1 /*
2 * Copyright (c) 1997 - 2006 Kungliga Tekniska H�gskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 #include <krb5-v4compat.h>
37
38 RCSID("$Id: kerberos4.c,v 1.63 2006/10/08 13:43:27 lha Exp $");
39
40 #ifndef swap32
41 static uint32_t
swap32(uint32_t x)42 swap32(uint32_t x)
43 {
44 return ((x << 24) & 0xff000000) |
45 ((x << 8) & 0xff0000) |
46 ((x >> 8) & 0xff00) |
47 ((x >> 24) & 0xff);
48 }
49 #endif /* swap32 */
50
51 int
_kdc_maybe_version4(unsigned char * buf,int len)52 _kdc_maybe_version4(unsigned char *buf, int len)
53 {
54 return len > 0 && *buf == 4;
55 }
56
57 static void
make_err_reply(krb5_context context,krb5_data * reply,int code,const char * msg)58 make_err_reply(krb5_context context, krb5_data *reply,
59 int code, const char *msg)
60 {
61 _krb5_krb_cr_err_reply(context, "", "", "",
62 kdc_time, code, msg, reply);
63 }
64
65 struct valid_princ_ctx {
66 krb5_kdc_configuration *config;
67 unsigned flags;
68 };
69
70 static krb5_boolean
valid_princ(krb5_context context,void * funcctx,krb5_principal princ)71 valid_princ(krb5_context context,
72 void *funcctx,
73 krb5_principal princ)
74 {
75 struct valid_princ_ctx *ctx = funcctx;
76 krb5_error_code ret;
77 char *s;
78 hdb_entry_ex *ent;
79
80 ret = krb5_unparse_name(context, princ, &s);
81 if (ret)
82 return FALSE;
83 ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
84 if (ret) {
85 kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
86 krb5_get_err_text (context, ret));
87 free(s);
88 return FALSE;
89 }
90 kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
91 free(s);
92 _kdc_free_ent(context, ent);
93 return TRUE;
94 }
95
96 krb5_error_code
_kdc_db_fetch4(krb5_context context,krb5_kdc_configuration * config,const char * name,const char * instance,const char * realm,unsigned flags,hdb_entry_ex ** ent)97 _kdc_db_fetch4(krb5_context context,
98 krb5_kdc_configuration *config,
99 const char *name, const char *instance, const char *realm,
100 unsigned flags,
101 hdb_entry_ex **ent)
102 {
103 krb5_principal p;
104 krb5_error_code ret;
105 struct valid_princ_ctx ctx;
106
107 ctx.config = config;
108 ctx.flags = flags;
109
110 ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
111 valid_princ, &ctx, 0, &p);
112 if(ret)
113 return ret;
114 ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
115 krb5_free_principal(context, p);
116 return ret;
117 }
118
119 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
120
121 /*
122 * Process the v4 request in `buf, len' (received from `addr'
123 * (with string `from').
124 * Return an error code and a reply in `reply'.
