1
1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/* plugins/preauth/securid_sam2/securid2.c */
3
* plugins/preauth/securid_sam2/securid2.c
5
4
* Copyright (C) 2010 by the Massachusetts Institute of Technology.
6
5
* All rights reserved.
24
23
* this software for any purpose. It is provided "as is" without express
25
24
* or implied warranty.
29
* Copyright (c) 2002 Naval Research Laboratory (NRL/CCS)
27
* Copyright (c) 2002 Naval Research Laboratory (NRL/CCS)
31
29
* Permission to use, copy, modify and distribute this software and its
32
30
* documentation is hereby granted, provided that both the copyright
106
104
-1, -1, -1, &client_securid_key_data);
108
106
com_err("krb5kdc", retval,
109
"while getting key from client's SAM SecurID "
107
"while getting key from client's SAM SecurID entry");
113
110
retval = krb5_dbe_decrypt_key_data(context, NULL, client_securid_key_data,
114
111
client_securid_key, NULL);
116
113
com_err("krb5kdc", retval,
117
"while decrypting key from client's SAM "
114
"while decrypting key from client's SAM SecurID entry");
290
286
sc2b->sam_response_prompt.data = PASSCODE_message;
291
287
sc2b->sam_response_prompt.length = strlen(sc2b->sam_response_prompt.data);
292
288
sc2b->sam_pk_for_sad.length = 0;
293
sc2b->sam_type = PA_SAM_TYPE_SECURID;
289
sc2b->sam_type = PA_SAM_TYPE_SECURID;
295
291
sid_track_data.state = SECURID_STATE_INITIAL;
296
292
sid_track_data.hostid = gethostid();
299
295
retval = securid_encrypt_track_data_2(context, client, &tmp_data,
300
296
&sc2b->sam_track_id);
301
297
if (retval != 0) {
302
com_err("krb5kdc", retval,
303
"While encrypting nonce track data");
298
com_err("krb5kdc", retval, "while encrypting nonce track data");
309
304
retval = krb5_c_random_make_octets(context, &scratch);
311
306
com_err("krb5kdc", retval,
312
"while generating nonce data in "
313
"get_securid_edata_2 (%s)",
314
user ? user : def_user);
307
"while generating nonce data in get_securid_edata_2 (%s)",
308
user ? user : def_user);
322
316
sc2, sc2b, client_key);
324
318
com_err("krb5kdc", retval,
325
"while making SAM_CHALLENGE_2 checksum (%s)",
326
user ? user : def_user);
319
"while making SAM_CHALLENGE_2 checksum (%s)",
320
user ? user : def_user);
363
357
retval = krb5_unparse_name(context, client->princ, &user);
364
358
if (retval != 0) {
365
359
com_err("krb5kdc", retval,
366
"while unparsing client name in "
367
"verify_securid_data_2");
360
"while unparsing client name in verify_securid_data_2");
371
364
if ((sr2->sam_enc_nonce_or_sad.ciphertext.data == NULL) ||
372
365
(sr2->sam_enc_nonce_or_sad.ciphertext.length <= 0)) {
373
retval = KRB5KDC_ERR_PREAUTH_FAILED;
374
krb5_set_error_message(context, retval,
375
"No preauth data supplied in "
376
"verify_securid_data_2 (%s)", user);
366
retval = KRB5KDC_ERR_PREAUTH_FAILED;
367
krb5_set_error_message(context, retval,
368
"No preauth data supplied in "
369
"verify_securid_data_2 (%s)", user);
380
373
retval = krb5_dbe_find_enctype(context, client,
384
377
&client_key_data);
386
379
com_err("krb5kdc", retval,
387
"while getting client key in "
388
"verify_securid_data_2 (%s)", user);
380
"while getting client key in verify_securid_data_2 (%s)",
393
386
&client_key, NULL);
394
387
if (retval != 0) {
395
388
com_err("krb5kdc", retval,
396
"while decrypting client key in "
397
"verify_securid_data_2 (%s)",
389
"while decrypting client key in verify_securid_data_2 (%s)",
408
400
&sr2->sam_enc_nonce_or_sad, &scratch);
410
402
com_err("krb5kdc", retval,
411
"while decrypting SAD in "
412
"verify_securid_data_2 (%s)", user);
403
"while decrypting SAD in verify_securid_data_2 (%s)", user);
416
407
retval = decode_krb5_enc_sam_response_enc_2(&scratch, &esre2);
418
409
com_err("krb5kdc", retval,
419
"while decoding SAD in "
420
"verify_securid_data_2 (%s)", user);
410
"while decoding SAD in verify_securid_data_2 (%s)", user);
425
415
if (sr2->sam_nonce != esre2->sam_nonce) {
426
416
com_err("krb5kdc", KRB5KDC_ERR_PREAUTH_FAILED,
427
"while checking nonce in "
428
"verify_securid_data_2 (%s)", user);
417
"while checking nonce in verify_securid_data_2 (%s)", user);
