search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Include <com_err.h>
[heimdal.git] / kdc / krb5tgs.c
blob6371f930537aa47ff89fa8e17971ba8b3525ee4d
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 RCSID("$Id$");
37
38 /*
39 * return the realm of a krbtgt-ticket or NULL
40 */
41
42 static Realm
43 get_krbtgt_realm(const PrincipalName *p)
44 {
45 if(p->name_string.len == 2
46 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
47 return p->name_string.val[1];
48 else
49 return NULL;
50 }
51
52 /*
53 * The KDC might add a signed path to the ticket authorization data
54 * field. This is to avoid server impersonating clients and the
55 * request constrained delegation.
56 *
57 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
58 * entry of type KRB5SignedPath.
59 */
60
61 static krb5_error_code
62 find_KRB5SignedPath(krb5_context context,
63 const AuthorizationData *ad,
64 krb5_data *data)
65 {
66 AuthorizationData child;
67 krb5_error_code ret;
68 int pos;
69
70 if (ad == NULL || ad->len == 0)
71 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
72
73 pos = ad->len - 1;
74
75 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
76 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
77
78 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
79 ad->val[pos].ad_data.length,
80 &child,
81 NULL);
82 if (ret) {
83 krb5_set_error_message(context, ret, "Failed to decode "
84 "IF_RELEVANT with %d", ret);
85 return ret;
86 }
87
88 if (child.len != 1) {
89 free_AuthorizationData(&child);
90 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
91 }
92
93 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
94 free_AuthorizationData(&child);
95 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
96 }
97
98 if (data)
99 ret = der_copy_octet_string(&child.val[0].ad_data, data);
100 free_AuthorizationData(&child);
101 return ret;
102 }
103
104 krb5_error_code
105 _kdc_add_KRB5SignedPath(krb5_context context,
106 krb5_kdc_configuration *config,
107 hdb_entry_ex *krbtgt,
108 krb5_enctype enctype,
109 krb5_principal client,
110 krb5_const_principal server,
111 krb5_principals principals,
112 EncTicketPart *tkt)
113 {
114 krb5_error_code ret;
115 KRB5SignedPath sp;
116 krb5_data data;
117 krb5_crypto crypto = NULL;
118 size_t size;
119
120 if (server && principals) {
121 ret = add_Principals(principals, server);
122 if (ret)
123 return ret;
124 }
125
126 {
127 KRB5SignedPathData spd;
128
129 spd.client = client;
130 spd.authtime = tkt->authtime;
131 spd.delegated = principals;
132 spd.method_data = NULL;
133
134 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
135 &spd, &size, ret);
136 if (ret)
137 return ret;
138 if (data.length != size)
139 krb5_abortx(context, "internal asn.1 encoder error");
140 }
141
142 {
143 Key *key;
144 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
145 if (ret == 0)
146 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
147 if (ret) {
148 free(data.data);
149 return ret;
150 }
151 }
152
153 /*
154 * Fill in KRB5SignedPath
155 */
156
157 sp.etype = enctype;
158 sp.delegated = principals;
159 sp.method_data = NULL;
160
161 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
162 data.data, data.length, &sp.cksum);
163 krb5_crypto_destroy(context, crypto);
164 free(data.data);
165 if (ret)
166 return ret;
167
168 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
169 free_Checksum(&sp.cksum);
170 if (ret)
171 return ret;
172 if (data.length != size)
173 krb5_abortx(context, "internal asn.1 encoder error");
174
175
176 /*
177 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
178 * authorization data field.
179 */
180
181 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
182 KRB5_AUTHDATA_SIGNTICKET, &data);
183 krb5_data_free(&data);
184
185 return ret;
186 }
187
188 static krb5_error_code
189 check_KRB5SignedPath(krb5_context context,
190 krb5_kdc_configuration *config,
191 hdb_entry_ex *krbtgt,
192 krb5_principal cp,
193 EncTicketPart *tkt,
194 krb5_principals *delegated,
195 int *signedpath)
196 {
197 krb5_error_code ret;
198 krb5_data data;
199 krb5_crypto crypto = NULL;
200
201 if (delegated)
202 *delegated = NULL;
203
204 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
205 if (ret == 0) {
206 KRB5SignedPathData spd;
207 KRB5SignedPath sp;
208 size_t size;
209
210 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
211 krb5_data_free(&data);
212 if (ret)
213 return ret;
214
215 spd.client = cp;
216 spd.authtime = tkt->authtime;
217 spd.delegated = sp.delegated;
218 spd.method_data = sp.method_data;
219
220 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
221 &spd, &size, ret);
222 if (ret) {
223 free_KRB5SignedPath(&sp);
224 return ret;
225 }
226 if (data.length != size)
227 krb5_abortx(context, "internal asn.1 encoder error");
228
229 {
230 Key *key;
231 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
232 if (ret == 0)
233 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
234 if (ret) {
235 free(data.data);
236 free_KRB5SignedPath(&sp);
237 return ret;
238 }
239 }
240 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
241 data.data, data.length,
242 &sp.cksum);
243 krb5_crypto_destroy(context, crypto);
244 free(data.data);
245 if (ret) {
246 free_KRB5SignedPath(&sp);
247 kdc_log(context, config, 5,
248 "KRB5SignedPath not signed correctly, not marking as signed");
249 return 0;
250 }
251
252 if (delegated && sp.delegated) {
253
254 *delegated = malloc(sizeof(*sp.delegated));
255 if (*delegated == NULL) {
256 free_KRB5SignedPath(&sp);
257 return ENOMEM;
258 }
259
260 ret = copy_Principals(*delegated, sp.delegated);
261 if (ret) {
262 free_KRB5SignedPath(&sp);
263 free(*delegated);
264 *delegated = NULL;
265 return ret;
266 }
267 }
268 free_KRB5SignedPath(&sp);
269
270 *signedpath = 1;
271 }
272
273 return 0;
274 }
275
276 /*
277 *
278 */
279
280 static krb5_error_code
281 check_PAC(krb5_context context,
282 krb5_kdc_configuration *config,
283 const krb5_principal client_principal,
284 hdb_entry_ex *client,
285 hdb_entry_ex *server,
286 const EncryptionKey *server_key,
287 const EncryptionKey *krbtgt_key,
288 EncTicketPart *tkt,
289 krb5_data *rspac,
290 int *signedpath)
291 {
292 AuthorizationData *ad = tkt->authorization_data;
293 unsigned i, j;
294 krb5_error_code ret;
295
296 if (ad == NULL || ad->len == 0)
297 return 0;
298
299 for (i = 0; i < ad->len; i++) {
300 AuthorizationData child;
301
302 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
303 continue;
304
305 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
306 ad->val[i].ad_data.length,
307 &child,
308 NULL);
