summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc/kaserver.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/kdc/kaserver.c')
-rw-r--r--source4/heimdal/kdc/kaserver.c955
1 files changed, 0 insertions, 955 deletions
diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c
deleted file mode 100644
index 827205a805..0000000000
--- a/source4/heimdal/kdc/kaserver.c
+++ /dev/null
@@ -1,955 +0,0 @@
-/*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kdc_locl.h"
-
-#ifdef KRB4
-
-#include <krb5-v4compat.h>
-#include <rx.h>
-
-#define KA_AUTHENTICATION_SERVICE 731
-#define KA_TICKET_GRANTING_SERVICE 732
-#define KA_MAINTENANCE_SERVICE 733
-
-#define AUTHENTICATE_OLD 1
-#define CHANGEPASSWORD 2
-#define GETTICKET_OLD 3
-#define SETPASSWORD 4
-#define SETFIELDS 5
-#define CREATEUSER 6
-#define DELETEUSER 7
-#define GETENTRY 8
-#define LISTENTRY 9
-#define GETSTATS 10
-#define DEBUG 11
-#define GETPASSWORD 12
-#define GETRANDOMKEY 13
-#define AUTHENTICATE 21
-#define AUTHENTICATE_V2 22
-#define GETTICKET 23
-
-/* XXX - Where do we get these? */
-
-#define RXGEN_OPCODE (-455)
-
-#define KADATABASEINCONSISTENT (180480L)
-#define KAEXIST (180481L)
-#define KAIO (180482L)
-#define KACREATEFAIL (180483L)
-#define KANOENT (180484L)
-#define KAEMPTY (180485L)
-#define KABADNAME (180486L)
-#define KABADINDEX (180487L)
-#define KANOAUTH (180488L)
-#define KAANSWERTOOLONG (180489L)
-#define KABADREQUEST (180490L)
-#define KAOLDINTERFACE (180491L)
-#define KABADARGUMENT (180492L)
-#define KABADCMD (180493L)
-#define KANOKEYS (180494L)
-#define KAREADPW (180495L)
-#define KABADKEY (180496L)
-#define KAUBIKINIT (180497L)
-#define KAUBIKCALL (180498L)
-#define KABADPROTOCOL (180499L)
-#define KANOCELLS (180500L)
-#define KANOCELL (180501L)
-#define KATOOMANYUBIKS (180502L)
-#define KATOOMANYKEYS (180503L)
-#define KABADTICKET (180504L)
-#define KAUNKNOWNKEY (180505L)
-#define KAKEYCACHEINVALID (180506L)
-#define KABADSERVER (180507L)
-#define KABADUSER (180508L)
-#define KABADCPW (180509L)
-#define KABADCREATE (180510L)
-#define KANOTICKET (180511L)
-#define KAASSOCUSER (180512L)
-#define KANOTSPECIAL (180513L)
-#define KACLOCKSKEW (180514L)
-#define KANORECURSE (180515L)
-#define KARXFAIL (180516L)
-#define KANULLPASSWORD (180517L)
-#define KAINTERNALERROR (180518L)
-#define KAPWEXPIRED (180519L)
-#define KAREUSED (180520L)
-#define KATOOSOON (180521L)
-#define KALOCKED (180522L)
-
-
-static krb5_error_code
-decode_rx_header (krb5_storage *sp,
- struct rx_header *h)
-{
- krb5_error_code ret;
-
- ret = krb5_ret_uint32(sp, &h->epoch);
- if (ret) return ret;
- ret = krb5_ret_uint32(sp, &h->connid);
- if (ret) return ret;
- ret = krb5_ret_uint32(sp, &h->callid);
- if (ret) return ret;
- ret = krb5_ret_uint32(sp, &h->seqno);
- if (ret) return ret;
- ret = krb5_ret_uint32(sp, &h->serialno);
- if (ret) return ret;
- ret = krb5_ret_uint8(sp, &h->type);
- if (ret) return ret;
- ret = krb5_ret_uint8(sp, &h->flags);
- if (ret) return ret;
- ret = krb5_ret_uint8(sp, &h->status);
- if (ret) return ret;
- ret = krb5_ret_uint8(sp, &h->secindex);
- if (ret) return ret;
- ret = krb5_ret_uint16(sp, &h->reserved);
- if (ret) return ret;
- ret = krb5_ret_uint16(sp, &h->serviceid);
- if (ret) return ret;
-
- return 0;
-}
-
-static krb5_error_code
-encode_rx_header (struct rx_header *h,
- krb5_storage *sp)
-{
- krb5_error_code ret;
-
- ret = krb5_store_uint32(sp, h->epoch);
- if (ret) return ret;
- ret = krb5_store_uint32(sp, h->connid);
- if (ret) return ret;
- ret = krb5_store_uint32(sp, h->callid);
- if (ret) return ret;
- ret = krb5_store_uint32(sp, h->seqno);
- if (ret) return ret;
- ret = krb5_store_uint32(sp, h->serialno);
- if (ret) return ret;
- ret = krb5_store_uint8(sp, h->type);
- if (ret) return ret;
