1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kdc/kdc_preauth_encts.c - Encrypted timestamp kdcpreauth module */
4 * Copyright (C) 1995, 2003, 2007, 2011 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
28 #include <krb5/preauth_plugin.h>
32 enc_ts_get(krb5_context context, krb5_kdc_req *request,
33 krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
34 krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
35 krb5_kdcpreauth_edata_respond_fn respond, void *arg)
37 krb5_keyblock *armor_key = cb->fast_armor(context, rock);
39 (*respond)(arg, (armor_key != NULL) ? ENOENT : 0, NULL);
43 enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
44 krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
45 krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
46 krb5_kdcpreauth_moddata moddata,
47 krb5_kdcpreauth_verify_respond_fn respond, void *arg)
49 krb5_pa_enc_ts * pa_enc = 0;
50 krb5_error_code retval;
52 krb5_data enc_ts_data;
53 krb5_enc_data *enc_data = 0;
55 krb5_key_data * client_key;
57 krb5_timestamp timenow;
58 krb5_error_code decrypt_err = 0;
60 scratch.data = (char *)pa->contents;
61 scratch.length = pa->length;
65 if ((retval = decode_krb5_enc_data(&scratch, &enc_data)) != 0)
68 enc_ts_data.length = enc_data->ciphertext.length;
69 if ((enc_ts_data.data = (char *) malloc(enc_ts_data.length)) == NULL)
75 if ((retval = krb5_dbe_search_enctype(context, rock->client,
76 &start, enc_data->enctype,
80 if ((retval = krb5_dbe_decrypt_key_data(context, NULL, client_key,
84 key.enctype = enc_data->enctype;
86 retval = krb5_c_decrypt(context, &key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
87 0, enc_data, &enc_ts_data);
88 krb5_free_keyblock_contents(context, &key);
95 if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
98 if ((retval = krb5_timeofday(context, &timenow)) != 0)
101 if (labs(timenow - pa_enc->patimestamp) > context->clockskew) {
102 retval = KRB5KRB_AP_ERR_SKEW;
106 setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
112 krb5_free_data_contents(context, &enc_data->ciphertext);
115 krb5_free_data_contents(context, &enc_ts_data);
119 * If we get NO_MATCHING_KEY and decryption previously failed, and
120 * we failed to find any other keys of the correct enctype after
121 * that failed decryption, it probably means that the password was
124 if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
125 retval = decrypt_err;
127 (*respond)(arg, retval, NULL, NULL, NULL);
130 static krb5_preauthtype enc_ts_types[] = {
131 KRB5_PADATA_ENC_TIMESTAMP, 0 };
134 kdcpreauth_encrypted_timestamp_initvt(krb5_context context, int maj_ver,
135 int min_ver, krb5_plugin_vtable vtable)
137 krb5_kdcpreauth_vtable vt;
140 return KRB5_PLUGIN_VER_NOTSUPP;
141 vt = (krb5_kdcpreauth_vtable)vtable;
142 vt->name = "encrypted_timestamp";
143 vt->pa_type_list = enc_ts_types;
144 vt->edata = enc_ts_get;
145 vt->verify = enc_ts_verify;