oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Use the new Kerberos 4 functions in libkrb5 and so kerberos 4 is

Browse Source 
always compiled in (still default disabled)


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14900 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-04-23 19:57:56 +00:00
parent e54c17af6b
commit 2eb8ce2e5f
3 changed files with 220 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
kdc/config.c
View File

@@ -72,11 +72,9 @@ krb5_addresses explicit_addresses;
static int disable_des = -1; static int disable_des = -1;
#ifdef KRB4
char *v4_realm; char *v4_realm;
int enable_v4 = -1; int enable_v4 = -1;
int enable_kaserver = -1; int enable_kaserver = -1;
#endif
int enable_524 = -1; int enable_524 = -1;
int enable_v4_cross_realm = -1; int enable_v4_cross_realm = -1;
@@ -113,6 +111,7 @@ static struct getargs args[] = {
"kaserver", 'K', arg_flag, &enable_kaserver, "kaserver", 'K', arg_flag, &enable_kaserver,
"enable kaserver support" "enable kaserver support"
}, },
#endif
{ "kerberos4", 0, arg_flag, &enable_v4, { "kerberos4", 0, arg_flag, &enable_v4,
"respond to kerberos 4 requests" "respond to kerberos 4 requests"
}, },
@@ -120,7 +119,6 @@ static struct getargs args[] = {
"v4-realm", 'r', arg_string, &v4_realm, "v4-realm", 'r', arg_string, &v4_realm,
"realm to serve v4-requests for" "realm to serve v4-requests for"
}, },
#endif
{ "kerberos4-cross-realm", 0, arg_flag, { "kerberos4-cross-realm", 0, arg_flag,
&enable_v4_cross_realm, &enable_v4_cross_realm,
"respond to kerberos 4 requests from foreign realms" "respond to kerberos 4 requests from foreign realms"
@@ -349,13 +347,9 @@ configure(int argc, char **argv)
} }
} }
#ifdef KRB4
if(enable_v4 == -1) if(enable_v4 == -1)
enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc",
"enable-kerberos4", NULL); "enable-kerberos4", NULL);
#else
#define enable_v4 0
#endif
if(enable_v4_cross_realm == -1) if(enable_v4_cross_realm == -1)
enable_v4_cross_realm = enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL, krb5_config_get_bool_default(context, NULL,
@@ -399,7 +393,6 @@ configure(int argc, char **argv)
krb5_errx(context, 1, "enforce-transited-policy deprecated, " krb5_errx(context, 1, "enforce-transited-policy deprecated, "
"use [kdc]transited-policy instead"); "use [kdc]transited-policy instead");
#ifdef KRB4
if(v4_realm == NULL){ if(v4_realm == NULL){
p = krb5_config_get_string (context, NULL, p = krb5_config_get_string (context, NULL,
"kdc", "kdc",
@@ -411,6 +404,7 @@ configure(int argc, char **argv)
krb5_errx(context, 1, "out of memory"); krb5_errx(context, 1, "out of memory");
} }
} }
#ifdef KRB4
if (enable_kaserver == -1) if (enable_kaserver == -1)
enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE, enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
"kdc", "kdc",
@@ -475,15 +469,17 @@ configure(int argc, char **argv)
} }
#endif #endif
#ifdef KRB4
if(v4_realm == NULL){ if(v4_realm == NULL){
#ifdef KRB4
v4_realm = malloc(40); /* REALM_SZ */ v4_realm = malloc(40); /* REALM_SZ */
if (v4_realm == NULL) if (v4_realm == NULL)
krb5_errx(context, 1, "out of memory"); krb5_errx(context, 1, "out of memory");
krb_get_lrealm(v4_realm, 1); krb_get_lrealm(v4_realm, 1);
} #else
krb5_errx(context, 1, "No Kerberos 4 realm configured");
#endif #endif
if(disable_des == -1) }
if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL, disable_des = krb5_config_get_bool_default(context, NULL,
0, 0,
"kdc", "kdc",
@@ -495,5 +491,13 @@ configure(int argc, char **argv)
krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
kdc_log(0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver");
enable_v4 = 0;
enable_524 = 0;
#ifdef KRB4
enable_kaserver = 0;
#endif
} }
} }

4
kdc/connect.c
View File