- ret = krb5_store_uint8(sp, h->flags);
- if (ret) return ret;
- ret = krb5_store_uint8(sp, h->status);
- if (ret) return ret;
- ret = krb5_store_uint8(sp, h->secindex);
- if (ret) return ret;
- ret = krb5_store_uint16(sp, h->reserved);
- if (ret) return ret;
- ret = krb5_store_uint16(sp, h->serviceid);
- if (ret) return ret;
-
- return 0;
-}
-
-static void
-init_reply_header (struct rx_header *hdr,
- struct rx_header *reply_hdr,
- u_char type,
- u_char flags)
-{
- reply_hdr->epoch = hdr->epoch;
- reply_hdr->connid = hdr->connid;
- reply_hdr->callid = hdr->callid;
- reply_hdr->seqno = 1;
- reply_hdr->serialno = 1;
- reply_hdr->type = type;
- reply_hdr->flags = flags;
- reply_hdr->status = 0;
- reply_hdr->secindex = 0;
- reply_hdr->reserved = 0;
- reply_hdr->serviceid = hdr->serviceid;
-}
-
-/*
- * Create an error `reply´ using for the packet `hdr' with the error
- * `error´ code.
- */
-static void
-make_error_reply (struct rx_header *hdr,
- uint32_t error,
- krb5_data *reply)
-
-{
- struct rx_header reply_hdr;
- krb5_error_code ret;
- krb5_storage *sp;
-
- init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
- sp = krb5_storage_emem();
- if (sp == NULL)
- return;
- ret = encode_rx_header (&reply_hdr, sp);
- if (ret)
- return;
- krb5_store_int32(sp, error);
- krb5_storage_to_data (sp, reply);
- krb5_storage_free (sp);
-}
-
-static krb5_error_code
-krb5_ret_xdr_data(krb5_storage *sp,
- krb5_data *data)
-{
- int ret;
- int size;
- ret = krb5_ret_int32(sp, &size);
- if(ret)
- return ret;
- if(size < 0)
- return ERANGE;
- data->length = size;
- if (size) {
- u_char foo[4];
- size_t pad = (4 - size % 4) % 4;
-
- data->data = malloc(size);
- if (data->data == NULL)
- return ENOMEM;
- ret = krb5_storage_read(sp, data->data, size);
- if(ret != size)
- return (ret < 0)? errno : KRB5_CC_END;
- if (pad) {
- ret = krb5_storage_read(sp, foo, pad);
- if (ret != pad)
- return (ret < 0)? errno : KRB5_CC_END;
- }
- } else
- data->data = NULL;
- return 0;
-}
-
-static krb5_error_code
-krb5_store_xdr_data(krb5_storage *sp,
- krb5_data data)
-{
- u_char zero[4] = {0, 0, 0, 0};
- int ret;
- size_t pad;
-
- ret = krb5_store_int32(sp, data.length);
- if(ret < 0)
- return ret;
- ret = krb5_storage_write(sp, data.data, data.length);
- if(ret != data.length){
- if(ret < 0)
- return errno;
- return KRB5_CC_END;
- }
- pad = (4 - data.length % 4) % 4;
- if (pad) {
- ret = krb5_storage_write(sp, zero, pad);
- if (ret != pad) {
- if (ret < 0)
- return errno;
- return KRB5_CC_END;
- }
- }
- return 0;
-}
-
-
-static krb5_error_code
-create_reply_ticket (krb5_context context,
- struct rx_header *hdr,
- Key *skey,
- char *name, char *instance, char *realm,
- struct sockaddr_in *addr,
- int life,
- int kvno,
- int32_t max_seq_len,
- const char *sname, const char *sinstance,
- uint32_t challenge,
- const char *label,
- krb5_keyblock *key,
- krb5_data *reply)
-{
- krb5_error_code ret;
- krb5_data ticket;
- krb5_keyblock session;
- krb5_storage *sp;
- krb5_data enc_data;
- struct rx_header reply_hdr;
- char zero[8];
- size_t pad;
- unsigned fyrtiosjuelva;
-
- /* create the ticket */
-
- krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session);
-
- _krb5_krb_create_ticket(context,
- 0,
- name,
- instance,
- realm,
- addr->sin_addr.s_addr,
- &session,
- life,
- kdc_time,
- sname,
- sinstance,
- &skey->key,
- &ticket);
-
- /* create the encrypted part of the reply */
- sp = krb5_storage_emem ();
- krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva));
- fyrtiosjuelva &= 0xffffffff;
- krb5_store_int32 (sp, fyrtiosjuelva);
- krb5_store_int32 (sp, challenge);
- krb5_storage_write (sp, session.keyvalue.data, 8);
- krb5_free_keyblock_contents(context, &session);
- krb5_store_int32 (sp, kdc_time);
