Add digest acl's
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19498 ec53bebd-3082-4978-b11e-865c3cabbd6b
53
kdc/digest.c
53
kdc/digest.c
@@ -37,6 +37,22 @@
|
|||||||
|
|
||||||
RCSID("$Id$");
|
RCSID("$Id$");
|
||||||
|
|
||||||
|
#define CHAP_MD5 0x10
|
||||||
|
#define DIGEST_MD5 0x08
|
||||||
|
#define NTLM_V2 0x04
|
||||||
|
#define NTLM_V1_SESSION 0x02
|
||||||
|
#define NTLM_V1 0x01
|
||||||
|
|
||||||
|
const struct units digestunits[] = {
|
||||||
|
{"chap-md5", 1U << 4},
|
||||||
|
{"digest-md5", 1U << 3},
|
||||||
|
{"ntlm-v2", 1U << 2},
|
||||||
|
{"ntlm-v1-session", 1U << 1},
|
||||||
|
{"ntlm-v1", 1U << 0},
|
||||||
|
{NULL, 0}
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
get_digest_key(krb5_context context,
|
get_digest_key(krb5_context context,
|
||||||
krb5_kdc_configuration *config,
|
krb5_kdc_configuration *config,
|
||||||
@@ -401,7 +417,11 @@ _kdc_do_digest(krb5_context context,
|
|||||||
krb5_set_error_string(context, "out of memory");
|
krb5_set_error_string(context, "out of memory");
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
krb5_store_stringz(sp, ireq.u.digestRequest.type);
|
ret = krb5_store_stringz(sp, ireq.u.digestRequest.type);
|
||||||
|
if (ret) {
|
||||||
|
krb5_clear_error_string(context);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
|
krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
|
||||||
if (ireq.u.digestRequest.identifier) {
|
if (ireq.u.digestRequest.identifier) {
|
||||||
@@ -532,6 +552,11 @@ _kdc_do_digest(krb5_context context,
|
|||||||
unsigned char md[MD5_DIGEST_LENGTH];
|
unsigned char md[MD5_DIGEST_LENGTH];
|
||||||
char id;
|
char id;
|
||||||
|
|
||||||
|
if ((config->digests_allowed & CHAP_MD5) == 0) {
|
||||||
|
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
if (ireq.u.digestRequest.identifier == NULL) {
|
if (ireq.u.digestRequest.identifier == NULL) {
|
||||||
krb5_set_error_string(context, "Identifier missing "
|
krb5_set_error_string(context, "Identifier missing "
|
||||||
"from CHAP request");
|
"from CHAP request");
|
||||||
@@ -563,6 +588,11 @@ _kdc_do_digest(krb5_context context,
|
|||||||
unsigned char md[MD5_DIGEST_LENGTH];
|
unsigned char md[MD5_DIGEST_LENGTH];
|
||||||
char *A1, *A2;
|
char *A1, *A2;
|
||||||
|
|
||||||
|
if ((config->digests_allowed & DIGEST_MD5) == 0) {
|
||||||
|
kdc_log(context, config, 0, "Digest SASL MD5 not allowed");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
if (ireq.u.digestRequest.nonceCount == NULL)
|
if (ireq.u.digestRequest.nonceCount == NULL)
|
||||||
goto out;
|
goto out;
|
||||||
if (ireq.u.digestRequest.clientNonce == NULL)
|
if (ireq.u.digestRequest.clientNonce == NULL)
|
||||||
@@ -673,6 +703,12 @@ _kdc_do_digest(krb5_context context,
|
|||||||
}
|
}
|
||||||
case choice_DigestReqInner_ntlmInit:
|
case choice_DigestReqInner_ntlmInit:
|
||||||
|
|
||||||
|
if ((config->digests_allowed & (NTLM_V1|NTLM_V1_SESSION|NTLM_V2)) == 0) {
|
||||||
|
kdc_log(context, config, 0, "NTLM not allowed");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
r.element = choice_DigestRepInner_ntlmInitReply;
|
r.element = choice_DigestRepInner_ntlmInitReply;
|
||||||
|
|
||||||
r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
|
r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
|
||||||
@@ -852,6 +888,11 @@ _kdc_do_digest(krb5_context context,
|
|||||||
struct ntlm_buf infotarget, answer;
|
struct ntlm_buf infotarget, answer;
|
||||||
char *targetname;
|
char *targetname;
|
||||||
|
|
||||||
|
if ((config->digests_allowed & NTLM_V2) == 0) {
|
||||||
|
kdc_log(context, config, 0, "NTLM v2 not allowed");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
version = 2;
|
version = 2;
|
||||||
|
|
||||||
targetname = get_ntlm_targetname(context, client);
|
targetname = get_ntlm_targetname(context, client);
|
||||||
@@ -892,6 +933,11 @@ _kdc_do_digest(krb5_context context,
|
|||||||
char sessionhash[MD5_DIGEST_LENGTH];
|
char sessionhash[MD5_DIGEST_LENGTH];
|
||||||
MD5_CTX md5ctx;
|
MD5_CTX md5ctx;
|
||||||
|
|
||||||
|
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
|
||||||
|
kdc_log(context, config, 0, "NTLM v1-session not allowed");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
if (ireq.u.ntlmRequest.lm.length != 24) {
|
if (ireq.u.ntlmRequest.lm.length != 24) {
|
||||||
krb5_set_error_string(context, "LM hash have wrong length "
|
krb5_set_error_string(context, "LM hash have wrong length "
|
||||||
"for NTLM session key");
|
"for NTLM session key");
|
||||||
@@ -904,6 +950,11 @@ _kdc_do_digest(krb5_context context,
|
|||||||
MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8);
|
MD5_Update(&md5ctx, ireq.u.ntlmRequest.lm.data, 8);
|
||||||
MD5_Final(sessionhash, &md5ctx);
|
MD5_Final(sessionhash, &md5ctx);
|
||||||
memcpy(challange, sessionhash, sizeof(challange));
|
memcpy(challange, sessionhash, sizeof(challange));
|
||||||
|
} else {
|
||||||
|
if ((config->digests_allowed & NTLM_V1) == 0) {
|
||||||
|
kdc_log(context, config, 0, "NTLM v1 not allowed");
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
|
ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
|
||||||
|
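Review bot: Each new `digests_allowed` check (CHAP in the @@ -532 hunk, SASL MD5 at -563, NTLM at -673, -852, -892 and -904) logs and jumps to `out` without assigning `ret` or a krb5 error string, so unless `ret` already holds a non-zero value at that point the rejected request would presumably leave through the normal return path; assigning a failure code on the spot, e.g. `ret = EACCES;` before the `goto out;`, would make the ACL fail closed regardless of the surrounding state (the enclosing `_kdc_do_digest` and its initialisation of `ret` are outside these hunks, so this may already be covered). In the @@ -401 hunk only the first `krb5_store_stringz` call gained a return-value check while the `serverNonce` call directly below it is still unchecked; the same `if (ret) { krb5_clear_error_string(context); goto out; }` could follow it. In the first hunk the `digestunits[]` table repeats the bit values of the new `CHAP_MD5` … `NTLM_V1` macros as `1U << n`; writing the entries as `{"chap-md5", CHAP_MD5}` and so on keeps the configuration names and the checks from drifting apart.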