benny/wmic
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

wmi-1.3.16 from opsview.com

Browse Source
This commit is contained in:
Are Casilla
2019-02-16 00:16:52 +01:00
parent 163fdd3d1b
commit 17b3af2911
2146 changed files with 678824 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Samba/source/heimdal/kdc/524.c
+400
View File
@@ -0,0 +1,400 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: 524.c,v 1.40 2006/10/06 17:06:30 lha Exp $");
#include <krb5-v4compat.h>
/*
* fetch the server from `t', returning the name in malloced memory in
* `spn' and the entry itself in `server'
*/
static krb5_error_code
fetch_server (krb5_context context,
krb5_kdc_configuration *config,
const Ticket *t,
char **spn,
hdb_entry_ex **server,
const char *from)
{
krb5_error_code ret;
krb5_principal sprinc;
ret = _krb5_principalname2krb5_principal(context, &sprinc,
t->sname, t->realm);
if (ret) {
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text(context, ret));
return ret;
}
ret = krb5_unparse_name(context, sprinc, spn);
if (ret) {
krb5_free_principal(context, sprinc);
kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text(context, ret));
return ret;
}
ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER,
NULL, server);
krb5_free_principal(context, sprinc);
if (ret) {
kdc_log(context, config, 0,
"Request to convert ticket from %s for unknown principal %s: %s",
from, *spn, krb5_get_err_text(context, ret));
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
return ret;
}
return 0;
}
static krb5_error_code
log_524 (krb5_context context,
krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *from,
const char *spn)
{
krb5_principal client;
char *cpn;
krb5_error_code ret;
ret = _krb5_principalname2krb5_principal(context, &client,
et->cname, et->crealm);
if (ret) {
kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
krb5_get_err_text (context, ret));
return ret;
}
ret = krb5_unparse_name(context, client, &cpn);
if (ret) {
krb5_free_principal(context, client);
kdc_log(context, config, 0, "krb5_unparse_name: %s",
krb5_get_err_text (context, ret));
return ret;
}
kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
free(cpn);
krb5_free_principal(context, client);
return 0;
}
static krb5_error_code
verify_flags (krb5_context context,
krb5_kdc_configuration *config,
const EncTicketPart *et,
const char *spn)
{
if(et->endtime < kdc_time){
kdc_log(context, config, 0, "Ticket expired (%s)", spn);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
if(et->flags.invalid){
kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
return KRB5KRB_AP_ERR_TKT_NYV;
}
return 0;
}
/*
* set the `et->caddr' to the most appropriate address to use, where
* `addr' is the address the request was received from.
*/
static krb5_error_code
set_address (krb5_context context,
krb5_kdc_configuration *config,
EncTicketPart *et,
struct sockaddr *addr,
const char *from)
{
krb5_error_code ret;
krb5_address *v4_addr;
v4_addr = malloc (sizeof(*v4_addr));
if (v4_addr == NULL)
return ENOMEM;
ret = krb5_sockaddr2address(context, addr, v4_addr);
if(ret) {
free (v4_addr);
kdc_log(context, config, 0, "Failed to convert address (%s)", from);
return ret;
}
if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
kdc_log(context, config, 0, "Incorrect network address (%s)", from);
krb5_free_address(context, v4_addr);
free (v4_addr);
return KRB5KRB_AP_ERR_BADADDR;
}
if(v4_addr->addr_type == KRB5_ADDRESS_INET) {
/* we need to collapse the addresses in the ticket to a
single address; best guess is to use the address the
connection came from */
if (et->caddr != NULL) {
free_HostAddresses(et->caddr);
} else {
et->caddr = malloc (sizeof (*et->caddr));
if (et->caddr == NULL) {
krb5_free_address(context, v4_addr);
free(v4_addr);
return ENOMEM;
}
}
et->caddr->val = v4_addr;
et->caddr->len = 1;
} else {
krb5_free_address(context, v4_addr);
free(v4_addr);
}
return 0;
}
static krb5_error_code
encrypt_v4_ticket(krb5_context context,
krb5_kdc_configuration *config,
void *buf,
size_t len,
krb5_keyblock *skey,
EncryptedData *reply)
{
krb5_crypto crypto;
krb5_error_code ret;
ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
if (ret) {
free(buf);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
return ret;
}
ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_TICKET,
buf,
len,
0,
reply);
krb5_crypto_destroy(context, crypto);
if(ret) {
kdc_log(context, config, 0, "Failed to encrypt data: %s",
krb5_get_err_text(context, ret));
return ret;
}
return 0;
}
static krb5_error_code
encode_524_response(krb5_context context,
krb5_kdc_configuration *config,
const char *spn, const EncTicketPart et,
const Ticket *t, hdb_entry_ex *server,
EncryptedData *ticket, int *kvno)
{
krb5_error_code ret;
int use_2b;
size_t len;
use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL);
if(use_2b) {
ASN1_MALLOC_ENCODE(EncryptedData,
ticket->cipher.data, ticket->cipher.length,
&t->enc_part, &len, ret);
if (ret) {
kdc_log(context, config, 0,
"Failed to encode v4 (2b) ticket (%s)", spn);
return ret;
}
ticket->etype = 0;
ticket->kvno = NULL;
*kvno = 213; /* 2b's use this magic kvno */
} else {
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
Key *skey;
if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
t->realm);
return KRB5KDC_ERR_POLICY;
}
ret = _kdc_encode_v4_ticket(context, config,
buf + sizeof(buf) - 1, sizeof(buf),
&et, &t->sname, &len);
if(ret){
kdc_log(context, config, 0,
"Failed to encode v4 ticket (%s)", spn);
return ret;
}
ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
kdc_log(context, config, 0,
"no suitable DES key for server (%s)", spn);
return ret;
}
ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len,
&skey->key, ticket);
if(ret){
kdc_log(context, config, 0,
"Failed to encrypt v4 ticket (%s)", spn);
return ret;
}
*kvno = server->entry.kvno;
}
return 0;
}
/*
* process a 5->4 request, based on `t', and received `from, addr',
* returning the reply in `reply'
*/
krb5_error_code
_kdc_do_524(krb5_context context,
krb5_kdc_configuration *config,
const Ticket *t, krb5_data *reply,
const char *from, struct sockaddr *addr)
{
krb5_error_code ret = 0;
krb5_crypto crypto;
hdb_entry_ex *server = NULL;
Key *skey;
krb5_data et_data;
EncTicketPart et;
EncryptedData ticket;
krb5_storage *sp;
char *spn = NULL;
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
size_t len;
int kvno = 0;
if(!config->enable_524) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Rejected ticket conversion request from %s", from);
goto out;
}
ret = fetch_server (context, config, t, &spn, &server, from);
if (ret) {
goto out;
}
ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey);
if(ret){
kdc_log(context, config, 0,
"No suitable key found for server (%s) from %s", spn, from);
goto out;
}
ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
if (ret) {
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
goto out;
}
ret = krb5_decrypt_EncryptedData (context,
crypto,
KRB5_KU_TICKET,
&t->enc_part,
&et_data);
krb5_crypto_destroy(context, crypto);
if(ret){
kdc_log(context, config, 0,
"Failed to decrypt ticket from %s for %s", from, spn);
goto out;
}
ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length,
&et, &len);
krb5_data_free(&et_data);
if(ret){
kdc_log(context, config, 0,
"Failed to decode ticket from %s for %s", from, spn);
goto out;
}
ret = log_524 (context, config, &et, from, spn);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
ret = verify_flags (context, config, &et, spn);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
ret = set_address (context, config, &et, addr, from);
if (ret) {
free_EncTicketPart(&et);
goto out;
}
ret = encode_524_response(context, config, spn, et, t,
server, &ticket, &kvno);
free_EncTicketPart(&et);
out:
/* make reply */
memset(buf, 0, sizeof(buf));
sp = krb5_storage_from_mem(buf, sizeof(buf));
if (sp) {
krb5_store_int32(sp, ret);
if(ret == 0){
krb5_store_int32(sp, kvno);
krb5_store_data(sp, ticket.cipher);
/* Aargh! This is coded as a KTEXT_ST. */
krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
krb5_store_int32(sp, 0); /* mbz */
free_EncryptedData(&ticket);
}
ret = krb5_storage_to_data(sp, reply);
reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
krb5_storage_free(sp);
} else
krb5_data_zero(reply);
if(spn)
free(spn);
if(server)
_kdc_free_ent (context, server);
return ret;
}
Samba/source/heimdal/kdc/default_config.c
+62
View File
@@ -0,0 +1,62 @@
/*
* Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
/*
* Setup some of the defaults for the KDC configuration.
