root/source4/heimdal/kdc/kerberos4.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. swap32
  2. _kdc_maybe_version4
  3. make_err_reply
  4. valid_princ
  5. _kdc_db_fetch4
  6. _kdc_do_version4
  7. _kdc_encode_v4_ticket
  8. _kdc_get_des_key

   1 /*
   2  * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33 
  34 #include "kdc_locl.h"
  35 
  36 #include <krb5-v4compat.h>
  37 
  38 RCSID("$Id$");
  39 
  40 #ifndef swap32
  41 static uint32_t
  42 swap32(uint32_t x)
     /* [<][>][^][v][top][bottom][index][help] */
  43 {
  44     return ((x << 24) & 0xff000000) |
  45         ((x << 8) & 0xff0000) |
  46         ((x >> 8) & 0xff00) |
  47         ((x >> 24) & 0xff);
  48 }
  49 #endif /* swap32 */
  50 
  51 int
  52 _kdc_maybe_version4(unsigned char *buf, int len)
     /* [<][>][^][v][top][bottom][index][help] */
  53 {
  54     return len > 0 && *buf == 4;
  55 }
  56 
  57 static void
  58 make_err_reply(krb5_context context, krb5_data *reply,
     /* [<][>][^][v][top][bottom][index][help] */
  59                int code, const char *msg)
  60 {
  61     _krb5_krb_cr_err_reply(context, "", "", "",
  62                            kdc_time, code, msg, reply);
  63 }
  64 
  65 struct valid_princ_ctx {
  66     krb5_kdc_configuration *config;
  67     unsigned flags;
  68 };
  69 
  70 static krb5_boolean
  71 valid_princ(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  72             void *funcctx,
  73             krb5_principal princ)
  74 {
  75     struct valid_princ_ctx *ctx = funcctx;
  76     krb5_error_code ret;
  77     char *s;
  78     hdb_entry_ex *ent;
  79 
  80     ret = krb5_unparse_name(context, princ, &s);
  81     if (ret)
  82         return FALSE;
  83     ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
  84     if (ret) {
  85         kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
  86                 krb5_get_err_text (context, ret));
  87         free(s);
  88         return FALSE;
  89     }
  90     kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
  91     free(s);
  92     _kdc_free_ent(context, ent);
  93     return TRUE;
  94 }
  95 
  96 krb5_error_code
  97 _kdc_db_fetch4(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  98                krb5_kdc_configuration *config,
  99                const char *name, const char *instance, const char *realm,
 100                unsigned flags,
 101                hdb_entry_ex **ent)
 102 {
 103     krb5_principal p;
 104     krb5_error_code ret;
 105     struct valid_princ_ctx ctx;
 106 
 107     ctx.config = config;
 108     ctx.flags = flags;
 109 
 110     ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
 111                                        valid_princ, &ctx, 0, &p);
 112     if(ret)
 113         return ret;
 114     ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
 115     krb5_free_principal(context, p);
 116     return ret;
 117 }
 118 
 119 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
 120 
 121 /*
 122  * Process the v4 request in `buf, len' (received from `addr'
 123  * (with string `from').
 124  * Return an error code and a reply in `reply'.