309 if (ret) {
310 krb5_set_error_message(context, ret, "Failed to decode "
311 "IF_RELEVANT with %d", ret);
312 return ret;
313 }
314 for (j = 0; j < child.len; j++) {
315
316 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
317 krb5_pac pac;
318
319 /* Found PAC */
320 ret = krb5_pac_parse(context,
321 child.val[j].ad_data.data,
322 child.val[j].ad_data.length,
323 &pac);
324 free_AuthorizationData(&child);
325 if (ret)
326 return ret;
327
328 ret = krb5_pac_verify(context, pac, tkt->authtime,
329 client_principal,
330 krbtgt_key, NULL);
331 if (ret) {
332 krb5_pac_free(context, pac);
333 return ret;
334 }
335
336 ret = _kdc_pac_verify(context, client_principal,
337 client, server, &pac);
338 if (ret) {
339 krb5_pac_free(context, pac);
340 return ret;
341 }
342 *signedpath = 1;
343
344 ret = _krb5_pac_sign(context, pac, tkt->authtime,
345 client_principal,
346 server_key, krbtgt_key, rspac);
347
348 krb5_pac_free(context, pac);
349
350 return ret;
351 }
352 }
353 free_AuthorizationData(&child);
354 }
355 return 0;
356 }
357
358 /*
359 *
360 */
361
362 static krb5_error_code
363 check_tgs_flags(krb5_context context,
364 krb5_kdc_configuration *config,
365 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
366 {
367 KDCOptions f = b->kdc_options;
368
369 if(f.validate){
370 if(!tgt->flags.invalid || tgt->starttime == NULL){
371 kdc_log(context, config, 0,
372 "Bad request to validate ticket");
373 return KRB5KDC_ERR_BADOPTION;
374 }
375 if(*tgt->starttime > kdc_time){
376 kdc_log(context, config, 0,
377 "Early request to validate ticket");
378 return KRB5KRB_AP_ERR_TKT_NYV;
379 }
380 /* XXX tkt = tgt */
381 et->flags.invalid = 0;
382 }else if(tgt->flags.invalid){
383 kdc_log(context, config, 0,
384 "Ticket-granting ticket has INVALID flag set");
385 return KRB5KRB_AP_ERR_TKT_INVALID;
386 }
387
388 if(f.forwardable){
389 if(!tgt->flags.forwardable){
390 kdc_log(context, config, 0,
391 "Bad request for forwardable ticket");
392 return KRB5KDC_ERR_BADOPTION;
393 }
394 et->flags.forwardable = 1;
395 }
396 if(f.forwarded){
397 if(!tgt->flags.forwardable){
398 kdc_log(context, config, 0,
399 "Request to forward non-forwardable ticket");
400 return KRB5KDC_ERR_BADOPTION;
401 }
402 et->flags.forwarded = 1;
403 et->caddr = b->addresses;
404 }
405 if(tgt->flags.forwarded)
406 et->flags.forwarded = 1;
407
408 if(f.proxiable){
409 if(!tgt->flags.proxiable){
410 kdc_log(context, config, 0,
411 "Bad request for proxiable ticket");
412 return KRB5KDC_ERR_BADOPTION;
413 }
414 et->flags.proxiable = 1;
415 }
416 if(f.proxy){
417 if(!tgt->flags.proxiable){
418 kdc_log(context, config, 0,
419 "Request to proxy non-proxiable ticket");
420 return KRB5KDC_ERR_BADOPTION;
421 }
422 et->flags.proxy = 1;
423 et->caddr = b->addresses;
424 }
425 if(tgt->flags.proxy)
426 et->flags.proxy = 1;
427
428 if(f.allow_postdate){
429 if(!tgt->flags.may_postdate){
430 kdc_log(context, config, 0,
431 "Bad request for post-datable ticket");
432 return KRB5KDC_ERR_BADOPTION;
433 }
434 et->flags.may_postdate = 1;
435 }
436 if(f.postdated){
437 if(!tgt->flags.may_postdate){
438 kdc_log(context, config, 0,
439 "Bad request for postdated ticket");
440 return KRB5KDC_ERR_BADOPTION;
441 }
442 if(b->from)
443 *et->starttime = *b->from;
444 et->flags.postdated = 1;
445 et->flags.invalid = 1;
446 }else if(b->from && *b->from > kdc_time + context->max_skew){
447 kdc_log(context, config, 0, "Ticket cannot be postdated");
448 return KRB5KDC_ERR_CANNOT_POSTDATE;
449 }
450
451 if(f.renewable){
452 if(!tgt->flags.renewable){
453 kdc_log(context, config, 0,
454 "Bad request for renewable ticket");
455 return KRB5KDC_ERR_BADOPTION;
456 }
457 et->flags.renewable = 1;
458 ALLOC(et->renew_till);
459 _kdc_fix_time(&b->rtime);
460 *et->renew_till = *b->rtime;
461 }
462 if(f.renew){
463 time_t old_life;
464 if(!tgt->flags.renewable || tgt->renew_till == NULL){
465 kdc_log(context, config, 0,
466 "Request to renew non-renewable ticket");
467 return KRB5KDC_ERR_BADOPTION;
468 }
469 old_life = tgt->endtime;
470 if(tgt->starttime)
471 old_life -= *tgt->starttime;
472 else
473 old_life -= tgt->authtime;
474 et->endtime = *et->starttime + old_life;
475 if (et->renew_till != NULL)
476 et->endtime = min(*et->renew_till, et->endtime);
477 }
478
479 #if 0
480 /* checks for excess flags */
481 if(f.request_anonymous && !config->allow_anonymous){
482 kdc_log(context, config, 0,
483 "Request for anonymous ticket");
484 return KRB5KDC_ERR_BADOPTION;
485 }
486 #endif
487 return 0;
488 }
489
490 /*
491 *
492 */
493
494 static krb5_error_code
495 check_constrained_delegation(krb5_context context,
496 krb5_kdc_configuration *config,
497 HDB *clientdb,
498 hdb_entry_ex *client,
499 krb5_const_principal server)
500 {
501 const HDB_Ext_Constrained_delegation_acl *acl;
502 krb5_error_code ret;
503 int i;
504
505 /* if client delegates to itself, that ok */
506 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
507 return 0;
508
509 if (clientdb->hdb_check_constrained_delegation) {
510 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
511 if (ret == 0)
512 return 0;
513 } else {
514 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
515 if (ret) {
516 krb5_clear_error_message(context);
517 return ret;
518 }
519
520 if (acl) {
521 for (i = 0; i < acl->len; i++) {
522 if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
523 return 0;
524 }
525 }
526 ret = KRB5KDC_ERR_BADOPTION;
527 }
528 kdc_log(context, config, 0,
529 "Bad request for constrained delegation");
530 return ret;
531 }
532
533 /*
534 *
535 */
536
537 static krb5_error_code
538 verify_flags (krb5_context context,
539 krb5_kdc_configuration *config,
540 const EncTicketPart *et,
541 const char *pstr)
542 {
543 if(et->endtime < kdc_time){
544 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
545 return KRB5KRB_AP_ERR_TKT_EXPIRED;
546 }
547 if(et->flags.invalid){
548 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
549 return KRB5KRB_AP_ERR_TKT_NYV;
550 }
551 return 0;
552 }
553
554 /*
555 *
556 */
557
558 static krb5_error_code
559 fix_transited_encoding(krb5_context context,
560 krb5_kdc_configuration *config,
561 krb5_boolean check_policy,
562 const TransitedEncoding *tr,
563 EncTicketPart *et,
564 const char *client_realm,
565 const char *server_realm,
566 const char *tgt_realm)
567 {
568 krb5_error_code ret = 0;
569 char **realms, **tmp;
570 unsigned int num_realms;
571 int i;
572
573 switch (tr->tr_type) {
574 case DOMAIN_X500_COMPRESS:
575 break;
576 case 0:
577 /*
578 * Allow empty content of type 0 because that is was Microsoft
579 * generates in their TGT.
