authorSam Hartman <hartmans@mit.edu>2010-10-01 17:12:26 +0000
committerSam Hartman <hartmans@mit.edu>2010-10-01 17:12:26 +0000
commit97023f5f10fb091225ad131a0b35f1d91cd12b1e (patch)
tree4e37135602650a44898f2c4b684337211644f80b /src/lib
parenta9a153eb38d1b1f3ee2b6860de3de4eba48bbbeb (diff)
Remove support for the old pa-sam-challenge and pa-sam-response
preauth type per discussion on krbdev. The pa-sam-challenge-2 code remains in the client. preauth: remove pa-sam-challenge git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24403 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/krb5/krb/preauth2.c341
1 files changed, 46 insertions, 295 deletions
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index c07fc46da..5d7d2448c 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -721,295 +721,6 @@ pa_enc_timestamp(krb5_context context, krb5_kdc_req *request,
return(0);
}
-static char *
-sam_challenge_banner(krb5_int32 sam_type)
-{
- char *label;
-
- switch (sam_type) {
- case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */
- label = "Challenge for Enigma Logic mechanism";
- break;
- case PA_SAM_TYPE_DIGI_PATH: /* Digital Pathways */
- case PA_SAM_TYPE_DIGI_PATH_HEX: /* Digital Pathways */
- label = "Challenge for Digital Pathways mechanism";
- break;
- case PA_SAM_TYPE_ACTIVCARD_DEC: /* Digital Pathways */
- case PA_SAM_TYPE_ACTIVCARD_HEX: /* Digital Pathways */
- label = "Challenge for Activcard mechanism";
- break;
- case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */
- label = "Challenge for Enhanced S/Key mechanism";
- break;
- case PA_SAM_TYPE_SKEY: /* Traditional S/Key */
- label = "Challenge for Traditional S/Key mechanism";
- break;
- case PA_SAM_TYPE_SECURID: /* Security Dynamics */
- label = "Challenge for Security Dynamics mechanism";
- break;
- case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */
- label = "Challenge for Security Dynamics mechanism";
- break;
- default:
- label = "Challenge from authentication server";
- break;
- }
-
- return(label);
-}
-
-/* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
-
-#define SAMDATA(kdata, str, maxsize) \
- (int)((kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
- strlen(str)), \
- (kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
-
-/* XXX Danger! This code is not in sync with the kerberos-password-02
- draft. This draft cannot be implemented as written. This code is
- compatible with earlier versions of mit krb5 and cygnus kerbnet. */
-
-static krb5_error_code
-pa_sam(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata,
- krb5_pa_data **out_padata, krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter,
- void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data)
-{
- krb5_error_code ret;
- krb5_data tmpsam;
- char name[100], banner[100];
- char prompt[100], response[100];
- krb5_data response_data;
- krb5_prompt kprompt;
- krb5_prompt_type prompt_type;
- krb5_data defsalt;
- krb5_sam_challenge *sam_challenge = 0;
- krb5_sam_response sam_response;
- /* these two get encrypted and stuffed in to sam_response */
- krb5_enc_sam_response_enc enc_sam_response_enc;
- krb5_data * scratch;
- krb5_pa_data * pa;
-
- if (prompter == NULL)
- return EIO;
-
- tmpsam.length = in_padata->length;
- tmpsam.data = (char *) in_padata->contents;
- if ((ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge)))
- return(ret);
-
- if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(KRB5_SAM_UNSUPPORTED);
- }
-
- /* If we need the password from the user (USE_SAD_AS_KEY not set), */
- /* then get it here. Exception for "old" KDCs with CryptoCard */
- /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */
-
- if (!(sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) ||
- (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) {
-
- /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */
- /* message from the KDC. If it is not set, pick an enctype that we */
- /* think the KDC will have for us. */
-
- if (*etype == 0)
- *etype = ENCTYPE_DES_CBC_CRC;
-
- if ((ret = (gak_fct)(context, request->client, *etype, prompter,
- prompter_data, salt, s2kparams, as_key,
- gak_data))) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
- TRACE_PREAUTH_SAM_KEY_GAK(context, as_key);
- }
- snprintf(name, sizeof(name), "%.*s",
- SAMDATA(sam_challenge->sam_type_name, "SAM Authentication",
- sizeof(name) - 1));
-
- snprintf(banner, sizeof(banner), "%.*s",
- SAMDATA(sam_challenge->sam_challenge_label,
- sam_challenge_banner(sam_challenge->sam_type),
- sizeof(banner)-1));
-
- /* sprintf(prompt, "Challenge is [%s], %s: ", challenge, prompt); */
- snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
- sam_challenge->sam_challenge.length?"Challenge is [":"",
- SAMDATA(sam_challenge->sam_challenge, "", 20),
- sam_challenge->sam_challenge.length?"], ":"",
- SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55));
-
- response_data.data = response;
- response_data.length = sizeof(response);
-
- kprompt.prompt = prompt;
- kprompt.hidden = 1;
- kprompt.reply = &response_data;
- prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
-
- /* PROMPTER_INVOCATION */
- krb5int_set_prompt_types(context, &prompt_type);
- if ((ret = ((*prompter)(context, prompter_data, name,
- banner, 1, &kprompt)))) {
- krb5_free_sam_challenge(context, sam_challenge);
- krb5int_set_prompt_types(context, 0);
- return(ret);
- }
- krb5int_set_prompt_types(context, 0);
-
- enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
- if (sam_challenge->sam_nonce == 0) {
- if ((ret = krb5_us_timeofday(context,
- &enc_sam_response_enc.sam_timestamp,
- &enc_sam_response_enc.sam_usec))) {
- krb5_free_sam_challenge(context,sam_challenge);
- return(ret);
- }
-
- sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
- }
-
- /* XXX What if more than one flag is set? */
- if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
-
- /* Most of this should be taken care of before we get here. We */
- /* will need the user's password and as_key to encrypt the SAD */
- /* and we want to preserve ordering of user prompts (first */
- /* password, then SAM data) so that user's won't be confused. */
-
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
-
- /* generate a salt using the requested principal */
-
- if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if ((ret = krb5_principal2salt(context, request->client,
- &defsalt))) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
-
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
-
- /* generate a key using the supplied password */
-
- ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
- (krb5_data *)gak_data, salt, as_key);
-
- if (defsalt.length)
- free(defsalt.data);
-
- if (ret) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
-
- /* encrypt the passcode with the key from above */
-
- enc_sam_response_enc.sam_sad = response_data;
- } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
-
- /* process the key as password */
-
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
-
-#if 0
- if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if (ret = krb5_principal2salt(context, request->client,
- &defsalt)) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
-
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
-#else
- defsalt.length = 0;
- salt = NULL;
-#endif
-
- /* XXX As of the passwords-04 draft, no enctype is specified,
- the server uses ENCTYPE_DES_CBC_MD5. In the future the
- server should send a PA-SAM-ETYPE-INFO containing the enctype. */
-
- ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
- &response_data, salt, as_key);
-
- if (defsalt.length)
- free(defsalt.data);
-
- if (ret) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
-
- enc_sam_response_enc.sam_sad.length = 0;
- } else {
- /* Eventually, combine SAD with long-term key to get
- encryption key. */
- krb5_free_sam_challenge(context, sam_challenge);
- return KRB5_PREAUTH_BAD_TYPE;
- }
-
- /* copy things from the challenge */
- sam_response.sam_nonce = sam_challenge->sam_nonce;
- sam_response.sam_flags = sam_challenge->sam_flags;
- sam_response.sam_track_id = sam_challenge->sam_track_id;
- sam_response.sam_type = sam_challenge->sam_type;
- sam_response.magic = KV5M_SAM_RESPONSE;
-
- krb5_free_sam_challenge(context, sam_challenge);
-
- /* encode the encoded part of the response */
- if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
- &scratch)))
- return(ret);
-
- ret = krb5_encrypt_helper(context, as_key, 0, scratch,
- &sam_response.sam_enc_nonce_or_ts);
-
- krb5_free_data(context, scratch);
-
- if (ret)
- return(ret);
-
- /* sam_enc_key is reserved for future use */
- sam_response.sam_enc_key.ciphertext.length = 0;
-
- if ((pa = malloc(sizeof(krb5_pa_data))) == NULL)
- return(ENOMEM);
-
- if ((ret = encode_krb5_sam_response(&sam_response, &scratch))) {
- free(pa);
- return(ret);
- }
-
- pa->magic = KV5M_PA_DATA;
- pa->pa_type = KRB5_PADATA_SAM_RESPONSE;
- pa->length = scratch->length;
- pa->contents = (krb5_octet *) scratch->data;
-
- *out_padata = pa;
-
- free(scratch);
-
- return(0);
-}
-
#if APPLE_PKINIT
/*
* PKINIT. One function to generate AS-REQ, one to parse AS-REP
@@ -1324,6 +1035,51 @@ error_out:
}
#endif /* APPLE_PKINIT */
+/* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
+
+#define SAMDATA(kdata, str, maxsize) \
+ (int)((kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
+ strlen(str)), \
+ (kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
+static char *
+sam_challenge_banner(krb5_int32 sam_type)
+{
+ char *label;
+
+ switch (sam_type) {
+ case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */
+ label = "Challenge for Enigma Logic mechanism";
+ break;
+ case PA_SAM_TYPE_DIGI_PATH: /* Digital Pathways */
+ case PA_SAM_TYPE_DIGI_PATH_HEX: /* Digital Pathways */
+ label = "Challenge for Digital Pathways mechanism";
+ break;
+ case PA_SAM_TYPE_ACTIVCARD_DEC: /* Digital Pathways */
+ case PA_SAM_TYPE_ACTIVCARD_HEX: /* Digital Pathways */
+ label = "Challenge for Activcard mechanism";
+ break;
+ case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */
+ label = "Challenge for Enhanced S/Key mechanism";
+ break;
+ case PA_SAM_TYPE_SKEY: /* Traditional S/Key */
+ label = "Challenge for Traditional S/Key mechanism";
+ break;
+ case PA_SAM_TYPE_SECURID: /* Security Dynamics */
+ label = "Challenge for Security Dynamics mechanism";
+ break;
+ case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */
+ label = "Challenge for Security Dynamics mechanism";
+ break;
+ default:
+ label = "Challenge from authentication server";
+ break;
+ }
+
+ return(label);
+}
+
static krb5_error_code
pa_sam_2(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata,
krb5_pa_data **out_padata, krb5_data *salt, krb5_data *s2kparams,
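Review bot: The case comments on `PA_SAM_TYPE_ACTIVCARD_DEC` and `PA_SAM_TYPE_ACTIVCARD_HEX` in the relocated sam_challenge_banner() still read `/* Digital Pathways */`, which contradicts the "Activcard" label assigned on the following line; they should read `/* Activcard */`. Since the function is being moved anyway, it would help to give it a one-line header such as `/* Return a fixed banner string for a SAM mechanism type; never returns NULL. */`, and to put a blank line between the SAMDATA `#define` and the `static char *` that immediately follows it, as the two are currently run together. SAMDATA expands both `kdata` and `str` more than once, so its arguments must stay free of side effects; a short comment stating that above the macro would protect its remaining caller, which appears to be pa_sam_2 — that function's signature begins at the end of this hunk and its body lies outside it.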
@@ -1439,7 +1195,7 @@ pa_sam_2(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata,
krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL);
/* Generate salt used by string_to_key() */
- if ((salt->length == -1) && (salt->data == NULL)) {
+ if (((int) salt->length == -1) && (salt->data == NULL)) {
if ((retval =
krb5_principal2salt(context, request->client, &defsalt))) {
krb5_free_sam_challenge_2(context, sc2);
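Review bot: The added `(int)` cast on `salt->length` replaces a well-defined comparison with an implementation-defined one: converting an unsigned value above INT_MAX to int is implementation-defined in C (6.3.1.3), whereas the old `salt->length == -1` promoted -1 to the unsigned type and compared exactly, so the cast only hides the warning rather than resolving the sign mismatch. If the goal is to keep the sentinel check warning-free, compare in the field's own type, e.g. `if ((salt->length == (unsigned int) -1) && (salt->data == NULL)) {`, or test against `SALT_TYPE_AFS_LENGTH` as the deleted pa_sam() did, if that constant denotes the same sentinel. This assumes `length` is unsigned, which the cast itself suggests; pa_sam_2 begins before this hunk and continues past it.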
@@ -1726,11 +1482,6 @@ static const pa_types_t pa_types[] = {
PA_REAL,
},
{
- KRB5_PADATA_SAM_CHALLENGE,
- pa_sam,
- PA_REAL,
- },
- {
KRB5_PADATA_FX_COOKIE,
pa_fx_cookie,
PA_INFO,