2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <krb5-v4compat.h>
38 RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $");
44 return ((x << 24) & 0xff000000) |
45 ((x << 8) & 0xff0000) |
52 _kdc_maybe_version4(unsigned char *buf, int len)
54 return len > 0 && *buf == 4;
58 make_err_reply(krb5_context context, krb5_data *reply,
59 int code, const char *msg)
61 _krb5_krb_cr_err_reply(context, "", "", "",
62 kdc_time, code, msg, reply);
65 struct valid_princ_ctx {
66 krb5_kdc_configuration *config;
71 valid_princ(krb5_context context,
75 struct valid_princ_ctx *ctx = funcctx;
80 ret = krb5_unparse_name(context, princ, &s);
83 ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent);
85 kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
86 krb5_get_err_text (context, ret));
90 kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
92 _kdc_free_ent(context, ent);
97 _kdc_db_fetch4(krb5_context context,
98 krb5_kdc_configuration *config,
99 const char *name, const char *instance, const char *realm,
105 struct valid_princ_ctx ctx;
110 ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
111 valid_princ, &ctx, 0, &p);
114 ret = _kdc_db_fetch(context, config, p, flags, ent);
115 krb5_free_principal(context, p);
119 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
122 * Process the v4 request in `buf, len' (received from `addr'
123 * (with string `from').
124 * Return an error code and a reply in `reply'.
128 _kdc_do_version4(krb5_context context,
129 krb5_kdc_configuration *config,
134 struct sockaddr_in *addr)
138 hdb_entry_ex *client = NULL, *server = NULL;
143 char *name = NULL, *inst = NULL, *realm = NULL;
144 char *sname = NULL, *sinst = NULL;
148 char client_name[256];
149 char server_name[256];
151 if(!config->enable_v4) {
152 kdc_log(context, config, 0,
153 "Rejected version 4 request from %s", from);
154 make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
158 sp = krb5_storage_from_mem(buf, len);
159 RCHECK(krb5_ret_int8(sp, &pvno), out);
161 kdc_log(context, config, 0,
162 "Protocol version mismatch (krb4) (%d)", pvno);
163 make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
166 RCHECK(krb5_ret_int8(sp, &msg_type), out);
170 case AUTH_MSG_KDC_REQUEST: {
171 krb5_data ticket, cipher;
172 krb5_keyblock session;
174 krb5_data_zero(&ticket);
175 krb5_data_zero(&cipher);
177 RCHECK(krb5_ret_stringz(sp, &name), out1);
178 RCHECK(krb5_ret_stringz(sp, &inst), out1);
179 RCHECK(krb5_ret_stringz(sp, &realm), out1);
180 RCHECK(krb5_ret_int32(sp, &req_time), out1);
182 req_time = swap32(req_time);
183 RCHECK(krb5_ret_uint8(sp, &life), out1);
184 RCHECK(krb5_ret_stringz(sp, &sname), out1);
185 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
186 snprintf (client_name, sizeof(client_name),
187 "%s.%s@%s", name, inst, realm);
188 snprintf (server_name, sizeof(server_name),
189 "%s.%s@%s", sname, sinst, config->v4_realm);
191 kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
192 client_name, from, server_name);
194 ret = _kdc_db_fetch4(context, config, name, inst, realm,
195 HDB_F_GET_CLIENT, &client);
197 kdc_log(context, config, 0, "Client not found in database: %s: %s",
198 client_name, krb5_get_err_text(context, ret));
199 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
200 "principal unknown");
203 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
204 HDB_F_GET_SERVER, &server);
206 kdc_log(context, config, 0, "Server not found in database: %s: %s",
207 server_name, krb5_get_err_text(context, ret));
208 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
209 "principal unknown");
213 ret = _kdc_check_flags (context, config,
218 /* good error code? */
219 make_err_reply(context, reply, KERB_ERR_NAME_EXP,
220 "operation not allowed");
225 * There's no way to do pre-authentication in v4 and thus no
226 * good error code to return if preauthentication is required.
