Mercurial > illumos > onarm

annotate usr/src/cmd/krb5/krb5kdc/kdc_preauth.c @ 0:c9caec207d52 b86

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Initial porting based on b86
author Koji Uno <koji.uno@sun.com>
date Tue, 02 Jun 2009 18:56:50 +0900
parents
children 1a15d5aaf794
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
2 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
3 * Use is subject to license terms.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
4 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
5
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
6 #pragma ident "@(#)kdc_preauth.c 1.11 06/09/27 SMI"
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
7
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
8 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
9 * kdc/kdc_preauth.c
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
10 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
11 * Copyright 1995, 2003 by the Massachusetts Institute of Technology.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
12 * All Rights Reserved.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
13 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
14 * Export of this software from the United States of America may
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
15 * require a specific license from the United States Government.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
16 * It is the responsibility of any person or organization contemplating
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
17 * export to obtain such a license before exporting.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
18 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
19 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
20 * distribute this software and its documentation for any purpose and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
21 * without fee is hereby granted, provided that the above copyright
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
22 * notice appear in all copies and that both that copyright notice and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
23 * this permission notice appear in supporting documentation, and that
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
24 * the name of M.I.T. not be used in advertising or publicity pertaining
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
25 * to distribution of the software without specific, written prior
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
26 * permission. Furthermore if you modify this software you must label
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
27 * your software as modified software and not distribute it in such a
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
28 * fashion that it might be confused with the original M.I.T. software.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
29 * M.I.T. makes no representations about the suitability of
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
30 * this software for any purpose. It is provided "as is" without express
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
31 * or implied warranty.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
32 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
33 * Preauthentication routines for the KDC.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
34 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
35
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
36 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
37 * Copyright (C) 1998 by the FundsXpress, INC.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
38 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
39 * All rights reserved.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
40 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
41 * Export of this software from the United States of America may require
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
42 * a specific license from the United States Government. It is the
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
43 * responsibility of any person or organization contemplating export to
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
44 * obtain such a license before exporting.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
45 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
46 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
47 * distribute this software and its documentation for any purpose and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
48 * without fee is hereby granted, provided that the above copyright
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
49 * notice appear in all copies and that both that copyright notice and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
50 * this permission notice appear in supporting documentation, and that
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
51 * the name of FundsXpress. not be used in advertising or publicity pertaining
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
52 * to distribution of the software without specific, written prior
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
53 * permission. FundsXpress makes no representations about the suitability of
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
54 * this software for any purpose. It is provided "as is" without express
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
55 * or implied warranty.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
56 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
57 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
58 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
59 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
60 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
61
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
62 #include "k5-int.h"
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
63 #include "kdc_util.h"
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
64 #include "extern.h"
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
65 #include "com_err.h"
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
66 #include <assert.h>
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
67 #include <stdio.h>
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
68 #include "adm_proto.h"
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
69 #include <libintl.h>
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
70 #include <syslog.h>
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
71
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
72 #include <assert.h>
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
73
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
74 /* XXX This is ugly and should be in a header file somewhere */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
75 #ifndef KRB5INT_DES_TYPES_DEFINED
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
76 #define KRB5INT_DES_TYPES_DEFINED
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
77 typedef unsigned char des_cblock[8]; /* crypto-block size */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
78 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
79 typedef des_cblock mit_des_cblock;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
80 extern void mit_des_fixup_key_parity (mit_des_cblock );
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
81 extern int mit_des_is_weak_key (mit_des_cblock );
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
82
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
83 typedef krb5_error_code (*verify_proc)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
84 (krb5_context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
85 krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
86 krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
87
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
88 typedef krb5_error_code (*edata_proc)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
89 (krb5_context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
90 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
91 krb5_pa_data *data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
92
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
93 typedef krb5_error_code (*return_proc)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
94 (krb5_context, krb5_pa_data * padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
95 krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
96 krb5_kdc_req *request, krb5_kdc_rep *reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
97 krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
98 krb5_keyblock *encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
99 krb5_pa_data **send_pa);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
100
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
101 typedef struct _krb5_preauth_systems {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
102 char * name;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
103 int type;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
104 int flags;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
105 edata_proc get_edata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
106 verify_proc verify_padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
107 return_proc return_padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
108 } krb5_preauth_systems;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
109
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
110 static krb5_error_code verify_enc_timestamp
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
111 (krb5_context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
112 krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
113 krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
114
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
115 static krb5_error_code get_etype_info
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
116 (krb5_context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
117 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
118 krb5_pa_data *data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
119 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
120 get_etype_info2(krb5_context context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
121 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
122 krb5_pa_data *pa_data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
123 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
124 return_etype_info2(krb5_context, krb5_pa_data * padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
125 krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
126 krb5_kdc_req *request, krb5_kdc_rep *reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
127 krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
128 krb5_keyblock *encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
129 krb5_pa_data **send_pa);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
130
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
131 static krb5_error_code return_pw_salt
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
132 (krb5_context, krb5_pa_data * padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
133 krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
134 krb5_kdc_req *request, krb5_kdc_rep *reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
135 krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
136 krb5_keyblock *encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
137 krb5_pa_data **send_pa);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
138
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
139 /* SAM preauth support */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
140 static krb5_error_code verify_sam_response
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
141 (krb5_context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
142 krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
143 krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
144
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
145 static krb5_error_code get_sam_edata
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
146 (krb5_context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
147 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
148 krb5_pa_data *data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
149 static krb5_error_code return_sam_data
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
150 (krb5_context, krb5_pa_data * padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
151 krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
152 krb5_kdc_req *request, krb5_kdc_rep *reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
153 krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
154 krb5_keyblock *encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
155 krb5_pa_data **send_pa);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
156 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
157 * Preauth property flags
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
158 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
159 #define PA_HARDWARE 0x00000001
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
160 #define PA_REQUIRED 0x00000002
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
161 #define PA_SUFFICIENT 0x00000004
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
162 /* Not really a padata, so don't include it in the etype list*/
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
163 #define PA_PSEUDO 0x00000008
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
164
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
165 static krb5_preauth_systems preauth_systems[] = {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
166 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
167 "timestamp",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
168 KRB5_PADATA_ENC_TIMESTAMP,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
169 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
170 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
171 verify_enc_timestamp,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
172 0
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
173 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
174 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
175 "etype-info",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
176 KRB5_PADATA_ETYPE_INFO,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
177 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
178 get_etype_info,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
179 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
180 0
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
181 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
182 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
183 "etype-info2",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
184 KRB5_PADATA_ETYPE_INFO2,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
185 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
186 get_etype_info2,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
187 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
188 return_etype_info2