125 */
126
127 krb5_error_code
_kdc_do_version4(krb5_context context,krb5_kdc_configuration * config,unsigned char * buf,size_t len,krb5_data * reply,const char * from,struct sockaddr_in * addr)128 _kdc_do_version4(krb5_context context,
129 krb5_kdc_configuration *config,
130 unsigned char *buf,
131 size_t len,
132 krb5_data *reply,
133 const char *from,
134 struct sockaddr_in *addr)
135 {
136 krb5_storage *sp;
137 krb5_error_code ret;
138 hdb_entry_ex *client = NULL, *server = NULL;
139 Key *ckey, *skey;
140 int8_t pvno;
141 int8_t msg_type;
142 int lsb;
143 char *name = NULL, *inst = NULL, *realm = NULL;
144 char *sname = NULL, *sinst = NULL;
145 int32_t req_time;
146 time_t max_life;
147 uint8_t life;
148 char client_name[256];
149 char server_name[256];
150
151 if(!config->enable_v4) {
152 kdc_log(context, config, 0,
153 "Rejected version 4 request from %s", from);
154 make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
155 return 0;
156 }
157
158 sp = krb5_storage_from_mem(buf, len);
159 RCHECK(krb5_ret_int8(sp, &pvno), out);
160 if(pvno != 4){
161 kdc_log(context, config, 0,
162 "Protocol version mismatch (krb4) (%d)", pvno);
163 make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
164 goto out;
165 }
166 RCHECK(krb5_ret_int8(sp, &msg_type), out);
167 lsb = msg_type & 1;
168 msg_type &= ~1;
169 switch(msg_type){
170 case AUTH_MSG_KDC_REQUEST: {
171 krb5_data ticket, cipher;
172 krb5_keyblock session;
173
174 krb5_data_zero(&ticket);
175 krb5_data_zero(&cipher);
176
177 RCHECK(krb5_ret_stringz(sp, &name), out1);
178 RCHECK(krb5_ret_stringz(sp, &inst), out1);
179 RCHECK(krb5_ret_stringz(sp, &realm), out1);
180 RCHECK(krb5_ret_int32(sp, &req_time), out1);
181 if(lsb)
182 req_time = swap32(req_time);
183 RCHECK(krb5_ret_uint8(sp, &life), out1);
184 RCHECK(krb5_ret_stringz(sp, &sname), out1);
185 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
186 snprintf (client_name, sizeof(client_name),
187 "%s.%s@%s", name, inst, realm);
188 snprintf (server_name, sizeof(server_name),
189 "%s.%s@%s", sname, sinst, config->v4_realm);
190
191 kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
192 client_name, from, server_name);
193
194 ret = _kdc_db_fetch4(context, config, name, inst, realm,
195 HDB_F_GET_CLIENT, &client);
196 if(ret) {
197 kdc_log(context, config, 0, "Client not found in database: %s: %s",
198 client_name, krb5_get_err_text(context, ret));
199 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
200 "principal unknown");
201 goto out1;
202 }
203 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
204 HDB_F_GET_SERVER, &server);
205 if(ret){
206 kdc_log(context, config, 0, "Server not found in database: %s: %s",
207 server_name, krb5_get_err_text(context, ret));
208 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
209 "principal unknown");
210 goto out1;
211 }
212
213 ret = _kdc_check_flags (context, config,
214 client, client_name,
215 server, server_name,
216 TRUE);
217 if (ret) {
218 /* good error code? */
219 make_err_reply(context, reply, KERB_ERR_NAME_EXP,
220 "operation not allowed");
221 goto out1;
222 }
223
224 if (config->enable_v4_per_principal &&
225 client->entry.flags.allow_kerberos4 == 0)
226 {
227 kdc_log(context, config, 0,
228 "Per principal Kerberos 4 flag not turned on for %s",
229 client_name);
230 make_err_reply(context, reply, KERB_ERR_NULL_KEY,
231 "allow kerberos4 flag required");
232 goto out1;
233 }
234
235 /*
236 * There's no way to do pre-authentication in v4 and thus no
237 * good error code to return if preauthentication is required.
