int
tkt_MakeTicket(char *ticket, int *ticketLen, struct ktc_encryptionKey *key,
char *name, char *inst, char *cell, afs_uint32 start,
afs_uint32 end, struct ktc_encryptionKey *sessionKey,
afs_uint32 host, char *sname, char *sinst)
{
int code;
union Key_schedule_safe schedule;
*ticketLen = 0; /* in case we return early */
code =
assemble_athena_ticket(ticket, ticketLen, name, inst, cell, host,
sessionKey, start, end, sname, sinst);
*ticketLen = round_up_to_ebs(*ticketLen); /* round up */
if (code)
return -1;
/* encrypt ticket */
if ((code = key_sched(ktc_to_cblock(key), schedule.schedule))) {
printf("In tkt_MakeTicket: key_sched returned %d\n", code);
return RXKADBADKEY;
}
pcbc_encrypt(ticket, ticket, *ticketLen, schedule.schedule, ktc_to_cblockptr(key), ENCRYPT);
return 0;
}
int desInitKey( CRYPT_INFO *cryptInfo )
{
/* Call the libdes key schedule code. Returns with -1 if the key parity
is wrong, -2 if a weak key is used */
if( key_sched( ( C_Block * ) cryptInfo->userKey,
*( ( Key_schedule * ) cryptInfo->key ) ) )
return( CRYPT_BADPARM );
return( CRYPT_OK );
}
static void convert_passwd(char *buf, char *newpwd, const int keyfd)
{
uint8_t key[HEXPASSWDLEN];
Key_schedule schedule;
unsigned int i, j;
if (!newpwd) {
/* convert to binary */
for (i = j = 0; i < sizeof(key); i += 2, j++)
buf[j] = (unhex(buf[i]) << 4) | unhex(buf[i + 1]);
if (j <= DES_KEY_SZ)
memset(buf + j, 0, sizeof(key) - j);
}
if (keyfd > -1) {
lseek(keyfd, 0, SEEK_SET);
read(keyfd, key, sizeof(key));
/* convert to binary */
for (i = j = 0; i < sizeof(key); i += 2, j++)
key[j] = (unhex(key[i]) << 4) | unhex(key[i + 1]);
if (j <= DES_KEY_SZ)
memset(key + j, 0, sizeof(key) - j);
key_sched((C_Block *) key, schedule);
memset(key, 0, sizeof(key));
if (newpwd) {
ecb_encrypt((C_Block *) newpwd, (C_Block *) newpwd, schedule,
DES_ENCRYPT);
} else {
/* decrypt the password */
ecb_encrypt((C_Block *) buf, (C_Block *) buf, schedule, DES_DECRYPT);
}
memset(&schedule, 0, sizeof(schedule));
}
if (newpwd) {
const unsigned char hextable[] = "0123456789ABCDEF";
/* convert to hex */
for (i = j = 0; i < DES_KEY_SZ; i++, j += 2) {
buf[j] = hextable[(newpwd[i] & 0xF0) >> 4];
buf[j + 1] = hextable[newpwd[i] & 0x0F];
}
}
}
static int desTestLoop( DES_TEST *testData, int iterations, int operation )
{
BYTE temp[ DES_BLOCKSIZE ];
BYTE key[ DES_EXPANDED_KEYSIZE ];
int i;
for( i = 0; i < iterations; i++ )
{
memcpy( temp, testData[ i ].plaintext, DES_BLOCKSIZE );
key_sched( ( C_Block * ) testData[ i ].key,
*( ( Key_schedule * ) key ) );
des_ecb_encrypt( ( C_Block * ) temp, ( C_Block * ) temp,
*( ( Key_schedule * ) key ), operation );
if( memcmp( testData[ i ].ciphertext, temp, DES_BLOCKSIZE ) )
return( CRYPT_ERROR );
}
return( CRYPT_OK );
}
int krb_sendauth_udpchk(long options, LONG checksum, MSG_DAT *msg_data,
CREDENTIALS* cred, Key_schedule *schedule, struct sockaddr_in *laddr,
struct sockaddr_in *faddr, LPSTR packet)
{
int cc;
long tkt_len;
u_long cksum;
u_char priv_buf[1024];
/* mutual authentication, if desired */
if (options & KOPT_DO_MUTUAL) {
/* get the length of the reply */
bcopy(packet,(char*) &tkt_len, sizeof(tkt_len));
tkt_len = ntohl((unsigned long) tkt_len);
/* if the length is negative, the server failed to recognize us
*/
if ((tkt_len < 0) || (tkt_len > sizeof(priv_buf)))
return (KFAILURE); /* XXX */
/* read the reply... */
bcopy(packet+sizeof(tkt_len), (char *)priv_buf,
(int) tkt_len);
/* ...and decrypt it */
#ifndef NOENCRYPTION
key_sched(cred->session, *schedule);
#endif /* !NOENCRYPTION */
if (cc = krb_rd_priv(priv_buf, (unsigned long) tkt_len, *schedule,
cred->session, faddr, laddr, msg_data))
return (cc);
/* fetch the (modified) checksum */
(void) bcopy((char *)msg_data->app_data, (char *)&cksum,
sizeof(cksum));
cksum = ntohl(cksum);
/* if it doesn't match, fail */
if (cksum != checksum + 1)
return (KFAILURE); /* XXX */
}
return (KSUCCESS);
}
int
tkt_DecodeTicket(char *asecret, afs_int32 ticketLen,
struct ktc_encryptionKey *key, char *name, char *inst,
char *cell, struct ktc_encryptionKey *sessionKey, afs_int32 * host,
afs_uint32 * start, afs_uint32 * end)