 125  */
 126 
 127 krb5_error_code
 128 _kdc_do_version4(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 129                  krb5_kdc_configuration *config,
 130                  unsigned char *buf,
 131                  size_t len,
 132                  krb5_data *reply,
 133                  const char *from,
 134                  struct sockaddr_in *addr)
 135 {
 136     krb5_storage *sp;
 137     krb5_error_code ret = EINVAL;
 138     hdb_entry_ex *client = NULL, *server = NULL;
 139     Key *ckey, *skey;
 140     int8_t pvno;
 141     int8_t msg_type;
 142     int lsb;
 143     char *name = NULL, *inst = NULL, *realm = NULL;
 144     char *sname = NULL, *sinst = NULL;
 145     int32_t req_time;
 146     time_t max_life;
 147     uint8_t life;
 148     char client_name[256];
 149     char server_name[256];
 150 
 151     if(!config->enable_v4) {
 152         kdc_log(context, config, 0,
 153                 "Rejected version 4 request from %s", from);
 154         make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
 155                        "Function not enabled");
 156         return 0;
 157     }
 158 
 159     sp = krb5_storage_from_mem(buf, len);
 160     RCHECK(krb5_ret_int8(sp, &pvno), out);
 161     if(pvno != 4){
 162         kdc_log(context, config, 0,
 163                 "Protocol version mismatch (krb4) (%d)", pvno);
 164         make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
 165         ret = KRB4ET_KDC_PKT_VER;
 166         goto out;
 167     }
 168     RCHECK(krb5_ret_int8(sp, &msg_type), out);
 169     lsb = msg_type & 1;
 170     msg_type &= ~1;
 171     switch(msg_type){
 172     case AUTH_MSG_KDC_REQUEST: {
 173         krb5_data ticket, cipher;
 174         krb5_keyblock session;
 175         
 176         krb5_data_zero(&ticket);
 177         krb5_data_zero(&cipher);
 178 
 179         RCHECK(krb5_ret_stringz(sp, &name), out1);
 180         RCHECK(krb5_ret_stringz(sp, &inst), out1);
 181         RCHECK(krb5_ret_stringz(sp, &realm), out1);
 182         RCHECK(krb5_ret_int32(sp, &req_time), out1);
 183         if(lsb)
 184             req_time = swap32(req_time);
 185         RCHECK(krb5_ret_uint8(sp, &life), out1);
 186         RCHECK(krb5_ret_stringz(sp, &sname), out1);
 187         RCHECK(krb5_ret_stringz(sp, &sinst), out1);
 188         snprintf (client_name, sizeof(client_name),
 189                   "%s.%s@%s", name, inst, realm);
 190         snprintf (server_name, sizeof(server_name),
 191                   "%s.%s@%s", sname, sinst, config->v4_realm);
 192         
 193         kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
 194                 client_name, from, server_name);
 195 
 196         ret = _kdc_db_fetch4(context, config, name, inst, realm,
 197                              HDB_F_GET_CLIENT, &client);
 198         if(ret) {
 199             kdc_log(context, config, 0, "Client not found in database: %s: %s",
 200                     client_name, krb5_get_err_text(context, ret));
 201             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 202                            "principal unknown");
 203             goto out1;
 204         }
 205         ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
 206                              HDB_F_GET_SERVER, &server);
 207         if(ret){
 208             kdc_log(context, config, 0, "Server not found in database: %s: %s",
 209                     server_name, krb5_get_err_text(context, ret));
 210             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 211                            "principal unknown");
 212             goto out1;
 213         }
 214 
 215         ret = _kdc_check_flags (context, config,
 216                                 client, client_name,
 217                                 server, server_name,
 218                                 TRUE);
 219         if (ret) {
 220             /* good error code? */
 221             make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
 222                            "operation not allowed");
 223             goto out1;
 224         }
 225 
 226         if (config->enable_v4_per_principal &&
 227             client->entry.flags.allow_kerberos4 == 0)
 228         {
 229             kdc_log(context, config, 0,
 230                     "Per principal Kerberos 4 flag not turned on for %s",
 231                     client_name);
 232             make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 233                            "allow kerberos4 flag required");
 234             goto out1;
 235         }
 236 
 237         /*
 238          * There's no way to do pre-authentication in v4 and thus no
 239          * good error code to return if preauthentication is required.