@@ -135,11 +135,11 @@ add_standard_ports (int family)
add_port_service(family, "krb524", 4444, "udp"); add_port_service(family, "krb524", 4444, "udp");
add_port_service(family, "krb524", 4444, "tcp"); add_port_service(family, "krb524", 4444, "tcp");
} }
#ifdef KRB4
if(enable_v4) { if(enable_v4) {
add_port_service(family, "kerberos-iv", 750, "udp"); add_port_service(family, "kerberos-iv", 750, "udp");
add_port_service(family, "kerberos-iv", 750, "tcp"); add_port_service(family, "kerberos-iv", 750, "tcp");
} }
#ifdef KRB4
if (enable_kaserver) if (enable_kaserver)
add_port_service(family, "afs3-kaserver", 7004, "udp"); add_port_service(family, "afs3-kaserver", 7004, "udp");
#endif #endif
@@ -391,11 +391,11 @@ process_request(unsigned char *buf,
ret = do_524(&ticket, reply, from, addr); ret = do_524(&ticket, reply, from, addr);
free_Ticket(&ticket); free_Ticket(&ticket);
return ret; return ret;
#ifdef KRB4
} else if(maybe_version4(buf, len)){ } else if(maybe_version4(buf, len)){
*sendlength = 0; /* elbitapmoc sdrawkcab XXX */ *sendlength = 0; /* elbitapmoc sdrawkcab XXX */
do_version4(buf, len, reply, from, (struct sockaddr_in*)addr); do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
return 0; return 0;
#ifdef KRB4
} else if (enable_kaserver) { } else if (enable_kaserver) {
ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr); ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
return ret; return ret;

316
kdc/kerberos4.c
View File

@@ -33,9 +33,9 @@
#include "kdc_locl.h" #include "kdc_locl.h"
RCSID("$Id$"); #include <krb5-v4compat.h>
#ifdef KRB4 RCSID("$Id$");
#ifndef swap32 #ifndef swap32
static u_int32_t static u_int32_t
@@ -55,18 +55,11 @@ maybe_version4(unsigned char *buf, int len)
} }
static void static void
make_err_reply(krb5_data *reply, int code, const char *msg) make_err_reply(krb5_context context, krb5_data *reply,
int code, const char *msg)
{ {
KTEXT_ST er; _krb5_krb_cr_err_reply(context, "", "", "",
kdc_time, code, msg, reply);
/* name, instance and realm are not checked in most (all?)
implementations; msg is also never used, but we send it anyway
(for debugging purposes) */
if(msg == NULL)
msg = krb_get_err_text(code);
cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg);
krb5_data_copy(reply, er.dat, er.length);
} }
static krb5_boolean static krb5_boolean
@@ -108,7 +101,7 @@ db_fetch4(const char *name, const char *instance, const char *realm,
return ret; return ret;
} }
#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;} #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
/* /*
* Process the v4 request in `buf, len' (received from `addr' * Process the v4 request in `buf, len' (received from `addr'
@@ -133,14 +126,14 @@ do_version4(unsigned char *buf,
char *name = NULL, *inst = NULL, *realm = NULL; char *name = NULL, *inst = NULL, *realm = NULL;
char *sname = NULL, *sinst = NULL; char *sname = NULL, *sinst = NULL;
int32_t req_time; int32_t req_time;
time_t max_life, max_end, actual_end, issue_time; time_t max_life;
u_int8_t life; u_int8_t life;
char client_name[256]; char client_name[256];
char server_name[256]; char server_name[256];
if(!enable_v4) { if(!enable_v4) {
kdc_log(0, "Rejected version 4 request from %s", from); kdc_log(0, "Rejected version 4 request from %s", from);
make_err_reply(reply, KDC_GEN_ERR, "function not enabled"); make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
return 0; return 0;
} }
@@ -148,14 +141,20 @@ do_version4(unsigned char *buf,
RCHECK(krb5_ret_int8(sp, &pvno), out); RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){ if(pvno != 4){
kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno); kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno);
make_err_reply(reply, KDC_PKT_VER, NULL); make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