{
char clear_ticket[MAXKTCTICKETLEN];
char *ticket;
union Key_schedule_safe schedule;
int code;
if (ticketLen == 0)
return RXKADBADTICKET; /* no ticket */
if ((ticketLen < MINKTCTICKETLEN) || /* minimum legal ticket size */
(ticketLen > MAXKTCTICKETLEN) || /* maximum legal ticket size */
((ticketLen) % 8 != 0)) /* enc. part must be (0 mod 8) bytes */
return RXKADBADTICKET;
if (key_sched(ktc_to_cblock(key), schedule.schedule))
return RXKADBADKEY;
ticket = clear_ticket;
pcbc_encrypt(asecret, ticket, ticketLen, schedule.schedule, ktc_to_cblockptr(key), DECRYPT);
code =
decode_athena_ticket(ticket, ticketLen, name, inst, cell, host,
(struct ktc_encryptionKey *)sessionKey, start, end);
if (code)
return RXKADBADTICKET;
code = tkt_CheckTimes(*start, *end, time(0));
if (code == 0)
return RXKADNOAUTH;
else if (code == -1)
return RXKADEXPIRED;
else if (code < -1)
return RXKADBADTICKET;
return 0;
}
main()
{
struct sockaddr_in foreign;
int foreign_len = sizeof(foreign);
int rval, more;
static char name[] = "kpasswdd";
static struct rlimit rl = { 0, 0 };
progname = name;
openlog("kpasswdd", LOG_CONS | LOG_PID, LOG_AUTH);
signal(SIGHUP, SIG_IGN);
signal(SIGINT, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
if(setrlimit(RLIMIT_CORE, &rl) < 0) {
syslog(LOG_ERR, "setrlimit: %m");
exit(1);
}
if(getpeername(0, &foreign, &foreign_len) < 0) {
syslog(LOG_ERR,"getpeername: %m");
exit(1);
}
strcpy(inst, "*");
rval = krb_recvauth(
0L, /* !MUTUAL */
0, /* file desc */
&ticket, /* client's ticket */
SERVICE, /* expected service */
inst, /* expected instance */
&foreign, /* foreign addr */
(struct sockaddr_in *) 0,
&kdata,
"",
(bit_64 *) NULL, /* key schedule */
version
);
if(rval != KSUCCESS) {
syslog(LOG_ERR, "krb_recvauth: %s", krb_err_txt[rval]);
cleanup();
exit(1);
}
/* get master key */
if(kdb_get_master_key(0, master_key, master_key_schedule) != 0) {
syslog(LOG_ERR, "couldn't get master key");
cleanup();
exit(1);
}
mkeyversion =
kdb_get_master_key(master_key, master_key_schedule, NULL);
if(mkeyversion < 0) {
syslog(LOG_NOTICE, "couldn't verify master key");
cleanup();
exit(1);
}
/* get principal info */
rval = kerb_get_principal(
kdata.pname,
kdata.pinst,
&principal_data,
1,
&more
);
if(rval != 1 || (more != 0)) {
syslog(LOG_NOTICE, "more than 1 entry for %s.%s",
kdata.pname, kdata.pinst);
cleanup();
exit(1);
}
/* get the user's key */
bcopy(&principal_data.key_low, key, 4);
bcopy(&principal_data.key_high, ((long *) key) + 1, 4);
kdb_encrypt_key(key, key, master_key, master_key_schedule,
DECRYPT);
key_sched(key, key_schedule);
des_set_key(key, key_schedule);
/* get random key and send it over {random} Kperson */
random_key(kpwd_data.random_key);
strcpy(kpwd_data.secure_msg, SECURE_STRING);
if(des_write(0, &kpwd_data, sizeof(kpwd_data)) != sizeof(kpwd_data)) {
syslog(LOG_ERR, "error writing initial data");
cleanup();
exit(1);
}
bzero(key, sizeof(key));
bzero(key_schedule, sizeof(key_schedule));
/* now read update info: { info }Krandom */
key_sched(kpwd_data.random_key, random_sched);
des_set_key(kpwd_data.random_key, random_sched);
if(des_read(0, &ud_data, sizeof(ud_data)) != sizeof(ud_data)) {
syslog(LOG_ERR, "update aborted");
cleanup();
exit(1);
}
/* validate info string by looking at the embedded string */
if(strcmp(ud_data.secure_msg, SECURE_STRING)) {
syslog(LOG_NOTICE, "invalid update from %s",
inet_ntoa(foreign.sin_addr));
cleanup();
exit(1);
}
/* produce the new key entry in the database { key }Kmaster */
string_to_key(ud_data.pw, key);
kdb_encrypt_key(key, key,
master_key, master_key_schedule,
ENCRYPT);
bcopy(key, &principal_data.key_low, 4);
bcopy(((long *) key) + 1,
&principal_data.key_high, 4);
bzero(key, sizeof(key));
principal_data.key_version++;
if(kerb_put_principal(&principal_data, 1)) {
syslog(LOG_ERR, "couldn't write new record for %s.%s",
principal_data.name, principal_data.instance);
cleanup();
exit(1);
}
syslog(LOG_NOTICE,"wrote new password field for %s.%s from %s",
principal_data.name,
principal_data.instance,
inet_ntoa(foreign.sin_addr)
);
send_ack(0, "Update complete.\n");
cleanup();
exit(0);
}