 240          */
 241 
 242         if (config->require_preauth
 243             || client->entry.flags.require_preauth
 244             || server->entry.flags.require_preauth) {
 245             kdc_log(context, config, 0,
 246                     "Pre-authentication required for v4-request: "
 247                     "%s for %s",
 248                     client_name, server_name);
 249             make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 250                            "preauth required");
 251             goto out1;
 252         }
 253 
 254         ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
 255         if(ret){
 256             kdc_log(context, config, 0, "no suitable DES key for client");
 257             make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 258                            "no suitable DES key for client");
 259             goto out1;
 260         }
 261 
 262         ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 263         if(ret){
 264             kdc_log(context, config, 0, "no suitable DES key for server");
 265             make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 266                            "no suitable DES key for server");
 267             goto out1;
 268         }
 269 
 270         max_life = _krb5_krb_life_to_time(0, life);
 271         if(client->entry.max_life)
 272             max_life = min(max_life, *client->entry.max_life);
 273         if(server->entry.max_life)
 274             max_life = min(max_life, *server->entry.max_life);
 275 
 276         life = krb_time_to_life(kdc_time, kdc_time + max_life);
 277 
 278         ret = krb5_generate_random_keyblock(context,
 279                                             ETYPE_DES_PCBC_NONE,
 280                                             &session);
 281         if (ret) {
 282             make_err_reply(context, reply, KFAILURE,
 283                            "Not enough random i KDC");
 284             goto out1;
 285         }
 286         
 287         ret = _krb5_krb_create_ticket(context,
 288                                       0,
 289                                       name,
 290                                       inst,
 291                                       config->v4_realm,
 292                                       addr->sin_addr.s_addr,
 293                                       &session,
 294                                       life,
 295                                       kdc_time,
 296                                       sname,
 297                                       sinst,
 298                                       &skey->key,
 299                                       &ticket);
 300         if (ret) {
 301             krb5_free_keyblock_contents(context, &session);
 302             make_err_reply(context, reply, KFAILURE,
 303                            "failed to create v4 ticket");
 304             goto out1;
 305         }
 306 
 307         ret = _krb5_krb_create_ciph(context,
 308                                     &session,
 309                                     sname,
 310                                     sinst,
 311                                     config->v4_realm,
 312                                     life,
 313                                     server->entry.kvno % 255,
 314                                     &ticket,
 315                                     kdc_time,
 316                                     &ckey->key,
 317                                     &cipher);
 318         krb5_free_keyblock_contents(context, &session);
 319         krb5_data_free(&ticket);
 320         if (ret) {
 321             make_err_reply(context, reply, KFAILURE,
 322                            "Failed to create v4 cipher");
 323             goto out1;
 324         }
 325         
 326         ret = _krb5_krb_create_auth_reply(context,
 327                                           name,
 328                                           inst,
 329                                           realm,
 330                                           req_time,
 331                                           0,
 332                                           client->entry.pw_end ? *client->entry.pw_end : 0,
 333                                           client->entry.kvno % 256,
 334                                           &cipher,
 335                                           reply);
 336         krb5_data_free(&cipher);
 337 
 338     out1:
 339         break;
 340     }
 341     case AUTH_MSG_APPL_REQUEST: {
 342         struct _krb5_krb_auth_data ad;
 343         int8_t kvno;
 344         int8_t ticket_len;
 345         int8_t req_len;
 346         krb5_data auth;
 347         int32_t address;
 348         size_t pos;
 349         krb5_principal tgt_princ = NULL;
 350         hdb_entry_ex *tgt = NULL;
 351         Key *tkey;
 352         time_t max_end, actual_end, issue_time;
 353         
 354         memset(&ad, 0, sizeof(ad));
 355         krb5_data_zero(&auth);
 356 
 357         RCHECK(krb5_ret_int8(sp, &kvno), out2);
 358         RCHECK(krb5_ret_stringz(sp, &realm), out2);
 359         
 360         ret = krb5_425_conv_principal(context, "krbtgt", realm,
 361                                       config->v4_realm,
 362                                       &tgt_princ);
 363         if(ret){
 364             kdc_log(context, config, 0,
 365                     "Converting krbtgt principal (krb4): %s",
 366                     krb5_get_err_text(context, ret));
 367             make_err_reply(context, reply, KFAILURE,
 368                            "Failed to convert v4 principal (krbtgt)");
 369             goto out2;
 370         }
 371 
 372         ret = _kdc_db_fetch(context, config, tgt_princ,
