| blob | b3aba45d1b3dc3cab1ea8d9eb61ab09e2f219c90 |
1 /*
2 * Copyright 2000, International Business Machines Corporation and others.
3 * All Rights Reserved.
4 *
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
8 */
10 #include <afsconfig.h>
11 #include <afs/param.h>
13 #include <roken.h>
15 #include <afs/stds.h>
17 #include <windows.h>
18 #include <rpc.h>
19 #include <afs/kautils.h>
20 #include <afs/cm.h>
21 #include <afs/cm_config.h>
22 #include <afs/krb.h>
23 #include <afs/krb_prot.h>
24 #include <rx/rxkad.h>
25 #include <crypt.h>
26 #include <hcrypto/des.h>
31 static long
33 {
35 }
41 {
56 }
57 }
68 afs_int32
73 {
77 }
79 afs_int32
84 {
110 code =
112 }
116 }
121 /* encrypt password, both ways */
125 /* set port number */
135 code =
150 /* Would like to use Vice ID's; using raw names for now. */
164 code =
175 else
177 }
180 }
182 /*
183 * krb_get_in_tkt()
184 *
185 * This code is descended from kerberos files krb_get_in_tkt.c and
186 * send_to_kdc.c, and one.c.
187 */
189 /*
190 * definition of variable set to 1.
191 * used in krb_conf.h to determine host byte order.
192 */
195 #define HOST_BYTE_ORDER (* (char *) &krbONE)
196 #define MSB_FIRST 0
197 #define LSB_FIRST 1
199 /*
200 * Copyright 1986, 1987, 1988 by the Massachusetts Institute
201 * of Technology.
202 *
203 * For copying and distribution information, please see the file
204 * <mit-cpyright.h>.
205 */
211 /*
212 * The kaserver defines these error codes *privately*. So we redefine them
213 * here, with a slight name change to show that they really are kaserver
214 * errors.
215 */
216 #define KERB_KA_ERR_BAD_MSG_TYPE 99
217 #define KERB_KA_ERR_BAD_LIFETIME 98
218 #define KERB_KA_ERR_NONNULL_REALM 97
219 #define KERB_KA_ERR_PKT_LENGTH 96
220 #define KERB_KA_ERR_TEXT_LENGTH 95
222 static void
224 {
227 }
229 static void
231 {
233 }
238 /*
239 * The following routine has been hacked to make it work for two different
240 * possible string-to-key algorithms. This is a minimal displacement
241 * of the code.
242 */
244 /*
245 * krb_get_in_tkt() gets a ticket for a given principal to use a given
246 * service and stores the returned ticket and session key for future
247 * use.
248 *
249 * The "user", "instance", and "realm" arguments give the identity of
250 * the client who will use the ticket. The "service" and "sinstance"
251 * arguments give the identity of the server that the client wishes
252 * to use. (The realm of the server is the same as the Kerberos server
253 * to whom the request is sent.) The "life" argument indicates the
254 * desired lifetime of the ticket; the "key_proc" argument is a pointer
255 * to the routine used for getting the client's private key to decrypt
256 * the reply from Kerberos. The "decrypt_proc" argument is a pointer
257 * to the routine used to decrypt the reply from Kerberos; and "arg"
258 * is an argument to be passed on to the "key_proc" routine.
259 *
260 * If all goes well, krb_get_in_tkt() returns INTK_OK, otherwise it
261 * returns an error code: If an AUTH_MSG_ERR_REPLY packet is returned
262 * by Kerberos, then the error code it contains is returned. Other
263 * error codes returned by this routine include INTK_PROT to indicate
264 * wrong protocol version, INTK_BADPW to indicate bad password (if
265 * decrypted ticket didn't make sense), INTK_ERR if the ticket was for
266 * the wrong server or the ticket store couldn't be initialized.