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
189 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
190 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
191 "pw-salt",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
192 KRB5_PADATA_PW_SALT,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
193 PA_PSEUDO, /* Don't include this in the error list */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
194 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
195 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
196 return_pw_salt
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
197 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
198 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
199 "sam-response",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
200 KRB5_PADATA_SAM_RESPONSE,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
201 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
202 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
203 verify_sam_response,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
204 return_sam_data
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
205 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
206 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
207 "sam-challenge",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
208 KRB5_PADATA_SAM_CHALLENGE,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
209 PA_HARDWARE, /* causes get_preauth_hint_list to use this */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
210 get_sam_edata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
211 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
212 0
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
213 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
214 { "[end]", -1,}
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
215 };
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
216
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
217 #define MAX_PREAUTH_SYSTEMS (sizeof(preauth_systems)/sizeof(preauth_systems[0]))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
218
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
219 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
220 find_pa_system(int type, krb5_preauth_systems **preauth)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
221 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
222 krb5_preauth_systems *ap = preauth_systems;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
223
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
224 while ((ap->type != -1) && (ap->type != type))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
225 ap++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
226 if (ap->type == -1)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
227 return(KRB5_PREAUTH_BAD_TYPE);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
228 *preauth = ap;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
229 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
230 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
231
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
232 const char *missing_required_preauth(krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
233 krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
234 krb5_enc_tkt_part *enc_tkt_reply)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
235 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
236 #if 0
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
237 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
238 * If this is the pwchange service, and the pre-auth bit is set,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
239 * allow it even if the HW preauth would normally be required.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
240 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
241 * Sandia national labs wanted this for some strange reason... we
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
242 * leave it disabled normally.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
243 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
244 if (isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE) &&
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
245 isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
246 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
247 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
248
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
249 #ifdef DEBUG
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
250 krb5_klog_syslog (LOG_DEBUG,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
251 "client needs %spreauth, %shw preauth; request has %spreauth, %shw preauth",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
252 isflagset (client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) ? "" : "no ",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
253 isflagset (client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) ? "" : "no ",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
254 isflagset (enc_tkt_reply->flags, TKT_FLG_PRE_AUTH) ? "" : "no ",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
255 isflagset (enc_tkt_reply->flags, TKT_FLG_HW_AUTH) ? "" : "no ");
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
256 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
257
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
258 if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
259 !isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
260 return "NEEDED_PREAUTH";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
261
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
262 if (isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) &&
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
263 !isflagset(enc_tkt_reply->flags, TKT_FLG_HW_AUTH))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
264 return "NEEDED_HW_PREAUTH";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
265
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
266 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
267 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
268
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
269 void get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
270 krb5_db_entry *server, krb5_data *e_data)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
271 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
272 int hw_only;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
273 krb5_preauth_systems *ap;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
274 krb5_pa_data **pa_data, **pa;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
275 krb5_data *edat;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
276 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
277
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
278 /* Zero these out in case we need to abort */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
279 e_data->length = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
280 e_data->data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
281
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
282 hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
283 pa_data = malloc(sizeof(krb5_pa_data *) * (MAX_PREAUTH_SYSTEMS+1));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
284 if (pa_data == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
285 return;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
286 memset(pa_data, 0, sizeof(krb5_pa_data *) * (MAX_PREAUTH_SYSTEMS+1));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
287 pa = pa_data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
288
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
289 for (ap = preauth_systems; ap->type != -1; ap++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
290 if (hw_only && !(ap->flags & PA_HARDWARE))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
291 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
292 if (ap->flags & PA_PSEUDO)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
293 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
294 *pa = malloc(sizeof(krb5_pa_data));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
295 if (*pa == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
296 goto errout;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
297 memset(*pa, 0, sizeof(krb5_pa_data));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
298 (*pa)->magic = KV5M_PA_DATA;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
299 (*pa)->pa_type = ap->type;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
300 if (ap->get_edata) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
301 retval = (ap->get_edata)(kdc_context, request, client, server, *pa);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
302 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
303 /* just failed on this type, continue */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
304 free(*pa);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
305 *pa = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
306 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
307 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
308 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
309 pa++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
310 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
311 if (pa_data[0] == 0) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
312 krb5_klog_syslog (LOG_INFO,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
313 "%spreauth required but hint list is empty",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
314 hw_only ? "hw" : "");
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
315 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
316 retval = encode_krb5_padata_sequence((const krb5_pa_data **) pa_data,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
317 &edat);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
318 if (retval)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
319 goto errout;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
320 *e_data = *edat;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
321 free(edat);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
322
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
323 errout:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
324 krb5_free_pa_data(kdc_context, pa_data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
325 return;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
326 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
327
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
328 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
329 * This routine is called to verify the preauthentication information
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
330 * for a V5 request.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
331 *
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
332 * Returns 0 if the pre-authentication is valid, non-zero to indicate
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
333 * an error code of some sort.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
334 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
335
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
336 krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
337 check_padata (krb5_context context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
338 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
339 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
340 krb5_error_code retval = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
341 krb5_pa_data **padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
342 krb5_preauth_systems *pa_sys;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
343 int pa_ok = 0, pa_found = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
344
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
345 if (request->padata == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
346 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
347
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
348 #ifdef DEBUG
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
349 krb5_klog_syslog (LOG_DEBUG, "checking padata");
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
350 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
351 for (padata = request->padata; *padata; padata++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
352 #ifdef DEBUG
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
353 krb5_klog_syslog (LOG_DEBUG, ".. pa_type 0x%x", (*padata)->pa_type);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
354 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
355 if (find_pa_system((*padata)->pa_type, &pa_sys))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
356 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
357 #ifdef DEBUG
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
358 krb5_klog_syslog (LOG_DEBUG, ".. pa_type %s", pa_sys->name);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
359 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
360 if (pa_sys->verify_padata == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
361 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
362 pa_found++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
363 retval = pa_sys->verify_padata(context, client, request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
364 enc_tkt_reply, *padata);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
365 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
366 krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
367 pa_sys->name, error_message (retval));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
368 if (pa_sys->flags & PA_REQUIRED) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
369 pa_ok = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
370 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
371 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
372 } else {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
373 #ifdef DEBUG
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
374 krb5_klog_syslog (LOG_DEBUG, ".. .. ok");
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
375 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
376 pa_ok = 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
377 if (pa_sys->flags & PA_SUFFICIENT)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
378 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
379 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
380 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
381 if (pa_ok)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
382 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
383
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
384 /* pa system was not found, but principal doesn't require preauth */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
385 if (!pa_found &&
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
386 !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
387 !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
388 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
389
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
390 if (!pa_found)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