580 */
581 if (tr->contents.length == 0)
582 break;
583 kdc_log(context, config, 0,
584 "Transited type 0 with non empty content");
585 return KRB5KDC_ERR_TRTYPE_NOSUPP;
586 default:
587 kdc_log(context, config, 0,
588 "Unknown transited type: %u", tr->tr_type);
589 return KRB5KDC_ERR_TRTYPE_NOSUPP;
590 }
591
592 ret = krb5_domain_x500_decode(context,
593 tr->contents,
594 &realms,
595 &num_realms,
596 client_realm,
597 server_realm);
598 if(ret){
599 krb5_warn(context, ret,
600 "Decoding transited encoding");
601 return ret;
602 }
603 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
604 /* not us, so add the previous realm to transited set */
605 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
606 ret = ERANGE;
607 goto free_realms;
608 }
609 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
610 if(tmp == NULL){
611 ret = ENOMEM;
612 goto free_realms;
613 }
614 realms = tmp;
615 realms[num_realms] = strdup(tgt_realm);
616 if(realms[num_realms] == NULL){
617 ret = ENOMEM;
618 goto free_realms;
619 }
620 num_realms++;
621 }
622 if(num_realms == 0) {
623 if(strcmp(client_realm, server_realm))
624 kdc_log(context, config, 0,
625 "cross-realm %s -> %s", client_realm, server_realm);
626 } else {
627 size_t l = 0;
628 char *rs;
629 for(i = 0; i < num_realms; i++)
630 l += strlen(realms[i]) + 2;
631 rs = malloc(l);
632 if(rs != NULL) {
633 *rs = '\0';
634 for(i = 0; i < num_realms; i++) {
635 if(i > 0)
636 strlcat(rs, ", ", l);
637 strlcat(rs, realms[i], l);
638 }
639 kdc_log(context, config, 0,
640 "cross-realm %s -> %s via [%s]",
641 client_realm, server_realm, rs);
642 free(rs);
643 }
644 }
645 if(check_policy) {
646 ret = krb5_check_transited(context, client_realm,
647 server_realm,
648 realms, num_realms, NULL);
649 if(ret) {
650 krb5_warn(context, ret, "cross-realm %s -> %s",
651 client_realm, server_realm);
652 goto free_realms;
653 }
654 et->flags.transited_policy_checked = 1;
655 }
656 et->transited.tr_type = DOMAIN_X500_COMPRESS;
657 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
658 if(ret)
659 krb5_warn(context, ret, "Encoding transited encoding");
660 free_realms:
661 for(i = 0; i < num_realms; i++)
662 free(realms[i]);
663 free(realms);
664 return ret;
665 }
666
667
668 static krb5_error_code
669 tgs_make_reply(krb5_context context,
670 krb5_kdc_configuration *config,
671 KDC_REQ_BODY *b,
672 krb5_const_principal tgt_name,
673 const EncTicketPart *tgt,
674 const krb5_keyblock *replykey,
675 int rk_is_subkey,
676 const EncryptionKey *serverkey,
677 const krb5_keyblock *sessionkey,
678 krb5_kvno kvno,
679 AuthorizationData *auth_data,
680 hdb_entry_ex *server,
681 krb5_principal server_principal,
682 const char *server_name,
683 hdb_entry_ex *client,
684 krb5_principal client_principal,
685 hdb_entry_ex *krbtgt,
686 krb5_enctype krbtgt_etype,
687 krb5_principals spp,
688 const krb5_data *rspac,
689 const METHOD_DATA *enc_pa_data,
690 const char **e_text,
691 krb5_data *reply)
692 {
693 KDC_REP rep;
694 EncKDCRepPart ek;
695 EncTicketPart et;
696 KDCOptions f = b->kdc_options;
697 krb5_error_code ret;
698 int is_weak = 0;
699
700 memset(&rep, 0, sizeof(rep));
701 memset(&et, 0, sizeof(et));
702 memset(&ek, 0, sizeof(ek));
703
704 rep.pvno = 5;
705 rep.msg_type = krb_tgs_rep;
706
707 et.authtime = tgt->authtime;
708 _kdc_fix_time(&b->till);
709 et.endtime = min(tgt->endtime, *b->till);
710 ALLOC(et.starttime);
711 *et.starttime = kdc_time;
712
713 ret = check_tgs_flags(context, config, b, tgt, &et);
714 if(ret)
715 goto out;
716
717 /* We should check the transited encoding if:
718 1) the request doesn't ask not to be checked
719 2) globally enforcing a check
720 3) principal requires checking
721 4) we allow non-check per-principal, but principal isn't marked as allowing this
722 5) we don't globally allow this
723 */
724
725 #define GLOBAL_FORCE_TRANSITED_CHECK \
726 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
727 #define GLOBAL_ALLOW_PER_PRINCIPAL \
728 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
729 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
730 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
731
732 /* these will consult the database in future release */
733 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
734 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
735
736 ret = fix_transited_encoding(context, config,
737 !f.disable_transited_check ||
738 GLOBAL_FORCE_TRANSITED_CHECK ||
739 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
740 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
741 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
742 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
743 &tgt->transited, &et,
744 krb5_principal_get_realm(context, client_principal),
745 krb5_principal_get_realm(context, server->entry.principal),
746 krb5_principal_get_realm(context, krbtgt->entry.principal));
747 if(ret)
748 goto out;
749
750 copy_Realm(&server_principal->realm, &rep.ticket.realm);
751 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
752 copy_Realm(&tgt_name->realm, &rep.crealm);
753 /*
754 if (f.request_anonymous)
755 _kdc_make_anonymous_principalname (&rep.cname);
756 else */
757
758 copy_PrincipalName(&tgt_name->name, &rep.cname);
759 rep.ticket.tkt_vno = 5;
760
761 ek.caddr = et.caddr;
762 if(et.caddr == NULL)
763 et.caddr = tgt->caddr;
764
765 {
766 time_t life;
767 life = et.endtime - *et.starttime;
768 if(client && client->entry.max_life)
769 life = min(life, *client->entry.max_life);
770 if(server->entry.max_life)
771 life = min(life, *server->entry.max_life);
772 et.endtime = *et.starttime + life;
773 }
774 if(f.renewable_ok && tgt->flags.renewable &&
775 et.renew_till == NULL && et.endtime < *b->till){
776 et.flags.renewable = 1;
777 ALLOC(et.renew_till);
778 *et.renew_till = *b->till;
779 }
780 if(et.renew_till){
781 time_t renew;
782 renew = *et.renew_till - et.authtime;
783 if(client && client->entry.max_renew)
784 renew = min(renew, *client->entry.max_renew);
785 if(server->entry.max_renew)
786 renew = min(renew, *server->entry.max_renew);
787 *et.renew_till = et.authtime + renew;
788 }
789
790 if(et.renew_till){
791 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
792 *et.starttime = min(*et.starttime, *et.renew_till);
793 et.endtime = min(et.endtime, *et.renew_till);
794 }
795
796 *et.starttime = min(*et.starttime, et.endtime);
797
798 if(*et.starttime == et.endtime){
799 ret = KRB5KDC_ERR_NEVER_VALID;
800 goto out;
801 }
802 if(et.renew_till && et.endtime == *et.renew_till){
803 free(et.renew_till);
804 et.renew_till = NULL;
805 et.flags.renewable = 0;
806 }
807
808 et.flags.pre_authent = tgt->flags.pre_authent;
809 et.flags.hw_authent = tgt->flags.hw_authent;
810 et.flags.anonymous = tgt->flags.anonymous;
811 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
812
813 if(rspac->length) {
814 /*
815 * No not need to filter out the any PAC from the
816 * auth_data since it's signed by the KDC.