- krb5_store_int32 (sp, kdc_time + _krb5_krb_life_to_time (0, life));
- krb5_store_int32 (sp, kvno);
- krb5_store_int32 (sp, ticket.length);
- krb5_store_stringz (sp, name);
- krb5_store_stringz (sp, instance);
-#if 1 /* XXX - Why shouldn't the realm go here? */
- krb5_store_stringz (sp, "");
-#else
- krb5_store_stringz (sp, realm);
-#endif
- krb5_store_stringz (sp, sname);
- krb5_store_stringz (sp, sinstance);
- krb5_storage_write (sp, ticket.data, ticket.length);
- krb5_storage_write (sp, label, strlen(label));
-
- /* pad to DES block */
- memset (zero, 0, sizeof(zero));
- pad = (8 - krb5_storage_seek (sp, 0, SEEK_CUR) % 8) % 8;
- krb5_storage_write (sp, zero, pad);
-
- krb5_storage_to_data (sp, &enc_data);
- krb5_storage_free (sp);
-
- if (enc_data.length > max_seq_len) {
- krb5_data_free (&enc_data);
- make_error_reply (hdr, KAANSWERTOOLONG, reply);
- return 0;
- }
-
- /* encrypt it */
- {
- DES_key_schedule schedule;
- DES_cblock deskey;
-
- memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
- DES_set_key_unchecked (&deskey, &schedule);
- DES_pcbc_encrypt (enc_data.data,
- enc_data.data,
- enc_data.length,
- &schedule,
- &deskey,
- DES_ENCRYPT);
- memset (&schedule, 0, sizeof(schedule));
- memset (&deskey, 0, sizeof(deskey));
- }
-
- /* create the reply packet */
- init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
- sp = krb5_storage_emem ();
- ret = encode_rx_header (&reply_hdr, sp);
- krb5_store_int32 (sp, max_seq_len);
- krb5_store_xdr_data (sp, enc_data);
- krb5_data_free (&enc_data);
- krb5_storage_to_data (sp, reply);
- krb5_storage_free (sp);
- return 0;
-}
-
-static krb5_error_code
-unparse_auth_args (krb5_storage *sp,
- char **name,
- char **instance,
- time_t *start_time,
- time_t *end_time,
- krb5_data *request,
- int32_t *max_seq_len)
-{
- krb5_data data;
- int32_t tmp;
-
- krb5_ret_xdr_data (sp, &data);
- *name = malloc(data.length + 1);
- if (*name == NULL)
- return ENOMEM;
- memcpy (*name, data.data, data.length);
- (*name)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, &data);
- *instance = malloc(data.length + 1);
- if (*instance == NULL) {
- free (*name);
- return ENOMEM;
- }
- memcpy (*instance, data.data, data.length);
- (*instance)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_int32 (sp, &tmp);
- *start_time = tmp;
- krb5_ret_int32 (sp, &tmp);
- *end_time = tmp;
- krb5_ret_xdr_data (sp, request);
- krb5_ret_int32 (sp, max_seq_len);
- /* ignore the rest */
- return 0;
-}
-
-static void
-do_authenticate (krb5_context context,
- krb5_kdc_configuration *config,
- struct rx_header *hdr,
- krb5_storage *sp,
- struct sockaddr_in *addr,
- const char *from,
- krb5_data *reply)
-{
- krb5_error_code ret;
- char *name = NULL;
- char *instance = NULL;
- time_t start_time;
- time_t end_time;
- krb5_data request;
- int32_t max_seq_len;
- hdb_entry_ex *client_entry = NULL;
- hdb_entry_ex *server_entry = NULL;
- Key *ckey = NULL;
- Key *skey = NULL;
- krb5_storage *reply_sp;
- time_t max_life;
- uint8_t life;
- int32_t chal;
- char client_name[256];
- char server_name[256];
-
- krb5_data_zero (&request);
-
- ret = unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
- &request, &max_seq_len);
- if (ret != 0 || request.length < 8) {
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
- }
-
- snprintf (client_name, sizeof(client_name), "%s.%s@%s",
- name, instance, config->v4_realm);
- snprintf (server_name, sizeof(server_name), "%s.%s@%s",
- "krbtgt", config->v4_realm, config->v4_realm);
-
- kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s",
- client_name, from, server_name);
-
- ret = _kdc_db_fetch4 (context, config, name, instance,
- config->v4_realm, HDB_F_GET_CLIENT,
- &client_entry);
- if (ret) {
- kdc_log(context, config, 0, "Client not found in database: %s: %s",