 373                             HDB_F_GET_KRBTGT, NULL, &tgt);
 374         if(ret){
 375             char *s;
 376             s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
 377                             "found in database (krb4): krbtgt.%s@%s: %s",
 378                             realm, config->v4_realm,
 379                             krb5_get_err_text(context, ret));
 380             make_err_reply(context, reply, KFAILURE, s);
 381             free(s);
 382             goto out2;
 383         }
 384         
 385         if(tgt->entry.kvno % 256 != kvno){
 386             kdc_log(context, config, 0,
 387                     "tgs-req (krb4) with old kvno %d (current %d) for "
 388                     "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
 389                     realm, config->v4_realm);
 390             make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
 391                            "old krbtgt kvno used");
 392             goto out2;
 393         }
 394 
 395         ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
 396         if(ret){
 397             kdc_log(context, config, 0,
 398                     "no suitable DES key for krbtgt (krb4)");
 399             make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 400                            "no suitable DES key for krbtgt");
 401             goto out2;
 402         }
 403 
 404         RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
 405         RCHECK(krb5_ret_int8(sp, &req_len), out2);
 406         
 407         pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
 408         
 409         auth.data = buf;
 410         auth.length = pos;
 411 
 412         if (config->check_ticket_addresses)
 413             address = addr->sin_addr.s_addr;
 414         else
 415             address = 0;
 416 
 417         ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
 418                                config->v4_realm,
 419                                address, &tkey->key, &ad);
 420         if(ret){
 421             kdc_log(context, config, 0, "krb_rd_req: %d", ret);
 422             make_err_reply(context, reply, ret, "failed to parse request");
 423             goto out2;
 424         }
 425         
 426         RCHECK(krb5_ret_int32(sp, &req_time), out2);
 427         if(lsb)
 428             req_time = swap32(req_time);
 429         RCHECK(krb5_ret_uint8(sp, &life), out2);
 430         RCHECK(krb5_ret_stringz(sp, &sname), out2);
 431         RCHECK(krb5_ret_stringz(sp, &sinst), out2);
 432         snprintf (server_name, sizeof(server_name),
 433                   "%s.%s@%s",
 434                   sname, sinst, config->v4_realm);
 435         snprintf (client_name, sizeof(client_name),
 436                   "%s.%s@%s",
 437                   ad.pname, ad.pinst, ad.prealm);
 438 
 439         kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
 440                 client_name, from, server_name);
 441         
 442         if(strcmp(ad.prealm, realm)){
 443             kdc_log(context, config, 0,
 444                     "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
 445             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 446                            "Can't hop realms");
 447             goto out2;
 448         }
 449 
 450         if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
 451             kdc_log(context, config, 0,
 452                     "krb4 Cross-realm %s -> %s disabled",
 453                     realm, config->v4_realm);
 454             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 455                            "Can't hop realms");
 456             goto out2;
 457         }
 458 
 459         if(strcmp(sname, "changepw") == 0){
 460             kdc_log(context, config, 0,
 461                     "Bad request for changepw ticket (krb4)");
 462             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 463                            "Can't authorize password change based on TGT");
 464             goto out2;
 465         }
 466         
 467         ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
 468                              HDB_F_GET_CLIENT, &client);
 469         if(ret && ret != HDB_ERR_NOENTRY) {
 470             char *s;
 471             s = kdc_log_msg(context, config, 0,
 472                             "Client not found in database: (krb4) %s: %s",
 473                             client_name, krb5_get_err_text(context, ret));
 474             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 475             free(s);
 476             goto out2;
 477         }
 478         if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
 479             char *s;
 480             s = kdc_log_msg(context, config, 0,
 481                             "Local client not found in database: (krb4) "
 482                             "%s", client_name);
 483             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 484             free(s);
 485             goto out2;
 486         }
 487 
 488         ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
 489                              HDB_F_GET_SERVER, &server);
 490         if(ret){
 491             char *s;
 492             s = kdc_log_msg(context, config, 0,
 493                             "Server not found in database (krb4): %s: %s",
 494                             server_name, krb5_get_err_text(context, ret));
 495             make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 496             free(s);
 497             goto out2;
 498         }
 499 
 500         ret = _kdc_check_flags (context, config,
 501                                 client, client_name,
 502                                 server, server_name,
 503                                 FALSE);