391 krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
392 error_message (retval));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
393 /* The following switch statement allows us
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
394 * to return some preauth system errors back to the client.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
395 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
396 switch(retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
397 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
398 case KRB5KRB_AP_ERR_SKEW:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
399 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
400 default:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
401 return KRB5KDC_ERR_PREAUTH_FAILED;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
402 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
403 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
404
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
405 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
406 * return_padata creates any necessary preauthentication
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
407 * structures which should be returned by the KDC to the client
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
408 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
409 krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
410 return_padata(krb5_context context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
411 krb5_kdc_req *request, krb5_kdc_rep *reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
412 krb5_key_data *client_key, krb5_keyblock *encrypting_key)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
413 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
414 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
415 krb5_pa_data ** padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
416 krb5_pa_data ** send_pa_list;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
417 krb5_pa_data ** send_pa;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
418 krb5_pa_data * pa = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
419 krb5_preauth_systems * ap;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
420 int size = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
421
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
422 for (ap = preauth_systems; ap->type != -1; ap++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
423 if (ap->return_padata)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
424 size++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
425 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
426
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
427 if ((send_pa_list = malloc((size+1) * sizeof(krb5_pa_data *))) == NULL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
428 return ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
429
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
430 send_pa = send_pa_list;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
431 *send_pa = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
432
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
433 for (ap = preauth_systems; ap->type != -1; ap++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
434 if (ap->return_padata == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
435 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
436 pa = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
437 if (request->padata) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
438 for (padata = request->padata; *padata; padata++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
439 if ((*padata)->pa_type == ap->type) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
440 pa = *padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
441 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
442 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
443 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
444 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
445 if ((retval = ap->return_padata(context, pa, client, request, reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
446 client_key, encrypting_key, send_pa)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
447 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
448
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
449 if (*send_pa)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
450 send_pa++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
451 *send_pa = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
452 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
453
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
454 retval = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
455
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
456 if (send_pa_list[0]) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
457 reply->padata = send_pa_list;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
458 send_pa_list = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
459 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
460
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
461 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
462 if (send_pa_list)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
463 krb5_free_pa_data(context, send_pa_list);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
464 return (retval);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
465 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
466
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
467 static krb5_boolean
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
468 enctype_requires_etype_info_2(krb5_enctype enctype)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
469 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
470 switch(enctype) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
471 case ENCTYPE_DES_CBC_CRC:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
472 case ENCTYPE_DES_CBC_MD4:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
473 case ENCTYPE_DES_CBC_MD5:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
474 case ENCTYPE_DES3_CBC_SHA1:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
475 case ENCTYPE_DES3_CBC_RAW:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
476 case ENCTYPE_ARCFOUR_HMAC:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
477 case ENCTYPE_ARCFOUR_HMAC_EXP :
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
478 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
479 default:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
480 if (krb5_c_valid_enctype(enctype))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
481 return 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
482 else return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
483 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
484 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
485
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
486 static krb5_boolean
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
487 request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
488 krb5_enctype enctype)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
489 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
490 int i;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
491 for (i =0; i < request->nktypes; i++)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
492 if (request->ktype[i] == enctype)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
493 return 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
494 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
495 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
496
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
497
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
498 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
499 verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
500 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
501 krb5_pa_data *pa)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
502 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
503 krb5_pa_enc_ts * pa_enc = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
504 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
505 krb5_data scratch;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
506 krb5_data enc_ts_data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
507 krb5_enc_data *enc_data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
508 krb5_keyblock key;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
509 krb5_key_data * client_key;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
510 krb5_int32 start;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
511 krb5_timestamp timenow;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
512 krb5_error_code decrypt_err;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
513
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
514 (void) memset(&key, 0, sizeof(krb5_keyblock));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
515 scratch.data = (char *) pa->contents;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
516 scratch.length = pa->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
517
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
518 enc_ts_data.data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
519
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
520 if ((retval = decode_krb5_enc_data(&scratch, &enc_data)) != 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
521 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
522
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
523 enc_ts_data.length = enc_data->ciphertext.length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
524 if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
525 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
526
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
527 start = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
528 decrypt_err = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
529 while (1) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
530 if ((retval = krb5_dbe_search_enctype(context, client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
531 &start, enc_data->enctype,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
532 -1, 0, &client_key)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
533 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
534
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
535 if ((retval = krb5_dbekd_decrypt_key_data(context, &master_keyblock,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
536 client_key, &key, NULL)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
537 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
538
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
539 key.enctype = enc_data->enctype;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
540
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
541 retval = krb5_c_decrypt(context, &key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
542 0, enc_data, &enc_ts_data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
543 krb5_free_keyblock_contents(context, &key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
544 if (retval == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
545 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
546 else
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
547 decrypt_err = retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
548 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
549
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
550 if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
551 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
552
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
553 if ((retval = krb5_timeofday(context, &timenow)) != 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
554 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
555
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
556 if (labs(timenow - pa_enc->patimestamp) > context->clockskew) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
557 retval = KRB5KRB_AP_ERR_SKEW;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
558 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
559 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
560
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
561 setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
562
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
563 retval = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
564
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
565 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
566 if (enc_data) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
567 krb5_free_data_contents(context, &enc_data->ciphertext);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
568 free(enc_data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
569 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
570 krb5_free_data_contents(context, &enc_ts_data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
571 if (pa_enc)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
572 free(pa_enc);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
573 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
574 * If we get NO_MATCHING_KEY and decryption previously failed, and
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
575 * we failed to find any other keys of the correct enctype after
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
576 * that failed decryption, it probably means that the password was
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
577 * incorrect.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
578 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
579 if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
580 retval = decrypt_err;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
581 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
582 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
583
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
584 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
585 _make_etype_info_entry(krb5_context context,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
586 krb5_kdc_req *request, krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
587 krb5_enctype etype, krb5_etype_info_entry **entry,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
588 int etype_info2)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
589 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
590 krb5_data salt;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
591 krb5_etype_info_entry * tmp_entry;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
592 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
593
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
594 if ((tmp_entry = malloc(sizeof(krb5_etype_info_entry))) == NULL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
595 return ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
596
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
597 salt.data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
598
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