- client_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = _kdc_db_fetch4 (context, config, "krbtgt",
- config->v4_realm, config->v4_realm,
- HDB_F_GET_KRBTGT, &server_entry);
- if (ret) {
- kdc_log(context, config, 0, "Server not found in database: %s: %s",
- server_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = kdc_check_flags (context, config,
- client_entry, client_name,
- server_entry, server_name,
- TRUE);
- if (ret) {
- make_error_reply (hdr, KAPWEXPIRED, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = _kdc_get_des_key(context, client_entry, FALSE, TRUE, &ckey);
- if(ret){
- kdc_log(context, config, 0, "no suitable DES key for client");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
- if(ret){
- kdc_log(context, config, 0, "no suitable DES key for server");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- {
- DES_cblock key;
- DES_key_schedule schedule;
-
- /* try to decode the `request' */
- memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
- DES_set_key_unchecked (&key, &schedule);
- DES_pcbc_encrypt (request.data,
- request.data,
- request.length,
- &schedule,
- &key,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
- memset (&key, 0, sizeof(key));
- }
-
- /* check for the magic label */
- if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
- kdc_log(context, config, 0, "preauth failed for %s", client_name);
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
- }
-
- reply_sp = krb5_storage_from_mem (request.data, 4);
- krb5_ret_int32 (reply_sp, &chal);
- krb5_storage_free (reply_sp);
-
- if (abs(chal - kdc_time) > context->max_skew) {
- make_error_reply (hdr, KACLOCKSKEW, reply);
- goto out;
- }
-
- /* life */
- max_life = end_time - kdc_time;
- /* end_time - kdc_time can sometimes be non-positive due to slight
- time skew between client and server. Let's make sure it is postive */
- if(max_life < 1)
- max_life = 1;
- if (client_entry->entry.max_life)
- max_life = min(max_life, *client_entry->entry.max_life);
- if (server_entry->entry.max_life)
- max_life = min(max_life, *server_entry->entry.max_life);
-
- life = krb_time_to_life(kdc_time, kdc_time + max_life);
-
- create_reply_ticket (context,
- hdr, skey,
- name, instance, config->v4_realm,
- addr, life, server_entry->entry.kvno,
- max_seq_len,
- "krbtgt", config->v4_realm,
- chal + 1, "tgsT",
- &ckey->key, reply);
-
- out:
- if (request.length) {
- memset (request.data, 0, request.length);
- krb5_data_free (&request);
- }
- if (name)
- free (name);
- if (instance)
- free (instance);
- if (client_entry)
- _kdc_free_ent (context, client_entry);
- if (server_entry)
- _kdc_free_ent (context, server_entry);
-}
-
-static krb5_error_code
-unparse_getticket_args (krb5_storage *sp,
- int *kvno,
- char **auth_domain,
- krb5_data *ticket,
- char **name,
- char **instance,
- krb5_data *times,
- int32_t *max_seq_len)
-{
- krb5_data data;
- int32_t tmp;
-
- krb5_ret_int32 (sp, &tmp);
- *kvno = tmp;
-
- krb5_ret_xdr_data (sp, &data);
- *auth_domain = malloc(data.length + 1);
- if (*auth_domain == NULL)
- return ENOMEM;
- memcpy (*auth_domain, data.data, data.length);
- (*auth_domain)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, ticket);
-
- krb5_ret_xdr_data (sp, &data);
- *name = malloc(data.length + 1);
- if (*name == NULL) {
- free (*auth_domain);
- return ENOMEM;
- }
- memcpy (*name, data.data, data.length);
- (*name)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, &data);
- *instance = malloc(data.length + 1);
- if (*instance == NULL) {
- free (*auth_domain);
- free (*name);
- return ENOMEM;
- }
- memcpy (*instance, data.data, data.length);
- (*instance)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, times);
-
- krb5_ret_int32 (sp, max_seq_len);
