int
_kafs_v4_to_kt(CREDENTIALS *c, uid_t uid, struct kafs_token *kt)
{
kt->ticket = NULL;
if (c->ticket_st.length > MAX_KTXT_LEN)
return EINVAL;
kt->ticket = malloc(c->ticket_st.length);
if (kt->ticket == NULL)
return ENOMEM;
kt->ticket_len = c->ticket_st.length;
memcpy(kt->ticket, c->ticket_st.dat, kt->ticket_len);
/*
* Build a struct ClearToken
*/
kt->ct.AuthHandle = c->kvno;
memcpy (kt->ct.HandShakeKey, c->session, sizeof(c->session));
kt->ct.ViceId = uid;
kt->ct.BeginTimestamp = c->issue_date;
kt->ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
_kafs_fixup_viceid(&kt->ct, uid);
return 0;
}
int
krb_mk_req(KTEXT authent,
char *service, char *instance, char *realm,
int32_t checksum)
#endif
{
CREDENTIALS cr;
KTEXT_ST req;
krb5_storage *sp;
int code;
/* XXX get user realm */
const char *myrealm = realm;
krb5_data a;
code = krb_get_cred(service, instance, realm, &cr);
if(code || time(NULL) > krb_life_to_time(cr.issue_date, cr.lifetime)){
code = get_ad_tkt((char *)service,
(char *)instance, (char *)realm, lifetime);
if(code == KSUCCESS)
code = krb_get_cred(service, instance, realm, &cr);
}
if(code)
return code;
sp = krb5_storage_emem();
krb5_store_int8(sp, KRB_PROT_VERSION);
krb5_store_int8(sp, AUTH_MSG_APPL_REQUEST);
krb5_store_int8(sp, cr.kvno);
krb5_store_stringz(sp, realm);
krb5_store_int8(sp, cr.ticket_st.length);
build_request(&req, cr.pname, cr.pinst, myrealm, checksum);
encrypt_ktext(&req, &cr.session, DES_ENCRYPT);
krb5_store_int8(sp, req.length);
krb5_storage_write(sp, cr.ticket_st.dat, cr.ticket_st.length);
krb5_storage_write(sp, req.dat, req.length);
krb5_storage_to_data(sp, &a);
krb5_storage_free(sp);
memcpy(authent->dat, a.data, a.length);
authent->length = a.length;
krb5_data_free(&a);
memset(&cr, 0, sizeof(cr));
memset(&req, 0, sizeof(req));
return KSUCCESS;
}
int
v4_prop(void *arg, struct v4_principal *p)
{
struct prop_data *pd = arg;
hdb_entry ent;
krb5_error_code ret;
memset(&ent, 0, sizeof(ent));
ret = krb5_425_conv_principal(pd->context, p->name, p->instance, v4_realm,
&ent.principal);
if(ret) {
krb5_warn(pd->context, ret,
"krb5_425_conv_principal %s.%s@%s",
p->name, p->instance, v4_realm);
return 0;
}
if(verbose_flag) {
char *s;
krb5_unparse_name_short(pd->context, ent.principal, &s);
krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s);
free(s);
}
ent.kvno = p->kvno;
ent.keys.len = 3;
ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val));
if(p->mkvno != -1) {
ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
*(ent.keys.val[0].mkvno) = p->mkvno;
} else
ent.keys.val[0].mkvno = NULL;
ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT;
ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
krb5_data_alloc(&ent.keys.val[0].key.keyvalue, DES_KEY_SZ);
memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8);
copy_Key(&ent.keys.val[0], &ent.keys.val[1]);
ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
copy_Key(&ent.keys.val[0], &ent.keys.val[2]);
ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
{
int life = krb_life_to_time(0, p->max_life);
if(life == NEVERDATE){
ent.max_life = NULL;
} else {
/* clean up lifetime a bit */
if(life > 86400)
life = (life + 86399) / 86400 * 86400;
else if(life > 3600)
life = (life + 3599) / 3600 * 3600;
ALLOC(ent.max_life);
*ent.max_life = life;
}
}
ALLOC(ent.valid_end);
*ent.valid_end = p->exp_date;
ret = krb5_make_principal(pd->context, &ent.created_by.principal,
v4_realm,
"kadmin",
"hprop",
NULL);
if(ret){
krb5_warn(pd->context, ret, "krb5_make_principal");
ret = 0;
goto out;
}
ent.created_by.time = time(NULL);
ALLOC(ent.modified_by);
ret = krb5_425_conv_principal(pd->context, p->mod_name, p->mod_instance,
v4_realm, &ent.modified_by->principal);
if(ret){
krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, v4_realm);
ent.modified_by->principal = NULL;
ret = 0;
goto out;
}
ent.modified_by->time = p->mod_date;
