search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / crypto / dist / heimdal / kdc / kerberos4.c
blobda283c5357df331df49759ec417dee54377ba0f8
1 /*
2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 #include <krb5-v4compat.h>
37
38 __RCSID("$Heimdal: kerberos4.c 21577 2007-07-16 08:14:06Z lha $"
39 "$NetBSD$");
40
41 #ifndef swap32
42 static uint32_t
43 swap32(uint32_t x)
44 {
45 return ((x << 24) & 0xff000000) |
46 ((x << 8) & 0xff0000) |
47 ((x >> 8) & 0xff00) |
48 ((x >> 24) & 0xff);
49 }
50 #endif /* swap32 */
51
52 int
53 _kdc_maybe_version4(unsigned char *buf, int len)
54 {
55 return len > 0 && *buf == 4;
56 }
57
58 static void
59 make_err_reply(krb5_context context, krb5_data *reply,
60 int code, const char *msg)
61 {
62 _krb5_krb_cr_err_reply(context, "", "", "",
63 kdc_time, code, msg, reply);
64 }
65
66 struct valid_princ_ctx {
67 krb5_kdc_configuration *config;
68 unsigned flags;
69 };
70
71 static krb5_boolean
72 valid_princ(krb5_context context,
73 void *funcctx,
74 krb5_principal princ)
75 {
76 struct valid_princ_ctx *ctx = funcctx;
77 krb5_error_code ret;
78 char *s;
79 hdb_entry_ex *ent;
80
81 ret = krb5_unparse_name(context, princ, &s);
82 if (ret)
83 return FALSE;
84 ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, NULL, &ent);
85 if (ret) {
86 kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
87 krb5_get_err_text (context, ret));
88 free(s);
89 return FALSE;
90 }
91 kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
92 free(s);
93 _kdc_free_ent(context, ent);
94 return TRUE;
95 }
96
97 krb5_error_code
98 _kdc_db_fetch4(krb5_context context,
99 krb5_kdc_configuration *config,
100 const char *name, const char *instance, const char *realm,
101 unsigned flags,
102 hdb_entry_ex **ent)
103 {
104 krb5_principal p;
105 krb5_error_code ret;
106 struct valid_princ_ctx ctx;
107
108 ctx.config = config;
109 ctx.flags = flags;
110
111 ret = krb5_425_conv_principal_ext2(context, name, instance, realm,
112 valid_princ, &ctx, 0, &p);
113 if(ret)
114 return ret;
115 ret = _kdc_db_fetch(context, config, p, flags, NULL, ent);
116 krb5_free_principal(context, p);
117 return ret;
118 }
119
120 #define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;}
121
122 /*
123 * Process the v4 request in `buf, len' (received from `addr'
124 * (with string `from').
125 * Return an error code and a reply in `reply'.
126 */
127
128 krb5_error_code
129 _kdc_do_version4(krb5_context context,
130 krb5_kdc_configuration *config,
131 unsigned char *buf,
132 size_t len,
133 krb5_data *reply,
134 const char *from,
135 struct sockaddr_in *addr)
136 {
137 krb5_storage *sp;
138 krb5_error_code ret;
139 hdb_entry_ex *client = NULL, *server = NULL;
140 Key *ckey, *skey;
141 int8_t pvno;
142 int8_t msg_type;
143 int lsb;
144 char *name = NULL, *inst = NULL, *realm = NULL;
145 char *sname = NULL, *sinst = NULL;
146 int32_t req_time;
147 time_t max_life;
148 uint8_t life;
149 char client_name[256];
150 char server_name[256];
151
152 if(!config->enable_v4) {
153 kdc_log(context, config, 0,
154 "Rejected version 4 request from %s", from);
155 make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
156 "Function not enabled");
157 return 0;
158 }
159
160 sp = krb5_storage_from_mem(buf, len);
161 RCHECK(krb5_ret_int8(sp, &pvno), out);
162 if(pvno != 4){
163 kdc_log(context, config, 0,
164 "Protocol version mismatch (krb4) (%d)", pvno);
165 make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
