/* * Copyright (c) 1997 - 2006 Kungliga Tekniska H�gskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "kdc_locl.h" #include <krb5-v4compat.h> RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $"); #ifndef swap32 static uint32_t swap32(uint32_t x) { return ((x << 24) & 0xff000000) | ((x << 8) & 0xff0000) | ((x >> 8) & 0xff00) | ((x >> 24) & 0xff); } #endif /* swap32 */ int _kdc_maybe_version4(unsigned char *buf, int len) { return len > 0 && *buf == 4; } static void make_err_reply(krb5_context context, krb5_data *reply, int code, const char *msg) { _krb5_krb_cr_err_reply(context, "", "", "", kdc_time, code, msg, reply); } struct valid_princ_ctx { krb5_kdc_configuration *config; unsigned flags; }; static krb5_boolean valid_princ(krb5_context context, void *funcctx, krb5_principal princ) { struct valid_princ_ctx *ctx = funcctx; krb5_error_code ret; char *s; hdb_entry_ex *ent; ret = krb5_unparse_name(context, princ, &s); if (ret) return FALSE; ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent); if (ret) { kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s, krb5_get_err_text (context, ret)); free(s); return FALSE; } kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s); free(s); _kdc_free_ent(context, ent); return TRUE; } krb5_error_code _kdc_db_fetch4(krb5_context context, krb5_kdc_configuration *config, const char *name, const char *instance, const char *realm, unsigned flags, hdb_entry_ex **ent) { krb5_principal p; krb5_error_code ret; struct valid_princ_ctx ctx; ctx.config = config; ctx.flags = flags; ret = krb5_425_conv_principal_ext2(context, name, instance, realm, valid_princ, &ctx, 0, &p); if(ret) return ret; ret = _kdc_db_fetch(context, config, p, flags, NULL, ent); krb5_free_principal(context, p); return ret; } #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;} /* * Process the v4 request in `buf, len' (received from `addr' * (with string `from'). * Return an error code and a reply in `reply'. */ krb5_error_code _kdc_do_version4(krb5_context context, krb5_kdc_configuration *config, unsigned char *buf, size_t len, krb5_data *reply, const char *from, struct sockaddr_in *addr) { krb5_storage *sp; krb5_error_code ret; hdb_entry_ex *client = NULL, *server = NULL; Key *ckey, *skey; int8_t pvno; int8_t msg_type; int lsb; char *name = NULL, *inst = NULL, *realm = NULL; char *sname = NULL, *sinst = NULL; int32_t req_time; time_t max_life; uint8_t life; char client_name[256]; char server_name[256]; if(!config->enable_v4) { kdc_log(context, config, 0, "Rejected version 4 request from %s", from); make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR, "Function not enabled"); return 0; } sp = krb5_storage_from_mem(buf, len); RCHECK(krb5_ret_int8(sp, &pvno), out); if(pvno != 4){ kdc_log(context, config, 0, "Protocol version mismatch (krb4) (%d)", pvno); make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch"); goto out; } RCHECK(krb5_ret_int8(sp, &msg_type), out); lsb = msg_type & 1; msg_type &= ~1; switch(msg_type){ case AUTH_MSG_KDC_REQUEST: { krb5_data ticket, cipher; krb5_keyblock session; krb5_data_zero(&ticket); krb5_data_zero(&cipher); RCHECK(krb5_ret_stringz(sp, &name), out1); RCHECK(krb5_ret_stringz(sp, &inst), out1); RCHECK(krb5_ret_stringz(sp, &realm), out1); RCHECK(krb5_ret_int32(sp, &req_time), out1); if(lsb) req_time = swap32(req_time); RCHECK(krb5_ret_uint8(sp, &life), out1); RCHECK(krb5_ret_stringz(sp, &sname), out1); RCHECK(krb5_ret_stringz(sp, &sinst), out1); snprintf (client_name, sizeof(client_name), "%s.%s@%s", name, inst, realm); snprintf (server_name, sizeof(server_name), "%s.