kerberos4.c revision 55682
1/* 2 * Copyright (c) 1997 - 1999 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "kdc_locl.h" 35 36RCSID("$Id: kerberos4.c,v 1.24 1999/12/02 17:04:59 joda Exp $"); 37 38#ifdef KRB4 39 40#include "kerberos4.h" 41 42#ifndef swap32 43static u_int32_t 44swap32(u_int32_t x) 45{ 46 return ((x << 24) & 0xff000000) | 47 ((x << 8) & 0xff0000) | 48 ((x >> 8) & 0xff00) | 49 ((x >> 24) & 0xff); 50} 51#endif /* swap32 */ 52 53int 54maybe_version4(unsigned char *buf, int len) 55{ 56 return len > 0 && *buf == 4; 57} 58 59static void 60make_err_reply(krb5_data *reply, int code, const char *msg) 61{ 62 KTEXT_ST er; 63 64 /* name, instance and realm is not checked in most (all?) version 65 implementations; msg is also never used, but we send it anyway 66 (for debugging purposes) */ 67 68 if(msg == NULL) 69 msg = krb_get_err_text(code); 70 cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg); 71 krb5_data_copy(reply, er.dat, er.length); 72} 73 74static krb5_boolean 75valid_princ(krb5_context context, krb5_principal princ) 76{ 77 char *s; 78 hdb_entry *ent; 79 krb5_unparse_name(context, princ, &s); 80 ent = db_fetch(princ); 81 if(ent == NULL){ 82 kdc_log(7, "Lookup %s failed", s); 83 free(s); 84 return 0; 85 } 86 kdc_log(7, "Lookup %s succeeded", s); 87 free(s); 88 hdb_free_entry(context, ent); 89 free(ent); 90 return 1; 91} 92 93hdb_entry* 94db_fetch4(const char *name, const char *instance, const char *realm) 95{ 96 krb5_principal p; 97 hdb_entry *ent; 98 krb5_error_code ret; 99 100 ret = krb5_425_conv_principal_ext(context, name, instance, realm, 101 valid_princ, 0, &p); 102 if(ret) 103 return NULL; 104 ent = db_fetch(p); 105 krb5_free_principal(context, p); 106 return ent; 107} 108 109krb5_error_code 110get_des_key(hdb_entry *principal, Key **key) 111{ 112 krb5_error_code ret; 113 114 ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_MD5, key); 115 if(ret) 116 ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_MD4, key); 117 if(ret) 118 ret = hdb_enctype2key(context, principal, ETYPE_DES_CBC_CRC, key); 119 if(ret) 120 return ret; 121 if ((*key)->key.keyvalue.length == 0) 122 return KERB_ERR_NULL_KEY; 123 return 0; 124} 125 126#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;} 127 128krb5_error_code 129do_version4(unsigned char *buf, 130 size_t len, 131 krb5_data *reply, 132 const char *from, 133 struct sockaddr_in *addr) 134{ 135 krb5_storage *sp; 136 krb5_error_code ret; 137 hdb_entry *client = NULL, *server = NULL; 138 Key *ckey, *skey; 139 int8_t pvno; 140 int8_t msg_type; 141 int lsb; 142 char *name = NULL, *inst = NULL, *realm = NULL; 143 char *sname = NULL, *sinst = NULL; 144 int32_t req_time; 145 time_t max_life; 146 u_int8_t life; 147 148 sp = krb5_storage_from_mem(buf, len); 149 RCHECK(krb5_ret_int8(sp, &pvno), out); 150 if(pvno != 4){ 151 kdc_log(0, "Protocol version mismatch (%d)", pvno); 152 make_err_reply(reply, KDC_PKT_VER, NULL); 153 goto out; 154 } 155 RCHECK(krb5_ret_int8(sp, &msg_type), out); 156 lsb = msg_type & 1; 157 msg_type &= ~1; 158 switch(msg_type){ 159 case AUTH_MSG_KDC_REQUEST: 160 RCHECK(krb5_ret_stringz(sp, &name), out1); 161 RCHECK(krb5_ret_stringz(sp, &inst), out1); 162 RCHECK(krb5_ret_stringz(sp, &realm), out1); 163 RCHECK(krb5_ret_int32(sp, &req_time), out1); 164 if(lsb) 165 req_time = swap32(req_time); 166 RCHECK(krb5_ret_int8(sp, &life), out1); 167 RCHECK(krb5_ret_stringz(sp, &sname), out1); 168 RCHECK(krb5_ret_stringz(sp, &sinst), out1); 169 kdc_log(0, "AS-REQ %s.