*
* Note: Caller must also fill in:
* - db
* - num_db
* - logf
*
*/
void
krb5_kdc_default_config(krb5_kdc_configuration *config)
{
memset(config, 0, sizeof(*config));
config->require_preauth = TRUE;
config->kdc_warn_pwexpire = 0;
config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */
config->check_ticket_addresses = TRUE;
config->allow_null_ticket_addresses = TRUE;
config->allow_anonymous = FALSE;
config->trpolicy = TRPOLICY_ALWAYS_CHECK;
config->enable_v4 = FALSE;
config->enable_kaserver = FALSE;
config->enable_524 = FALSE; /* overriden by enable_v4 in configure()) */
config->enable_v4_cross_realm = FALSE;
config->enable_pkinit = FALSE;
config->enable_pkinit_princ_in_cert = TRUE;
config->db = NULL;
config->num_db = 0;
config->logf = NULL;
}
Samba/source/heimdal/kdc/digest.c
+712
View File
@@ -0,0 +1,712 @@
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
#include <digest_asn1.h>
#include <hex.h>
RCSID("$Id: digest.c,v 1.7 2006/10/22 20:11:44 lha Exp $");
krb5_error_code
_kdc_do_digest(krb5_context context,
krb5_kdc_configuration *config,
const DigestREQ *req, krb5_data *reply,
const char *from, struct sockaddr *addr)
{
krb5_error_code ret = 0;
krb5_ticket *ticket = NULL;
krb5_auth_context ac = NULL;
krb5_keytab id = NULL;
krb5_crypto crypto = NULL;
DigestReqInner ireq;
DigestRepInner r;
DigestREP rep;
krb5_flags ap_req_options;
krb5_data buf;
size_t size;
krb5_storage *sp = NULL;
Checksum res;
hdb_entry_ex *server = NULL, *user = NULL;
char *password = NULL;
krb5_data serverNonce;
if(!config->enable_digest) {
kdc_log(context, config, 0, "Rejected digest request from %s", from);
return KRB5KDC_ERR_POLICY;
}
krb5_data_zero(&buf);
krb5_data_zero(reply);
krb5_data_zero(&serverNonce);
memset(&ireq, 0, sizeof(ireq));
memset(&r, 0, sizeof(r));
memset(&rep, 0, sizeof(rep));
kdc_log(context, config, 0, "Digest request from %s", from);
ret = krb5_kt_resolve(context, "HDB:", &id);
if (ret) {
kdc_log(context, config, 0, "Can't open database for digest");
goto out;
}
ret = krb5_rd_req(context,
&ac,
&req->apReq,
NULL,
id,
&ap_req_options,
&ticket);
if (ret)
goto out;
/* check the server principal in the ticket matches digest/R@R */
{
krb5_principal principal = NULL;
const char *p, *r;
ret = krb5_ticket_get_server(context, ticket, &principal);
if (ret)
goto out;
ret = EINVAL;
krb5_set_error_string(context, "Wrong digest server principal used");
p = krb5_principal_get_comp_string(context, principal, 0);
if (p == NULL) {
krb5_free_principal(context, principal);
goto out;
}
if (strcmp(p, KRB5_DIGEST_NAME) != 0) {
krb5_free_principal(context, principal);
goto out;
}
p = krb5_principal_get_comp_string(context, principal, 1);
if (p == NULL) {
krb5_free_principal(context, principal);
goto out;
}
r = krb5_principal_get_realm(context, principal);
if (r == NULL) {
krb5_free_principal(context, principal);
goto out;
}
if (strcmp(p, r) != 0) {
krb5_free_principal(context, principal);
goto out;
}
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_SERVER, NULL, &server);
if (ret)
goto out;
krb5_free_principal(context, principal);
}
/* check the client is allowed to do digest auth */
{
krb5_principal principal = NULL;
hdb_entry_ex *client;
ret = krb5_ticket_get_client(context, ticket, &principal);
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, principal,
HDB_F_GET_CLIENT, NULL, &client);
krb5_free_principal(context, principal);
if (ret)
goto out;
if (client->entry.flags.allow_digest == 0) {
krb5_set_error_string(context,
"Client is not permitted to use digest");
ret = KRB5KDC_ERR_POLICY;
_kdc_free_ent (context, client);
goto out;
}
_kdc_free_ent (context, client);
}
/* unpack request */
{
krb5_keyblock *key;
ret = krb5_auth_con_getremotesubkey(context, ac, &key);
if (ret)
goto out;
if (key == NULL) {
krb5_set_error_string(context, "digest: remote subkey not found");
ret = EINVAL;
goto out;
}
ret = krb5_crypto_init(context, key, 0, &crypto);
krb5_free_keyblock (context, key);
if (ret)
goto out;
}
ret = krb5_decrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
&req->innerReq, &buf);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret)
goto out;
ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
krb5_data_free(&buf);
if (ret) {
krb5_set_error_string(context, "Failed to decode digest inner request");
goto out;
}
/*
* Process the inner request
*/
switch (ireq.element) {
case choice_DigestReqInner_init: {
unsigned char server_nonce[16], identifier;
RAND_pseudo_bytes(&identifier, sizeof(identifier));
RAND_pseudo_bytes(server_nonce, sizeof(server_nonce));
server_nonce[0] = kdc_time & 0xff;
server_nonce[1] = (kdc_time >> 8) & 0xff;
server_nonce[2] = (kdc_time >> 16) & 0xff;
server_nonce[3] = (kdc_time >> 24) & 0xff;
r.element = choice_DigestRepInner_initReply;
hex_encode(server_nonce, sizeof(server_nonce), &r.u.initReply.nonce);
if (r.u.initReply.nonce == NULL) {
krb5_set_error_string(context, "Failed to decode server nonce");
ret = ENOMEM;
goto out;
}
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
ret = krb5_store_stringz(sp, ireq.u.init.type);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
if (ireq.u.init.channel) {
char *s;
asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
ireq.u.init.channel->cb_type,
ireq.u.init.channel->cb_binding);
if (s == NULL) {
krb5_set_error_string(context, "Failed to allocate "
"channel binding");
ret = ENOMEM;
goto out;
}
free(r.u.initReply.nonce);
r.u.initReply.nonce = s;
}
ret = krb5_store_stringz(sp, r.u.initReply.nonce);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
if (strcasecmp(ireq.u.init.type, "CHAP") == 0) {
r.u.initReply.identifier =
malloc(sizeof(*r.u.initReply.identifier));
if (r.u.initReply.identifier == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
if (*r.u.initReply.identifier == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
ret = krb5_store_stringz(sp, *r.u.initReply.identifier);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
} else
r.u.initReply.identifier = NULL;
if (ireq.u.init.hostname) {
ret = krb5_store_stringz(sp, *ireq.u.init.hostname);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
{
Key *key;
krb5_enctype enctype;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
goto out;
ret = krb5_crypto_init(context, &key->key, 0, &crypto);
if (ret)
goto out;
}
ret = krb5_create_checksum(context,
crypto,
KRB5_KU_DIGEST_OPAQUE,
0,
buf.data,
buf.length,
&res);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
krb5_data_free(&buf);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
free_Checksum(&res);
if (ret) {
krb5_set_error_string(context, "Failed to encode "
"checksum in digest request");
goto out;
}
if (size != buf.length)
krb5_abortx(context, "ASN1 internal error");
hex_encode(buf.data, buf.length, &r.u.initReply.opaque);
free(buf.data);
if (r.u.initReply.opaque == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
break;
}
case choice_DigestReqInner_digestRequest: {
krb5_principal clientprincipal;
HDB *db;
sp = krb5_storage_emem();
if (sp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
krb5_store_stringz(sp, ireq.u.digestRequest.type);
krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
if (ireq.u.digestRequest.identifier) {
ret = krb5_store_stringz(sp, *ireq.u.digestRequest.identifier);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
if (ireq.u.digestRequest.hostname) {
ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
buf.length = strlen(ireq.u.digestRequest.opaque);
buf.data = malloc(buf.length);
if (buf.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
ret = hex_decode(ireq.u.digestRequest.opaque, buf.data, buf.length);
if (ret <= 0) {
krb5_set_error_string(context, "Failed to decode opaque");
ret = ENOMEM;
goto out;
}
buf.length = ret;
ret = decode_Checksum(buf.data, buf.length, &res, NULL);
free(buf.data);
if (ret) {
krb5_set_error_string(context, "Failed to decode digest Checksum");
goto out;
}
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
serverNonce.length = strlen(ireq.u.digestRequest.serverNonce);
serverNonce.data = malloc(serverNonce.length);
if (serverNonce.data == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
/*
* CHAP does the checksum of the raw nonce, but do it for all
* types, since we need to check the timestamp.
*/
{
ssize_t ssize;
ssize = hex_decode(ireq.u.digestRequest.serverNonce,
serverNonce.data, serverNonce.length);
if (ssize <= 0) {
krb5_set_error_string(context, "Failed to decode serverNonce");
ret = ENOMEM;
goto out;
}
serverNonce.length = ssize;
}
{
Key *key;
krb5_enctype enctype;
ret = _kdc_get_preferred_key(context,
config,
server,
"digest-service",
&enctype,
&key);
if (ret)
goto out;
ret = krb5_crypto_init(context, &key->key, 0, &crypto);
if (ret)
goto out;
}
ret = krb5_verify_checksum(context, crypto,
KRB5_KU_DIGEST_OPAQUE,
buf.data, buf.length, &res);
krb5_crypto_destroy(context, crypto);
crypto = NULL;
if (ret)
goto out;
/* verify time */
{
unsigned char *p = serverNonce.data;
uint32_t t;
if (serverNonce.length < 4) {
krb5_set_error_string(context, "server nonce too short");
ret = EINVAL;
goto out;
}
t = p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
if (abs((kdc_time & 0xffffffff) - t) > context->max_skew) {
krb5_set_error_string(context, "time screw in server nonce ");
ret = EINVAL;
goto out;
}
}
/* get username */
ret = krb5_parse_name(context,
ireq.u.digestRequest.username,
&clientprincipal);
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, &db, &user);
krb5_free_principal(context, clientprincipal);
if (ret)
goto out;
ret = hdb_entry_get_password(context, db, &user->entry, &password);
if (ret || password == NULL) {
if (ret == 0) {
ret = EINVAL;