%s@%s", sname, sinst, config->v4_realm); kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s", client_name, from, server_name); ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_F_GET_CLIENT, &client); if(ret) { kdc_log(context, config, 0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "principal unknown"); goto out1; } ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, HDB_F_GET_SERVER, &server); if(ret){ kdc_log(context, config, 0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "principal unknown"); goto out1; } ret = _kdc_check_flags (context, config, client, client_name, server, server_name, TRUE); if (ret) { /* good error code? */ make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP, "operation not allowed"); goto out1; } if (config->enable_v4_per_principal && client->entry.flags.allow_kerberos4 == 0) { kdc_log(context, config, 0, "Per principal Kerberos 4 flag not turned on for %s", client_name); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "allow kerberos4 flag required"); goto out1; } /* * There's no way to do pre-authentication in v4 and thus no * good error code to return if preauthentication is required. */ if (config->require_preauth || client->entry.flags.require_preauth || server->entry.flags.require_preauth) { kdc_log(context, config, 0, "Pre-authentication required for v4-request: " "%s for %s", client_name, server_name); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "preauth required"); goto out1; } ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for client"); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for client"); goto out1; } #if 0 /* this is not necessary with the new code in libkrb */ /* find a properly salted key */ while(ckey->salt == NULL || ckey->salt->salt.length != 0) ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey); if(ret){ kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", name, inst, realm); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "No version-4 salted key in database"); goto out1; } #endif ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for server"); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for server"); goto out1; } max_life = _krb5_krb_life_to_time(0, life); if(client->entry.max_life) max_life = min(max_life, *client->entry.max_life); if(server->entry.max_life) max_life = min(max_life, *server->entry.max_life); life = krb_time_to_life(kdc_time, kdc_time + max_life); ret = krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session); if (ret) { make_err_reply(context, reply, KFAILURE, "Not enough random i KDC"); goto out1; } ret = _krb5_krb_create_ticket(context, 0, name, inst, config->v4_realm, addr->sin_addr.s_addr, &session, life, kdc_time, sname, sinst, &skey->key, &ticket); if (ret) { krb5_free_keyblock_contents(context, &session); make_err_reply(context, reply, KFAILURE, "failed to create v4 ticket"); goto out1; } ret = _krb5_krb_create_ciph(context, &session, sname, sinst, config->v4_realm, life, server->entry.kvno % 255, &ticket, kdc_time, &ckey->key, &cipher); krb5_free_keyblock_contents(context, &session); krb5_data_free(&ticket); if (ret) { make_err_reply(context, reply, KFAILURE, "Failed to create v4 cipher"); goto out1; } ret = _krb5_krb_create_auth_reply(context, name, inst, realm, req_time, 0, client->entry.pw_end ? *client->entry.pw_end : 0, client->entry.kvno % 256, &cipher, reply); krb5_data_free(&cipher); out1: break; } case AUTH_MSG_APPL_REQUEST: { struct _krb5_krb_auth_data ad; int8_t kvno; int8_t ticket_len; int8_t req_len; krb5_data auth; int32_t address; size_t pos; krb5_principal tgt_princ = NULL; hdb_entry_ex *tgt = NULL; Key *tkey; time_t max_end, actual_end, issue_time; memset(&ad, 0, sizeof(ad)); krb5_data_zero(&auth); RCHECK(krb5_ret_int8(sp, &kvno), out2); RCHECK(krb5_ret_stringz(sp, &realm), out2); ret = krb5_425_conv_principal(context, "krbtgt", realm, config->v4_realm, &tgt_princ); if(ret){ kdc_log(context, config, 0, "Converting krbtgt principal (krb4): %s", krb5_get_err_text(context, ret)); make_err_reply(context, reply, KFAILURE, "Failed to convert v4 principal (krbtgt)"); goto out2; } ret = _kdc_db_fetch(context, config, tgt_princ, HDB_F_GET_KRBTGT, NULL, &tgt); if(ret){ char *s; s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not " "found in database (krb4): krbtgt.