%s@%s from %s for %s.%s", 170 name, inst, realm, from, sname, sinst); 171 172 client = db_fetch4(name, inst, realm); 173 if(client == NULL){ 174 kdc_log(0, "Client not found in database: %s.%s@%s", 175 name, inst, realm); 176 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); 177 goto out1; 178 } 179 server = db_fetch4(sname, sinst, v4_realm); 180 if(server == NULL){ 181 kdc_log(0, "Server not found in database: %s.%s@%s", 182 sname, sinst, v4_realm); 183 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); 184 goto out1; 185 } 186 187 ret = get_des_key(client, &ckey); 188 if(ret){ 189 kdc_log(0, "%s", krb5_get_err_text(context, ret)); 190 /* XXX */ 191 make_err_reply(reply, KDC_NULL_KEY, 192 "No DES key in database (client)"); 193 goto out1; 194 } 195 196#if 0 197 /* this is not necessary with the new code in libkrb */ 198 /* find a properly salted key */ 199 while(ckey->salt == NULL || ckey->salt->salt.length != 0) 200 ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); 201 if(ret){ 202 kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", 203 name, inst, realm); 204 make_err_reply(reply, KDC_NULL_KEY, 205 "No version-4 salted key in database"); 206 goto out1; 207 } 208#endif 209 210 ret = get_des_key(server, &skey); 211 if(ret){ 212 kdc_log(0, "%s", krb5_get_err_text(context, ret)); 213 /* XXX */ 214 make_err_reply(reply, KDC_NULL_KEY, 215 "No DES key in database (server)"); 216 goto out1; 217 } 218 219 max_life = krb_life_to_time(0, life); 220 if(client->max_life) 221 max_life = min(max_life, *client->max_life); 222 if(server->max_life) 223 max_life = min(max_life, *server->max_life); 224 225 life = krb_time_to_life(kdc_time, kdc_time + max_life); 226 227 { 228 KTEXT_ST cipher, ticket; 229 KTEXT r; 230 des_cblock session; 231 232 des_new_random_key(&session); 233 234 krb_create_ticket(&ticket, 0, name, inst, v4_realm, 235 addr->sin_addr.s_addr, session, life, kdc_time, 236 sname, sinst, skey->key.keyvalue.data); 237 238 create_ciph(&cipher, session, sname, sinst, v4_realm, 239 life, server->kvno, &ticket, kdc_time, 240 ckey->key.keyvalue.data); 241 memset(&session, 0, sizeof(session)); 242 r = create_auth_reply(name, inst, realm, req_time, 0, 243 client->pw_end ? *client->pw_end : 0, 244 client->kvno, &cipher); 245 krb5_data_copy(reply, r->dat, r->length); 246 memset(&cipher, 0, sizeof(cipher)); 247 memset(&ticket, 0, sizeof(ticket)); 248 } 249 out1: 250 break; 251 case AUTH_MSG_APPL_REQUEST: { 252 int8_t kvno; 253 int8_t ticket_len; 254 int8_t req_len; 255 KTEXT_ST auth; 256 AUTH_DAT ad; 257 size_t pos; 258 krb5_principal tgt_princ = NULL; 259 hdb_entry *tgt = NULL; 260 Key *tkey; 261 262 RCHECK(krb5_ret_int8(sp, &kvno), out2); 263 RCHECK(krb5_ret_stringz(sp, &realm), out2); 264 265 ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, 266 &tgt_princ); 267 if(ret){ 268 kdc_log(0, "Converting krbtgt principal: %s", 269 krb5_get_err_text(context, ret)); 270 make_err_reply(reply, KFAILURE, 271 "Failed to convert v4 principal (krbtgt)"); 272 goto out2; 273 } 274 275 tgt = db_fetch(tgt_princ); 276 if(tgt == NULL){ 277 char *s; 278 s = kdc_log_msg(0, "Ticket-granting ticket not " 279 "found in database: krbtgt.