/*
* Copyright 2000, International Business Machines Corporation and others.
* All Rights Reserved.
- *
+ *
* This software has been released under the terms of the IBM Public
* License. For details, see the LICENSE file in the top-level source
* directory or online at http://www.openafs.org/dl/license10.html
#include <afsconfig.h>
#include <afs/param.h>
+#include <afs/stds.h>
+#include <roken.h>
+#include <afs/opr.h>
-#include <afs/stds.h>
-#include <errno.h>
-#include "kauth.h"
-#include <sys/types.h>
-#include <time.h>
-#ifdef AFS_NT40_ENV
-#include <afs/afsutil.h>
-#else
-#include <sys/resource.h>
-#include <sys/file.h>
+#ifdef HAVE_SYS_RESOURCE_H
+# include <sys/resource.h>
+#endif
+
+#ifdef IGNORE_SOME_GCC_WARNINGS
+# pragma GCC diagnostic warning "-Wdeprecated-declarations"
#endif
-#include <stdio.h>
+
+#include "kauth.h"
+
+#define HC_DEPRECATED
+#include <hcrypto/des.h>
+
#include <lock.h>
#include <ubik.h>
#include <lwp.h>
-#include <des.h>
-#include <des_prototypes.h>
#include <rx/xdr.h>
#include <rx/rx.h>
#include <rx/rxkad.h>
-#ifdef AFS_NT40_ENV
-#include <winsock2.h>
-#else
-#include <netinet/in.h>
-#endif
-#include <string.h>
+#include <rx/rxkad_convert.h>
#include <afs/cellconfig.h>
#include <afs/auth.h>
#include <afs/com_err.h>
+#include <afs/afsutil.h>
+#include <afs/audit.h>
+
#include "kautils.h"
#include "kaserver.h"
#include "kalog.h"
#include "kaport.h"
#include "kauth_internal.h"
-#include "afs/audit.h"
#include "kadatabase.h"
#include "kaprocs.h"
static afs_int32 autoCPWInterval;
static afs_int32 autoCPWUpdates;
-static afs_int32 set_password(struct ubik_trans *tt, char *name,
+static afs_int32 set_password(struct ubik_trans *tt, char *name,
char *instance,
struct ktc_encryptionKey *password,
afs_int32 kvno, afs_int32 caller);
-static afs_int32 impose_reuse_limits(EncryptionKey *password,
+static afs_int32 impose_reuse_limits(EncryptionKey *password,
struct kaentry *tentry);
static int create_user(struct ubik_trans *tt, char *name, char *instance,
struct ktc_encryptionKey *key, afs_int32 caller,
int i;
afs_int32 to;
- gettimeofday(&time, 0);
+ gettimeofday(&time, NULL);
bit = (random_value[3] >> 31) & 1; /* get high bit of high word */
for (i = 0; i < 4; i++) {
nbit = random_value[i] >> 31;
if (to) { /* check if auto cpw is disabled */
if (!(ntohl(tentry.flags) & KAFNOCPW)) {
memcpy(&key, &random_value[0], sizeof(key));
- des_fixup_key_parity(ktc_to_cblock(&key));
+ DES_set_odd_parity(ktc_to_cblock(&key));
code =
set_password(tt, KA_ADMIN_NAME, KA_ADMIN_INST, &key, 0,
0);
if (code == 0) {
- des_init_random_number_generator(ktc_to_cblock(&key));
+ DES_init_random_number_generator(ktc_to_cblock(&key));
ka_ConvertBytes(buf, sizeof(buf), (char *)&key,
sizeof(key));
es_Report("New Admin key is %s\n", buf);
if (to) { /* check if auto cpw is disabled */
if (!(ntohl(tentry.flags) & KAFNOCPW)) {
memcpy(&key, &random_value[2], sizeof(key));
- des_fixup_key_parity(ktc_to_cblock(&key));
+ DES_set_odd_parity(ktc_to_cblock(&key));
code = set_password(tt, KA_TGS_NAME, lrealm, &key, 0, 0);
if (code == 0) {
ka_ConvertBytes(buf, sizeof(buf), (char *)&key,
struct ktc_encryptionKey key;
int code;
- gettimeofday((struct timeval *)&key, 0); /* this is just a cheap seed key */
