![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to kerberos.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / kerberosIV / kerberos|
Return to kerberos.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / kerberosIV / kerberos |
1.1 ! root 1: /* ! 2: * $Source: /usr/src/kerberosIV/kerberos/RCS/kerberos.c,v $ ! 3: * $Author: kfall $ ! 4: * ! 5: * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute ! 6: * of Technology. ! 7: * ! 8: * For copying and distribution information, please see the file ! 9: * <mit-copyright.h>. ! 10: */ ! 11: ! 12: #ifndef lint ! 13: static char *rcsid_kerberos_c = ! 14: "$Header: /usr/src/kerberosIV/kerberos/RCS/kerberos.c,v 4.20 90/06/25 20:59:31 kfall Exp $"; ! 15: #endif lint ! 16: ! 17: #include <mit-copyright.h> ! 18: #include <stdio.h> ! 19: #include <sys/types.h> ! 20: #include <sys/socket.h> ! 21: #include <netinet/in.h> ! 22: #include <netdb.h> ! 23: #include <signal.h> ! 24: #include <sgtty.h> ! 25: #include <sys/ioctl.h> ! 26: #include <sys/time.h> ! 27: #include <sys/file.h> ! 28: #include <ctype.h> ! 29: ! 30: #include <des.h> ! 31: #include <krb.h> ! 32: #include <klog.h> ! 33: #include <prot.h> ! 34: #include <krb_db.h> ! 35: #include <kdc.h> ! 36: ! 37: extern int errno; ! 38: ! 39: struct sockaddr_in sin = {AF_INET}; ! 40: int f; ! 41: ! 42: /* XXX several files in libkdb know about this */ ! 43: char *progname; ! 44: ! 45: static Key_schedule master_key_schedule; ! 46: static C_Block master_key; ! 47: ! 48: static struct timeval kerb_time; ! 49: static Principal a_name_data; /* for requesting user */ ! 50: static Principal s_name_data; /* for services requested */ ! 51: static C_Block session_key; ! 52: static C_Block user_key; ! 53: static C_Block service_key; ! 54: static u_char master_key_version; ! 55: static char k_instance[INST_SZ]; ! 56: static char log_text[128]; ! 57: static char *lt; ! 58: static int more; ! 59: ! 60: static int mflag; /* Are we invoked manually? */ ! 61: static int lflag; /* Have we set an alterate log file? */ ! 62: static char *log_file; /* name of alt. log file */ ! 63: static int nflag; /* don't check max age */ ! 64: static int rflag; /* alternate realm specified */ ! 65: ! 66: /* fields within the received request packet */ ! 67: static u_char req_msg_type; ! 68: static u_char req_version; ! 69: static char *req_name_ptr; ! 70: static char *req_inst_ptr; ! 71: static char *req_realm_ptr; ! 72: static u_char req_no_req; ! 73: static u_long req_time_ws; ! 74: ! 75: int req_act_vno = KRB_PROT_VERSION; /* Temporary for version skew */ ! 76: ! 77: static char local_realm[REALM_SZ]; ! 78: ! 79: /* statistics */ ! 80: static long q_bytes; /* current bytes remaining in queue */ ! 81: static long q_n; /* how many consecutive non-zero ! 82: * q_bytes */ ! 83: static long max_q_bytes; ! 84: static long max_q_n; ! 85: static long n_auth_req; ! 86: static long n_appl_req; ! 87: static long n_packets; ! 88: static long n_user; ! 89: static long n_server; ! 90: ! 91: extern char *sys_errlist[]; ! 92: static long max_age = -1; ! 