%s@%s: %s", realm, config->v4_realm, krb5_get_err_text(context, ret)); make_err_reply(context, reply, KFAILURE, s); free(s); goto out2; } if(tgt->entry.kvno % 256 != kvno){ kdc_log(context, config, 0, "tgs-req (krb4) with old kvno %d (current %d) for " "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, realm, config->v4_realm); make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP, "old krbtgt kvno used"); goto out2; } ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for krbtgt (krb4)"); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for krbtgt"); goto out2; } RCHECK(krb5_ret_int8(sp, &ticket_len), out2); RCHECK(krb5_ret_int8(sp, &req_len), out2); pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); auth.data = buf; auth.length = pos; if (config->check_ticket_addresses) address = addr->sin_addr.s_addr; else address = 0; ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, config->v4_realm, address, &tkey->key, &ad); if(ret){ kdc_log(context, config, 0, "krb_rd_req: %d", ret); make_err_reply(context, reply, ret, "failed to parse request"); goto out2; } RCHECK(krb5_ret_int32(sp, &req_time), out2); if(lsb) req_time = swap32(req_time); RCHECK(krb5_ret_uint8(sp, &life), out2); RCHECK(krb5_ret_stringz(sp, &sname), out2); RCHECK(krb5_ret_stringz(sp, &sinst), out2); snprintf (server_name, sizeof(server_name), "%s.%s@%s", sname, sinst, config->v4_realm); snprintf (client_name, sizeof(client_name), "%s.%s@%s", ad.pname, ad.pinst, ad.prealm); kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s", client_name, from, server_name); if(strcmp(ad.prealm, realm)){ kdc_log(context, config, 0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't hop realms"); goto out2; } if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) { kdc_log(context, config, 0, "krb4 Cross-realm %s -> %s disabled", realm, config->v4_realm); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't hop realms"); goto out2; } if(strcmp(sname, "changepw") == 0){ kdc_log(context, config, 0, "Bad request for changepw ticket (krb4)"); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "Can't authorize password change based on TGT"); goto out2; } ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT, &client); if(ret && ret != HDB_ERR_NOENTRY) { char *s; s = kdc_log_msg(context, config, 0, "Client not found in database: (krb4) %s: %s", client_name, krb5_get_err_text(context, ret)); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s); free(s); goto out2; } if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) { char *s; s = kdc_log_msg(context, config, 0, "Local client not found in database: (krb4) " "%s", client_name); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s); free(s); goto out2; } ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, HDB_F_GET_SERVER, &server); if(ret){ char *s; s = kdc_log_msg(context, config, 0, "Server not found in database (krb4): %s: %s", server_name, krb5_get_err_text(context, ret)); make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s); free(s); goto out2; } ret = _kdc_check_flags (context, config, client, client_name, server, server_name, FALSE); if (ret) { make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP, "operation not allowed"); goto out2; } ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for server (krb4)"); make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, "no suitable DES key for server"); goto out2; } max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life); max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life)); if(server->entry.max_life) max_end = min(max_end, kdc_time + *server->entry.max_life); if(client && client->entry.max_life) max_end = min(max_end, kdc_time + *client->entry.max_life); life = min(life, krb_time_to_life(kdc_time, max_end)); issue_time = kdc_time; actual_end = _krb5_krb_life_to_time(issue_time, life); while (actual_end > max_end && life > 1) { /* move them into the next earlier lifetime bracket */ life--; actual_end = _krb5_krb_life_to_time(issue_time, life); } if (actual_end > max_end) { /* if life <= 1 and it's still too long, backdate the ticket */ issue_time -= actual_end - max_end; } { krb5_data ticket, cipher; krb5_keyblock session; krb5_data_zero(&ticket); krb5_data_zero(&cipher); ret = krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session); if (ret) { make_err_reply(context, reply, KFAILURE, "Not enough random i KDC"); goto out2; } ret = _krb5_krb_create_ticket(context, 0, ad.pname, ad.pinst, ad.prealm, addr->sin_addr.s_addr, &session, life, issue_time, sname, sinst, &skey->key, &ticket); if (ret) { krb5_free_keyblock_contents(context, &session); make_err_reply(context, reply, KFAILURE, "failed to create v4 