/* Return true if there is a valid error packet formed in the error_blob */
static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
DATA_BLOB *error_blob)
{
bool ret;
int kret;
DATA_BLOB error_bytes;
krb5_data k5_error_bytes, k5_error_blob;
ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
&error_bytes);
if (!ret) {
return false;
}
k5_error_bytes.data = error_bytes.data;
k5_error_bytes.length = error_bytes.length;
kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
result_code, NULL, &k5_error_bytes,
NULL, NULL, NULL, NULL, &k5_error_blob);
if (kret) {
return false;
}
*error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
krb5_data_free(&k5_error_blob);
if (!error_blob->data) {
return false;
}
return true;
}
static void
send_error(krb5_context context, krb5_creds *my_creds, int fd, char *err_text,
krb5_error_code err_code)
{
krb5_error error;
const char *text;
krb5_data outbuf;
memset(&error, 0, sizeof(error));
krb5_us_timeofday(context, &error.ctime, &error.cusec);
error.server = my_creds->server;
error.client = my_principal;
error.error = err_code - ERROR_TABLE_BASE_krb5;
if (error.error > 127)
error.error = KRB_ERR_GENERIC;
text = (err_text != NULL) ? err_text : error_message(err_code);
error.text.length = strlen(text) + 1;
error.text.data = strdup(text);
if (error.text.data) {
if (!krb5_mk_error(context, &error, &outbuf)) {
(void)krb5_write_message(context, &fd, &outbuf);
krb5_free_data_contents(context, &outbuf);
}
free(error.text.data);
}
}
OM_uint32
_gsskrb5_error_token(OM_uint32 *minor_status,
gss_OID mech,
krb5_context context,
krb5_error_code error_code,
krb5_data *e_data,
krb5_principal server,
gss_buffer_t output_token)
{
krb5_error_code ret;
krb5_data outbuf;
ret = krb5_mk_error(context, error_code, NULL, e_data, NULL,
server, NULL, NULL, &outbuf);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5_encapsulate(minor_status,
&outbuf,
output_token,
"\x03\x00",
mech);
krb5_data_free (&outbuf);
if (ret)
return ret;
*minor_status = 0;
return GSS_S_COMPLETE;
}
static krb5_error_code
make_too_big_error (krb5_data **out)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch;
*out = NULL;
memset(&errpkt, 0, sizeof(errpkt));
retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
if (retval)
return retval;
errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
errpkt.server = tgs_server;
errpkt.client = NULL;
errpkt.text.length = 0;
errpkt.text.data = 0;
errpkt.e_data.length = 0;
errpkt.e_data.data = 0;
scratch = malloc(sizeof(*scratch));
if (scratch == NULL)
return ENOMEM;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
if (retval) {
free(scratch);
return retval;
}
*out = scratch;
return 0;
}
static krb5_error_code
prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
int error, krb5_pa_data **e_data, krb5_boolean typed_e_data,
krb5_principal canon_client, krb5_data **response,
const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch = NULL, *e_data_asn1 = NULL, *fast_edata = NULL;
kdc_realm_t *kdc_active_realm = rstate->realm_data;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
if (retval)
return retval;
errpkt.error = error;
errpkt.server = request->server;
errpkt.client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
request->client;
errpkt.text = string2data((char *)status);
if (e_data != NULL) {
if (typed_e_data)
retval = encode_krb5_typed_data(e_data, &e_data_asn1);
else
retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
if (retval)
goto cleanup;
errpkt.e_data = *e_data_asn1;
} else
errpkt.e_data = empty_data();
retval = kdc_fast_handle_error(kdc_context, rstate, request, e_data,
&errpkt, &fast_edata);
if (retval)
goto cleanup;
if (fast_edata != NULL)
errpkt.e_data = *fast_edata;
scratch = k5alloc(sizeof(*scratch), &retval);
if (scratch == NULL)
goto cleanup;
if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
errpkt.client = (krb5_principal)krb5_anonymous_principal();
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
if (retval)
goto cleanup;
*response = scratch;
scratch = NULL;
cleanup:
krb5_free_data(kdc_context, fast_edata);
krb5_free_data(kdc_context, e_data_asn1);
free(scratch);
return retval;
}
static OM_uint32
send_error_token(OM_uint32 *minor_status,
krb5_context context,
krb5_error_code kret,
krb5_principal server,
krb5_data *indata,
gss_buffer_t output_token)
{
krb5_principal ap_req_server = NULL;
krb5_error_code ret;
krb5_data outbuf;
/* this e_data value encodes KERB_AP_ERR_TYPE_SKEW_RECOVERY which
tells windows to try again with the corrected timestamp. See
[MS-KILE] 2.2.1 KERB-ERROR-DATA */
krb5_data e_data = { 7, rk_UNCONST("\x30\x05\xa1\x03\x02\x01\x02") };
/* build server from request if the acceptor had not selected one */
if (server == NULL) {
AP_REQ ap_req;
ret = krb5_decode_ap_req(context, indata, &ap_req);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _krb5_principalname2krb5_principal(context,
&ap_req_server,
ap_req.ticket.sname,
ap_req.ticket.realm);
free_AP_REQ(&ap_req);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
server = ap_req_server;
}
ret = krb5_mk_error(context, kret, NULL, &e_data, NULL,
server, NULL, NULL, &outbuf);
if (ap_req_server)
krb5_free_principal(context, ap_req_server);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = _gsskrb5_encapsulate(minor_status,
&outbuf,
output_token,
"\x03\x00",
GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
return ret;
*minor_status = 0;
return GSS_S_CONTINUE_NEEDED;
}
krb5_error_code smb_krb5_mk_error(krb5_context context,
krb5_error_code error_code,
const krb5_principal server,
krb5_data *reply)
{
#ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */
/*
* The MIT interface is *terrible*.
* We have to construct this ourselves...
*/
krb5_error e;
memset(&e, 0, sizeof(e));
krb5_us_timeofday(context, &e.stime, &e.susec);
e.server = server;
#if defined(krb5_err_base)
e.error = error_code - krb5_err_base;
#elif defined(ERROR_TABLE_BASE_krb5)
e.error = error_code - ERROR_TABLE_BASE_krb5;
#else
e.error = error_code; /* Almost certainly wrong, but what can we do... ? */
#endif
return krb5_mk_error(context, &e, reply);
#else /* Heimdal. */
return krb5_mk_error(context,
error_code,
NULL,
NULL, /* e_data */
NULL,
server,
NULL,
NULL,
reply);
#endif
}
static krb5_error_code
prepare_error_tgs (struct kdc_request_state *state,
krb5_kdc_req *request, krb5_ticket *ticket, int error,
krb5_principal canon_server,
krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval = 0;
krb5_data *scratch;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
&errpkt.susec)))
return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = NULL;
errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
errpkt.e_data.length = 0;
errpkt.e_data.data = NULL;
if (state)
retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
if (retval) {
free(scratch);
free(errpkt.text.data);
return retval;
}
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
if (retval)
free(scratch);
else
*response = scratch;
return retval;
}
static void
reply_error (krb5_realm realm,
int s,
struct sockaddr *sa,
int sa_size,
krb5_error_code error_code,
uint16_t result_code,
const char *expl)
{
krb5_error_code ret;
krb5_data error_data;
krb5_data e_data;
krb5_principal server = NULL;
if (make_result(&e_data, result_code, expl))
return;
if (realm) {
ret = krb5_make_principal (context, &server, realm,
"kadmin", "changepw", NULL);
if (ret) {
krb5_data_free (&e_data);
return;
}
}
ret = krb5_mk_error (context,
error_code,
NULL,
&e_data,
NULL,
server,
NULL,
NULL,
&error_data);
if (server)
krb5_free_principal(context, server);
krb5_data_free (&e_data);
if (ret) {
krb5_warn (context, ret, "Could not even generate error reply");
return;
}
send_reply (s, sa, sa_size, NULL, &error_data);
krb5_data_free (&error_data);
}
static krb5_error_code
prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
const char *ident, krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
&errpkt.susec)))
return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = 0;
errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = malloc(errpkt.text.length)))
return ENOMEM;
(void) strcpy(errpkt.text.data, status);
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
errpkt.e_data.length = 0;
errpkt.e_data.data = 0;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
if (retval)
free(scratch);
else
*response = scratch;
return retval;
}
static NTSTATUS kdc_proxy_unavailable_error(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *out)
{
int kret;
krb5_data k5_error_blob;
kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
KRB5KDC_ERR_SVC_UNAVAILABLE, NULL, NULL,
NULL, NULL, NULL, NULL, &k5_error_blob);
if (kret != 0) {
DEBUG(2,(__location__ ": Unable to form krb5 error reply\n"));
return NT_STATUS_INTERNAL_ERROR;
}
*out = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
krb5_data_free(&k5_error_blob);
if (!out->data) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
/*
* Parse the IAKERB token in input_token and send the contained KDC
* request to the KDC for the realm.
*
* Wrap the KDC reply in output_token.
