search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Maybe include <sys/types.h> and <sys/select.h>
[heimdal.git] / kdc / krb5tgs.c
blob33fafc4c4f35b6e5e63fb4ddb0597f775276f669
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size = 0;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size = 0;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
230 if (ret == 0)
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
232 if (ret) {
233 free(data.data);
234 free_KRB5SignedPath(&sp);
235 return ret;
236 }
237 }
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
240 &sp.cksum);
241 krb5_crypto_destroy(context, crypto);
242 free(data.data);
243 if (ret) {
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
247 return 0;
248 }
249
250 if (delegated && sp.delegated) {
251
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
255 return ENOMEM;
256 }
257
258 ret = copy_Principals(*delegated, sp.delegated);
259 if (ret) {
260 free_KRB5SignedPath(&sp);
261 free(*delegated);
262 *delegated = NULL;
263 return ret;
264 }
265 }
266 free_KRB5SignedPath(&sp);
267
268 *signedpath = 1;
269 }
270
271 return 0;
272 }
273
274 /*
275 *
276 */
277
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 hdb_entry_ex *client,
283 hdb_entry_ex *server,
284 hdb_entry_ex *krbtgt,
285 const EncryptionKey *server_key,
286 const EncryptionKey *krbtgt_check_key,
287 const EncryptionKey *krbtgt_sign_key,
288 EncTicketPart *tkt,
289 krb5_data *rspac,
290 int *signedpath)
291 {
292 AuthorizationData *ad = tkt->authorization_data;
293 unsigned i, j;
294 krb5_error_code ret;
295
296 if (ad == NULL || ad->len == 0)
297 return 0;
298
299 for (i = 0; i < ad->len; i++) {
300 AuthorizationData child;
301
302 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
303 continue;
304
305 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
306 ad->val[i].ad_data.length,
307 &child,
308 NULL);
309 if (ret) {
310 krb5_set_error_message(context, ret, "Failed to decode "
311 "IF_RELEVANT with %d", ret);
312 return ret;
313 }
314 for (j = 0; j < child.len; j++) {
315
316 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
317 int signed_pac = 0;
318 krb5_pac pac;
319
320 /* Found PAC */
321 ret = krb5_pac_parse(context,
322 child.val[j].ad_data.data,
323 child.val[j].ad_data.length,
324 &pac);
325 free_AuthorizationData(&child);
326 if (ret)
327 return ret;
328
329 ret = krb5_pac_verify(context, pac, tkt->authtime,
330 client_principal,
331 krbtgt_check_key, NULL);
332 if (ret) {
333 krb5_pac_free(context, pac);
334 return ret;
335 }
336
337 ret = _kdc_pac_verify(context, client_principal,
338 client, server, krbtgt, &pac, &signed_pac);
339 if (ret) {
340 krb5_pac_free(context, pac);
341 return ret;
342 }
343
344 /*
345 * Only re-sign PAC if we could verify it with the PAC
346 * function. The no-verify case happens when we get in
347 * a PAC from cross realm from a Windows domain and
348 * that there is no PAC verification function.
349 */
350 if (signed_pac) {
351 *signedpath = 1;
352 ret = _krb5_pac_sign(context, pac, tkt->authtime,
353 client_principal,
354 server_key, krbtgt_sign_key, rspac);
355 }
356 krb5_pac_free(context, pac);
357
358 return ret;
359 }
360 }
361 free_AuthorizationData(&child);
362 }
363 return 0;
364 }
365
366 /*
367 *
368 */
369
370 static krb5_error_code
371 check_tgs_flags(krb5_context context,
372 krb5_kdc_configuration *config,
373 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
374 {
375 KDCOptions f = b->kdc_options;
376
377 if(f.validate){
378 if(!tgt->flags.invalid || tgt->starttime == NULL){
379 kdc_log(context, config, 0,
380 "Bad request to validate ticket");
381 return KRB5KDC_ERR_BADOPTION;
382 }
383 if(*tgt->starttime > kdc_time){
384 kdc_log(context, config, 0,
385 "Early request to validate ticket");
386 return KRB5KRB_AP_ERR_TKT_NYV;
387 }
388 /* XXX tkt = tgt */
389 et->flags.invalid = 0;
390 }else if(tgt->flags.invalid){
391 kdc_log(context, config, 0,
392 "Ticket-granting ticket has INVALID flag set");
393 return KRB5KRB_AP_ERR_TKT_INVALID;