599 tmp_entry->magic = KV5M_ETYPE_INFO_ENTRY;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
600 tmp_entry->etype = etype;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
601 tmp_entry->length = KRB5_ETYPE_NO_SALT;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
602 tmp_entry->salt = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
603 tmp_entry->s2kparams.data = NULL;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
604 tmp_entry->s2kparams.length = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
605 retval = get_salt_from_key(context, request->client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
606 client_key, &salt);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
607 if (retval)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
608 goto fail;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
609 if (etype_info2 && client_key->key_data_ver > 1 &&
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
610 client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_AFS3) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
611 switch (etype) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
612 case ENCTYPE_DES_CBC_CRC:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
613 case ENCTYPE_DES_CBC_MD4:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
614 case ENCTYPE_DES_CBC_MD5:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
615 tmp_entry->s2kparams.data = malloc(1);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
616 if (tmp_entry->s2kparams.data == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
617 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
618 goto fail;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
619 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
620 tmp_entry->s2kparams.length = 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
621 tmp_entry->s2kparams.data[0] = 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
622 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
623 default:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
624 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
625 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
626 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
627
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
628 if (salt.length >= 0) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
629 tmp_entry->length = salt.length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
630 tmp_entry->salt = (unsigned char *) salt.data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
631 salt.data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
632 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
633 *entry = tmp_entry;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
634 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
635
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
636 fail:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
637 if (tmp_entry) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
638 if (tmp_entry->s2kparams.data)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
639 free(tmp_entry->s2kparams.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
640 free(tmp_entry);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
641 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
642 if (salt.data)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
643 free(salt.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
644 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
645 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
646 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
647 * This function returns the etype information for a particular
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
648 * client, to be passed back in the preauth list in the KRB_ERROR
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
649 * message. It supports generating both etype_info and etype_info2
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
650 * as most of the work is the same.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
651 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
652 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
653 etype_info_helper(krb5_context context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
654 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
655 krb5_pa_data *pa_data, int etype_info2)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
656 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
657 krb5_etype_info_entry ** entry = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
658 krb5_key_data *client_key;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
659 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
660 krb5_data * scratch;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
661 krb5_enctype db_etype;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
662 int i = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
663 int start = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
664 int seen_des = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
665
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
666 entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
667 if (entry == NULL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
668 return ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
669 entry[0] = NULL;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
670
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
671 while (1) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
672 retval = krb5_dbe_search_enctype(context, client, &start, -1,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
673 -1, 0, &client_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
674 if (retval == KRB5_KDB_NO_MATCHING_KEY)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
675 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
676 if (retval)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
677 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
678 db_etype = client_key->key_data_type[0];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
679 if (db_etype == ENCTYPE_DES_CBC_MD4)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
680 db_etype = ENCTYPE_DES_CBC_MD5;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
681
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
682 if (request_contains_enctype(context, request, db_etype)) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
683 assert(etype_info2 ||
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
684 !enctype_requires_etype_info_2(db_etype));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
685 if ((retval = _make_etype_info_entry(context, request, client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
686 db_etype, &entry[i], etype_info2)) != 0) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
687 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
688 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
689 entry[i+1] = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
690 i++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
691 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
692
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
693 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
694 * If there is a des key in the kdb, try the "similar" enctypes,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
695 * avoid duplicate entries.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
696 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
697 if (!seen_des) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
698 switch (db_etype) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
699 case ENCTYPE_DES_CBC_MD5:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
700 db_etype = ENCTYPE_DES_CBC_CRC;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
701 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
702 case ENCTYPE_DES_CBC_CRC:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
703 db_etype = ENCTYPE_DES_CBC_MD5;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
704 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
705 default:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
706 continue;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
707
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
708 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
709 if (request_contains_enctype(context, request, db_etype)) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
710 if ((retval = _make_etype_info_entry(context, request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
711 client_key, db_etype, &entry[i], etype_info2)) != 0) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
712 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
713 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
714 entry[i+1] = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
715 i++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
716 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
717 seen_des++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
718 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
719 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
720 if (etype_info2)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
721 retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
722 &scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
723 else retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
724 &scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
725 if (retval)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
726 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
727 pa_data->contents = (unsigned char *)scratch->data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
728 pa_data->length = scratch->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
729 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
730 * note, don't free scratch->data as it is in use (don't use
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
731 * krb5_free_data() either).
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
732 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
733 free(scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
734
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
735 retval = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
736
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
737 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
738 if (entry)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
739 krb5_free_etype_info(context, entry);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
740 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
741 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
742
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
743 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
744 get_etype_info(krb5_context context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
745 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
746 krb5_pa_data *pa_data)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
747 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
748 int i;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
749 for (i=0; i < request->nktypes; i++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
750 if (enctype_requires_etype_info_2(request->ktype[i]))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
751 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
752 * skip this
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
753 * type*/
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
754 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
755 return etype_info_helper(context, request, client, server, pa_data, 0);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
756 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
757
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
758 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
759 get_etype_info2(krb5_context context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
760 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
761 krb5_pa_data *pa_data)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
762 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
763 return etype_info_helper( context, request, client, server, pa_data, 1);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
764 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
765
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
766 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
767 return_etype_info2(krb5_context context, krb5_pa_data * padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
768 krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
769 krb5_kdc_req *request, krb5_kdc_rep *reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
770 krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
771 krb5_keyblock *encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
772 krb5_pa_data **send_pa)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
773 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
774 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
775 krb5_pa_data *tmp_padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
776 krb5_etype_info_entry **entry = NULL;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
777 krb5_data *scratch = NULL;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
778 tmp_padata = malloc( sizeof(krb5_pa_data));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
779 if (tmp_padata == NULL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
780 return ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
781 tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
782 entry = malloc(2 * sizeof(krb5_etype_info_entry *));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
783 if (entry == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
784 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
785 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
786 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
787 entry[0] = NULL;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
788 entry[1] = NULL;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
789 /* using encrypting_key->enctype as this is specified in rfc4120 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
790 retval = _make_etype_info_entry(context, request, client_key, encrypting_key->enctype,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
791 entry, 1);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
792 if (retval)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
793 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
794 retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
795 if (retval)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
796 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
797 tmp_padata->contents = (uchar_t *)scratch->data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
798 tmp_padata->length = scratch->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
799 *send_pa = tmp_padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
800
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
801 /* For cleanup - we no longer own the contents of the krb5_data
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