 504         if (ret) {
 505             make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
 506                            "operation not allowed");
 507             goto out2;
 508         }
 509 
 510         ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 511         if(ret){
 512             kdc_log(context, config, 0,
 513                     "no suitable DES key for server (krb4)");
 514             make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 515                            "no suitable DES key for server");
 516             goto out2;
 517         }
 518 
 519         max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
 520         max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
 521         if(server->entry.max_life)
 522             max_end = min(max_end, kdc_time + *server->entry.max_life);
 523         if(client && client->entry.max_life)
 524             max_end = min(max_end, kdc_time + *client->entry.max_life);
 525         life = min(life, krb_time_to_life(kdc_time, max_end));
 526         
 527         issue_time = kdc_time;
 528         actual_end = _krb5_krb_life_to_time(issue_time, life);
 529         while (actual_end > max_end && life > 1) {
 530             /* move them into the next earlier lifetime bracket */
 531             life--;
 532             actual_end = _krb5_krb_life_to_time(issue_time, life);
 533         }
 534         if (actual_end > max_end) {
 535             /* if life <= 1 and it's still too long, backdate the ticket */
 536             issue_time -= actual_end - max_end;
 537         }
 538 
 539         {
 540             krb5_data ticket, cipher;
 541             krb5_keyblock session;
 542 
 543             krb5_data_zero(&ticket);
 544             krb5_data_zero(&cipher);
 545 
 546             ret = krb5_generate_random_keyblock(context,
 547                                                 ETYPE_DES_PCBC_NONE,
 548                                                 &session);
 549             if (ret) {
 550                 make_err_reply(context, reply, KFAILURE,
 551                                "Not enough random i KDC");
 552                 goto out2;
 553             }
 554         
 555             ret = _krb5_krb_create_ticket(context,
 556                                           0,
 557                                           ad.pname,
 558                                           ad.pinst,
 559                                           ad.prealm,
 560                                           addr->sin_addr.s_addr,
 561                                           &session,
 562                                           life,
 563                                           issue_time,
 564                                           sname,
 565                                           sinst,
 566                                           &skey->key,
 567                                           &ticket);
 568             if (ret) {
 569                 krb5_free_keyblock_contents(context, &session);
 570                 make_err_reply(context, reply, KFAILURE,
 571                                "failed to create v4 ticket");
 572                 goto out2;
 573             }
 574 
 575             ret = _krb5_krb_create_ciph(context,
 576                                         &session,
 577                                         sname,
 578                                         sinst,
 579                                         config->v4_realm,
 580                                         life,
 581                                         server->entry.kvno % 255,
 582                                         &ticket,
 583                                         issue_time,
 584                                         &ad.session,
 585                                         &cipher);
 586             krb5_free_keyblock_contents(context, &session);
 587             if (ret) {
 588                 make_err_reply(context, reply, KFAILURE,
 589                                "failed to create v4 cipher");
 590                 goto out2;
 591             }
 592         
 593             ret = _krb5_krb_create_auth_reply(context,
 594                                               ad.pname,
 595                                               ad.pinst,
 596                                               ad.prealm,
 597                                               req_time,
 598                                               0,
 599                                               0,
 600                                               0,
 601                                               &cipher,
 602                                               reply);
 603             krb5_data_free(&cipher);
 604         }
 605     out2:
 606         _krb5_krb_free_auth_data(context, &ad);
 607         if(tgt_princ)
 608             krb5_free_principal(context, tgt_princ);
 609         if(tgt)
 610             _kdc_free_ent(context, tgt);
 611         break;
 612     }
 613     case AUTH_MSG_ERR_REPLY:
 614         ret = EINVAL;
 615         break;
 616     default:
 617         kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
 618                 msg_type, from);
 619         
 620         make_err_reply(context, reply, KFAILURE, "Unknown message type");
 621         ret = EINVAL;
 622     }
 623  out:
 624     if(name)
 625         free(name);
 626     if(inst)
 627         free(inst);
 628     if(realm)
 629         free(realm);
 630     if(sname)
 631         free(sname);
 632     if(sinst)
 633         free(sinst);
 634     if(client)
 635         _kdc_free_ent(context, client);
 636     if(server)
 637         _kdc_free_ent(context, server);
 638     krb5_storage_free(sp);
 639     return ret;
 640 }