229 if (config->require_preauth
230 || client->entry.flags.require_preauth
231 || server->entry.flags.require_preauth) {
232 kdc_log(context, config, 0,
233 "Pre-authentication required for v4-request: "
235 client_name, server_name);
236 make_err_reply(context, reply, KERB_ERR_NULL_KEY,
241 ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
243 kdc_log(context, config, 0, "no suitable DES key for client");
244 make_err_reply(context, reply, KDC_NULL_KEY,
245 "no suitable DES key for client");
250 /* this is not necessary with the new code in libkrb */
251 /* find a properly salted key */
252 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
253 ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
255 kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
257 make_err_reply(context, reply, KDC_NULL_KEY,
258 "No version-4 salted key in database");
263 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
265 kdc_log(context, config, 0, "no suitable DES key for server");
267 make_err_reply(context, reply, KDC_NULL_KEY,
268 "no suitable DES key for server");
272 max_life = _krb5_krb_life_to_time(0, life);
273 if(client->entry.max_life)
274 max_life = min(max_life, *client->entry.max_life);
275 if(server->entry.max_life)
276 max_life = min(max_life, *server->entry.max_life);
278 life = krb_time_to_life(kdc_time, kdc_time + max_life);
280 ret = krb5_generate_random_keyblock(context,
284 make_err_reply(context, reply, KFAILURE,
285 "Not enough random i KDC");
289 ret = _krb5_krb_create_ticket(context,
294 addr->sin_addr.s_addr,
303 krb5_free_keyblock_contents(context, &session);
304 make_err_reply(context, reply, KFAILURE,
305 "failed to create v4 ticket");
309 ret = _krb5_krb_create_ciph(context,
315 server->entry.kvno % 255,
320 krb5_free_keyblock_contents(context, &session);
321 krb5_data_free(&ticket);
323 make_err_reply(context, reply, KFAILURE,
324 "Failed to create v4 cipher");
328 ret = _krb5_krb_create_auth_reply(context,
334 client->entry.pw_end ? *client->entry.pw_end : 0,
335 client->entry.kvno % 256,
338 krb5_data_free(&cipher);
343 case AUTH_MSG_APPL_REQUEST: {
344 struct _krb5_krb_auth_data ad;
351 krb5_principal tgt_princ = NULL;
352 hdb_entry_ex *tgt = NULL;
354 time_t max_end, actual_end, issue_time;
356 memset(&ad, 0, sizeof(ad));
357 krb5_data_zero(&auth);
359 RCHECK(krb5_ret_int8(sp, &kvno), out2);
360 RCHECK(krb5_ret_stringz(sp, &realm), out2);
362 ret = krb5_425_conv_principal(context, "krbtgt", realm,
366 kdc_log(context, config, 0,
367 "Converting krbtgt principal (krb4): %s",
368 krb5_get_err_text(context, ret));
369 make_err_reply(context, reply, KFAILURE,
370 "Failed to convert v4 principal (krbtgt)");
374 ret = _kdc_db_fetch(context, config, tgt_princ,
375 HDB_F_GET_KRBTGT, &tgt);
378 s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
379 "found in database (krb4): krbtgt.%s@%s: %s",
380 realm, config->v4_realm,
381 krb5_get_err_text(context, ret));
382 make_err_reply(context, reply, KFAILURE, s);
387 if(tgt->entry.kvno % 256 != kvno){
388 kdc_log(context, config, 0,
389 "tgs-req (krb4) with old kvno %d (current %d) for "
390 "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
391 realm, config->v4_realm);
392 make_err_reply(context, reply, KDC_AUTH_EXP,
393 "old krbtgt kvno used");
397 ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
399 kdc_log(context, config, 0,
400 "no suitable DES key for krbtgt (krb4)");
402 make_err_reply(context, reply, KDC_NULL_KEY,
403 "no suitable DES key for krbtgt");
407 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
408 RCHECK(krb5_ret_int8(sp, &req_len), out2);
410 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
415 if (config->check_ticket_addresses)
416 address = addr->sin_addr.s_addr;
420 ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
422 address, &tkey->key, &ad);
424 kdc_log(context, config, 0, "krb_rd_req: %d", ret);
425 make_err_reply(context, reply, ret, "failed to parse request");
429 RCHECK(krb5_ret_int32(sp, &req_time), out2);
431 req_time = swap32(req_time);
432 RCHECK(krb5_ret_uint8(sp, &life), out2);
433 RCHECK(krb5_ret_stringz(sp, &sname), out2);
434 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
435 snprintf (server_name, sizeof(server_name),
437 sname, sinst, config->v4_realm);
438 snprintf (client_name, sizeof(client_name),
440 ad.pname, ad.pinst, ad.prealm);
442 kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
443 client_name, from, server_name);
445 if(strcmp(ad.prealm, realm)){
446 kdc_log(context, config, 0,
447 "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
448 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
453 if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
454 kdc_log(context, config, 0,
455 "krb4 Cross-realm %s -> %s disabled",
456 realm, config->v4_realm);
457 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
462 if(strcmp(sname, "changepw") == 0){
463 kdc_log(context, config, 0,
464 "Bad request for changepw ticket (krb4)");
465 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
466 "Can't authorize password change based on TGT");
470 ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
471 HDB_F_GET_CLIENT, &client);
472 if(ret && ret != HDB_ERR_NOENTRY) {
474 s = kdc_log_msg(context, config, 0,
475 "Client not found in database: (krb4) %s: %s",
476 client_name, krb5_get_err_text(context, ret));
477 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