- /* ignore the rest */
- return 0;
-}
-
-static void
-do_getticket (krb5_context context,
- krb5_kdc_configuration *config,
- struct rx_header *hdr,
- krb5_storage *sp,
- struct sockaddr_in *addr,
- const char *from,
- krb5_data *reply)
-{
- krb5_error_code ret;
- int kvno;
- char *auth_domain = NULL;
- krb5_data aticket;
- char *name = NULL;
- char *instance = NULL;
- krb5_data times;
- int32_t max_seq_len;
- hdb_entry_ex *server_entry = NULL;
- hdb_entry_ex *client_entry = NULL;
- hdb_entry_ex *krbtgt_entry = NULL;
- Key *kkey = NULL;
- Key *skey = NULL;
- DES_cblock key;
- DES_key_schedule schedule;
- DES_cblock session;
- time_t max_life;
- int8_t life;
- time_t start_time, end_time;
- char server_name[256];
- char client_name[256];
- struct _krb5_krb_auth_data ad;
-
- krb5_data_zero (&aticket);
- krb5_data_zero (&times);
-
- memset(&ad, 0, sizeof(ad));
-
- unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
- &name, &instance, &times, &max_seq_len);
- if (times.length < 8) {
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
-
- }
-
- snprintf (server_name, sizeof(server_name),
- "%s.%s@%s", name, instance, config->v4_realm);
-
- ret = _kdc_db_fetch4 (context, config, name, instance,
- config->v4_realm, HDB_F_GET_SERVER, &server_entry);
- if (ret) {
- kdc_log(context, config, 0, "Server not found in database: %s: %s",
- server_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = _kdc_db_fetch4 (context, config, "krbtgt",
- config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry);
- if (ret) {
- kdc_log(context, config, 0,
- "Server not found in database: %s.%s@%s: %s",
- "krbtgt", config->v4_realm, config->v4_realm,
- krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = _kdc_get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey);
- if(ret){
- kdc_log(context, config, 0, "no suitable DES key for krbtgt");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
- if(ret){
- kdc_log(context, config, 0, "no suitable DES key for server");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* decrypt the incoming ticket */
- memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
-
- /* unpack the ticket */
- {
- char *sname = NULL;
- char *sinstance = NULL;
-
- ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key,
- config->v4_realm, &sname,
- &sinstance, &ad);
- if (ret) {
- const char *msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 0,
- "kaserver: decomp failed for %s.%s with %s %d",
- msg, sname, sinstance, ret);
- krb5_free_error_message(context, msg);
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
-
- if (strcmp (sname, "krbtgt") != 0
- || strcmp (sinstance, config->v4_realm) != 0) {
- kdc_log(context, config, 0, "no TGT: %s.%s for %s.%s@%s",
- sname, sinstance,
- ad.pname, ad.pinst, ad.prealm);
- make_error_reply (hdr, KABADTICKET, reply);
- free(sname);
- free(sinstance);
- goto out;
- }
- free(sname);
- free(sinstance);
-
- if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) {
- kdc_log(context, config, 0, "TGT expired: %s.%s@%s",
- ad.pname, ad.pinst, ad.prealm);
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
- }
-
- snprintf (client_name, sizeof(client_name),
- "%s.%s@%s", ad.pname, ad.pinst, ad.prealm);
-
- kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s",
- client_name, from, server_name);
-
- ret = _kdc_db_fetch4 (context, config,
- ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT,
- &client_entry);
- if(ret && ret != HDB_ERR_NOENTRY) {
- kdc_log(context, config, 0,
- "Client not found in database: (krb4) %s: %s",
- client_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
- if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
- kdc_log(context, config, 0,
- "Local client not found in database: (krb4) "
