static krb5_boolean get_config_bool (krb5_context context, const char *realm, const char *name) { return krb5_config_get_bool (context, NULL, "realms", realm, name, NULL) || krb5_config_get_bool (context, NULL, "libdefaults", name, NULL); }
static krb5_error_code encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t, hdb_entry *server, EncryptedData *ticket, int *kvno) { krb5_error_code ret; int use_2b; size_t len; use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL); if(use_2b) { ASN1_MALLOC_ENCODE(EncryptedData, ticket->cipher.data, ticket->cipher.length, &t->enc_part, &len, ret); if (ret) { kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn); return ret; } ticket->etype = 0; ticket->kvno = NULL; *kvno = 213; /* 2b's use this magic kvno */ } else { unsigned char buf[MAX_KTXT_LEN + 4 * 4]; Key *skey; if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) { kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm, t->realm); return KRB5KDC_ERR_POLICY; } ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf), &et, &t->sname, &len); if(ret){ kdc_log(0, "Failed to encode v4 ticket (%s)", spn); return ret; } ret = get_des_key(server, TRUE, FALSE, &skey); if(ret){ kdc_log(0, "no suitable DES key for server (%s)", spn); return ret; } ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, &skey->key, ticket); if(ret){ kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn); return ret; } *kvno = server->kvno; } return 0; }
static int client_setup(krb5_context *ctx, int *argc, char **argv) { int optidx = 0; int port = 0; int status; setprogname (argv[0]); status = krb5_init_context (ctx); if (status) errx(1, "krb5_init_context failed: %d", status); forwardable = krb5_config_get_bool (*ctx, NULL, "libdefaults", "forwardable", NULL); if (getarg (args, num_args, *argc, argv, &optidx)) usage(1, args, num_args); if(help_flag) usage (0, args, num_args); if(version_flag) { print_version(NULL); exit(0); } if(port_str) { struct servent *s = roken_getservbyname(port_str, "tcp"); if(s) port = s->s_port; else { char *ptr; port = strtol (port_str, &ptr, 10); if (port == 0 && ptr == port_str) errx (1, "Bad port `%s'", port_str); port = htons(port); } } if (port == 0) port = krb5_getportbyname (*ctx, KF_PORT_NAME, "tcp", KF_PORT_NUM); if(*argc - optidx < 1) usage(1, args, num_args); *argc = optidx; return port; }
static krb5_boolean fail_verify_is_ok (krb5_context context, krb5_verify_init_creds_opt *options) { if ((options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL && options->ap_req_nofail != 0) || krb5_config_get_bool (context, NULL, "libdefaults", "verify_ap_req_nofail", NULL)) return FALSE; else return TRUE; }
krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal(krb5_context context, const char *name, const char *instance, const char *realm, krb5_principal *princ) { krb5_boolean resolve = krb5_config_get_bool(context, NULL, "libdefaults", "v4_instance_resolve", NULL); return krb5_425_conv_principal_ext(context, name, instance, realm, NULL, resolve, princ); }
krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv, int *optidx) { krb5_kdc_configuration *config; krb5_error_code ret; const char *p; *optidx = 0; while(getarg(args, num_args, argc, argv, optidx)) warnx("error at argument `%s'", argv[*optidx]); if(help_flag) usage (0); if (version_flag) { print_version(NULL); exit(0); } if (builtin_hdb_flag) { char *list; ret = hdb_list_builtin(context, &list); if (ret) krb5_err(context, 1, ret, "listing builtin hdb backends"); printf("builtin hdb backends: %s\n", list); free(list); exit(0); } { char **files; int aret; if (config_file == NULL) { aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)); if (aret == -1 || config_file == NULL) errx(1, "out of memory"); } ret = krb5_prepend_config_files_default(config_file, &files); if (ret) krb5_err(context, 1, ret, "getting