krb5_set_error_string(context, "password missing");
}
goto out;
}
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char id;
if (ireq.u.digestRequest.identifier == NULL) {
krb5_set_error_string(context, "Identifier missing "
"from CHAP request");
ret = EINVAL;
goto out;
}
if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
krb5_set_error_string(context, "failed to decode identifier");
ret = EINVAL;
goto out;
}
MD5_Init(&ctx);
MD5_Update(&ctx, &id, 1);
MD5_Update(&ctx, password, strlen(password));
MD5_Update(&ctx, serverNonce.data, serverNonce.length);
MD5_Final(md, &ctx);
r.element = choice_DigestRepInner_response;
hex_encode(md, sizeof(md), &r.u.response.responseData);
if (r.u.response.responseData == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *A1, *A2;
if (ireq.u.digestRequest.nonceCount == NULL)
goto out;
if (ireq.u.digestRequest.clientNonce == NULL)
goto out;
if (ireq.u.digestRequest.qop == NULL)
goto out;
if (ireq.u.digestRequest.realm == NULL)
goto out;
MD5_Init(&ctx);
MD5_Update(&ctx, ireq.u.digestRequest.username,
strlen(ireq.u.digestRequest.username));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.realm,
strlen(*ireq.u.digestRequest.realm));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, password, strlen(password));
MD5_Final(md, &ctx);
MD5_Init(&ctx);
MD5_Update(&ctx, md, sizeof(md));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
if (ireq.u.digestRequest.authid) {
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.authid,
strlen(*ireq.u.digestRequest.authid));
}
MD5_Final(md, &ctx);
hex_encode(md, sizeof(md), &A1);
if (A1 == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
MD5_Init(&ctx);
MD5_Update(&ctx, "AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
MD5_Update(&ctx, *ireq.u.digestRequest.uri,
strlen(*ireq.u.digestRequest.uri));
/* conf|int */
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
static char conf_zeros[] = ":00000000000000000000000000000000";
MD5_Update(&ctx, conf_zeros, sizeof(conf_zeros) - 1);
}
MD5_Final(md, &ctx);
hex_encode(md, sizeof(md), &A2);
if (A2 == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
free(A1);
goto out;
}
MD5_Init(&ctx);
MD5_Update(&ctx, A1, strlen(A2));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, ireq.u.digestRequest.serverNonce,
strlen(ireq.u.digestRequest.serverNonce));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.nonceCount,
strlen(*ireq.u.digestRequest.nonceCount));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.clientNonce,
strlen(*ireq.u.digestRequest.clientNonce));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, *ireq.u.digestRequest.qop,
strlen(*ireq.u.digestRequest.qop));
MD5_Update(&ctx, ":", 1);
MD5_Update(&ctx, A2, strlen(A2));
MD5_Final(md, &ctx);
r.element = choice_DigestRepInner_response;
hex_encode(md, sizeof(md), &r.u.response.responseData);
free(A1);
free(A2);
if (r.u.response.responseData == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
} else {
r.element = choice_DigestRepInner_error;
asprintf(&r.u.error.reason, "unsupported digest type %s",
ireq.u.digestRequest.type);
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
r.u.error.code = EINVAL;
}
break;
}
default:
r.element = choice_DigestRepInner_error;
r.u.error.reason = strdup("unknown operation");
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
ret = ENOMEM;
goto out;
}
r.u.error.code = EINVAL;
break;
}
ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode inner digest reply");
goto out;
}
if (size != buf.length)
krb5_abortx(context, "ASN1 internal error");
krb5_auth_con_addflags(context, ac, KRB5_AUTH_CONTEXT_USE_SUBKEY, NULL);
ret = krb5_mk_rep (context, ac, &rep.apRep);
if (ret)
goto out;
{
krb5_keyblock *key;
ret = krb5_auth_con_getlocalsubkey(context, ac, &key);
if (ret)
goto out;
ret = krb5_crypto_init(context, key, 0, &crypto);
krb5_free_keyblock (context, key);
if (ret)
goto out;
}
ret = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_DIGEST_ENCRYPT,
buf.data, buf.length, 0,
&rep.innerRep);
ASN1_MALLOC_ENCODE(DigestREP, reply->data, reply->length, &rep, &size, ret);
if (ret) {
krb5_set_error_string(context, "Failed to encode digest reply");
goto out;
}
if (size != reply->length)
krb5_abortx(context, "ASN1 internal error");
out:
if (ac)
krb5_auth_con_free(context, ac);
if (ret)
krb5_warn(context, ret, "Digest request from %s failed", from);
if (ticket)
krb5_free_ticket(context, ticket);
if (id)
krb5_kt_close(context, id);
if (crypto)
krb5_crypto_destroy(context, crypto);
if (sp)
krb5_storage_free(sp);
if (user)
_kdc_free_ent (context, user);
if (server)
_kdc_free_ent (context, server);
if (password) {
memset(password, 0, strlen(password));
free (password);
}
krb5_data_free(&buf);
krb5_data_free(&serverNonce);
free_DigestREP(&rep);
free_DigestRepInner(&r);
free_DigestReqInner(&ireq);
return ret;
}
Samba/source/heimdal/kdc/headers.h
+102
View File
@@ -0,0 +1,102 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* $Id: headers.h,v 1.18 2006/10/17 02:22:17 lha Exp $
*/
#ifndef __HEADERS_H__
#define __HEADERS_H__
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_IN6_H
#include <netinet/in6.h>
#endif
#ifdef HAVE_NETINET6_IN6_H
#include <netinet6/in6.h>
#endif
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
#ifdef HAVE_LIBUTIL_H
#include <libutil.h>
#endif
#include <err.h>
#include <roken.h>
#include <getarg.h>
#include <base64.h>
#include <parse_units.h>
#include <krb5.h>
#include <krb5_locl.h>
#include <digest_asn1.h>
#include <hdb.h>
#include <hdb_err.h>
#include <der.h>
#undef ALLOC
#define ALLOC(X) ((X) = malloc(sizeof(*(X))))
#undef ALLOC_SEQ
#define ALLOC_SEQ(X, N) do { (X)->len = (N); \
(X)->val = calloc((X)->len, sizeof(*(X)->val)); } while(0)
#endif /* __HEADERS_H__ */
Samba/source/heimdal/kdc/kaserver.c
+942
View File
@@ -0,0 +1,942 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: kaserver.c,v 1.36 2006/08/23 11:43:44 lha Exp $");
#include <krb5-v4compat.h>
#include <rx.h>
#define KA_AUTHENTICATION_SERVICE 731
#define KA_TICKET_GRANTING_SERVICE 732
#define KA_MAINTENANCE_SERVICE 733
#define AUTHENTICATE_OLD 1
#define CHANGEPASSWORD 2
#define GETTICKET_OLD 3
#define SETPASSWORD 4
#define SETFIELDS 5
#define CREATEUSER 6
#define DELETEUSER 7
#define GETENTRY 8
#define LISTENTRY 9
#define GETSTATS 10
#define DEBUG 11
#define GETPASSWORD 12
#define GETRANDOMKEY 13
#define AUTHENTICATE 21
#define AUTHENTICATE_V2 22
#define GETTICKET 23
/* XXX - Where do we get these? */
#define RXGEN_OPCODE (-455)
#define KADATABASEINCONSISTENT (180480L)
#define KAEXIST (180481L)
#define KAIO (180482L)
#define KACREATEFAIL (180483L)
#define KANOENT (180484L)
#define KAEMPTY (180485L)
#define KABADNAME (180486L)
#define KABADINDEX (180487L)
#define KANOAUTH (180488L)
#define KAANSWERTOOLONG (180489L)
#define KABADREQUEST (180490L)
#define KAOLDINTERFACE (180491L)
#define KABADARGUMENT (180492L)
#define KABADCMD (180493L)
#define KANOKEYS (180494L)
#define KAREADPW (180495L)
#define KABADKEY (180496L)
#define KAUBIKINIT (180497L)
#define KAUBIKCALL (180498L)
#define KABADPROTOCOL (180499L)
#define KANOCELLS (180500L)
#define KANOCELL (180501L)
#define KATOOMANYUBIKS (180502L)
#define KATOOMANYKEYS (180503L)
#define KABADTICKET (180504L)
#define KAUNKNOWNKEY (180505L)
#define KAKEYCACHEINVALID (180506L)
#define KABADSERVER (180507L)
#define KABADUSER (180508L)
#define KABADCPW (180509L)
#define KABADCREATE (180510L)
#define KANOTICKET (180511L)
#define KAASSOCUSER (180512L)
#define KANOTSPECIAL (180513L)
#define KACLOCKSKEW (180514L)
#define KANORECURSE (180515L)
#define KARXFAIL (180516L)
#define KANULLPASSWORD (180517L)
#define KAINTERNALERROR (180518L)
#define KAPWEXPIRED (180519L)
#define KAREUSED (180520L)
#define KATOOSOON (180521L)
#define KALOCKED (180522L)
static krb5_error_code
decode_rx_header (krb5_storage *sp,
struct rx_header *h)
{
krb5_error_code ret;
ret = krb5_ret_uint32(sp, &h->epoch);
if (ret) return ret;
ret = krb5_ret_uint32(sp, &h->connid);
if (ret) return ret;
ret = krb5_ret_uint32(sp, &h->callid);
if (ret) return ret;
ret = krb5_ret_uint32(sp, &h->seqno);
if (ret) return ret;
ret = krb5_ret_uint32(sp, &h->serialno);
if (ret) return ret;
ret = krb5_ret_uint8(sp, &h->type);
if (ret) return ret;
ret = krb5_ret_uint8(sp, &h->flags);
if (ret) return ret;
ret = krb5_ret_uint8(sp, &h->status);
if (ret) return ret;
ret = krb5_ret_uint8(sp, &h->secindex);
if (ret) return ret;
ret = krb5_ret_uint16(sp, &h->reserved);
if (ret) return ret;
ret = krb5_ret_uint16(sp, &h->serviceid);
if (ret) return ret;
return 0;
}
static krb5_error_code
encode_rx_header (struct rx_header *h,
krb5_storage *sp)
{
krb5_error_code ret;
ret = krb5_store_uint32(sp, h->epoch);
if (ret) return ret;
ret = krb5_store_uint32(sp, h->connid);
if (ret) return ret;
ret = krb5_store_uint32(sp, h->callid);
if (ret) return ret;
ret = krb5_store_uint32(sp, h->seqno);
if (ret) return ret;
ret = krb5_store_uint32(sp, h->serialno);
if (ret) return ret;
ret = krb5_store_uint8(sp, h->type);
if (ret) return ret;
ret = krb5_store_uint8(sp, h->flags);
if (ret) return ret;
ret = krb5_store_uint8(sp, h->status);
if (ret) return ret;
ret = krb5_store_uint8(sp, h->secindex);
if (ret) return ret;
ret = krb5_store_uint16(sp, h->reserved);
if (ret) return ret;
ret = krb5_store_uint16(sp, h->serviceid);
if (ret) return ret;
return 0;
}
static void
init_reply_header (struct rx_header *hdr,
struct rx_header *reply_hdr,
u_char type,
u_char flags)
{
reply_hdr->epoch = hdr->epoch;
reply_hdr->connid = hdr->connid;
reply_hdr->callid = hdr->callid;
reply_hdr->seqno = 1;
reply_hdr->serialno = 1;
reply_hdr->type = type;
reply_hdr->flags = flags;
reply_hdr->status = 0;
