diff options
| author | Chris Provenzano <proven@mit.edu> | 1995-07-27 08:44:42 +0000 |
|---|---|---|
| committer | Chris Provenzano <proven@mit.edu> | 1995-07-27 08:44:42 +0000 |
| commit | 17a888de38b276e6fc5ed4420bced0465510ee19 (patch) | |
| tree | d301b5bbec4b43153559292d651ffd65f6143de3 /src/kdc | |
| parent | 4f0debdb553c49e68b36ee4e0ece3d2f32e4ae03 (diff) | |
Use new kdb format
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6329 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
| -rw-r--r-- | src/kdc/ChangeLog | 4 | ||||
| -rw-r--r-- | src/kdc/do_as_req.c | 163 | ||||
| -rw-r--r-- | src/kdc/do_tgs_req.c | 37 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 39 | ||||
| -rw-r--r-- | src/kdc/main.c | 61 |
5 files changed, 157 insertions, 147 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index dce96117f..235e3a405 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,4 +1,8 @@ +Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu) + + * do_as_req.c do_tgs_req.c kdc_util.c main.c : Use new kdb format. + Mon Jul 17 15:13:09 EDT 1995 Paul Park (pjpark@mit.edu) * main.c - Gut KDC profile handling logic and move it to lib/kadm/ alt_prof.c because it's now used by admin and kadmin programs. diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index be7155763..de0fc9e50 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -63,39 +63,25 @@ check_padata (client, src_addr, padata, pa_id, flags) of padata. */ int *flags; { - krb5_encrypted_keyblock *enckey; - krb5_keyblock tmpkey; krb5_error_code retval; - - enckey = &(client->key); - /* Extract client key/alt_key from master key */ - - retval = krb5_kdb_decrypt_key(kdc_context,&master_encblock,enckey,&tmpkey); - if (retval) { - krb5_klog_syslog( LOG_ERR, "AS_REQ: Unable to extract client key: %s", - error_message(retval)); - return retval; - } - retval = krb5_verify_padata(kdc_context, *padata,client->principal, - src_addr, &tmpkey, pa_id, flags); - memset((char *)tmpkey.contents, 0, tmpkey.length); - krb5_xfree(tmpkey.contents); - if (retval && client->alt_key.length) { - /* - * If we failed, try again with the alternative key - */ - enckey = &(client->alt_key); - /* Extract client key/alt_key from master key */ - if ((retval = krb5_kdb_decrypt_key(kdc_context,&master_encblock, - enckey,&tmpkey))) { - krb5_klog_syslog( LOG_ERR, "AS_REQ: Unable to extract client alt_key: %s", - error_message(retval)); + krb5_keyblock tmpkey; + int i; + + /* Extract a client key from master key */ + for (i = 0; i < client->n_key_data; i++) { + if (retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &client->key_data[i], + &tmpkey, NULL)) { + krb5_klog_syslog(LOG_ERR,"AS_REQ: Unable to extract client key: %s", + error_message(retval)); return retval; } - retval = krb5_verify_padata(kdc_context, *padata,client->principal, + retval = krb5_verify_padata(kdc_context, *padata, client->princ, src_addr, &tmpkey, pa_id, flags); - memset((char *)tmpkey.contents, 0, tmpkey.length); - krb5_xfree(tmpkey.contents); + memset((char *)tmpkey.contents, 0, tmpkey.length); + krb5_xfree(tmpkey.contents); + if (!retval) + break; } return retval; } @@ -127,6 +113,7 @@ krb5_data **response; /* filled in with a response packet */ static krb5_principal cpw = 0; char *status; krb5_encrypt_block eblock; + int ok_key = 0; register int i; @@ -229,31 +216,51 @@ krb5_data **response; /* filled in with a response packet */ goto errout; } - for (i = 0; i < request->netypes; i++) { - krb5_keytype ok_keytype; + { /* Get a key that fits the kvno and keytype */ + int max_kvno = 0; + + /* + * First find latest key unless a kvno is specified in which + * case we should only look for those keys. + * + * Note: specifing a kvno isn't defined yet + */ + for (i = 0; i < server.n_key_data; i++) { + if (max_kvno < server.key_data[i].key_data_kvno) { + max_kvno = server.key_data[i].key_data_kvno; + } + } + + /* This will change when the etype == keytype */ + for (i = 0; i < request->netypes; i++) { + krb5_keytype ok_keytype; + int j; - if (!valid_etype(request->etype[i])) - continue; + if (!valid_etype(request->etype[i])) + continue; - if (request->etype[i] == ETYPE_DES_CBC_MD5 && - !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)) - continue; + if (request->etype[i] == ETYPE_DES_CBC_MD5 && + !