394 }
395
396 if(f.forwardable){
397 if(!tgt->flags.forwardable){
398 kdc_log(context, config, 0,
399 "Bad request for forwardable ticket");
400 return KRB5KDC_ERR_BADOPTION;
401 }
402 et->flags.forwardable = 1;
403 }
404 if(f.forwarded){
405 if(!tgt->flags.forwardable){
406 kdc_log(context, config, 0,
407 "Request to forward non-forwardable ticket");
408 return KRB5KDC_ERR_BADOPTION;
409 }
410 et->flags.forwarded = 1;
411 et->caddr = b->addresses;
412 }
413 if(tgt->flags.forwarded)
414 et->flags.forwarded = 1;
415
416 if(f.proxiable){
417 if(!tgt->flags.proxiable){
418 kdc_log(context, config, 0,
419 "Bad request for proxiable ticket");
420 return KRB5KDC_ERR_BADOPTION;
421 }
422 et->flags.proxiable = 1;
423 }
424 if(f.proxy){
425 if(!tgt->flags.proxiable){
426 kdc_log(context, config, 0,
427 "Request to proxy non-proxiable ticket");
428 return KRB5KDC_ERR_BADOPTION;
429 }
430 et->flags.proxy = 1;
431 et->caddr = b->addresses;
432 }
433 if(tgt->flags.proxy)
434 et->flags.proxy = 1;
435
436 if(f.allow_postdate){
437 if(!tgt->flags.may_postdate){
438 kdc_log(context, config, 0,
439 "Bad request for post-datable ticket");
440 return KRB5KDC_ERR_BADOPTION;
441 }
442 et->flags.may_postdate = 1;
443 }
444 if(f.postdated){
445 if(!tgt->flags.may_postdate){
446 kdc_log(context, config, 0,
447 "Bad request for postdated ticket");
448 return KRB5KDC_ERR_BADOPTION;
449 }
450 if(b->from)
451 *et->starttime = *b->from;
452 et->flags.postdated = 1;
453 et->flags.invalid = 1;
454 }else if(b->from && *b->from > kdc_time + context->max_skew){
455 kdc_log(context, config, 0, "Ticket cannot be postdated");
456 return KRB5KDC_ERR_CANNOT_POSTDATE;
457 }
458
459 if(f.renewable){
460 if(!tgt->flags.renewable || tgt->renew_till == NULL){
461 kdc_log(context, config, 0,
462 "Bad request for renewable ticket");
463 return KRB5KDC_ERR_BADOPTION;
464 }
465 et->flags.renewable = 1;
466 ALLOC(et->renew_till);
467 _kdc_fix_time(&b->rtime);
468 *et->renew_till = *b->rtime;
469 }
470 if(f.renew){
471 time_t old_life;
472 if(!tgt->flags.renewable || tgt->renew_till == NULL){
473 kdc_log(context, config, 0,
474 "Request to renew non-renewable ticket");
475 return KRB5KDC_ERR_BADOPTION;
476 }
477 old_life = tgt->endtime;
478 if(tgt->starttime)
479 old_life -= *tgt->starttime;
480 else
481 old_life -= tgt->authtime;
482 et->endtime = *et->starttime + old_life;
483 if (et->renew_till != NULL)
484 et->endtime = min(*et->renew_till, et->endtime);
485 }
486
487 #if 0
488 /* checks for excess flags */
489 if(f.request_anonymous && !config->allow_anonymous){
490 kdc_log(context, config, 0,
491 "Request for anonymous ticket");
492 return KRB5KDC_ERR_BADOPTION;
493 }
494 #endif
495 return 0;
496 }
497
498 /*
499 * Determine if constrained delegation is allowed from this client to this server
500 */
501
502 static krb5_error_code
503 check_constrained_delegation(krb5_context context,
504 krb5_kdc_configuration *config,
505 HDB *clientdb,
506 hdb_entry_ex *client,
507 krb5_const_principal server)
508 {
509 const HDB_Ext_Constrained_delegation_acl *acl;
510 krb5_error_code ret;
511 size_t i;
512
513 /* if client delegates to itself, that ok */
514 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
515 return 0;
516
517 if (clientdb->hdb_check_constrained_delegation) {
518 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
519 if (ret == 0)
520 return 0;
521 } else {
522 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
523 if (ret) {
524 krb5_clear_error_message(context);
525 return ret;
526 }
527
528 if (acl) {
529 for (i = 0; i < acl->len; i++) {
530 if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
531 return 0;
532 }
533 }
534 ret = KRB5KDC_ERR_BADOPTION;
535 }
536 kdc_log(context, config, 0,
537 "Bad request for constrained delegation");
538 return ret;
539 }
540
541 /*
542 * Determine if s4u2self is allowed from this client to this server
543 *
544 * For example, regardless of the principal being impersonated, if the
545 * 'client' and 'server' are the same, then it's safe.