93: static long pause_int = -1; ! 94: ! 95: static void check_db_age(); ! 96: static void hang(); ! 97: ! 98: /* ! 99: * Print usage message and exit. ! 100: */ ! 101: static void usage() ! 102: { ! 103: fprintf(stderr, "Usage: %s [-s] [-m] [-n] [-p pause_seconds]%s%s\n", progname, ! 104: " [-a max_age] [-l log_file] [-r realm]" ! 105: ," [database_pathname]" ! 106: ); ! 107: exit(1); ! 108: } ! 109: ! 110: ! 111: main(argc, argv) ! 112: int argc; ! 113: char **argv; ! 114: { ! 115: struct sockaddr_in from; ! 116: register int n; ! 117: int on = 1; ! 118: int child; ! 119: struct servent *sp; ! 120: int fromlen; ! 121: static KTEXT_ST pkt_st; ! 122: KTEXT pkt = &pkt_st; ! 123: Principal *p; ! 124: int more, kerror; ! 125: C_Block key; ! 126: int c; ! 127: extern char *optarg; ! 128: extern int optind; ! 129: ! 130: progname = argv[0]; ! 131: ! 132: while ((c = getopt(argc, argv, "snmp:a:l:r:")) != EOF) { ! 133: switch(c) { ! 134: case 's': ! 135: /* ! 136: * Set parameters to slave server defaults. ! 137: */ ! 138: if (max_age == -1 && !nflag) ! 139: max_age = ONE_DAY; /* 24 hours */ ! 140: if (pause_int == -1) ! 141: pause_int = FIVE_MINUTES; /* 5 minutes */ ! 142: if (lflag == 0) { ! 143: log_file = KRBSLAVELOG; ! 144: lflag++; ! 145: } ! 146: break; ! 147: case 'n': ! 148: max_age = -1; /* don't check max age. */ ! 149: nflag++; ! 150: break; ! 151: case 'm': ! 152: mflag++; /* running manually; prompt for master key */ ! 153: break; ! 154: case 'p': ! 155: /* Set pause interval. */ ! 156: if (!isdigit(optarg[0])) ! 157: usage(); ! 158: pause_int = atoi(optarg); ! 159: if ((pause_int < 5) || (pause_int > ONE_HOUR)) { ! 160: fprintf(stderr, "pause_int must be between 5 and 3600 seconds.\n"); ! 161: usage(); ! 162: } ! 163: break; ! 164: case 'a': ! 165: /* Set max age. */ ! 166: if (!isdigit(optarg[0])) ! 167: usage(); ! 168: max_age = atoi(optarg); ! 169: if ((max_age < ONE_HOUR) || (max_age > THREE_DAYS)) { ! 170: fprintf(stderr, "max_age must be between one hour and three days, in seconds\n"); ! 171: usage(); ! 172: } ! 173: break; ! 174: case 'l': ! 175: /* Set alternate log file */ ! 176: lflag++; ! 177: log_file = optarg; ! 178: break; ! 179: case 'r': ! 180: /* Set realm name */ ! 181: rflag++; ! 182: strcpy(local_realm, optarg); ! 183: break; ! 184: default: ! 185: usage(); ! 186: break; ! 187: } ! 188: } ! 189: ! 190: if (optind == (argc-1)) { ! 191: if (kerb_db_set_name(argv[optind]) != 0) { ! 192: fprintf(stderr, "Could not set alternate database name\n"); ! 193: exit(1); ! 194: } ! 195: optind++; ! 196: } ! 197: ! 198: if (optind != argc) ! 199: usage(); ! 200: ! 201: printf("Kerberos server starting\n"); ! 202: ! 203: if ((!nflag) && (max_age != -1)) ! 204: printf("\tMaximum database age: %d seconds\n", max_age); ! 205: if (pause_int != -1) ! 206: printf("\tSleep for %d seconds on error\n", pause_int); ! 207: else ! 208: printf("\tSleep forever on error\n"); ! 209: if (mflag) ! 210: printf("\tMaster key will be entered manually\n"); ! 211: ! 212: printf("\tLog file is %s\n", lflag ? log_file : KRBLOG); ! 