1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
|
/*
* lib/krb4/prot_kdc.c
*
* Copyright 1985--1988, 2000, 2001 by the Massachusetts Institute of
* Technology. All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
* Contains the protocol encoders and decoders used by the KDC.
*/
#include "krb.h"
#include "prot.h"
#include <string.h>
#include "port-sockets.h"
/*
* encode_kdc_reply
*
* Encodes a reply from the KDC to the client.
*
* Returns KRB4PROT_OK on success, non-zero on failure.
*
* Caller is responsible for cleaning up OUTBUF.
*
* This packet layout description was originally in cr_auth_repl.c:
*
* variable
* type or constant data
* ---- ----------- ----
* unsigned char KRB_PROT_VERSION protocol version number
*
* unsigned char AUTH_MSG_KDC_REPLY protocol message type
*
* [least significant HOST_BYTE_ORDER sender's (server's) byte
* bit of above field] order
*
* string pname principal's name
*
* string pinst principal's instance
*
* string prealm principal's realm
*
* unsigned long time_ws client's timestamp
*
* unsigned char n number of tickets
*
* unsigned long x_date expiration date
*
* unsigned char kvno master key version
*
* short cipher->length cipher length
*
* binary cipher->dat cipher data
*/
int KRB5_CALLCONV
krb4prot_encode_kdc_reply(char *pname, char *pinst, char *prealm,
long time_ws,
int n, /* Number of tickets; 0 for krb4 (!) */
unsigned long x_date, /* exp date */
int kvno,
KTEXT cipher, /* encrypted ticket */
int chklen, /* check input str len? */
int le, /* little-endian? */
KTEXT outbuf)
{
unsigned char *p;
int ret;
p = outbuf->dat;
/* This is really crusty. */
if (n != 0)
*p++ = 3;
else
*p++ = KRB_PROT_VERSION;
/* little-endianness based on input, usually big-endian, though. */
*p++ = AUTH_MSG_KDC_REPLY | !!le;
ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
outbuf, &p);
if (ret)
return ret;
/* Check lengths */
if (cipher->length > 65535 || cipher->length < 0)
return KRB4PROT_ERR_OVERRUN;
if ((sizeof(outbuf->dat) - (p - outbuf->dat)
< (4 /* timestamp */
+ 1 /* num of tickets */
+ 4 /* exp date */
+ 1 /* kvno */
+ 2 /* cipher->length */
+ cipher->length))) /* cipher->dat */
return KRB4PROT_ERR_OVERRUN;
/* Workstation timestamp */
KRB4_PUT32(p, time_ws, le);
/* Number of tickets */
*p++ = n;
/* Expiration date */
KRB4_PUT32(p, x_date, le);
/* Now send the ciphertext and info to help decode it */
*p++ = kvno;
KRB4_PUT16(p, cipher->length, le);
memcpy(p, cipher->dat, (size_t)cipher->length);
p += cipher->length;
/* And return the packet */
outbuf->length = p - outbuf->dat;
return KRB4PROT_OK;
}
/*
* encode_ciph
*
* Encodes a "cipher" that is to be included in a KDC reply message.
*
* Caller is responsible for cleaning up CIPH.
*
* Returns KRB4PROT_OK on success, non-zero on failure.
*
* Packet format below is originally from cr_ciph.c:
*
* variable
* type or constant data
* ---- ----------- ----
* 8 bytes session session key for client, service
*
* string service service name
*
* string instance service instance
*
* string realm KDC realm
*
* unsigned char life ticket lifetime
*
* unsigned char kvno service key version number
*
* unsigned char tkt->length length of following ticket
*
* data tkt->dat ticket for service
*
* 4 bytes kdc_time KDC's timestamp
*
* <=7 bytes null null pad to 8 byte multiple
*/
int KRB5_CALLCONV
krb4prot_encode_ciph(C_Block session,
char *name, char *inst, char *realm,
unsigned long life, int kvno,
KTEXT tkt, /* ticket */
unsigned long kdc_time,
int chklen, /* check str lens? */
int le, /* little-endian? */
KTEXT ciph) /* output buffer */
{
unsigned char *p;
int ret;
p = ciph->dat;
/*
* Assume that there will be >= 8 bytes in a KTEXT. If there
* aren't, we have worse problems.