166 goto out;
167 }
168 RCHECK(krb5_ret_int8(sp, &msg_type), out);
169 lsb = msg_type & 1;
170 msg_type &= ~1;
171 switch(msg_type){
172 case AUTH_MSG_KDC_REQUEST: {
173 krb5_data ticket, cipher;
174 krb5_keyblock session;
175
176 krb5_data_zero(&ticket);
177 krb5_data_zero(&cipher);
178
179 RCHECK(krb5_ret_stringz(sp, &name), out1);
180 RCHECK(krb5_ret_stringz(sp, &inst), out1);
181 RCHECK(krb5_ret_stringz(sp, &realm), out1);
182 RCHECK(krb5_ret_int32(sp, &req_time), out1);
183 if(lsb)
184 req_time = swap32(req_time);
185 RCHECK(krb5_ret_uint8(sp, &life), out1);
186 RCHECK(krb5_ret_stringz(sp, &sname), out1);
187 RCHECK(krb5_ret_stringz(sp, &sinst), out1);
188 snprintf (client_name, sizeof(client_name),
189 "%s.%s@%s", name, inst, realm);
190 snprintf (server_name, sizeof(server_name),
191 "%s.%s@%s", sname, sinst, config->v4_realm);
192
193 kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
194 client_name, from, server_name);
195
196 ret = _kdc_db_fetch4(context, config, name, inst, realm,
197 HDB_F_GET_CLIENT, &client);
198 if(ret) {
199 kdc_log(context, config, 0, "Client not found in database: %s: %s",
200 client_name, krb5_get_err_text(context, ret));
201 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
202 "principal unknown");
203 goto out1;
204 }
205 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
206 HDB_F_GET_SERVER, &server);
207 if(ret){
208 kdc_log(context, config, 0, "Server not found in database: %s: %s",
209 server_name, krb5_get_err_text(context, ret));
210 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
211 "principal unknown");
212 goto out1;
213 }
214
215 ret = _kdc_check_flags (context, config,
216 client, client_name,
217 server, server_name,
218 TRUE);
219 if (ret) {
220 /* good error code? */
221 make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
222 "operation not allowed");
223 goto out1;
224 }
225
226 if (config->enable_v4_per_principal &&
227 client->entry.flags.allow_kerberos4 == 0)
228 {
229 kdc_log(context, config, 0,
230 "Per principal Kerberos 4 flag not turned on for %s",
231 client_name);
232 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
233 "allow kerberos4 flag required");
234 goto out1;
235 }
236
237 /*
238 * There's no way to do pre-authentication in v4 and thus no
239 * good error code to return if preauthentication is required.
240 */
241
242 if (config->require_preauth
243 || client->entry.flags.require_preauth
244 || server->entry.flags.require_preauth) {
245 kdc_log(context, config, 0,
246 "Pre-authentication required for v4-request: "
247 "%s for %s",
248 client_name, server_name);
249 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
250 "preauth required");
251 goto out1;
252 }
253
254 ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
255 if(ret){
256 kdc_log(context, config, 0, "no suitable DES key for client");
257 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
258 "no suitable DES key for client");
259 goto out1;
260 }
261
262 #if 0
263 /* this is not necessary with the new code in libkrb */
264 /* find a properly salted key */
265 while(ckey->salt == NULL || ckey->salt->salt.length != 0)
266 ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey);
267 if(ret){
268 kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
269 name, inst, realm);
270 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
271 "No version-4 salted key in database");
272 goto out1;
