krb5_error_code
Z_krb5_init_keyblock(krb5_context context,
krb5_enctype type,
size_t size,
krb5_keyblock **key)
{
#ifdef HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE
return krb5_init_keyblock(context, type, size, key);
#else
krb5_error_code ret;
krb5_keyblock *tmp, tmp_ss;
tmp = &tmp_ss;
*key = NULL;
Z_enctype(tmp) = type;
Z_keylen(tmp) = size;
Z_keydata(tmp) = malloc(size);
if (!Z_keydata(tmp))
return ENOMEM;
ret = krb5_copy_keyblock(context, tmp, key);
free(Z_keydata(tmp));
return ret;
#endif
}
void
ZSetSessionDES(C_Block *key) {
#ifdef HAVE_KRB5
Code_t result;
if (__Zephyr_keyblock) {
krb5_free_keyblock(Z_krb5_ctx, __Zephyr_keyblock);
__Zephyr_keyblock=NULL;
}
result = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
sizeof(C_Block),
&__Zephyr_keyblock);
if (result) /*XXX we're out of memory? */
return;
memcpy(Z_keydata(__Zephyr_keyblock), key, sizeof(C_Block));
#else
memcpy(__Zephyr_session, key, sizeof(C_Block));
#endif
}
int
_GetSecurityObject(struct afscp_cell *cell)
{
int code = ENOENT;
#ifdef HAVE_KERBEROS
krb5_context context;
krb5_creds match;
krb5_creds *cred;
krb5_ccache cc;
char **realms, *realm;
struct afsconf_cell celldata;
char localcell[MAXCELLCHARS + 1];
struct rx_securityClass *sc;
struct ktc_encryptionKey k;
int i;
rxkad_level l;
code = _GetCellInfo(cell->name, &celldata);
if (code != 0) {
goto try_anon;
}
if (authas_name[0]) {
code = _GetLocalSecurityObject(cell, authas_name, authas_inst);
if (code == 0) {
return 0;
}
}
code = krb5_init_context(&context); /* see aklog.c main() */
if (code != 0) {
goto try_anon;
}
if (cell->realm == NULL) {
realm = NULL;
code = krb5_get_host_realm(context, celldata.hostName[0], &realms);
if (code == 0) {
strlcpy(localcell, realms[0], sizeof(localcell));
krb5_free_host_realm(context, realms);
realm = localcell;
} else
goto try_anon;
} else {
realm = cell->realm;
strlcpy(localcell, realm, MAXCELLCHARS + 1);
}
if (realm)
if (realm == NULL) {
for (i = 0; (i < MAXCELLCHARS && cell->name[i]); i++) {
if (isalpha(cell->name[i]))
localcell[i] = toupper(cell->name[i]);
else
localcell[i] = cell->name[i];
}
localcell[i] = '\0';
realm = localcell;
}
cc = NULL;
code = krb5_cc_default(context, &cc);
memset(&match, 0, sizeof(match));
Z_enctype(Z_credskey(&match)) = ENCTYPE_DES_CBC_CRC;
if (code == 0)
code = krb5_cc_get_principal(context, cc, &match.client);
if (code == 0)
code = krb5_build_principal(context, &match.server,
strlen(realm), realm,
"afs", cell->name, NULL);
if (code != 0) {
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
goto try_anon;
}
code = krb5_get_credentials(context, 0, cc, &match, &cred);
if (code != 0) {
krb5_free_principal(context, match.server);
match.server = NULL;
code = krb5_build_principal(context, &match.server,
strlen(realm), realm, "afs", NULL);
if (code == 0)
code = krb5_get_credentials(context, 0, cc, &match, &cred);
if (code != 0) {
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
goto try_anon;
}
}
if (insecure)
l = rxkad_clear;
else
l = rxkad_crypt;
memcpy(&k.data, Z_keydata(Z_credskey(cred)), 8);
sc = (struct rx_securityClass *)rxkad_NewClientSecurityObject
(l, &k, RXKAD_TKT_TYPE_KERBEROS_V5,
cred->ticket.length, cred->ticket.data);
krb5_free_creds(context, cred);
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
cell->security = sc;
cell->scindex = 2;
return 0;
try_anon:
#endif /* HAVE_KERBEROS */
if (try_anonymous)
return _GetNullSecurityObject(cell);
else
return code;
}
Code_t
ZFormatAuthenticNoticeV5(ZNotice_t *notice,
register char *buffer,
register int buffer_len,
int *len,
krb5_keyblock *keyblock)
{
ZNotice_t newnotice;
char *ptr;
int retval, hdrlen, hdr_adj;
krb5_enctype enctype;
krb5_cksumtype cksumtype;
#ifdef HAVE_KRB4
int key_len;
#endif
char *cksum_start, *cstart, *cend;
int cksum_len;
#ifdef HAVE_KRB4