reply_hdr->secindex = 0;
reply_hdr->reserved = 0;
reply_hdr->serviceid = hdr->serviceid;
}
static void
make_error_reply (struct rx_header *hdr,
uint32_t ret,
krb5_data *reply)
{
krb5_storage *sp;
struct rx_header reply_hdr;
init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
sp = krb5_storage_emem();
ret = encode_rx_header (&reply_hdr, sp);
krb5_store_int32(sp, ret);
krb5_storage_to_data (sp, reply);
krb5_storage_free (sp);
}
static krb5_error_code
krb5_ret_xdr_data(krb5_storage *sp,
krb5_data *data)
{
int ret;
int size;
ret = krb5_ret_int32(sp, &size);
if(ret)
return ret;
if(size < 0)
return ERANGE;
data->length = size;
if (size) {
u_char foo[4];
size_t pad = (4 - size % 4) % 4;
data->data = malloc(size);
if (data->data == NULL)
return ENOMEM;
ret = krb5_storage_read(sp, data->data, size);
if(ret != size)
return (ret < 0)? errno : KRB5_CC_END;
if (pad) {
ret = krb5_storage_read(sp, foo, pad);
if (ret != pad)
return (ret < 0)? errno : KRB5_CC_END;
}
} else
data->data = NULL;
return 0;
}
static krb5_error_code
krb5_store_xdr_data(krb5_storage *sp,
krb5_data data)
{
u_char zero[4] = {0, 0, 0, 0};
int ret;
size_t pad;
ret = krb5_store_int32(sp, data.length);
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data.data, data.length);
if(ret != data.length){
if(ret < 0)
return errno;
return KRB5_CC_END;
}
pad = (4 - data.length % 4) % 4;
if (pad) {
ret = krb5_storage_write(sp, zero, pad);
if (ret != pad) {
if (ret < 0)
return errno;
return KRB5_CC_END;
}
}
return 0;
}
static krb5_error_code
create_reply_ticket (krb5_context context,
struct rx_header *hdr,
Key *skey,
char *name, char *instance, char *realm,
struct sockaddr_in *addr,
int life,
int kvno,
int32_t max_seq_len,
const char *sname, const char *sinstance,
uint32_t challenge,
const char *label,
krb5_keyblock *key,
krb5_data *reply)
{
krb5_error_code ret;
krb5_data ticket;
krb5_keyblock session;
krb5_storage *sp;
krb5_data enc_data;
struct rx_header reply_hdr;
char zero[8];
size_t pad;
unsigned fyrtiosjuelva;
/* create the ticket */
krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session);
_krb5_krb_create_ticket(context,
0,
name,
instance,
realm,
addr->sin_addr.s_addr,
&session,
life,
kdc_time,
sname,
sinstance,
&skey->key,
&ticket);
/* create the encrypted part of the reply */
sp = krb5_storage_emem ();
krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva));
fyrtiosjuelva &= 0xffffffff;
krb5_store_int32 (sp, fyrtiosjuelva);
krb5_store_int32 (sp, challenge);
krb5_storage_write (sp, session.keyvalue.data, 8);
krb5_free_keyblock_contents(context, &session);
krb5_store_int32 (sp, kdc_time);
krb5_store_int32 (sp, kdc_time + _krb5_krb_life_to_time (0, life));
krb5_store_int32 (sp, kvno);
krb5_store_int32 (sp, ticket.length);
krb5_store_stringz (sp, name);
krb5_store_stringz (sp, instance);
#if 1 /* XXX - Why shouldn't the realm go here? */
krb5_store_stringz (sp, "");
#else
krb5_store_stringz (sp, realm);
#endif
krb5_store_stringz (sp, sname);
krb5_store_stringz (sp, sinstance);
krb5_storage_write (sp, ticket.data, ticket.length);
krb5_storage_write (sp, label, strlen(label));
/* pad to DES block */
memset (zero, 0, sizeof(zero));
pad = (8 - krb5_storage_seek (sp, 0, SEEK_CUR) % 8) % 8;
krb5_storage_write (sp, zero, pad);
krb5_storage_to_data (sp, &enc_data);
krb5_storage_free (sp);
if (enc_data.length > max_seq_len) {
krb5_data_free (&enc_data);
make_error_reply (hdr, KAANSWERTOOLONG, reply);
return 0;
}
/* encrypt it */
{
DES_key_schedule schedule;
DES_cblock deskey;
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
DES_set_key (&deskey, &schedule);
DES_pcbc_encrypt (enc_data.data,
enc_data.data,
enc_data.length,
&schedule,
&deskey,
DES_ENCRYPT);
memset (&schedule, 0, sizeof(schedule));
memset (&deskey, 0, sizeof(deskey));
}
/* create the reply packet */
init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
sp = krb5_storage_emem ();
ret = encode_rx_header (&reply_hdr, sp);
krb5_store_int32 (sp, max_seq_len);
krb5_store_xdr_data (sp, enc_data);
krb5_data_free (&enc_data);
krb5_storage_to_data (sp, reply);
krb5_storage_free (sp);
return 0;
}
static krb5_error_code
unparse_auth_args (krb5_storage *sp,
char **name,
char **instance,
time_t *start_time,
time_t *end_time,
krb5_data *request,
int32_t *max_seq_len)
{
krb5_data data;
int32_t tmp;
krb5_ret_xdr_data (sp, &data);
*name = malloc(data.length + 1);
if (*name == NULL)
return ENOMEM;
memcpy (*name, data.data, data.length);
(*name)[data.length] = '\0';
krb5_data_free (&data);
krb5_ret_xdr_data (sp, &data);
*instance = malloc(data.length + 1);
if (*instance == NULL) {
free (*name);
return ENOMEM;
}
memcpy (*instance, data.data, data.length);
(*instance)[data.length] = '\0';
krb5_data_free (&data);
krb5_ret_int32 (sp, &tmp);
*start_time = tmp;
krb5_ret_int32 (sp, &tmp);
*end_time = tmp;
krb5_ret_xdr_data (sp, request);
krb5_ret_int32 (sp, max_seq_len);
/* ignore the rest */
return 0;
}
static void
do_authenticate (krb5_context context,
krb5_kdc_configuration *config,
struct rx_header *hdr,
krb5_storage *sp,
struct sockaddr_in *addr,
const char *from,
krb5_data *reply)
{
krb5_error_code ret;
char *name = NULL;
char *instance = NULL;
time_t start_time;
time_t end_time;
krb5_data request;
int32_t max_seq_len;
hdb_entry_ex *client_entry = NULL;
hdb_entry_ex *server_entry = NULL;
Key *ckey = NULL;
Key *skey = NULL;
krb5_storage *reply_sp;
time_t max_life;
uint8_t life;
int32_t chal;
char client_name[256];
char server_name[256];
krb5_data_zero (&request);
ret = unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
&request, &max_seq_len);
if (ret != 0 || request.length < 8) {
make_error_reply (hdr, KABADREQUEST, reply);
goto out;
}
snprintf (client_name, sizeof(client_name), "%s.%s@%s",
name, instance, config->v4_realm);
snprintf (server_name, sizeof(server_name), "%s.%s@%s",
"krbtgt", config->v4_realm, config->v4_realm);
kdc_log(context, config, 0, "AS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name);
ret = _kdc_db_fetch4 (context, config, name, instance,
config->v4_realm, HDB_F_GET_CLIENT,
&client_entry);
if (ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = _kdc_db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm,
HDB_F_GET_KRBTGT, &server_entry);
if (ret) {
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = _kdc_check_flags (context, config,
client_entry, client_name,
server_entry, server_name,
TRUE);
if (ret) {
make_error_reply (hdr, KAPWEXPIRED, reply);
goto out;
}
/* find a DES key */
ret = _kdc_get_des_key(context, client_entry, FALSE, TRUE, &ckey);
if(ret){
kdc_log(context, config, 0, "no suitable DES key for client");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
/* find a DES key */
ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){
kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
{
DES_cblock key;
DES_key_schedule schedule;
/* try to decode the `request' */
memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
DES_set_key (&key, &schedule);
DES_pcbc_encrypt (request.data,
request.data,
request.length,
&schedule,
&key,
DES_DECRYPT);
memset (&schedule, 0, sizeof(schedule));
memset (&key, 0, sizeof(key));
}
/* check for the magic label */
if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
kdc_log(context, config, 0, "preauth failed for %s", client_name);
make_error_reply (hdr, KABADREQUEST, reply);
goto out;
}
reply_sp = krb5_storage_from_mem (request.data, 4);
krb5_ret_int32 (reply_sp, &chal);
krb5_storage_free (reply_sp);
if (abs(chal - kdc_time) > context->max_skew) {
make_error_reply (hdr, KACLOCKSKEW, reply);
goto out;
}
/* life */
max_life = end_time - kdc_time;
/* end_time - kdc_time can sometimes be non-positive due to slight
time skew between client and server. Let's make sure it is postive */
if(max_life < 1)
max_life = 1;
if (client_entry->entry.max_life)
max_life = min(max_life, *client_entry->entry.max_life);
if (server_entry->entry.max_life)
max_life = min(max_life, *server_entry->entry.max_life);
life = krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (context,
hdr, skey,
name, instance, config->v4_realm,
addr, life, server_entry->entry.kvno,
max_seq_len,
"krbtgt", config->v4_realm,
chal + 1, "tgsT",
&ckey->key, reply);
out:
if (request.length) {
memset (request.data, 0, request.length);
krb5_data_free (&request);
}
if (name)
free (name);
if (instance)
free (instance);
if (client_entry)
_kdc_free_ent (context, client_entry);
if (server_entry)
_kdc_free_ent (context, server_entry);
}
static krb5_error_code
unparse_getticket_args (krb5_storage *sp,
int *kvno,
char **auth_domain,
krb5_data *ticket,
char **name,
char **instance,
krb5_data *times,
int32_t *max_seq_len)
{
krb5_data data;
int32_t tmp;
krb5_ret_int32 (sp, &tmp);
*kvno = tmp;
krb5_ret_xdr_data (sp, &data);
*auth_domain = malloc(data.length + 1);
if (*auth_domain == NULL)
return ENOMEM;
memcpy (*auth_domain, data.data, data.length);
(*auth_domain)[data.length] = '\0';
krb5_data_free (&data);
krb5_ret_xdr_data (sp, ticket);
krb5_ret_xdr_data (sp, &data);
*name = malloc(data.length + 1);
if (*name == NULL) {
free (*auth_domain);
return ENOMEM;
}
memcpy (*name, data.data, data.length);
(*name)[data.length] = '\0';
krb5_data_free (&data);
krb5_ret_xdr_data (sp, &data);
*instance = malloc(data.length + 1);
if (*instance == NULL) {
free (*auth_domain);
free (*name);
return ENOMEM;
}
memcpy (*instance, data.data, data.length);
(*instance)[data.length] = '\0';
krb5_data_free (&data);
krb5_ret_xdr_data (sp, times);
krb5_ret_int32 (sp, max_seq_len);
/* ignore the rest */
return 0;
}
static void
do_getticket (krb5_context context,
krb5_kdc_configuration *config,
struct rx_header *hdr,
krb5_storage *sp,