ticket"); goto out2; } ret = _krb5_krb_create_ciph(context, &session, sname, sinst, config->v4_realm, life, server->entry.kvno % 255, &ticket, issue_time, &ad.session, &cipher); krb5_free_keyblock_contents(context, &session); if (ret) { make_err_reply(context, reply, KFAILURE, "failed to create v4 cipher"); goto out2; } ret = _krb5_krb_create_auth_reply(context, ad.pname, ad.pinst, ad.prealm, req_time, 0, 0, 0, &cipher, reply); krb5_data_free(&cipher); } out2: _krb5_krb_free_auth_data(context, &ad); if(tgt_princ) krb5_free_principal(context, tgt_princ); if(tgt) _kdc_free_ent(context, tgt); break; } case AUTH_MSG_ERR_REPLY: break; default: kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", msg_type, from); make_err_reply(context, reply, KFAILURE, "Unknown message type"); } out: if(name) free(name); if(inst) free(inst); if(realm) free(realm); if(sname) free(sname); if(sinst) free(sinst); if(client) _kdc_free_ent(context, client); if(server) _kdc_free_ent(context, server); krb5_storage_free(sp); return 0; } krb5_error_code _kdc_encode_v4_ticket(krb5_context context, krb5_kdc_configuration *config, void *buf, size_t len, const EncTicketPart *et, const PrincipalName *service, size_t *size) { krb5_storage *sp; krb5_error_code ret; char name[40], inst[40], realm[40]; char sname[40], sinst[40]; { krb5_principal princ; _krb5_principalname2krb5_principal(context, &princ, *service, et->crealm); ret = krb5_524_conv_principal(context, princ, sname, sinst, realm); krb5_free_principal(context, princ); if(ret) return ret; _krb5_principalname2krb5_principal(context, &princ, et->cname, et->crealm); ret = krb5_524_conv_principal(context, princ, name, inst, realm); krb5_free_principal(context, princ); } if(ret) return ret; sp = krb5_storage_emem(); krb5_store_int8(sp, 0); /* flags */ krb5_store_stringz(sp, name); krb5_store_stringz(sp, inst); krb5_store_stringz(sp, realm); { unsigned char tmp[4] = { 0, 0, 0, 0 }; int i; if(et->caddr){ for(i = 0; i < et->caddr->len; i++) if(et->caddr->val[i].addr_type == AF_INET && et->caddr->val[i].address.length == 4){ memcpy(tmp, et->caddr->val[i].address.data, 4); break; } } krb5_storage_write(sp, tmp, sizeof(tmp)); } if((et->key.keytype != ETYPE_DES_CBC_MD5 && et->key.keytype != ETYPE_DES_CBC_MD4 && et->key.keytype != ETYPE_DES_CBC_CRC) || et->key.keyvalue.length != 8) return -1; krb5_storage_write(sp, et->key.keyvalue.data, 8); { time_t start = et->starttime ? *et->starttime : et->authtime; krb5_store_int8(sp, krb_time_to_life(start, et->endtime)); krb5_store_int32(sp, start); } krb5_store_stringz(sp, sname); krb5_store_stringz(sp, sinst); { krb5_data data; krb5_storage_to_data(sp, &data); krb5_storage_free(sp); *size = (data.length + 7) & ~7; /* pad to 8 bytes */ if(*size > len) return -1; memset((unsigned char*)buf - *size + 1, 0, *size); memcpy((unsigned char*)buf - *size + 1, data.data, data.length); krb5_data_free(&data); } return 0; } krb5_error_code _kdc_get_des_key(krb5_context context, hdb_entry_ex *principal, krb5_boolean is_server, krb5_boolean prefer_afs_key, Key **ret_key) { Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; int i; krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4, ETYPE_DES_CBC_CRC }; for(i = 0; i < sizeof(etypes)/sizeof(etypes[0]) && (v5_key == NULL || v4_key == NULL || afs_key == NULL || server_key == NULL); ++i) { Key *key = NULL; while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) { if(key->salt == NULL) { if(v5_key == NULL) v5_key = key; } else if(key->salt->type == hdb_pw_salt && key->salt->salt.length == 0) { if(v4_key == NULL) v4_key = key; } else if(key->salt->type == hdb_afs3_salt) { if(afs_key == NULL) afs_key = key; } else if(server_key == NULL) server_key = key; } } if(prefer_afs_key) { if(afs_key) *ret_key = afs_key; else if(v4_key) *ret_key = v4_key; else if(v5_key) *ret_key = v5_key; else if(is_server && server_key) *ret_key = server_key; else return KRB4ET_KDC_NULL_KEY; } else { if(v4_key) *ret_key = v4_key; else if(afs_key) *ret_key = afs_key; else if(v5_key) *ret_key = v5_key; else if(is_server && server_key) *ret_key = server_key; else return KRB4ET_KDC_NULL_KEY; } if((*ret_key)->key.keyvalue.length == 0) return KRB4ET_KDC_NULL_KEY; return 0; }