diff options
Diffstat (limited to 'server/kstuff.c')
-rw-r--r-- | server/kstuff.c | 102 |
1 files changed, 7 insertions, 95 deletions
diff --git a/server/kstuff.c b/server/kstuff.c index 89791cf..eff445d 100644 --- a/server/kstuff.c +++ b/server/kstuff.c @@ -8,7 +8,8 @@ * "mit-copyright.h". */ /* - * $Id$ + * $Source$ + * $Header$ */ #include "zserver.h" @@ -21,8 +22,6 @@ static const char rcsid_kstuff_c[] = "$Id$"; #ifdef HAVE_KRB4 -C_Block __Zephyr_session; - /* Keep a hash table mapping tickets to session keys, so we can do a fast * check of the cryptographic checksum without doing and DES decryptions. * Also remember the expiry time of the ticket, so that we can sweep the @@ -44,11 +43,9 @@ struct hash_entry { Hash_entry *hashtab[HASHTAB_SIZE]; -#ifdef BAD_KRB4_HACK static int hash_ticket __P((unsigned char *, int)); static void add_session_key __P((KTEXT, C_Block, char *, time_t)); static int find_session_key __P((KTEXT, C_Block, char *)); -#endif static ZChecksum_t compute_checksum __P((ZNotice_t *, C_Block)); static ZChecksum_t compute_rlm_checksum __P((ZNotice_t *, C_Block)); @@ -128,7 +125,7 @@ SendKerberosData(fd, ticket, service, host) int written; int size_to_write; - rem = krb_mk_req(ticket, service, host, my_galaxy, (u_long) 0); + rem = krb_mk_req(ticket, service, host, ZGetRealm(), (u_long) 0); if (rem != KSUCCESS) return rem + krb_err_base; @@ -155,10 +152,7 @@ ZCheckRealmAuthentication(notice, from, realm) int result; char rlmprincipal[ANAME_SZ+INST_SZ+REALM_SZ+4]; char srcprincipal[ANAME_SZ+INST_SZ+REALM_SZ+4]; - KTEXT_ST authent; -#ifdef BAD_KRB4_HACK - KTEXT_ST ticket; -#endif + KTEXT_ST authent, ticket; AUTH_DAT dat; ZChecksum_t checksum; CREDENTIALS cred; @@ -183,41 +177,6 @@ ZCheckRealmAuthentication(notice, from, realm) (void) sprintf(rlmprincipal, "%s.%s@%s", SERVER_SERVICE, SERVER_INSTANCE, realm); -#ifdef BAD_KRB4_HACK - /* Copy the ticket out of the authentication data. */ - if (krb_find_ticket(&authent, &ticket) != RD_AP_OK) - return ZAUTH_FAILED; - - /* Try to do a fast check against the cryptographic checksum. */ - if (find_session_key(&ticket, session_key, srcprincipal) >= 0) { - if (strcmp(srcprincipal, rlmprincipal) != 0) - return ZAUTH_FAILED; - if (notice->z_time.tv_sec - NOW > CLOCK_SKEW) - return ZAUTH_FAILED; - checksum = compute_rlm_checksum(notice, session_key); - - /* If checksum matches, packet is authentic. Otherwise, check - * the authenticator as if we didn't have the session key cached - * and return ZAUTH_CKSUM_FAILED. This is a rare case (since the - * ticket isn't cached after a checksum failure), so don't worry - * about the extra des_quad_cksum() call. */ - if (checksum == notice->z_checksum) { - memcpy(__Zephyr_session, session_key, sizeof(C_Block)); - return ZAUTH_YES; - } - - /* Try again. This way we can switch to the same checksums - * that the rest of Zephyr uses at a future date, but for now - * we need to be compatible */ - checksum = compute_checksum(notice, session_key); - if (checksum == notice->z_checksum) { - memcpy(__Zephyr_session, session_key, sizeof(C_Block)); - return ZAUTH_YES; - } - } -#endif - - /* We don't have the session key cached; do it the long way. */ result = krb_rd_req(&authent, SERVER_SERVICE, SERVER_INSTANCE, from->sin_addr.s_addr, &dat, srvtab_file); if (result == RD_AP_OK) { @@ -240,16 +199,9 @@ ZCheckRealmAuthentication(notice, from, realm) checksum = compute_checksum(notice, dat.session); if (checksum != notice->z_checksum) #endif - return ZAUTH_CKSUM_FAILED; + return ZAUTH_FAILED; } -#ifdef BAD_KRB4_HACK - /* Record the session key, expiry time, and source principal in the - * hash table, so we can do a fast check next time. */ - add_session_key(&ticket, dat.session, srcprincipal, - (time_t)(dat.time_sec + dat.life * 5 * 60)); -#endif - return ZAUTH_YES; #else /* !HAVE_KRB4 */ @@ -265,10 +217,7 @@ ZCheckAuthentication(notice, from) #ifdef HAVE_KRB4 int result; char srcprincipal[ANAME_SZ+INST_SZ+REALM_SZ+4]; - KTEXT_ST authent; -#ifdef BAD_KRB4_HACK - KTEXT_ST ticket; -#endif + KTEXT_ST authent, ticket; AUTH_DAT dat; ZChecksum_t checksum; C_Block session_key; @@ -289,32 +238,6 @@ ZCheckAuthentication(notice, from) } authent.length = notice->z_authent_len; -#ifdef BAD_KRB4_HACK - /* Copy the ticket out of the authentication data. */ - if (krb_find_ticket(&authent, &ticket) != RD_AP_OK) - return ZAUTH_FAILED; - - /* Try to do a fast check against the cryptographic checksum. */ - if (find_session_key(&ticket, session_key, srcprincipal) >= 0) { - if (strcmp(srcprincipal, notice->z_sender) != 0) - return ZAUTH_FAILED; - if (notice->z_time.tv_sec - NOW > CLOCK_SKEW) - return ZAUTH_FAILED; - checksum = compute_checksum(notice, session_key); - - /* If the checksum matches, the packet is authentic. Otherwise, - * check authenticator as if we didn't have the session key cached - * and return ZAUTH_CKSUM_FAILED. This is a rare case (since the - * ticket isn't cached after a checksum failure), so don't worry - * about the extra des_quad_cksum() call. */ - if (checksum == notice->z_checksum) { - memcpy(__Zephyr_session, session_key, sizeof(C_Block)); - return ZAUTH_YES; - } - } -#endif - - /* We don't have the session key cached; do it the long way. */ result = krb_rd_req(&authent, SERVER_SERVICE, SERVER_INSTANCE, from->sin_addr.s_addr, &dat, srvtab_file); if (result == RD_AP_OK) { @@ -334,14 +257,7 @@ ZCheckAuthentication(notice, from) checksum = compute_checksum(notice, dat.session); #endif if (checksum != notice->z_checksum) - return ZAUTH_CKSUM_FAILED; - -#ifdef BAD_KRB4_HACK - /* Record the session key, expiry time, and source principal in the - * hash table, so we can do a fast check next time. */ - add_session_key(&ticket, dat.session, srcprincipal, - (time_t)(dat.time_sec + dat.life * 5 * 60)); -#endif + return ZAUTH_FAILED; return ZAUTH_YES; @@ -352,8 +268,6 @@ ZCheckAuthentication(notice, from) #ifdef HAVE_KRB4 -#ifdef BAD_KRB4_HACK - static int hash_ticket(p, len) unsigned char *p; int len; @@ -422,8 +336,6 @@ static int find_session_key(ticket, key, srcprincipal) return -1; } -#endif - static ZChecksum_t compute_checksum(notice, session_key) ZNotice_t *notice; C_Block session_key; |