticket; - size_t len; - - ret = decode_Ticket(req_buffer->data, req_buffer->length, &ticket, &len); - if (ret) - return ret; - - *claim = 1; - - ret = _kdc_do_524(context, config, &ticket, reply, from, addr); - free_Ticket(&ticket); - return ret; -} - -static krb5_error_code -kdc_krb4(krb5_context context, - krb5_kdc_configuration *config, - krb5_data *req_buffer, - krb5_data *reply, - const char *from, - struct sockaddr *addr, - int datagram_reply, - int *claim) -{ - if (_kdc_maybe_version4(req_buffer->data, req_buffer->length) == 0) - return -1; - - *claim = 1; - - return _kdc_do_version4(context, config, - req_buffer->data, req_buffer->length, - reply, from, - (struct sockaddr_in*)addr); -} - -static krb5_error_code -kdc_kaserver(krb5_context context, - krb5_kdc_configuration *config, - krb5_data *req_buffer, - krb5_data *reply, - const char *from, - struct sockaddr *addr, - int datagram_reply, - int *claim) -{ - if (config->enable_kaserver == 0) - return -1; - - *claim = 1; - - return _kdc_do_kaserver(context, config, - req_buffer->data, req_buffer->length, - reply, from, - (struct sockaddr_in*)addr); -} - -#endif /* KRB4 */ - - static struct krb5_kdc_service services[] = { { KS_KRB5, kdc_as_req }, { KS_KRB5, kdc_tgs_req }, @@ -242,11 +170,6 @@ static struct krb5_kdc_service services[] = { #ifdef KX509 { 0, kdc_kx509 }, #endif -#ifdef KRB4 - { 0, kdc_524 }, - { KS_NO_LENGTH, kdc_krb4 }, - { 0, kdc_kaserver }, -#endif { 0, NULL } }; |