481 if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
483 s = kdc_log_msg(context, config, 0,
484 "Local client not found in database: (krb4) "
486 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
491 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
492 HDB_F_GET_SERVER, &server);
495 s = kdc_log_msg(context, config, 0,
496 "Server not found in database (krb4): %s: %s",
497 server_name, krb5_get_err_text(context, ret));
498 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
503 ret = _kdc_check_flags (context, config,
508 /* good error code? */
509 make_err_reply(context, reply, KERB_ERR_NAME_EXP,
510 "operation not allowed");
514 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
516 kdc_log(context, config, 0,
517 "no suitable DES key for server (krb4)");
519 make_err_reply(context, reply, KDC_NULL_KEY,
520 "no suitable DES key for server");
524 max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
525 max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
526 if(server->entry.max_life)
527 max_end = min(max_end, kdc_time + *server->entry.max_life);
528 if(client && client->entry.max_life)
529 max_end = min(max_end, kdc_time + *client->entry.max_life);
530 life = min(life, krb_time_to_life(kdc_time, max_end));
532 issue_time = kdc_time;
533 actual_end = _krb5_krb_life_to_time(issue_time, life);
534 while (actual_end > max_end && life > 1) {
535 /* move them into the next earlier lifetime bracket */
537 actual_end = _krb5_krb_life_to_time(issue_time, life);
539 if (actual_end > max_end) {
540 /* if life <= 1 and it's still too long, backdate the ticket */
541 issue_time -= actual_end - max_end;
545 krb5_data ticket, cipher;
546 krb5_keyblock session;
548 krb5_data_zero(&ticket);
549 krb5_data_zero(&cipher);
551 ret = krb5_generate_random_keyblock(context,
555 make_err_reply(context, reply, KFAILURE,
556 "Not enough random i KDC");
560 ret = _krb5_krb_create_ticket(context,
565 addr->sin_addr.s_addr,
574 krb5_free_keyblock_contents(context, &session);
575 make_err_reply(context, reply, KFAILURE,
576 "failed to create v4 ticket");
580 ret = _krb5_krb_create_ciph(context,
586 server->entry.kvno % 255,
591 krb5_free_keyblock_contents(context, &session);
593 make_err_reply(context, reply, KFAILURE,
594 "failed to create v4 cipher");
598 ret = _krb5_krb_create_auth_reply(context,
608 krb5_data_free(&cipher);
611 _krb5_krb_free_auth_data(context, &ad);
613 krb5_free_principal(context, tgt_princ);
615 _kdc_free_ent(context, tgt);
618 case AUTH_MSG_ERR_REPLY:
621 kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
624 make_err_reply(context, reply, KFAILURE, "Unknown message type");
638 _kdc_free_ent(context, client);
640 _kdc_free_ent(context, server);
641 krb5_storage_free(sp);
646 _kdc_encode_v4_ticket(krb5_context context,
647 krb5_kdc_configuration *config,
648 void *buf, size_t len, const EncTicketPart *et,
649 const PrincipalName *service, size_t *size)
653 char name[40], inst[40], realm[40];
654 char sname[40], sinst[40];
657 krb5_principal princ;
658 _krb5_principalname2krb5_principal(context,
662 ret = krb5_524_conv_principal(context,
667 krb5_free_principal(context, princ);
671 _krb5_principalname2krb5_principal(context,
676 ret = krb5_524_conv_principal(context,
681 krb5_free_principal(context, princ);
686 sp = krb5_storage_emem();
688 krb5_store_int8(sp, 0); /* flags */
689 krb5_store_stringz(sp, name);
690 krb5_store_stringz(sp, inst);
691 krb5_store_stringz(sp, realm);
693 unsigned char tmp[4] = { 0, 0, 0, 0 };
696 for(i = 0; i < et->caddr->len; i++)
697 if(et->caddr->val[i].addr_type == AF_INET &&
698 et->caddr->val[i].address.length == 4){
699 memcpy(tmp, et->caddr->val[i].address.data, 4);
703 krb5_storage_write(sp, tmp, sizeof(tmp));
706 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
707 et->key.keytype != ETYPE_DES_CBC_MD4 &&
708 et->key.keytype != ETYPE_DES_CBC_CRC) ||
709 et->key.keyvalue.length != 8)
711 krb5_storage_write(sp, et->key.keyvalue.data, 8);
714 time_t start = et->starttime ? *et->starttime : et->authtime;
715 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
716 krb5_store_int32(sp, start);
719 krb5_store_stringz(sp, sname);
720 krb5_store_stringz(sp, sinst);
724 krb5_storage_to_data(sp, &data);
725 krb5_storage_free(sp);
726 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
729 memset((unsigned char*)buf - *size + 1, 0, *size);
730 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
731 krb5_data_free(&data);
737 _kdc_get_des_key(krb5_context context,
738 hdb_entry_ex *principal, krb5_boolean is_server,
739 krb5_boolean prefer_afs_key, Key **ret_key)
741 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
743 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
748 i < sizeof(etypes)/sizeof(etypes[0])
749 && (v5_key == NULL || v4_key == NULL ||
750 afs_key == NULL || server_key == NULL);
753 while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
754 if(key->salt == NULL) {
757 } else if(key->salt->type == hdb_pw_salt &&
758 key->salt->salt.length == 0) {
761 } else if(key->salt->type == hdb_afs3_salt) {
764 } else if(server_key == NULL)
776 else if(is_server && server_key)
777 *ret_key = server_key;
779 return KERB_ERR_NULL_KEY;
787 else if(is_server && server_key)
788 *ret_key = server_key;
790 return KERB_ERR_NULL_KEY;
793 if((*ret_key)->key.keyvalue.length == 0)
794 return KERB_ERR_NULL_KEY;