213: ! 214: if (lflag) ! 215: kset_logfile(log_file); ! 216: ! 217: /* find our hostname, and use it as the instance */ ! 218: if (gethostname(k_instance, INST_SZ)) { ! 219: fprintf(stderr, "%s: gethostname error\n", progname); ! 220: exit(1); ! 221: } ! 222: ! 223: if ((sp = getservbyname("kerberos", "udp")) == 0) { ! 224: fprintf(stderr, "%s: udp/kerberos unknown service\n", progname); ! 225: exit(1); ! 226: } ! 227: sin.sin_port = sp->s_port; ! 228: ! 229: if ((f = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { ! 230: fprintf(stderr, "%s: Can't open socket\n", progname); ! 231: exit(1); ! 232: } ! 233: if (setsockopt(f, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) ! 234: fprintf(stderr, "%s: setsockopt (SO_REUSEADDR)\n", progname); ! 235: ! 236: if (bind(f, &sin, S_AD_SZ, 0) < 0) { ! 237: fprintf(stderr, "%s: Can't bind socket\n", progname); ! 238: exit(1); ! 239: } ! 240: /* do all the database and cache inits */ ! 241: if (n = kerb_init()) { ! 242: if (mflag) { ! 243: printf("Kerberos db and cache init "); ! 244: printf("failed = %d ...exiting\n", n); ! 245: exit(-1); ! 246: } else { ! 247: klog(L_KRB_PERR, ! 248: "Kerberos db and cache init failed = %d ...exiting", n); ! 249: hang(); ! 250: } ! 251: } ! 252: ! 253: /* Make sure database isn't stale */ ! 254: check_db_age(); ! 255: ! 256: /* setup master key */ ! 257: if (kdb_get_master_key (mflag, master_key, master_key_schedule) != 0) { ! 258: klog (L_KRB_PERR, "kerberos: couldn't get master key.\n"); ! 259: exit (-1); ! 260: } ! 261: kerror = kdb_verify_master_key (master_key, master_key_schedule, stdout); ! 262: if (kerror < 0) { ! 263: klog (L_KRB_PERR, "Can't verify master key."); ! 264: bzero (master_key, sizeof (master_key)); ! 265: bzero (master_key_schedule, sizeof (master_key_schedule)); ! 266: exit (-1); ! 267: } ! 268: ! 269: master_key_version = (u_char) kerror; ! 270: ! 271: fprintf(stdout, "\nCurrent Kerberos master key version is %d\n", ! 272: master_key_version); ! 273: ! 274: if (!rflag) { ! 275: /* Look up our local realm */ ! 276: krb_get_lrealm(local_realm, 1); ! 277: } ! 278: fprintf(stdout, "Local realm: %s\n", local_realm); ! 279: fflush(stdout); ! 280: ! 281: if (set_tgtkey(local_realm)) { ! 282: /* Ticket granting service unknown */ ! 283: klog(L_KRB_PERR, "Ticket granting ticket service unknown"); ! 284: fprintf(stderr, "Ticket granting ticket service unknown\n"); ! 285: exit(1); ! 286: } ! 287: if (mflag) { ! 288: if ((child = fork()) != 0) { ! 289: printf("Kerberos started, PID=%d\n", child); ! 290: exit(0); ! 291: } ! 292: setup_disc(); ! 293: } ! 294: /* receive loop */ ! 295: for (;;) { ! 296: fromlen = S_AD_SZ; ! 297: n = recvfrom(f, pkt->dat, MAX_PKT_LEN, 0, &from, &fromlen); ! 298: if (n > 0) { ! 299: pkt->length = n; ! 300: pkt->mbz = 0; /* force zeros to catch runaway strings */ ! 301: /* see what is left in the input queue */ ! 302: ioctl(f, FIONREAD, &q_bytes); ! 303: gettimeofday(&kerb_time, NULL); ! 304: q_n++; ! 305: max_q_n = max(max_q_n, q_n); ! 306: n_packets++; ! 