configuration files"); ret = krb5_set_config_files(context, files); krb5_free_config_files(files); if(ret) krb5_err(context, 1, ret, "reading configuration files"); } ret = krb5_kdc_get_config(context, &config); if (ret) krb5_err(context, 1, ret, "krb5_kdc_default_config"); kdc_openlog(context, "kdc", config); ret = krb5_kdc_set_dbinfo(context, config); if (ret) krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo"); if(max_request_str) max_request_tcp = max_request_udp = parse_bytes(max_request_str, NULL); if(max_request_tcp == 0){ p = krb5_config_get_string (context, NULL, "kdc", "max-request", NULL); if(p) max_request_tcp = max_request_udp = parse_bytes(p, NULL); } if(require_preauth != -1) config->require_preauth = require_preauth; if(port_str == NULL){ p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); if (p != NULL) port_str = strdup(p); } explicit_addresses.len = 0; if (addresses_str.num_strings) { int i; for (i = 0; i < addresses_str.num_strings; ++i) add_one_address (context, addresses_str.strings[i], i == 0); free_getarg_strings (&addresses_str); } else { char **foo = krb5_config_get_strings (context, NULL, "kdc", "addresses", NULL); if (foo != NULL) { add_one_address (context, *foo++, TRUE); while (*foo) add_one_address (context, *foo++, FALSE); } } if(enable_http == -1) enable_http = krb5_config_get_bool(context, NULL, "kdc", "enable-http", NULL); if(request_log == NULL) request_log = krb5_config_get_string(context, NULL, "kdc", "kdc-request-log", NULL); if (krb5_config_get_string(context, NULL, "kdc", "enforce-transited-policy", NULL)) krb5_errx(context, 1, "enforce-transited-policy deprecated, " "use [kdc]transited-policy instead"); #ifdef SUPPORT_DETACH if(detach_from_console == -1) detach_from_console = krb5_config_get_bool_default(context, NULL, DETACH_IS_DEFAULT, "kdc", "detach", NULL); #endif /* SUPPORT_DETACH */ if(max_request_tcp == 0) max_request_tcp = 64 * 1024; if(max_request_udp == 0) max_request_udp = 64 * 1024; if (port_str == NULL) port_str = "+"; if(disable_des == -1) disable_des = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", "disable-des", NULL); if(disable_des) { krb5_enctype_disable(context, ETYPE_DES_CBC_CRC); krb5_enctype_disable(context, ETYPE_DES_CBC_MD4); krb5_enctype_disable(context, ETYPE_DES_CBC_MD5); krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); } krb5_kdc_windc_init(context); krb5_kdc_pkinit_config(context, config); return config; }
int _krb5_extract_ticket(krb5_context context, krb5_kdc_rep *rep, krb5_creds *creds, krb5_keyblock *key, krb5_const_pointer keyseed, krb5_key_usage key_usage, krb5_addresses *addrs, unsigned nonce, unsigned flags, krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg) { krb5_error_code ret; krb5_principal tmp_principal; size_t len = 0; time_t tmp_time; krb5_timestamp sec_now; /* decrypt */ if (decrypt_proc == NULL) decrypt_proc = decrypt_tkt; ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep); if (ret) goto out; /* save session key */ creds->session.keyvalue.length = 0; creds->session.keyvalue.data = NULL; creds->session.keytype = rep->enc_part.key.keytype; ret = krb5_data_copy (&creds->session.keyvalue, rep->enc_part.key.keyvalue.data, rep->enc_part.key.keyvalue.length); if (ret) { krb5_clear_error_message(context); goto out; } /* compare client and save */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, rep->kdc_rep.cname, rep->kdc_rep.crealm); if (ret) goto out; /* check client referral and save principal */ /* anonymous here ? */ if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) { ret = check_client_referral(context, rep, creds->client, tmp_principal, &creds->session); if (ret) { krb5_free_principal (context, tmp_principal); goto out; } } krb5_free_principal (context, creds->client); creds->client = tmp_principal; /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, rep->kdc_rep.ticket.sname, rep->kdc_rep.ticket.realm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ ret = check_server_referral(context, rep, flags, creds->server, tmp_principal, &creds->session); if (ret) { krb5_free_principal (context, tmp_principal); goto out; } } krb5_free_principal(context, creds->server); creds->server = tmp_principal; /* verify names */ if(flags & EXTRACT_TICKET_MATCH_REALM){ const char *srealm = krb5_principal_get_realm(context, creds->server); const char *crealm = krb5_principal_get_realm(context, creds->client); if (strcmp(rep->enc_part.srealm, srealm) != 0 || strcmp(rep->enc_part.srealm, crealm) != 0) { ret = KRB5KRB_AP_ERR_MODIFIED; krb5_clear_error_message(context); goto out; } } /* compare nonces */ if (nonce != (unsigned)rep->enc_part.nonce) { ret = KRB5KRB_AP_ERR_MODIFIED; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } /* set kdc-offset */ krb5_timeofday (context, &sec_now); if (rep->enc_part.flags.initial && (flags & EXTRACT_TICKET_TIMESYNC) && context->kdc_sec_offset == 0 && krb5_config_get_bool (context, NULL, "libdefaults", "kdc_timesync", NULL)) { context->kdc_sec_offset = rep->enc_part.authtime - sec_now; krb5_timeofday (context, &sec_now); } /* check all times */ if (rep->enc_part.starttime) { tmp_time = *rep->enc_part.starttime; } else tmp_time = rep->enc_part.authtime; if (creds->times.starttime == 0 && abs(tmp_time - sec_now) > context->max_skew) { ret = KRB5KRB_AP_ERR_SKEW; krb5_set_error_message (context, ret, N_("time skew (%d) larger than max (%d)", ""), abs(tmp_time - sec_now), (int)context->max_skew); goto out; } if (creds->times.starttime != 0 && tmp_time != creds->times.starttime) { krb5_clear_error_message (context); ret = KRB5KRB_AP_ERR_MODIFIED; goto out; } creds->times.starttime = tmp_time; if (rep->enc_part.renew_till) { tmp_time = *rep->enc_part.renew_till; } else tmp_time = 0; if (creds->times.renew_till != 0 && tmp_time > creds->times.renew_till) { krb5_clear_error_message (context); ret = KRB5KRB_AP_ERR_MODIFIED; goto out; } creds->times.renew_till = tmp_time; creds->times.authtime = rep->enc_part.authtime; if (creds->times.endtime != 0 && rep->enc_part.endtime > creds->times.endtime) { krb5_clear_error_message (context); ret = KRB5KRB_AP_ERR_MODIFIED; goto out; } creds->times.endtime = rep->enc_part.endtime; if(rep->enc_part.caddr) krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses); else if(addrs) krb5_copy_addresses (context, addrs, &creds->addresses); else { creds->addresses.len = 0; creds->addresses.val = NULL; } creds->flags.b = rep->enc_part.flags; creds->authdata.len = 0; creds->authdata.val = NULL; /* extract ticket */ ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, &rep->kdc_rep.ticket, &len, ret); if(ret) goto out; if (creds->ticket.length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); creds->second_ticket.length = 0; creds->second_ticket.data = NULL; out: memset (rep->enc_part.key.keyvalue.data, 0, rep->enc_part.key.keyvalue.length); return ret; }
krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv) { krb5_kdc_configuration *config; krb5_error_code ret; int optidx = 0; const char *p; while(getarg(args, num_args, argc, argv, &optidx)) warnx("error at argument `%s'", argv[optidx]); if(help_flag) usage (0); if (version_flag) { print_version(NULL); exit(0); } if (builtin_hdb_flag) { char *list; ret = hdb_list_builtin(context, &list); if (ret) krb5_err(context, 1, ret, "listing builtin hdb backends"); printf("builtin hdb backends: %s\n", list); free(list); exit(0); } argc -= optidx; argv += optidx; if (argc != 0) usage(1); { char **files; if (config_file == NULL) { asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)); if (config_file == NULL) errx(1, "out of memory"); } ret = krb5_prepend_config_files_default(config_file, &files); if (ret) krb5_err(context, 1, ret, "getting configuration files"); ret = krb5_set_config_files(context, files); krb5_free_config_files(files); if(ret) krb5_err(context, 1, ret, "reading configuration files"); } ret = krb5_kdc_get_config(context, &config); if (ret) krb5_err(context, 1, ret, "krb5_kdc_default_config"); kdc_openlog(context, "kdc", config); ret = krb5_kdc_set_dbinfo(context, config); if (ret) krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo"); if(max_request_str) max_request_tcp = max_request_udp = parse_bytes(max_request_str, NULL); if(max_request_tcp == 0){ p = krb5_config_get_string (context, NULL, "kdc", "max-request", NULL); if(p) max_request_tcp = max_request_udp = parse_bytes(p, NULL); } if(require_preauth != -1) config->require_preauth = require_preauth; if(port_str == NULL){ p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); if (p != NULL) port_str = strdup(p); } explicit_addresses.len = 0; if (addresses_str.num_strings) { int i; for (i = 0; i < addresses_str.num_strings; ++i) add_one_address (context, addresses_str.strings[i], i == 0); free_getarg_strings (&addresses_str); } else { char **foo = krb5_config_get_strings (context, NULL, "kdc", "addresses", NULL); if (foo != NULL) { add_one_address (context, *foo++, TRUE); while (*foo) add_one_address (context, *foo++, FALSE); } } if(enable_v4 != -1) config->enable_v4 = enable_v4; if(enable_v4_cross_realm != -1) config->enable_v4_cross_realm = enable_v4_cross_realm; if(enable_524 != -1) config->enable_524 = enable_524; if(enable_http == -1) enable_http = krb5_config_get_bool(context, NULL, "kdc", "enable-http", NULL); if(request_log == NULL) request_log = krb5_config_get_string(context, NULL, "kdc", "kdc-request-log", NULL); if (krb5_config_get_string(context, NULL, "kdc", "enforce-transited-policy", NULL)) krb5_errx(context, 1, "enforce-transited-policy deprecated, " "use [kdc]transited-policy instead"); if (enable_kaserver != -1) config->enable_kaserver = enable_kaserver; #ifdef SUPPORT_DETACH if(detach_from_console == -1) detach_from_console = krb5_config_get_bool_default(context, NULL, DETACH_IS_DEFAULT, "kdc", "detach", NULL); #endif /* SUPPORT_DETACH */ if(max_request_tcp == 0) max_request_tcp = 64 * 1024; if(max_request_udp == 0) max_request_udp = 64 * 1024; if (port_str == NULL) port_str = "+"; if (v4_realm) config->v4_realm = v4_realm; if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)) krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured"); if(disable_des == -1) disable_des = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", "disable-des", NULL); if(disable_des) { krb5_enctype_disable(context, ETYPE_DES_CBC_CRC); krb5_enctype_disable(context, ETYPE_DES_CBC_MD4); krb5_enctype_disable(context, ETYPE_DES_CBC_MD5); krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); kdc_log(context, config, 0, "DES was disabled, turned off Kerberos V4, 524 " "and kaserver"); config->enable_v4 = 0; config->enable_524 = 0; config->enable_kaserver = 0; } krb5_kdc_windc_init(context); #ifdef PKINIT #ifdef __APPLE__ config->enable_pkinit = 1; if (config->pkinit_kdc_identity == NULL) { if (config->pkinit_kdc_friendly_name == NULL) config->pkinit_kdc_friendly_name = strdup("O=System Identity,CN=com.apple.kerberos.kdc"); config->pkinit_kdc_identity = strdup("KEYCHAIN:"); } if (config->pkinit_kdc_anchors == NULL) config->pkinit_kdc_anchors = strdup("KEYCHAIN:"); #endif /* __APPLE__ */ if (config->enable_pkinit) { if (config->pkinit_kdc_identity == NULL) krb5_errx(context, 1, "pkinit enabled but no identity"); if (config->pkinit_kdc_anchors == NULL) krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); krb5_kdc_pk_initialize(context, config, config->pkinit_kdc_identity, config->pkinit_kdc_anchors, config->pkinit_kdc_cert_pool, config->pkinit_kdc_revoke); } #endif /* PKINIT */ return config; }