- des_fixup_key_parity(ktc_to_cblock(&key));
- des_init_random_number_generator(ktc_to_cblock(&key));
- if ((code = des_random_key(ktc_to_cblock(&key)))
+ gettimeofday((struct timeval *)&key, NULL); /* this is just a cheap seed key */
+ DES_set_odd_parity(ktc_to_cblock(&key));
+ DES_init_random_number_generator(ktc_to_cblock(&key));
+ if ((code = DES_new_random_key(ktc_to_cblock(&key)))
|| (code =
create_user(tt, KA_ADMIN_NAME, KA_ADMIN_INST, &key, 0,
KAFNORMAL | KAFNOSEAL | KAFNOTGS)))
return code;
- if ((code = des_random_key(ktc_to_cblock(&key)))
+ if ((code = DES_new_random_key(ktc_to_cblock(&key)))
|| (code =
create_user(tt, KA_TGS_NAME, lrealm, &key, 0,
KAFNORMAL | KAFNOSEAL | KAFNOTGS)))
code);
return code;
}
- des_init_random_number_generator(ktc_to_cblock(&key));
+ DES_init_random_number_generator(ktc_to_cblock(&key));
code = ubik_EndTrans(tt);
if (code) {
noAuthenticationRequired = afsconf_GetNoAuthFlag(KA_conf);
si = rx_SecurityClassOf(rx_ConnectionOf(call));
- if (si == RX_SCINDEX_VAB) {
+ if (si == RX_SECIDX_VAB) {
printf("No support for VAB security module yet.\n");
return -1;
- } else if (si == RX_SCINDEX_NULL) {
+ } else if (si == RX_SECIDX_NULL) {
code = KANOAUTH;
goto no_auth;
- } else if (si != RX_SCINDEX_KAD) {
+ } else if (si != RX_SECIDX_KAD) {
es_Report("Unknown security index %d\n", si);
return -1;
}
struct ktc_encryptionKey *key, afs_int32 caller,
afs_int32 flags)
{
- register int code;
+ int code;
afs_int32 to;
struct kaentry tentry;
afs_int32 maxLifetime;
afs_int32
-kamCreateUser(struct rx_call *call, char *aname, char *ainstance,
+kamCreateUser(struct rx_call *call, char *aname, char *ainstance,
EncryptionKey ainitpw)
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 caller; /* Disk offset of caller's entry */
COUNT_REQ(CreateUser);
- if (!des_check_key_parity(EncryptionKey_to_cblock(&ainitpw)) || des_is_weak_key(EncryptionKey_to_cblock(&ainitpw)))
+ if (!DES_check_key_parity(EncryptionKey_to_cblock(&ainitpw)) ||
+ DES_is_weak_key(EncryptionKey_to_cblock(&ainitpw)))
return KABADKEY;
if (!name_instance_legal(aname, ainstance))
return KABADNAME;
return code;
}
code = ubik_EndTrans(tt);
- KALOG(aname, ainstance, NULL, NULL, NULL, call->conn->peer->host,
- LOG_CRUSER);
+ KALOG(aname, ainstance, NULL, NULL, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_CRUSER);
return code;
}
}
afs_int32
-ChangePassWord(struct rx_call *call, char *aname, char *ainstance,
+ChangePassWord(struct rx_call *call, char *aname, char *ainstance,
ka_CBS *arequest, ka_BBS *oanswer)
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 to; /* offset of block */
struct kaentry tentry;
char *answer; /* where answer is to be put */
int answer_len; /* length of answer packet */
afs_int32 kvno; /* requested key version number */
- des_key_schedule user_schedule; /* key schedule for user's key */
+ DES_key_schedule user_schedule; /* key schedule for user's key */
Date request_time; /* time request originated */
COUNT_REQ(ChangePassword);
}
/* decrypt request w/ user password */
- if ((code = des_key_sched(ktc_to_cblock(&tentry.key), user_schedule)))
+ if ((code = DES_key_sched(ktc_to_cblock(&tentry.key), &user_schedule)))
es_Report("In KAChangePassword: key_sched returned %d\n", code);