goto out; goto out;
} }
RCHECK(krb5_ret_int8(sp, &msg_type), out); RCHECK(krb5_ret_int8(sp, &msg_type), out);
lsb = msg_type & 1; lsb = msg_type & 1;
msg_type &= ~1; msg_type &= ~1;
switch(msg_type){ switch(msg_type){
case AUTH_MSG_KDC_REQUEST: case AUTH_MSG_KDC_REQUEST: {
krb5_data ticket, cipher;
krb5_keyblock session;
krb5_data_zero(&ticket);
krb5_data_zero(&cipher);
RCHECK(krb5_ret_stringz(sp, &name), out1); RCHECK(krb5_ret_stringz(sp, &name), out1);
RCHECK(krb5_ret_stringz(sp, &inst), out1); RCHECK(krb5_ret_stringz(sp, &inst), out1);
RCHECK(krb5_ret_stringz(sp, &realm), out1); RCHECK(krb5_ret_stringz(sp, &realm), out1);
@@ -177,14 +176,16 @@ do_version4(unsigned char *buf,
if(ret) { if(ret) {
kdc_log(0, "Client not found in database: %s: %s", kdc_log(0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret)); client_name, krb5_get_err_text(context, ret));
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown");
goto out1; goto out1;
} }
ret = db_fetch4(sname, sinst, v4_realm, &server); ret = db_fetch4(sname, sinst, v4_realm, &server);
if(ret){ if(ret){
kdc_log(0, "Server not found in database: %s: %s", kdc_log(0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown");
goto out1; goto out1;
} }
@@ -193,7 +194,8 @@ do_version4(unsigned char *buf,
TRUE); TRUE);
if (ret) { if (ret) {
/* good error code? */ /* good error code? */
make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); make_err_reply(context, reply, KERB_ERR_NAME_EXP,
"operation not allowed");
goto out1; goto out1;
} }
@@ -209,14 +211,15 @@ do_version4(unsigned char *buf,
"Pre-authentication required for v4-request: " "Pre-authentication required for v4-request: "
"%s for %s", "%s for %s",
client_name, server_name); client_name, server_name);
make_err_reply(reply, KERB_ERR_NULL_KEY, NULL); make_err_reply(context, reply, KERB_ERR_NULL_KEY,
"preauth required");
goto out1; goto out1;
} }
ret = get_des_key(client, FALSE, FALSE, &ckey); ret = get_des_key(client, FALSE, FALSE, &ckey);
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for client"); kdc_log(0, "no suitable DES key for client");
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for client"); "no suitable DES key for client");
goto out1; goto out1;
} }
@@ -229,7 +232,7 @@ do_version4(unsigned char *buf,
if(ret){ if(ret){
kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", kdc_log(0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm); name, inst, realm);
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"No version-4 salted key in database"); "No version-4 salted key in database");
goto out1; goto out1;
} }
@@ -239,12 +242,12 @@ do_version4(unsigned char *buf,
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server"); kdc_log(0, "no suitable DES key for server");
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server"); "no suitable DES key for server");
goto out1; goto out1;
} }
max_life = krb_life_to_time(0, life); max_life = _krb5_krb_life_to_time(0, life);
if(client->max_life) if(client->max_life)
max_life = min(max_life, *client->max_life); max_life = min(max_life, *client->max_life);
if(server->max_life) if(server->max_life)
@@ -252,41 +255,85 @@ do_version4(unsigned char *buf,
life = krb_time_to_life(kdc_time, kdc_time + max_life); life = krb_time_to_life(kdc_time, kdc_time + max_life);
{ ret = krb5_generate_random_keyblock(context,
KTEXT_ST cipher, ticket; ETYPE_DES_PCBC_NONE,
KTEXT r; &session);
des_cblock session; if (ret) {
make_err_reply(context, reply, KFAILURE,
des_new_random_key(&session); "Not enough random i KDC");
goto out1;
krb_create_ticket(&ticket, 0, name, inst, v4_realm,
addr->sin_addr.s_addr, session, life, kdc_time,
sname, sinst, skey->key.keyvalue.data);