802 * only to pointer to the krb5_data
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
803 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
804 scratch->data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
805
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
806 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
807 if (entry)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
808 krb5_free_etype_info(context, entry);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
809 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
810 if (tmp_padata)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
811 free(tmp_padata);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
812 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
813 if (scratch)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
814 krb5_free_data(context, scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
815 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
816 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
817
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
818
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
819 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
820 return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
821 krb5_db_entry *client, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
822 krb5_kdc_rep *reply, krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
823 krb5_keyblock *encrypting_key, krb5_pa_data **send_pa)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
824 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
825 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
826 krb5_pa_data * padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
827 krb5_data * scratch;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
828 krb5_data salt_data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
829 int i;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
830
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
831 for (i = 0; i < request->nktypes; i++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
832 if (enctype_requires_etype_info_2(request->ktype[i]))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
833 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
834 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
835 if (client_key->key_data_ver == 1 ||
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
836 client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
837 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
838
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
839 if ((padata = malloc(sizeof(krb5_pa_data))) == NULL)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
840 return ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
841 padata->magic = KV5M_PA_DATA;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
842 padata->pa_type = KRB5_PADATA_PW_SALT;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
843
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
844 switch (client_key->key_data_type[1]) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
845 case KRB5_KDB_SALTTYPE_V4:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
846 /* send an empty (V4) salt */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
847 padata->contents = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
848 padata->length = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
849 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
850 case KRB5_KDB_SALTTYPE_NOREALM:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
851 if ((retval = krb5_principal2salt_norealm(kdc_context,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
852 request->client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
853 &salt_data)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
854 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
855 padata->contents = (krb5_octet *)salt_data.data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
856 padata->length = salt_data.length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
857 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
858 case KRB5_KDB_SALTTYPE_AFS3:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
859 /* send an AFS style realm-based salt */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
860 /* for now, just pass the realm back and let the client
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
861 do the work. In the future, add a kdc configuration
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
862 variable that specifies the old cell name. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
863 padata->pa_type = KRB5_PADATA_AFS3_SALT;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
864 /* it would be just like ONLYREALM, but we need to pass the 0 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
865 scratch = krb5_princ_realm(kdc_context, request->client);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
866 if ((padata->contents = malloc(scratch->length+1)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
867 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
868 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
869 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
870 memcpy(padata->contents, scratch->data, scratch->length);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
871 padata->length = scratch->length+1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
872 padata->contents[scratch->length] = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
873 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
874 case KRB5_KDB_SALTTYPE_ONLYREALM:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
875 scratch = krb5_princ_realm(kdc_context, request->client);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
876 if ((padata->contents = malloc(scratch->length)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
877 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
878 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
879 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
880 memcpy(padata->contents, scratch->data, scratch->length);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
881 padata->length = scratch->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
882 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
883 case KRB5_KDB_SALTTYPE_SPECIAL:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
884 if ((padata->contents = malloc(client_key->key_data_length[1]))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
885 == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
886 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
887 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
888 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
889 memcpy(padata->contents, client_key->key_data_contents[1],
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
890 client_key->key_data_length[1]);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
891 padata->length = client_key->key_data_length[1];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
892 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
893 default:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
894 free(padata);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
895 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
896 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
897
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
898 *send_pa = padata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
899 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
900
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
901 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
902 free(padata);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
903 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
904 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
905
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
906 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
907 return_sam_data(krb5_context context, krb5_pa_data *in_padata,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
908 krb5_db_entry *client, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
909 krb5_kdc_rep *reply, krb5_key_data *client_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
910 krb5_keyblock *encrypting_key, krb5_pa_data **send_pa)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
911 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
912 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
913 krb5_data scratch;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
914 int i;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
915
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
916 krb5_sam_response *sr = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
917 krb5_predicted_sam_response *psr = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
918
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
919 if (in_padata == 0)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
920 return 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
921
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
922 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
923 * We start by doing the same thing verify_sam_response() does:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
924 * extract the psr from the padata (which is an sr). Nothing
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
925 * here should generate errors! We've already successfully done
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
926 * all this once.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
927 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
928
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
929 scratch.data = (char *) in_padata->contents; /* SUNWresync121 XXX */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
930 scratch.length = in_padata->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
931
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
932 if ((retval = decode_krb5_sam_response(&scratch, &sr))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
933 com_err("krb5kdc", retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
934 gettext("return_sam_data(): decode_krb5_sam_response failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
935 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
936 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
937
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
938 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
939 krb5_enc_data tmpdata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
940
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
941 tmpdata.enctype = ENCTYPE_UNKNOWN;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
942 tmpdata.ciphertext = sr->sam_track_id;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
943
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
944 scratch.length = tmpdata.ciphertext.length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
945 if ((scratch.data = (char *) malloc(scratch.length)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
946 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
947 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
948 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
949
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
950 if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
951 &tmpdata, &scratch))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
952 com_err("krb5kdc", retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
953 gettext("return_sam_data(): decrypt track_id failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
954 free(scratch.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
955 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
956 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
957 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
958
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
959 if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
960 com_err("krb5kdc", retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
961 gettext(
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
962 "return_sam_data(): decode_krb5_predicted_sam_response failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
963 free(scratch.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
964 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
965 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
966
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
967 /* We could use sr->sam_flags, but it may be absent or altered. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
968 if (psr->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
969 com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
970 gettext("Unsupported SAM flag must-pk-encrypt-sad"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
971 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
972 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
973 if (psr->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
974 /* No key munging */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
975 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
976 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
977 if (psr->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
978 /* Use sam_key instead of client key */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
979 krb5_free_keyblock_contents(context, encrypting_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
980 krb5_copy_keyblock_contents(context, &psr->sam_key, encrypting_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
981 /* XXX Attach a useful pa_data */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
982 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
983 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
984
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
985 /* Otherwise (no flags set), we XOR the keys */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
986 /* XXX The passwords-04 draft is underspecified here wrt different
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
987 key types. We will do what I hope to get into the -05 draft. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
988 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
989 krb5_octet *p = encrypting_key->contents;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
990 krb5_octet *q = psr->sam_key.contents;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
991 int length = ((encrypting_key->length < psr->sam_key.length)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
992 ? encrypting_key->length
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
993 : psr->sam_key.length);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
994
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
995 for (i = 0; i < length; i++)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
996 p[i] ^= q[i];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
997 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
998
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
