From dc4b459e025d05e4889f9837653dc51a457ea361 Mon Sep 17 00:00:00 2001 
From: Chaskiel Grundman Date: Sat, 6 Apr 2013 13:42:23 -0400 Subject: [PATCH] Use rfc3961 library to decrypt kerberos 5 tickets Decrypt tickets with non-des enctypes by calling out to the rfc3961 library. This requires the security object to be given an enhanced get_key callback that supports looking up keys by enctype. Include a wrapper around afsconf_GetKeyByTypes so rxkad doesn't have to know anything about libauth internals/interfaces (cherry-picked from ea4812f03d498b6a838440fa3349e085fa5ea8b5) Change-Id: Id2b085fb41e2ed3576ec66b2914c03e78c0077ec --- Makefile.in | 2 +- src/WINNT/afsd/NTMakefile | 4 +- src/WINNT/afssvrmgr/NTMakefile | 3 +- src/WINNT/aklog/NTMakefile | 3 +- src/WINNT/client_creds/NTMakefile | 3 +- src/WINNT/netidmgr_plugin/NTMakefile | 1 + src/auth/Makefile.in | 1 + src/auth/NTMakefile | 3 +- src/auth/authcon.c | 40 ++++++++++-- src/auth/cellconfig.p.h | 3 +- src/bozo/Makefile.in | 1 + src/bozo/NTMakefile | 6 +- src/bucoord/Makefile.in | 1 + src/bucoord/NTMakefile | 3 +- src/budb/Makefile.in | 1 + src/budb/NTMakefile | 3 +- src/butc/Makefile.in | 1 + src/butc/NTMakefile | 3 +- src/finale/Makefile.in | 1 + src/fsprobe/Makefile.in | 1 + src/gtx/Makefile.in | 1 + src/kauth/Makefile.in | 2 + src/kauth/NTMakefile | 3 +- src/kauth/test/NTMakefile | 3 +- src/libafsrpc/afsrpc.def | 1 + src/log/Makefile.in | 2 + src/ptserver/Makefile.in | 1 + src/ptserver/NTMakefile | 6 +- src/rxkad/private_data.h | 1 + src/rxkad/rxkad.p.h | 4 ++ src/rxkad/rxkad_prototypes.h | 7 ++ src/rxkad/rxkad_server.c | 22 ++++++- src/rxkad/ticket5.c | 98 +++++++++++++++++++++++----- src/scout/Makefile.in | 1 + src/sgistuff/Makefile.in | 2 + src/tbutc/NTMakefile | 3 +- src/tests/Makefile.in | 2 +- src/tptserver/NTMakefile | 3 +- src/tsm41/Makefile.in | 1 + src/update/Makefile.in | 1 + src/update/NTMakefile | 3 +- src/uss/Makefile.in | 1 + src/venus/Makefile.in | 1 + src/viced/NTMakefile | 3 +- src/vlserver/Makefile.in | 1 + src/vlserver/NTMakefile | 3 +- src/volser/Makefile.in | 1 + 
src/volser/NTMakefile | 3 +- 48 files changed, 219 insertions(+), 45 deletions(-) diff --git a/Makefile.in b/Makefile.in index 535baf2e3a..d90abc93e1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -213,7 +213,7 @@ afs: config export comerr afs_depinstall sys: cmd comerr afs hcrypto rx rxstat fsint auth sys_depinstall +${COMPILE_PART1} sys ${COMPILE_PART2} -rxkad: cmd comerr hcrypto rx rxkad_depinstall +rxkad: cmd comerr hcrypto rfc3961 rx rxkad_depinstall +${COMPILE_PART1} rxkad ${COMPILE_PART2} auth: cmd comerr hcrypto lwp rx rxkad audit sys_depinstall auth_depinstall diff --git a/src/WINNT/afsd/NTMakefile b/src/WINNT/afsd/NTMakefile index e347a2a174..e9bbb20bbb 100644 --- a/src/WINNT/afsd/NTMakefile +++ b/src/WINNT/afsd/NTMakefile @@ -320,6 +320,7 @@ LOGON_DLLLIBS =\ $(DESTDIR)\lib\afs\afsutil.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrpc.lib \ $(LANAHELPERLIB) \ $(AFSKFWLIB) @@ -404,7 +405,8 @@ EXELIBS = \ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib EXELIBS2 = \ $(DESTDIR)\lib\afsrpc.lib \ diff --git a/src/WINNT/afssvrmgr/NTMakefile b/src/WINNT/afssvrmgr/NTMakefile index 2587320489..bb6b2ac9e7 100644 --- a/src/WINNT/afssvrmgr/NTMakefile +++ b/src/WINNT/afssvrmgr/NTMakefile @@ -103,7 +103,8 @@ EXELIBS = \ $(DESTDIR)\lib\afs\TaAfsAppLib.lib \ $(DESTDIR)\lib\afs\afsutil.lib \ $(DESTDIR)\lib\opr.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrpc.lib ############################################################################ diff --git a/src/WINNT/aklog/NTMakefile b/src/WINNT/aklog/NTMakefile index 00b4e6efd9..3aacd01695 100644 --- a/src/WINNT/aklog/NTMakefile +++ b/src/WINNT/aklog/NTMakefile 
@@ -38,7 +38,8 @@ EXELIBS = \ $(DESTDIR)\lib\afsrpc.lib \ $(DESTDIR)\lib\afsauthent.lib \ $(DESTDIR)\lib\opr.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrpc.lib !IF "$(CPU)" == "IA64" || "$(CPU)" == "AMD64" || "$(CPU)" == "ALPHA64" OTHERLIBS = \ diff --git a/src/WINNT/client_creds/NTMakefile b/src/WINNT/client_creds/NTMakefile index 2e3f6d0ad4..8026fed547 100644 --- a/src/WINNT/client_creds/NTMakefile +++ b/src/WINNT/client_creds/NTMakefile @@ -72,7 +72,8 @@ EXELIBS = \ $(DESTDIR)\lib\afs\afscom_err.lib \ $(DESTDIR)\lib\afs\afsutil.lib \ $(DESTDIR)\lib\opr.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrpc.lib ############################################################################ diff --git a/src/WINNT/netidmgr_plugin/NTMakefile b/src/WINNT/netidmgr_plugin/NTMakefile index 92bca702fe..79536bc927 100644 --- a/src/WINNT/netidmgr_plugin/NTMakefile +++ b/src/WINNT/netidmgr_plugin/NTMakefile @@ -98,6 +98,7 @@ OBJFILES= \ LIBFILES= \ $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrpc.lib \ $(DESTDIR)\lib\afsauthent.lib \ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\afs\mtafsutil.lib\ diff --git a/src/auth/Makefile.in b/src/auth/Makefile.in index 4825a42079..32c5bfbb26 100644 --- a/src/auth/Makefile.in +++ b/src/auth/Makefile.in @@ -17,6 +17,7 @@ KOBJS= cellconfig.o keys.o ktc.krb.o userok.o writeconfig.o authcon.o \ LIBS=libauth.a \ ${TOP_LIBDIR}/librxkad.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/librx.a \ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/liblwp.a \ diff --git a/src/auth/NTMakefile b/src/auth/NTMakefile index 37146e8216..0e77e0e505 100644 --- a/src/auth/NTMakefile +++ b/src/auth/NTMakefile 
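Review bot: `$(DESTDIR)\lib\afsrpc.lib` already heads this EXELIBS list (it is the first context line of the hunk), so the appended `$(DESTDIR)\lib\afsrpc.lib` is a duplicate; the linker tolerates a repeated .lib, but the extra entry and the ` \` added to the afsroken.lib line can be dropped, which makes the hunk unnecessary for aklog. If the aim was to resolve the new `rxkad_NewKrb5ServerSecurityObject` export (added to afsrpc.def in this patch) for code pulled in via afsauthent.lib, the existing entry already does so, since the MSVC linker resolves symbols across the listed .lib files regardless of their order.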
@@ -99,7 +99,8 @@ EXELIBS =\ $(EXELIBDIR)\libafsconf.lib \ $(EXELIBDIR)\opr.lib \ $(EXELIBDIR)\afshcrypto.lib \ - $(EXELIBDIR)\afsroken.lib + $(EXELIBDIR)\afsroken.lib \ + $(EXELIBDIR)\afsrfc3961.lib $(SETKEY_EXEFILE): $(SETKEY_EXEOBJS) $(EXELIBS) $(EXECONLINK) dnsapi.lib shell32.lib diff --git a/src/auth/authcon.c b/src/auth/authcon.c index 8ede547a57..ef2347c8da 100644 --- a/src/auth/authcon.c +++ b/src/auth/authcon.c @@ -42,6 +42,31 @@ QuickAuth(struct rx_securityClass **astr, afs_int32 *aindex) } #if !defined(UKERNEL) +static int _afsconf_GetRxkadKrb5Key(void *arock, int kvno, int enctype, void *outkey, + size_t *keylen) +{ + struct afsconf_dir *adir = arock; + struct afsconf_typedKey *kobj; + struct rx_opaque *keymat; + afsconf_keyType tktype; + int tkvno, tenctype; + int code; + + code = afsconf_GetKeyByTypes(adir, afsconf_rxkad_krb5, kvno, enctype, &kobj); + if (code != 0) + return code; + afsconf_typedKey_values(kobj, &tktype, &tkvno, &tenctype, &keymat); + if (*keylen < keymat->len) { + afsconf_typedKey_put(&kobj); + return AFSCONF_BADKEY; + } + memcpy(outkey, keymat->val, keymat->len); + *keylen = keymat->len; + afsconf_typedKey_put(&kobj); + return 0; +} + + /* Return an appropriate security class and index */ afs_int32 afsconf_ServerAuth(void *arock, @@ -53,7 +78,8 @@ afsconf_ServerAuth(void *arock, LOCK_GLOBAL_MUTEX; tclass = (struct rx_securityClass *) - rxkad_NewServerSecurityObject(0, adir, afsconf_GetKey, NULL); + rxkad_NewKrb5ServerSecurityObject(0, adir, afsconf_GetKey, + _afsconf_GetRxkadKrb5Key, NULL); if (tclass) { *astr = tclass; *aindex = RX_SECIDX_KAD; 
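Review bot: `_afsconf_GetRxkadKrb5Key` has no comment stating the in/out contract of `keylen` — on entry the capacity of `outkey`, on return the number of bytes copied, with `AFSCONF_BADKEY` when the stored key does not fit — and that contract is exactly what ticket5.c relies on when it pre-sizes the buffer from the enctype. I would add above the definition `/* rxkad get_key_enctype callback: copy the rxkad_krb5 key for (kvno, enctype) into outkey; *keylen is the buffer size on input and the key length on output. */`. The locals `tktype`, `tkvno` and `tenctype` only receive `afsconf_typedKey_values` output and are never read; either mark them `/* unused */` or, if `afsconf_GetKeyByTypes` can hand back a key whose kvno or enctype differs from the request (I can't tell from here), compare `tkvno`/`tenctype` with the arguments before copying.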
@@ -254,12 +280,16 @@ afsconf_BuildServerSecurityObjects(void *rock, (*classes)[0] = rxnull_NewServerSecurityObject(); (*classes)[1] = NULL; - (*classes)[2] = rxkad_NewServerSecurityObject(0, dir, - afsconf_GetKey, NULL); + (*classes)[2] = rxkad_NewKrb5ServerSecurityObject(0, dir, + afsconf_GetKey, + _afsconf_GetRxkadKrb5Key, + NULL); if (dir->securityFlags & AFSCONF_SECOPTS_ALWAYSENCRYPT) - (*classes)[3] = rxkad_NewServerSecurityObject(rxkad_crypt, dir, - afsconf_GetKey, NULL); + (*classes)[3] = rxkad_NewKrb5ServerSecurityObject(rxkad_crypt, dir, + afsconf_GetKey, + _afsconf_GetRxkadKrb5Key, + NULL); } #endif diff --git a/src/auth/cellconfig.p.h b/src/auth/cellconfig.p.h index f22153d970..c641fc37b1 100644 --- a/src/auth/cellconfig.p.h +++ b/src/auth/cellconfig.p.h @@ -150,7 +150,8 @@ struct afsconf_typedKeyList { typedef enum { afsconf_rxkad = 0, - afsconf_rxgk =1 + afsconf_rxgk =1, + afsconf_rxkad_krb5 =2 } afsconf_keyType; extern struct afsconf_typedKey * diff --git a/src/bozo/Makefile.in b/src/bozo/Makefile.in index 69ec46cdee..c826fff074 100644 --- a/src/bozo/Makefile.in +++ b/src/bozo/Makefile.in @@ -38,6 +38,7 @@ LIBS= ${TOP_LIBDIR}/librx.a \ ${TOP_LIBDIR}/libopr.a \ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/libprocmgmt.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a OBJS=bosserver.o bnode.o ezbnodeops.o fsbnodeops.o bosint.ss.o bosint.xdr.o \ diff --git a/src/bozo/NTMakefile b/src/bozo/NTMakefile index c6376cc388..98a1182768 100644 --- a/src/bozo/NTMakefile +++ b/src/bozo/NTMakefile @@ -70,7 +70,8 @@ BOSSERVER_EXELIBS =\ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(BOSSERVER_EXEFILE): $(BOSSERVER_EXEOBJS) $(BOSSERVER_EXELIBS) $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib 
@@ -109,7 +110,8 @@ BOS_EXELIBS =\ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(RS_BOS_EXEFILE): $(BOS_EXEOBJS) $(BOS_EXELIBS) diff --git a/src/bucoord/Makefile.in b/src/bucoord/Makefile.in index cb1ad0eccd..f70369e0c7 100644 --- a/src/bucoord/Makefile.in +++ b/src/bucoord/Makefile.in @@ -21,6 +21,7 @@ LIBS=${TOP_LIBDIR}/libbudb.a ${TOP_LIBDIR}/libbubasics.a \ ${TOP_LIBDIR}/libafscom_err.a \ ${TOP_LIBDIR}/util.a \ $(TOP_LIBDIR)/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a all: ${TOP_LIBDIR}/libbxdb.a ${TOP_INCDIR}/afs/bucoord_prototypes.h ${TOP_INCDIR}/afs/bc.h backup diff --git a/src/bucoord/NTMakefile b/src/bucoord/NTMakefile index 3085b95cc0..05db66cfc9 100644 --- a/src/bucoord/NTMakefile +++ b/src/bucoord/NTMakefile @@ -93,7 +93,8 @@ EXELIBS =\ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(EXEFILE): $(EXEOBJS) $(EXERES) $(EXELIBS) diff --git a/src/budb/Makefile.in b/src/budb/Makefile.in index 44352e31b3..c7ec1fc91b 100644 --- a/src/budb/Makefile.in +++ b/src/budb/Makefile.in @@ -42,6 +42,7 @@ LIBS=${TOP_LIBDIR}/libbubasics.a \ ${TOP_LIBDIR}/libafscom_err.a \ ${TOP_LIBDIR}/util.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a COMMON_OBJS = database.o db_alloc.o db_dump.o db_hash.o struct_ops.o ol_verify.o diff --git a/src/budb/NTMakefile b/src/budb/NTMakefile index a396dcb7b7..0465f50220 100644 --- a/src/budb/NTMakefile +++ b/src/budb/NTMakefile 
@@ -81,7 +81,8 @@ EXELIBS =\ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(EXEFILE): $(EXEOBJS) $(EXELIBS) $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib diff --git a/src/butc/Makefile.in b/src/butc/Makefile.in index 8de4bbf820..7e8ef1c85e 100644 --- a/src/butc/Makefile.in +++ b/src/butc/Makefile.in @@ -41,6 +41,7 @@ LIBS=${TOP_LIBDIR}/libbudb.a \ ${TOP_LIBDIR}/liblwp.a \ ${TOP_LIBDIR}/libcmd.a \ ${TOP_LIBDIR}/libafscom_err.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a \ ${TOP_LIBDIR}/libusd.a \ ${TOP_LIBDIR}/util.a \ diff --git a/src/butc/NTMakefile b/src/butc/NTMakefile index cb9d7a7f1a..8add58cb7f 100644 --- a/src/butc/NTMakefile +++ b/src/butc/NTMakefile @@ -55,7 +55,8 @@ EXELIBS =\ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(EXERES): butc.rc AFS_component_version_number.h diff --git a/src/finale/Makefile.in b/src/finale/Makefile.in index c15415a3ab..606f7c970a 100644 --- a/src/finale/Makefile.in +++ b/src/finale/Makefile.in @@ -40,6 +40,7 @@ LIBS=${TOP_LIBDIR}/libubik.a \ ${TOP_LIBDIR}/libkauth.a \ ${TOP_LIBDIR}/libprot.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${XLIBS} all: translate_et diff --git a/src/fsprobe/Makefile.in b/src/fsprobe/Makefile.in index 6b1b9e7df8..c26d3f2b9a 100644 --- a/src/fsprobe/Makefile.in +++ b/src/fsprobe/Makefile.in @@ -26,6 +26,7 @@ LIBS=${TOP_LIBDIR}/libvolser.a ${TOP_LIBDIR}/vlib.a ${TOP_LIBDIR}/libacl.a \ ${TOP_LIBDIR}/liblwp.a \ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a all: ${TOP_INCDIR}/afs/fsprobe.h ${TOP_LIBDIR}/libfsprobe.a fsprobe_test 
diff --git a/src/gtx/Makefile.in b/src/gtx/Makefile.in index b0433d05e8..1688e6f5ef 100644 --- a/src/gtx/Makefile.in +++ b/src/gtx/Makefile.in @@ -36,6 +36,7 @@ LIBS=\ ${TOP_LIBDIR}/libkauth.a \ ${TOP_LIBDIR}/libauth.a \ ${TOP_LIBDIR}/librxkad.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafscom_err.a \ ${TOP_LIBDIR}/libopr.a \ ${TOP_LIBDIR}/util.a diff --git a/src/kauth/Makefile.in b/src/kauth/Makefile.in index ebd615913d..078ca3cf2c 100644 --- a/src/kauth/Makefile.in +++ b/src/kauth/Makefile.in @@ -33,6 +33,7 @@ LIBS=${TOP_LIBDIR}/libubik.a \ ${TOP_LIBDIR}/libafsutil.a \ ${TOP_LIBDIR}/libopr.a \ $(DBM) \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a UKSRCS=authclient.c user.c kautils.h kaserver.h kaaux.c katoken.c \ @@ -50,6 +51,7 @@ KLIBS=${TOP_LIBDIR}/libubik.a \ ${TOP_LIBDIR}/libafscom_err.a \ ${TOP_LIBDIR}/libafsutil.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a OBJS=kauth.xdr.o kauth.cs.o kaaux.o client.o authclient.o katoken.o kautils.o kalocalcell.o kaerrors.o user.o krb_tf.o diff --git a/src/kauth/NTMakefile b/src/kauth/NTMakefile index a1efbd94d4..baa7638dcf 100644 --- a/src/kauth/NTMakefile +++ b/src/kauth/NTMakefile @@ -95,7 +95,8 @@ AFSLIBS = \ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib TOKENLIB = $(DESTDIR)\lib\afs\afspioctl.lib diff --git a/src/kauth/test/NTMakefile b/src/kauth/test/NTMakefile index 0fe5c66b37..8a836c7dff 100644 --- a/src/kauth/test/NTMakefile +++ b/src/kauth/test/NTMakefile @@ -18,7 +18,8 @@ EXELIBS = \ $(DESTDIR)\afs\afsprot.lib \ $(DESTDIR)\afsrx.lib \ $(DESTDIR)\afs\afscom_err.lib \ - $(DESTDIR)\afs\afskauth.lib + $(DESTDIR)\afs\afskauth.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(OUT)\multiklog.exe: $(OUT)\multiklog.obj 
diff --git a/src/libafsrpc/afsrpc.def b/src/libafsrpc/afsrpc.def index 8c6bedded0..5d226691c4 100755 --- a/src/libafsrpc/afsrpc.def +++ b/src/libafsrpc/afsrpc.def @@ -340,6 +340,7 @@ EXPORTS initialize_RXK_error_table @345 rx_GetNetworkError @346 afs_set_com_err_hook @347 + rxkad_NewKrb5ServerSecurityObject @348 ; for performance testing rx_TSFPQGlobSize @2001 DATA diff --git a/src/log/Makefile.in b/src/log/Makefile.in index c70f7ccf85..b48734a9b6 100644 --- a/src/log/Makefile.in +++ b/src/log/Makefile.in @@ -22,6 +22,7 @@ LIBRARIES=${TOP_LIBDIR}/libauth.a \ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libcmd.a \ ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a KLIBRARIES=${TOP_LIBDIR}/libauth.krb.a \ @@ -30,6 +31,7 @@ KLIBRARIES=${TOP_LIBDIR}/libauth.krb.a \ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libcmd.a \ ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a # diff --git a/src/ptserver/Makefile.in b/src/ptserver/Makefile.in index 16c5b60c6e..bfdf7382ea 100644 --- a/src/ptserver/Makefile.in +++ b/src/ptserver/Makefile.in @@ -39,6 +39,7 @@ LIBS= ${TOP_LIBDIR}/libubik.a \ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/libafsutil.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a diff --git a/src/ptserver/NTMakefile b/src/ptserver/NTMakefile index d6180bb91e..aee854dec3 100644 --- a/src/ptserver/NTMakefile +++ b/src/ptserver/NTMakefile @@ -73,7 +73,8 @@ PTSERVER_EXELIBS =\ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib !IF (("$(SYS_NAME)"!="i386_win95" ) && ("$(SYS_NAME)"!="I386_WIN95" )) PTSERVER_EXELIBS =$(PTSERVER_EXELIBS) $(DESTDIR)\lib\afs\afsprocmgmt.lib 
@@ -126,7 +127,8 @@ PTS_EXELIBS =\ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(PTS): $(PTS_EXEOBJS) $(PTS_EXELIBS) $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib diff --git a/src/rxkad/private_data.h b/src/rxkad/private_data.h index a26c603ffc..fc4ccf6857 100644 --- a/src/rxkad/private_data.h +++ b/src/rxkad/private_data.h @@ -78,6 +78,7 @@ struct rxkad_sprivate { int (*get_key) (void *, int, struct ktc_encryptionKey *); /* func. of kvno and server key ptr */ + rxkad_get_key_enctype_func get_key_enctype; int (*user_ok) (char *, char *, char *, afs_int32); /* func called with new client name */ diff --git a/src/rxkad/rxkad.p.h b/src/rxkad/rxkad.p.h index 55cfcfa74a..141f534d80 100644 --- a/src/rxkad/rxkad.p.h +++ b/src/rxkad/rxkad.p.h @@ -91,6 +91,10 @@ typedef signed char rxkad_level; extern int rxkad_EpochWasSet; /* TRUE => we called rx_SetEpoch */ +/* Get key by enctype. Takes a rock (path to conf dir), kvno and enctype as + * input and returns the key and key length. On input, the keylength parameter + * must be set to the length of storage allocated by the caller. */ +typedef int (*rxkad_get_key_enctype_func) (void *, int, int, void *, size_t *); #include diff --git a/src/rxkad/rxkad_prototypes.h b/src/rxkad/rxkad_prototypes.h index be03608678..08439ac3f8 100644 --- a/src/rxkad/rxkad_prototypes.h +++ b/src/rxkad/rxkad_prototypes.h 
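Review bot: The new `get_key_enctype` member is the only field in this stretch of `struct rxkad_sprivate` without a trailing comment, while its neighbours `get_key` and `user_ok` both have one. Add `/* func. of kvno, enctype, key buffer and (in/out) buffer length; may be NULL */` — tkt_DecodeTicket5 in this patch explicitly checks the callback for NULL before using it, so the field's nullability is worth stating where it is declared.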
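Review bot: The typedef's comment says the rock is a `path to conf dir`, but the only implementation in this patch (`_afsconf_GetRxkadKrb5Key` in authcon.c) casts it to `struct afsconf_dir *`, and rxkad itself only passes `get_key_rock` through untouched; describing it as a path will mislead the next implementer. Reword to `/* Get key by enctype. Takes the opaque rock handed to rxkad_NewKrb5ServerSecurityObject, a kvno and an enctype, and copies the key into the caller's buffer. On input *keylen is the buffer capacity; on output it is the key length. */`. It would also help to state the failure contract here: any non-zero return makes tkt_DecodeTicket5 treat the key as unknown.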
@@ -108,6 +108,12 @@ extern struct rx_securityClass *rxkad_NewServerSecurityObject(rxkad_level char *cell, afs_int32 kvno)); +extern struct rx_securityClass *rxkad_NewKrb5ServerSecurityObject +(rxkad_level level, void *get_key_rock, + int (*get_key) (void *get_key_rock, int kvno, + struct ktc_encryptionKey *serverKey), + rxkad_get_key_enctype_func get_key_enctype, + int (*user_ok) (char *name, char *instance, char *cell, afs_int32 kvno)); extern int rxkad_CheckAuthentication(struct rx_securityClass *aobj, struct rx_connection *aconn); extern int rxkad_CreateChallenge(struct rx_securityClass *aobj, @@ -153,6 +159,7 @@ extern afs_uint32 _rxkad_crc_update(const char *p, size_t len, afs_uint32 res); extern int tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len, int (*get_key) (void *, int, struct ktc_encryptionKey *), + rxkad_get_key_enctype_func get_key2, char *get_key_rock, int serv_kvno, char *name, char *inst, char *cell, struct ktc_encryptionKey *session_key, afs_int32 * host, afs_uint32 * start, diff --git a/src/rxkad/rxkad_server.c b/src/rxkad/rxkad_server.c index 125ab84de6..b92af81667 100644 --- a/src/rxkad/rxkad_server.c +++ b/src/rxkad/rxkad_server.c @@ -164,6 +164,23 @@ rxkad_NewServerSecurityObject(rxkad_level level, void *get_key_rock, return tsc; } +struct rx_securityClass * +rxkad_NewKrb5ServerSecurityObject(rxkad_level level, void *get_key_rock, + int (*get_key) (void *get_key_rock, int kvno, + struct ktc_encryptionKey * + serverKey), + rxkad_get_key_enctype_func get_key_enctype, + int (*user_ok) (char *name, char *instance, + char *cell, afs_int32 kvno) +) { + struct rx_securityClass *tsc; + struct rxkad_sprivate *tsp; + tsc = rxkad_NewServerSecurityObject(level, get_key_rock, get_key, user_ok); + tsp = (struct rxkad_sprivate *)tsc->privateData; + tsp->get_key_enctype = get_key_enctype; + return tsc; +} + /* server: called to tell if a connection authenticated properly */ int 
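Review bot: `rxkad_NewKrb5ServerSecurityObject` casts `tsc->privateData` without checking what `rxkad_NewServerSecurityObject` returned, yet the callers in authcon.c treat a NULL result as possible (`if (tclass)`), so a failed construction would dereference NULL here; add `if (tsc == NULL) return NULL;` before the cast. The function also has no header comment; something like `/* As rxkad_NewServerSecurityObject, plus a get_key_enctype callback that tkt_DecodeTicket5 uses for non-DES ticket enctypes. */` would document why the object carries two key callbacks.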
@@ -324,8 +341,9 @@ rxkad_CheckResponse(struct rx_securityClass *aobj, if (code == -1 && ((kvno == RXKAD_TKT_TYPE_KERBEROS_V5) || (kvno == RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY))) { code = - tkt_DecodeTicket5(tix, tlen, tsp->get_key, tsp->get_key_rock, - kvno, client.name, client.instance, client.cell, + tkt_DecodeTicket5(tix, tlen, tsp->get_key, tsp->get_key_enctype, + tsp->get_key_rock, kvno, client.name, + client.instance, client.cell, &sessionkey, &host, &start, &end, tsp->flags & RXS_CONFIG_FLAGS_DISABLE_DOTCHECK); if (code) diff --git a/src/rxkad/ticket5.c b/src/rxkad/ticket5.c index a709d5d092..59f14d3baa 100644 --- a/src/rxkad/ticket5.c +++ b/src/rxkad/ticket5.c @@ -79,6 +79,10 @@ #include "v5der.c" #include "v5gen.c" +#define RFC3961_NO_ENUMS +#define RFC3961_NO_CKSUM +#include + /* * Principal conversion Taken from src/lib/krb5/krb/conv_princ from MIT Kerberos. If you * find a need to change the services here, please consider opening a @@ -174,12 +178,19 @@ static int int tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len, int (*get_key) (void *, int, struct ktc_encryptionKey *), + rxkad_get_key_enctype_func get_key_enctype, char *get_key_rock, int serv_kvno, char *name, char *inst, char *cell, struct ktc_encryptionKey *session_key, afs_int32 * host, afs_uint32 * start, afs_uint32 * end, afs_int32 disableCheckdot) { char plain[MAXKRB5TICKETLEN]; struct ktc_encryptionKey serv_key; + void *keybuf; + size_t keysize, allocsiz; + krb5_context context; + krb5_keyblock k; + krb5_crypto cr; + krb5_data plaindata; Ticket t5; /* Must free */ EncTicketPart decr_part; /* Must free */ int code; 
@@ -222,25 +233,82 @@ tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len, case ETYPE_DES_CBC_CRC: case ETYPE_DES_CBC_MD4: case ETYPE_DES_CBC_MD5: + /* check ticket */ + if (t5.enc_part.cipher.length > sizeof(plain) + || t5.enc_part.cipher.length % 8 != 0) + goto bad_ticket; + + code = (*get_key) (get_key_rock, v5_serv_kvno, &serv_key); + if (code) + goto unknown_key; + + /* Decrypt data here, save in plain, assume it will shrink */ + code = + krb5_des_decrypt(&serv_key, t5.enc_part.etype, + t5.enc_part.cipher.data, t5.enc_part.cipher.length, + plain, &plainsiz); break; default: - goto unknown_key; + if (get_key_enctype == NULL) + goto unknown_key; + code = krb5_init_context(&context); + if (code != 0) + goto unknown_key; + code = krb5_enctype_valid(context, t5.enc_part.etype); + if (code != 0) { + krb5_free_context(context); + goto unknown_key; + } + code = krb5_enctype_keybits(context, t5.enc_part.etype, &keysize); + if (code != 0) { + krb5_free_context(context); + goto unknown_key; + } + keysize = keysize / 8; + allocsiz = keysize; + keybuf = rxi_Alloc(allocsiz); + /* this is not quite a hole for afsconf_GetKeyByTypes. 
A wrapper + that calls afsconf_GetKeyByTypes and afsconf_typedKey_values + is needed */ + code = get_key_enctype(get_key_rock, v5_serv_kvno, t5.enc_part.etype, + keybuf, &keysize); + if (code) { + rxi_Free(keybuf, allocsiz); + krb5_free_context(context); + goto unknown_key; + } + code = krb5_keyblock_init(context, t5.enc_part.etype, + keybuf, keysize, &k); + rxi_Free(keybuf, allocsiz); + if (code != 0) { + krb5_free_context(context); + goto unknown_key; + } + code = krb5_crypto_init(context, &k, t5.enc_part.etype, &cr); + krb5_free_keyblock_contents(context, &k); + if (code != 0) { + krb5_free_context(context); + goto unknown_key; + } +#ifndef KRB5_KU_TICKET +#define KRB5_KU_TICKET 2 +#endif + code = krb5_decrypt(context, cr, KRB5_KU_TICKET, t5.enc_part.cipher.data, + t5.enc_part.cipher.length, &plaindata); + krb5_crypto_destroy(context, cr); + if (code == 0) { + if (plaindata.length > MAXKRB5TICKETLEN) { + krb5_data_free(&plaindata); + krb5_free_context(context); + goto bad_ticket; + } + memcpy(plain, plaindata.data, plaindata.length); + plainsiz = plaindata.length; + krb5_data_free(&plaindata); + } + krb5_free_context(context); } - /* check ticket */ - if (t5.enc_part.cipher.length > sizeof(plain) - || t5.enc_part.cipher.length % 8 != 0) - goto bad_ticket; - - code = (*get_key) (get_key_rock, v5_serv_kvno, &serv_key); - if (code) - goto unknown_key; - - /* Decrypt data here, save in plain, assume it will shrink */ - code = - krb5_des_decrypt(&serv_key, t5.enc_part.etype, - t5.enc_part.cipher.data, t5.enc_part.cipher.length, - plain, &plainsiz); if (code != 0) goto bad_ticket; diff --git a/src/scout/Makefile.in b/src/scout/Makefile.in index 53e8b2db34..d7708cdcd5 100644 --- a/src/scout/Makefile.in +++ b/src/scout/Makefile.in @@ -43,6 +43,7 @@ LIBS=${TOP_LIBDIR}/libgtx.a \ ${TOP_LIBDIR}/liblwp.a \ ${TOP_LIBDIR}/util.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a all: scout 
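Review bot: `keysize = keysize / 8` after `krb5_enctype_keybits` yields the key's byte length only for enctypes whose key material carries no parity bits; for the 3DES enctypes Heimdal-derived code reports 168 bits for a 24-byte key, and because the afsconf wrapper behind `get_key_enctype` rejects a buffer smaller than the stored key with AFSCONF_BADKEY, such tickets would end up at `unknown_key`. If this copy of the rfc3961 library exposes `krb5_enctype_keysize`, use `code = krb5_enctype_keysize(context, t5.enc_part.etype, &keysize);` and drop the division. The comment `/* this is not quite a hole for afsconf_GetKeyByTypes. A wrapper that calls afsconf_GetKeyByTypes and afsconf_typedKey_values is needed */` is stale — the wrapper it asks for is added by this very patch (`_afsconf_GetRxkadKrb5Key` in authcon.c) — and should become something like `/* get_key_enctype is the caller's lookup (libauth wraps afsconf_GetKeyByTypes); rxkad only sees the raw key bytes */`. `keybuf` holds the service's long-term key and is released with its contents intact on all three `rxi_Free(keybuf, allocsiz)` paths; a `memset(keybuf, 0, allocsiz);` before each free keeps the key from lingering in freed heap, as `krb5_free_keyblock_contents` does for the keyblock copy. tkt_DecodeTicket5 starts and ends outside this hunk.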
diff --git a/src/sgistuff/Makefile.in b/src/sgistuff/Makefile.in index 5c55120e85..5d36ea1a3f 100644 --- a/src/sgistuff/Makefile.in +++ b/src/sgistuff/Makefile.in @@ -25,6 +25,7 @@ AFSLIBS=${TOP_LIBDIR}/libkauth.a \ ${TOP_LIBDIR}/librxkad.a \ ${TOP_LIBDIR}/libsys.a \ ${LIBDIR}/librx.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a \ ${LIBDIR}/liblwp.a \ ${TOP_LIBDIR}/libcmd.a \ @@ -38,6 +39,7 @@ KAFSLIBS=${TOP_LIBDIR}/libkauth.krb.a \ ${TOP_LIBDIR}/librxkad.a \ ${TOP_LIBDIR}/libsys.a \ ${LIBDIR}/librx.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a \ ${LIBDIR}/liblwp.a \ ${TOP_LIBDIR}/libcmd.a \ diff --git a/src/tbutc/NTMakefile b/src/tbutc/NTMakefile index 4eb24e2ad2..e8beb39ca7 100644 --- a/src/tbutc/NTMakefile +++ b/src/tbutc/NTMakefile @@ -83,7 +83,8 @@ BUTCLIBS=$(DESTDIR)\lib\afs\afsbudb.lib \ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib # rm $(OUT)\tcstatus.obj diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index b0150a934f..06eebf90dd 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -97,7 +97,7 @@ SYS_LIBS = ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a $ AUTH_LIBS = ${TOP_LIBDIR}/libauth.a ${SYS_LIBS} -INT_LIBS = ${TOP_LIBDIR}/libafsint.a ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libafscom_err.a ${TOP_LIBDIR}/util.a +INT_LIBS = ${TOP_LIBDIR}/libafsint.a ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libafscom_err.a ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libafsrfc3961.a TEST_PROGRAMS = write-ro-file hello-world read-vs-mmap read-vs-mmap2 \ mmap-and-read large-dir large-dir2 large-dir3 mountpoint \ diff --git a/src/tptserver/NTMakefile b/src/tptserver/NTMakefile index b23134424b..ec1667c351 100644 
--- a/src/tptserver/NTMakefile +++ b/src/tptserver/NTMakefile @@ -95,7 +95,8 @@ PTSERVER_EXELIBS =\ $(DESTDIR)\lib\libafsconf.lib \ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\afs\afsprocmgmt.lib \ - $(DESTDIR)\lib\afspthread.lib + $(DESTDIR)\lib\afspthread.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(PTSERVER): $(PTSERVER_EXEOBJS) $(PTUTILS_OBJ) $(PTINT_XDR_OBJ) $(UTILS_OBJ) $(MAP_OBJ) $(LWP_OBJS) $(PTSERVER_EXERES) $(RXKADOBJS) $(PTSERVER_EXELIBS) $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib diff --git a/src/tsm41/Makefile.in b/src/tsm41/Makefile.in index a8f72bb38d..c62984e671 100644 --- a/src/tsm41/Makefile.in +++ b/src/tsm41/Makefile.in @@ -18,6 +18,7 @@ AFSLIBS = \ ${TOP_LIBDIR}/libauth.a \ ${TOP_LIBDIR}/librxkad.a \ ${TOP_LIBDIR}/libsys.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a \ ${TOP_LIBDIR}/librx.a \ ${TOP_LIBDIR}/liblwp.a \ diff --git a/src/update/Makefile.in b/src/update/Makefile.in index 96fb5d1e37..2dd023dfc1 100644 --- a/src/update/Makefile.in +++ b/src/update/Makefile.in @@ -19,6 +19,7 @@ LIBS=${TOP_LIBDIR}/libauth.a \ ${TOP_LIBDIR}/libafscom_err.a \ ${TOP_LIBDIR}/util.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a all: upserver upclient diff --git a/src/update/NTMakefile b/src/update/NTMakefile index baf6e1486b..f11e46c643 100644 --- a/src/update/NTMakefile +++ b/src/update/NTMakefile @@ -25,7 +25,8 @@ LIBS = \ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib ############################################################################ # Definitions for generating files via RXGEN diff --git a/src/uss/Makefile.in b/src/uss/Makefile.in index 0fe78676d2..250aa3f1dd 100644 --- a/src/uss/Makefile.in +++ b/src/uss/Makefile.in 
@@ -30,6 +30,7 @@ LIBS=${TOP_LIBDIR}/libvolser.a \ ${TOP_LIBDIR}/libafscom_err.a \ ${TOP_LIBDIR}/util.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a OBJS = uss_procs.o \ diff --git a/src/venus/Makefile.in b/src/venus/Makefile.in index dd76819457..24096bd903 100644 --- a/src/venus/Makefile.in +++ b/src/venus/Makefile.in @@ -47,6 +47,7 @@ FSLIBS=${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/libaudit.a \ $(TOP_LIBDIR)/libafsutil.a \ $(TOP_LIBDIR)/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a CMLIBS=${TOP_LIBDIR}/libsys.a \ diff --git a/src/viced/NTMakefile b/src/viced/NTMakefile index 9cb5036a60..a97327df42 100644 --- a/src/viced/NTMakefile +++ b/src/viced/NTMakefile @@ -62,7 +62,8 @@ EXELIBS = \ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(EXEFILE): $(EXEOBJS) $(EXERES) $(EXELIBS) $(EXECONLINK) diff --git a/src/vlserver/Makefile.in b/src/vlserver/Makefile.in index 548bc78bd8..8c58bdca95 100644 --- a/src/vlserver/Makefile.in +++ b/src/vlserver/Makefile.in @@ -32,6 +32,7 @@ LIBS=\ ${TOP_LIBDIR}/libsys.a \ ${TOP_LIBDIR}/libafsutil.a \ $(TOP_LIBDIR)/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a OBJS=vldbint.xdr.o vldbint.cs.o vl_errors.o diff --git a/src/vlserver/NTMakefile b/src/vlserver/NTMakefile index fc28ef97c8..d097ab59a3 100644 --- a/src/vlserver/NTMakefile +++ b/src/vlserver/NTMakefile @@ -92,7 +92,8 @@ VLSERVER_EXECLIBS = \ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib $(VLSERVER): $(VLSERVER_EXEOBJS) $(LIBFILE) $(VLSERVER_EXECLIBS) $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib 
diff --git a/src/volser/Makefile.in b/src/volser/Makefile.in index 112e68a875..e4fe971499 100644 --- a/src/volser/Makefile.in +++ b/src/volser/Makefile.in @@ -41,6 +41,7 @@ LIBS=\ ${TOP_LIBDIR}/libusd.a \ ${TOP_LIBDIR}/util.a \ ${TOP_LIBDIR}/libopr.a \ + ${TOP_LIBDIR}/libafsrfc3961.a \ ${TOP_LIBDIR}/libafshcrypto_lwp.a VOLDUMP_LIBS = \ diff --git a/src/volser/NTMakefile b/src/volser/NTMakefile index 990f8cfc87..4a33548de7 100644 --- a/src/volser/NTMakefile +++ b/src/volser/NTMakefile @@ -75,7 +75,8 @@ EXEC_LIBS = \ $(DESTDIR)\lib\afs\afspioctl.lib \ $(DESTDIR)\lib\opr.lib \ $(DESTDIR)\lib\afshcrypto.lib \ - $(DESTDIR)\lib\afsroken.lib + $(DESTDIR)\lib\afsroken.lib \ + $(DESTDIR)\lib\afsrfc3961.lib ############################################################################