 641 
 642 krb5_error_code
 643 _kdc_encode_v4_ticket(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 644                       krb5_kdc_configuration *config,
 645                       void *buf, size_t len, const EncTicketPart *et,
 646                       const PrincipalName *service, size_t *size)
 647 {
 648     krb5_storage *sp;
 649     krb5_error_code ret;
 650     char name[40], inst[40], realm[40];
 651     char sname[40], sinst[40];
 652 
 653     {
 654         krb5_principal princ;
 655         _krb5_principalname2krb5_principal(context,
 656                                            &princ,
 657                                            *service,
 658                                            et->crealm);
 659         ret = krb5_524_conv_principal(context,
 660                                       princ,
 661                                       sname,
 662                                       sinst,
 663                                       realm);
 664         krb5_free_principal(context, princ);
 665         if(ret)
 666             return ret;
 667 
 668         _krb5_principalname2krb5_principal(context,
 669                                            &princ,
 670                                            et->cname,
 671                                            et->crealm);
 672                                 
 673         ret = krb5_524_conv_principal(context,
 674                                       princ,
 675                                       name,
 676                                       inst,
 677                                       realm);
 678         krb5_free_principal(context, princ);
 679     }
 680     if(ret)
 681         return ret;
 682 
 683     sp = krb5_storage_emem();
 684 
 685     krb5_store_int8(sp, 0); /* flags */
 686     krb5_store_stringz(sp, name);
 687     krb5_store_stringz(sp, inst);
 688     krb5_store_stringz(sp, realm);
 689     {
 690         unsigned char tmp[4] = { 0, 0, 0, 0 };
 691         int i;
 692         if(et->caddr){
 693             for(i = 0; i < et->caddr->len; i++)
 694                 if(et->caddr->val[i].addr_type == AF_INET &&
 695                    et->caddr->val[i].address.length == 4){
 696                     memcpy(tmp, et->caddr->val[i].address.data, 4);
 697                     break;
 698                 }
 699         }
 700         krb5_storage_write(sp, tmp, sizeof(tmp));
 701     }
 702 
 703     if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
 704         et->key.keytype != ETYPE_DES_CBC_MD4 &&
 705         et->key.keytype != ETYPE_DES_CBC_CRC) ||
 706        et->key.keyvalue.length != 8)
 707         return -1;
 708     krb5_storage_write(sp, et->key.keyvalue.data, 8);
 709 
 710     {
 711         time_t start = et->starttime ? *et->starttime : et->authtime;
 712         krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
 713         krb5_store_int32(sp, start);
 714     }
 715 
 716     krb5_store_stringz(sp, sname);
 717     krb5_store_stringz(sp, sinst);
 718 
 719     {
 720         krb5_data data;
 721         krb5_storage_to_data(sp, &data);
 722         krb5_storage_free(sp);
 723         *size = (data.length + 7) & ~7; /* pad to 8 bytes */
 724         if(*size > len)
 725             return -1;
 726         memset((unsigned char*)buf - *size + 1, 0, *size);
 727         memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
 728         krb5_data_free(&data);
 729     }
 730     return 0;
 731 }
 732 
 733 krb5_error_code
 734 _kdc_get_des_key(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 735                  hdb_entry_ex *principal, krb5_boolean is_server,
 736                  krb5_boolean prefer_afs_key, Key **ret_key)
 737 {
 738     Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
 739     int i;
 740     krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
 741                               ETYPE_DES_CBC_MD4,
 742                               ETYPE_DES_CBC_CRC };
 743 
 744     for(i = 0;
 745         i < sizeof(etypes)/sizeof(etypes[0])
 746             && (v5_key == NULL || v4_key == NULL ||
 747                 afs_key == NULL || server_key == NULL);
 748         ++i) {
 749         Key *key = NULL;
 750         while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
 751             if(key->salt == NULL) {
 752                 if(v5_key == NULL)
 753                     v5_key = key;
 754             } else if(key->salt->type == hdb_pw_salt &&
 755                       key->salt->salt.length == 0) {
 756                 if(v4_key == NULL)
 757                     v4_key = key;
 758             } else if(key->salt->type == hdb_afs3_salt) {
 759                 if(afs_key == NULL)
 760                     afs_key = key;
 761             } else if(server_key == NULL)
 762                 server_key = key;
 763         }
 764     }
 765 
 766     if(prefer_afs_key) {
 767         if(afs_key)
 768             *ret_key = afs_key;
 769         else if(v4_key)
 770             *ret_key = v4_key;
 771         else if(v5_key)
 772             *ret_key = v5_key;
 773         else if(is_server && server_key)
 774             *ret_key = server_key;
 775         else
 776             return KRB4ET_KDC_NULL_KEY;
 777     } else {
 778         if(v4_key)
 779             *ret_key = v4_key;
 780         else if(afs_key)
 781             *ret_key = afs_key;
 782         else  if(v5_key)
 783             *ret_key = v5_key;
 784         else if(is_server && server_key)
 785             *ret_key = server_key;
 786         else
 787             return KRB4ET_KDC_NULL_KEY;
 788     }
 789 
 790     if((*ret_key)->key.keyvalue.length == 0)
 791         return KRB4ET_KDC_NULL_KEY;
 792     return 0;
 793 }
 794 

/* [<][>][^][v][top][bottom][index][help] */