999 /* Post-mixing key correction */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1000 switch (encrypting_key->enctype) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1001 case ENCTYPE_DES_CBC_CRC:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1002 case ENCTYPE_DES_CBC_MD4:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1003 case ENCTYPE_DES_CBC_MD5:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1004 case ENCTYPE_DES_CBC_RAW:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1005 mit_des_fixup_key_parity(encrypting_key->contents);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1006 if (mit_des_is_weak_key(encrypting_key->contents))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1007 ((krb5_octet *) encrypting_key->contents)[7] ^= 0xf0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1008 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1009
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1010 /* XXX case ENCTYPE_DES3_CBC_MD5: listed in 1510bis-04 draft */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1011 case ENCTYPE_DES3_CBC_SHA: /* XXX deprecated? */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1012 case ENCTYPE_DES3_CBC_RAW:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1013 case ENCTYPE_DES3_CBC_SHA1:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1014 for (i = 0; i < 3; i++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1015 mit_des_fixup_key_parity(encrypting_key->contents + i * 8);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1016 if (mit_des_is_weak_key(encrypting_key->contents + i * 8))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1017 ((krb5_octet *) encrypting_key->contents)[7 + i * 8] ^= 0xf0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1018 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1019 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1020
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1021 default:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1022 com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1023 gettext("Unimplemented keytype for SAM key mixing"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1024 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1025 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1026
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1027 /* XXX Attach a useful pa_data */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1028 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1029 if (sr)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1030 krb5_free_sam_response(context, sr);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1031 if (psr)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1032 krb5_free_predicted_sam_response(context, psr);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1033
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1034 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1035 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1036
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1037 static struct {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1038 char* name;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1039 int sam_type;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1040 } *sam_ptr, sam_inst_map[] = {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1041 #if 0 /* SUNWresync121 - unsupported hardware and kdc.log annoyance */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1042 { "SNK4", PA_SAM_TYPE_DIGI_PATH, },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1043 { "SECURID", PA_SAM_TYPE_SECURID, },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1044 { "GRAIL", PA_SAM_TYPE_GRAIL, },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1045 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1046 { 0, 0 },
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1047 };
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1048
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1049 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1050 get_sam_edata(krb5_context context, krb5_kdc_req *request,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1051 krb5_db_entry *client, krb5_db_entry *server,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1052 krb5_pa_data *pa_data)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1053 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1054 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1055 krb5_sam_challenge sc;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1056 krb5_predicted_sam_response psr;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1057 krb5_data * scratch;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1058 krb5_keyblock encrypting_key;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1059 char response[9];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1060 char inputblock[8];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1061 krb5_data predict_response;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1062
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1063 (void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1064 (void) memset(&sc, 0, sizeof(sc));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1065 (void) memset(&psr, 0, sizeof(psr));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1066
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1067 /* Given the client name we can figure out what type of preauth
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1068 they need. The spec is currently for querying the database for
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1069 names that match the types of preauth used. Later we should
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1070 make this mapping show up in kdc.conf. In the meantime, we
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1071 hardcode the following:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1072 /SNK4 -- Digital Pathways SNK/4 preauth.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1073 /GRAIL -- experimental preauth
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1074 The first one found is used. See sam_inst_map above.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1075
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1076 For SNK4 in particular, the key in the database is the key for
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1077 the device; kadmin needs a special interface for it.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1078 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1079
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1080 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1081 int npr = 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1082 krb5_boolean more;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1083 krb5_db_entry assoc;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1084 krb5_key_data *assoc_key;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1085 krb5_principal newp;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1086 int probeslot;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1087
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1088 sc.sam_type = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1089
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1090 retval = krb5_copy_principal(kdc_context, request->client, &newp);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1091 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1092 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1093 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1094 gettext("copying client name for preauth probe"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1095 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1096 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1097
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1098 probeslot = krb5_princ_size(context, newp)++;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1099 krb5_princ_name(kdc_context, newp) =
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1100 realloc(krb5_princ_name(kdc_context, newp),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1101 krb5_princ_size(context, newp) * sizeof(krb5_data));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1102
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1103 for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1104 krb5_princ_component(kdc_context,newp,probeslot)->data = sam_ptr->name;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1105 krb5_princ_component(kdc_context,newp,probeslot)->length =
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1106 strlen(sam_ptr->name);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1107 npr = 1;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1108 retval = krb5_db_get_principal(kdc_context, newp, &assoc, &npr, (uint *)&more);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1109 if(!retval && npr) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1110 sc.sam_type = sam_ptr->sam_type;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1111 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1112 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1113 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1114
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1115 krb5_princ_component(kdc_context,newp,probeslot)->data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1116 krb5_princ_component(kdc_context,newp,probeslot)->length = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1117 krb5_princ_size(context, newp)--;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1118
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1119 krb5_free_principal(kdc_context, newp);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1120
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1121 /* if sc.sam_type is set, it worked */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1122 if (sc.sam_type) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1123 /* so use assoc to get the key out! */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1124 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1125 /* here's what do_tgs_req does */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1126 retval = krb5_dbe_find_enctype(kdc_context, &assoc,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1127 ENCTYPE_DES_CBC_RAW,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1128 KRB5_KDB_SALTTYPE_NORMAL,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1129 0, /* Get highest kvno */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1130 &assoc_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1131 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1132 char *sname;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1133 krb5_unparse_name(kdc_context, request->client, &sname);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1134 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1135 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1136 gettext("snk4 finding the enctype and key <%s>"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1137 sname);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1138 free(sname);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1139 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1140 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1141 /* convert server.key into a real key */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1142 retval = krb5_dbekd_decrypt_key_data(kdc_context,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1143 &master_keyblock,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1144 assoc_key, &encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1145 NULL);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1146 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1147 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1148 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1149 gettext("snk4 pulling out key entry"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1150 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1151 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1152 /* now we can use encrypting_key... */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1153 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1154 } else {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1155 /* SAM is not an option - so don't return as hint */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1156 return KRB5_PREAUTH_BAD_TYPE;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1157 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1158 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1159 sc.magic = KV5M_SAM_CHALLENGE;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1160 psr.sam_flags = sc.sam_flags = KRB5_SAM_USE_SAD_AS_KEY;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1161
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1162 /* Replay prevention */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1163 if ((retval = krb5_copy_principal(context, request->client, &psr.client)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1164 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1165 #ifdef USE_RCACHE
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1166 if ((retval = krb5_us_timeofday(context, &psr.stime, &psr.susec)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1167 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1168 #endif /* USE_RCACHE */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1169
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1170 switch (sc.sam_type) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1171 case PA_SAM_TYPE_GRAIL:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1172 sc.sam_type_name.data = "Experimental System";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1173 sc.sam_type_name.length = strlen(sc.sam_type_name.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1174 sc.sam_challenge_label.data = "experimental challenge label";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1175 sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1176 sc.sam_challenge.data = "12345";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1177 sc.sam_challenge.length = strlen(sc.sam_challenge.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1178
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1179 #if 0 /* Enable this to test "normal" (no flags set) mode. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1180 psr.sam_flags = sc.sam_flags = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1181 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1182
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1183 psr.magic = KV5M_PREDICTED_SAM_RESPONSE;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1184 /* string2key on sc.sam_challenge goes in here */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1185 /* eblock is just to set the enctype */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1186 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1187 const krb5_enctype type = ENCTYPE_DES_CBC_MD5;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1188
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1189 if ((retval = krb5_c_string_to_key(context, type, &sc.sam_challenge,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1190 0 /* salt */, &psr.sam_key)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1191 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1192