817 */
818 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
819 KRB5_AUTHDATA_WIN2K_PAC, rspac);
820 if (ret)
821 goto out;
822 }
823
824 if (auth_data) {
825 unsigned int i = 0;
826
827 /* XXX check authdata */
828
829 if (et.authorization_data == NULL) {
830 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
831 if (et.authorization_data == NULL) {
832 ret = ENOMEM;
833 krb5_set_error_message(context, ret, "malloc: out of memory");
834 goto out;
835 }
836 }
837 for(i = 0; i < auth_data->len ; i++) {
838 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
839 if (ret) {
840 krb5_set_error_message(context, ret, "malloc: out of memory");
841 goto out;
842 }
843 }
844
845 /* Filter out type KRB5SignedPath */
846 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
847 if (ret == 0) {
848 if (et.authorization_data->len == 1) {
849 free_AuthorizationData(et.authorization_data);
850 free(et.authorization_data);
851 et.authorization_data = NULL;
852 } else {
853 AuthorizationData *ad = et.authorization_data;
854 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
855 ad->len--;
856 }
857 }
858 }
859
860 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
861 if (ret)
862 goto out;
863 et.crealm = tgt->crealm;
864 et.cname = tgt_name->name;
865
866 ek.key = et.key;
867 /* MIT must have at least one last_req */
868 ek.last_req.len = 1;
869 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
870 if (ek.last_req.val == NULL) {
871 ret = ENOMEM;
872 goto out;
873 }
874 ek.nonce = b->nonce;
875 ek.flags = et.flags;
876 ek.authtime = et.authtime;
877 ek.starttime = et.starttime;
878 ek.endtime = et.endtime;
879 ek.renew_till = et.renew_till;
880 ek.srealm = rep.ticket.realm;
881 ek.sname = rep.ticket.sname;
882
883 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
884 et.endtime, et.renew_till);
885
886 /* Don't sign cross realm tickets, they can't be checked anyway */
887 {
888 char *r = get_krbtgt_realm(&ek.sname);
889
890 if (r == NULL || strcmp(r, ek.srealm) == 0) {
891 ret = _kdc_add_KRB5SignedPath(context,
892 config,
893 krbtgt,
894 krbtgt_etype,
895 client_principal,
896 NULL,
897 spp,
898 &et);
899 if (ret)
900 goto out;
901 }
902 }
903
904 if (enc_pa_data->len) {
905 rep.padata = calloc(1, sizeof(*rep.padata));
906 if (rep.padata == NULL) {
907 ret = ENOMEM;
908 goto out;
909 }
910 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
911 if (ret)
912 goto out;
913 }
914
915 if (krb5_enctype_valid(context, et.key.keytype) != 0
916 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
917 {
918 krb5_enctype_enable(context, et.key.keytype);
919 is_weak = 1;
920 }
921
922
923 /* It is somewhat unclear where the etype in the following
924 encryption should come from. What we have is a session
925 key in the passed tgt, and a list of preferred etypes
926 *for the new ticket*. Should we pick the best possible
927 etype, given the keytype in the tgt, or should we look
928 at the etype list here as well? What if the tgt
929 session key is DES3 and we want a ticket with a (say)
930 CAST session key. Should the DES3 etype be added to the
931 etype list, even if we don't want a session key with
932 DES3? */
933 ret = _kdc_encode_reply(context, config,
934 &rep, &et, &ek, et.key.keytype,
935 kvno,
936 serverkey, 0, replykey, rk_is_subkey,
937 e_text, reply);
938 if (is_weak)
939 krb5_enctype_disable(context, et.key.keytype);
940
941 out:
942 free_TGS_REP(&rep);
943 free_TransitedEncoding(&et.transited);
944 if(et.starttime)
945 free(et.starttime);
946 if(et.renew_till)
947 free(et.renew_till);
948 if(et.authorization_data) {
949 free_AuthorizationData(et.authorization_data);
950 free(et.authorization_data);
951 }
952 free_LastReq(&ek.last_req);
953 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
954 free_EncryptionKey(&et.key);
955 return ret;
956 }
957
958 static krb5_error_code
959 tgs_check_authenticator(krb5_context context,
960 krb5_kdc_configuration *config,
961 krb5_auth_context ac,
962 KDC_REQ_BODY *b,
963 const char **e_text,
964 krb5_keyblock *key)
965 {
966 krb5_authenticator auth;
967 size_t len;
968 unsigned char *buf;
969 size_t buf_size;
970 krb5_error_code ret;
971 krb5_crypto crypto;
972
973 krb5_auth_con_getauthenticator(context, ac, &auth);
974 if(auth->cksum == NULL){
975 kdc_log(context, config, 0, "No authenticator in request");
976 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
977 goto out;
978 }
979 /*
980 * according to RFC1510 it doesn't need to be keyed,
981 * but according to the latest draft it needs to.
982 */
983 if (
984 #if 0
985 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
986 ||
987 #endif
988 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
989 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
990 auth->cksum->cksumtype);
991 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
992 goto out;
993 }
994
995 /* XXX should not re-encode this */
996 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
997 if(ret){
998 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
999 krb5_get_err_text(context, ret));
1000 goto out;
1001 }
1002 if(buf_size != len) {
1003 free(buf);
1004 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1005 *e_text = "KDC internal error";
1006 ret = KRB5KRB_ERR_GENERIC;
1007 goto out;
1008 }
1009 ret = krb5_crypto_init(context, key, 0, &crypto);
1010 if (ret) {
1011 free(buf);
1012 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1013 krb5_get_err_text(context, ret));
1014 goto out;
1015 }
1016 ret = krb5_verify_checksum(context,
1017 crypto,
1018 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1019 buf,
1020 len,
1021 auth->cksum);
1022 free(buf);
1023 krb5_crypto_destroy(context, crypto);
1024 if(ret){
1025 kdc_log(context, config, 0,
1026 "Failed to verify authenticator checksum: %s",
1027 krb5_get_err_text(context, ret));
1028 }
1029 out:
1030 free_Authenticator(auth);
1031 free(auth);
1032 return ret;
1033 }
1034
1035 /*
1036 *
1037 */
1038
1039 static const char *
1040 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1041 {
1042 const char *new_realm = krb5_config_get_string(context,
1043 NULL,
1044 "capaths",
1045 crealm,
1046 srealm,
1047 NULL);
1048 return new_realm;
1049 }
1050
1051
1052 static krb5_boolean
1053 need_referral(krb5_context context, krb5_kdc_configuration *config,
1054 const KDCOptions * const options, krb5_principal server,
1055 krb5_realm **realms)
1056 {
1057 const char *name;
1058
1059 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1060 return FALSE;
1061
1062 if (server->name.name_string.len == 1)
1063 name = server->name.name_string.val[0];
1064 else if (server->name.name_string.len > 1)
1065 name = server->name.name_string.val[1];
1066 else
1067 return FALSE;
1068
1069 kdc_log(context, config, 0, "Searching referral for %s", name);
1070
1071 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1072 }
1073
1074 static krb5_error_code
1075 tgs_parse_request(krb5_context context,
1076 krb5_kdc_configuration *config,
1077 KDC_REQ_BODY *b,
1078 const PA_DATA *tgs_req,
1079 hdb_entry_ex **krbtgt,
1080 krb5_enctype *krbtgt_etype,