238 */
239
240 if (config->require_preauth
241 || client->entry.flags.require_preauth
242 || server->entry.flags.require_preauth) {
243 kdc_log(context, config, 0,
244 "Pre-authentication required for v4-request: "
245 "%s for %s",
246 client_name, server_name);
247 make_err_reply(context, reply, KERB_ERR_NULL_KEY,
248 "preauth required");
249 goto out1;
250 }
251
252 ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
253 if(ret){
254 kdc_log(context, config, 0, "no suitable DES key for client");
255 make_err_reply(context, reply, KDC_NULL_KEY,
256 "no suitable DES key for client");
257 goto out1;
258 }
259
260 #if 0
261 /* this is not necessary with the new code in libkrb */
262 /* find a properly salted key */
263 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
264 ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
265 if(ret){
266 kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
267 name, inst, realm);
268 make_err_reply(context, reply, KDC_NULL_KEY,
269 "No version-4 salted key in database");
270 goto out1;
271 }
272 #endif
273
274 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
275 if(ret){
276 kdc_log(context, config, 0, "no suitable DES key for server");
277 /* XXX */
278 make_err_reply(context, reply, KDC_NULL_KEY,
279 "no suitable DES key for server");
280 goto out1;
281 }
282
283 max_life = _krb5_krb_life_to_time(0, life);
284 if(client->entry.max_life)
285 max_life = min(max_life, *client->entry.max_life);
286 if(server->entry.max_life)
287 max_life = min(max_life, *server->entry.max_life);
288
289 life = krb_time_to_life(kdc_time, kdc_time + max_life);
290
291 ret = krb5_generate_random_keyblock(context,
292 ETYPE_DES_PCBC_NONE,
293 &session);
294 if (ret) {
295 make_err_reply(context, reply, KFAILURE,
296 "Not enough random i KDC");
297 goto out1;
298 }
299
300 ret = _krb5_krb_create_ticket(context,
301 0,
302 name,
303 inst,
304 config->v4_realm,
305 addr->sin_addr.s_addr,
306 &session,
307 life,
308 kdc_time,
309 sname,
310 sinst,
311 &skey->key,
312 &ticket);
313 if (ret) {
314 krb5_free_keyblock_contents(context, &session);
315 make_err_reply(context, reply, KFAILURE,
316 "failed to create v4 ticket");
317 goto out1;
318 }
319
320 ret = _krb5_krb_create_ciph(context,
321 &session,
322 sname,
323 sinst,
324 config->v4_realm,
325 life,
326 server->entry.kvno % 255,
327 &ticket,
328 kdc_time,
329 &ckey->key,
330 &cipher);
331 krb5_free_keyblock_contents(context, &session);
332 krb5_data_free(&ticket);
333 if (ret) {
334 make_err_reply(context, reply, KFAILURE,
335 "Failed to create v4 cipher");
336 goto out1;
337 }
338
339 ret = _krb5_krb_create_auth_reply(context,
340 name,
341 inst,
342 realm,
343 req_time,
344 0,
345 client->entry.pw_end ? *client->entry.pw_end : 0,
346 client->entry.kvno % 256,
347 &cipher,
348 reply);
349 krb5_data_free(&cipher);
350
351 out1:
352 break;
353 }
354 case AUTH_MSG_APPL_REQUEST: {
355 struct _krb5_krb_auth_data ad;
356 int8_t kvno;
357 int8_t ticket_len;
358 int8_t req_len;
359 krb5_data auth;
360 int32_t address;
361 size_t pos;
362 krb5_principal tgt_princ = NULL;
363 hdb_entry_ex *tgt = NULL;
364 Key *tkey;
365 time_t max_end, actual_end, issue_time;
366
367 memset(&ad, 0, sizeof(ad));
368 krb5_data_zero(&auth);
369
370 RCHECK(krb5_ret_int8(sp, &kvno), out2);
371 RCHECK(krb5_ret_stringz(sp, &realm), out2);
372
373 ret = krb5_425_conv_principal(context, "krbtgt", realm,
374 config->v4_realm,
375 &tgt_princ);
376 if(ret){
377 kdc_log(context, config, 0,
378 "Converting krbtgt principal (krb4): %s",
379 krb5_get_err_text(context, ret));
380 make_err_reply(context, reply, KFAILURE,
381 "Failed to convert v4 principal (krbtgt)");
382 goto out2;
383 }
384
385 ret = _kdc_db_fetch(context, config, tgt_princ,