307: klog(L_NET_INFO, ! 308: "q_byt %d, q_n %d, rd_byt %d, mx_q_b %d, mx_q_n %d, n_pkt %d", ! 309: q_bytes, q_n, n, max_q_bytes, max_q_n, n_packets, 0); ! 310: max_q_bytes = max(max_q_bytes, q_bytes); ! 311: if (!q_bytes) ! 312: q_n = 0; /* reset consecutive packets */ ! 313: kerberos(&from, pkt); ! 314: } else ! 315: klog(L_NET_ERR, ! 316: "%s: bad recvfrom n = %d errno = %d", progname, n, errno, 0); ! 317: } ! 318: } ! 319: ! 320: ! 321: kerberos(client, pkt) ! 322: struct sockaddr_in *client; ! 323: KTEXT pkt; ! 324: { ! 325: static KTEXT_ST rpkt_st; ! 326: KTEXT rpkt = &rpkt_st; ! 327: static KTEXT_ST ciph_st; ! 328: KTEXT ciph = &ciph_st; ! 329: static KTEXT_ST tk_st; ! 330: KTEXT tk = &tk_st; ! 331: static KTEXT_ST auth_st; ! 332: KTEXT auth = &auth_st; ! 333: AUTH_DAT ad_st; ! 334: AUTH_DAT *ad = &ad_st; ! 335: ! 336: ! 337: static struct in_addr client_host; ! 338: static int msg_byte_order; ! 339: static int swap_bytes; ! 340: static u_char k_flags; ! 341: char *p_name, *instance; ! 342: u_long lifetime; ! 343: int i; ! 344: C_Block key; ! 345: Key_schedule key_s; ! 346: char *ptr; ! 347: ! 348: ! 349: ! 350: ciph->length = 0; ! 351: ! 352: client_host = client->sin_addr; ! 353: ! 354: /* eval macros and correct the byte order and alignment as needed */ ! 355: req_version = pkt_version(pkt); /* 1 byte, version */ ! 356: req_msg_type = pkt_msg_type(pkt); /* 1 byte, Kerberos msg type */ ! 357: ! 358: req_act_vno = req_version; ! 359: ! 360: /* check packet version */ ! 361: if (req_version != KRB_PROT_VERSION) { ! 362: lt = klog(L_KRB_PERR, ! 363: "KRB prot version mismatch: KRB =%d request = %d", ! 364: KRB_PROT_VERSION, req_version, 0); ! 365: /* send an error reply */ ! 366: kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); ! 367: return; ! 368: } ! 369: msg_byte_order = req_msg_type & 1; ! 370: ! 371: swap_bytes = 0; ! 372: if (msg_byte_order != HOST_BYTE_ORDER) { ! 373: swap_bytes++; ! 374: } ! 375: klog(L_KRB_PINFO, ! 376: "Prot version: %d, Byte order: %d, Message type: %d", ! 377: req_version, msg_byte_order, req_msg_type); ! 378: ! 379: switch (req_msg_type & ~1) { ! 380: ! 381: case AUTH_MSG_KDC_REQUEST: ! 382: { ! 383: u_long time_ws; /* Workstation time */ ! 384: u_long req_life; /* Requested liftime */ ! 385: char *service; /* Service name */ ! 386: char *instance; /* Service instance */ ! 387: int kerno; /* Kerberos error number */ ! 388: n_auth_req++; ! 389: tk->length = 0; ! 390: k_flags = 0; /* various kerberos flags */ ! 391: ! 392: ! 393: /* set up and correct for byte order and alignment */ ! 394: req_name_ptr = (char *) pkt_a_name(pkt); ! 395: req_inst_ptr = (char *) pkt_a_inst(pkt); ! 396: req_realm_ptr = (char *) pkt_a_realm(pkt); ! 397: bcopy(pkt_time_ws(pkt), &req_time_ws, sizeof(req_time_ws)); ! 398: /* time has to be diddled */ ! 399: if (swap_bytes) { ! 400: swap_u_long(req_time_ws); ! 401: } ! 402: ptr = (char *) pkt_time_ws(pkt) + 4; ! 403: ! 404: req_life = (u_long) (*ptr++); ! 405: ! 406: service = ptr; ! 407: instance = ptr + strlen(service) + 1; ! 