*/
memcpy(p, session, 8);
p += 8;
ret = krb4prot_encode_naminstrlm(name, inst, realm, chklen,
ciph, &p);
if (ret)
return ret;
if (tkt->length > 255 || tkt->length < 0)
return KRB4PROT_ERR_OVERRUN;
if ((sizeof(ciph->dat) - (p - ciph->dat)) / 8
< (1 /* life */
+ 1 /* kvno */
+ 1 /* tkt->length */
+ tkt->length /* tkt->dat */
+ 4 /* kdc_time */
+ 7) / 8) /* roundoff */
return KRB4PROT_ERR_OVERRUN;
*p++ = life;
*p++ = kvno;
*p++ = tkt->length;
memcpy(p, tkt->dat, (size_t)tkt->length);
p += tkt->length;
KRB4_PUT32(p, kdc_time, le);
/* Guarantee null pad to multiple of 8 bytes */
memset(p, 0, 7);
ciph->length = (((p - ciph->dat) + 7) / 8) * 8;
return KRB4PROT_OK;
}
/*
* encode_tkt
*
* Encode ticket to include in a "cipher". Does not encrypt.
*
* Caller is responsible for cleaning TKT.
*
* The length of the ticket is a multiple of
* eight bytes and is in tkt->length.
*
* If the ticket is not a multiple of eight bytes long, the ticket
* will contain nulls.
*
* Returns KRB4PROT_OK on success, non-zero on failure.
*
* The following packet layout is from cr_tkt.c:
*
* variable
* type or constant data
* ---- ----------- ----
* unsigned char flags namely, HOST_BYTE_ORDER
*
* string pname client's name
*
* string pinstance client's instance
*
* string prealm client's realm
*
* 4 bytes paddress client's address
*
* 8 bytes session session key
*
* 1 byte life ticket lifetime
*
* 4 bytes time_sec KDC timestamp
*
* string sname service's name
*
* string sinstance service's instance
*
* <=7 bytes null null pad to 8 byte multiple
*/
int KRB5_CALLCONV
krb4prot_encode_tkt(unsigned int flags,
char *pname, char *pinst, char *prealm,
unsigned long paddress,
char *session,
int life, long time_sec,
char *sname, char *sinst,
int chklen, /* check str lens? */
int le, /* little-endian? */
KTEXT tkt) /* output buf */
{
struct in_addr paddr;
unsigned char *p;
size_t snamelen, sinstlen;
/* Be really paranoid. */
if (sizeof(paddr.s_addr) != 4)
return KFAILURE;
p = tkt->dat;
/*
* Assume at least one byte in a KTEXT. If not, we have bigger
* problems. Also, bitwise-OR in the little-endian flag.
*/
*p++ = flags | !!le;
if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
tkt, &p))
return KFAILURE;
snamelen = strlen(sname) + 1;
sinstlen = strlen(sinst) + 1;
if (life > 255 || life < 0)
return KFAILURE;
if (chklen && (snamelen > ANAME_SZ || sinstlen > INST_SZ))
return KFAILURE;
if ((sizeof(tkt->dat) - (p - tkt->dat)) / 8
< (4 /* address */
+ 8 /* session */
+ 1 /* life */
+ 4 /* issue time */
+ snamelen + sinstlen
+ 7) / 8) /* roundoff */
return KFAILURE;
paddr.s_addr = paddress;
memcpy(p, &paddr.s_addr, sizeof(paddr.s_addr));
p += sizeof(paddr.s_addr);
memcpy(p, session, 8);
p += 8;
*p++ = life;
/* issue time */
KRB4_PUT32(p, time_sec, le);
memcpy(p, sname, snamelen);
p += snamelen;
memcpy(p, sinst, sinstlen);
p += sinstlen;
/* guarantee null padded ticket to multiple of 8 bytes */
memset(p, 0, 7);
tkt->length = ((p - tkt->dat + 7) / 8) * 8;
return KSUCCESS;
}
/*
* encode_err_reply
*
* Encode an error reply message from the KDC to the client.