create_ciph(&cipher, session, sname, sinst, v4_realm,
life, server->kvno % 256, &ticket, kdc_time,
ckey->key.keyvalue.data);
memset(&session, 0, sizeof(session));
r = create_auth_reply(name, inst, realm, req_time, 0,
client->pw_end ? *client->pw_end : 0,
client->kvno % 256, &cipher);
krb5_data_copy(reply, r->dat, r->length);
memset(&cipher, 0, sizeof(cipher));
memset(&ticket, 0, sizeof(ticket));
} }
ret = _krb5_krb_create_ticket(context,
0,
name,
inst,
v4_realm,
addr->sin_addr.s_addr,
&session,
life,
kdc_time,
sname,
sinst,
&skey->key,
&ticket);
if (ret) {
krb5_free_keyblock_contents(context, &session);
make_err_reply(context, reply, KFAILURE,
"failed to create v4 ticket");
goto out1;
}
ret = _krb5_krb_create_ciph(context,
&session,
sname,
sinst,
v4_realm,
life,
server->kvno % 255,
&ticket,
kdc_time,
&ckey->key,
&cipher);
krb5_free_keyblock_contents(context, &session);
krb5_data_free(&ticket);
if (ret) {
make_err_reply(context, reply, KFAILURE,
"Failed to create v4 cipher");
goto out1;
}
ret = _krb5_krb_create_auth_reply(context,
name,
inst,
realm,
req_time,
0,
client->pw_end ? *client->pw_end : 0,
client->kvno % 256,
&cipher,
reply);
krb5_data_free(&cipher);
out1: out1:
break; break;
}
case AUTH_MSG_APPL_REQUEST: { case AUTH_MSG_APPL_REQUEST: {
_krb5_krb_auth_data ad;
int8_t kvno; int8_t kvno;
int8_t ticket_len; int8_t ticket_len;
int8_t req_len; int8_t req_len;
KTEXT_ST auth; krb5_data auth;
AUTH_DAT ad; int32_t address;
size_t pos; size_t pos;
krb5_principal tgt_princ = NULL; krb5_principal tgt_princ = NULL;
hdb_entry *tgt = NULL; hdb_entry *tgt = NULL;
Key *tkey; Key *tkey;
time_t max_end, actual_end, issue_time;
memset(&ad, 0, sizeof(ad));
krb5_data_zero(&auth);
RCHECK(krb5_ret_int8(sp, &kvno), out2); RCHECK(krb5_ret_int8(sp, &kvno), out2);
RCHECK(krb5_ret_stringz(sp, &realm), out2); RCHECK(krb5_ret_stringz(sp, &realm), out2);
@@ -295,7 +342,7 @@ do_version4(unsigned char *buf,
if(ret){ if(ret){
kdc_log(0, "Converting krbtgt principal (krb4): %s", kdc_log(0, "Converting krbtgt principal (krb4): %s",
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, make_err_reply(context, reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)"); "Failed to convert v4 principal (krbtgt)");
goto out2; goto out2;
} }
@@ -307,7 +354,7 @@ do_version4(unsigned char *buf,
"found in database (krb4): krbtgt.%s@%s: %s", "found in database (krb4): krbtgt.%s@%s: %s",
realm, v4_realm, realm, v4_realm,
krb5_get_err_text(context, ret)); krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, s); make_err_reply(context, reply, KFAILURE, s);
free(s); free(s);
goto out2; goto out2;
} }
@@ -315,7 +362,7 @@ do_version4(unsigned char *buf,
if(tgt->kvno % 256 != kvno){ if(tgt->kvno % 256 != kvno){
kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for " kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
"krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm); "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
make_err_reply(reply, KDC_AUTH_EXP, make_err_reply(context, reply, KDC_AUTH_EXP,
"old krbtgt kvno used"); "old krbtgt kvno used");
goto out2; goto out2;
} }
@@ -324,7 +371,7 @@ do_version4(unsigned char *buf,
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for krbtgt (krb4)"); kdc_log(0, "no suitable DES key for krbtgt (krb4)");
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for krbtgt"); "no suitable DES key for krbtgt");
goto out2; goto out2;
} }
@@ -334,18 +381,19 @@ do_version4(unsigned char *buf,
pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
memset(&auth, 0, sizeof(auth)); auth.data = buf;
memcpy(&auth.dat, buf, pos);
auth.length = pos; auth.length = pos;
krb_set_key(tkey->key.keyvalue.data, 0);
krb_ignore_ip_address = !check_ticket_addresses; if (check_ticket_addresses)
address = addr->sin_addr.s_addr;