1081 krb5_ticket **ticket,
1082 const char **e_text,
1083 const char *from,
1084 const struct sockaddr *from_addr,
1085 time_t **csec,
1086 int **cusec,
1087 AuthorizationData **auth_data,
1088 krb5_keyblock **replykey,
1089 int *rk_is_subkey)
1090 {
1091 krb5_ap_req ap_req;
1092 krb5_error_code ret;
1093 krb5_principal princ;
1094 krb5_auth_context ac = NULL;
1095 krb5_flags ap_req_options;
1096 krb5_flags verify_ap_req_flags;
1097 krb5_crypto crypto;
1098 Key *tkey;
1099 krb5_keyblock *subkey = NULL;
1100 unsigned usage;
1101
1102 *auth_data = NULL;
1103 *csec = NULL;
1104 *cusec = NULL;
1105 *replykey = NULL;
1106
1107 memset(&ap_req, 0, sizeof(ap_req));
1108 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1109 if(ret){
1110 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
1111 krb5_get_err_text(context, ret));
1112 goto out;
1113 }
1114
1115 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1116 /* XXX check for ticket.sname == req.sname */
1117 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1118 ret = KRB5KDC_ERR_POLICY; /* ? */
1119 goto out;
1120 }
1121
1122 _krb5_principalname2krb5_principal(context,
1123 &princ,
1124 ap_req.ticket.sname,
1125 ap_req.ticket.realm);
1126
1127 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
1128
1129 if(ret) {
1130 char *p;
1131 ret = krb5_unparse_name(context, princ, &p);
1132 if (ret != 0)
1133 p = "<unparse_name failed>";
1134 krb5_free_principal(context, princ);
1135 kdc_log(context, config, 0,
1136 "Ticket-granting ticket not found in database: %s: %s",
1137 p, krb5_get_err_text(context, ret));
1138 if (ret == 0)
1139 free(p);
1140 ret = KRB5KRB_AP_ERR_NOT_US;
1141 goto out;
1142 }
1143
1144 if(ap_req.ticket.enc_part.kvno &&
1145 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1146 char *p;
1147
1148 ret = krb5_unparse_name (context, princ, &p);
1149 krb5_free_principal(context, princ);
1150 if (ret != 0)
1151 p = "<unparse_name failed>";
1152 kdc_log(context, config, 0,
1153 "Ticket kvno = %d, DB kvno = %d (%s)",
1154 *ap_req.ticket.enc_part.kvno,
1155 (*krbtgt)->entry.kvno,
1156 p);
1157 if (ret == 0)
1158 free (p);
1159 ret = KRB5KRB_AP_ERR_BADKEYVER;
1160 goto out;
1161 }
1162
1163 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1164
1165 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1166 ap_req.ticket.enc_part.etype, &tkey);
1167 if(ret){
1168 char *str = NULL, *p = NULL;
1169
1170 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1171 krb5_unparse_name(context, princ, &p);
1172 kdc_log(context, config, 0,
1173 "No server key with enctype %s found for %s",
1174 str ? str : "<unknown enctype>",
1175 p ? p : "<unparse_name failed>");
1176 free(str);
1177 free(p);
1178 ret = KRB5KRB_AP_ERR_BADKEYVER;
1179 goto out;
1180 }
1181
1182 if (b->kdc_options.validate)
1183 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1184 else
1185 verify_ap_req_flags = 0;
1186
1187 ret = krb5_verify_ap_req2(context,
1188 &ac,
1189 &ap_req,
1190 princ,
1191 &tkey->key,
1192 verify_ap_req_flags,
1193 &ap_req_options,
1194 ticket,
1195 KRB5_KU_TGS_REQ_AUTH);
1196
1197 krb5_free_principal(context, princ);
1198 if(ret) {
1199 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
1200 krb5_get_err_text(context, ret));
1201 goto out;
1202 }
1203
1204 {
1205 krb5_authenticator auth;
1206
1207 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1208 if (ret == 0) {
1209 *csec = malloc(sizeof(**csec));
1210 if (*csec == NULL) {
1211 krb5_free_authenticator(context, &auth);
1212 kdc_log(context, config, 0, "malloc failed");
1213 goto out;
1214 }
1215 **csec = auth->ctime;
1216 *cusec = malloc(sizeof(**cusec));
1217 if (*cusec == NULL) {
1218 krb5_free_authenticator(context, &auth);
1219 kdc_log(context, config, 0, "malloc failed");
1220 goto out;
1221 }
1222 **cusec = auth->cusec;
1223 krb5_free_authenticator(context, &auth);
1224 }
1225 }
1226
1227 ret = tgs_check_authenticator(context, config,
1228 ac, b, e_text, &(*ticket)->ticket.key);
1229 if (ret) {
1230 krb5_auth_con_free(context, ac);
1231 goto out;
1232 }
1233
1234 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1235 *rk_is_subkey = 1;
1236
1237 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1238 if(ret){
1239 krb5_auth_con_free(context, ac);
1240 kdc_log(context, config, 0, "Failed to get remote subkey: %s",
1241 krb5_get_err_text(context, ret));
1242 goto out;
1243 }
1244 if(subkey == NULL){
1245 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1246 *rk_is_subkey = 0;
1247
1248 ret = krb5_auth_con_getkey(context, ac, &subkey);
1249 if(ret) {
1250 krb5_auth_con_free(context, ac);
1251 kdc_log(context, config, 0, "Failed to get session key: %s",
1252 krb5_get_err_text(context, ret));
1253 goto out;
1254 }
1255 }
1256 if(subkey == NULL){
1257 krb5_auth_con_free(context, ac);
1258 kdc_log(context, config, 0,
1259 "Failed to get key for enc-authorization-data");
1260 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1261 goto out;
1262 }
1263
1264 *replykey = subkey;
1265
1266 if (b->enc_authorization_data) {
1267 krb5_data ad;
1268
1269 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1270 if (ret) {
1271 krb5_auth_con_free(context, ac);
1272 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1273 krb5_get_err_text(context, ret));
1274 goto out;
1275 }
1276 ret = krb5_decrypt_EncryptedData (context,
1277 crypto,
1278 usage,
1279 b->enc_authorization_data,
1280 &ad);
1281 krb5_crypto_destroy(context, crypto);
1282 if(ret){
1283 krb5_auth_con_free(context, ac);
1284 kdc_log(context, config, 0,
1285 "Failed to decrypt enc-authorization-data");
1286 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1287 goto out;
1288 }
1289 ALLOC(*auth_data);
1290 if (*auth_data == NULL) {
1291 krb5_auth_con_free(context, ac);
1292 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1293 goto out;
1294 }
1295 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1296 if(ret){
1297 krb5_auth_con_free(context, ac);
1298 free(*auth_data);
1299 *auth_data = NULL;
1300 kdc_log(context, config, 0, "Failed to decode authorization data");
1301 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1302 goto out;
1303 }
1304 }
1305
1306 krb5_auth_con_free(context, ac);
1307
1308 out:
1309 free_AP_REQ(&ap_req);
1310
1311 return ret;
1312 }
1313
1314 static krb5_error_code
1315 build_server_referral(krb5_context context,
1316 krb5_kdc_configuration *config,
1317 krb5_crypto session,
1318 krb5_const_realm referred_realm,
1319 const PrincipalName *true_principal_name,
1320 const PrincipalName *requested_principal,
1321 krb5_data *outdata)
1322 {
1323 PA_ServerReferralData ref;
1324 krb5_error_code ret;
1325 EncryptedData ed;
1326 krb5_data data;
1327 size_t size;
1328
1329 memset(&ref, 0, sizeof(ref));
1330
1331 if (referred_realm) {
1332 ALLOC(ref.referred_realm);
1333 if (ref.referred_realm == NULL)
1334 goto eout;
1335 *ref.referred_realm = strdup(referred_realm);
1336 if (*ref.referred_realm == NULL)
1337 goto eout;
1338 }
1339 if (true_principal_name) {
1340 ALLOC(ref.true_principal_name);
1341 if (ref.true_principal_name == NULL)
1342 goto eout;