386 HDB_F_GET_KRBTGT, NULL, &tgt);
387 if(ret){
388 char *s;
389 s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
390 "found in database (krb4): krbtgt.%s@%s: %s",
391 realm, config->v4_realm,
392 krb5_get_err_text(context, ret));
393 make_err_reply(context, reply, KFAILURE, s);
394 free(s);
395 goto out2;
396 }
397
398 if(tgt->entry.kvno % 256 != kvno){
399 kdc_log(context, config, 0,
400 "tgs-req (krb4) with old kvno %d (current %d) for "
401 "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
402 realm, config->v4_realm);
403 make_err_reply(context, reply, KDC_AUTH_EXP,
404 "old krbtgt kvno used");
405 goto out2;
406 }
407
408 ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
409 if(ret){
410 kdc_log(context, config, 0,
411 "no suitable DES key for krbtgt (krb4)");
412 /* XXX */
413 make_err_reply(context, reply, KDC_NULL_KEY,
414 "no suitable DES key for krbtgt");
415 goto out2;
416 }
417
418 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
419 RCHECK(krb5_ret_int8(sp, &req_len), out2);
420
421 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
422
423 auth.data = buf;
424 auth.length = pos;
425
426 if (config->check_ticket_addresses)
427 address = addr->sin_addr.s_addr;
428 else
429 address = 0;
430
431 ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
432 config->v4_realm,
433 address, &tkey->key, &ad);
434 if(ret){
435 kdc_log(context, config, 0, "krb_rd_req: %d", ret);
436 make_err_reply(context, reply, ret, "failed to parse request");
437 goto out2;
438 }
439
440 RCHECK(krb5_ret_int32(sp, &req_time), out2);
441 if(lsb)
442 req_time = swap32(req_time);
443 RCHECK(krb5_ret_uint8(sp, &life), out2);
444 RCHECK(krb5_ret_stringz(sp, &sname), out2);
445 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
446 snprintf (server_name, sizeof(server_name),
447 "%s.%s@%s",
448 sname, sinst, config->v4_realm);
449 snprintf (client_name, sizeof(client_name),
450 "%s.%s@%s",
451 ad.pname, ad.pinst, ad.prealm);
452
453 kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
454 client_name, from, server_name);
455
456 if(strcmp(ad.prealm, realm)){
457 kdc_log(context, config, 0,
458 "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
459 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
460 "Can't hop realms");
461 goto out2;
462 }
463
464 if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
465 kdc_log(context, config, 0,
466 "krb4 Cross-realm %s -> %s disabled",
467 realm, config->v4_realm);
468 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
469 "Can't hop realms");
470 goto out2;
471 }
472
473 if(strcmp(sname, "changepw") == 0){
474 kdc_log(context, config, 0,
475 "Bad request for changepw ticket (krb4)");
476 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
477 "Can't authorize password change based on TGT");
478 goto out2;
479 }
480
481 ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
482 HDB_F_GET_CLIENT, &client);
483 if(ret && ret != HDB_ERR_NOENTRY) {
484 char *s;
485 s = kdc_log_msg(context, config, 0,
486 "Client not found in database: (krb4) %s: %s",
487 client_name, krb5_get_err_text(context, ret));
488 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
489 free(s);
490 goto out2;
491 }
492 if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
493 char *s;
494 s = kdc_log_msg(context, config, 0,
495 "Local client not found in database: (krb4) "
496 "%s", client_name);
497 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
498 free(s);
499 goto out2;
500 }
501
502 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
503 HDB_F_GET_SERVER, &server);
504 if(ret){
505 char *s;
506 s = kdc_log_msg(context, config, 0,
507 "Server not found in database (krb4): %s: %s",
508 server_name, krb5_get_err_text(context, ret));