else
address = 0;
ret = krb_rd_req(&auth, "krbtgt", realm, ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, v4_realm,
addr->sin_addr.s_addr, &ad, 0); address, &tkey->key, &ad);
if(ret){ if(ret){
kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret)); kdc_log(0, "krb_rd_req: %d", ret);
make_err_reply(reply, ret, NULL); make_err_reply(context, reply, ret, "failed to parse request");
goto out2; goto out2;
} }
@@ -358,53 +406,58 @@ do_version4(unsigned char *buf,
snprintf (server_name, sizeof(server_name), snprintf (server_name, sizeof(server_name),
"%s.%s@%s", "%s.%s@%s",
sname, sinst, v4_realm); sname, sinst, v4_realm);
snprintf (client_name, sizeof(client_name),
"%s.%s@%s",
ad.pname, ad.pinst, ad.prealm);
kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s", kdc_log(0, "TGS-REQ (krb4) %s from %s for %s",
ad.pname, ad.pinst, ad.prealm, from, server_name); client_name, from, server_name);
if(strcmp(ad.prealm, realm)){ if(strcmp(ad.prealm, realm)){
kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms"); "Can't hop realms");
goto out2; goto out2;
} }
if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) { if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm); kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms"); "Can't hop realms");
goto out2; goto out2;
} }
if(strcmp(sname, "changepw") == 0){ if(strcmp(sname, "changepw") == 0){
kdc_log(0, "Bad request for changepw ticket (krb4)"); kdc_log(0, "Bad request for changepw ticket (krb4)");
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT"); "Can't authorize password change based on TGT");
goto out2; goto out2;
} }
snprintf (client_name, sizeof(client_name),
"%s.%s@%s",
ad.pname, ad.pinst, ad.prealm);
ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client); ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
if(ret != HDB_ERR_NOENTRY || if(ret && ret != HDB_ERR_NOENTRY) {
(ret == HDB_ERR_NOENTRY && strcmp(ad.prealm, v4_realm) == 0)) {
char *s; char *s;
s = kdc_log_msg(0, "Client not found in database: (krb4) " s = kdc_log_msg(0, "Client not found in database: (krb4) %s: %s",
"%s.%s@%s: %s", client_name, krb5_get_err_text(context, ret));
ad.pname, ad.pinst, ad.prealm, make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
krb5_get_err_text(context, ret));
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
goto out2; goto out2;
} }
if (client == NULL && strcmp(ad.prealm, v4_realm) == 0) {
char *s;
s = kdc_log_msg(0, "Local client not found in database: (krb4) "
"%s", client_name);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
ret = db_fetch4(sname, sinst, v4_realm, &server); ret = db_fetch4(sname, sinst, v4_realm, &server);
if(ret){ if(ret){
char *s; char *s;
s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s", s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
server_name, krb5_get_err_text(context, ret)); server_name, krb5_get_err_text(context, ret));
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s); free(s);
goto out2; goto out2;
} }
@@ -414,7 +467,8 @@ do_version4(unsigned char *buf,
FALSE); FALSE);
if (ret) { if (ret) {
/* good error code? */ /* good error code? */
make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); make_err_reply(context, reply, KERB_ERR_NAME_EXP,
"operation not allowed");
goto out2; goto out2;
} }
@@ -422,13 +476,13 @@ do_version4(unsigned char *buf,
if(ret){ if(ret){
kdc_log(0, "no suitable DES key for server (krb4)"); kdc_log(0, "no suitable DES key for server (krb4)");
/* XXX */ /* XXX */
make_err_reply(reply, KDC_NULL_KEY, make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server"); "no suitable DES key for server");
goto out2; goto out2;
} }
max_end = krb_life_to_time(ad.time_sec, ad.life); max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