273 }
274 #endif
275
276 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
277 if(ret){
278 kdc_log(context, config, 0, "no suitable DES key for server");
279 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
280 "no suitable DES key for server");
281 goto out1;
282 }
283
284 max_life = _krb5_krb_life_to_time(0, life);
285 if(client->entry.max_life)
286 max_life = min(max_life, *client->entry.max_life);
287 if(server->entry.max_life)
288 max_life = min(max_life, *server->entry.max_life);
289
290 life = krb_time_to_life(kdc_time, kdc_time + max_life);
291
292 ret = krb5_generate_random_keyblock(context,
293 ETYPE_DES_PCBC_NONE,
294 &session);
295 if (ret) {
296 make_err_reply(context, reply, KFAILURE,
297 "Not enough random i KDC");
298 goto out1;
299 }
300
301 ret = _krb5_krb_create_ticket(context,
302 0,
303 name,
304 inst,
305 config->v4_realm,
306 addr->sin_addr.s_addr,
307 &session,
308 life,
309 kdc_time,
310 sname,
311 sinst,
312 &skey->key,
313 &ticket);
314 if (ret) {
315 krb5_free_keyblock_contents(context, &session);
316 make_err_reply(context, reply, KFAILURE,
317 "failed to create v4 ticket");
318 goto out1;
319 }
320
321 ret = _krb5_krb_create_ciph(context,
322 &session,
323 sname,
324 sinst,
325 config->v4_realm,
326 life,
327 server->entry.kvno % 255,
328 &ticket,
329 kdc_time,
330 &ckey->key,
331 &cipher);
332 krb5_free_keyblock_contents(context, &session);
333 krb5_data_free(&ticket);
334 if (ret) {
335 make_err_reply(context, reply, KFAILURE,
336 "Failed to create v4 cipher");
337 goto out1;
338 }
339
340 ret = _krb5_krb_create_auth_reply(context,
341 name,
342 inst,
343 realm,
344 req_time,
345 0,
346 client->entry.pw_end ? *client->entry.pw_end : 0,
347 client->entry.kvno % 256,
348 &cipher,
349 reply);
350 krb5_data_free(&cipher);
351
352 out1:
353 break;
354 }
355 case AUTH_MSG_APPL_REQUEST: {
356 struct _krb5_krb_auth_data ad;
357 int8_t kvno;
358 int8_t ticket_len;
359 int8_t req_len;
360 krb5_data auth;
361 int32_t address;
362 size_t pos;
363 krb5_principal tgt_princ = NULL;
364 hdb_entry_ex *tgt = NULL;
365 Key *tkey;
366 time_t max_end, actual_end, issue_time;
367
368 memset(&ad, 0, sizeof(ad));
369 krb5_data_zero(&auth);
370
371 RCHECK(krb5_ret_int8(sp, &kvno), out2);
372 RCHECK(krb5_ret_stringz(sp, &realm), out2);
373
374 ret = krb5_425_conv_principal(context, "krbtgt", realm,
375 config->v4_realm,
376 &tgt_princ);
377 if(ret){
378 kdc_log(context, config, 0,
379 "Converting krbtgt principal (krb4): %s",
380 krb5_get_err_text(context, ret));
381 make_err_reply(context, reply, KFAILURE,
382 "Failed to convert v4 principal (krbtgt)");
383 goto out2;
384 }
385
386 ret = _kdc_db_fetch(context, config, tgt_princ,
387 HDB_F_GET_KRBTGT, NULL, &tgt);
388 if(ret){
389 char *s;
390 s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
391 "found in database (krb4): krbtgt.%s@%s: %s",
392 realm, config->v4_realm,
393 krb5_get_err_text(context, ret));
394 make_err_reply(context, reply, KFAILURE, s);
395 free(s);
396 goto out2;
397 }
398
399 if(tgt->entry.kvno % 256 != kvno){
400 kdc_log(context, config, 0,
401 "tgs-req (krb4) with old kvno %d (current %d) for "
402 "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
403 realm, config->v4_realm);
404 make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
405 "old krbtgt kvno used");
406 goto out2;
407 }
408
409 ret = _kdc_get_des_key(context, tgt, TRUE, FALSE, &tkey);
410 if(ret){
411 kdc_log(context, config, 0,