*/
static krb5_error_code
iakerb_acceptor_step(iakerb_ctx_id_t ctx,
int initialContextToken,
const gss_buffer_t input_token,
gss_buffer_t output_token)
{
krb5_error_code code;
krb5_data request = empty_data(), reply = empty_data();
krb5_data realm = empty_data();
OM_uint32 tmp;
int tcp_only, use_master;
krb5_ui_4 kdc_code;
output_token->length = 0;
output_token->value = NULL;
if (ctx->count >= IAKERB_MAX_HOPS) {
code = KRB5_KDC_UNREACH;
goto cleanup;
}
code = iakerb_parse_token(ctx, initialContextToken, input_token, &realm,
NULL, &request);
if (code != 0)
goto cleanup;
if (realm.length == 0 || request.length == 0) {
code = KRB5_BAD_MSIZE;
goto cleanup;
}
code = iakerb_save_token(ctx, input_token);
if (code != 0)
goto cleanup;
for (tcp_only = 0; tcp_only <= 1; tcp_only++) {
use_master = 0;
code = krb5_sendto_kdc(ctx->k5c, &request, &realm,
&reply, &use_master, tcp_only);
if (code == 0 && krb5_is_krb_error(&reply)) {
krb5_error *error;
code = decode_krb5_error(&reply, &error);
if (code != 0)
goto cleanup;
kdc_code = error->error;
krb5_free_error(ctx->k5c, error);
if (kdc_code == KRB_ERR_RESPONSE_TOO_BIG) {
krb5_free_data_contents(ctx->k5c, &reply);
reply = empty_data();
continue;
}
}
break;
}
if (code == KRB5_KDC_UNREACH || code == KRB5_REALM_UNKNOWN) {
krb5_error error;
memset(&error, 0, sizeof(error));
if (code == KRB5_KDC_UNREACH)
error.error = KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE;
else if (code == KRB5_REALM_UNKNOWN)
error.error = KRB_AP_ERR_IAKERB_KDC_NOT_FOUND;
code = krb5_mk_error(ctx->k5c, &error, &reply);
if (code != 0)
goto cleanup;
} else if (code != 0)
goto cleanup;
code = iakerb_make_token(ctx, &realm, NULL, &reply, 0, output_token);
if (code != 0)
goto cleanup;
code = iakerb_save_token(ctx, output_token);
if (code != 0)
goto cleanup;
ctx->count++;
cleanup:
if (code != 0)
gss_release_buffer(&tmp, output_token);
/* request is a pointer into input_token, no need to free */
krb5_free_data_contents(ctx->k5c, &realm);
krb5_free_data_contents(ctx->k5c, &reply);
return code;
}
static krb5_error_code
prepare_error_tgs (struct kdc_request_state *state,
krb5_kdc_req *request, krb5_ticket *ticket, int error,
krb5_principal canon_server,
krb5_data **response, const char *status,
krb5_pa_data **e_data)
{
krb5_error errpkt;
krb5_error_code retval = 0;
krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
&errpkt.susec)))
return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = NULL;
errpkt.text.length = strlen(status);
if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
if (e_data != NULL) {
retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
if (retval) {
free(scratch);
free(errpkt.text.data);
return retval;
}
errpkt.e_data = *e_data_asn1;
} else
errpkt.e_data = empty_data();
if (state) {
retval = kdc_fast_handle_error(kdc_context, state, request, e_data,
&errpkt, &fast_edata);
}
if (retval) {
free(scratch);
free(errpkt.text.data);
krb5_free_data(kdc_context, e_data_asn1);
return retval;
}
if (fast_edata)
errpkt.e_data = *fast_edata;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
krb5_free_data(kdc_context, e_data_asn1);
krb5_free_data(kdc_context, fast_edata);
if (retval)
free(scratch);
else
*response = scratch;
return retval;
}
krb5_error_code
_kdc_tgs_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
krb5_data *data,
const char *from,
struct sockaddr *from_addr,
int datagram_reply)
{
AuthorizationData *auth_data = NULL;
krb5_error_code ret;
int i = 0;
const PA_DATA *tgs_req;
hdb_entry_ex *krbtgt = NULL;
krb5_ticket *ticket = NULL;
const char *e_text = NULL;
krb5_enctype krbtgt_etype = ETYPE_NULL;
time_t *csec = NULL;
int *cusec = NULL;
if(req->padata == NULL){
ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
kdc_log(context, config, 0,
"TGS-REQ from %s without PA-DATA", from);
goto out;
}
tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 0,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
}
ret = tgs_parse_request(context, config,
&req->req_body, tgs_req,
&krbtgt,
&krbtgt_etype,
&ticket,
&e_text,
from, from_addr,
&csec, &cusec,
&auth_data);
if (ret) {
kdc_log(context, config, 0,
"Failed parsing TGS-REQ from %s", from);
goto out;
}
ret = tgs_build_reply(context,
config,
req,
&req->req_body,
krbtgt,
krbtgt_etype,
ticket,
data,
from,
&e_text,
auth_data,
from_addr,
datagram_reply);
if (ret) {
kdc_log(context, config, 0,
"Failed building TGS-REP to %s", from);
goto out;
}
/* */
if (datagram_reply && data->length > config->max_datagram_reply_length) {
krb5_data_free(data);
ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
e_text = "Reply packet too large";
}
out:
if(ret && data->data == NULL){
krb5_mk_error(context,
ret,
NULL,
NULL,
NULL,
NULL,
csec,
cusec,
data);
}
free(csec);
free(cusec);
if (ticket)
krb5_free_ticket(context, ticket);
if(krbtgt)
_kdc_free_ent(context, krbtgt);
if (auth_data) {
free_AuthorizationData(auth_data);
free(auth_data);
}
return 0;
}
static krb5_error_code
prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request,
krb5_db_entry *local_tgt, int error, krb5_pa_data **e_data_in,
krb5_boolean typed_e_data, krb5_principal canon_client,
krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch = NULL, *e_data_asn1 = NULL, *fast_edata = NULL;
krb5_pa_data **e_data = NULL, *cookie = NULL;
kdc_realm_t *kdc_active_realm = rstate->realm_data;
size_t count;
if (e_data_in != NULL) {
/* Add a PA-FX-COOKIE to e_data_in. e_data is a shallow copy
* containing aliases. */
for (count = 0; e_data_in[count] != NULL; count++);
e_data = calloc(count + 2, sizeof(*e_data));
if (e_data == NULL)
return ENOMEM;
memcpy(e_data, e_data_in, count * sizeof(*e_data));
retval = kdc_fast_make_cookie(kdc_context, rstate, local_tgt,
request->client, &cookie);
e_data[count] = cookie;
}
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
if (retval)
goto cleanup;
errpkt.error = error;
errpkt.server = request->server;
errpkt.client = (error == KDC_ERR_WRONG_REALM) ? canon_client :
request->client;
errpkt.text = string2data((char *)status);
if (e_data != NULL) {
if (typed_e_data)
retval = encode_krb5_typed_data(e_data, &e_data_asn1);
else
retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
if (retval)
goto cleanup;
errpkt.e_data = *e_data_asn1;
} else
errpkt.e_data = empty_data();
retval = kdc_fast_handle_error(kdc_context, rstate, request, e_data,
&errpkt, &fast_edata);
if (retval)
goto cleanup;
if (fast_edata != NULL)
errpkt.e_data = *fast_edata;
scratch = k5alloc(sizeof(*scratch), &retval);
if (scratch == NULL)
goto cleanup;
if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
errpkt.client = (krb5_principal)krb5_anonymous_principal();
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
if (retval)
goto cleanup;
*response = scratch;
scratch = NULL;
cleanup:
krb5_free_data(kdc_context, fast_edata);
krb5_free_data(kdc_context, e_data_asn1);
free(scratch);
free(e_data);
if (cookie != NULL)
free(cookie->contents);
free(cookie);
return retval;
}
krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
const krb5_data *req_buffer,
krb5_data *reply,
const char *from,
struct sockaddr *from_addr,
int datagram_reply)
{
KDC_REQ_BODY *b = &req->req_body;
AS_REP rep;
KDCOptions f = b->kdc_options;
hdb_entry_ex *client = NULL, *server = NULL;
krb5_enctype cetype, setype, sessionetype;
krb5_data e_data;
EncTicketPart et;
EncKDCRepPart ek;
krb5_principal client_princ = NULL, server_princ = NULL;
char *client_name = NULL, *server_name = NULL;
krb5_error_code ret = 0;
const char *e_text = NULL;
krb5_crypto crypto;
Key *ckey, *skey;
EncryptionKey *reply_key;
int flags = 0;
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
memset(&rep, 0, sizeof(rep));
krb5_data_zero(&e_data);
if (f.canonicalize)
flags |= HDB_F_CANON;
if(b->sname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No server in request";
} else{
ret = _krb5_principalname2krb5_principal (context,
&server_princ,
*(b->sname),
b->realm);
if (ret == 0)
ret = krb5_unparse_name(context, server_princ, &server_name);
}
if (ret) {
kdc_log(context, config, 0,
"AS-REQ malformed server name from %s", from);
goto out;
}
if(b->cname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
} else {
if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
if (b->cname->name_string.len != 1) {
kdc_log(context, config, 0,
"AS-REQ malformed canon request from %s, "
"enterprise name with %d name components",
from, b->cname->name_string.len);
ret = KRB5_PARSE_MALFORMED;
goto out;
}
ret = krb5_parse_name(context, b->cname->name_string.val[0],
&client_princ);
if (ret)
goto out;
} else {
ret = _krb5_principalname2krb5_principal (context,
&client_princ,
*(b->cname),
b->realm);
if (ret)
goto out;
}
ret = krb5_unparse_name(context, client_princ, &client_name);
}
if (ret) {
kdc_log(context, config, 0,
"AS-REQ malformed client name from %s", from);
goto out;
}
kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
ret = _kdc_db_fetch(context, config, client_princ,
HDB_F_GET_CLIENT | flags, NULL, &client);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret));
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
ret = _kdc_db_fetch(context, config, server_princ,
HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
NULL, &server);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
krb5_get_err_text(context, ret));
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = _kdc_windc_client_access(context, client, req);
if(ret)
goto out;
ret = _kdc_check_flags(context, config,
client, client_name,
server, server_name,
TRUE);
if(ret)
goto out;
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
if(req->padata){
int i;
const PA_DATA *pa;
int found_pa = 0;
log_patypes(context, config, req->padata);
#ifdef PKINIT
kdc_log(context, config, 5,
"Looking for PKINIT pa-data -- %s", client_name);
e_text = "No PKINIT PA found";
i = 0;
if ((pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ)))
;
if (pa == NULL) {
i = 0;
if((pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN)))
;
}
if (pa) {
char *client_cert = NULL;
ret = _kdc_pk_rd_padata(context, config, req, pa, &pkp);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5,
"Failed to decode PKINIT PA-DATA -- %s",
client_name);
goto ts_enc;
}
if (ret == 0 && pkp == NULL)
goto ts_enc;
ret = _kdc_pk_check_client(context,
config,
client,
pkp,
&client_cert);
if (ret) {
e_text = "PKINIT certificate not allowed to "
"impersonate principal";
_kdc_pk_free_client_param(context, pkp);
kdc_log(context, config, 0, "%s", e_text);
pkp = NULL;
goto out;
}
found_pa = 1;
et.flags.pre_authent = 1;
kdc_log(context, config, 0,
"PKINIT pre-authentication succeeded -- %s using %s",
client_name, client_cert);
free(client_cert);
if (pkp)
goto preauth_done;
}
ts_enc:
#endif
kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s",
client_name);
i = 0;
e_text = "No ENC-TS found";
while((pa = _kdc_find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
krb5_data ts_data;
PA_ENC_TS_ENC p;
size_t len;
EncryptedData enc_data;
Key *pa_key;
char *str;
found_pa = 1;
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
&len);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s",
client_name);
goto out;
}
ret = hdb_enctype2key(context, &client->entry,
enc_data.etype, &pa_key);
if(ret){
char *estr;
e_text = "No key matches pa-data";
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if(krb5_enctype_to_string(context, enc_data.etype, &estr))
estr = NULL;
if(estr == NULL)
kdc_log(context, config, 5,
"No client key matching pa-data (%d) -- %s",
enc_data.etype, client_name);
else
kdc_log(context, config, 5,
"No client key matching pa-data (%s) -- %s",
estr, client_name);
free(estr);
free_EncryptedData(&enc_data);
continue;
}
try_next_key:
ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
if (ret) {
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
free_EncryptedData(&enc_data);
continue;
}
ret = krb5_decrypt_EncryptedData (context,
crypto,
KRB5_KU_PA_ENC_TIMESTAMP,
&enc_data,
&ts_data);
krb5_crypto_destroy(context, crypto);
if(ret){
krb5_error_code ret2;
ret2 = krb5_enctype_to_string(context,
pa_key->key.keytype, &str);
if (ret2)
str = NULL;
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
client_name,
str ? str : "unknown enctype",
krb5_get_err_text(context, ret));
free(str);
if(hdb_next_enctype2key(context, &client->entry,
enc_data.etype, &pa_key) == 0)
goto try_next_key;
e_text = "Failed to decrypt PA-DATA";
free_EncryptedData(&enc_data);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
continue;
}
free_EncryptedData(&enc_data);
ret = decode_PA_ENC_TS_ENC(ts_data.data,
ts_data.length,
&p,
&len);
krb5_data_free(&ts_data);
if(ret){
e_text = "Failed to decode PA-ENC-TS-ENC";
ret = KRB5KDC_ERR_PREAUTH_FAILED;
kdc_log(context, config,
5, "Failed to decode PA-ENC-TS_ENC -- %s",
client_name);
continue;
}
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
ret = KRB5KRB_AP_ERR_SKEW;
kdc_log(context, config, 0,
"Too large time skew, "
"client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)abs(kdc_time - p.patimestamp),
context->max_skew,
client_name);
#if 0
/* This code is from samba, needs testing */
/*
* the following is needed to make windows clients
* to retry using the timestamp in the error message
*
* this is maybe a bug in windows to not trying when e_text
* is present...