408: ! 409: rpkt = &rpkt_st; ! 410: klog(L_INI_REQ, ! 411: "Initial ticket request Host: %s User: \"%s\" \"%s\"", ! 412: inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0); ! 413: ! 414: if (i = check_princ(req_name_ptr, req_inst_ptr, 0, ! 415: &a_name_data)) { ! 416: kerb_err_reply(client, pkt, i, lt); ! 417: return; ! 418: } ! 419: tk->length = 0; /* init */ ! 420: if (strcmp(service, "krbtgt")) ! 421: klog(L_NTGT_INTK, ! 422: "INITIAL request from %s.%s for %s.%s", ! 423: req_name_ptr, req_inst_ptr, service, instance, 0); ! 424: /* this does all the checking */ ! 425: if (i = check_princ(service, instance, lifetime, ! 426: &s_name_data)) { ! 427: kerb_err_reply(client, pkt, i, lt); ! 428: return; ! 429: } ! 430: /* Bound requested lifetime with service and user */ ! 431: lifetime = min(req_life, ((u_long) s_name_data.max_life)); ! 432: lifetime = min(lifetime, ((u_long) a_name_data.max_life)); ! 433: #ifdef NOENCRYPTION ! 434: bzero(session_key, sizeof(C_Block)); ! 435: #else ! 436: /* random session key */ ! 437: random_key(session_key); ! 438: #endif ! 439: ! 440: /* unseal server's key from master key */ ! 441: bcopy(&s_name_data.key_low, key, 4); ! 442: bcopy(&s_name_data.key_high, ((long *) key) + 1, 4); ! 443: kdb_encrypt_key(key, key, master_key, ! 444: master_key_schedule, DECRYPT); ! 445: /* construct and seal the ticket */ ! 446: krb_create_ticket(tk, k_flags, a_name_data.name, ! 447: a_name_data.instance, local_realm, ! 448: client_host.s_addr, session_key, lifetime, kerb_time.tv_sec, ! 449: s_name_data.name, s_name_data.instance, key); ! 450: bzero(key, sizeof(key)); ! 451: bzero(key_s, sizeof(key_s)); ! 452: ! 453: /* ! 454: * get the user's key, unseal it from the server's key, and ! 455: * use it to seal the cipher ! 456: */ ! 457: ! 458: /* a_name_data.key_low a_name_data.key_high */ ! 459: bcopy(&a_name_data.key_low, key, 4); ! 460: bcopy(&a_name_data.key_high, ((long *) key) + 1, 4); ! 461: ! 462: /* unseal the a_name key from the master key */ ! 463: kdb_encrypt_key(key, key, master_key, ! 464: master_key_schedule, DECRYPT); ! 465: ! 466: create_ciph(ciph, session_key, s_name_data.name, ! 467: s_name_data.instance, local_realm, lifetime, ! 468: s_name_data.key_version, tk, kerb_time.tv_sec, key); ! 469: ! 470: /* clear session key */ ! 471: bzero(session_key, sizeof(session_key)); ! 472: ! 473: bzero(key, sizeof(key)); ! 474: ! 475: ! 476: ! 477: /* always send a reply packet */ ! 478: rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, ! 479: req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, ! 480: a_name_data.key_version, ciph); ! 481: sendto(f, rpkt->dat, rpkt->length, 0, client, S_AD_SZ); ! 482: bzero(&a_name_data, sizeof(a_name_data)); ! 483: bzero(&s_name_data, sizeof(s_name_data)); ! 484: break; ! 485: } ! 486: case AUTH_MSG_APPL_REQUEST: ! 487: { ! 488: u_long time_ws; /* Workstation time */ ! 489: u_long req_life; /* Requested liftime */ ! 490: char *service; /* Service name */ ! 491: char *instance; /* Service instance */ ! 492: int kerno; /* Kerberos error number */ ! 