oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Update to use new db format. Better checking of flags and such. More

Browse Source 
logging.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2523 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1997-07-23 02:11:03 +00:00
parent 70923893dd
commit dfe65c8320
1 changed files with 133 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

235
kdc/kerberos5.c
View File

@@ -53,15 +53,15 @@ as_rep(krb5_context context,
KDCOptions f = b->kdc_options; KDCOptions f = b->kdc_options;
hdb_entry *client = NULL, *server = NULL; hdb_entry *client = NULL, *server = NULL;
int etype; int etype;
EncTicketPart *et = calloc(1, sizeof(*et)); EncTicketPart et;
EncKDCRepPart *ek = calloc(1, sizeof(*ek)); EncKDCRepPart ek;
krb5_principal client_princ, server_princ; krb5_principal client_princ, server_princ;
char *client_name, *server_name; char *client_name, *server_name;
krb5_error_code ret = 0; krb5_error_code ret = 0;
const char *e_text = NULL; const char *e_text = NULL;
int i; int i;
krb5_keyblock *ckey, *skey; Key *ckey, *skey;
if(b->sname == NULL){ if(b->sname == NULL){
server_name = "<unknown server>"; server_name = "<unknown server>";
@@ -101,10 +101,45 @@ as_rep(krb5_context context,
} }
if(!client->flags.client){
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Principal may not act as client -- %s", client_name);
goto out;
}
if(!server->flags.server){
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Principal (%s) may not act as server -- %s",
server_name, client_name);
goto out;
}
/* Find appropriate key */
for(i = 0; i < b->etype.len; i++){
ret = hdb_etype2key(context, client, b->etype.val[i], &ckey);
if(ret)
continue;
ret = hdb_etype2key(context, server, b->etype.val[i], &skey);
if(ret)
continue;
break;
}
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
kdc_log(0, "No support for etypes -- %s", client_name);
goto out;
}
etype = b->etype.val[i];
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
if(req->padata){ if(req->padata){
int i; int i;
PA_DATA *pa; PA_DATA *pa;
int found_pa = 0; int found_pa = 0;
kdc_log(5, "Looking for pa-data -- %s", client_name);
for(i = 0; i < req->padata->len; i++){ for(i = 0; i < req->padata->len; i++){
PA_DATA *pa = &req->padata->val[i]; PA_DATA *pa = &req->padata->val[i];
if(pa->padata_type == pa_enc_timestamp){ if(pa->padata_type == pa_enc_timestamp){
@@ -114,6 +149,7 @@ as_rep(krb5_context context,
size_t len; size_t len;
EncryptedData enc_data; EncryptedData enc_data;
kdc_log(5, "Found pa-enc-timestamp -- %s", client_name);
found_pa = 1; found_pa = 1;
ret = decode_EncryptedData(pa->padata_value.data, ret = decode_EncryptedData(pa->padata_value.data,
@@ -130,7 +166,7 @@ as_rep(krb5_context context,
enc_data.cipher.data, enc_data.cipher.data,
enc_data.cipher.length, enc_data.cipher.length,
enc_data.etype, enc_data.etype,
&client->keyblock, &ckey->key,
&ts_data); &ts_data);
free_EncryptedData(&enc_data); free_EncryptedData(&enc_data);
if(ret){ if(ret){
@@ -163,15 +199,20 @@ as_rep(krb5_context context,
kdc_log(0, "Too large time skew -- %s", client_name); kdc_log(0, "Too large time skew -- %s", client_name);
goto out2; goto out2;
} }
et->flags.pre_authent = 1; et.flags.pre_authent = 1;
kdc_log(2, "Pre-authentication succeded -- %s", client_name); kdc_log(2, "Pre-authentication succeded -- %s", client_name);
break; break;
} else {
kdc_log(5, "Found pa-data of type %d -- %s",
pa->padata_type, client_name);
} }
} }
/* XXX */ /* XXX */
if(found_pa == 0 && require_enc_timestamp) if(found_pa == 0 && require_enc_timestamp)
goto use_pa; goto use_pa;
if(et->flags.pre_authent == 0){ /* We come here if we found a pa-enc-timestamp, but if there
was some problem with it, other than too large skew */
if(et.flags.pre_authent == 0){