*/
e_text = NULL;
#else
e_text = "Too large time skew";
#endif
goto out;
}
et.flags.pre_authent = 1;
ret = krb5_enctype_to_string(context,pa_key->key.keytype, &str);
if (ret)
str = NULL;
kdc_log(context, config, 2,
"ENC-TS Pre-authentication succeeded -- %s using %s",
client_name, str ? str : "unknown enctype");
free(str);
break;
}
#ifdef PKINIT
preauth_done:
#endif
if(found_pa == 0 && config->require_preauth)
goto use_pa;
/* We come here if we found a pa-enc-timestamp, but if there
was some problem with it, other than too large skew */
if(found_pa && et.flags.pre_authent == 0){
kdc_log(context, config, 0, "%s -- %s", e_text, client_name);
e_text = NULL;
goto out;
}
}else if (config->require_preauth
|| client->entry.flags.require_preauth
|| server->entry.flags.require_preauth) {
METHOD_DATA method_data;
PA_DATA *pa;
unsigned char *buf;
size_t len;
use_pa:
method_data.len = 0;
method_data.val = NULL;
ret = realloc_method_data(&method_data);
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#ifdef PKINIT
ret = realloc_method_data(&method_data);
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
ret = realloc_method_data(&method_data);
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ_WIN;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#endif
/*
* RFC4120 requires:
* - If the client only knows about old enctypes, then send
* both info replies (we send 'info' first in the list).
* - If the client is 'modern', because it knows about 'new'
* enctype types, then only send the 'info2' reply.
*/
/* XXX check ret */
if (only_older_enctype_p(req))
ret = get_pa_etype_info(context, config,
&method_data, &client->entry,
b->etype.val, b->etype.len);
/* XXX check ret */
ret = get_pa_etype_info2(context, config, &method_data,
&client->entry, b->etype.val, b->etype.len);
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data);
e_data.data = buf;
e_data.length = len;
e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
kdc_log(context, config, 0,
"No preauth found, returning PREAUTH-REQUIRED -- %s",
client_name);
goto out;
}
/*
* Find the client key (for preauth ENC-TS verification and reply
* encryption). Then the best encryption type for the KDC and
* last the best session key that shared between the client and
* KDC runtime enctypes.
*/
ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
&ckey, &cetype);
if (ret) {
kdc_log(context, config, 0,
"Client (%s) has no support for etypes", client_name);
goto out;
}
ret = _kdc_get_preferred_key(context, config,
server, server_name,
&setype, &skey);
if(ret)
goto out;
/*
* Select a session enctype from the list of the crypto systems
* supported enctype, is supported by the client and is one of the
* enctype of the enctype of the krbtgt.
*
* The later is used as a hint what enctype all KDC are supporting
* to make sure a newer version of KDC wont generate a session
* enctype that and older version of a KDC in the same realm can't
* decrypt.
*
* But if the KDC admin is paranoid and doesn't want to have "no
* the best" enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs.
*/
{
const krb5_enctype *p;
krb5_enctype clientbest = ETYPE_NULL;
int i, j;
p = krb5_kerberos_enctypes(context);
sessionetype = ETYPE_NULL;
for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
Key *dummy;
/* check with client */
if (p[i] != b->etype.val[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
/* check with krbtgt */
ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
if (ret)
continue;
sessionetype = p[i];
}
}
/* if krbtgt had no shared keys with client, pick clients best */
if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
sessionetype = clientbest;
} else if (sessionetype == ETYPE_NULL) {
kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC"
"to use for the session key",
client_name, from);
goto out;
}
}
log_as_req(context, config, cetype, setype, b);
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
|| (f.request_anonymous && !config->allow_anonymous)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
goto out;
}
rep.pvno = 5;
rep.msg_type = krb_as_rep;
copy_Realm(&client->entry.principal->realm, &rep.crealm);
if (f.request_anonymous)
_kdc_make_anonymous_principalname (&rep.cname);
else
_krb5_principal2principalname(&rep.cname,
client->entry.principal);
rep.ticket.tkt_vno = 5;
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname,
server->entry.principal);
/* java 1.6 expects the name to be the same type, lets allow that
* uncomplicated name-types. */
#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
rep.ticket.sname.name_type = b->sname->name_type;
#undef CNT
et.flags.initial = 1;
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
et.flags.forwardable = f.forwardable;
else if (f.forwardable) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be forwardable -- %s", client_name);
goto out;
}
if(client->entry.flags.proxiable && server->entry.flags.proxiable)
et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be proxiable -- %s", client_name);
goto out;
}
if(client->entry.flags.postdate && server->entry.flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be postdatable -- %s", client_name);
goto out;
}
/* check for valid set of addresses */
if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(context, config, 0,
"Bad address list requested -- %s", client_name);
goto out;
}
ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
if (ret)
goto out;
copy_PrincipalName(&rep.cname, &et.cname);
copy_Realm(&rep.crealm, &et.crealm);
{
time_t start;
time_t t;
start = et.authtime = kdc_time;
if(f.postdated && req->req_body.from){
ALLOC(et.starttime);
start = *et.starttime = *req->req_body.from;
et.flags.invalid = 1;
et.flags.postdated = 1; /* XXX ??? */
}
_kdc_fix_time(&b->till);
t = *b->till;
/* be careful not overflowing */
if(client->entry.max_life)
t = start + min(t - start, *client->entry.max_life);
if(server->entry.max_life)
t = start + min(t - start, *server->entry.max_life);
#if 0
t = min(t, start + realm->max_life);
#endif
et.endtime = t;
if(f.renewable_ok && et.endtime < *b->till){
f.renewable = 1;
if(b->rtime == NULL){
ALLOC(b->rtime);
*b->rtime = 0;
}
if(*b->rtime < *b->till)
*b->rtime = *b->till;
}
if(f.renewable && b->rtime){
t = *b->rtime;
if(t == 0)
t = MAX_TIME;
if(client->entry.max_renew)
t = start + min(t - start, *client->entry.max_renew);
if(server->entry.max_renew)
t = start + min(t - start, *server->entry.max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
ALLOC(et.renew_till);
*et.renew_till = t;
et.flags.renewable = 1;
}
}
if (f.request_anonymous)
et.flags.anonymous = 1;
if(b->addresses){
ALLOC(et.caddr);
copy_HostAddresses(b->addresses, et.caddr);
}
et.transited.tr_type = DOMAIN_X500_COMPRESS;
krb5_data_zero(&et.transited.contents);
copy_EncryptionKey(&et.key, &ek.key);
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
* as 0 and as 0x80 (meaning indefinite length) apart, and is thus
* incapable of correctly decoding SEQUENCE OF's of zero length.
*
* To fix this, always send at least one no-op last_req
*
* If there's a pw_end or valid_end we will use that,
* otherwise just a dummy lr.