%s@%s", 280 realm, v4_realm); 281 make_err_reply(reply, KFAILURE, s); 282 free(s); 283 goto out2; 284 } 285 286 if(tgt->kvno != kvno){ 287 goto out2; 288 } 289 290 ret = get_des_key(tgt, &tkey); 291 if(ret){ 292 kdc_log(0, "%s", krb5_get_err_text(context, ret)); 293 /* XXX */ 294 make_err_reply(reply, KDC_NULL_KEY, 295 "No DES key in database (krbtgt)"); 296 goto out2; 297 } 298 299 RCHECK(krb5_ret_int8(sp, &ticket_len), out2); 300 RCHECK(krb5_ret_int8(sp, &req_len), out2); 301 302 pos = sp->seek(sp, ticket_len + req_len, SEEK_CUR); 303 304 memset(&auth, 0, sizeof(auth)); 305 memcpy(&auth.dat, buf, pos); 306 auth.length = pos; 307 krb_set_key(tkey->key.keyvalue.data, 0); 308 ret = krb_rd_req(&auth, "krbtgt", realm, 309 addr->sin_addr.s_addr, &ad, 0); 310 if(ret){ 311 kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret)); 312 make_err_reply(reply, ret, NULL); 313 goto out2; 314 } 315 316 RCHECK(krb5_ret_int32(sp, &req_time), out2); 317 if(lsb) 318 req_time = swap32(req_time); 319 RCHECK(krb5_ret_int8(sp, &life), out2); 320 RCHECK(krb5_ret_stringz(sp, &sname), out2); 321 RCHECK(krb5_ret_stringz(sp, &sinst), out2); 322 kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s.%s", 323 ad.pname, ad.pinst, ad.prealm, from, sname, sinst); 324 325 if(strcmp(ad.prealm, realm)){ 326 kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm); 327 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 328 "Can't hop realms"); 329 goto out2; 330 } 331 332 if(strcmp(sname, "changepw") == 0){ 333 kdc_log(0, "Bad request for changepw ticket"); 334 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 335 "Can't authorize password change based on TGT"); 336 goto out2; 337 } 338 339#if 0 340 client = db_fetch4(ad.pname, ad.pinst, ad.prealm); 341 if(client == NULL){ 342 char *s; 343 s = kdc_log_msg(0, "Client not found in database: %s.%s@%s", 344 ad.pname, ad.pinst, ad.prealm); 345 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); 346 free(s); 347 goto out2; 348 } 349#endif 350 351 server = db_fetch4(sname, sinst, v4_realm); 352 if(server == NULL){ 353 char *s; 354 s = kdc_log_msg(0, "Server not found in database: %s.%s@%s", 355 sname, sinst, v4_realm); 356 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); 357 free(s); 358 goto out2; 359 } 360 361 ret = get_des_key(server, &skey); 362 if(ret){ 363 kdc_log(0, "%s", krb5_get_err_text(context, ret)); 364 /* XXX */ 365 make_err_reply(reply, KDC_NULL_KEY, 366 "No DES key in database (server)"); 367 goto out2; 368 } 369 370 max_life = krb_life_to_time(ad.time_sec, ad.life); 371 max_life = min(max_life, krb_life_to_time(kdc_time, life)); 372 life = min(life, krb_time_to_life(kdc_time, max_life)); 373 max_life = krb_life_to_time(0, life); 374#if 0 375 if(client->max_life) 376 max_life = min(max_life, *client->max_life); 377#endif 378 if(server->max_life) 379 max_life = min(max_life, *server->max_life); 380 381 { 382 KTEXT_ST cipher, ticket; 383 KTEXT r; 384 des_cblock session; 385 des_new_random_key(&session); 386 krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, 387 addr->sin_addr.s_addr, &session, life, kdc_time, 388 sname, sinst, skey->key.keyvalue.data); 389 390 create_ciph(&cipher, session, sname, sinst, v4_realm, 391 life, server->kvno, &ticket, 392 kdc_time, &ad.session); 393 394 memset(&session, 0, sizeof(session)); 395 memset(ad.session, 0, sizeof(ad.session)); 396 397 r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, 398 req_time, 0, 0, 0, &cipher); 399 krb5_data_copy(reply, r->dat, r->length); 400 memset(&cipher, 0, sizeof(cipher)); 401 memset(&ticket, 0, sizeof(ticket)); 402 } 