493: char tktrlm[REALM_SZ]; ! 494: ! 495: n_appl_req++; ! 496: tk->length = 0; ! 497: k_flags = 0; /* various kerberos flags */ ! 498: ! 499: auth->length = 4 + strlen(pkt->dat + 3); ! 500: auth->length += (int) *(pkt->dat + auth->length) + ! 501: (int) *(pkt->dat + auth->length + 1) + 2; ! 502: ! 503: bcopy(pkt->dat, auth->dat, auth->length); ! 504: ! 505: strncpy(tktrlm, auth->dat + 3, REALM_SZ); ! 506: if (set_tgtkey(tktrlm)) { ! 507: lt = klog(L_ERR_UNK, ! 508: "FAILED realm %s unknown. Host: %s ", ! 509: tktrlm, inet_ntoa(client_host)); ! 510: kerb_err_reply(client, pkt, kerno, lt); ! 511: return; ! 512: } ! 513: kerno = krb_rd_req(auth, "ktbtgt", tktrlm, client_host.s_addr, ! 514: ad, 0); ! 515: ! 516: if (kerno) { ! 517: klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", ! 518: inet_ntoa(client_host), krb_err_txt[kerno]); ! 519: kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); ! 520: return; ! 521: } ! 522: ptr = (char *) pkt->dat + auth->length; ! 523: ! 524: bcopy(ptr, &time_ws, 4); ! 525: ptr += 4; ! 526: ! 527: req_life = (u_long) (*ptr++); ! 528: ! 529: service = ptr; ! 530: instance = ptr + strlen(service) + 1; ! 531: ! 532: klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s", ! 533: ad->pname, ad->pinst, ad->prealm, inet_ntoa(client_host), ! 534: service, instance, 0); ! 535: ! 536: if (strcmp(ad->prealm, tktrlm)) { ! 537: kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, ! 538: "Can't hop realms"); ! 539: return; ! 540: } ! 541: if (!strcmp(service, "changepw")) { ! 542: kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, ! 543: "Can't authorize password changed based on TGT"); ! 544: return; ! 545: } ! 546: kerno = check_princ(service, instance, req_life, ! 547: &s_name_data); ! 548: if (kerno) { ! 549: kerb_err_reply(client, pkt, kerno, lt); ! 550: return; ! 551: } ! 552: /* Bound requested lifetime with service and user */ ! 553: lifetime = min(req_life, ! 554: (ad->life - ((kerb_time.tv_sec - ad->time_sec) / 300))); ! 555: lifetime = min(lifetime, ((u_long) s_name_data.max_life)); ! 556: ! 557: /* unseal server's key from master key */ ! 558: bcopy(&s_name_data.key_low, key, 4); ! 559: bcopy(&s_name_data.key_high, ((long *) key) + 1, 4); ! 560: kdb_encrypt_key(key, key, master_key, ! 561: master_key_schedule, DECRYPT); ! 562: /* construct and seal the ticket */ ! 563: ! 564: #ifdef NOENCRYPTION ! 565: bzero(session_key, sizeof(C_Block)); ! 566: #else ! 567: /* random session key */ ! 568: random_key(session_key); ! 569: #endif ! 570: ! 571: krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, ! 572: ad->prealm, client_host.s_addr, ! 573: session_key, lifetime, kerb_time.tv_sec, ! 574: s_name_data.name, s_name_data.instance, ! 575: key); ! 576: bzero(key, sizeof(key)); ! 577: bzero(key_s, sizeof(key_s)); ! 578: ! 579: create_ciph(ciph, session_key, service, instance, ! 580: local_realm, ! 581: lifetime, s_name_data.key_version, tk, ! 582: kerb_time.tv_sec, ad->session); ! 583: ! 584: /* clear session key */ ! 