429
418
retval = KRB5KDC_ERR_PREAUTH_FAILED;
433
422
if (esre2->sam_sad.length == 0 || esre2->sam_sad.data == NULL) {
434
423
com_err("krb5kdc", KRB5KDC_ERR_PREAUTH_FAILED,
435
"No SecurID passcode in "
436
"verify_securid_data_2 (%s)", user);
424
"No SecurID passcode in verify_securid_data_2 (%s)", user);
437
425
retval = KRB5KDC_ERR_PREAUTH_FAILED;
443
431
if (esre2->sam_sad.length > (sizeof(passcode) - 1)) {
444
432
retval = KRB5KDC_ERR_PREAUTH_FAILED;
445
433
com_err("krb5kdc", retval,
446
"SecurID passcode/PIN too long (%d bytes) in "
447
"verify_securid_data_2 (%s)",
448
esre2->sam_sad.length, user);
434
"SecurID passcode/PIN too long (%d bytes) in "
435
"verify_securid_data_2 (%s)",
436
esre2->sam_sad.length, user);
451
439
memcpy(passcode, esre2->sam_sad.data, esre2->sam_sad.length);
454
442
if (!securid_user) {
456
444
com_err("krb5kdc", ENOMEM,
457
"while copying user name in "
458
"verify_securid_data_2 (%s)", user);
445
"while copying user name in verify_securid_data_2 (%s)", user);
461
448
cp = strchr(securid_user, '@');
476
463
com_err("krb5kdc", retval,
477
"while decrypting SecurID trackID in "
478
"verify_securid_data_2 (%s)", user);
464
"while decrypting SecurID trackID in "
465
"verify_securid_data_2 (%s)", user);
481
468
if (track_id_data.length < sizeof (struct securid_track_data)) {
482
469
retval = KRB5KDC_ERR_PREAUTH_FAILED;
483
com_err("krb5kdc", retval,
484
"Length of track data incorrect");
470
com_err("krb5kdc", retval, "Length of track data incorrect");
487
473
trackp = (struct securid_track_data *)track_id_data.data;
547
533
tmp_data.length = sizeof(sc2b.sam_nonce);
548
534
if ((retval = krb5_c_random_make_octets(context, &tmp_data))) {
549
535
com_err("krb5kdc", retval,
550
"while making nonce for SecurID new "
551
"PIN2 SAM_CHALLENGE_2 (%s)", user);
536
"while making nonce for SecurID new "
537
"PIN2 SAM_CHALLENGE_2 (%s)", user);
554
540
sid_track_data.state = SECURID_STATE_NEW_PIN_AGAIN;
564
550
&sc2b.sam_track_id))) {
565
551
com_err("krb5kdc", retval,
566
"while encrypting NEW PIN2 SecurID "
567
"track data for SAM_CHALLENGE_2 (%s)",
552
"while encrypting NEW PIN2 SecurID "
553
"track data for SAM_CHALLENGE_2 (%s)",
571
557
retval = securid_make_sam_challenge_2_and_cksum(context, sc2p,
575
561
com_err("krb5kdc", retval,
576
"while making cksum for "
577
"SAM_CHALLENGE_2 (new PIN2) (%s)",
562
"while making cksum for "
563
"SAM_CHALLENGE_2 (new PIN2) (%s)", securid_user);
581
566
krb5_klog_syslog(LOG_INFO,
610
595
retval = SD_Init(&sd_handle);
612
597
com_err("krb5kdc", KRB5KDC_ERR_PREAUTH_FAILED,
613
"SD_Init() returns error %d in "
614
"verify_securid_data_2 (%s)",
615
retval, securid_user);
598
"SD_Init() returns error %d in verify_securid_data_2 (%s)",
599
retval, securid_user);
616
600
retval = KRB5KDC_ERR_PREAUTH_FAILED;
682
666
tmp_data.data = (char *)&sc2b.sam_nonce;
683
667
tmp_data.length = sizeof(sc2b.sam_nonce);
684
668
if ((retval = krb5_c_random_make_octets(context, &tmp_data))) {
685
com_err("krb5kdc", retval, "while making nonce "
686
"for SecurID SAM_CHALLENGE_2 (%s)",
669
com_err("krb5kdc", retval,
670
"while making nonce for SecurID SAM_CHALLENGE_2 (%s)",
698
682
retval = securid_encrypt_track_data_2(context, client, &tmp_data,
699
683
&sc2b.sam_track_id);
701
com_err("krb5kdc", retval,
702
"while encrypting SecurID track "
703
"data for SAM_CHALLENGE_2 (%s)",
685
com_err("krb5kdc", retval,
686
"while encrypting SecurID track "
687
"data for SAM_CHALLENGE_2 (%s)",
707
691
retval = securid_make_sam_challenge_2_and_cksum(context, sc2p,
711
com_err("krb5kdc", retval, "while making cksum "
712
"for SAM_CHALLENGE_2 (%s)",
695
com_err("krb5kdc", retval,
696
"while making cksum for SAM_CHALLENGE_2 (%s)",
716
700
krb5_klog_syslog(LOG_INFO, "New SecurID PIN required for "
728
712
com_err("krb5kdc", KRB5KDC_ERR_PREAUTH_FAILED,
729
"AceServer returns unknown error code %d "
730
"in verify_securid_data_2\n", retval);
713
"AceServer returns unknown error code %d "
714
"in verify_securid_data_2\n", retval);
731
715
retval = KRB5KDC_ERR_PREAUTH_FAILED;