kdc_log(0, "%s -- %s", e_text, client_name); kdc_log(0, "%s -- %s", e_text, client_name);
e_text = NULL; e_text = NULL;
goto out; goto out;
@@ -208,25 +249,6 @@ as_rep(krb5_context context,
goto out2; goto out2;
} }
/* Find appropriate key */
for(i = 0; i < b->etype.len; i++){
ret = hdb_etype2key(context, client, b->etype.val[i], &ckey);
if(ret)
continue;
ret = hdb_etype2key(context, server, b->etype.val[i], &skey);
if(ret)
continue;
break;
}
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
kdc_log(0, "No support for etypes -- %s", client_name);
goto out;
}
etype = b->etype.val[i];
kdc_log(2, "Using etype %d -- %s", etype, client_name); kdc_log(2, "Using etype %d -- %s", etype, client_name);
memset(&rep, 0, sizeof(rep)); memset(&rep, 0, sizeof(rep));
@@ -244,43 +266,61 @@ as_rep(krb5_context context,
goto out; goto out;
} }
et->flags.initial = 1; et.flags.initial = 1;
et->flags.forwardable = f.forwardable; if(client->flags.forwardable && server->flags.forwardable)
et->flags.proxiable = f.proxiable; et.flags.forwardable = f.forwardable;
et->flags.may_postdate = f.allow_postdate; else{
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Ticket may not be forwardable -- %s", client_name);
goto out;
}
if(client->flags.proxiable && server->flags.proxiable)
et.flags.proxiable = f.proxiable;
else{
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Ticket may not be proxiable -- %s", client_name);
goto out;
}
if(client->flags.postdate && server->flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else{
ret = KRB5KDC_ERR_POLICY;
kdc_log(0, "Ticket may not be postdatable -- %s", client_name);
goto out;
}
krb5_generate_random_keyblock(context, ckey->keytype, &et->key); krb5_generate_random_keyblock(context, ckey->key.keytype, &et.key);
copy_PrincipalName(b->cname, &et->cname); copy_PrincipalName(b->cname, &et.cname);
copy_Realm(&b->realm, &et->crealm); copy_Realm(&b->realm, &et.crealm);
{ {
time_t start; time_t start;
time_t t; time_t t;
start = et->authtime = kdc_time; start = et.authtime = kdc_time;
if(f.postdated && req->req_body.from){ if(f.postdated && req->req_body.from){
et->starttime = malloc(sizeof(*et->starttime)); ALLOC(et.starttime);
start = *et->starttime = *req->req_body.from; start = *et.starttime = *req->req_body.from;
et->flags.invalid = 1; et.flags.invalid = 1;
et->flags.postdated = 1; /* XXX ??? */ et.flags.postdated = 1; /* XXX ??? */
kdc_log(2, "Postdated ticket requested -- %s", client_name); kdc_log(2, "Postdated ticket requested -- %s", client_name);
} }
if(b->till == 0) if(b->till == 0)
b->till = MAX_TIME; b->till = MAX_TIME;
t = b->till; t = b->till;
if(client->max_life) if(client->max_life)
t = min(t, start + client->max_life); t = min(t, start + *client->max_life);
if(server->max_life) if(server->max_life)
t = min(t, start + server->max_life); t = min(t, start + *server->max_life);
#if 0 #if 0
t = min(t, start + realm->max_life); t = min(t, start + realm->max_life);
#endif #endif
et->endtime = t; et.endtime = t;
if(f.renewable_ok && et->endtime < b->till){ if(f.renewable_ok && et.endtime < b->till){
f.renewable = 1; f.renewable = 1;
if(b->rtime == NULL){ if(b->rtime == NULL){
b->rtime = malloc(sizeof(*b->rtime)); ALLOC(b->rtime);
*b->rtime = 0; *b->rtime = 0;
} }
if(*b->rtime < b->till) if(*b->rtime < b->till)
@@ -291,58 +331,57 @@ as_rep(krb5_context context,
if(t == 0) if(t == 0)
t = MAX_TIME; t = MAX_TIME;
if(client->max_renew) if(client->max_renew)
t = min(t, start + client->max_renew); t = min(t, start + *client->max_renew);
if(server->max_renew) if(server->max_renew)
t = min(t, start + server->max_renew); t = min(t, start + *server->max_renew);
#if 0 #if 0
t = min(t, start + realm->max_renew); t = min(t, start + realm->max_renew);
#endif #endif