ent.flags.forwardable = 1;
ent.flags.renewable = 1;
ent.flags.proxiable = 1;
ent.flags.postdate = 1;
ent.flags.client = 1;
ent.flags.server = 1;
/* special case password changing service */
if(strcmp(p->name, "changepw") == 0 &&
strcmp(p->instance, "kerberos") == 0) {
ent.flags.forwardable = 0;
ent.flags.renewable = 0;
ent.flags.proxiable = 0;
ent.flags.postdate = 0;
ent.flags.initial = 1;
ent.flags.change_pw = 1;
}
ret = v5_prop(pd->context, NULL, &ent, pd);
if (strcmp (p->name, "krbtgt") == 0
&& strcmp (v4_realm, p->instance) != 0) {
krb5_free_principal (pd->context, ent.principal);
ret = krb5_425_conv_principal (pd->context, p->name,
v4_realm, p->instance,
&ent.principal);
if (ret == 0)
ret = v5_prop (pd->context, NULL, &ent, pd);
}
out:
hdb_free_entry(pd->context, &ent);
return ret;
}
void
kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
{
static KTEXT_ST rpkt_st;
KTEXT rpkt = &rpkt_st;
static KTEXT_ST ciph_st;
KTEXT ciph = &ciph_st;
static KTEXT_ST tk_st;
KTEXT tk = &tk_st;
static KTEXT_ST auth_st;
KTEXT auth = &auth_st;
AUTH_DAT ad_st;
AUTH_DAT *ad = &ad_st;
static struct in_addr client_host;
static int msg_byte_order;
static int swap_bytes;
static u_char k_flags;
/* char *p_name, *instance; */
int lifetime = 0;
int i;
C_Block key;
Key_schedule key_s;
char *ptr;
krb5_keyblock k5key;
krb5_kvno kvno;
krb5_deltat sk5life, ck5life;
KRB4_32 v4endtime, v4req_end;
k5key.contents = NULL; /* in case we have to free it */
ciph->length = 0;
client_host = client->sin_addr;
/* eval macros and correct the byte order and alignment as needed */
req_version = pkt_version(pkt); /* 1 byte, version */
req_msg_type = pkt_msg_type(pkt); /* 1 byte, Kerberos msg type */
/* set these to point to something safe */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
/* check if disabled, but we tell client */
if (kdc_v4 == KDC_V4_DISABLE) {
lt = klog(L_KRB_PERR,
"KRB will not handle v4 request from %s",
inet_ntoa(client_host));
/* send an error reply */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
return;
}
/* check packet version */
if (req_version != KRB_PROT_VERSION) {
lt = klog(L_KRB_PERR,
"KRB prot version mismatch: KRB =%d request = %d",
KRB_PROT_VERSION, req_version, 0);
/* send an error reply */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
return;
}
msg_byte_order = req_msg_type & 1;
swap_bytes = 0;
if (msg_byte_order != HOST_BYTE_ORDER) {
swap_bytes++;
}
klog(L_KRB_PINFO,
"Prot version: %d, Byte order: %d, Message type: %d",
(int) req_version, msg_byte_order, req_msg_type);
switch (req_msg_type & ~1) {
case AUTH_MSG_KDC_REQUEST:
{
int req_life; /* Requested liftime */
unsigned int request_backdate = 0; /*How far to backdate
in seconds.*/
char *service; /* Service name */
char *instance; /* Service instance */
#ifdef notdef
int kerno; /* Kerberos error number */
#endif
n_auth_req++;
tk->length = 0;
k_flags = 0; /* various kerberos flags */
/* set up and correct for byte order and alignment */
req_name_ptr = (char *) pkt_a_name(pkt);
str_length_check(req_name_ptr, ANAME_SZ);
req_inst_ptr = (char *) pkt_a_inst(pkt);
str_length_check(req_inst_ptr, INST_SZ);
req_realm_ptr = (char *) pkt_a_realm(pkt);
str_length_check(req_realm_ptr, REALM_SZ);
memcpy(&req_time_ws, pkt_time_ws(pkt), sizeof(req_time_ws));
/* time has to be diddled */
if (swap_bytes) {
swap_u_long(req_time_ws);
}
ptr = (char *) pkt_time_ws(pkt) + 4;
req_life = (*ptr++) & 0xff;
service = ptr;
str_length_check(service, SNAME_SZ);
instance = ptr + strlen(service) + 1;
str_length_check(instance, INST_SZ);
rpkt = &rpkt_st;
klog(L_INI_REQ,
"Initial ticket request Host: %s User: \"%s\" \"%s\"",
inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0);
if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
&a_name_data, &k5key, 0, &ck5life))) {
kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_low = a_name_data.key_high = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
return;
}
/* don't use k5key for client */
krb5_free_keyblock_contents(kdc_context, &k5key);
tk->length = 0; /* init */
if (strcmp(service, "krbtgt"))
klog(L_NTGT_INTK,
"INITIAL request from %s.%s for %s.%s", req_name_ptr,
req_inst_ptr, service, instance, 0);
/* this does all the checking */
if ((i = check_princ(service, instance, lifetime,
&s_name_data, &k5key, 1, &sk5life))) {
kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_high = a_name_data.key_low = 0;
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
return;
}
/* Bound requested lifetime with service and user */
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
v4req_end = min(v4req_end, kerb_time.tv_sec + ck5life);
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
/*
* Adjust issue time backwards if necessary, due to
* roundup in krb_time_to_life().
*/
if (v4endtime > v4req_end)
request_backdate = v4endtime - v4req_end;
#ifdef NOENCRYPTION
memset(session_key, 0, sizeof(C_Block));
#else
/* random session key */
des_new_random_key(session_key);
#endif
/* unseal server's key from master key */
memcpy( key, &s_name_data.key_low, 4);
memcpy( ((krb5_ui_4 *) key) + 1, &s_name_data.key_high, 4);
s_name_data.key_low = s_name_data.key_high = 0;
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
/* construct and seal the ticket */
/* We always issue des tickets; the 3des tickets are a broken hack*/
krb_create_ticket(tk, k_flags, a_name_data.name,
a_name_data.instance, local_realm,
client_host.s_addr, (char *) session_key,
lifetime, kerb_time.tv_sec - request_backdate,
s_name_data.name, s_name_data.instance,
key);
krb5_free_keyblock_contents(kdc_context, &k5key);
memset(key, 0, sizeof(key));
memset(key_s, 0, sizeof(key_s));
/*
* get the user's key, unseal it from the server's key, and
* use it to seal the cipher
*/
/* a_name_data.key_low a_name_data.key_high */
memcpy( key, &a_name_data.key_low, 4);
memcpy( ((krb5_ui_4 *) key) + 1, &a_name_data.key_high, 4);
a_name_data.key_low= a_name_data.key_high = 0;
/* unseal the a_name key from the master key */
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
create_ciph(ciph, session_key, s_name_data.name,
s_name_data.instance, local_realm, lifetime,
s_name_data.key_version, tk, kerb_time.tv_sec, key);
/* clear session key */
memset(session_key, 0, sizeof(session_key));
memset(key, 0, sizeof(key));
/* always send a reply packet */
rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
a_name_data.key_version, ciph);
krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
(struct sockaddr *) client, sizeof (struct sockaddr_in));
memset(&a_name_data, 0, sizeof(a_name_data));
memset(&s_name_data, 0, sizeof(s_name_data));
break;
}
case AUTH_MSG_APPL_REQUEST:
{
krb5_ui_4 time_ws; /* Workstation time */
int req_life; /* Requested liftime */
char *service; /* Service name */
char *instance; /* Service instance */
int kerno = 0; /* Kerberos error number */
unsigned int request_backdate = 0; /*How far to backdate
in seconds.*/
char tktrlm[REALM_SZ];
n_appl_req++;
tk->length = 0;
k_flags = 0; /* various kerberos flags */
auth->mbz = 0; /* pkt->mbz already zeroed */
auth->length = 4 + strlen((char *)pkt->dat + 3);
if (auth->length + 1 > MAX_KTXT_LEN) {
lt = klog(L_KRB_PERR,
"APPL request with realm length too long from %s",
inet_ntoa(client_host));
kerb_err_reply(client, pkt, RD_AP_INCON,
"realm length too long");
return;
}
auth->length += (int) *(pkt->dat + auth->length) +
(int) *(pkt->dat + auth->length + 1) + 2;
if (auth->length > MAX_KTXT_LEN) {
lt = klog(L_KRB_PERR,
"APPL request with funky tkt or req_id length from %s",
inet_ntoa(client_host));
kerb_err_reply(client, pkt, RD_AP_INCON,
"funky tkt or req_id length");
return;
}
memcpy(auth->dat, pkt->dat, auth->length);
strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ);
tktrlm[REALM_SZ-1] = '\0';
kvno = (krb5_kvno)auth->dat[2];
if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
lt = klog(L_ERR_UNK,
"Cross realm ticket from %s denied by policy,", tktrlm);
kerb_err_reply(client, pkt,
KERB_ERR_PRINCIPAL_UNKNOWN, lt);
return;
}
if (set_tgtkey(tktrlm, kvno, 0)) {
lt = klog(L_ERR_UNK,
"FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
kerb_err_reply(client, pkt,
KERB_ERR_PRINCIPAL_UNKNOWN, lt);
return;
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
if (kerno) {
if (set_tgtkey(tktrlm, kvno, 1)) {
lt = klog(L_ERR_UNK,
"FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
kerb_err_reply(client, pkt,
KERB_ERR_PRINCIPAL_UNKNOWN, lt);
return;
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
}
if (kerno) {
klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
inet_ntoa(client_host), krb_get_err_text(kerno));
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
return;
}
ptr = (char *) pkt->dat + auth->length;
memcpy(&time_ws, ptr, 4);
ptr += 4;
req_life = (*ptr++) & 0xff;
service = ptr;
str_length_check(service, SNAME_SZ);
instance = ptr + strlen(service) + 1;
str_length_check(instance, INST_SZ);
klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s",
ad->pname, ad->pinst, ad->prealm,
inet_ntoa(client_host), service, instance, 0);
req_name_ptr = ad->pname;
req_inst_ptr = ad->pinst;
req_realm_ptr = ad->prealm;
if (strcmp(ad->prealm, tktrlm)) {
kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
return;
}
if (!strcmp(service, "changepw")) {
kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password changed based on TGT");
return;
}
kerno = check_princ(service, instance, req_life,
&s_name_data, &k5key, 1, &sk5life);
if (kerno) {
kerb_err_reply(client, pkt, kerno, "check_princ failed");
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
return;
}
/* Bound requested lifetime with service and user */
v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
v4req_end = min(v4endtime, v4req_end);
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
/*
* Adjust issue time backwards if necessary, due to
* roundup in krb_time_to_life().
*/
if (v4endtime > v4req_end)
request_backdate = v4endtime - v4req_end;
/* unseal server's key from master key */
memcpy(key, &s_name_data.key_low, 4);
memcpy(((krb5_ui_4 *) key) + 1, &s_name_data.key_high, 4);
s_name_data.key_low = s_name_data.key_high = 0;
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
/* construct and seal the ticket */
#ifdef NOENCRYPTION
memset(session_key, 0, sizeof(C_Block));
#else
/* random session key */
des_new_random_key(session_key);
#endif
/* ALways issue des tickets*/
krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
ad->prealm, client_host.s_addr,
(char *) session_key, lifetime,
kerb_time.tv_sec - request_backdate,
s_name_data.name, s_name_data.instance,
key);
krb5_free_keyblock_contents(kdc_context, &k5key);
memset(key, 0, sizeof(key));
memset(key_s, 0, sizeof(key_s));
create_ciph(ciph, session_key, service, instance,
local_realm,
lifetime, s_name_data.key_version, tk,
kerb_time.tv_sec, ad->session);
/* clear session key */
memset(session_key, 0, sizeof(session_key));
memset(ad->session, 0, sizeof(ad->session));
rpkt = create_auth_reply(ad->pname, ad->pinst,
ad->prealm, time_ws,
0, 0, 0, ciph);
krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
(struct sockaddr *) client, sizeof (struct sockaddr_in));
memset(&s_name_data, 0, sizeof(s_name_data));
break;
}
#ifdef notdef_DIE
case AUTH_MSG_DIE:
{
lt = klog(L_DEATH_REQ,
"Host: %s User: \"%s\" \"%s\" Kerberos killed",
inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0);
exit(0);
}
#endif /* notdef_DIE */
default:
{
lt = klog(L_KRB_PERR,
"Unknown message type: %d from %s port %u",
req_msg_type, inet_ntoa(client_host),
ntohs(client->sin_port));
break;
}
}
}