509 make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
510 free(s);
511 goto out2;
512 }
513
514 ret = _kdc_check_flags (context, config,
515 client, client_name,
516 server, server_name,
517 FALSE);
518 if (ret) {
519 /* good error code? */
520 make_err_reply(context, reply, KERB_ERR_NAME_EXP,
521 "operation not allowed");
522 goto out2;
523 }
524
525 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
526 if(ret){
527 kdc_log(context, config, 0,
528 "no suitable DES key for server (krb4)");
529 /* XXX */
530 make_err_reply(context, reply, KDC_NULL_KEY,
531 "no suitable DES key for server");
532 goto out2;
533 }
534
535 max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
536 max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
537 if(server->entry.max_life)
538 max_end = min(max_end, kdc_time + *server->entry.max_life);
539 if(client && client->entry.max_life)
540 max_end = min(max_end, kdc_time + *client->entry.max_life);
541 life = min(life, krb_time_to_life(kdc_time, max_end));
542
543 issue_time = kdc_time;
544 actual_end = _krb5_krb_life_to_time(issue_time, life);
545 while (actual_end > max_end && life > 1) {
546 /* move them into the next earlier lifetime bracket */
547 life--;
548 actual_end = _krb5_krb_life_to_time(issue_time, life);
549 }
550 if (actual_end > max_end) {
551 /* if life <= 1 and it's still too long, backdate the ticket */
552 issue_time -= actual_end - max_end;
553 }
554
555 {
556 krb5_data ticket, cipher;
557 krb5_keyblock session;
558
559 krb5_data_zero(&ticket);
560 krb5_data_zero(&cipher);
561
562 ret = krb5_generate_random_keyblock(context,
563 ETYPE_DES_PCBC_NONE,
564 &session);
565 if (ret) {
566 make_err_reply(context, reply, KFAILURE,
567 "Not enough random i KDC");
568 goto out2;
569 }
570
571 ret = _krb5_krb_create_ticket(context,
572 0,
573 ad.pname,
574 ad.pinst,
575 ad.prealm,
576 addr->sin_addr.s_addr,
577 &session,
578 life,
579 issue_time,
580 sname,
581 sinst,
582 &skey->key,
583 &ticket);
584 if (ret) {
585 krb5_free_keyblock_contents(context, &session);
586 make_err_reply(context, reply, KFAILURE,
587 "failed to create v4 ticket");
588 goto out2;
589 }
590
591 ret = _krb5_krb_create_ciph(context,
592 &session,
593 sname,
594 sinst,
595 config->v4_realm,
596 life,
597 server->entry.kvno % 255,
598 &ticket,
599 issue_time,
600 &ad.session,
601 &cipher);
602 krb5_free_keyblock_contents(context, &session);
603 if (ret) {
604 make_err_reply(context, reply, KFAILURE,
605 "failed to create v4 cipher");
606 goto out2;
607 }
608
609 ret = _krb5_krb_create_auth_reply(context,
610 ad.pname,
611 ad.pinst,
612 ad.prealm,
613 req_time,
614 0,
615 0,
616 0,
617 &cipher,
618 reply);
619 krb5_data_free(&cipher);
620 }
621 out2:
622 _krb5_krb_free_auth_data(context, &ad);
623 if(tgt_princ)
624 krb5_free_principal(context, tgt_princ);
625 if(tgt)
626 _kdc_free_ent(context, tgt);
627 break;
628 }
629 case AUTH_MSG_ERR_REPLY:
630 break;
631 default:
632 kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
633 msg_type, from);
634
635 make_err_reply(context, reply, KFAILURE, "Unknown message type");
636 }
637 out:
638 if(name)
639 free(name);
640 if(inst)
641 free(inst);
642 if(realm)
643 free(realm);
644 if(sname)
645 free(sname);
646 if(sinst)
647 free(sinst);
648 if(client)
649 _kdc_free_ent(context, client);
650 if(server)
651 _kdc_free_ent(context, server);
652 krb5_storage_free(sp);
653 return 0;
654 }
655
656 krb5_error_code
_kdc_encode_v4_ticket(krb5_context context,krb5_kdc_configuration * config,void * buf,size_t len,const EncTicketPart * et,const PrincipalName * service,size_t * size)657 _kdc_encode_v4_ticket(krb5_context context,
658 krb5_kdc_configuration *config,
659 void *buf, size_t len, const EncTicketPart *et,
660 const PrincipalName *service, size_t *size)