key_len = Z_keylen(keyblock);
#endif
retval = Z_ExtractEncCksum(keyblock, &enctype, &cksumtype);
if (retval)
return (ZAUTH_FAILED);
#ifdef HAVE_KRB4
if (key_len == 8 && (enctype == (krb5_enctype)ENCTYPE_DES_CBC_CRC ||
enctype == (krb5_enctype)ENCTYPE_DES_CBC_MD4 ||
enctype == (krb5_enctype)ENCTYPE_DES_CBC_MD5)) {
C_Block tmp;
memcpy(&tmp, Z_keydata(keyblock), key_len);
return ZFormatAuthenticNotice(notice, buffer, buffer_len, len,
tmp);
}
#endif
newnotice = *notice;
newnotice.z_auth = 1;
newnotice.z_authent_len = 0;
newnotice.z_ascii_authent = "";
if ((retval = Z_NewFormatRawHeader(&newnotice, buffer, buffer_len,
&hdrlen,
&cksum_start, &cksum_len, &cstart,
&cend)) != ZERR_NONE)
return (retval);
/* we know this is only called by the server */
retval = Z_InsertZcodeChecksum(keyblock, &newnotice, buffer,
cksum_start, cksum_len, cstart, cend,
buffer_len, &hdr_adj, 1);
if (retval)
return retval;
hdrlen += hdr_adj;
ptr = buffer+hdrlen;
if (newnotice.z_message_len+hdrlen > buffer_len)
return (ZERR_PKTLEN);
(void) memcpy(ptr, newnotice.z_message, newnotice.z_message_len);
*len = hdrlen+newnotice.z_message_len;
if (*len > Z_MAXPKTLEN)
return (ZERR_PKTLEN);
return (ZERR_NONE);
}
Code_t
ZCheckSrvAuthentication(ZNotice_t *notice,
struct sockaddr_in *from,
char *realm)
{
#ifdef HAVE_KRB5
unsigned char *authbuf;
krb5_principal princ;
krb5_data packet;
krb5_ticket *tkt;
char *name;
krb5_error_code result;
krb5_principal server;
krb5_keytab keytabid = 0;
krb5_auth_context authctx;
krb5_keyblock *keyblock;
krb5_enctype enctype;
krb5_cksumtype cksumtype;
krb5_data cksumbuf;
int valid;
char *cksum0_base, *cksum1_base = NULL, *cksum2_base;
char *x;
unsigned char *asn1_data, *key_data, *cksum_data;
int asn1_len, key_len, cksum0_len = 0, cksum1_len = 0, cksum2_len = 0;
KRB5_AUTH_CON_FLAGS_TYPE acflags;
#ifdef KRB5_AUTH_CON_GETAUTHENTICATOR_TAKES_DOUBLE_POINTER
krb5_authenticator *authenticator;
#define KRB5AUTHENT authenticator
#else
krb5_authenticator authenticator;
#define KRB5AUTHENT &authenticator
#endif
int len;
char *sender;
char rlmprincipal[MAX_PRINCIPAL_SIZE];
if (!notice->z_auth)
return ZAUTH_NO;
/* Check for bogus authentication data length. */
if (notice->z_authent_len <= 0) {
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: bogus authenticator length");
return ZAUTH_FAILED;
}
#ifdef HAVE_KRB4
if (notice->z_ascii_authent[0] != 'Z' && realm == NULL)
return ZCheckAuthentication4(notice, from);
#endif
len = strlen(notice->z_ascii_authent)+1;
authbuf = malloc(len);
/* Read in the authentication data. */
if (ZReadZcode((unsigned char *)notice->z_ascii_authent,
authbuf,
len, &len) == ZERR_BADFIELD) {
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: ZReadZcode: Improperly formatted field");
return ZAUTH_FAILED;
}
if (realm == NULL) {
sender = notice->z_sender;
} else {
(void) snprintf(rlmprincipal, MAX_PRINCIPAL_SIZE, "%s/%s@%s", SERVER_SERVICE,
SERVER_INSTANCE, realm);
sender = rlmprincipal;
}
packet.length = len;
packet.data = (char *)authbuf;
result = krb5_kt_resolve(Z_krb5_ctx,
keytab_file, &keytabid);
if (result) {
free(authbuf);
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_kt_resolve: %s", error_message(result));
return ZAUTH_FAILED;
}
/* HOLDING: authbuf, keytabid */
/* Create the auth context */
result = krb5_auth_con_init(Z_krb5_ctx, &authctx);
if (result) {
krb5_kt_close(Z_krb5_ctx, keytabid);
free(authbuf);
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_init: %s", error_message(result));
return ZAUTH_FAILED;
}
/* HOLDING: authbuf, keytabid, authctx */
result = krb5_auth_con_getflags(Z_krb5_ctx, authctx, &acflags);
if (result) {
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_kt_close(Z_krb5_ctx, keytabid);
free(authbuf);
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_getflags: %s", error_message(result));