max_end = min(max_end, krb_life_to_time(kdc_time, life)); max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
if(server->max_life) if(server->max_life)
max_end = min(max_end, kdc_time + *server->max_life); max_end = min(max_end, kdc_time + *server->max_life);
if(client && client->max_life) if(client && client->max_life)
@@ -436,11 +490,11 @@ do_version4(unsigned char *buf,
life = min(life, krb_time_to_life(kdc_time, max_end)); life = min(life, krb_time_to_life(kdc_time, max_end));
issue_time = kdc_time; issue_time = kdc_time;
actual_end = krb_life_to_time(issue_time, life); actual_end = _krb5_krb_life_to_time(issue_time, life);
while (actual_end > max_end && life > 1) { while (actual_end > max_end && life > 1) {
/* move them into the next earlier lifetime bracket */ /* move them into the next earlier lifetime bracket */
life--; life--;
actual_end = krb_life_to_time(issue_time, life); actual_end = _krb5_krb_life_to_time(issue_time, life);
} }
if (actual_end > max_end) { if (actual_end > max_end) {
/* if life <= 1 and it's still too long, backdate the ticket */ /* if life <= 1 and it's still too long, backdate the ticket */
@@ -448,46 +502,88 @@ do_version4(unsigned char *buf,
} }
{ {
KTEXT_ST cipher, ticket; krb5_data ticket, cipher;
KTEXT r; krb5_keyblock session;
des_cblock session;
des_new_random_key(&session);
krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, krb5_data_zero(&ticket);
addr->sin_addr.s_addr, &session, life, krb5_data_zero(&cipher);
issue_time,
sname, sinst, skey->key.keyvalue.data);
create_ciph(&cipher, session, sname, sinst, v4_realm,
life, server->kvno % 256, &ticket,
issue_time, &ad.session);
memset(&session, 0, sizeof(session));
memset(ad.session, 0, sizeof(ad.session));
r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, ret = krb5_generate_random_keyblock(context,
req_time, 0, 0, 0, &cipher); ETYPE_DES_PCBC_NONE,
krb5_data_copy(reply, r->dat, r->length); &session);
memset(&cipher, 0, sizeof(cipher)); if (ret) {
memset(&ticket, 0, sizeof(ticket)); make_err_reply(context, reply, KFAILURE,
"Not enough random i KDC");
goto out2;
}
ret = _krb5_krb_create_ticket(context,
0,
ad.pname,
ad.pinst,
ad.prealm,
addr->sin_addr.s_addr,
&session,
life,
issue_time,
sname,
sinst,
&skey->key,
&ticket);
if (ret) {
krb5_free_keyblock_contents(context, &session);
make_err_reply(context, reply, KFAILURE,
"failed to create v4 ticket");
goto out2;
}
ret = _krb5_krb_create_ciph(context,
&session,
sname,
sinst,
v4_realm,
life,
server->kvno % 255,
&ticket,
issue_time,
&ad.session,
&cipher);
krb5_free_keyblock_contents(context, &session);
if (ret) {
make_err_reply(context, reply, KFAILURE,
"failed to create v4 cipher");
goto out2;
}
ret = _krb5_krb_create_auth_reply(context,
ad.pname,
ad.pinst,
ad.prealm,
req_time,
0,
0,
0,
&cipher,
reply);
krb5_data_free(&cipher);
} }
out2: out2:
_krb5_krb_free_auth_data(context, &ad);
if(tgt_princ) if(tgt_princ)
krb5_free_principal(context, tgt_princ); krb5_free_principal(context, tgt_princ);
if(tgt) if(tgt)
free_ent(tgt); free_ent(tgt);
break; break;
} }
case AUTH_MSG_ERR_REPLY: case AUTH_MSG_ERR_REPLY:
break; break;
default: default:
kdc_log(0, "Unknown message type (krb4): %d from %s", kdc_log(0, "Unknown message type (krb4): %d from %s",
msg_type, from); msg_type, from);
make_err_reply(reply, KFAILURE, "Unknown message type"); make_err_reply(context, reply, KFAILURE, "Unknown message type");
} }
out: out:
if(name) if(name)
free(name); free(name);
if(inst) if(inst)
@@ -506,12 +602,6 @@ out:
return 0; return 0;
} }
#else /* KRB4 */
#include <krb5-v4compat.h>
#endif /* KRB4 */
krb5_error_code krb5_error_code
encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size) const PrincipalName *service, size_t *size)