267 *
268 * The format of the message sent to Kerberos is as follows:
269 *
270 * Size Variable Field
271 * ---- -------- -----
272 *
273 * 1 byte KRB_PROT_VERSION protocol version number
274 * 1 byte AUTH_MSG_KDC_REQUEST | message type
275 * HOST_BYTE_ORDER local byte order in lsb
276 * string user client's name
277 * string instance client's instance
278 * string realm client's realm
279 * 4 bytes tlocal.tv_sec timestamp in seconds
280 * 1 byte life desired lifetime
281 * string service service's name
282 * string sinstance service's instance
283 */
285 /*
286 * Check_response is a support routine for krb_get_in_tkt.
287 *
288 * Check the response with the supplied key. If the key is apparently
289 * wrong, return INTK_BADPW, otherwise zero.
290 */
291 static
294 {
295 DES_key_schedule key_s;
305 /* copy information from return packet into "cip" */
309 /* decrypt ticket */
314 /* Skip session key */
317 /* Check and extract server's name */
320 }
326 /* Check and extract server's instance */
329 }
335 /* Check and extract server's realm */
338 }
344 /* Ignore ticket lifetime, server key version */
347 /* Extract and check ticket length */
353 }
355 /* Check returned server name, instance, and realm fields */
356 /*
357 * 7/23/98 - Deleting realm check. This allows cell name to differ
358 * from realm name.
359 */
360 #ifdef REALMCHECK
363 #else
365 #endif
366 /* not what we asked for: assume decryption failed */
368 }
371 }
373 /*
374 * The old kaserver (pre 3.4) returned zero error codes sometimes, leaving
375 * the kaserver error code in a string in the text of the error message.
376 * The new one does the same, but returns KDC_GEN_ERR rather than zero.
377 * We try to extract the actual error code.
378 */
380 static int
382 {
389 }
390 }
394 }
397 }
399 static int
415 {
416 KTEXT_ST pkt_st;
418 KTEXT_ST rpkt_st;
420 KTEXT_ST cip_st;
422 KTEXT_ST tkt_st;
440 afs_uint32 rep_err_code;
441 afs_uint32 exp_date;
442 afs_uint32 kdc_time;
444 /* BUILD REQUEST PACKET */
446 /* Set up the fixed part of the packet */
451 /* Now for the variable info */
459 #ifndef WIN32
464 /* timestamp */
474 }
475 }
486 /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */
490 }
492 /* check packet version of the returned packet */
496 /* Check byte order */
500 swap_bytes++;
501 }
510 /* kaservers return bogus error codes in different ways, so map it
511 * from the error text if this is the case */
513 reasonp);
517 }
519 /* get the principal's expiration date */
524 /* Extract length. This will be re-extracted in check_response, below */
527 /* Length of zero seems to correspond to no principal (with kaserver) */
530 }
534 * currently defined for INTK_ */
535 }
537 /*
538 * Check the response against both possible keys, and use the one
539 * that works.
540 */
544 }
546 /*
547 * EXTRACT INFORMATION FROM RETURN PACKET
548 *
549 * Some of the fields, below are already checked for integrity by
550 * check_response.
551 */
554 /* extract session key */
558 /* extract server's name */
563 /* extract server's instance */
568 /* extract server's realm */
573 /* extract ticket lifetime, server key version, ticket length */
574 /* be sure to avoid sign extension on lifetime! */
580 /* extract ticket itself */
584 /* check KDC time stamp */
594 * code */
595 }
597 /* copy out results; if *ticketpp is non-null, the caller has already
598 * allocated the buffer for us.
599 */
612 }
614 /*
615 *
616 * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
617 *
618 * For copying and distribution information, please see the file
619 * <mit-cpyright.h>.
620 */
622 #define S_AD_SZ sizeof(struct sockaddr_in)
626 /* CLIENT_KRB_TIMEOUT indicates the time to wait before
627 * retrying a server. It's defined in "krb.h".
628 */
633 /*
634 * This file contains two routines, send_to_kdc() and send_recv().
635 * send_recv() is a static routine used by send_to_kdc().