1343 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1344 if (ret)
1345 goto eout;
1346 }
1347 if (requested_principal) {
1348 ALLOC(ref.requested_principal_name);
1349 if (ref.requested_principal_name == NULL)
1350 goto eout;
1351 ret = copy_PrincipalName(requested_principal,
1352 ref.requested_principal_name);
1353 if (ret)
1354 goto eout;
1355 }
1356
1357 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1358 data.data, data.length,
1359 &ref, &size, ret);
1360 free_PA_ServerReferralData(&ref);
1361 if (ret)
1362 return ret;
1363 if (data.length != size)
1364 krb5_abortx(context, "internal asn.1 encoder error");
1365
1366 ret = krb5_encrypt_EncryptedData(context, session,
1367 KRB5_KU_PA_SERVER_REFERRAL,
1368 data.data, data.length,
1369 0 /* kvno */, &ed);
1370 free(data.data);
1371 if (ret)
1372 return ret;
1373
1374 ASN1_MALLOC_ENCODE(EncryptedData,
1375 outdata->data, outdata->length,
1376 &ed, &size, ret);
1377 free_EncryptedData(&ed);
1378 if (ret)
1379 return ret;
1380 if (outdata->length != size)
1381 krb5_abortx(context, "internal asn.1 encoder error");
1382
1383 return 0;
1384 eout:
1385 free_PA_ServerReferralData(&ref);
1386 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1387 return ENOMEM;
1388 }
1389
1390 static krb5_error_code
1391 tgs_build_reply(krb5_context context,
1392 krb5_kdc_configuration *config,
1393 KDC_REQ *req,
1394 KDC_REQ_BODY *b,
1395 hdb_entry_ex *krbtgt,
1396 krb5_enctype krbtgt_etype,
1397 const krb5_keyblock *replykey,
1398 int rk_is_subkey,
1399 krb5_ticket *ticket,
1400 krb5_data *reply,
1401 const char *from,
1402 const char **e_text,
1403 AuthorizationData **auth_data,
1404 const struct sockaddr *from_addr)
1405 {
1406 krb5_error_code ret;
1407 krb5_principal cp = NULL, sp = NULL;
1408 krb5_principal client_principal = NULL;
1409 char *spn = NULL, *cpn = NULL;
1410 hdb_entry_ex *server = NULL, *client = NULL;
1411 HDB *clientdb;
1412 krb5_realm ref_realm = NULL;
1413 EncTicketPart *tgt = &ticket->ticket;
1414 krb5_principals spp = NULL;
1415 const EncryptionKey *ekey;
1416 krb5_keyblock sessionkey;
1417 krb5_kvno kvno;
1418 krb5_data rspac;
1419
1420 METHOD_DATA enc_pa_data;
1421
1422 PrincipalName *s;
1423 Realm r;
1424 int nloop = 0;
1425 EncTicketPart adtkt;
1426 char opt_str[128];
1427 int signedpath = 0;
1428
1429 Key *tkey;
1430
1431 memset(&sessionkey, 0, sizeof(sessionkey));
1432 memset(&adtkt, 0, sizeof(adtkt));
1433 krb5_data_zero(&rspac);
1434 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1435
1436 s = b->sname;
1437 r = b->realm;
1438
1439 if(b->kdc_options.enc_tkt_in_skey){
1440 Ticket *t;
1441 hdb_entry_ex *uu;
1442 krb5_principal p;
1443 Key *uukey;
1444
1445 if(b->additional_tickets == NULL ||
1446 b->additional_tickets->len == 0){
1447 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1448 kdc_log(context, config, 0,
1449 "No second ticket present in request");
1450 goto out;
1451 }
1452 t = &b->additional_tickets->val[0];
1453 if(!get_krbtgt_realm(&t->sname)){
1454 kdc_log(context, config, 0,
1455 "Additional ticket is not a ticket-granting ticket");
1456 ret = KRB5KDC_ERR_POLICY;
1457 goto out;
1458 }
1459 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1460 ret = _kdc_db_fetch(context, config, p,
1461 HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
1462 NULL, &uu);
1463 krb5_free_principal(context, p);
1464 if(ret){
1465 if (ret == HDB_ERR_NOENTRY)
1466 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1467 goto out;
1468 }
1469 ret = hdb_enctype2key(context, &uu->entry,
1470 t->enc_part.etype, &uukey);
1471 if(ret){
1472 _kdc_free_ent(context, uu);
1473 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1474 goto out;
1475 }
1476 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1477 _kdc_free_ent(context, uu);
1478 if(ret)
1479 goto out;
1480
1481 ret = verify_flags(context, config, &adtkt, spn);
1482 if (ret)
1483 goto out;
1484
1485 s = &adtkt.cname;
1486 r = adtkt.crealm;
1487 }
1488
1489 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1490 ret = krb5_unparse_name(context, sp, &spn);
1491 if (ret)
1492 goto out;
1493 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1494 ret = krb5_unparse_name(context, cp, &cpn);
1495 if (ret)
1496 goto out;
1497 unparse_flags (KDCOptions2int(b->kdc_options),
1498 asn1_KDCOptions_units(),
1499 opt_str, sizeof(opt_str));
1500 if(*opt_str)
1501 kdc_log(context, config, 0,
1502 "TGS-REQ %s from %s for %s [%s]",
1503 cpn, from, spn, opt_str);
1504 else
1505 kdc_log(context, config, 0,
1506 "TGS-REQ %s from %s for %s", cpn, from, spn);
1507
1508 /*
1509 * Fetch server
1510 */
1511
1512 server_lookup:
1513 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
1514 NULL, &server);
1515
1516 if(ret){
1517 const char *new_rlm;
1518 Realm req_rlm;
1519 krb5_realm *realms;
1520
1521 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1522 if(nloop++ < 2) {
1523 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1524 if(new_rlm) {
1525 kdc_log(context, config, 5, "krbtgt for realm %s "
1526 "not found, trying %s",
1527 req_rlm, new_rlm);
1528 krb5_free_principal(context, sp);
1529 free(spn);
1530 krb5_make_principal(context, &sp, r,
1531 KRB5_TGS_NAME, new_rlm, NULL);
1532 ret = krb5_unparse_name(context, sp, &spn);
1533 if (ret)
1534 goto out;
1535
1536 if (ref_realm)
1537 free(ref_realm);
1538 ref_realm = strdup(new_rlm);
1539 goto server_lookup;
1540 }
1541 }
1542 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1543 if (strcmp(realms[0], sp->realm) != 0) {
1544 kdc_log(context, config, 5,
1545 "Returning a referral to realm %s for "
1546 "server %s that was not found",
1547 realms[0], spn);
1548 krb5_free_principal(context, sp);
1549 free(spn);
1550 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1551 realms[0], NULL);
1552 ret = krb5_unparse_name(context, sp, &spn);
1553 if (ret)
1554 goto out;
1555
1556 if (ref_realm)
1557 free(ref_realm);
1558 ref_realm = strdup(realms[0]);
1559
1560 krb5_free_host_realm(context, realms);
1561 goto server_lookup;
1562 }
1563 krb5_free_host_realm(context, realms);
1564 }
1565 kdc_log(context, config, 0,
1566 "Server not found in database: %s: %s", spn,
1567 krb5_get_err_text(context, ret));
1568 if (ret == HDB_ERR_NOENTRY)
1569 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1570 goto out;
1571 }
1572
1573 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1574 &clientdb, &client);
1575 if(ret) {
1576 const char *krbtgt_realm;
1577
1578 /*
1579 * If the client belongs to the same realm as our krbtgt, it
1580 * should exist in the local database.
1581 *
1582 */
1583
1584 krbtgt_realm =
1585 krb5_principal_get_comp_string(context,
1586 krbtgt->entry.principal, 1);
1587
1588 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1589 if (ret == HDB_ERR_NOENTRY)
1590 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1591 kdc_log(context, config, 1, "Client no longer in database: %s",
1592 cpn);
1593 goto out;
1594 }
1595
1596 kdc_log(context, config, 1, "Client not found in database: %s: %s",
1597 cpn, krb5_get_err_text(context, ret));
1598 }
1599
1600 /*
1601 * Select enctype, return key and kvno.