403 out2: 404 if(tgt_princ) 405 krb5_free_principal(context, tgt_princ); 406 if(tgt){ 407 hdb_free_entry(context, tgt); 408 free(tgt); 409 } 410 411 break; 412 } 413 414 case AUTH_MSG_ERR_REPLY: 415 break; 416 default: 417 kdc_log(0, "Unknown message type: %d from %s", 418 msg_type, from); 419 420 make_err_reply(reply, KFAILURE, "Unknown message type"); 421 } 422out: 423 if(name) 424 free(name); 425 if(inst) 426 free(inst); 427 if(realm) 428 free(realm); 429 if(sname) 430 free(sname); 431 if(sinst) 432 free(sinst); 433 if(client){ 434 hdb_free_entry(context, client); 435 free(client); 436 } 437 if(server){ 438 hdb_free_entry(context, server); 439 free(server); 440 } 441 krb5_storage_free(sp); 442 return 0; 443} 444 445 446#define ETYPE_DES_PCBC 17 /* XXX */ 447 448krb5_error_code 449encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply) 450{ 451 des_key_schedule schedule; 452 453 reply->etype = ETYPE_DES_PCBC; 454 reply->kvno = NULL; 455 reply->cipher.length = len; 456 reply->cipher.data = malloc(len); 457 if(len != 0 && reply->cipher.data == NULL) 458 return ENOMEM; 459 des_set_key(key, schedule); 460 des_pcbc_encrypt(buf, 461 reply->cipher.data, 462 len, 463 schedule, 464 key, 465 DES_ENCRYPT); 466 memset(schedule, 0, sizeof(schedule)); 467 return 0; 468} 469 470krb5_error_code 471encode_v4_ticket(void *buf, size_t len, EncTicketPart *et, 472 PrincipalName *service, size_t *size) 473{ 474 krb5_storage *sp; 475 krb5_error_code ret; 476 char name[40], inst[40], realm[40]; 477 char sname[40], sinst[40]; 478 479 { 480 krb5_principal princ; 481 principalname2krb5_principal(&princ, 482 *service, 483 et->crealm); 484 ret = krb5_524_conv_principal(context, 485 princ, 486 sname, 487 sinst, 488 realm); 489 krb5_free_principal(context, princ); 490 if(ret) 491 return ret; 492 493 principalname2krb5_principal(&princ, 494 et->cname, 495 et->crealm); 496 497 ret = krb5_524_conv_principal(context, 498 princ, 499 name, 500 inst, 501 realm); 502 krb5_free_principal(context, princ); 503 } 504 if(ret) 505 return ret; 506 507 sp = krb5_storage_emem(); 508 509 krb5_store_int8(sp, 0); /* flags */ 510 krb5_store_stringz(sp, name); 511 krb5_store_stringz(sp, inst); 512 krb5_store_stringz(sp, realm); 513 { 514 unsigned char tmp[4] = { 0, 0, 0, 0 }; 515 int i; 516 if(et->caddr){ 517 for(i = 0; i < et->caddr->len; i++) 518 if(et->caddr->val[i].addr_type == AF_INET && 519 et->caddr->val[i].address.length == 4){ 520 memcpy(tmp, et->caddr->val[i].address.data, 4); 521 break; 522 } 523 } 524 sp->store(sp, tmp, sizeof(tmp)); 525 } 526 527 if((et->key.keytype != ETYPE_DES_CBC_MD5 && 528 et->key.keytype != ETYPE_DES_CBC_MD4 && 529 et->key.keytype != ETYPE_DES_CBC_CRC) || 530 et->key.keyvalue.length != 8) 531 return -1; 532 sp->store(sp, et->key.keyvalue.data, 8); 533 534 { 535 time_t start = et->starttime ? *et->starttime : et->authtime; 536 krb5_store_int8(sp, krb_time_to_life(start, et->endtime)); 537 krb5_store_int32(sp, start); 538 } 539 540 krb5_store_stringz(sp, sname); 541 krb5_store_stringz(sp, sinst); 542 543 { 544 krb5_data data; 545 krb5_storage_to_data(sp, &data); 546 krb5_storage_free(sp); 547 *size = (data.length + 7) & ~7; /* pad to 8 bytes */ 548 if(*size > len) 549 return -1; 550 memset((unsigned char*)buf - *size + 1, 0, *size); 551 memcpy((unsigned char*)buf - *size + 1, data.data, data.length); 552 krb5_data_free(&data); 553 } 554 return 0; 555} 556 557#endif /* KRB4 */ 558