636 */
638 /*
639 * send_to_kdc() sends a message to the Kerberos authentication
640 * server(s) in the given realm and returns the reply message.
641 * The "pkt" argument points to the message to be sent to Kerberos;
642 * the "rpkt" argument will be filled in with Kerberos' reply.
643 * The "realm" argument indicates the realm of the Kerberos server(s)
644 * to transact with. If the realm is null, the local realm is used.
645 *
646 * If more than one Kerberos server is known for a given realm,
647 * different servers will be queried until one of them replies.
648 * Several attempts (retries) are made for each server before
649 * giving up entirely.
650 *
651 * If an answer was received from a Kerberos host, KSUCCESS is
652 * returned. The following errors can be returned:
653 *
654 * SKDC_CANT - can't get local realm
655 * - can't find "kerberos" in /etc/services database
656 * - can't open socket
657 * - can't bind socket
658 * - all ports in use
659 * - couldn't find any Kerberos host
660 *
661 * SKDC_RETRY - couldn't get an answer from any Kerberos server,
662 * after several retries
663 */
674 static void
676 {
678 }
680 int
682 {
687 /* add host to list */
690 krb_nhosts++;
692 /* copy in the data */
696 }
698 static
700 KTEXT pkt;
701 KTEXT rpkt;
702 {
703 SOCKET f;
715 }
716 /* from now on, exit through rtn label for cleanup */
718 /* compute # of retries */
719 /* The SMB client seems to time out after 60 seconds. */
721 /* Leave ourselves some margin for fooling around
722 * timeAvail -= 10;
723 * /* How long does one iteration take? */
725 /* How many iters? */
727 /* No more than max */
730 /* At least one */
734 /* retry each host in sequence */
743 }
744 }
745 }
749 rtn:
753 }
755 /*
756 * try to send out and receive message.
757 * return 1 on success, 0 on failure
758 */
760 static
762 KTEXT pkt;
763 KTEXT rpkt;
764 SOCKET f;
766 {
767 fd_set readfds;
776 else
779 }
786 }
790 }
794 /* select - either recv is ready, or timeout */
795 /* see if timeout or error or wrong descriptor */
801 }
803 }
812 }
816 }
818 }
820 /*
821 *
822 * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
823 * of Technology.
824 *
825 * For copying and distribution information, please see the file
826 * <mit-copyright.h>.
827 */
829 /*
830 * This routine takes a reply packet from the Kerberos ticket-granting
831 * service and returns a pointer to the beginning of the ciphertext in it.
832 *
833 * See "krb_prot.h" for packet format.
834 */
836 static KTEXT
838 {
841 /* Skip a few more fields */
844 /* And return the pointer */
846 }
848 /*
849 *
850 * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
851 * of Technology.
852 *
853 * For copying and distribution information, please see the file
854 * <mit-copyright.h>.
855 */
857 /*
858 * Given a pointer to an AUTH_MSG_KDC_REPLY packet, return the length of
859 * its ciphertext portion. The external variable "swap_bytes" is assumed
860 * to have been set to indicate whether or not the packet is in local
861 * byte order. pkt_clen() takes this into account when reading the
862 * ciphertext length out of the packet.
863 */
865 static int
867 {
868 afs_uint16 temp;
870 /* Start of ticket list */
874 /* Finally the length */
878 }
882 }
885 }
887 /* This defines the Andrew string_to_key function. It accepts a password
888 string as input and converts its via a one-way encryption algorithm to a DES
889 encryption key. It is compatible with the original Andrew authentication
890 service password database. */
892 static void
897 {
916 /* crypt only considers the first 8 characters of password but for some
917 * reason returns eleven characters of result (plus the two salt chars). */
921 /* parity is inserted into the LSB so leftshift each byte up one bit. This
922 * allows ascii characters with a zero MSB to retain as much significance
923 * as possible. */
924 {
931 }
932 }
934 }
937 static void
942 {
943 DES_key_schedule schedule;
967 }