1602 */
1603
1604 {
1605 krb5_enctype etype;
1606
1607 if(b->kdc_options.enc_tkt_in_skey) {
1608 int i;
1609 ekey = &adtkt.key;
1610 for(i = 0; i < b->etype.len; i++)
1611 if (b->etype.val[i] == adtkt.key.keytype)
1612 break;
1613 if(i == b->etype.len) {
1614 kdc_log(context, config, 0,
1615 "Addition ticket have not matching etypes");
1616 krb5_clear_error_message(context);
1617 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1618 goto out;
1619 }
1620 etype = b->etype.val[i];
1621 kvno = 0;
1622 } else {
1623 Key *skey;
1624
1625 ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
1626 &skey, &etype);
1627 if(ret) {
1628 kdc_log(context, config, 0,
1629 "Server (%s) has no support for etypes", spn);
1630 goto out;
1631 }
1632 ekey = &skey->key;
1633 kvno = server->entry.kvno;
1634 }
1635
1636 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1637 if (ret)
1638 goto out;
1639 }
1640
1641 /*
1642 * Check that service is in the same realm as the krbtgt. If it's
1643 * not the same, it's someone that is using a uni-directional trust
1644 * backward.
1645 */
1646
1647 if (strcmp(krb5_principal_get_realm(context, sp),
1648 krb5_principal_get_comp_string(context,
1649 krbtgt->entry.principal,
1650 1)) != 0) {
1651 char *tpn;
1652 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1653 kdc_log(context, config, 0,
1654 "Request with wrong krbtgt: %s",
1655 (ret == 0) ? tpn : "<unknown>");
1656 if(ret == 0)
1657 free(tpn);
1658 ret = KRB5KRB_AP_ERR_NOT_US;
1659 goto out;
1660 }
1661
1662 /*
1663 * Validate authoriation data
1664 */
1665
1666 ret = hdb_enctype2key(context, &krbtgt->entry,
1667 krbtgt_etype, &tkey);
1668 if(ret) {
1669 kdc_log(context, config, 0,
1670 "Failed to find key for krbtgt PAC check");
1671 goto out;
1672 }
1673
1674 ret = check_PAC(context, config, cp,
1675 client, server, ekey, &tkey->key,
1676 tgt, &rspac, &signedpath);
1677 if (ret) {
1678 kdc_log(context, config, 0,
1679 "Verify PAC failed for %s (%s) from %s with %s",
1680 spn, cpn, from, krb5_get_err_text(context, ret));
1681 goto out;
1682 }
1683
1684 /* also check the krbtgt for signature */
1685 ret = check_KRB5SignedPath(context,
1686 config,
1687 krbtgt,
1688 cp,
1689 tgt,
1690 &spp,
1691 &signedpath);
1692 if (ret) {
1693 kdc_log(context, config, 0,
1694 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1695 spn, cpn, from, krb5_get_err_text(context, ret));
1696 goto out;
1697 }
1698
1699 /*
1700 * Process request
1701 */
1702
1703 client_principal = cp;
1704
1705 if (client) {
1706 const PA_DATA *sdata;
1707 int i = 0;
1708
1709 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1710 if (sdata) {
1711 krb5_crypto crypto;
1712 krb5_data datack;
1713 PA_S4U2Self self;
1714 char *selfcpn = NULL;
1715 const char *str;
1716
1717 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1718 sdata->padata_value.length,
1719 &self, NULL);
1720 if (ret) {
1721 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1722 goto out;
1723 }
1724
1725 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1726 if (ret)
1727 goto out;
1728
1729 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1730 if (ret) {
1731 free_PA_S4U2Self(&self);
1732 krb5_data_free(&datack);
1733 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1734 krb5_get_err_text(context, ret));
1735 goto out;
1736 }
1737
1738 ret = krb5_verify_checksum(context,
1739 crypto,
1740 KRB5_KU_OTHER_CKSUM,
1741 datack.data,
1742 datack.length,
1743 &self.cksum);
1744 krb5_data_free(&datack);
1745 krb5_crypto_destroy(context, crypto);
1746 if (ret) {
1747 free_PA_S4U2Self(&self);
1748 kdc_log(context, config, 0,
1749 "krb5_verify_checksum failed for S4U2Self: %s",
1750 krb5_get_err_text(context, ret));
1751 goto out;
1752 }
1753
1754 ret = _krb5_principalname2krb5_principal(context,
1755 &client_principal,
1756 self.name,
1757 self.realm);
1758 free_PA_S4U2Self(&self);
1759 if (ret)
1760 goto out;
1761
1762 ret = krb5_unparse_name(context, client_principal, &selfcpn);
1763 if (ret)
1764 goto out;
1765
1766 /*
1767 * Check that service doing the impersonating is
1768 * requesting a ticket to it-self.
1769 */
1770 if (krb5_principal_compare(context, cp, sp) != TRUE) {
1771 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1772 "to impersonate some other user "
1773 "(tried for user %s to service %s)",
1774 cpn, selfcpn, spn);
1775 free(selfcpn);
1776 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1777 goto out;
1778 }
1779
1780 /*
1781 * If the service isn't trusted for authentication to
1782 * delegation, remove the forward flag.
1783 */
1784
1785 if (client->entry.flags.trusted_for_delegation) {
1786 str = "[forwardable]";
1787 } else {
1788 b->kdc_options.forwardable = 0;
1789 str = "";
1790 }
1791 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1792 "service %s %s", cpn, selfcpn, spn, str);
1793 free(selfcpn);
1794 }
1795 }
1796
1797 /*
1798 * Constrained delegation
1799 */
1800
1801 if (client != NULL
1802 && b->additional_tickets != NULL
1803 && b->additional_tickets->len != 0
1804 && b->kdc_options.enc_tkt_in_skey == 0)
1805 {
1806 int ad_signedpath = 0;
1807 Key *clientkey;
1808 Ticket *t;
1809 char *str;
1810
1811 /*
1812 * Require that the KDC have issued the service's krbtgt (not
1813 * self-issued ticket with kimpersonate(1).
1814 */
1815 if (!signedpath) {
1816 ret = KRB5KDC_ERR_BADOPTION;
1817 kdc_log(context, config, 0,
1818 "Constrained delegation done on service ticket %s/%s",
1819 cpn, spn);
1820 goto out;
1821 }
1822
1823 t = &b->additional_tickets->val[0];
1824
1825 ret = hdb_enctype2key(context, &client->entry,
1826 t->enc_part.etype, &clientkey);
1827 if(ret){
1828 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1829 goto out;
1830 }
1831
1832 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
1833 if (ret) {
1834 kdc_log(context, config, 0,
1835 "failed to decrypt ticket for "
1836 "constrained delegation from %s to %s ", cpn, spn);
1837 goto out;
1838 }
1839
1840 /* check that ticket is valid */
1841 if (adtkt.flags.forwardable == 0) {
1842 kdc_log(context, config, 0,
1843 "Missing forwardable flag on ticket for "
1844 "constrained delegation from %s to %s ", cpn, spn);
1845 ret = KRB5KDC_ERR_BADOPTION;
1846 goto out;
1847 }
1848
1849 ret = check_constrained_delegation(context, config, clientdb,
1850 client, sp);
1851 if (ret) {
1852 kdc_log(context, config, 0,
1853 "constrained delegation from %s to %s not allowed",
1854 cpn, spn);
1855 goto out;
1856 }
1857
1858 ret = _krb5_principalname2krb5_principal(context,
1859 &client_principal,
1860 adtkt.cname,
1861 adtkt.crealm);
1862 if (ret)
1863 goto out;
1864
1865 ret = krb5_unparse_name(context, client_principal, &str);
1866 if (ret)
1867 goto out;
1868
1869 ret = verify_flags(context, config, &adtkt, str);
1870 if (ret) {
1871 free(str);
1872 goto out;
1873 }
1874
1875 /*
1876 * Check that the KDC issued the user's ticket.