*/
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
if (ek.last_req.val == NULL) {
ret = ENOMEM;
goto out;
}
ek.last_req.len = 0;
if (client->entry.pw_end
&& (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire >= *client->entry.pw_end)) {
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
++ek.last_req.len;
}
if (client->entry.valid_end) {
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
++ek.last_req.len;
}
if (ek.last_req.len == 0) {
ek.last_req.val[ek.last_req.len].lr_type = LR_NONE;
ek.last_req.val[ek.last_req.len].lr_value = 0;
++ek.last_req.len;
}
ek.nonce = b->nonce;
if (client->entry.valid_end || client->entry.pw_end) {
ALLOC(ek.key_expiration);
if (client->entry.valid_end) {
if (client->entry.pw_end)
*ek.key_expiration = min(*client->entry.valid_end,
*client->entry.pw_end);
else
*ek.key_expiration = *client->entry.valid_end;
} else
*ek.key_expiration = *client->entry.pw_end;
} else
ek.key_expiration = NULL;
ek.flags = et.flags;
ek.authtime = et.authtime;
if (et.starttime) {
ALLOC(ek.starttime);
*ek.starttime = *et.starttime;
}
ek.endtime = et.endtime;
if (et.renew_till) {
ALLOC(ek.renew_till);
*ek.renew_till = *et.renew_till;
}
copy_Realm(&rep.ticket.realm, &ek.srealm);
copy_PrincipalName(&rep.ticket.sname, &ek.sname);
if(et.caddr){
ALLOC(ek.caddr);
copy_HostAddresses(et.caddr, ek.caddr);
}
ALLOC(rep.padata);
rep.padata->len = 0;
rep.padata->val = NULL;
reply_key = &ckey->key;
#if PKINIT
if (pkp) {
ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
req, req_buffer,
&reply_key, rep.padata);
if (ret)
goto out;
ret = _kdc_add_inital_verified_cas(context,
config,
pkp,
&et);
if (ret)
goto out;
}
#endif
set_salt_padata (rep.padata, ckey->salt);
/* Add signing of alias referral */
if (f.canonicalize) {
PA_ClientCanonicalized canon;
krb5_data data;
PA_DATA pa;
krb5_crypto crypto;
size_t len;
memset(&canon, 0, sizeof(canon));
canon.names.requested_name = *b->cname;
canon.names.real_name = client->entry.principal->name;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
&canon.names, &len, ret);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
/* sign using "returned session key" */
ret = krb5_crypto_init(context, &et.key, 0, &crypto);
if (ret) {
free(data.data);
goto out;
}
ret = krb5_create_checksum(context, crypto,
KRB5_KU_CANONICALIZED_NAMES, 0,
data.data, data.length,
&canon.canon_checksum);
free(data.data);
krb5_crypto_destroy(context, crypto);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
&canon, &len, ret);
free_Checksum(&canon.canon_checksum);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
pa.padata_value = data;
ret = add_METHOD_DATA(rep.padata, &pa);
free(data.data);
if (ret)
goto out;
}
if (rep.padata->len == 0) {
free(rep.padata);
rep.padata = NULL;
}
/* Add the PAC */
if (send_pac_p(context, req)) {
krb5_pac p = NULL;
krb5_data data;
ret = _kdc_pac_generate(context, client, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
client_name);
goto out;
}
if (p != NULL) {
ret = _krb5_pac_sign(context, p, et.authtime,
client->entry.principal,
&skey->key, /* Server key */
&skey->key, /* FIXME: should be krbtgt key */
&data);
krb5_pac_free(context, p);
if (ret) {
kdc_log(context, config, 0, "PAC signing failed for -- %s",
client_name);
goto out;
}
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
krb5_data_free(&data);
if (ret)
goto out;
}
}
_kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime,
et.endtime, et.renew_till);
/* do this as the last thing since this signs the EncTicketPart */
ret = _kdc_add_KRB5SignedPath(context,
config,
server,
setype,
NULL,
NULL,
&et);
if (ret)
goto out;
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, setype, server->entry.kvno,
&skey->key, client->entry.kvno,
reply_key, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
if (ret)
goto out;
/* */
if (datagram_reply && reply->length > config->max_datagram_reply_length) {
krb5_data_free(reply);
ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
e_text = "Reply packet too large";
}
out:
free_AS_REP(&rep);
if(ret){
krb5_mk_error(context,
ret,
e_text,
(e_data.data ? &e_data : NULL),
client_princ,
server_princ,
NULL,
NULL,
reply);
ret = 0;
}
#ifdef PKINIT
if (pkp)
_kdc_pk_free_client_param(context, pkp);
#endif
if (e_data.data)
free(e_data.data);
if (client_princ)
krb5_free_principal(context, client_princ);
free(client_name);
if (server_princ)
krb5_free_principal(context, server_princ);
free(server_name);
if(client)
_kdc_free_ent(context, client);
if(server)
_kdc_free_ent(context, server);
return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_recvauth_match_version(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer p_fd,
krb5_boolean (*match_appl_version)(const void *,
const char*),
const void *match_data,
krb5_principal server,
int32_t flags,
krb5_keytab keytab,
krb5_ticket **ticket)
{
krb5_error_code ret;
const char *version = KRB5_SENDAUTH_VERSION;
char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
char *her_appl_version;
u_int32_t len;
u_char repl;
krb5_data data;
krb5_flags ap_options;
ssize_t n;
/*
* If there are no addresses in auth_context, get them from `fd'.
*/
if (*auth_context == NULL) {
ret = krb5_auth_con_init (context, auth_context);
if (ret)
return ret;
}
ret = krb5_auth_con_setaddrs_from_fd (context,
*auth_context,
p_fd);
if (ret)
return ret;
if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
krb5_set_error_string (context, "read: %s", strerror(errno));
return ret;
}
if (n == 0) {
krb5_clear_error_string (context);
return KRB5_SENDAUTH_BADAUTHVERS;
}
len = ntohl(len);
if (len != sizeof(her_version)
|| krb5_net_read (context, p_fd, her_version, len) != len
|| strncmp (version, her_version, len)) {
repl = 1;
krb5_net_write (context, p_fd, &repl, 1);
krb5_clear_error_string (context);
return KRB5_SENDAUTH_BADAUTHVERS;
}
}
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
krb5_set_error_string (context, "read: %s", strerror(errno));
return ret;
}
if (n == 0) {
krb5_clear_error_string (context);
return KRB5_SENDAUTH_BADAPPLVERS;
}
len = ntohl(len);
her_appl_version = malloc (len);
if (her_appl_version == NULL) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
krb5_set_error_string (context, "malloc: out of memory");
return ENOMEM;
}
if (krb5_net_read (context, p_fd, her_appl_version, len) != len
|| !(*match_appl_version)(match_data, her_appl_version)) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
krb5_set_error_string (context, "wrong sendauth version (%s)",
her_appl_version);
free (her_appl_version);
return KRB5_SENDAUTH_BADAPPLVERS;
}
free (her_appl_version);
repl = 0;
if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
ret = errno;
krb5_set_error_string (context, "write: %s", strerror(errno));
return ret;
}
krb5_data_zero (&data);
ret = krb5_read_message (context, p_fd, &data);
if (ret)
return ret;
ret = krb5_rd_req (context,
auth_context,
&data,
server,
keytab,
&ap_options,
ticket);
krb5_data_free (&data);
if (ret) {
krb5_data error_data;
krb5_error_code ret2;
ret2 = krb5_mk_error (context,
ret,
NULL,
NULL,
NULL,
server,
NULL,
NULL,
&error_data);
if (ret2 == 0) {
krb5_write_message (context, p_fd, &error_data);
krb5_data_free (&error_data);
}
return ret;
}
len = 0;
if (krb5_net_write (context, p_fd, &len, 4) != 4) {
ret = errno;
krb5_set_error_string (context, "write: %s", strerror(errno));
return ret;
}
if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
ret = krb5_mk_rep (context, *auth_context, &data);
if (ret)
return ret;
ret = krb5_write_message (context, p_fd, &data);
if (ret)
return ret;
krb5_data_free (&data);
}
return 0;
}
static krb5_error_code
process_chpw_request(krb5_context context, void *server_handle, char *realm,
krb5_keytab keytab, const krb5_fulladdr *local_faddr,
const krb5_fulladdr *remote_faddr, krb5_data *req,
krb5_data *rep)
{
krb5_error_code ret;
char *ptr;
unsigned int plen, vno;
krb5_data ap_req, ap_rep = empty_data();
krb5_data cipher = empty_data(), clear = empty_data();
krb5_auth_context auth_context = NULL;
krb5_principal changepw = NULL;
krb5_principal client, target = NULL;
krb5_ticket *ticket = NULL;
krb5_replay_data replay;
krb5_error krberror;
int numresult;
char strresult[1024];
char *clientstr = NULL, *targetstr = NULL;
const char *errmsg = NULL;
size_t clen;
char *cdots;
struct sockaddr_storage ss;
socklen_t salen;
char addrbuf[100];
krb5_address *addr = remote_faddr->address;
*rep = empty_data();
if (req->length < 4) {
/* either this, or the server is printing bad messages,
or the caller passed in garbage */
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated", sizeof(strresult));
goto bailout;
}
ptr = req->data;
/* verify length */
plen = (*ptr++ & 0xff);
plen = (plen<<8) | (*ptr++ & 0xff);
if (plen != req->length) {
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request length was inconsistent",
sizeof(strresult));
goto bailout;
}
/* verify version number */
vno = (*ptr++ & 0xff) ;
vno = (vno<<8) | (*ptr++ & 0xff);
if (vno != 1 && vno != RFC3244_VERSION) {
ret = KRB5KDC_ERR_BAD_PVNO;
numresult = KRB5_KPASSWD_BAD_VERSION;
snprintf(strresult, sizeof(strresult),
"Request contained unknown protocol version number %d", vno);
goto bailout;
}
/* read, check ap-req length */
ap_req.length = (*ptr++ & 0xff);
ap_req.length = (ap_req.length<<8) | (*ptr++ & 0xff);
if (ptr + ap_req.length >= req->data + req->length) {
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Request was truncated in AP-REQ",
sizeof(strresult));
goto bailout;
}
/* verify ap_req */
ap_req.data = ptr;
ptr += ap_req.length;
ret = krb5_auth_con_init(context, &auth_context);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed initializing auth context",
sizeof(strresult));
goto chpwfail;
}
ret = krb5_auth_con_setflags(context, auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed initializing auth context",
sizeof(strresult));
goto chpwfail;
}
ret = krb5_build_principal(context, &changepw, strlen(realm), realm,
"kadmin", "changepw", NULL);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed building kadmin/changepw principal",
sizeof(strresult));
goto chpwfail;
}
ret = krb5_rd_req(context, &auth_context, &ap_req, changepw, keytab,
NULL, &ticket);
if (ret) {
numresult = KRB5_KPASSWD_AUTHERROR;
strlcpy(strresult, "Failed reading application request",
sizeof(strresult));
goto chpwfail;
}
/* construct the ap-rep */
ret = krb5_mk_rep(context, auth_context, &ap_rep);
if (ret) {
numresult = KRB5_KPASSWD_AUTHERROR;
strlcpy(strresult, "Failed replying to application request",
sizeof(strresult));
goto chpwfail;
}
/* decrypt the ChangePasswdData */
cipher.length = (req->data + req->length) - ptr;
cipher.data = ptr;
/*
* Don't set a remote address in auth_context before calling krb5_rd_priv,
* so that we can work against clients behind a NAT. Reflection attacks
* aren't a concern since we use sequence numbers and since our requests
* don't look anything like our responses. Also don't set a local address,
* since we don't know what interface the request was received on.