et->renew_till = malloc(sizeof(*et->renew_till)); ALLOC(et.renew_till);
*et->renew_till = t; *et.renew_till = t;
et->flags.renewable = 1; et.flags.renewable = 1;
} }
} }
if(b->addresses){ if(b->addresses){
et->caddr = malloc(sizeof(*et->caddr)); ALLOC(et.caddr);
copy_HostAddresses(b->addresses, et->caddr); copy_HostAddresses(b->addresses, et.caddr);
} }
memset(ek, 0, sizeof(*ek)); copy_EncryptionKey(&et.key, &ek.key);
copy_EncryptionKey(&et->key, &ek->key);
/* MIT must have at least one last_req */ /* MIT must have at least one last_req */
ek->last_req.len = 1; ek.last_req.len = 1;
ek->last_req.val = malloc(sizeof(*ek->last_req.val)); ALLOC(ek.last_req.val);
ek->last_req.val->lr_type = 0; ek.last_req.val->lr_type = 0;
ek->last_req.val->lr_value = 0; ek.last_req.val->lr_value = 0;
ek->nonce = b->nonce; ek.nonce = b->nonce;
ek->flags = et->flags; ek.flags = et.flags;
ek->authtime = et->authtime; ek.authtime = et.authtime;
if (et->starttime) { if (et.starttime) {
ek->starttime = malloc(sizeof(*ek->starttime)); ALLOC(ek.starttime);
*(ek->starttime) = *(et->starttime); *ek.starttime = *et.starttime;
} else } else
ek->starttime = et->starttime; ek.starttime = et.starttime;
ek->endtime = et->endtime; ek.endtime = et.endtime;
if (et->renew_till) { if (et.renew_till) {
ek->renew_till = malloc(sizeof(*ek->renew_till)); ALLOC(ek.renew_till);
*(ek->renew_till) = *(et->renew_till); *ek.renew_till = *et.renew_till;
} else } else
ek->renew_till = et->renew_till; ek.renew_till = et.renew_till;
copy_Realm(&rep.ticket.realm, &ek->srealm); copy_Realm(&rep.ticket.realm, &ek.srealm);
copy_PrincipalName(&rep.ticket.sname, &ek->sname); copy_PrincipalName(&rep.ticket.sname, &ek.sname);
if(et->caddr){ if(et.caddr){
ek->caddr = malloc(sizeof(*ek->caddr)); ALLOC(ek.caddr);
copy_HostAddresses(et->caddr, ek->caddr); copy_HostAddresses(et.caddr, ek.caddr);
} }
{ {
unsigned char buf[1024]; /* XXX The data could be indefinite */ unsigned char buf[1024]; /* XXX The data could be indefinite */
size_t len; size_t len;
ret = encode_EncTicketPart(buf + sizeof(buf) - 1, sizeof(buf),et, &len); ret = encode_EncTicketPart(buf + sizeof(buf) - 1, sizeof(buf),
free_EncTicketPart(et); &et, &len);
free(et); free_EncTicketPart(&et);
if(ret) { if(ret) {
kdc_log(0, "Failed to encode ticket -- %s", client); kdc_log(0, "Failed to encode ticket -- %s", client);
goto out; goto out;
@@ -352,16 +391,12 @@ as_rep(krb5_context context,
buf + sizeof(buf) - len, buf + sizeof(buf) - len,
len, len,
etype, etype,
skey, &skey->key,
&rep.ticket.enc_part); &rep.ticket.enc_part);
#if 0
rep.ticket.enc_part.kvno = malloc(sizeof(*rep.ticket.enc_part.kvno));
*rep.ticket.enc_part.kvno = server.kvno;
#endif
ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf), ek, &len); ret = encode_EncASRepPart(buf + sizeof(buf) - 1, sizeof(buf),
free_EncKDCRepPart(ek); &ek, &len);
free(ek); free_EncKDCRepPart(&ek);
if(ret) { if(ret) {
kdc_log(0, "Failed to encode KDC-REP -- %s", client_name); kdc_log(0, "Failed to encode KDC-REP -- %s", client_name);
goto out; goto out;
@@ -370,17 +405,14 @@ as_rep(krb5_context context,
buf + sizeof(buf) - len, buf + sizeof(buf) - len,
len, len,
etype, etype,
ckey, &ckey->key,
&rep.enc_part); &rep.enc_part);
#if 0 if(ckey->salt){
rep.enc_part.kvno = malloc(sizeof(*rep.enc_part.kvno)); ALLOC(rep.padata);
*rep.enc_part.kvno = client.kvno;
#endif
if(client->flags.b.v4){
rep.padata = malloc(sizeof(*rep.padata));
rep.padata->len = 1; rep.padata->len = 1;
rep.padata->val = calloc(1, sizeof(*rep.padata->val)); rep.padata->val = calloc(1, sizeof(*rep.padata->val));
rep.padata->val->padata_type = pa_pw_salt; rep.padata->val->padata_type = pa_pw_salt;
copy_octet_string(ckey->salt, &rep.padata->val->padata_value);
} }
ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len); ret = encode_AS_REP(buf + sizeof(buf) - 1, sizeof(buf), &rep, &len);