- des_pcbc_encrypt(arequest->SeqBody, &request,
- min(arequest->SeqLen, sizeof(request)), user_schedule,
+ DES_pcbc_encrypt(arequest->SeqBody, &request,
+ min(arequest->SeqLen, sizeof(request)), &user_schedule,
ktc_to_cblockptr(&tentry.key), DECRYPT);
/* validate the request */
request_time = ntohl(request.time); /* reorder date */
kvno = ntohl(request.kvno);
- if ((abs(request_time - time(0)) > KTC_TIME_UNCERTAINTY) || strncmp(request.label, KA_CPW_REQ_LABEL, sizeof(request.label)) || (request.spare) || (kvno > MAXKAKVNO)) { /* these are reseved */
+ if (check_ka_skew(request_time, time(NULL), KTC_TIME_UNCERTAINTY) ||
+ strncmp(request.label, KA_CPW_REQ_LABEL, sizeof(request.label)) ||
+ request.spare || kvno > MAXKAKVNO) { /* these are reserved */
code = KABADREQUEST;
goto abort;
}
answer += sizeof(Date);
memcpy(answer, KA_CPW_ANS_LABEL, KA_LABELSIZE);
- des_pcbc_encrypt(oanswer->SeqBody, oanswer->SeqBody, answer_len,
- user_schedule, ktc_to_cblockptr(&tentry.key), ENCRYPT);
+ DES_pcbc_encrypt(oanswer->SeqBody, oanswer->SeqBody, answer_len,
+ &user_schedule, ktc_to_cblockptr(&tentry.key), ENCRYPT);
code = set_password(tt, aname, ainstance, &request.newpw, kvno, 0);
if (code) {
static afs_int32
-set_password(struct ubik_trans *tt, char *name, char *instance,
+set_password(struct ubik_trans *tt, char *name, char *instance,
struct ktc_encryptionKey *password, afs_int32 kvno, afs_int32 caller)
{
afs_int32 code;
kamSetPassword(struct rx_call *call, char *aname, char *ainstance,
afs_int32 akvno, EncryptionKey apassword)
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 caller; /* Disk offset of caller's entry */
struct kaentry tentry;
COUNT_REQ(SetPassword);
if (akvno > MAXKAKVNO)
return KABADARGUMENT;
- if (!des_check_key_parity(EncryptionKey_to_cblock(&apassword)) || des_is_weak_key(EncryptionKey_to_cblock(&apassword)))
+ if (!DES_check_key_parity(EncryptionKey_to_cblock(&apassword)) ||
+ DES_is_weak_key(EncryptionKey_to_cblock(&apassword)))
return KABADKEY;
if (!name_instance_legal(aname, ainstance))
goto abort;
code = ubik_EndTrans(tt);
- KALOG(aname, ainstance, NULL, NULL, NULL, call->conn->peer->host,
- LOG_CHPASSWD);
+ KALOG(aname, ainstance, NULL, NULL, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_CHPASSWD);
return code;
abort:
static afs_int32
PrepareTicketAnswer(ka_BBS *oanswer, afs_int32 challenge, char *ticket,
afs_int32 ticketLen, struct ktc_encryptionKey *sessionKey,
- Date start, Date end, struct kaentry *caller,
+ Date start, Date end, struct kaentry *caller,
struct kaentry *server, char *cell, char *label)
{
afs_int32 code;
is normally disabled for these two principals. */
static afs_int32
-Authenticate(int version, struct rx_call *call, char *aname, char *ainstance,
+Authenticate(int version, struct rx_call *call, char *aname, char *ainstance,
Date start, Date end, ka_CBS *arequest, ka_BBS *oanswer)
{
int code;
int answer_len; /* length of answer packet */
Date answer_time; /* 1+ request time in network order */
afs_int32 temp; /* for htonl conversions */
- des_key_schedule user_schedule; /* key schedule for user's key */
+ DES_key_schedule user_schedule; /* key schedule for user's key */
afs_int32 tgskvno; /* key version of service key */