585: bzero(session_key, sizeof(session_key)); ! 586: ! 587: bzero(ad->session, sizeof(ad->session)); ! 588: ! 589: rpkt = create_auth_reply(ad->pname, ad->pinst, ! 590: ad->prealm, time_ws, ! 591: 0, 0, 0, ciph); ! 592: sendto(f, rpkt->dat, rpkt->length, 0, client, S_AD_SZ); ! 593: bzero(&s_name_data, sizeof(s_name_data)); ! 594: break; ! 595: } ! 596: ! 597: ! 598: #ifdef notdef_DIE ! 599: case AUTH_MSG_DIE: ! 600: { ! 601: lt = klog(L_DEATH_REQ, ! 602: "Host: %s User: \"%s\" \"%s\" Kerberos killed", ! 603: inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0); ! 604: exit(0); ! 605: } ! 606: #endif notdef_DIE ! 607: ! 608: default: ! 609: { ! 610: lt = klog(L_KRB_PERR, ! 611: "Unknown message type: %d from %s port %u", ! 612: req_msg_type, inet_ntoa(client_host), ! 613: ntohs(client->sin_port)); ! 614: break; ! 615: } ! 616: } ! 617: } ! 618: ! 619: ! 620: /* ! 621: * setup_disc ! 622: * ! 623: * disconnect all descriptors, remove ourself from the process ! 624: * group that spawned us. ! 625: */ ! 626: ! 627: setup_disc() ! 628: { ! 629: ! 630: int s; ! 631: ! 632: for (s = 0; s < 3; s++) { ! 633: (void) close(s); ! 634: } ! 635: ! 636: (void) open("/dev/null", 0); ! 637: (void) dup2(0, 1); ! 638: (void) dup2(0, 2); ! 639: ! 640: s = open("/dev/tty", 2); ! 641: ! 642: if (s >= 0) { ! 643: ioctl(s, TIOCNOTTY, (struct sgttyb *) 0); ! 644: (void) close(s); ! 645: } ! 646: (void) chdir("/tmp"); ! 647: return; ! 648: } ! 649: ! 650: ! 651: /* ! 652: * kerb_er_reply creates an error reply packet and sends it to the ! 653: * client. ! 654: */ ! 655: ! 656: kerb_err_reply(client, pkt, err, string) ! 657: struct sockaddr_in *client; ! 658: KTEXT pkt; ! 659: long err; ! 660: char *string; ! 661: ! 662: { ! 663: static KTEXT_ST e_pkt_st; ! 664: KTEXT e_pkt = &e_pkt_st; ! 665: static char e_msg[128]; ! 666: ! 667: strcpy(e_msg, "\nKerberos error -- "); ! 668: strcat(e_msg, string); ! 669: cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, ! 670: req_time_ws, err, e_msg); ! 671: sendto(f, e_pkt->dat, e_pkt->length, 0, client, S_AD_SZ); ! 672: ! 673: } ! 674: ! 675: /* ! 676: * Make sure that database isn't stale. ! 677: * ! 678: * Exit if it is; we don't want to tell lies. ! 679: */ ! 680: ! 681: static void check_db_age() ! 682: { ! 683: long age; ! 684: ! 685: if (max_age != -1) { ! 686: /* Requires existance of kerb_get_db_age() */ ! 687: gettimeofday(&kerb_time, 0); ! 688: age = kerb_get_db_age(); ! 689: if (age == 0) { ! 690: klog(L_KRB_PERR, "Database currently being updated!"); ! 691: hang(); ! 692: } ! 693: if ((age + max_age) < kerb_time.tv_sec) { ! 694: klog(L_KRB_PERR, "Database out of date!"); ! 695: hang(); ! 696: /* NOTREACHED */ ! 697: } ! 698: } ! 699: } ! 700: ! 701: check_princ(p_name, instance, lifetime, p) ! 702: char *p_name; ! 703: char *instance; ! 704: unsigned lifetime; ! 705: ! 706: Principal *p; ! 707: { ! 708: static int n; ! 709: static int more; ! 710: long trans; ! 711: ! 712: n = kerb_get_principal(p_name, instance, p, 1, &more); ! 713: klog(L_ALL_REQ, ! 714: "Principal: \"%s\", Instance: \"%s\" Lifetime = %d n = %d", ! 