1877 */
1878 ret = check_KRB5SignedPath(context,
1879 config,
1880 krbtgt,
1881 cp,
1882 &adtkt,
1883 NULL,
1884 &ad_signedpath);
1885 if (ret == 0 && !ad_signedpath)
1886 ret = KRB5KDC_ERR_BADOPTION;
1887 if (ret) {
1888 kdc_log(context, config, 0,
1889 "KRB5SignedPath check from service %s failed "
1890 "for delegation to %s for client %s "
1891 "from %s failed with %s",
1892 spn, str, cpn, from, krb5_get_err_text(context, ret));
1893 free(str);
1894 goto out;
1895 }
1896
1897 kdc_log(context, config, 0, "constrained delegation for %s "
1898 "from %s to %s", str, cpn, spn);
1899 free(str);
1900 }
1901
1902 /*
1903 * Check flags
1904 */
1905
1906 ret = kdc_check_flags(context, config,
1907 client, cpn,
1908 server, spn,
1909 FALSE);
1910 if(ret)
1911 goto out;
1912
1913 if((b->kdc_options.validate || b->kdc_options.renew) &&
1914 !krb5_principal_compare(context,
1915 krbtgt->entry.principal,
1916 server->entry.principal)){
1917 kdc_log(context, config, 0, "Inconsistent request.");
1918 ret = KRB5KDC_ERR_SERVER_NOMATCH;
1919 goto out;
1920 }
1921
1922 /* check for valid set of addresses */
1923 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
1924 ret = KRB5KRB_AP_ERR_BADADDR;
1925 kdc_log(context, config, 0, "Request from wrong address");
1926 goto out;
1927 }
1928
1929 /*
1930 * If this is an referral, add server referral data to the
1931 * auth_data reply .
1932 */
1933 if (ref_realm) {
1934 PA_DATA pa;
1935 krb5_crypto crypto;
1936
1937 kdc_log(context, config, 0,
1938 "Adding server referral to %s", ref_realm);
1939
1940 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
1941 if (ret)
1942 goto out;
1943
1944 ret = build_server_referral(context, config, crypto, ref_realm,
1945 NULL, s, &pa.padata_value);
1946 krb5_crypto_destroy(context, crypto);
1947 if (ret) {
1948 kdc_log(context, config, 0,
1949 "Failed building server referral");
1950 goto out;
1951 }
1952 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
1953
1954 ret = add_METHOD_DATA(&enc_pa_data, &pa);
1955 krb5_data_free(&pa.padata_value);
1956 if (ret) {
1957 kdc_log(context, config, 0,
1958 "Add server referral METHOD-DATA failed");
1959 goto out;
1960 }
1961 }
1962
1963 /*
1964 *
1965 */
1966
1967 ret = tgs_make_reply(context,
1968 config,
1969 b,
1970 client_principal,
1971 tgt,
1972 replykey,
1973 rk_is_subkey,
1974 ekey,
1975 &sessionkey,
1976 kvno,
1977 *auth_data,
1978 server,
1979 sp,
1980 spn,
1981 client,
1982 cp,
1983 krbtgt,
1984 krbtgt_etype,
1985 spp,
1986 &rspac,
1987 &enc_pa_data,
1988 e_text,
1989 reply);
1990
1991 out:
1992 free(spn);
1993 free(cpn);
1994
1995 krb5_data_free(&rspac);
1996 krb5_free_keyblock_contents(context, &sessionkey);
1997 if(server)
1998 _kdc_free_ent(context, server);
1999 if(client)
2000 _kdc_free_ent(context, client);
2001
2002 if (client_principal && client_principal != cp)
2003 krb5_free_principal(context, client_principal);
2004 if (cp)
2005 krb5_free_principal(context, cp);
2006 if (sp)
2007 krb5_free_principal(context, sp);
2008 if (ref_realm)
2009 free(ref_realm);
2010 free_METHOD_DATA(&enc_pa_data);
2011
2012 free_EncTicketPart(&adtkt);
2013
2014 return ret;
2015 }
2016
2017 /*
2018 *
2019 */
2020
2021 krb5_error_code
2022 _kdc_tgs_rep(krb5_context context,
2023 krb5_kdc_configuration *config,
2024 KDC_REQ *req,
2025 krb5_data *data,
2026 const char *from,
2027 struct sockaddr *from_addr,
2028 int datagram_reply)
2029 {
2030 AuthorizationData *auth_data = NULL;
2031 krb5_error_code ret;
2032 int i = 0;
2033 const PA_DATA *tgs_req;
2034
2035 hdb_entry_ex *krbtgt = NULL;
2036 krb5_ticket *ticket = NULL;
2037 const char *e_text = NULL;
2038 krb5_enctype krbtgt_etype = ETYPE_NULL;
2039
2040 krb5_keyblock *replykey = NULL;
2041 int rk_is_subkey = 0;
2042 time_t *csec = NULL;
2043 int *cusec = NULL;
2044
2045 if(req->padata == NULL){
2046 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2047 kdc_log(context, config, 0,
2048 "TGS-REQ from %s without PA-DATA", from);
2049 goto out;
2050 }
2051
2052 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2053
2054 if(tgs_req == NULL){
2055 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2056
2057 kdc_log(context, config, 0,
2058 "TGS-REQ from %s without PA-TGS-REQ", from);
2059 goto out;
2060 }
2061 ret = tgs_parse_request(context, config,
2062 &req->req_body, tgs_req,
2063 &krbtgt,
2064 &krbtgt_etype,
2065 &ticket,
2066 &e_text,
2067 from, from_addr,
2068 &csec, &cusec,
2069 &auth_data,
2070 &replykey,
2071 &rk_is_subkey);
2072 if (ret) {
2073 kdc_log(context, config, 0,
2074 "Failed parsing TGS-REQ from %s", from);
2075 goto out;
2076 }
2077
2078 ret = tgs_build_reply(context,
2079 config,
2080 req,
2081 &req->req_body,
2082 krbtgt,
2083 krbtgt_etype,
2084 replykey,
2085 rk_is_subkey,
2086 ticket,
2087 data,
2088 from,
2089 &e_text,
2090 &auth_data,
2091 from_addr);
2092 if (ret) {
2093 kdc_log(context, config, 0,
2094 "Failed building TGS-REP to %s", from);
2095 goto out;
2096 }
2097
2098 /* */
2099 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2100 krb5_data_free(data);
2101 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2102 e_text = "Reply packet too large";
2103 }
2104
2105 out:
2106 if (replykey)
2107 krb5_free_keyblock(context, replykey);
2108 if(ret && data->data == NULL){
2109 krb5_mk_error(context,
2110 ret,
2111 NULL,
2112 NULL,
2113 NULL,
2114 NULL,
2115 csec,
2116 cusec,
2117 data);
2118 }
2119 free(csec);
2120 free(cusec);
2121 if (ticket)
2122 krb5_free_ticket(context, ticket);
2123 if(krbtgt)
2124 _kdc_free_ent(context, krbtgt);
2125
2126 if (auth_data) {
2127 free_AuthorizationData(auth_data);
2128 free(auth_data);
2129 }
2130
2131 return 0;
2132 }
Heimdal