struct ktc_encryptionKey tgskey; /* service key for encrypting ticket */
Date now;
}
#ifdef LOCKPW
/* have to check for locked before verifying the password, otherwise all
- * KALOCKED means is "yup, you guessed the password all right, now wait a
+ * KALOCKED means is "yup, you guessed the password all right, now wait a
* few minutes and we'll let you in"
*/
if (kaux_islocked
save_principal(authPrincipal, aname, ainstance, 0);
/* decrypt request w/ user password */
- if ((code = des_key_sched(ktc_to_cblock(&tentry.key), user_schedule)))
+ if ((code = DES_key_sched(ktc_to_cblock(&tentry.key), &user_schedule)))
es_Report("In KAAuthenticate: key_sched returned %d\n", code);
- des_pcbc_encrypt(arequest->SeqBody, &request,
- min(arequest->SeqLen, sizeof(request)), user_schedule,
+ DES_pcbc_encrypt(arequest->SeqBody, &request,
+ min(arequest->SeqLen, sizeof(request)), &user_schedule,
ktc_to_cblockptr(&tentry.key), DECRYPT);
request.time = ntohl(request.time); /* reorder date */
}
#endif /* EXPIREPW */
- if (abs(request.time - now) > KTC_TIME_UNCERTAINTY) {
-#if 0
- if (oanswer->MaxSeqLen < sizeof(afs_int32))
- code = KAANSWERTOOLONG;
- else { /* return our time if possible */
- oanswer->SeqLen = sizeof(afs_int32);
- request.time = htonl(now);
- memcpy(oanswer->SeqBody, &request.time, sizeof(afs_int32));
- }
-#endif
+ if (check_ka_skew(request.time, now, KTC_TIME_UNCERTAINTY)) {
code = KACLOCKSKEW;
goto abort;
}
tgskvno = ntohl(server.key_version);
memcpy(&tgskey, &server.key, sizeof(tgskey));
- code = des_random_key(ktc_to_cblock(&sessionKey));
+ code = DES_new_random_key(ktc_to_cblock(&sessionKey));
if (code) {
code = KANOKEYS;
goto abort;
code = KAINTERNALERROR;
goto abort;
}
- des_pcbc_encrypt(oanswer->SeqBody, oanswer->SeqBody, oanswer->SeqLen,
- user_schedule, ktc_to_cblockptr(&tentry.key), ENCRYPT);
+ DES_pcbc_encrypt(oanswer->SeqBody, oanswer->SeqBody, oanswer->SeqLen,
+ &user_schedule, ktc_to_cblockptr(&tentry.key), ENCRYPT);
code = ubik_EndTrans(tt);
- KALOG(aname, ainstance, sname, sinst, NULL, call->conn->peer->host,
- LOG_AUTHENTICATE);
+ KALOG(aname, ainstance, sname, sinst, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_AUTHENTICATE);
return code;
abort:
COUNT_ABO;
ubik_AbortTrans(tt);
- KALOG(aname, ainstance, sname, sinst, NULL, call->conn->peer->host,
- LOG_AUTHFAILED);
+ KALOG(aname, ainstance, sname, sinst, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_AUTHFAILED);
return code;
}
afs_int32
SKAA_Authenticate_old(struct rx_call *call, char *aname, char *ainstance,
- Date start, Date end, ka_CBS *arequest,
+ Date start, Date end, ka_CBS *arequest,
ka_BBS *oanswer)
{
int code;
}
afs_int32
-SKAA_Authenticate(struct rx_call *call, char *aname, char *ainstance,
+SKAA_Authenticate(struct rx_call *call, char *aname, char *ainstance,
Date start, Date end, ka_CBS *arequest, ka_BBS *oanswer)
{
int code;
}
afs_int32
-SKAA_AuthenticateV2(struct rx_call *call, char *aname, char *ainstance,
+SKAA_AuthenticateV2(struct rx_call *call, char *aname, char *ainstance,
Date start, Date end, ka_CBS *arequest, ka_BBS *oanswer)
{
int code;
tentry.max_ticket_lifetime = htonl(alifetime);
#ifndef NOPWCONTROLS
- /*
+ /*
* We've packed a bunch of bytes into a long for backward compatibility.