struct sockaddr_in *addr,
const char *from,
krb5_data *reply)
{
krb5_error_code ret;
int kvno;
char *auth_domain = NULL;
krb5_data aticket;
char *name = NULL;
char *instance = NULL;
krb5_data times;
int32_t max_seq_len;
hdb_entry_ex *server_entry = NULL;
hdb_entry_ex *client_entry = NULL;
hdb_entry_ex *krbtgt_entry = NULL;
Key *kkey = NULL;
Key *skey = NULL;
DES_cblock key;
DES_key_schedule schedule;
DES_cblock session;
time_t max_life;
int8_t life;
time_t start_time, end_time;
char server_name[256];
char client_name[256];
struct _krb5_krb_auth_data ad;
krb5_data_zero (&aticket);
krb5_data_zero (&times);
memset(&ad, 0, sizeof(ad));
unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
&name, &instance, &times, &max_seq_len);
if (times.length < 8) {
make_error_reply (hdr, KABADREQUEST, reply);
goto out;
}
snprintf (server_name, sizeof(server_name),
"%s.%s@%s", name, instance, config->v4_realm);
ret = _kdc_db_fetch4 (context, config, name, instance,
config->v4_realm, HDB_F_GET_SERVER, &server_entry);
if (ret) {
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = _kdc_db_fetch4 (context, config, "krbtgt",
config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry);
if (ret) {
kdc_log(context, config, 0,
"Server not found in database: %s.%s@%s: %s",
"krbtgt", config->v4_realm, config->v4_realm,
krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
/* find a DES key */
ret = _kdc_get_des_key(context, krbtgt_entry, TRUE, TRUE, &kkey);
if(ret){
kdc_log(context, config, 0, "no suitable DES key for krbtgt");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
/* find a DES key */
ret = _kdc_get_des_key(context, server_entry, TRUE, TRUE, &skey);
if(ret){
kdc_log(context, config, 0, "no suitable DES key for server");
make_error_reply (hdr, KANOKEYS, reply);
goto out;
}
/* decrypt the incoming ticket */
memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
/* unpack the ticket */
{
char *sname = NULL;
char *sinstance = NULL;
ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key,
config->v4_realm, &sname,
&sinstance, &ad);
if (ret) {
kdc_log(context, config, 0,
"kaserver: decomp failed for %s.%s with %d",
sname, sinstance, ret);
make_error_reply (hdr, KABADTICKET, reply);
goto out;
}
if (strcmp (sname, "krbtgt") != 0
|| strcmp (sinstance, config->v4_realm) != 0) {
kdc_log(context, config, 0, "no TGT: %s.%s for %s.%s@%s",
sname, sinstance,
ad.pname, ad.pinst, ad.prealm);
make_error_reply (hdr, KABADTICKET, reply);
free(sname);
free(sinstance);
goto out;
}
free(sname);
free(sinstance);
if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) {
kdc_log(context, config, 0, "TGT expired: %s.%s@%s",
ad.pname, ad.pinst, ad.prealm);
make_error_reply (hdr, KABADTICKET, reply);
goto out;
}
}
snprintf (client_name, sizeof(client_name),
"%s.%s@%s", ad.pname, ad.pinst, ad.prealm);
kdc_log(context, config, 0, "TGS-REQ (kaserver) %s from %s for %s",
client_name, from, server_name);
ret = _kdc_db_fetch4 (context, config,
ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT,
&client_entry);
if(ret && ret != HDB_ERR_NOENTRY) {
kdc_log(context, config, 0,
"Client not found in database: (krb4) %s: %s",
client_name, krb5_get_err_text(context, ret));
make_error_reply (hdr, KANOENT, reply);
goto out;
}
if (client_entry == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
kdc_log(context, config, 0,
"Local client not found in database: (krb4) "
"%s", client_name);
make_error_reply (hdr, KANOENT, reply);
goto out;
}
ret = _kdc_check_flags (context, config,
client_entry, client_name,
server_entry, server_name,
FALSE);
if (ret) {
make_error_reply (hdr, KAPWEXPIRED, reply);
goto out;
}
/* decrypt the times */
memcpy(&session, ad.session.keyvalue.data, sizeof(session));
DES_set_key (&session, &schedule);
DES_ecb_encrypt (times.data,
times.data,
&schedule,
DES_DECRYPT);
memset (&schedule, 0, sizeof(schedule));
memset (&session, 0, sizeof(session));
/* and extract them */
{
krb5_storage *tsp;
int32_t tmp;
tsp = krb5_storage_from_mem (times.data, times.length);
krb5_ret_int32 (tsp, &tmp);
start_time = tmp;
krb5_ret_int32 (tsp, &tmp);
end_time = tmp;
krb5_storage_free (tsp);
}
/* life */
max_life = end_time - kdc_time;
/* end_time - kdc_time can sometimes be non-positive due to slight
time skew between client and server. Let's make sure it is postive */
if(max_life < 1)
max_life = 1;
if (krbtgt_entry->entry.max_life)
max_life = min(max_life, *krbtgt_entry->entry.max_life);
if (server_entry->entry.max_life)
max_life = min(max_life, *server_entry->entry.max_life);
/* if this is a cross realm request, the client_entry will likely
be NULL */
if (client_entry && client_entry->entry.max_life)
max_life = min(max_life, *client_entry->entry.max_life);
life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life);
create_reply_ticket (context,
hdr, skey,
ad.pname, ad.pinst, ad.prealm,
addr, life, server_entry->entry.kvno,
max_seq_len,
name, instance,
0, "gtkt",
&ad.session, reply);
out:
_krb5_krb_free_auth_data(context, &ad);
if (aticket.length) {
memset (aticket.data, 0, aticket.length);
krb5_data_free (&aticket);
}
if (times.length) {
memset (times.data, 0, times.length);
krb5_data_free (&times);
}
if (auth_domain)
free (auth_domain);
if (name)
free (name);
if (instance)
free (instance);
if (krbtgt_entry)
_kdc_free_ent (context, krbtgt_entry);
if (server_entry)
_kdc_free_ent (context, server_entry);
}
krb5_error_code
_kdc_do_kaserver(krb5_context context,
krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr_in *addr)
{
krb5_error_code ret = 0;
struct rx_header hdr;
uint32_t op;
krb5_storage *sp;
if (len < RX_HEADER_SIZE)
return -1;
sp = krb5_storage_from_mem (buf, len);
ret = decode_rx_header (sp, &hdr);
if (ret)
goto out;
buf += RX_HEADER_SIZE;
len -= RX_HEADER_SIZE;
switch (hdr.type) {
case HT_DATA :
break;
case HT_ACK :
case HT_BUSY :
case HT_ABORT :
case HT_ACKALL :
case HT_CHAL :
case HT_RESP :
case HT_DEBUG :
default:
/* drop */
goto out;
}
if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
&& hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
ret = -1;
goto out;
}
ret = krb5_ret_uint32(sp, &op);
if (ret)
goto out;
switch (op) {
case AUTHENTICATE :
case AUTHENTICATE_V2 :
do_authenticate (context, config, &hdr, sp, addr, from, reply);
break;
case GETTICKET :
do_getticket (context, config, &hdr, sp, addr, from, reply);
break;
case AUTHENTICATE_OLD :
case CHANGEPASSWORD :
case GETTICKET_OLD :
case SETPASSWORD :
case SETFIELDS :
case CREATEUSER :
case DELETEUSER :
case GETENTRY :
case LISTENTRY :
case GETSTATS :
case DEBUG :
case GETPASSWORD :
case GETRANDOMKEY :
default :
make_error_reply (&hdr, RXGEN_OPCODE, reply);
break;
}
out:
krb5_storage_free (sp);
return ret;
}
Samba/source/heimdal/kdc/kdc-private.h
+235
View File
@@ -0,0 +1,235 @@
/* This is a generated file */
#ifndef __kdc_private_h__
#define __kdc_private_h__
#include <stdarg.h>
krb5_error_code
_kdc_add_KRB5SignedPath (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
hdb_entry_ex */*krbtgt*/,
krb5_enctype /*enctype*/,
krb5_const_principal /*server*/,
KRB5SignedPathPrincipals */*principals*/,
EncTicketPart */*tkt*/);
krb5_error_code
_kdc_as_rep (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
KDC_REQ */*req*/,
const krb5_data */*req_buffer*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*from_addr*/,
int /*datagram_reply*/);
krb5_boolean
_kdc_check_addresses (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
HostAddresses */*addresses*/,
const struct sockaddr */*from*/);
krb5_error_code
_kdc_check_flags (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
hdb_entry_ex */*client_ex*/,
const char */*client_name*/,
hdb_entry_ex */*server_ex*/,
const char */*server_name*/,
krb5_boolean /*is_as_req*/);
krb5_error_code
_kdc_db_fetch (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
krb5_const_principal /*principal*/,
unsigned /*flags*/,
HDB **/*db*/,
hdb_entry_ex **/*h*/);
krb5_error_code
_kdc_db_fetch4 (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const char */*name*/,
const char */*instance*/,
const char */*realm*/,
unsigned /*flags*/,
hdb_entry_ex **/*ent*/);
krb5_error_code
_kdc_do_524 (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const Ticket */*t*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*addr*/);
krb5_error_code
_kdc_do_digest (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const DigestREQ */*req*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*addr*/);
krb5_error_code
_kdc_do_kaserver (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
unsigned char */*buf*/,
size_t /*len*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr_in */*addr*/);
krb5_error_code
_kdc_do_version4 (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
unsigned char */*buf*/,
size_t /*len*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr_in */*addr*/);
krb5_error_code
_kdc_encode_reply (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
KDC_REP */*rep*/,
const EncTicketPart */*et*/,
EncKDCRepPart */*ek*/,
krb5_enctype /*etype*/,
int /*skvno*/,
const EncryptionKey */*skey*/,
int /*ckvno*/,
const EncryptionKey */*ckey*/,
const char **/*e_text*/,
krb5_data */*reply*/);
krb5_error_code
_kdc_encode_v4_ticket (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
void */*buf*/,
size_t /*len*/,
const EncTicketPart */*et*/,
const PrincipalName */*service*/,
size_t */*size*/);
krb5_error_code
_kdc_find_etype (
krb5_context /*context*/,
const hdb_entry_ex */*princ*/,
krb5_enctype */*etypes*/,
unsigned /*len*/,
Key **/*ret_key*/,
krb5_enctype */*ret_etype*/);
PA_DATA*
_kdc_find_padata (
KDC_REQ */*req*/,
int */*start*/,
int /*type*/);
void
_kdc_fix_time (time_t **/*t*/);