*/
ret = krb5_rd_priv(context, auth_context, &cipher, &clear, &replay);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed decrypting request", sizeof(strresult));
goto chpwfail;
}
client = ticket->enc_part2->client;
/* decode ChangePasswdData for setpw requests */
if (vno == RFC3244_VERSION) {
krb5_data *clear_data;
ret = decode_krb5_setpw_req(&clear, &clear_data, &target);
if (ret != 0) {
numresult = KRB5_KPASSWD_MALFORMED;
strlcpy(strresult, "Failed decoding ChangePasswdData",
sizeof(strresult));
goto chpwfail;
}
zapfree(clear.data, clear.length);
clear = *clear_data;
free(clear_data);
if (target != NULL) {
ret = krb5_unparse_name(context, target, &targetstr);
if (ret != 0) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed unparsing target name for log",
sizeof(strresult));
goto chpwfail;
}
}
}
ret = krb5_unparse_name(context, client, &clientstr);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed unparsing client name for log",
sizeof(strresult));
goto chpwfail;
}
/* for cpw, verify that this is an AS_REQ ticket */
if (vno == 1 &&
(ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
strlcpy(strresult, "Ticket must be derived from a password",
sizeof(strresult));
goto chpwfail;
}
/* change the password */
ptr = k5memdup0(clear.data, clear.length, &ret);
ret = schpw_util_wrapper(server_handle, client, target,
(ticket->enc_part2->flags & TKT_FLG_INITIAL) != 0,
ptr, NULL, strresult, sizeof(strresult));
if (ret)
errmsg = krb5_get_error_message(context, ret);
/* zap the password */
zapfree(clear.data, clear.length);
zapfree(ptr, clear.length);
clear = empty_data();
clen = strlen(clientstr);
trunc_name(&clen, &cdots);
switch (addr->addrtype) {
case ADDRTYPE_INET: {
struct sockaddr_in *sin = ss2sin(&ss);
sin->sin_family = AF_INET;
memcpy(&sin->sin_addr, addr->contents, addr->length);
sin->sin_port = htons(remote_faddr->port);
salen = sizeof(*sin);
break;
}
case ADDRTYPE_INET6: {
struct sockaddr_in6 *sin6 = ss2sin6(&ss);
sin6->sin6_family = AF_INET6;
memcpy(&sin6->sin6_addr, addr->contents, addr->length);
sin6->sin6_port = htons(remote_faddr->port);
salen = sizeof(*sin6);
break;
}
default: {
struct sockaddr *sa = ss2sa(&ss);
sa->sa_family = AF_UNSPEC;
salen = sizeof(*sa);
break;
}
}
if (getnameinfo(ss2sa(&ss), salen,
addrbuf, sizeof(addrbuf), NULL, 0,
NI_NUMERICHOST | NI_NUMERICSERV) != 0)
strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));
if (vno == RFC3244_VERSION) {
size_t tlen;
char *tdots;
const char *targetp;
if (target == NULL) {
tlen = clen;
tdots = cdots;
targetp = targetstr;
} else {
tlen = strlen(targetstr);
trunc_name(&tlen, &tdots);
targetp = clientstr;
}
krb5_klog_syslog(LOG_NOTICE, _("setpw request from %s by %.*s%s for "
"%.*s%s: %s"), addrbuf, (int) clen,
clientstr, cdots, (int) tlen, targetp, tdots,
errmsg ? errmsg : "success");
} else {
krb5_klog_syslog(LOG_NOTICE, _("chpw request from %s for %.*s%s: %s"),
addrbuf, (int) clen, clientstr, cdots,
errmsg ? errmsg : "success");
}
switch (ret) {
case KADM5_AUTH_CHANGEPW:
numresult = KRB5_KPASSWD_ACCESSDENIED;
break;
case KADM5_PASS_Q_TOOSHORT:
case KADM5_PASS_REUSE:
case KADM5_PASS_Q_CLASS:
case KADM5_PASS_Q_DICT:
case KADM5_PASS_Q_GENERIC:
case KADM5_PASS_TOOSOON:
numresult = KRB5_KPASSWD_SOFTERROR;
break;
case 0:
numresult = KRB5_KPASSWD_SUCCESS;
strlcpy(strresult, "", sizeof(strresult));
break;
default:
numresult = KRB5_KPASSWD_HARDERROR;
break;
}
chpwfail:
ret = alloc_data(&clear, 2 + strlen(strresult));
if (ret)
goto bailout;
ptr = clear.data;
*ptr++ = (numresult>>8) & 0xff;
*ptr++ = numresult & 0xff;
memcpy(ptr, strresult, strlen(strresult));
cipher = empty_data();
if (ap_rep.length) {
ret = krb5_auth_con_setaddrs(context, auth_context,
local_faddr->address, NULL);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult,
"Failed storing client and server internet addresses",
sizeof(strresult));
} else {
ret = krb5_mk_priv(context, auth_context, &clear, &cipher,
&replay);
if (ret) {
numresult = KRB5_KPASSWD_HARDERROR;
strlcpy(strresult, "Failed encrypting reply",
sizeof(strresult));
}
}
}
/* if no KRB-PRIV was constructed, then we need a KRB-ERROR.
if this fails, just bail. there's nothing else we can do. */
if (cipher.length == 0) {
/* clear out ap_rep now, so that it won't be inserted in the
reply */
if (ap_rep.length) {
free(ap_rep.data);
ap_rep = empty_data();
}
krberror.ctime = 0;
krberror.cusec = 0;
krberror.susec = 0;
ret = krb5_timeofday(context, &krberror.stime);
if (ret)
goto bailout;
/* this is really icky. but it's what all the other callers
to mk_error do. */
krberror.error = ret;
krberror.error -= ERROR_TABLE_BASE_krb5;
if (krberror.error < 0 || krberror.error > KRB_ERR_MAX)
krberror.error = KRB_ERR_GENERIC;
krberror.client = NULL;
ret = krb5_build_principal(context, &krberror.server,
strlen(realm), realm,
"kadmin", "changepw", NULL);
if (ret)
goto bailout;
krberror.text.length = 0;
krberror.e_data = clear;
ret = krb5_mk_error(context, &krberror, &cipher);
krb5_free_principal(context, krberror.server);
if (ret)
goto bailout;
}
/* construct the reply */
ret = alloc_data(rep, 6 + ap_rep.length + cipher.length);
if (ret)
goto bailout;
ptr = rep->data;
/* length */
*ptr++ = (rep->length>>8) & 0xff;
*ptr++ = rep->length & 0xff;
/* version == 0x0001 big-endian */
*ptr++ = 0;
*ptr++ = 1;
/* ap_rep length, big-endian */
*ptr++ = (ap_rep.length>>8) & 0xff;
*ptr++ = ap_rep.length & 0xff;
/* ap-rep data */
if (ap_rep.length) {
memcpy(ptr, ap_rep.data, ap_rep.length);
ptr += ap_rep.length;
}
/* krb-priv or krb-error */
memcpy(ptr, cipher.data, cipher.length);
bailout:
krb5_auth_con_free(context, auth_context);
krb5_free_principal(context, changepw);
krb5_free_ticket(context, ticket);
free(ap_rep.data);
free(clear.data);
free(cipher.data);
krb5_free_principal(context, target);
krb5_free_unparsed_name(context, targetstr);
krb5_free_unparsed_name(context, clientstr);
krb5_free_error_message(context, errmsg);
return ret;
}
/**
* Perform the server side of the sendauth protocol like krb5_recvauth(), but support
* a user-specified callback, \a match_appl_version, to perform the match of the application
* version \a match_data.
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth_match_version(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer p_fd,
krb5_boolean (*match_appl_version)(const void *,
const char*),
const void *match_data,
krb5_principal server,
int32_t flags,
krb5_keytab keytab,
krb5_ticket **ticket)
{
krb5_error_code ret;
const char *version = KRB5_SENDAUTH_VERSION;
char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
char *her_appl_version;
uint32_t len;
u_char repl;
krb5_data data;
krb5_flags ap_options;
ssize_t n;
/*
* If there are no addresses in auth_context, get them from `fd'.
*/
if (*auth_context == NULL) {
ret = krb5_auth_con_init (context, auth_context);
if (ret)
return ret;
}
ret = krb5_auth_con_setaddrs_from_fd (context,
*auth_context,
p_fd);
if (ret)
return ret;
/*
* Expect SENDAUTH protocol version.
*/
if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
krb5_set_error_message(context, ret, "read: %s", strerror(ret));
return ret;
}
if (n == 0) {
krb5_set_error_message(context, KRB5_SENDAUTH_BADAUTHVERS,
N_("Failed to receive sendauth data", ""));
return KRB5_SENDAUTH_BADAUTHVERS;
}
len = ntohl(len);
if (len != sizeof(her_version)
|| krb5_net_read (context, p_fd, her_version, len) != len
|| strncmp (version, her_version, len)) {
repl = 1;
krb5_net_write (context, p_fd, &repl, 1);
krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADAUTHVERS;
}
}
/*
* Expect application protocol version.
*/
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
krb5_set_error_message(context, ret, "read: %s", strerror(ret));
return ret;
}
if (n == 0) {
krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADAPPLVERS;
}
len = ntohl(len);
her_appl_version = malloc (len);
if (her_appl_version == NULL) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
if (krb5_net_read (context, p_fd, her_appl_version, len) != len
|| !(*match_appl_version)(match_data, her_appl_version)) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
N_("wrong sendauth application version (%s)", ""),
her_appl_version);
free (her_appl_version);
return KRB5_SENDAUTH_BADAPPLVERS;
}
free (her_appl_version);
/*
* Send OK.
*/
repl = 0;
if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
ret = errno;
krb5_set_error_message(context, ret, "write: %s", strerror(ret));
return ret;
}
/*
* Until here, the fields in the message were in cleartext and unauthenticated.
* From now on, Kerberos kicks in.
*/
/*
* Expect AP_REQ.
*/
krb5_data_zero (&data);
ret = krb5_read_message (context, p_fd, &data);
if (ret)
return ret;
ret = krb5_rd_req (context,
auth_context,
&data,
server,
keytab,
&ap_options,
ticket);
krb5_data_free (&data);
if (ret) {
krb5_data error_data;
krb5_error_code ret2;
ret2 = krb5_mk_error (context,
ret,
NULL,
NULL,
NULL,
server,
NULL,
NULL,
&error_data);
if (ret2 == 0) {
krb5_write_message (context, p_fd, &error_data);
krb5_data_free (&error_data);
}
return ret;
}
/*
* Send OK.
*/
len = 0;
if (krb5_net_write (context, p_fd, &len, 4) != 4) {
ret = errno;
krb5_set_error_message(context, ret, "write: %s", strerror(ret));
krb5_free_ticket(context, *ticket);
*ticket = NULL;
return ret;
}
/*
* If client requires mutual authentication, send AP_REP.