return ZAUTH_FAILED;
}
acflags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
result = krb5_auth_con_setflags(Z_krb5_ctx, authctx, acflags);
if (result) {
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_kt_close(Z_krb5_ctx, keytabid);
free(authbuf);
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_setflags: %s", error_message(result));
return ZAUTH_FAILED;
}
result = krb5_build_principal(Z_krb5_ctx, &server, strlen(__Zephyr_realm),
__Zephyr_realm, SERVER_SERVICE,
SERVER_INSTANCE, NULL);
if (!result) {
result = krb5_rd_req(Z_krb5_ctx, &authctx, &packet, server,
keytabid, NULL, &tkt);
krb5_free_principal(Z_krb5_ctx, server);
}
krb5_kt_close(Z_krb5_ctx, keytabid);
/* HOLDING: authbuf, authctx */
if (result) {
if (result == KRB5KRB_AP_ERR_REPEAT)
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: k5 auth failed: %s",
error_message(result));
else
syslog(LOG_WARNING,"ZCheckSrvAuthentication: k5 auth failed: %s",
error_message(result));
free(authbuf);
krb5_auth_con_free(Z_krb5_ctx, authctx);
return ZAUTH_FAILED;
}
/* HOLDING: authbuf, authctx, tkt */
if (tkt == 0 || !Z_tktprincp(tkt)) {
if (tkt)
krb5_free_ticket(Z_krb5_ctx, tkt);
free(authbuf);
krb5_auth_con_free(Z_krb5_ctx, authctx);
syslog(LOG_WARNING, "ZCheckSrvAuthentication: No Ticket");
return ZAUTH_FAILED;
}
princ = Z_tktprinc(tkt);
if (princ == 0) {
krb5_free_ticket(Z_krb5_ctx, tkt);
free(authbuf);
krb5_auth_con_free(Z_krb5_ctx, authctx);
syslog(LOG_WARNING, "ZCheckSrvAuthentication: No... Ticket?");
return ZAUTH_FAILED;
}
/* HOLDING: authbuf, authctx, tkt */
result = krb5_unparse_name(Z_krb5_ctx, princ, &name);
if (result) {
syslog(LOG_WARNING, "ZCheckSrvAuthentication: krb5_unparse_name failed: %s",
error_message(result));
free(authbuf);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_ticket(Z_krb5_ctx, tkt);
return ZAUTH_FAILED;
}
krb5_free_ticket(Z_krb5_ctx, tkt);
/* HOLDING: authbuf, authctx, name */
if (strcmp(name, sender)) {
syslog(LOG_WARNING, "ZCheckSrvAuthentication: name mismatch: '%s' vs '%s'",
name, sender);
krb5_auth_con_free(Z_krb5_ctx, authctx);
#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
krb5_free_unparsed_name(Z_krb5_ctx, name);
#else
free(name);
#endif
free(authbuf);
return ZAUTH_FAILED;
}
#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
krb5_free_unparsed_name(Z_krb5_ctx, name);
#else
free(name);
#endif
free(authbuf);
/* HOLDING: authctx */
/* Get an authenticator so we can get the keyblock */
result = krb5_auth_con_getauthenticator (Z_krb5_ctx, authctx,
&authenticator);
if (result) {
krb5_auth_con_free(Z_krb5_ctx, authctx);
syslog(LOG_WARNING, "ZCheckSrvAuthentication: krb5_auth_con_getauthenticator failed: %s",
error_message(result));
return ZAUTH_FAILED;
}
/* HOLDING: authctx, authenticator */
result = krb5_auth_con_getkey(Z_krb5_ctx, authctx, &keyblock);
if (result) {
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
syslog(LOG_WARNING, "ZCheckSrvAuthentication: krb5_auth_con_getkey failed: %s",
error_message(result));
return (ZAUTH_FAILED);
}
/* HOLDING: authctx, authenticator, keyblock */
/* Figure out what checksum type to use */
key_data = Z_keydata(keyblock);
key_len = Z_keylen(keyblock);
result = Z_ExtractEncCksum(keyblock, &enctype, &cksumtype);
if (result) {
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
syslog(LOG_WARNING, "ZCheckSrvAuthentication: Z_ExtractEncCksum failed: %s",
error_message(result));
return (ZAUTH_FAILED);
}
/* HOLDING: authctx, authenticator, keyblock */
if (realm == NULL)
ZSetSession(keyblock);
/* Assemble the things to be checksummed */
/* first part is from start of packet through z_default_format:
* - z_version
* - z_num_other_fields
* - z_kind
* - z_uid
* - z_port
* - z_auth
* - z_authent_len
* - z_ascii_authent
* - z_class
* - z_class_inst