void
_kdc_free_ent (
krb5_context /*context*/,
hdb_entry_ex */*ent*/);
krb5_error_code
_kdc_get_des_key (
krb5_context /*context*/,
hdb_entry_ex */*principal*/,
krb5_boolean /*is_server*/,
krb5_boolean /*prefer_afs_key*/,
Key **/*ret_key*/);
krb5_error_code
_kdc_get_preferred_key (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
hdb_entry_ex */*h*/,
const char */*name*/,
krb5_enctype */*enctype*/,
Key **/*key*/);
void
_kdc_log_timestamp (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const char */*type*/,
KerberosTime /*authtime*/,
KerberosTime */*starttime*/,
KerberosTime /*endtime*/,
KerberosTime */*renew_till*/);
krb5_error_code
_kdc_make_anonymous_principalname (PrincipalName */*pn*/);
int
_kdc_maybe_version4 (
unsigned char */*buf*/,
int /*len*/);
krb5_error_code
_kdc_pk_check_client (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const hdb_entry_ex */*client*/,
pk_client_params */*client_params*/,
char **/*subject_name*/);
void
_kdc_pk_free_client_param (
krb5_context /*context*/,
pk_client_params */*client_params*/);
krb5_error_code
_kdc_pk_initialize (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
const char */*user_id*/,
const char */*anchors*/,
char **/*pool*/,
char **/*revoke_list*/);
krb5_error_code
_kdc_pk_mk_pa_reply (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
pk_client_params */*client_params*/,
const hdb_entry_ex */*client*/,
const KDC_REQ */*req*/,
const krb5_data */*req_buffer*/,
krb5_keyblock **/*reply_key*/,
METHOD_DATA */*md*/);
krb5_error_code
_kdc_pk_rd_padata (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
KDC_REQ */*req*/,
PA_DATA */*pa*/,
pk_client_params **/*ret_params*/);
krb5_error_code
_kdc_tgs_rep (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
KDC_REQ */*req*/,
krb5_data */*data*/,
const char */*from*/,
struct sockaddr */*from_addr*/);
#endif /* __kdc_private_h__ */
Samba/source/heimdal/kdc/kdc-protos.h
+70
View File
@@ -0,0 +1,70 @@
/* This is a generated file */
#ifndef __kdc_protos_h__
#define __kdc_protos_h__
#include <stdarg.h>
#ifdef __cplusplus
extern "C" {
#endif
void
kdc_log (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
int /*level*/,
const char */*fmt*/,
...);
char*
kdc_log_msg (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
int /*level*/,
const char */*fmt*/,
...);
char*
kdc_log_msg_va (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
int /*level*/,
const char */*fmt*/,
va_list /*ap*/);
void
kdc_openlog (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/);
void
krb5_kdc_default_config (krb5_kdc_configuration */*config*/);
int
krb5_kdc_process_krb5_request (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
unsigned char */*buf*/,
size_t /*len*/,
krb5_data */*reply*/,
const char */*from*/,
struct sockaddr */*addr*/,
int /*datagram_reply*/);
int
krb5_kdc_process_request (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
unsigned char */*buf*/,
size_t /*len*/,
krb5_data */*reply*/,
krb5_boolean */*prependlength*/,
const char */*from*/,
struct sockaddr */*addr*/,
int /*datagram_reply*/);
#ifdef __cplusplus
}
#endif
#endif /* __kdc_protos_h__ */
Samba/source/heimdal/kdc/kdc.h
+90
View File
@@ -0,0 +1,90 @@
/*
* Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* $Id: kdc.h,v 1.9 2006/10/09 15:34:07 lha Exp $
*/
#ifndef __KDC_H__
#define __KDC_H__
#include <krb5.h>
enum krb5_kdc_trpolicy {
TRPOLICY_ALWAYS_CHECK,
TRPOLICY_ALLOW_PER_PRINCIPAL,
TRPOLICY_ALWAYS_HONOUR_REQUEST
};
typedef struct krb5_kdc_configuration {
krb5_boolean require_preauth; /* require preauth for all principals */
time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
struct HDB **db;
int num_db;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
enum krb5_kdc_trpolicy trpolicy;
char *v4_realm;
krb5_boolean enable_v4;
krb5_boolean enable_v4_cross_realm;
krb5_boolean enable_v4_per_principal;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_pkinit;
krb5_boolean enable_pkinit_princ_in_cert;
char *pkinit_kdc_ocsp_file;
krb5_log_facility *logf;
int pkinit_dh_min_bits;
int enable_digest;
size_t max_datagram_reply_length;
} krb5_kdc_configuration;
#include <kdc-protos.h>
#endif
Samba/source/heimdal/kdc/kdc_locl.h
+70
View File
@@ -0,0 +1,70 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* $Id: kdc_locl.h,v 1.74 2005/12/12 12:23:33 lha Exp $
*/
#ifndef __KDC_LOCL_H__
#define __KDC_LOCL_H__
#include "headers.h"
#include "kdc.h"
typedef struct pk_client_params pk_client_params;
#include <kdc-private.h>
extern sig_atomic_t exit_flag;
extern size_t max_request;
extern const char *port_str;
extern krb5_addresses explicit_addresses;
extern int enable_http;
#define DETACH_IS_DEFAULT FALSE
extern int detach_from_console;
#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
extern struct timeval _kdc_now;
#define kdc_time (_kdc_now.tv_sec)
void
loop(krb5_context context, krb5_kdc_configuration *config);
krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv);
#endif /* __KDC_LOCL_H__ */
Samba/source/heimdal/kdc/kerberos4.c
+808
View File
@@ -0,0 +1,808 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
#include <krb5-v4compat.h>
RCSID("$Id: kerberos4.c,v 1.63 2006/10/08 13:43:27 lha Exp $");
#ifndef swap32
static uint32_t
swap32(uint32_t x)
{
return ((x << 24) & 0xff000000) |
((x << 8) & 0xff0000) |
((x >> 8) & 0xff00) |
((x >> 24) & 0xff);
}
#endif /* swap32 */
int
_kdc_maybe_version4(unsigned char *buf, int len)
{
return len > 0 && *buf == 4;
}
static void
make_err_reply(krb5_context context, krb5_data *reply,
int code, const char *msg)
{
_krb5_krb_cr_err_reply(context, "", "", "",
kdc_time, code, msg, reply);
}
struct valid_princ_ctx {
krb5_kdc_configuration *config;
unsigned flags;
};
static krb5_boolean
valid_princ(krb5_context context,
void *funcctx,
krb5_principal princ)
{
struct valid_princ_ctx *ctx = funcctx;
krb5_error_code ret;
char *s;
hdb_entry_ex *ent;
ret = krb5_unparse_name(context, princ, &s);
if (ret)
return FALSE;
ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
if (ret) {
kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
krb5_get_err_text (context, ret));
free(s);
return FALSE;
}
kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
free(s);
_kdc_free_ent(context, ent);
return TRUE;
}
krb5_error_code
_kdc_db_fetch4(krb5_context context,
krb5_kdc_configuration *config,
const char *name, const char *instance, const char *realm,
unsigned flags,
hdb_entry_ex **ent)
{
krb5_principal p;
krb5_error_code ret;
struct valid_princ_ctx ctx;
ctx.config = config;
ctx.flags = flags;
ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
valid_princ, &ctx, 0, &p);
if(ret)
return ret;
ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
krb5_free_principal(context, p);
return ret;
}
#define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
/*
* Process the v4 request in `buf, len' (received from `addr'
* (with string `from').
* Return an error code and a reply in `reply'.
*/
krb5_error_code
_kdc_do_version4(krb5_context context,
krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr_in *addr)
{
krb5_storage *sp;
krb5_error_code ret;
hdb_entry_ex *client = NULL, *server = NULL;
Key *ckey, *skey;
int8_t pvno;
int8_t msg_type;
int lsb;
char *name = NULL, *inst = NULL, *realm = NULL;
char *sname = NULL, *sinst = NULL;
int32_t req_time;
time_t max_life;
uint8_t life;
char client_name[256];
char server_name[256];
if(!config->enable_v4) {
kdc_log(context, config, 0,
"Rejected version 4 request from %s", from);
make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
return 0;
}
sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){
kdc_log(context, config, 0,
"Protocol version mismatch (krb4) (%d)", pvno);
make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
goto out;
}
RCHECK(krb5_ret_int8(sp, &msg_type), out);
lsb = msg_type & 1;
msg_type &= ~1;
switch(msg_type){
case AUTH_MSG_KDC_REQUEST: {
krb5_data ticket, cipher;
krb5_keyblock session;
krb5_data_zero(&ticket);
krb5_data_zero(&cipher);
RCHECK(krb5_ret_stringz(sp, &name), out1);
RCHECK(krb5_ret_stringz(sp, &inst), out1);
RCHECK(krb5_ret_stringz(sp, &realm), out1);
RCHECK(krb5_ret_int32(sp, &req_time), out1);
if(lsb)
req_time = swap32(req_time);
RCHECK(krb5_ret_uint8(sp, &life), out1);
RCHECK(krb5_ret_stringz(sp, &sname), out1);
RCHECK(krb5_ret_stringz(sp, &sinst), out1);
snprintf (client_name, sizeof(client_name),
"%s.%s@%s", name, inst, realm);
snprintf (server_name, sizeof(server_name),
"%s.%s@%s", sname, sinst, config->v4_realm);
kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
ret = _kdc_db_fetch4(context, config, name, inst, realm,
HDB_F_GET_CLIENT, &client);
if(ret) {
kdc_log(context, config, 0, "Client not found in database: %s: %s",
client_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown");
goto out1;
}
ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
HDB_F_GET_SERVER, &server);
if(ret){
kdc_log(context, config, 0, "Server not found in database: %s: %s",
server_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"principal unknown");
goto out1;
}
ret = _kdc_check_flags (context, config,
client, client_name,
server, server_name,
TRUE);
if (ret) {
/* good error code? */
make_err_reply(context, reply, KERB_ERR_NAME_EXP,
"operation not allowed");
goto out1;
}
if (config->enable_v4_per_principal &&
client->entry.flags.allow_kerberos4 == 0)
{
kdc_log(context, config, 0,
"Per principal Kerberos 4 flag not turned on for %s",
client_name);
make_err_reply(context, reply, KERB_ERR_NULL_KEY,
"allow kerberos4 flag required");
goto out1;
}
/*
* There's no way to do pre-authentication in v4 and thus no
* good error code to return if preauthentication is required.