*
* Returns KRB4PROT_OK on success, non-zero on error.
*
* The following packet layout description is from cr_err_repl.c:
*
* type variable data
* or constant
* ---- ----------- ----
* unsigned char req_ack_vno protocol version number
*
* unsigned char AUTH_MSG_ERR_REPLY protocol message type
*
* [least significant HOST_BYTE_ORDER sender's (server's) byte
* bit of above field] order
*
* string pname principal's name
*
* string pinst principal's instance
*
* string prealm principal's realm
*
* unsigned long time_ws client's timestamp
*
* unsigned long e error code
*
* string e_string error text
*/
int KRB5_CALLCONV
krb4prot_encode_err_reply(char *pname, char *pinst, char *prealm,
unsigned long time_ws,
unsigned long err, /* error code */
char *err_string, /* error text */
int chklen, /* check str lens? */
int le, /* little-endian? */
KTEXT pkt) /* output buf */
{
unsigned char *p;
size_t err_stringlen;
p = pkt->dat;
/* Assume >= 2 bytes in KTEXT. */
*p++ = KRB_PROT_VERSION;
*p++ = AUTH_MSG_ERR_REPLY | !!le;
if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
pkt, &p))
return KFAILURE;
err_stringlen = strlen(err_string) + 1;
if ((sizeof(pkt->dat) - (p - pkt->dat))
< (4 /* timestamp */
+ 4 /* err code */
+ err_stringlen))
return KFAILURE;
/* ws timestamp */
KRB4_PUT32(p, time_ws, le);
/* err code */
KRB4_PUT32(p, err, le);
/* err text */
memcpy(p, err_string, err_stringlen);
p += err_stringlen;
/* And return */
pkt->length = p - pkt->dat;
return KSUCCESS;
}
/*
* decode_kdc_request
*
* Decode an initial ticket request sent from the client to the KDC.
*
* Packet format is described in g_in_tkt.c.
*
* Returns KRB4PROT_OK on success, non-zero on failure.
*/
int KRB5_CALLCONV
krb4prot_decode_kdc_request(KTEXT pkt,
int *le,
char *pname, char *pinst, char *prealm,
long *req_time, int *life,
char *sname, char *sinst)
{
unsigned char *p;
int msg_type, ret, len;
p = pkt->dat;
/* Get prot vers and msg type */
if (pkt->length < 2)
return KRB4PROT_ERR_UNDERRUN;
if (*p++ != KRB_PROT_VERSION)
return KRB4PROT_ERR_PROT_VERS;
msg_type = *p++;
*le = msg_type & 1;
msg_type &= ~1;
if (msg_type != AUTH_MSG_KDC_REQUEST)
return KRB4PROT_ERR_MSG_TYPE;
ret = krb4prot_decode_naminstrlm(pkt, &p, pname, pinst, prealm);
if (ret)
return ret;
#define PKT_REMAIN (pkt->length - (p - pkt->dat))
if (PKT_REMAIN < (4 /* time */
+ 1)) /* life */
return KRB4PROT_ERR_UNDERRUN;
KRB4_GET32(*req_time, p, *le);
*life = *p++;
if (PKT_REMAIN <= 0)
return KRB4PROT_ERR_UNDERRUN;
len = krb4int_strnlen((char *)p, PKT_REMAIN) + 1;
if (len <= 0 || len > ANAME_SZ)
return KRB4PROT_ERR_OVERRUN;
memcpy(sname, p, (size_t)len);
p += len;
if (PKT_REMAIN <= 0)
return KRB4PROT_ERR_UNDERRUN;
len = krb4int_strnlen((char *)p, PKT_REMAIN) + 1;
if (len <= 0 || len > INST_SZ)
return KRB4PROT_ERR_OVERRUN;
memcpy(sinst, p, (size_t)len);
p += len;
/* XXX krb4 preauth? */
return KRB4PROT_OK;
}
|