*/
if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
ret = krb5_mk_rep (context, *auth_context, &data);
if (ret) {
krb5_free_ticket(context, *ticket);
*ticket = NULL;
return ret;
}
ret = krb5_write_message (context, p_fd, &data);
if (ret) {
krb5_free_ticket(context, *ticket);
*ticket = NULL;
return ret;
}
krb5_data_free (&data);
}
return 0;
}
krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
const krb5_data *req_buffer,
krb5_data *reply,
const char *from,
struct sockaddr *from_addr,
int datagram_reply)
{
KDC_REQ_BODY *b = &req->req_body;
AS_REP rep;
KDCOptions f = b->kdc_options;
hdb_entry_ex *client = NULL, *server = NULL;
HDB *clientdb;
krb5_enctype setype, sessionetype;
krb5_data e_data;
EncTicketPart et;
EncKDCRepPart ek;
krb5_principal client_princ = NULL, server_princ = NULL;
char *client_name = NULL, *server_name = NULL;
krb5_error_code ret = 0;
const char *e_text = NULL;
krb5_crypto crypto;
Key *ckey, *skey;
EncryptionKey *reply_key = NULL, session_key;
int flags = HDB_F_FOR_AS_REQ;
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
memset(&rep, 0, sizeof(rep));
memset(&session_key, 0, sizeof(session_key));
krb5_data_zero(&e_data);
ALLOC(rep.padata);
rep.padata->len = 0;
rep.padata->val = NULL;
if (f.canonicalize)
flags |= HDB_F_CANON;
if(b->sname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No server in request";
} else{
ret = _krb5_principalname2krb5_principal (context,
&server_princ,
*(b->sname),
b->realm);
if (ret == 0)
ret = krb5_unparse_name(context, server_princ, &server_name);
}
if (ret) {
kdc_log(context, config, 0,
"AS-REQ malformed server name from %s", from);
goto out;
}
if(b->cname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
} else {
ret = _krb5_principalname2krb5_principal (context,
&client_princ,
*(b->cname),
b->realm);
if (ret)
goto out;
ret = krb5_unparse_name(context, client_princ, &client_name);
}
if (ret) {
kdc_log(context, config, 0,
"AS-REQ malformed client name from %s", from);
goto out;
}
kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
/*
*
*/
if (_kdc_is_anonymous(context, client_princ)) {
if (!b->kdc_options.request_anonymous) {
kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
} else if (b->kdc_options.request_anonymous) {
kdc_log(context, config, 0,
"Request for a anonymous ticket with non "
"anonymous client name: %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
/*
*
*/
ret = _kdc_db_fetch(context, config, client_princ,
HDB_F_GET_CLIENT | flags, NULL,
&clientdb, &client);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
goto out;
} else if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
ret = _kdc_db_fetch(context, config, server_princ,
HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
NULL, NULL, &server);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);
goto out;
} else if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
/*
* Select a session enctype from the list of the crypto system
* supported enctypes that is supported by the client and is one of
* the enctype of the enctype of the service (likely krbtgt).
*
* The latter is used as a hint of what enctypes all KDC support,
* to make sure a newer version of KDC won't generate a session
* enctype that an older version of a KDC in the same realm can't
* decrypt.
*/
ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
client, b->etype.val, b->etype.len, &sessionetype,
NULL);
if (ret) {
kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC "
"to use for the session key",
client_name, from);
goto out;
}
/*
* But if the KDC admin is paranoid and doesn't want to have "not
* the best" enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs.
*/
/*
* Pre-auth processing
*/
if(req->padata){
int i;
const PA_DATA *pa;
int found_pa = 0;
log_patypes(context, config, req->padata);
#ifdef PKINIT
kdc_log(context, config, 5,
"Looking for PKINIT pa-data -- %s", client_name);
e_text = "No PKINIT PA found";
i = 0;
pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ);
if (pa == NULL) {
i = 0;
pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN);
}
if (pa) {
char *client_cert = NULL;
ret = _kdc_pk_rd_padata(context, config, req, pa, client, &pkp);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5,
"Failed to decode PKINIT PA-DATA -- %s",
client_name);
goto ts_enc;
}
if (ret == 0 && pkp == NULL)
goto ts_enc;
ret = _kdc_pk_check_client(context,
config,
clientdb,
client,
pkp,
&client_cert);
if (ret) {
e_text = "PKINIT certificate not allowed to "
"impersonate principal";
_kdc_pk_free_client_param(context, pkp);
kdc_log(context, config, 0, "%s", e_text);
pkp = NULL;
goto out;
}
found_pa = 1;
et.flags.pre_authent = 1;
kdc_log(context, config, 0,
"PKINIT pre-authentication succeeded -- %s using %s",
client_name, client_cert);
free(client_cert);
if (pkp)
goto preauth_done;
}
ts_enc:
#endif
if (client->entry.flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(context, config, 0,
"Client (%s) is locked out", client_name);
goto out;
}
kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s",
client_name);
i = 0;
e_text = "No ENC-TS found";
while((pa = _kdc_find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
krb5_data ts_data;
PA_ENC_TS_ENC p;
size_t len;
EncryptedData enc_data;
Key *pa_key;
char *str;
found_pa = 1;
if (b->kdc_options.request_anonymous) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 0, "ENC-TS doesn't support anon");
goto out;
}
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
&len);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s",
client_name);
goto out;
}
ret = hdb_enctype2key(context, &client->entry,
enc_data.etype, &pa_key);
if(ret){
char *estr;
e_text = "No key matches pa-data";
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if(krb5_enctype_to_string(context, enc_data.etype, &estr))
estr = NULL;
if(estr == NULL)
kdc_log(context, config, 5,
"No client key matching pa-data (%d) -- %s",
enc_data.etype, client_name);
else
kdc_log(context, config, 5,
"No client key matching pa-data (%s) -- %s",
estr, client_name);
free(estr);
free_EncryptedData(&enc_data);
continue;
}
try_next_key:
ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(context, msg);
free_EncryptedData(&enc_data);
continue;
}
ret = krb5_decrypt_EncryptedData (context,
crypto,
KRB5_KU_PA_ENC_TIMESTAMP,
&enc_data,
&ts_data);
krb5_crypto_destroy(context, crypto);
/*
* Since the user might have several keys with the same
* enctype but with diffrent salting, we need to try all
* the keys with the same enctype.
*/
if(ret){
krb5_error_code ret2;
const char *msg = krb5_get_error_message(context, ret);
ret2 = krb5_enctype_to_string(context,
pa_key->key.keytype, &str);
if (ret2)
str = NULL;
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
client_name, str ? str : "unknown enctype", msg);
krb5_free_error_message(context, msg);
free(str);
if(hdb_next_enctype2key(context, &client->entry,
enc_data.etype, &pa_key) == 0)
goto try_next_key;
e_text = "Failed to decrypt PA-DATA";
free_EncryptedData(&enc_data);
if (clientdb->hdb_auth_status)
(clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
continue;
}
free_EncryptedData(&enc_data);
ret = decode_PA_ENC_TS_ENC(ts_data.data,
ts_data.length,
&p,
&len);
krb5_data_free(&ts_data);
if(ret){
e_text = "Failed to decode PA-ENC-TS-ENC";
ret = KRB5KDC_ERR_PREAUTH_FAILED;
kdc_log(context, config,
5, "Failed to decode PA-ENC-TS_ENC -- %s",
client_name);
continue;
}
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
ret = KRB5KRB_AP_ERR_SKEW;
kdc_log(context, config, 0,
"Too large time skew, "
"client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)abs(kdc_time - p.patimestamp),
context->max_skew,
client_name);
/*
* The following is needed to make windows clients to
* retry using the timestamp in the error message, if
* there is a e_text, they become unhappy.
*/
e_text = NULL;
goto out;
}
et.flags.pre_authent = 1;
set_salt_padata(rep.padata, pa_key->salt);
reply_key = &pa_key->key;
ret = krb5_enctype_to_string(context, pa_key->key.keytype, &str);
if (ret)
str = NULL;
kdc_log(context, config, 2,
"ENC-TS Pre-authentication succeeded -- %s using %s",
client_name, str ? str : "unknown enctype");
free(str);
break;
}
#ifdef PKINIT
preauth_done:
#endif
if(found_pa == 0 && config->require_preauth)
goto use_pa;
/* We come here if we found a pa-enc-timestamp, but if there
was some problem with it, other than too large skew */
if(found_pa && et.flags.pre_authent == 0){
kdc_log(context, config, 0, "%s -- %s", e_text, client_name);
e_text = NULL;
goto out;
}
}else if (config->require_preauth
|| b->kdc_options.request_anonymous /* hack to force anon */
|| client->entry.flags.require_preauth
|| server->entry.flags.require_preauth) {
METHOD_DATA method_data;
PA_DATA *pa;
unsigned char *buf;
size_t len;
use_pa:
method_data.len = 0;
method_data.val = NULL;
ret = realloc_method_data(&method_data);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#ifdef PKINIT
ret = realloc_method_data(&method_data);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
ret = realloc_method_data(&method_data);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ_WIN;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#endif
/*
* If there is a client key, send ETYPE_INFO{,2}
*/
ret = _kdc_find_etype(context,
config->preauth_use_strongest_session_key, TRUE,
client, b->etype.val, b->etype.len, NULL, &ckey);
if (ret == 0) {
/*
* RFC4120 requires:
* - If the client only knows about old enctypes, then send
* both info replies (we send 'info' first in the list).
* - If the client is 'modern', because it knows about 'new'
* enctype types, then only send the 'info2' reply.
*
* Before we send the full list of etype-info data, we pick
* the client key we would have used anyway below, just pick
* that instead.
*/
if (older_enctype(ckey->key.keytype)) {
ret = get_pa_etype_info(context, config,
&method_data, ckey);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
}
ret = get_pa_etype_info2(context, config,
&method_data, ckey);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
}
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data);
e_data.data = buf;
e_data.length = len;
e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
kdc_log(context, config, 0,
"No preauth found, returning PREAUTH-REQUIRED -- %s",
client_name);
goto out;
}
/*
* Verify flags after the user been required to prove its identity
* with in a preauth mech.
*/
ret = _kdc_check_access(context, config, client, client_name,
server, server_name,
req, &e_data);
if(ret)
goto out;
if (clientdb->hdb_auth_status)
(clientdb->hdb_auth_status)(context, clientdb, client,
HDB_AUTH_SUCCESS);
/*
* Selelct the best encryption type for the KDC with out regard to
* the client since the client never needs to read that data.