*/
if (config->require_preauth
|| client->entry.flags.require_preauth
|| server->entry.flags.require_preauth) {
kdc_log(context, config, 0,
"Pre-authentication required for v4-request: "
"%s for %s",
client_name, server_name);
make_err_reply(context, reply, KERB_ERR_NULL_KEY,
"preauth required");
goto out1;
}
ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
if(ret){
kdc_log(context, config, 0, "no suitable DES key for client");
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for client");
goto out1;
}
#if 0
/* this is not necessary with the new code in libkrb */
/* find a properly salted key */
while(ckey->salt == NULL || ckey->salt->salt.length != 0)
ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
if(ret){
kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
name, inst, realm);
make_err_reply(context, reply, KDC_NULL_KEY,
"No version-4 salted key in database");
goto out1;
}
#endif
ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
kdc_log(context, config, 0, "no suitable DES key for server");
/* XXX */
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server");
goto out1;
}
max_life = _krb5_krb_life_to_time(0, life);
if(client->entry.max_life)
max_life = min(max_life, *client->entry.max_life);
if(server->entry.max_life)
max_life = min(max_life, *server->entry.max_life);
life = krb_time_to_life(kdc_time, kdc_time + max_life);
ret = krb5_generate_random_keyblock(context,
ETYPE_DES_PCBC_NONE,
&session);
if (ret) {
make_err_reply(context, reply, KFAILURE,
"Not enough random i KDC");
goto out1;
}
ret = _krb5_krb_create_ticket(context,
0,
name,
inst,
config->v4_realm,
addr->sin_addr.s_addr,
&session,
life,
kdc_time,
sname,
sinst,
&skey->key,
&ticket);
if (ret) {
krb5_free_keyblock_contents(context, &session);
make_err_reply(context, reply, KFAILURE,
"failed to create v4 ticket");
goto out1;
}
ret = _krb5_krb_create_ciph(context,
&session,
sname,
sinst,
config->v4_realm,
life,
server->entry.kvno % 255,
&ticket,
kdc_time,
&ckey->key,
&cipher);
krb5_free_keyblock_contents(context, &session);
krb5_data_free(&ticket);
if (ret) {
make_err_reply(context, reply, KFAILURE,
"Failed to create v4 cipher");
goto out1;
}
ret = _krb5_krb_create_auth_reply(context,
name,
inst,
realm,
req_time,
0,
client->entry.pw_end ? *client->entry.pw_end : 0,
client->entry.kvno % 256,
&cipher,
reply);
krb5_data_free(&cipher);
out1:
break;
}
case AUTH_MSG_APPL_REQUEST: {
struct _krb5_krb_auth_data ad;
int8_t kvno;
int8_t ticket_len;
int8_t req_len;
krb5_data auth;
int32_t address;
size_t pos;
krb5_principal tgt_princ = NULL;
hdb_entry_ex *tgt = NULL;
Key *tkey;
time_t max_end, actual_end, issue_time;
memset(&ad, 0, sizeof(ad));
krb5_data_zero(&auth);
RCHECK(krb5_ret_int8(sp, &kvno), out2);
RCHECK(krb5_ret_stringz(sp, &realm), out2);
ret = krb5_425_conv_principal(context, "krbtgt", realm,
config->v4_realm,
&tgt_princ);
if(ret){
kdc_log(context, config, 0,
"Converting krbtgt principal (krb4): %s",
krb5_get_err_text(context, ret));
make_err_reply(context, reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)");
goto out2;
}
ret = _kdc_db_fetch(context, config, tgt_princ,
HDB_F_GET_KRBTGT, NULL, &tgt);
if(ret){
char *s;
s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
"found in database (krb4): krbtgt.%s@%s: %s",
realm, config->v4_realm,
krb5_get_err_text(context, ret));
make_err_reply(context, reply, KFAILURE, s);
free(s);
goto out2;
}
if(tgt->entry.kvno % 256 != kvno){
kdc_log(context, config, 0,
"tgs-req (krb4) with old kvno %d (current %d) for "
"krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
realm, config->v4_realm);
make_err_reply(context, reply, KDC_AUTH_EXP,
"old krbtgt kvno used");
goto out2;
}
ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
if(ret){
kdc_log(context, config, 0,
"no suitable DES key for krbtgt (krb4)");
/* XXX */
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for krbtgt");
goto out2;
}
RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
RCHECK(krb5_ret_int8(sp, &req_len), out2);
pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
auth.data = buf;
auth.length = pos;
if (config->check_ticket_addresses)
address = addr->sin_addr.s_addr;
else
address = 0;
ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
config->v4_realm,
address, &tkey->key, &ad);
if(ret){
kdc_log(context, config, 0, "krb_rd_req: %d", ret);
make_err_reply(context, reply, ret, "failed to parse request");
goto out2;
}
RCHECK(krb5_ret_int32(sp, &req_time), out2);
if(lsb)
req_time = swap32(req_time);
RCHECK(krb5_ret_uint8(sp, &life), out2);
RCHECK(krb5_ret_stringz(sp, &sname), out2);
RCHECK(krb5_ret_stringz(sp, &sinst), out2);
snprintf (server_name, sizeof(server_name),
"%s.%s@%s",
sname, sinst, config->v4_realm);
snprintf (client_name, sizeof(client_name),
"%s.%s@%s",
ad.pname, ad.pinst, ad.prealm);
kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
if(strcmp(ad.prealm, realm)){
kdc_log(context, config, 0,
"Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
goto out2;
}
if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
kdc_log(context, config, 0,
"krb4 Cross-realm %s -> %s disabled",
realm, config->v4_realm);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
goto out2;
}
if(strcmp(sname, "changepw") == 0){
kdc_log(context, config, 0,
"Bad request for changepw ticket (krb4)");
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT");
goto out2;
}
ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
HDB_F_GET_CLIENT, &client);
if(ret && ret != HDB_ERR_NOENTRY) {
char *s;
s = kdc_log_msg(context, config, 0,
"Client not found in database: (krb4) %s: %s",
client_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
char *s;
s = kdc_log_msg(context, config, 0,
"Local client not found in database: (krb4) "
"%s", client_name);
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
HDB_F_GET_SERVER, &server);
if(ret){
char *s;
s = kdc_log_msg(context, config, 0,
"Server not found in database (krb4): %s: %s",
server_name, krb5_get_err_text(context, ret));
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
goto out2;
}
ret = _kdc_check_flags (context, config,
client, client_name,
server, server_name,
FALSE);
if (ret) {
/* good error code? */
make_err_reply(context, reply, KERB_ERR_NAME_EXP,
"operation not allowed");
goto out2;
}
ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
if(ret){
kdc_log(context, config, 0,
"no suitable DES key for server (krb4)");
/* XXX */
make_err_reply(context, reply, KDC_NULL_KEY,
"no suitable DES key for server");
goto out2;
}
max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
if(server->entry.max_life)
max_end = min(max_end, kdc_time + *server->entry.max_life);
if(client && client->entry.max_life)
max_end = min(max_end, kdc_time + *client->entry.max_life);
life = min(life, krb_time_to_life(kdc_time, max_end));
issue_time = kdc_time;
actual_end = _krb5_krb_life_to_time(issue_time, life);
while (actual_end > max_end && life > 1) {
/* move them into the next earlier lifetime bracket */
life--;
actual_end = _krb5_krb_life_to_time(issue_time, life);
}
if (actual_end > max_end) {
/* if life <= 1 and it's still too long, backdate the ticket */
issue_time -= actual_end - max_end;
}
{
krb5_data ticket, cipher;
krb5_keyblock session;
krb5_data_zero(&ticket);
krb5_data_zero(&cipher);
ret = krb5_generate_random_keyblock(context,
ETYPE_DES_PCBC_NONE,
&session);
if (ret) {
make_err_reply(context, reply, KFAILURE,
"Not enough random i KDC");
goto out2;
}
ret = _krb5_krb_create_ticket(context,
0,
ad.pname,
ad.pinst,
ad.prealm,
addr->sin_addr.s_addr,
&session,
life,
issue_time,
sname,
sinst,
&skey->key,
&ticket);
if (ret) {
krb5_free_keyblock_contents(context, &session);
make_err_reply(context, reply, KFAILURE,
"failed to create v4 ticket");
goto out2;
}
ret = _krb5_krb_create_ciph(context,
&session,
sname,
sinst,
config->v4_realm,
life,
server->entry.kvno % 255,
&ticket,
issue_time,
&ad.session,
&cipher);
krb5_free_keyblock_contents(context, &session);
if (ret) {
make_err_reply(context, reply, KFAILURE,
"failed to create v4 cipher");
goto out2;
}
ret = _krb5_krb_create_auth_reply(context,
ad.pname,
ad.pinst,
ad.prealm,
req_time,
0,
0,
0,
&cipher,
reply);
krb5_data_free(&cipher);
}
out2:
_krb5_krb_free_auth_data(context, &ad);
if(tgt_princ)
krb5_free_principal(context, tgt_princ);
if(tgt)
_kdc_free_ent(context, tgt);
break;
}
case AUTH_MSG_ERR_REPLY:
break;
default:
kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
msg_type, from);
make_err_reply(context, reply, KFAILURE, "Unknown message type");
}
out:
if(name)
free(name);
if(inst)
free(inst);
if(realm)
free(realm);
if(sname)
free(sname);
if(sinst)
free(sinst);
if(client)
_kdc_free_ent(context, client);
if(server)
_kdc_free_ent(context, server);
krb5_storage_free(sp);
return 0;
}
krb5_error_code
_kdc_encode_v4_ticket(krb5_context context,
krb5_kdc_configuration *config,
void *buf, size_t len, const EncTicketPart *et,
const PrincipalName *service, size_t *size)
{
krb5_storage *sp;
krb5_error_code ret;
char name[40], inst[40], realm[40];
char sname[40], sinst[40];
{
krb5_principal princ;
_krb5_principalname2krb5_principal(context,