* - z_opcode
* - z_sender
* - z_recipient
* - z_default_format
*/
cksum0_base = notice->z_packet;
x = notice->z_default_format;
cksum0_len = x + strlen(x) + 1 - cksum0_base;
/* second part is from z_multinotice through other fields:
* - z_multinotice
* - z_multiuid
* - z_sender_(sock)addr
* - z_charset
* - z_other_fields[]
*/
if (notice->z_num_hdr_fields > 15 ) {
cksum1_base = notice->z_multinotice;
if (notice->z_num_other_fields)
x = notice->z_other_fields[notice->z_num_other_fields - 1];
else {
/* see also ZCheckRealmAuthentication
and lib/ZCkZaut.c:ZCheckZcodeAuthentication */
/* XXXXXXXXXXXXXXXXXXXXXXX */
if (notice->z_num_hdr_fields > 16)
x = cksum1_base + strlen(cksum1_base) + 1; /* multinotice */
if (notice->z_num_hdr_fields > 17)
x = x + strlen(x) + 1; /* multiuid */
if (notice->z_num_hdr_fields > 18)
x = x + strlen(x) + 1; /* sender */
}
cksum1_len = x + strlen(x) + 1 - cksum1_base; /* charset / extra field */
}
/* last part is the message body */
cksum2_base = notice->z_message;
cksum2_len = notice->z_message_len;
/*XXX we may wish to ditch this code someday?*/
if ((!notice->z_ascii_checksum || *notice->z_ascii_checksum != 'Z') &&
key_len == 8 &&
(enctype == (krb5_enctype)ENCTYPE_DES_CBC_CRC ||
enctype == (krb5_enctype)ENCTYPE_DES_CBC_MD4 ||
enctype == (krb5_enctype)ENCTYPE_DES_CBC_MD5)) {
/* try old-format checksum (covers cksum0 only) */
ZChecksum_t our_checksum;
if (realm == NULL)
our_checksum = compute_checksum(notice, key_data);
else
our_checksum = compute_rlm_checksum(notice, key_data);
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
if (our_checksum == notice->z_checksum) {
return ZAUTH_YES;
} else {
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: des quad checksum mismatch");
return ZAUTH_FAILED;
}
}
/* HOLDING: authctx, authenticator */
cksumbuf.length = cksum0_len + cksum1_len + cksum2_len;
cksumbuf.data = malloc(cksumbuf.length);
if (!cksumbuf.data) {
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
syslog(LOG_ERR, "ZCheckSrvAuthentication: malloc(cksumbuf.data): %m");
return ZAUTH_FAILED;
}
/* HOLDING: authctx, authenticator, cksumbuf.data */
cksum_data = (unsigned char *)cksumbuf.data;
memcpy(cksum_data, cksum0_base, cksum0_len);
if (cksum1_len)
memcpy(cksum_data + cksum0_len, cksum1_base, cksum1_len);
memcpy(cksum_data + cksum0_len + cksum1_len,
cksum2_base, cksum2_len);
/* decode zcoded checksum */
/* The encoded form is always longer than the original */
asn1_len = strlen(notice->z_ascii_checksum) + 1;
asn1_data = malloc(asn1_len);
if (!asn1_data) {
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
free(cksumbuf.data);
syslog(LOG_ERR, "ZCheckSrvAuthentication: malloc(asn1_data): %m");
return ZAUTH_FAILED;
}
/* HOLDING: authctx, authenticator, cksumbuf.data, asn1_data */
result = ZReadZcode((unsigned char *)notice->z_ascii_checksum,
asn1_data, asn1_len, &asn1_len);
if (result != ZERR_NONE) {
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
free(asn1_data);
free(cksumbuf.data);
syslog(LOG_WARNING, "ZCheckSrvAuthentication: ZReadZcode: %s",
error_message(result));
return ZAUTH_FAILED;
}
/* HOLDING: asn1_data, cksumbuf.data, authctx, authenticator */
valid = Z_krb5_verify_cksum(keyblock, &cksumbuf, cksumtype,
Z_KEYUSAGE_CLT_CKSUM,
asn1_data, asn1_len);
/* XXX compatibility with unreleased interrealm krb5; drop in 3.1 */
if (!valid && realm)
valid = Z_krb5_verify_cksum(keyblock, &cksumbuf, cksumtype,
Z_KEYUSAGE_SRV_CKSUM,
asn1_data, asn1_len);
free(asn1_data);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
krb5_free_keyblock(Z_krb5_ctx, keyblock);
free(cksumbuf.data);
if (valid) {
return ZAUTH_YES;
} else {
syslog(LOG_DEBUG, "ZCheckSrvAuthentication: Z_krb5_verify_cksum: failed");
return ZAUTH_FAILED;
}
#else
return (notice->z_auth) ? ZAUTH_YES : ZAUTH_NO;
#endif
}