*/
ret = _kdc_get_preferred_key(context, config,
server, server_name,
&setype, &skey);
if(ret)
goto out;
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
|| (f.request_anonymous && !config->allow_anonymous)) {
ret = KRB5KDC_ERR_BADOPTION;
e_text = "Bad KDC options";
kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
goto out;
}
rep.pvno = 5;
rep.msg_type = krb_as_rep;
ret = copy_Realm(&client->entry.principal->realm, &rep.crealm);
if (ret)
goto out;
ret = _krb5_principal2principalname(&rep.cname, client->entry.principal);
if (ret)
goto out;
rep.ticket.tkt_vno = 5;
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname,
server->entry.principal);
/* java 1.6 expects the name to be the same type, lets allow that
* uncomplicated name-types. */
#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
rep.ticket.sname.name_type = b->sname->name_type;
#undef CNT
et.flags.initial = 1;
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
et.flags.forwardable = f.forwardable;
else if (f.forwardable) {
e_text = "Ticket may not be forwardable";
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be forwardable -- %s", client_name);
goto out;
}
if(client->entry.flags.proxiable && server->entry.flags.proxiable)
et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
e_text = "Ticket may not be proxiable";
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be proxiable -- %s", client_name);
goto out;
}
if(client->entry.flags.postdate && server->entry.flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
e_text = "Ticket may not be postdate";
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be postdatable -- %s", client_name);
goto out;
}
/* check for valid set of addresses */
if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
e_text = "Bad address list in requested";
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(context, config, 0,
"Bad address list requested -- %s", client_name);
goto out;
}
ret = copy_PrincipalName(&rep.cname, &et.cname);
if (ret)
goto out;
ret = copy_Realm(&rep.crealm, &et.crealm);
if (ret)
goto out;
{
time_t start;
time_t t;
start = et.authtime = kdc_time;
if(f.postdated && req->req_body.from){
ALLOC(et.starttime);
start = *et.starttime = *req->req_body.from;
et.flags.invalid = 1;
et.flags.postdated = 1; /* XXX ??? */
}
_kdc_fix_time(&b->till);
t = *b->till;
/* be careful not overflowing */
if(client->entry.max_life)
t = start + min(t - start, *client->entry.max_life);
if(server->entry.max_life)
t = start + min(t - start, *server->entry.max_life);
#if 0
t = min(t, start + realm->max_life);
#endif
et.endtime = t;
if(f.renewable_ok && et.endtime < *b->till){
f.renewable = 1;
if(b->rtime == NULL){
ALLOC(b->rtime);
*b->rtime = 0;
}
if(*b->rtime < *b->till)
*b->rtime = *b->till;
}
if(f.renewable && b->rtime){
t = *b->rtime;
if(t == 0)
t = MAX_TIME;
if(client->entry.max_renew)
t = start + min(t - start, *client->entry.max_renew);
if(server->entry.max_renew)
t = start + min(t - start, *server->entry.max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
ALLOC(et.renew_till);
*et.renew_till = t;
et.flags.renewable = 1;
}
}
if (f.request_anonymous)
et.flags.anonymous = 1;
if(b->addresses){
ALLOC(et.caddr);
copy_HostAddresses(b->addresses, et.caddr);
}
et.transited.tr_type = DOMAIN_X500_COMPRESS;
krb5_data_zero(&et.transited.contents);
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
* as 0 and as 0x80 (meaning indefinite length) apart, and is thus
* incapable of correctly decoding SEQUENCE OF's of zero length.
*
* To fix this, always send at least one no-op last_req
*
* If there's a pw_end or valid_end we will use that,
* otherwise just a dummy lr.
*/
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
if (ek.last_req.val == NULL) {
ret = ENOMEM;
goto out;
}
ek.last_req.len = 0;
if (client->entry.pw_end
&& (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire >= *client->entry.pw_end)) {
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
++ek.last_req.len;
}
if (client->entry.valid_end) {
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
++ek.last_req.len;
}
if (ek.last_req.len == 0) {
ek.last_req.val[ek.last_req.len].lr_type = LR_NONE;
ek.last_req.val[ek.last_req.len].lr_value = 0;
++ek.last_req.len;
}
ek.nonce = b->nonce;
if (client->entry.valid_end || client->entry.pw_end) {
ALLOC(ek.key_expiration);
if (client->entry.valid_end) {
if (client->entry.pw_end)
*ek.key_expiration = min(*client->entry.valid_end,
*client->entry.pw_end);
else
*ek.key_expiration = *client->entry.valid_end;
} else
*ek.key_expiration = *client->entry.pw_end;
} else
ek.key_expiration = NULL;
ek.flags = et.flags;
ek.authtime = et.authtime;
if (et.starttime) {
ALLOC(ek.starttime);
*ek.starttime = *et.starttime;
}
ek.endtime = et.endtime;
if (et.renew_till) {
ALLOC(ek.renew_till);
*ek.renew_till = *et.renew_till;
}
copy_Realm(&rep.ticket.realm, &ek.srealm);
copy_PrincipalName(&rep.ticket.sname, &ek.sname);
if(et.caddr){
ALLOC(ek.caddr);
copy_HostAddresses(et.caddr, ek.caddr);
}
#if PKINIT
if (pkp) {
e_text = "Failed to build PK-INIT reply";
ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
sessionetype, req, req_buffer,
&reply_key, &et.key, rep.padata);
if (ret)
goto out;
ret = _kdc_add_inital_verified_cas(context,
config,
pkp,
&et);
if (ret)
goto out;
} else
#endif
{
ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
if (ret)
goto out;
}
if (reply_key == NULL) {
e_text = "Client have no reply key";
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
ret = copy_EncryptionKey(&et.key, &ek.key);
if (ret)
goto out;
if (rep.padata->len == 0) {
free(rep.padata);
rep.padata = NULL;
}
/* Add the PAC */
if (send_pac_p(context, req)) {
krb5_pac p = NULL;
krb5_data data;
ret = _kdc_pac_generate(context, client, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
client_name);
goto out;
}
if (p != NULL) {
ret = _krb5_pac_sign(context, p, et.authtime,
client->entry.principal,
&skey->key, /* Server key */
&skey->key, /* FIXME: should be krbtgt key */
&data);
krb5_pac_free(context, p);
if (ret) {
kdc_log(context, config, 0, "PAC signing failed for -- %s",
client_name);
goto out;
}
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
krb5_data_free(&data);
if (ret)
goto out;
}
}
_kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime,
et.endtime, et.renew_till);
/* do this as the last thing since this signs the EncTicketPart */
ret = _kdc_add_KRB5SignedPath(context,
config,
server,
setype,
client->entry.principal,
NULL,
NULL,
&et);
if (ret)
goto out;
log_as_req(context, config, reply_key->keytype, setype, b);
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, setype, server->entry.kvno,
&skey->key, client->entry.kvno,
reply_key, 0, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
if (ret)
goto out;
/* */
if (datagram_reply && reply->length > config->max_datagram_reply_length) {
krb5_data_free(reply);
ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
e_text = "Reply packet too large";
}
out:
free_AS_REP(&rep);
if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){
krb5_mk_error(context,
ret,
e_text,
(e_data.data ? &e_data : NULL),
client_princ,
server_princ,
NULL,
NULL,
reply);
ret = 0;
}
#ifdef PKINIT
if (pkp)
_kdc_pk_free_client_param(context, pkp);
#endif
if (e_data.data)
free(e_data.data);
if (client_princ)
krb5_free_principal(context, client_princ);
free(client_name);
if (server_princ)
krb5_free_principal(context, server_princ);
free(server_name);
if(client)
_kdc_free_ent(context, client);
if(server)
_kdc_free_ent(context, server);
return ret;
}
static krb5_error_code
process_chpw_request(krb5_context context, void *server_handle,
char *realm, int s, krb5_keytab keytab,
struct sockaddr_in *sin, krb5_data *req,
krb5_data *rep)
{
krb5_error_code ret;
char *ptr;
int plen, vno;
krb5_address local_kaddr, remote_kaddr;
int allocated_mem = 0;
krb5_data ap_req, ap_rep;
krb5_auth_context auth_context;
krb5_principal changepw;
krb5_ticket *ticket;
krb5_data cipher, clear;
struct sockaddr local_addr, remote_addr;
int addrlen;
krb5_replay_data replay;
krb5_error krberror;
int numresult;
char strresult[1024];
ret = 0;
rep->length = 0;
auth_context = NULL;
changepw = NULL;
ap_rep.length = 0;
ap_rep.data = NULL;
ticket = NULL;
clear.length = 0;
clear.data = NULL;
cipher.length = 0;
cipher.data = NULL;
if (req->length < 4) {
/*
* either this, or the server is printing bad messages,
* or the caller passed in garbage
*/
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
(void) strlcpy(strresult, "Request was truncated",
sizeof (strresult));
goto chpwfail;
}
ptr = req->data;
/*
* Verify length
*/
plen = (*ptr++ & 0xff);
plen = (plen<<8) | (*ptr++ & 0xff);
if (plen != req->length)
return (KRB5KRB_AP_ERR_MODIFIED);
/*
* Verify version number
*/
vno = (*ptr++ & 0xff);
vno = (vno<<8) | (*ptr++ & 0xff);
if (vno != 1) {
ret = KRB5KDC_ERR_BAD_PVNO;
numresult = KRB5_KPASSWD_MALFORMED;
(void) snprintf(strresult, sizeof (strresult),
"Request contained unknown protocol version number %d",
vno);
goto chpwfail;
}
/*
* Read, check ap-req length
*/
ap_req.length = (*ptr++ & 0xff);
ap_req.length = (ap_req.length<<8) | (*ptr++ & 0xff);
if (ptr + ap_req.length >= req->data + req->length) {
ret = KRB5KRB_AP_ERR_MODIFIED;
numresult = KRB5_KPASSWD_MALFORMED;
(void) strlcpy(strresult, "Request was truncated in AP-REQ",
sizeof (strresult));
goto chpwfail;
}
/*
* Verify ap_req
*/
ap_req.data = ptr;
ptr += ap_req.length;
if (ret = krb5_auth_con_init(context, &auth_context)) {
krb5_klog_syslog(LOG_ERR,
gettext("Change password request failed. "
"Failed initializing auth context: %s"),
error_message(ret));
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult, "Failed initializing auth context",
sizeof (strresult));
goto chpwfail;
}
if (ret = krb5_auth_con_setflags(context, auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
krb5_klog_syslog(LOG_ERR,
gettext("Change password request failed. "
"Failed setting auth "
"context flags: %s"),
error_message(ret));
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult, "Failed initializing auth context",
sizeof (strresult));
goto chpwfail;
}
if (ret = krb5_build_principal(context, &changepw, strlen(realm), realm,
"kadmin", "changepw", NULL)) {
krb5_klog_syslog(LOG_ERR,
gettext("Change password request failed "
"Failed to build kadmin/changepw "
"principal: %s"),
error_message(ret));
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Failed building kadmin/changepw principal",
sizeof (strresult));
goto chpwfail;
}
ret = krb5_rd_req(context, &auth_context, &ap_req, changepw, keytab,
NULL, &ticket);
if (ret) {
char kt_name[MAX_KEYTAB_NAME_LEN];
if (krb5_kt_get_name(context, keytab,
kt_name, sizeof (kt_name)))
strncpy(kt_name, "default keytab", sizeof (kt_name));
switch (ret) {
case KRB5_KT_NOTFOUND:
krb5_klog_syslog(LOG_ERR,
gettext("Change password request failed because "
"keytab entry \"kadmin/changepw\" "
"is missing from \"%s\""),
kt_name);
break;
case ENOENT:
krb5_klog_syslog(LOG_ERR,
gettext("Change password request failed because "
"keytab file \"%s\" does not exist"),
kt_name);
break;
default:
krb5_klog_syslog(LOG_ERR,
gettext("Change password request failed. "
"Failed to parse Kerberos AP_REQ message: %s"),
error_message(ret));
}
numresult = KRB5_KPASSWD_AUTHERROR;
(void) strlcpy(strresult, "Failed reading application request",
sizeof (strresult));
goto chpwfail;
}
/*
* Set up address info
*/
addrlen = sizeof (local_addr);
if (getsockname(s, &local_addr, &addrlen) < 0) {
ret = errno;
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Failed getting server internet address",
sizeof (strresult));
goto chpwfail;
}
/*
* Some brain-dead OS's don't return useful information from
* the getsockname call. Namely, windows and solaris.