* These include password expiration time, and some failed login limits
* counters. Now let's unpack them and stick them into the
* kaentry struct. All the bytes have values in the range
* 1..255, else they were not specified in the interface, and are
- * set to zero.
+ * set to zero.
* In the case of password expiration times, 1 means password never
* expires (==>0), 2 means password only lives for one day (==>1),
* and so on.
goto abort;
code = ubik_EndTrans(tt);
- KALOG(aname, ainstance, NULL, NULL, NULL, call->conn->peer->host,
- LOG_SETFIELDS);
+ KALOG(aname, ainstance, NULL, NULL, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_SETFIELDS);
return code;
abort:
afs_int32
kamDeleteUser(struct rx_call *call, char *aname, char *ainstance)
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 caller;
afs_int32 to;
goto abort;
code = ubik_EndTrans(tt);
- KALOG(aname, ainstance, NULL, NULL, NULL, call->conn->peer->host,
- LOG_DELUSER);
+ KALOG(aname, ainstance, NULL, NULL, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_DELUSER);
return code;
}
afs_int32 aversion, /* major version assumed by caller */
kaentryinfo *aentry) /* entry data copied here */
{
- register afs_int32 code;
+ afs_int32 code;
struct ubik_trans *tt;
afs_int32 callerIndex;
struct kaentry caller;
temp = pack_long(tentry.misc_auth_bytes);
aentry->misc_auth_bytes = temp;
- /*
+ /*
* only return user's key if security disabled or if admin and
* we have an encrypted connection to the user
*/
- rxkad_GetServerInfo(call->conn, &enc_level, 0, 0, 0, 0, 0);
+ rxkad_GetServerInfo(rx_ConnectionOf(call), &enc_level, 0, 0, 0, 0, 0);
if ((noAuthenticationRequired)
|| (callerIsAdmin && enc_level == rxkad_crypt))
memcpy(&aentry->key, &tentry.key, sizeof(struct ktc_encryptionKey));
else
memset(&aentry->key, 0, sizeof(aentry->key));
+
code = ka_KeyCheckSum((char *)&tentry.key, &aentry->keyCheckSum);
+ if (code)
+ goto abort;
+
if (!tentry.pwsums[0] && npwSums > 1 && !tentry.pwsums[1]) {
aentry->reserved3 = 0x12340000;
} else {
afs_int32 *count, /* total entries in database */
kaident *name) /* name & instance of this entry */
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 caller;
struct kaentry tentry;
COUNT_REQ(ListEntry);
+ memset(name, 0, sizeof(*name));
if ((code = InitAuthServ(&tt, LOCKREAD, this_op)))
return code;
code = check_auth(call, tt, 1, &caller);
int import, export;
struct ubik_trans *tt;
struct ktc_encryptionKey tgskey;
- des_key_schedule schedule;
+ DES_key_schedule schedule;
afs_int32 to;
char name[MAXKTCNAMELEN];
char instance[MAXKTCNAMELEN];
code = KANOAUTH;
goto abort;
}
- code = des_key_sched(ktc_to_cblock(&authSessionKey), schedule);
+ code = DES_key_sched(ktc_to_cblock(&authSessionKey), &schedule);
if (code) {