661 {
662 krb5_storage *sp;
663 krb5_error_code ret;
664 char name[40], inst[40], realm[40];
665 char sname[40], sinst[40];
666
667 {
668 krb5_principal princ;
669 _krb5_principalname2krb5_principal(context,
670 &princ,
671 *service,
672 et->crealm);
673 ret = krb5_524_conv_principal(context,
674 princ,
675 sname,
676 sinst,
677 realm);
678 krb5_free_principal(context, princ);
679 if(ret)
680 return ret;
681
682 _krb5_principalname2krb5_principal(context,
683 &princ,
684 et->cname,
685 et->crealm);
686
687 ret = krb5_524_conv_principal(context,
688 princ,
689 name,
690 inst,
691 realm);
692 krb5_free_principal(context, princ);
693 }
694 if(ret)
695 return ret;
696
697 sp = krb5_storage_emem();
698
699 krb5_store_int8(sp, 0); /* flags */
700 krb5_store_stringz(sp, name);
701 krb5_store_stringz(sp, inst);
702 krb5_store_stringz(sp, realm);
703 {
704 unsigned char tmp[4] = { 0, 0, 0, 0 };
705 int i;
706 if(et->caddr){
707 for(i = 0; i < et->caddr->len; i++)
708 if(et->caddr->val[i].addr_type == AF_INET &&
709 et->caddr->val[i].address.length == 4){
710 memcpy(tmp, et->caddr->val[i].address.data, 4);
711 break;
712 }
713 }
714 krb5_storage_write(sp, tmp, sizeof(tmp));
715 }
716
717 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
718 et->key.keytype != ETYPE_DES_CBC_MD4 &&
719 et->key.keytype != ETYPE_DES_CBC_CRC) ||
720 et->key.keyvalue.length != 8)
721 return -1;
722 krb5_storage_write(sp, et->key.keyvalue.data, 8);
723
724 {
725 time_t start = et->starttime ? *et->starttime : et->authtime;
726 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
727 krb5_store_int32(sp, start);
728 }
729
730 krb5_store_stringz(sp, sname);
731 krb5_store_stringz(sp, sinst);
732
733 {
734 krb5_data data;
735 krb5_storage_to_data(sp, &data);
736 krb5_storage_free(sp);
737 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
738 if(*size > len)
739 return -1;
740 memset((unsigned char*)buf - *size + 1, 0, *size);
741 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
742 krb5_data_free(&data);
743 }
744 return 0;
745 }
746
747 krb5_error_code
_kdc_get_des_key(krb5_context context,hdb_entry_ex * principal,krb5_boolean is_server,krb5_boolean prefer_afs_key,Key ** ret_key)748 _kdc_get_des_key(krb5_context context,
749 hdb_entry_ex *principal, krb5_boolean is_server,
750 krb5_boolean prefer_afs_key, Key **ret_key)
751 {
752 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
753 int i;
754 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
755 ETYPE_DES_CBC_MD4,
756 ETYPE_DES_CBC_CRC };
757
758 for(i = 0;
759 i < sizeof(etypes)/sizeof(etypes[0])
760 && (v5_key == NULL || v4_key == NULL ||
761 afs_key == NULL || server_key == NULL);
762 ++i) {
763 Key *key = NULL;
764 while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
765 if(key->salt == NULL) {
766 if(v5_key == NULL)
767 v5_key = key;
768 } else if(key->salt->type == hdb_pw_salt &&
769 key->salt->salt.length == 0) {
770 if(v4_key == NULL)
771 v4_key = key;
772 } else if(key->salt->type == hdb_afs3_salt) {
773 if(afs_key == NULL)
774 afs_key = key;
775 } else if(server_key == NULL)
776 server_key = key;
777 }
778 }
779
780 if(prefer_afs_key) {
781 if(afs_key)
782 *ret_key = afs_key;
783 else if(v4_key)
784 *ret_key = v4_key;
785 else if(v5_key)
786 *ret_key = v5_key;
787 else if(is_server && server_key)
788 *ret_key = server_key;
789 else
790 return KERB_ERR_NULL_KEY;
791 } else {
792 if(v4_key)
793 *ret_key = v4_key;
794 else if(afs_key)
795 *ret_key = afs_key;
796 else if(v5_key)
797 *ret_key = v5_key;
798 else if(is_server && server_key)
799 *ret_key = server_key;
800 else
801 return KERB_ERR_NULL_KEY;
802 }
803
804 if((*ret_key)->key.keyvalue.length == 0)
805 return KERB_ERR_NULL_KEY;
806 return 0;
807 }
808
809