- "%s", client_name);
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = kdc_check_flags (context, config,
- client_entry, client_name,
- server_entry, server_name,
- FALSE);
- if (ret) {
- make_error_reply (hdr, KAPWEXPIRED, reply);
- goto out;
- }
-
- /* decrypt the times */
- memcpy(&session, ad.session.keyvalue.data, sizeof(session));
- DES_set_key_unchecked (&session, &schedule);
- DES_ecb_encrypt (times.data,
- times.data,
- &schedule,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
- memset (&session, 0, sizeof(session));
-
- /* and extract them */
- {
- krb5_storage *tsp;
- int32_t tmp;
-
- tsp = krb5_storage_from_mem (times.data, times.length);
- krb5_ret_int32 (tsp, &tmp);
- start_time = tmp;
- krb5_ret_int32 (tsp, &tmp);
- end_time = tmp;
- krb5_storage_free (tsp);
- }
-
- /* life */
- max_life = end_time - kdc_time;
- /* end_time - kdc_time can sometimes be non-positive due to slight
- time skew between client and server. Let's make sure it is postive */
- if(max_life < 1)
- max_life = 1;
- if (krbtgt_entry->entry.max_life)
- max_life = min(max_life, *krbtgt_entry->entry.max_life);
- if (server_entry->entry.max_life)
- max_life = min(max_life, *server_entry->entry.max_life);
- /* if this is a cross realm request, the client_entry will likely
- be NULL */
- if (client_entry && client_entry->entry.max_life)
- max_life = min(max_life, *client_entry->entry.max_life);
-
- life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life);
-
- create_reply_ticket (context,
- hdr, skey,
- ad.pname, ad.pinst, ad.prealm,
- addr, life, server_entry->entry.kvno,
- max_seq_len,
- name, instance,
- 0, "gtkt",
- &ad.session, reply);
-
- out:
- _krb5_krb_free_auth_data(context, &ad);
- if (aticket.length) {
- memset (aticket.data, 0, aticket.length);
- krb5_data_free (&aticket);
- }
- if (times.length) {
- memset (times.data, 0, times.length);
- krb5_data_free (&times);
- }
- if (auth_domain)
- free (auth_domain);
- if (name)
- free (name);
- if (instance)
- free (instance);
- if (krbtgt_entry)
- _kdc_free_ent (context, krbtgt_entry);
- if (server_entry)
- _kdc_free_ent (context, server_entry);
-}
-
-krb5_error_code
-_kdc_do_kaserver(krb5_context context,
- krb5_kdc_configuration *config,
- unsigned char *buf,
- size_t len,
- krb5_data *reply,
- const char *from,
- struct sockaddr_in *addr)
-{
- krb5_error_code ret = 0;
- struct rx_header hdr;
- uint32_t op;
- krb5_storage *sp;
-
- if (len < RX_HEADER_SIZE)
- return -1;
- sp = krb5_storage_from_mem (buf, len);
-
- ret = decode_rx_header (sp, &hdr);
- if (ret)
- goto out;
- buf += RX_HEADER_SIZE;
- len -= RX_HEADER_SIZE;
-
- switch (hdr.type) {
- case HT_DATA :
- break;
- case HT_ACK :
- case HT_BUSY :
- case HT_ABORT :
- case HT_ACKALL :
- case HT_CHAL :
- case HT_RESP :
- case HT_DEBUG :
- default:
- /* drop */
- goto out;
- }
-
-
- if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
- && hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
- ret = -1;
- goto out;
- }
-
- ret = krb5_ret_uint32(sp, &op);
- if (ret)
- goto out;
- switch (op) {
- case AUTHENTICATE :
- case AUTHENTICATE_V2 :
- do_authenticate (context, config, &hdr, sp, addr, from, reply);
- break;
- case GETTICKET :
- do_getticket (context, config, &hdr, sp, addr, from, reply);
- break;
- case AUTHENTICATE_OLD :
- case CHANGEPASSWORD :
- case GETTICKET_OLD :
- case SETPASSWORD :
- case SETFIELDS :
- case CREATEUSER :
- case DELETEUSER :
- case GETENTRY :
- case LISTENTRY :
- case GETSTATS :
- case DEBUG :
- case GETPASSWORD :
- case GETRANDOMKEY :
- default :
- make_error_reply (&hdr, RXGEN_OPCODE, reply);
- break;
- }
-
-out:
- krb5_storage_free (sp);
- return ret;
-}
-
-#endif /* KRB4 */
generated by cgit (git 2.34.1) at 2024-06-03 02:52:52 +0000