code = KANOAUTH;
goto abort;
goto abort;
}
- des_ecb_encrypt(atimes->SeqBody, ×, schedule, DECRYPT);
+ DES_ecb_encrypt((DES_cblock *)atimes->SeqBody, (DES_cblock *)×, &schedule, DECRYPT);
times.start = ntohl(times.start);
times.end = ntohl(times.end);
code = tkt_CheckTimes(times.start, times.end, now);
}
save_principal(tgsServerPrincipal, sname, sinstance, 0);
- code = des_random_key(ktc_to_cblock(&sessionKey));
+ code = DES_new_random_key(ktc_to_cblock(&sessionKey));
if (code) {
code = KANOKEYS;
goto abort;
code = KAINTERNALERROR;
goto abort;
}
- des_pcbc_encrypt(oanswer->SeqBody, oanswer->SeqBody, oanswer->SeqLen,
- schedule, ktc_to_cblockptr(&authSessionKey), ENCRYPT);
+ DES_pcbc_encrypt(oanswer->SeqBody, oanswer->SeqBody, oanswer->SeqLen,
+ &schedule, ktc_to_cblockptr(&authSessionKey), ENCRYPT);
code = ubik_EndTrans(tt);
KALOG(name, instance, sname, sinstance, (import ? authDomain : NULL),
- call->conn->peer->host, LOG_GETTICKET);
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_GETTICKET);
return code;
abort:
}
afs_int32
-SKAM_GetStats(struct rx_call *call, afs_int32 version,
+SKAM_GetStats(struct rx_call *call, afs_int32 version,
afs_int32 *admin_accounts, kasstats *statics,
kadstats *dynamics)
{
}
afs_int32
-kamGetStats(struct rx_call *call, afs_int32 version,
+kamGetStats(struct rx_call *call, afs_int32 version,
afs_int32 *admin_accounts, kasstats *statics,
kadstats *dynamics)
{
AFS_UNUSED COUNT_REQ(GetRandomKey);
if ((code = AwaitInitialization()))
return code;
- code = des_random_key(EncryptionKey_to_cblock(key));
+ code = DES_new_random_key(EncryptionKey_to_cblock(key));
if (code)
return KANOKEYS;
return 0;
return 0;
}
-/* these are auxiliary routines. They don't do any Ubik stuff. They use
+/* these are auxiliary routines. They don't do any Ubik stuff. They use
* a tacked-on-the-side data file.
* prob'ly ought to check the noauth flag.
*/
SKAM_Unlock(struct rx_call *call,
char *aname,
char *ainstance,
- afs_int32 spare1,
- afs_int32 spare2,
- afs_int32 spare3,
+ afs_int32 spare1,
+ afs_int32 spare2,
+ afs_int32 spare3,
afs_int32 spare4)
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 caller;
afs_int32 to;
kaux_write(to, 0, 0); /* zero failure counters at this offset */
code = ubik_EndTrans(tt);
- KALOG(aname, ainstance, NULL, NULL, NULL, call->conn->peer->host,
- LOG_UNLOCK);
+ KALOG(aname, ainstance, NULL, NULL, NULL,
+ rx_HostOf(rx_PeerOf(rx_ConnectionOf(call))), LOG_UNLOCK);
goto exit;
abort:
char *aname,
char *ainstance,
afs_int32 *lockeduntil,
- afs_int32 spare1,
- afs_int32 spare2,
- afs_int32 spare3,
+ afs_int32 spare1,
+ afs_int32 spare2,
+ afs_int32 spare3,
afs_int32 spare4)
{
- register int code;
+ int code;
struct ubik_trans *tt;
afs_int32 callerIndex;
afs_int32 to;