&princ,
*service,
et->crealm);
ret = krb5_524_conv_principal(context,
princ,
sname,
sinst,
realm);
krb5_free_principal(context, princ);
if(ret)
return ret;
_krb5_principalname2krb5_principal(context,
&princ,
et->cname,
et->crealm);
ret = krb5_524_conv_principal(context,
princ,
name,
inst,
realm);
krb5_free_principal(context, princ);
}
if(ret)
return ret;
sp = krb5_storage_emem();
krb5_store_int8(sp, 0); /* flags */
krb5_store_stringz(sp, name);
krb5_store_stringz(sp, inst);
krb5_store_stringz(sp, realm);
{
unsigned char tmp[4] = { 0, 0, 0, 0 };
int i;
if(et->caddr){
for(i = 0; i < et->caddr->len; i++)
if(et->caddr->val[i].addr_type == AF_INET &&
et->caddr->val[i].address.length == 4){
memcpy(tmp, et->caddr->val[i].address.data, 4);
break;
}
}
krb5_storage_write(sp, tmp, sizeof(tmp));
}
if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
et->key.keytype != ETYPE_DES_CBC_MD4 &&
et->key.keytype != ETYPE_DES_CBC_CRC) ||
et->key.keyvalue.length != 8)
return -1;
krb5_storage_write(sp, et->key.keyvalue.data, 8);
{
time_t start = et->starttime ? *et->starttime : et->authtime;
krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
krb5_store_int32(sp, start);
}
krb5_store_stringz(sp, sname);
krb5_store_stringz(sp, sinst);
{
krb5_data data;
krb5_storage_to_data(sp, &data);
krb5_storage_free(sp);
*size = (data.length + 7) & ~7; /* pad to 8 bytes */
if(*size > len)
return -1;
memset((unsigned char*)buf - *size + 1, 0, *size);
memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
krb5_data_free(&data);
}
return 0;
}
krb5_error_code
_kdc_get_des_key(krb5_context context,
hdb_entry_ex *principal, krb5_boolean is_server,
krb5_boolean prefer_afs_key, Key **ret_key)
{
Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
int i;
krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
ETYPE_DES_CBC_MD4,
ETYPE_DES_CBC_CRC };
for(i = 0;
i < sizeof(etypes)/sizeof(etypes[0])
&& (v5_key == NULL || v4_key == NULL ||
afs_key == NULL || server_key == NULL);
++i) {
Key *key = NULL;
while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
if(key->salt == NULL) {
if(v5_key == NULL)
v5_key = key;
} else if(key->salt->type == hdb_pw_salt &&
key->salt->salt.length == 0) {
if(v4_key == NULL)
v4_key = key;
} else if(key->salt->type == hdb_afs3_salt) {
if(afs_key == NULL)
afs_key = key;
} else if(server_key == NULL)
server_key = key;
}
}
if(prefer_afs_key) {
if(afs_key)
*ret_key = afs_key;
else if(v4_key)
*ret_key = v4_key;
else if(v5_key)
*ret_key = v5_key;
else if(is_server && server_key)
*ret_key = server_key;
else
return KERB_ERR_NULL_KEY;
} else {
if(v4_key)
*ret_key = v4_key;
else if(afs_key)
*ret_key = afs_key;
else if(v5_key)
*ret_key = v5_key;
else if(is_server && server_key)
*ret_key = server_key;
else
return KERB_ERR_NULL_KEY;
}
if((*ret_key)->key.keyvalue.length == 0)
return KERB_ERR_NULL_KEY;
return 0;
}
Samba/source/heimdal/kdc/kerberos5.c
+1554
View File
File diff suppressed because it is too large Load Diff
Samba/source/heimdal/kdc/krb5tgs.c
+1781
View File
File diff suppressed because it is too large Load Diff
Samba/source/heimdal/kdc/log.c
+89
View File
@@ -0,0 +1,89 @@
/*
* Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: log.c,v 1.16 2005/06/30 01:52:48 lha Exp $");
void
kdc_openlog(krb5_context context,
krb5_kdc_configuration *config)
{
char **s = NULL, **p;
krb5_initlog(context, "kdc", &config->logf);
s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL);
if(s == NULL)
s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL);
if(s){
for(p = s; *p; p++)
krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s);
}else
krb5_addlog_dest(context, config->logf, DEFAULT_LOG_DEST);
krb5_set_warn_dest(context, config->logf);
}
char*
kdc_log_msg_va(krb5_context context,
krb5_kdc_configuration *config,
int level, const char *fmt, va_list ap)
{
char *msg;
krb5_vlog_msg(context, config->logf, &msg, level, fmt, ap);
return msg;
}
char*
kdc_log_msg(krb5_context context,
krb5_kdc_configuration *config,
int level, const char *fmt, ...)
{
va_list ap;
char *s;
va_start(ap, fmt);
s = kdc_log_msg_va(context, config, level, fmt, ap);
va_end(ap);
return s;
}
void
kdc_log(krb5_context context,
krb5_kdc_configuration *config,
int level, const char *fmt, ...)
{
va_list ap;
char *s;
va_start(ap, fmt);
s = kdc_log_msg_va(context, config, level, fmt, ap);
if(s) free(s);
va_end(ap);
}
Samba/source/heimdal/kdc/misc.c
+119
View File
@@ -0,0 +1,119 @@
/*
* Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: misc.c,v 1.32 2006/08/28 14:41:49 lha Exp $");
struct timeval _kdc_now;
krb5_error_code
_kdc_db_fetch(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal principal,
unsigned flags,
HDB **db,
hdb_entry_ex **h)
{
hdb_entry_ex *ent;
krb5_error_code ret = HDB_ERR_NOENTRY;
int i;
ent = calloc (1, sizeof (*ent));
if (ent == NULL)
return ENOMEM;
for(i = 0; i < config->num_db; i++) {
ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
if (ret) {
kdc_log(context, config, 0, "Failed to open database: %s",
krb5_get_err_text(context, ret));
continue;
}
ret = config->db[i]->hdb_fetch(context,
config->db[i],
principal,
flags | HDB_F_DECRYPT,
ent);
config->db[i]->hdb_close(context, config->db[i]);
if(ret == 0) {
if (db)
*db = config->db[i];
*h = ent;
return 0;
}
}
free(ent);
return ret;
}
void
_kdc_free_ent(krb5_context context, hdb_entry_ex *ent)
{
hdb_free_entry (context, ent);
free (ent);
}
/*
* Use the order list of preferred encryption types and sort the
* available keys and return the most preferred key.
*/
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *h,
const char *name,
krb5_enctype *enctype,
Key **key)
{
const krb5_enctype *p;
krb5_error_code ret;
int i;
p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
ret = hdb_enctype2key(context, &h->entry, p[i], key);
if (ret == 0) {
*enctype = p[i];
return 0;
}
}
krb5_set_error_string(context, "No valid kerberos key found for %s", name);
return EINVAL;
}
Samba/source/heimdal/kdc/pkinit.c
Executable
+1463
View File
File diff suppressed because it is too large Load Diff
Samba/source/heimdal/kdc/process.c
+136
View File
@@ -0,0 +1,136 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
RCSID("$Id: process.c,v 1.5 2006/10/09 15:37:39 lha Exp $");
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*/
int
krb5_kdc_process_request(krb5_context context,
krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
krb5_boolean *prependlength,
const char *from,
struct sockaddr *addr,
int datagram_reply)
{
KDC_REQ req;
Ticket ticket;
DigestREQ digestreq;
krb5_error_code ret;
size_t i;
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
krb5_data req_buffer;
req_buffer.data = buf;
req_buffer.length = len;
ret = _kdc_as_rep(context, config, &req, &req_buffer,
reply, from, addr, datagram_reply);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = _kdc_tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = _kdc_do_524(context, config, &ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
}else if(decode_DigestREQ(buf, len, &digestreq, &i) == 0){
ret = _kdc_do_digest(context, config, &digestreq, reply, from, addr);
free_DigestREQ(&digestreq);
return ret;
} else if(_kdc_maybe_version4(buf, len)){
*prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */
_kdc_do_version4(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr);
return 0;
} else if (config->enable_kaserver) {
ret = _kdc_do_kaserver(context, config, buf, len, reply, from,
(struct sockaddr_in*)addr);
return ret;
}
return -1;
}
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
* sending a reply in `reply'.
*
* This only processes krb5 requests
*/
int
krb5_kdc_process_krb5_request(krb5_context context,
krb5_kdc_configuration *config,
unsigned char *buf,
size_t len,
krb5_data *reply,
const char *from,
struct sockaddr *addr,
int datagram_reply)
{
KDC_REQ req;
krb5_error_code ret;
size_t i;
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
krb5_data req_buffer;
req_buffer.data = buf;
req_buffer.length = len;
ret = _kdc_as_rep(context, config, &req, &req_buffer,
reply, from, addr, datagram_reply);
free_AS_REQ(&req);
return ret;
}else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
ret = _kdc_tgs_rep(context, config, &req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
}
return -1;
}
Samba/source/heimdal/kdc/rx.h
+79
View File
@@ -0,0 +1,79 @@
/*
* Copyright (c) 1997 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */
#ifndef __RX_H__
#define __RX_H__
/* header of a RPC packet */
enum rx_header_type {
HT_DATA = 1,
HT_ACK = 2,
HT_BUSY = 3,
HT_ABORT = 4,
HT_ACKALL = 5,
HT_CHAL = 6,
HT_RESP = 7,
HT_DEBUG = 8
};
/* For flags in header */
enum rx_header_flag {
HF_CLIENT_INITIATED = 1,
HF_REQ_ACK = 2,
HF_LAST = 4,
HF_MORE = 8
};
struct rx_header {
uint32_t epoch;
uint32_t connid; /* And channel ID */
uint32_t callid;
uint32_t seqno;
uint32_t serialno;
u_char type;
u_char flags;
u_char status;
u_char secindex;
uint16_t reserved; /* ??? verifier? */
uint16_t serviceid;
/* This should be the other way around according to everything but */
/* tcpdump */
};
#define RX_HEADER_SIZE 28
#endif /* __RX_H__ */