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)) + continue; - ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; + ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; - if (server.key.keytype == ok_keytype || - server.alt_key.keytype == ok_keytype) - break; + for (ok_key = 0; ok_key < server.n_key_data; ok_key++) { + if ((server.key_data[ok_key].key_data_kvno = max_kvno) && + (server.key_data[ok_key].key_data_type[0] == ok_keytype)) { + goto got_a_key; + } + } + } } - if (i == request->netypes) { - /* unsupported etype */ - - krb5_klog_syslog(LOG_INFO, "AS_REQ: BAD ENCRYPTION TYPE: host %s, %s for %s", - fromstring, cname, sname); - retval = prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response); - goto errout; - } + /* unsupported etype */ + krb5_klog_syslog(LOG_INFO,"AS_REQ: BAD ENCRYPTION TYPE: host %s, %s for %s", + fromstring, cname, sname); + retval = prepare_error_as(request, KDC_ERR_ETYPE_NOSUPP, response); + goto errout; + +got_a_key:; useetype = request->etype[i]; krb5_use_cstype(kdc_context, &eblock, useetype); @@ -261,8 +268,8 @@ krb5_data **response; /* filled in with a response packet */ krb5_csarray[useetype]->random_sequence, &session_key))) { /* random key failed */ - krb5_klog_syslog(LOG_INFO, "AS_REQ: RANDOM KEY FAILED: host %s, %s for %s", - fromstring, cname, sname); + krb5_klog_syslog(LOG_INFO,"AS_REQ: RANDOM KEY FAILED: host %s, %s for %s", + fromstring, cname, sname); goto errout; } @@ -406,21 +413,27 @@ krb5_data **response; /* filled in with a response packet */ /* convert server.key into a real key (it may be encrypted in the database) */ - if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &server.key, &encrypting_key))) + if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &server.key_data[ok_key], + &encrypting_key, NULL))) goto errout; - retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, &ticket_reply); + retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, + &ticket_reply); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); if (retval) goto errout; - ticket_reply.enc_part.kvno = server.kvno; + ticket_reply.enc_part.kvno = server.key_data[i].key_data_kvno; /* Start assembling the response */ reply.msg_type = KRB5_AS_REP; reply.padata = 0; - if (client.salt_type != KRB5_KDB_SALTTYPE_NORMAL) { + /* + * XXX If the client principal has more than one key we have a problem + * -- proven + */ + if (client.key_data[0].key_data_ver > 1) { padat_tmp[0] = &padat_local; padat_tmp[1] = 0; @@ -429,7 +442,7 @@ krb5_data **response; /* filled in with a response packet */ /* WARNING: sharing substructure here, but it's not a real problem, since nothing below will "pull out the rug" */ - switch (client.salt_type) { + switch (client.key_data[0].key_data_type[1]) { krb5_data *data_foo; case KRB5_KDB_SALTTYPE_V4: /* send an empty (V4) salt */ @@ -441,17 +454,17 @@ krb5_data **response; /* filled in with a response packet */ request->client, &salt_data))) goto errout; - padat_tmp[0]->length = salt_data.length; padat_tmp[0]->contents = (krb5_octet *)salt_data.data; + padat_tmp[0]->length = salt_data.length; break; case KRB5_KDB_SALTTYPE_ONLYREALM: data_foo = krb5_princ_realm(kdc_context, request->client); - padat_tmp[0]->length = data_foo->length; padat_tmp[0]->contents = (krb5_octet *)data_foo->data; + padat_tmp[0]->length = data_foo->length; break; case KRB5_KDB_SALTTYPE_SPECIAL: - padat_tmp[0]->length = client.salt_length; - padat_tmp[0]->contents = client.salt; + padat_tmp[0]->contents = client.key_data[0].key_data_contents[1]; + padat_tmp[0]->length = client.key_data[0].key_data_length[1]; break; } reply.padata = padat_tmp; @@ -479,36 +492,34 @@ krb5_data **response; /* filled in with a response packet */ /* now encode/encrypt the response */ - /* convert client.key into a real key (it may be encrypted - in the database) */ - if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &client.key, &encrypting_key))) - goto errout; reply.enc_part.etype = useetype; - reply.enc_part.kvno = client.kvno; + reply.enc_part.kvno = client.key_data[0].key_data_kvno; + + /* convert client.key_data into a real key */ + if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &client.key_data[0], + &encrypting_key, NULL))) + goto errout; + retval = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart, &eblock, &encrypting_key, &reply, response); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); if (retval) { - krb5_klog_syslog(LOG_INFO, "AS_REQ: ENCODE_KDC_REP: host %s, %s for %s (%s)", - fromstring, cname, sname, error_message(retval)); + krb5_klog_syslog(LOG_INFO, + "AS_REQ: ENCODE_KDC_REP: host %s, %s for %s (%s)", + fromstring, cname, sname, error_message(retval)); goto errout; } /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ - memset(reply.enc_part.ciphertext.data, 0, - reply.enc_part.ciphertext.length); + memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); - if (is_secondary) - krb5_klog_syslog(LOG_INFO, "AS_REQ; ISSUE: authtime %d, host %s, %s for %s", - authtime, fromstring, cname, sname); - else - krb5_klog_syslog(LOG_INFO, "AS_REQ: ISSUE: authtime %d, host %s, %s for %s", - authtime, fromstring, cname, sname); + krb5_klog_syslog(LOG_INFO, "AS_REQ; ISSUE: authtime %d, host %s, %s for %s", + authtime, fromstring, cname, sname); errout: if (cname) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index f25e709dd..7afd45136 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -87,6 +87,7 @@ krb5_data **response; /* filled in with a response packet */ int errcode, errcode2; register int i; int firstpass = 1; + int ok_key_data = 0; char *status = 0; char secondary_ch; @@ -227,21 +228,21 @@ tgt_again: ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; - if (server.key.keytype == ok_keytype || - server.alt_key.keytype == ok_keytype) - break; + for (ok_key_data = 0; ok_key_data < server.n_key_data; ok_key_data++) + if (server.key_data[ok_key_data].key_data_type[0] == ok_keytype) + goto got_a_key; } - if (i == request->netypes) { - /* unsupported etype */ - status = "BAD_ENCRYPTION_TYPE"; - errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - goto cleanup; - } + /* unsupported etype */ + errcode = KRB5KDC_ERR_ETYPE_NOSUPP; + status = "BAD_ENCRYPTION_TYPE"; + goto cleanup; + +got_a_key:; useetype = request->etype[i]; krb5_use_cstype(kdc_context, &eblock, useetype); - - retval = krb5_random_key(kdc_context, &eblock, krb5_csarray[useetype]->random_sequence, + retval = krb5_random_key(kdc_context, &eblock, + krb5_csarray[useetype]->random_sequence, &session_key); if (retval) { /* random key failed */ @@ -427,11 +428,7 @@ tgt_again: goto cleanup; } /* scratch now has the authorization data, so we decode it */ -#ifdef KRB5_USE_ISODE - retval = decode_krb5_authdata(&scratch, request->unenc_authdata); -#else retval = decode_krb5_authdata(&scratch, &(request->unenc_authdata)); -#endif free(scratch.data); if (retval) { status = "AUTH_DECODE"; @@ -550,16 +547,18 @@ tgt_again: } else { /* convert server.key into a real key (it may be encrypted in the database) */ - if ((retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &server.key, &encrypting_key))) { + if ((retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &server.key_data[ok_key_data], + &encrypting_key, NULL))) { status = "CONV_KEY"; goto cleanup; } - ticket_reply.enc_part.kvno = server.kvno; + ticket_reply.enc_part.kvno = server.key_data[ok_key_data].key_data_kvno; ticket_reply.enc_part.etype = useetype; krb5_use_cstype(kdc_context, &eblock, ticket_reply.enc_part.etype); - retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, &ticket_reply); + retval = krb5_encrypt_tkt_part(kdc_context, &eblock, &encrypting_key, + &ticket_reply); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index b044443b8..7edb14d3a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -306,7 +306,7 @@ cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); cleanup_auth_context: - /* We do not want the fre of the auth_context to close the rcache */ + /* We do not want the free of the auth_context to close the rcache */ (void) krb5_auth_con_setrcache(kdc_context, auth_context, 0); krb5_auth_con_free(kdc_context, auth_context); @@ -317,18 +317,19 @@ cleanup: krb5_error_code kdc_get_server_key(ticket, key, kvno) -krb5_ticket *ticket; -krb5_keyblock **key; -krb5_kvno *kvno; + krb5_ticket * ticket; + krb5_keyblock ** key; + krb5_kvno * kvno; { - krb5_error_code retval; - int nprincs; - krb5_db_entry server; - krb5_boolean more; + krb5_error_code retval; + krb5_db_entry server; + krb5_boolean more; + int nprincs, i, last_i; if (krb5_principal_compare(kdc_context, tgs_server, ticket->server)) { + retval = krb5_copy_keyblock(kdc_context, &tgs_key, key); *kvno = tgs_kvno; - return krb5_copy_keyblock(kdc_context, &tgs_key, key); + return retval; } else { nprincs = 1; @@ -345,20 +346,28 @@ krb5_kvno *kvno; krb5_db_free_principal(kdc_context, &server, nprincs); if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { - krb5_klog_syslog(LOG_ERR, "TGS_REQ: UNKNOWN SERVER: server='%s'", + krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", sname); free(sname); } return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); } - /* convert server.key into a real key (it may be encrypted - in the database) */ + /* + * Get the latest version of the server key_data and + * convert the key into a real key (it may be encrypted in the database) + */ + for (*kvno = last_i = i = 0; i < server.n_key_data; i++) { + if (*kvno < server.key_data[i].key_data_kvno) { + *kvno = server.key_data[i].key_data_kvno; + last_i = i; + } + } if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { - retval = krb5_kdb_decrypt_key(kdc_context, &master_encblock, - &server.key, *key); + retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_encblock, + &server.key_data[last_i], + *key, NULL); } else retval = ENOMEM; - *kvno = server.kvno; krb5_db_free_principal(kdc_context, &server, nprincs); return retval; } diff --git a/src/kdc/main.c b/src/kdc/main.c index b006d8fdc..0d14c8ebf 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -361,6 +361,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, krb5_boolean db_inited; krb5_int32 ibuf; krb5_enctype etype; + int i, keyno; krb5_realm_params *rparams; kret = EINVAL; @@ -369,7 +370,6 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, if (realm) { rdp->realm_name = realm; if (!(kret = krb5_init_context(&rdp->realm_context))) { - (void) krb5_read_realm_params(rdp->realm_context, rdp->realm_name, (char *) NULL, @@ -410,6 +410,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, "kdc", def_port, KDC_PORTNAME); + /* Handle KDC secondary port */ if (rparams && rparams->realm_kdc_sport_valid) rdp->realm_sport = rparams->realm_kdc_sport; @@ -543,12 +544,15 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, com_err(progname, kret, "while fetching master entry for realm %s", realm); goto whoops; - } - else { - rdp->realm_mkvno = db_entry.kvno; - krb5_db_free_principal(rdp->realm_context, - &db_entry, - num2get); + } else { + /* Get the most recent mkvno */ + for (rdp->realm_mkvno = i = 0; i < db_entry.n_key_data; i++) { + if (rdp->realm_mkvno < db_entry.key_data[i].key_data_kvno) { + rdp->realm_mkvno = db_entry.key_data[i].key_data_kvno; + keyno = i; + } + } + krb5_db_free_principal(rdp->realm_context, &db_entry, num2get); } /* Now preprocess the master key */ @@ -595,13 +599,12 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname, com_err(progname, kret, "while fetching TGS entry for realm %s", realm); goto whoops; - } - else { - if (!(kret = krb5_kdb_decrypt_key(rdp->realm_context, - &rdp->realm_encblock, - &db_entry.key, - &rdp->realm_tgskey))) { - rdp->realm_tgskvno = db_entry.kvno; + } else { + if (!(kret = krb5_dbekd_decrypt_key_data(rdp->realm_context, + &rdp->realm_encblock, + &db_entry.key_data[keyno], + &rdp->realm_tgskey, NULL))){ + rdp->realm_tgskvno = db_entry.key_data[keyno].key_data_kvno; } krb5_db_free_principal(rdp->realm_context, &db_entry, @@ -710,16 +713,9 @@ initialize_realms(kcontext, argc, argv) case 'r': /* realm name for db */ if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { if (rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t))) { - if (retval = init_realm(argv[0], - rdatap, - optarg, - db_name, - mkey_name, - mkeytype, - pport, - sport, - kdc_etype, - manual)) { + if (retval = init_realm(argv[0], rdatap, optarg, db_name, + mkey_name, mkeytype, pport, sport, + kdc_etype, manual)) { fprintf(stderr,"%s: cannot initialize realm %s\n", argv[0], optarg); exit(1); @@ -774,16 +770,8 @@ initialize_realms(kcontext, argc, argv) exit(1); } if (rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t))) { - if (retval = init_realm(argv[0], - rdatap, - lrealm, - db_name, - mkey_name, - mkeytype, - pport, - sport, - kdc_etype, - manual)) { + if (retval = init_realm(argv[0], rdatap, lrealm, db_name, mkey_name, + mkeytype, pport, sport, kdc_etype, manual)){ fprintf(stderr,"%s: cannot initialize realm %s\n", argv[0], lrealm); exit(1); @@ -797,8 +785,7 @@ initialize_realms(kcontext, argc, argv) * Now handle the replay cache. */ if (retval = kdc_initialize_rcache(kcontext, rcname)) { - com_err(argv[0], retval, - "while initializing KDC replay cache"); + com_err(argv[0], retval, "while initializing KDC replay cache"); exit(1); } @@ -813,7 +800,7 @@ finish_realms(prog) { int i; - for (i=0; i<kdc_numrealms; i++) + for (i = 0; i < kdc_numrealms; i++) finish_realm(kdc_realmlist[i]); } |