412 "no suitable DES key for krbtgt (krb4)");
413 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
414 "no suitable DES key for krbtgt");
415 goto out2;
416 }
417
418 RCHECK(krb5_ret_int8(sp, &ticket_len), out2);
419 RCHECK(krb5_ret_int8(sp, &req_len), out2);
420
421 pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);
422
423 auth.data = buf;
424 auth.length = pos;
425
426 if (config->check_ticket_addresses)
427 address = addr->sin_addr.s_addr;
428 else
429 address = 0;
430
431 ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm,
432 config->v4_realm,
433 address, &tkey->key, &ad);
434 if(ret){
435 kdc_log(context, config, 0, "krb_rd_req: %d", ret);
436 make_err_reply(context, reply, ret, "failed to parse request");
437 goto out2;
438 }
439
440 RCHECK(krb5_ret_int32(sp, &req_time), out2);
441 if(lsb)
442 req_time = swap32(req_time);
443 RCHECK(krb5_ret_uint8(sp, &life), out2);
444 RCHECK(krb5_ret_stringz(sp, &sname), out2);
445 RCHECK(krb5_ret_stringz(sp, &sinst), out2);
446 snprintf (server_name, sizeof(server_name),
447 "%s.%s@%s",
448 sname, sinst, config->v4_realm);
449 snprintf (client_name, sizeof(client_name),
450 "%s.%s@%s",
451 ad.pname, ad.pinst, ad.prealm);
452
453 kdc_log(context, config, 0, "TGS-REQ (krb4) %s from %s for %s",
454 client_name, from, server_name);
455
456 if(strcmp(ad.prealm, realm)){
457 kdc_log(context, config, 0,
458 "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
459 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
460 "Can't hop realms");
461 goto out2;
462 }
463
464 if (!config->enable_v4_cross_realm && strcmp(realm, config->v4_realm) != 0) {
465 kdc_log(context, config, 0,
466 "krb4 Cross-realm %s -> %s disabled",
467 realm, config->v4_realm);
468 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
469 "Can't hop realms");
470 goto out2;
471 }
472
473 if(strcmp(sname, "changepw") == 0){
474 kdc_log(context, config, 0,
475 "Bad request for changepw ticket (krb4)");
476 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
477 "Can't authorize password change based on TGT");
478 goto out2;
479 }
480
481 ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
482 HDB_F_GET_CLIENT, &client);
483 if(ret && ret != HDB_ERR_NOENTRY) {
484 char *s;
485 s = kdc_log_msg(context, config, 0,
486 "Client not found in database: (krb4) %s: %s",
487 client_name, krb5_get_err_text(context, ret));
488 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
489 free(s);
490 goto out2;
491 }
492 if (client == NULL && strcmp(ad.prealm, config->v4_realm) == 0) {
493 char *s;
494 s = kdc_log_msg(context, config, 0,
495 "Local client not found in database: (krb4) "
496 "%s", client_name);
497 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
498 free(s);
499 goto out2;
500 }
501
502 ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
503 HDB_F_GET_SERVER, &server);
504 if(ret){
505 char *s;
506 s = kdc_log_msg(context, config, 0,
507 "Server not found in database (krb4): %s: %s",
508 server_name, krb5_get_err_text(context, ret));
509 make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
510 free(s);
511 goto out2;
512 }
513
514 ret = _kdc_check_flags (context, config,
515 client, client_name,
516 server, server_name,
517 FALSE);
518 if (ret) {
519 make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
520 "operation not allowed");
521 goto out2;
522 }
523
524 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