715: p_name, instance, lifetime, n, 0); ! 716: ! 717: if (n < 0) { ! 718: lt = klog(L_KRB_PERR, "Database unavailable!"); ! 719: hang(); ! 720: } ! 721: ! 722: /* ! 723: * if more than one p_name, pick one, randomly create a session key, ! 724: * compute maximum lifetime, lookup authorizations if applicable, ! 725: * and stuff into cipher. ! 726: */ ! 727: if (n == 0) { ! 728: /* service unknown, log error, skip to next request */ ! 729: lt = klog(L_ERR_UNK, "UNKNOWN \"%s\" \"%s\"", p_name, ! 730: instance, 0); ! 731: return KERB_ERR_PRINCIPAL_UNKNOWN; ! 732: } ! 733: if (more) { ! 734: /* not unique, log error */ ! 735: lt = klog(L_ERR_NUN, "Principal NOT UNIQUE \"%s\" \"%s\"", ! 736: p_name, instance, 0); ! 737: return KERB_ERR_PRINCIPAL_NOT_UNIQUE; ! 738: } ! 739: /* If the user's key is null, we want to return an error */ ! 740: if ((p->key_low == 0) && (p->key_high == 0)) { ! 741: /* User has a null key */ ! 742: lt = klog(L_ERR_NKY, "Null key \"%s\" \"%s\"", p_name, ! 743: instance, 0); ! 744: return KERB_ERR_NULL_KEY; ! 745: } ! 746: if (master_key_version != p->kdc_key_ver) { ! 747: /* log error reply */ ! 748: lt = klog(L_ERR_MKV, ! 749: "Key vers incorrect, KRB = %d, \"%s\" \"%s\" = %d", ! 750: master_key_version, p->name, p->instance, p->kdc_key_ver, ! 751: 0); ! 752: return KERB_ERR_NAME_MAST_KEY_VER; ! 753: } ! 754: /* make sure the service hasn't expired */ ! 755: if ((u_long) p->exp_date < (u_long) kerb_time.tv_sec) { ! 756: /* service did expire, log it */ ! 757: lt = klog(L_ERR_SEXP, ! 758: "EXPIRED \"%s\" \"%s\" %s", p->name, p->instance, ! 759: stime(&(p->exp_date)), 0); ! 760: return KERB_ERR_NAME_EXP; ! 761: } ! 762: /* ok is zero */ ! 763: return 0; ! 764: } ! 765: ! 766: ! 767: /* Set the key for krb_rd_req so we can check tgt */ ! 768: set_tgtkey(r) ! 769: char *r; /* Realm for desired key */ ! 770: { ! 771: int n; ! 772: static char lastrealm[REALM_SZ]; ! 773: Principal p_st; ! 774: Principal *p = &p_st; ! 775: C_Block key; ! 776: ! 777: if (!strcmp(lastrealm, r)) ! 778: return (KSUCCESS); ! 779: ! 780: log("Getting key for %s", r); ! 781: ! 782: n = kerb_get_principal("krbtgt", r, p, 1, &more); ! 783: if (n == 0) ! 784: return (KFAILURE); ! 785: ! 786: /* unseal tgt key from master key */ ! 787: bcopy(&p->key_low, key, 4); ! 788: bcopy(&p->key_high, ((long *) key) + 1, 4); ! 789: kdb_encrypt_key(key, key, master_key, ! 790: master_key_schedule, DECRYPT); ! 791: krb_set_key(key, 0); ! 792: strcpy(lastrealm, r); ! 793: return (KSUCCESS); ! 794: } ! 795: ! 796: static void ! 797: hang() ! 798: { ! 799: if (pause_int == -1) { ! 800: klog(L_KRB_PERR, "Kerberos will pause so as not to loop init"); ! 801: for (;;) ! 802: pause(); ! 803: } else { ! 804: char buf[256]; ! 805: sprintf(buf, "Kerberos will wait %d seconds before dying so as not to loop init", pause_int); ! 806: klog(L_KRB_PERR, buf); ! 807: sleep(pause_int); ! 808: klog(L_KRB_PERR, "Do svedania....\n"); ! 809: exit(1); ! 810: } ! 811: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.