*/
if (((struct sockaddr_in *)&local_addr)->sin_addr.s_addr != 0) {
local_kaddr.addrtype = ADDRTYPE_INET;
local_kaddr.length = sizeof (((struct sockaddr_in *)
&local_addr)->sin_addr);
/* CSTYLED */
local_kaddr.contents = (krb5_octet *) &(((struct sockaddr_in *)&local_addr)->sin_addr);
} else {
krb5_address **addrs;
krb5_os_localaddr(context, &addrs);
local_kaddr.magic = addrs[0]->magic;
local_kaddr.addrtype = addrs[0]->addrtype;
local_kaddr.length = addrs[0]->length;
if ((local_kaddr.contents = malloc(addrs[0]->length)) == 0) {
ret = errno;
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Malloc failed for local_kaddr",
sizeof (strresult));
goto chpwfail;
}
(void) memcpy(local_kaddr.contents, addrs[0]->contents,
addrs[0]->length);
allocated_mem++;
krb5_free_addresses(context, addrs);
}
addrlen = sizeof (remote_addr);
if (getpeername(s, &remote_addr, &addrlen) < 0) {
ret = errno;
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Failed getting client internet address",
sizeof (strresult));
goto chpwfail;
}
remote_kaddr.addrtype = ADDRTYPE_INET;
remote_kaddr.length = sizeof (((struct sockaddr_in *)
&remote_addr)->sin_addr);
/* CSTYLED */
remote_kaddr.contents = (krb5_octet *) &(((struct sockaddr_in *)&remote_addr)->sin_addr);
remote_kaddr.addrtype = ADDRTYPE_INET;
remote_kaddr.length = sizeof (sin->sin_addr);
remote_kaddr.contents = (krb5_octet *) &sin->sin_addr;
/*
* mk_priv requires that the local address be set.
* getsockname is used for this. rd_priv requires that the
* remote address be set. recvfrom is used for this. If
* rd_priv is given a local address, and the message has the
* recipient addr in it, this will be checked. However, there
* is simply no way to know ahead of time what address the
* message will be delivered *to*. Therefore, it is important
* that either no recipient address is in the messages when
* mk_priv is called, or that no local address is passed to
* rd_priv. Both is a better idea, and I have done that. In
* summary, when mk_priv is called, *only* a local address is
* specified. when rd_priv is called, *only* a remote address
* is specified. Are we having fun yet?
*/
if (ret = krb5_auth_con_setaddrs(context, auth_context, NULL,
&remote_kaddr)) {
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Failed storing client internet address",
sizeof (strresult));
goto chpwfail;
}
/*
* Verify that this is an AS_REQ ticket
*/
if (!(ticket->enc_part2->flags & TKT_FLG_INITIAL)) {
numresult = KRB5_KPASSWD_AUTHERROR;
(void) strlcpy(strresult,
"Ticket must be derived from a password",
sizeof (strresult));
goto chpwfail;
}
/*
* Construct the ap-rep
*/
if (ret = krb5_mk_rep(context, auth_context, &ap_rep)) {
numresult = KRB5_KPASSWD_AUTHERROR;
(void) strlcpy(strresult,
"Failed replying to application request",
sizeof (strresult));
goto chpwfail;
}
/*
* Decrypt the new password
*/
cipher.length = (req->data + req->length) - ptr;
cipher.data = ptr;
if (ret = krb5_rd_priv(context, auth_context, &cipher,
&clear, &replay)) {
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult, "Failed decrypting request",
sizeof (strresult));
goto chpwfail;
}
/*
* Change the password
*/
if ((ptr = (char *)malloc(clear.length + 1)) == NULL) {
ret = errno;
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult, "Malloc failed for ptr",
sizeof (strresult));
goto chpwfail;
}
(void) memcpy(ptr, clear.data, clear.length);
ptr[clear.length] = '\0';
ret = (kadm5_ret_t)kadm5_chpass_principal_util(server_handle,
ticket->enc_part2->client,
ptr, NULL, strresult,
sizeof (strresult));
/*
* Zap the password
*/
(void) memset(clear.data, 0, clear.length);
(void) memset(ptr, 0, clear.length);
if (clear.data != NULL) {
krb5_xfree(clear.data);
clear.data = NULL;
}
free(ptr);
clear.length = 0;
if (ret) {
if ((ret != KADM5_PASS_Q_TOOSHORT) &&
(ret != KADM5_PASS_REUSE) &&
(ret != KADM5_PASS_Q_CLASS) &&
(ret != KADM5_PASS_Q_DICT) &&
(ret != KADM5_PASS_TOOSOON))
numresult = KRB5_KPASSWD_HARDERROR;
else
numresult = KRB5_KPASSWD_SOFTERROR;
/*
* strresult set by kadb5_chpass_principal_util()
*/
goto chpwfail;
}
/*
* Success!
*/
numresult = KRB5_KPASSWD_SUCCESS;
(void) strlcpy(strresult, "", sizeof (strresult));
chpwfail:
clear.length = 2 + strlen(strresult);
if (clear.data != NULL) {
krb5_xfree(clear.data);
clear.data = NULL;
}
if ((clear.data = (char *)malloc(clear.length)) == NULL) {
ret = errno;
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult, "Malloc failed for clear.data",
sizeof (strresult));
}
cipher.length = 0;
if (ap_rep.length) {
if (ret = krb5_auth_con_setaddrs(context, auth_context,
&local_kaddr, NULL)) {
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Failed storing client and server internet addresses",
sizeof (strresult));
} else {
if (ret = krb5_mk_priv(context, auth_context, &clear,
&cipher, &replay)) {
numresult = KRB5_KPASSWD_HARDERROR;
(void) strlcpy(strresult,
"Failed encrypting reply",
sizeof (strresult));
}
}
}
ptr = clear.data;
*ptr++ = (numresult>>8) & 0xff;
*ptr++ = numresult & 0xff;
(void) memcpy(ptr, strresult, strlen(strresult));
/*
* If no KRB-PRIV was constructed, then we need a KRB-ERROR.
* If this fails, just bail. There's nothing else we can do.
*/
if (cipher.length == 0) {
/*
* Clear out ap_rep now, so that it won't be inserted
* in the reply
*/
if (ap_rep.length) {
if (ap_rep.data != NULL)
krb5_xfree(ap_rep.data);
ap_rep.data = NULL;
ap_rep.length = 0;
}
krberror.ctime = 0;
krberror.cusec = 0;
krberror.susec = 0;
if (ret = krb5_timeofday(context, &krberror.stime))
goto bailout;
/*
* This is really icky. but it's what all the other callers
* to mk_error do.
*/
krberror.error = ret;
krberror.error -= ERROR_TABLE_BASE_krb5;
if (krberror.error < 0 || krberror.error > 128)
krberror.error = KRB_ERR_GENERIC;
krberror.client = NULL;
if (ret = krb5_build_principal(context, &krberror.server,
strlen(realm), realm,
"kadmin", "changepw", NULL)) {
goto bailout;
}
krberror.text.length = 0;
krberror.e_data = clear;
ret = krb5_mk_error(context, &krberror, &cipher);
krb5_free_principal(context, krberror.server);
if (ret)
goto bailout;
}
/*
* Construct the reply
*/
rep->length = 6 + ap_rep.length + cipher.length;
if ((rep->data = (char *)malloc(rep->length)) == NULL) {
ret = errno;
goto bailout;
}
ptr = rep->data;
/*
* Length
*/
*ptr++ = (rep->length>>8) & 0xff;
*ptr++ = rep->length & 0xff;
/*
* Version == 0x0001 big-endian
*/
*ptr++ = 0;
*ptr++ = 1;
/*
* ap_rep length, big-endian
*/
*ptr++ = (ap_rep.length>>8) & 0xff;
*ptr++ = ap_rep.length & 0xff;
/*
* ap-rep data
*/
if (ap_rep.length) {
(void) memcpy(ptr, ap_rep.data, ap_rep.length);
ptr += ap_rep.length;
}
/*
* krb-priv or krb-error
*/
(void) memcpy(ptr, cipher.data, cipher.length);
bailout:
if (auth_context)
krb5_auth_con_free(context, auth_context);
if (changepw)
krb5_free_principal(context, changepw);
if (ap_rep.data != NULL)
krb5_xfree(ap_rep.data);
if (ticket)
krb5_free_ticket(context, ticket);
if (clear.data != NULL)
krb5_xfree(clear.data);
if (cipher.data != NULL)
krb5_xfree(cipher.data);
if (allocated_mem)
krb5_xfree(local_kaddr.contents);
return (ret);
}