525 if(ret){
526 kdc_log(context, config, 0,
527 "no suitable DES key for server (krb4)");
528 make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
529 "no suitable DES key for server");
530 goto out2;
531 }
532
533 max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life);
534 max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life));
535 if(server->entry.max_life)
536 max_end = min(max_end, kdc_time + *server->entry.max_life);
537 if(client && client->entry.max_life)
538 max_end = min(max_end, kdc_time + *client->entry.max_life);
539 life = min(life, krb_time_to_life(kdc_time, max_end));
540
541 issue_time = kdc_time;
542 actual_end = _krb5_krb_life_to_time(issue_time, life);
543 while (actual_end > max_end && life > 1) {
544 /* move them into the next earlier lifetime bracket */
545 life--;
546 actual_end = _krb5_krb_life_to_time(issue_time, life);
547 }
548 if (actual_end > max_end) {
549 /* if life <= 1 and it's still too long, backdate the ticket */
550 issue_time -= actual_end - max_end;
551 }
552
553 {
554 krb5_data ticket, cipher;
555 krb5_keyblock session;
556
557 krb5_data_zero(&ticket);
558 krb5_data_zero(&cipher);
559
560 ret = krb5_generate_random_keyblock(context,
561 ETYPE_DES_PCBC_NONE,
562 &session);
563 if (ret) {
564 make_err_reply(context, reply, KFAILURE,
565 "Not enough random i KDC");
566 goto out2;
567 }
568
569 ret = _krb5_krb_create_ticket(context,
570 0,
571 ad.pname,
572 ad.pinst,
573 ad.prealm,
574 addr->sin_addr.s_addr,
575 &session,
576 life,
577 issue_time,
578 sname,
579 sinst,
580 &skey->key,
581 &ticket);
582 if (ret) {
583 krb5_free_keyblock_contents(context, &session);
584 make_err_reply(context, reply, KFAILURE,
585 "failed to create v4 ticket");
586 goto out2;
587 }
588
589 ret = _krb5_krb_create_ciph(context,
590 &session,
591 sname,
592 sinst,
593 config->v4_realm,
594 life,
595 server->entry.kvno % 255,
596 &ticket,
597 issue_time,
598 &ad.session,
599 &cipher);
600 krb5_free_keyblock_contents(context, &session);
601 if (ret) {
602 make_err_reply(context, reply, KFAILURE,
603 "failed to create v4 cipher");
604 goto out2;
605 }
606
607 ret = _krb5_krb_create_auth_reply(context,
608 ad.pname,
609 ad.pinst,
610 ad.prealm,
611 req_time,
612 0,
613 0,
614 0,
615 &cipher,
616 reply);
617 krb5_data_free(&cipher);
618 }
619 out2:
620 _krb5_krb_free_auth_data(context, &ad);
621 if(tgt_princ)
622 krb5_free_principal(context, tgt_princ);
623 if(tgt)
624 _kdc_free_ent(context, tgt);
625 break;
626 }
627 case AUTH_MSG_ERR_REPLY:
628 break;
629 default:
630 kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s",
631 msg_type, from);
632
633 make_err_reply(context, reply, KFAILURE, "Unknown message type");
634 }
635 out:
636 if(name)
637 free(name);
638 if(inst)
639 free(inst);
640 if(realm)
641 free(realm);
642 if(sname)
643 free(sname);
644 if(sinst)
645 free(sinst);
646 if(client)
647 _kdc_free_ent(context, client);
648 if(server)
649 _kdc_free_ent(context, server);
650 krb5_storage_free(sp);
651 return 0;
652 }
653
654 krb5_error_code
655 _kdc_encode_v4_ticket(krb5_context context,
656 krb5_kdc_configuration *config,
657 void *buf, size_t len, const EncTicketPart *et,
658 const PrincipalName *service, size_t *size)
659 {
660 krb5_storage *sp;
661 krb5_error_code ret;
662 char name[40], inst[40], realm[40];
663 char sname[40], sinst[40];
664
665 {
666 krb5_principal princ;
667 _krb5_principalname2krb5_principal(context,
668 &princ,