@@ -506,7 +538,7 @@ check_tgs_flags(krb5_context context, KDC_REQ_BODY *b,
return KRB5KDC_ERR_BADOPTION; return KRB5KDC_ERR_BADOPTION;
} }
et->flags.renewable = 1; et->flags.renewable = 1;
et->renew_till = malloc(sizeof(*et->renew_till)); ALLOC(et->renew_till);
*et->renew_till = *b->rtime; *et->renew_till = *b->rtime;
} }
if(f.renew){ if(f.renew){
@@ -538,7 +570,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
krb5_error_code ret; krb5_error_code ret;
int i; int i;
krb5_enctype etype; krb5_enctype etype;
krb5_keyblock *skey; Key *skey;
/* Find appropriate key */ /* Find appropriate key */
for(i = 0; i < b->etype.len; i++){ for(i = 0; i < b->etype.len; i++){
@@ -563,7 +595,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
et.authtime = tgt->authtime; et.authtime = tgt->authtime;
et.endtime = tgt->endtime; et.endtime = tgt->endtime;
et.starttime = malloc(sizeof(*et.starttime)); ALLOC(et.starttime);
*et.starttime = kdc_time; *et.starttime = kdc_time;
ret = check_tgs_flags(context, b, tgt, &et); ret = check_tgs_flags(context, b, tgt, &et);
@@ -585,24 +617,24 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
time_t life; time_t life;
life = et.endtime - *et.starttime; life = et.endtime - *et.starttime;
if(client->max_life) if(client->max_life)
life = min(life, client->max_life); life = min(life, *client->max_life);
if(server->max_life) if(server->max_life)
life = min(life, server->max_life); life = min(life, *server->max_life);
et.endtime = *et.starttime + life; et.endtime = *et.starttime + life;
} }
if(f.renewable_ok && tgt->flags.renewable && if(f.renewable_ok && tgt->flags.renewable &&
et.renew_till == NULL && et.endtime < b->till){ et.renew_till == NULL && et.endtime < b->till){
et.flags.renewable = 1; et.flags.renewable = 1;
et.renew_till = malloc(sizeof(*et.renew_till)); ALLOC(et.renew_till);
*et.renew_till = b->till; *et.renew_till = b->till;
} }
if(et.renew_till){ if(et.renew_till){
time_t renew; time_t renew;
renew = *et.renew_till - et.authtime; renew = *et.renew_till - et.authtime;
if(client->max_renew) if(client->max_renew)
renew = min(renew, client->max_renew); renew = min(renew, *client->max_renew);
if(server->max_renew) if(server->max_renew)
renew = min(renew, server->max_renew); renew = min(renew, *server->max_renew);
*et.renew_till = et.authtime + renew; *et.renew_till = et.authtime + renew;
} }
@@ -630,7 +662,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
/* XXX Check enc-authorization-data */ /* XXX Check enc-authorization-data */
krb5_generate_random_keyblock(context, krb5_generate_random_keyblock(context,
skey->keytype, skey->key.keytype,
&et.key); &et.key);
et.crealm = tgt->crealm; et.crealm = tgt->crealm;
et.cname = tgt->cname; et.cname = tgt->cname;
@@ -650,7 +682,6 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
ek.renew_till = et.renew_till; ek.renew_till = et.renew_till;
ek.srealm = rep.ticket.realm; ek.srealm = rep.ticket.realm;
ek.sname = rep.ticket.sname; ek.sname = rep.ticket.sname;
ek.caddr = et.caddr;
{ {
unsigned char buf[1024]; /* XXX The data could be indefinite */ unsigned char buf[1024]; /* XXX The data could be indefinite */
@@ -664,7 +695,7 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, EncTicketPart *tgt,
} }
krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len, krb5_encrypt_EncryptedData(context, buf + sizeof(buf) - len, len,
etype, etype,
skey, &skey->key,
&rep.ticket.enc_part); &rep.ticket.enc_part);
ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1, ret = encode_EncTGSRepPart(buf + sizeof(buf) - 1,
@@ -814,7 +845,7 @@ tgs_rep2(krb5_context context,
&ac, &ac,
&ap_req, &ap_req,
princ, princ,
&krbtgt->keyblock, &krbtgt->keys.val[0].key, /* XXX */
&ap_req_options, &ap_req_options,
&ticket); &ticket);