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1193 if ((retval = encode_krb5_predicted_sam_response(&psr, &scratch)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1194 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1195
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1196 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1197 size_t enclen;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1198 krb5_enc_data tmpdata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1199
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1200 if ((retval = krb5_c_encrypt_length(context,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1201 psr_key.enctype,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1202 scratch->length, &enclen)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1203 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1204
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1205 if ((tmpdata.ciphertext.data = (char *) malloc(enclen)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1206 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1207 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1208 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1209 tmpdata.ciphertext.length = enclen;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1210
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1211 if ((retval = krb5_c_encrypt(context, &psr_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1212 /* XXX */ 0, 0, scratch, &tmpdata)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1213 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1214
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1215 sc.sam_track_id = tmpdata.ciphertext;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1216 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1217 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1218
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1219 sc.sam_response_prompt.data = "response prompt";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1220 sc.sam_response_prompt.length = strlen(sc.sam_response_prompt.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1221 sc.sam_pk_for_sad.length = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1222 sc.sam_nonce = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1223 /* Generate checksum */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1224 /*krb5_checksum_size(context, ctype)*/
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1225 /*krb5_calculate_checksum(context,ctype,in,in_length,seed,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1226 seed_length,outcksum) */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1227 /*krb5_verify_checksum(context,ctype,cksum,in,in_length,seed,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1228 seed_length) */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1229 #if 0 /* XXX a) glue appears broken; b) this gives up the SAD */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1230 sc.sam_cksum.contents = (krb5_octet *)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1231 malloc(krb5_checksum_size(context, CKSUMTYPE_RSA_MD5_DES));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1232 if (sc.sam_cksum.contents == NULL) return(ENOMEM);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1233
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1234 retval = krb5_calculate_checksum(context, CKSUMTYPE_RSA_MD5_DES,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1235 sc.sam_challenge.data,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1236 sc.sam_challenge.length,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1237 psr.sam_key.contents, /* key */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1238 psr.sam_key.length, /* key length */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1239 &sc.sam_cksum);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1240 if (retval) { free(sc.sam_cksum.contents); return(retval); }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1241 #endif /* 0 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1242
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1243 retval = encode_krb5_sam_challenge(&sc, &scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1244 if (retval) goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1245 pa_data->magic = KV5M_PA_DATA;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1246 pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1247 pa_data->contents = (unsigned char *) scratch->data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1248 pa_data->length = scratch->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1249
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1250 retval = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1251 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1252 case PA_SAM_TYPE_DIGI_PATH:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1253 sc.sam_type_name.data = "Digital Pathways";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1254 sc.sam_type_name.length = strlen(sc.sam_type_name.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1255 #if 1
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1256 sc.sam_challenge_label.data = "Enter the following on your keypad";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1257 sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1258 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1259 /* generate digit string, take it mod 1000000 (six digits.) */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1260 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1261 int j;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1262 krb5_keyblock session_key;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1263 char outputblock[8];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1264 int i;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1265
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1266 (void) memset(&session_key, 0, sizeof(krb5_keyblock));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1267
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1268 (void) memset(inputblock, 0, 8);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1269
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1270 retval = krb5_c_make_random_key(kdc_context, ENCTYPE_DES_CBC_CRC,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1271 &session_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1272
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1273 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1274 /* random key failed */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1275 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1276 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1277 gettext("generating random challenge for preauth"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1278 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1279 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1280 /* now session_key has a key which we can pick bits out of */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1281 /* we need six decimal digits. Grab 6 bytes, div 2, mod 10 each. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1282 if (session_key.length != 8) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1283 retval = KRB5KDC_ERR_ETYPE_NOSUPP,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1284 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1285 retval = KRB5KDC_ERR_ETYPE_NOSUPP,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1286 gettext("keytype didn't match code expectations"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1287 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1288 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1289 for(i = 0; i<6; i++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1290 inputblock[i] = '0' + ((session_key.contents[i]/2) % 10);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1291 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1292 if (session_key.contents)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1293 krb5_free_keyblock_contents(kdc_context, &session_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1294
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1295 /* retval = krb5_finish_key(kdc_context, &eblock); */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1296 /* now we have inputblock containing the 8 byte input to DES... */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1297 sc.sam_challenge.data = inputblock;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1298 sc.sam_challenge.length = 6;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1299
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1300 encrypting_key.enctype = ENCTYPE_DES_CBC_RAW;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1301
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1302 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1303 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1304 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1305 gettext("snk4 processing key"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1306 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1307
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1308 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1309 krb5_data plain;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1310 krb5_enc_data cipher;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1311
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1312 plain.length = 8;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1313 plain.data = inputblock;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1314
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1315 /* XXX I know this is enough because of the fixed raw enctype.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1316 if it's not, the underlying code will return a reasonable
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1317 error, which should never happen */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1318 cipher.ciphertext.length = 8;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1319 cipher.ciphertext.data = outputblock;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1320
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1321 if ((retval = krb5_c_encrypt(kdc_context, &encrypting_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1322 /* XXX */ 0, 0, &plain, &cipher))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1323 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1324 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1325 gettext("snk4 response generation failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1326 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1327 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1328 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1329
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1330 /* now output block is the raw bits of the response; convert it
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1331 to display form */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1332 for (j=0; j<4; j++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1333 char n[2];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1334 int k;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1335 n[0] = outputblock[j] & 0xf;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1336 n[1] = (outputblock[j]>>4) & 0xf;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1337 for (k=0; k<2; k++) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1338 if(n[k] > 9) n[k] = ((n[k]-1)>>2);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1339 /* This is equivalent to:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1340 if(n[k]>=0xa && n[k]<=0xc) n[k] = 2;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1341 if(n[k]>=0xd && n[k]<=0xf) n[k] = 3;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1342 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1343 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1344 /* for v4, we keygen: *(j+(char*)&key1) = (n[1]<<4) | n[0]; */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1345 /* for v5, we just generate a string */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1346 response[2*j+0] = '0' + n[1];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1347 response[2*j+1] = '0' + n[0];
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1348 /* and now, response has what we work with. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1349 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1350 response[8] = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1351 predict_response.data = response;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1352 predict_response.length = 8;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1353 #if 0 /* for debugging, hack the output too! */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1354 sc.sam_challenge_label.data = response;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1355 sc.sam_challenge_label.length = strlen(sc.sam_challenge_label.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1356 #endif
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1357 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1358
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1359 psr.magic = KV5M_PREDICTED_SAM_RESPONSE;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1360 /* string2key on sc.sam_challenge goes in here */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1361 /* eblock is just to set the enctype */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1362 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1363 retval = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1364 &predict_response, 0 /* salt */,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1365 &psr.sam_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1366 if (retval) goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1367
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1368 retval = encode_krb5_predicted_sam_response(&psr, &scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1369 if (retval) goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1370
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1371 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1372 size_t enclen;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1373 krb5_enc_data tmpdata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1374
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1375 if ((retval = krb5_c_encrypt_length(context,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1376 psr_key.enctype,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1377 scratch->length, &enclen)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1378 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1379
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1380 if ((tmpdata.ciphertext.data = (char *) malloc(enclen)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1381 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1382 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1383 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1384 tmpdata.ciphertext.length = enclen;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1385