669 *service,
670 et->crealm);
671 ret = krb5_524_conv_principal(context,
672 princ,
673 sname,
674 sinst,
675 realm);
676 krb5_free_principal(context, princ);
677 if(ret)
678 return ret;
679
680 _krb5_principalname2krb5_principal(context,
681 &princ,
682 et->cname,
683 et->crealm);
684
685 ret = krb5_524_conv_principal(context,
686 princ,
687 name,
688 inst,
689 realm);
690 krb5_free_principal(context, princ);
691 }
692 if(ret)
693 return ret;
694
695 sp = krb5_storage_emem();
696
697 krb5_store_int8(sp, 0); /* flags */
698 krb5_store_stringz(sp, name);
699 krb5_store_stringz(sp, inst);
700 krb5_store_stringz(sp, realm);
701 {
702 unsigned char tmp[4] = { 0, 0, 0, 0 };
703 int i;
704 if(et->caddr){
705 for(i = 0; i < et->caddr->len; i++)
706 if(et->caddr->val[i].addr_type == AF_INET &&
707 et->caddr->val[i].address.length == 4){
708 memcpy(tmp, et->caddr->val[i].address.data, 4);
709 break;
710 }
711 }
712 krb5_storage_write(sp, tmp, sizeof(tmp));
713 }
714
715 if((et->key.keytype != ETYPE_DES_CBC_MD5 &&
716 et->key.keytype != ETYPE_DES_CBC_MD4 &&
717 et->key.keytype != ETYPE_DES_CBC_CRC) ||
718 et->key.keyvalue.length != 8)
719 return -1;
720 krb5_storage_write(sp, et->key.keyvalue.data, 8);
721
722 {
723 time_t start = et->starttime ? *et->starttime : et->authtime;
724 krb5_store_int8(sp, krb_time_to_life(start, et->endtime));
725 krb5_store_int32(sp, start);
726 }
727
728 krb5_store_stringz(sp, sname);
729 krb5_store_stringz(sp, sinst);
730
731 {
732 krb5_data data;
733 krb5_storage_to_data(sp, &data);
734 krb5_storage_free(sp);
735 *size = (data.length + 7) & ~7; /* pad to 8 bytes */
736 if(*size > len)
737 return -1;
738 memset((unsigned char*)buf - *size + 1, 0, *size);
739 memcpy((unsigned char*)buf - *size + 1, data.data, data.length);
740 krb5_data_free(&data);
741 }
742 return 0;
743 }
744
745 krb5_error_code
746 _kdc_get_des_key(krb5_context context,
747 hdb_entry_ex *principal, krb5_boolean is_server,
748 krb5_boolean prefer_afs_key, Key **ret_key)
749 {
750 Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
751 int i;
752 krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
753 ETYPE_DES_CBC_MD4,
754 ETYPE_DES_CBC_CRC };
755
756 for(i = 0;
757 i < sizeof(etypes)/sizeof(etypes[0])
758 && (v5_key == NULL || v4_key == NULL ||
759 afs_key == NULL || server_key == NULL);
760 ++i) {
761 Key *key = NULL;
762 while(hdb_next_enctype2key(context, &principal->entry, etypes[i], &key) == 0) {
763 if(key->salt == NULL) {
764 if(v5_key == NULL)
765 v5_key = key;
766 } else if(key->salt->type == hdb_pw_salt &&
767 key->salt->salt.length == 0) {
768 if(v4_key == NULL)
769 v4_key = key;
770 } else if(key->salt->type == hdb_afs3_salt) {
771 if(afs_key == NULL)
772 afs_key = key;
773 } else if(server_key == NULL)
774 server_key = key;
775 }
776 }
777
778 if(prefer_afs_key) {
779 if(afs_key)
780 *ret_key = afs_key;
781 else if(v4_key)
782 *ret_key = v4_key;
783 else if(v5_key)
784 *ret_key = v5_key;
785 else if(is_server && server_key)
786 *ret_key = server_key;
787 else
788 return KRB4ET_KDC_NULL_KEY;
789 } else {
790 if(v4_key)
791 *ret_key = v4_key;
792 else if(afs_key)
793 *ret_key = afs_key;
794 else if(v5_key)
795 *ret_key = v5_key;
796 else if(is_server && server_key)
797 *ret_key = server_key;
798 else
799 return KRB4ET_KDC_NULL_KEY;
800 }
801
802 if((*ret_key)->key.keyvalue.length == 0)
803 return KRB4ET_KDC_NULL_KEY;
804 return 0;
805 }
806
NetBSD on the FriendlyARM MINI2440