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1386 if ((retval = krb5_c_encrypt(context, &psr_key,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1387 /* XXX */ 0, 0, scratch, &tmpdata)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1388 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1389
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1390 sc.sam_track_id = tmpdata.ciphertext;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1391 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1392 if (retval) goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1393 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1394
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1395 sc.sam_response_prompt.data = "Enter the displayed response";
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1396 sc.sam_response_prompt.length = strlen(sc.sam_response_prompt.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1397 sc.sam_pk_for_sad.length = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1398 sc.sam_nonce = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1399 /* Generate checksum */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1400 /*krb5_checksum_size(context, ctype)*/
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1401 /*krb5_calculate_checksum(context,ctype,in,in_length,seed,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1402 seed_length,outcksum) */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1403 /*krb5_verify_checksum(context,ctype,cksum,in,in_length,seed,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1404 seed_length) */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1405 #if 0 /* XXX a) glue appears broken; b) this gives up the SAD */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1406 sc.sam_cksum.contents = (krb5_octet *)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1407 malloc(krb5_checksum_size(context, CKSUMTYPE_RSA_MD5_DES));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1408 if (sc.sam_cksum.contents == NULL) return(ENOMEM);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1409
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1410 retval = krb5_calculate_checksum(context, CKSUMTYPE_RSA_MD5_DES,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1411 sc.sam_challenge.data,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1412 sc.sam_challenge.length,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1413 psr.sam_key.contents, /* key */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1414 psr.sam_key.length, /* key length */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1415 &sc.sam_cksum);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1416 if (retval) { free(sc.sam_cksum.contents); return(retval); }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1417 #endif /* 0 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1418
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1419 retval = encode_krb5_sam_challenge(&sc, &scratch);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1420 if (retval) goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1421 pa_data->magic = KV5M_PA_DATA;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1422 pa_data->pa_type = KRB5_PADATA_SAM_CHALLENGE;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1423 pa_data->contents = (unsigned char *) scratch->data;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1424 pa_data->length = scratch->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1425
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1426 retval = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1427 break;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1428 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1429
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1430 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1431 krb5_free_keyblock_contents(context, &encrypting_key);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1432 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1433 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1434
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1435 static krb5_error_code
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1436 verify_sam_response(krb5_context context, krb5_db_entry *client,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1437 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1438 krb5_pa_data *pa)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1439 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1440 krb5_error_code retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1441 krb5_data scratch;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1442 krb5_sam_response *sr = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1443 krb5_predicted_sam_response *psr = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1444 krb5_enc_sam_response_enc *esre = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1445 krb5_timestamp timenow;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1446 char *princ_req = 0, *princ_psr = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1447
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1448 scratch.data = (char *) pa->contents;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1449 scratch.length = pa->length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1450
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1451 if ((retval = decode_krb5_sam_response(&scratch, &sr))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1452 scratch.data = 0;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1453 com_err("krb5kdc", retval, gettext("decode_krb5_sam_response failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1454 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1455 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1456
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1457 /* XXX We can only handle the challenge/response model of SAM.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1458 See passwords-04, par 4.1, 4.2 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1459 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1460 krb5_enc_data tmpdata;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1461
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1462 tmpdata.enctype = ENCTYPE_UNKNOWN;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1463 tmpdata.ciphertext = sr->sam_track_id;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1464
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1465 scratch.length = tmpdata.ciphertext.length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1466 if ((scratch.data = (char *) malloc(scratch.length)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1467 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1468 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1469 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1470
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1471 if ((retval = krb5_c_decrypt(context, &psr_key, /* XXX */ 0, 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1472 &tmpdata, &scratch))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1473 com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1474 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1475 gettext("decrypt track_id failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1476 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1477 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1478 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1479
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1480 if ((retval = decode_krb5_predicted_sam_response(&scratch, &psr))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1481 com_err(gettext("krb5kdc"), retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1482 gettext("decode_krb5_predicted_sam_response failed -- replay attack?"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1483 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1484 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1485
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1486 /* Replay detection */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1487 if ((retval = krb5_unparse_name(context, request->client, &princ_req)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1488 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1489 if ((retval = krb5_unparse_name(context, psr->client, &princ_psr)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1490 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1491 if (strcmp(princ_req, princ_psr) != 0) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1492 com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1493 gettext("Principal mismatch in SAM psr! -- replay attack?"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1494 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1495 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1496
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1497 if ((retval = krb5_timeofday(context, &timenow)))
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1498 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1499
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1500 #ifdef USE_RCACHE
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1501 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1502 krb5_donot_replay rep;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1503 extern krb5_deltat rc_lifetime;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1504 /*
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1505 * Verify this response came back in a timely manner.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1506 * We do this b/c otherwise very old (expunged from the rcache)
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1507 * psr's would be able to be replayed.
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1508 */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1509 if (timenow - psr->stime > rc_lifetime) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1510 com_err("krb5kdc", retval = KRB5KDC_ERR_PREAUTH_FAILED,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1511 gettext("SAM psr came back too late! -- replay attack?"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1512 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1513 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1514
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1515 /* Now check the replay cache. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1516 rep.client = princ_psr;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1517 rep.server = "SAM/rc"; /* Should not match any principal name. */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1518 rep.ctime = psr->stime;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1519 rep.cusec = psr->susec;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1520 retval = krb5_rc_store(kdc_context, kdc_rcache, &rep);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1521 if (retval) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1522 com_err("krb5kdc", retval, gettext("SAM psr replay attack!"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1523 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1524 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1525 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1526 #endif /* USE_RCACHE */
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1527
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1528
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1529 {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1530 free(scratch.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1531 scratch.length = sr->sam_enc_nonce_or_ts.ciphertext.length;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1532 if ((scratch.data = (char *) malloc(scratch.length)) == NULL) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1533 retval = ENOMEM;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1534 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1535 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1536
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1537 if ((retval = krb5_c_decrypt(context, &psr->sam_key, /* XXX */ 0,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1538 0, &sr->sam_enc_nonce_or_ts, &scratch))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1539 com_err("krb5kdc", retval, gettext("decrypt nonce_or_ts failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1540 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1541 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1542 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1543
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1544 if ((retval = decode_krb5_enc_sam_response_enc(&scratch, &esre))) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1545 com_err("krb5kdc", retval, gettext("decode_krb5_enc_sam_response_enc failed"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1546 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1547 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1548
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1549 if (esre->sam_timestamp != sr->sam_patimestamp) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1550 retval = KRB5KDC_ERR_PREAUTH_FAILED;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1551 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1552 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1553
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1554 if (labs(timenow - sr->sam_patimestamp) > context->clockskew) {
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1555 retval = KRB5KRB_AP_ERR_SKEW;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1556 goto cleanup;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1557 }
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1558
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1559 setflag(enc_tkt_reply->flags, TKT_FLG_HW_AUTH);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1560
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1561 cleanup:
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1562 if (retval) com_err(gettext("krb5kdc"),
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1563 retval,
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1564 gettext("sam verify failure"));
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1565 if (scratch.data) free(scratch.data);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1566 if (sr) free(sr);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1567 if (psr) free(psr);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1568 if (esre) free(esre);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1569 if (princ_psr) free(princ_psr);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1570 if (princ_req) free(princ_req);
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1571
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1572 return retval;
c9caec207d52 Initial porting based on b86
Koji Uno <koji.uno@sun.com>
parents:
diff changeset
1573 }