546 */
547
548 static krb5_error_code
549 check_s4u2self(krb5_context context,
550 krb5_kdc_configuration *config,
551 HDB *clientdb,
552 hdb_entry_ex *client,
553 krb5_const_principal server)
554 {
555 krb5_error_code ret;
556
557 /* if client does a s4u2self to itself, that ok */
558 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
559 return 0;
560
561 if (clientdb->hdb_check_s4u2self) {
562 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
563 if (ret == 0)
564 return 0;
565 } else {
566 ret = KRB5KDC_ERR_BADOPTION;
567 }
568 return ret;
569 }
570
571 /*
572 *
573 */
574
575 static krb5_error_code
576 verify_flags (krb5_context context,
577 krb5_kdc_configuration *config,
578 const EncTicketPart *et,
579 const char *pstr)
580 {
581 if(et->endtime < kdc_time){
582 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
583 return KRB5KRB_AP_ERR_TKT_EXPIRED;
584 }
585 if(et->flags.invalid){
586 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
587 return KRB5KRB_AP_ERR_TKT_NYV;
588 }
589 return 0;
590 }
591
592 /*
593 *
594 */
595
596 static krb5_error_code
597 fix_transited_encoding(krb5_context context,
598 krb5_kdc_configuration *config,
599 krb5_boolean check_policy,
600 const TransitedEncoding *tr,
601 EncTicketPart *et,
602 const char *client_realm,
603 const char *server_realm,
604 const char *tgt_realm)
605 {
606 krb5_error_code ret = 0;
607 char **realms, **tmp;
608 unsigned int num_realms;
609 size_t i;
610
611 switch (tr->tr_type) {
612 case DOMAIN_X500_COMPRESS:
613 break;
614 case 0:
615 /*
616 * Allow empty content of type 0 because that is was Microsoft
617 * generates in their TGT.
618 */
619 if (tr->contents.length == 0)
620 break;
621 kdc_log(context, config, 0,
622 "Transited type 0 with non empty content");
623 return KRB5KDC_ERR_TRTYPE_NOSUPP;
624 default:
625 kdc_log(context, config, 0,
626 "Unknown transited type: %u", tr->tr_type);
627 return KRB5KDC_ERR_TRTYPE_NOSUPP;
628 }
629
630 ret = krb5_domain_x500_decode(context,
631 tr->contents,
632 &realms,
633 &num_realms,
634 client_realm,
635 server_realm);
636 if(ret){
637 krb5_warn(context, ret,
638 "Decoding transited encoding");
639 return ret;
640 }
641 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
642 /* not us, so add the previous realm to transited set */
643 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
644 ret = ERANGE;
645 goto free_realms;
646 }
647 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
648 if(tmp == NULL){
649 ret = ENOMEM;
650 goto free_realms;
651 }
652 realms = tmp;
653 realms[num_realms] = strdup(tgt_realm);
654 if(realms[num_realms] == NULL){
655 ret = ENOMEM;
656 goto free_realms;
657 }
658 num_realms++;
659 }
660 if(num_realms == 0) {
661 if(strcmp(client_realm, server_realm))
662 kdc_log(context, config, 0,
663 "cross-realm %s -> %s", client_realm, server_realm);
664 } else {
665 size_t l = 0;
666 char *rs;
667 for(i = 0; i < num_realms; i++)
668 l += strlen(realms[i]) + 2;
669 rs = malloc(l);
670 if(rs != NULL) {
671 *rs = '\0';
672 for(i = 0; i < num_realms; i++) {
673 if(i > 0)
674 strlcat(rs, ", ", l);
675 strlcat(rs, realms[i], l);
676 }
677 kdc_log(context, config, 0,
678 "cross-realm %s -> %s via [%s]",
679 client_realm, server_realm, rs);
680 free(rs);
681 }
682 }
683 if(check_policy) {
684 ret = krb5_check_transited(context, client_realm,
685 server_realm,
686 realms, num_realms, NULL);
687 if(ret) {
688 krb5_warn(context, ret, "cross-realm %s -> %s",
689 client_realm, server_realm);
690 goto free_realms;
691 }
692 et->flags.transited_policy_checked = 1;
693 }
694 et->transited.tr_type = DOMAIN_X500_COMPRESS;
695 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
696 if(ret)
697 krb5_warn(context, ret, "Encoding transited encoding");
698 free_realms:
699 for(i = 0; i < num_realms; i++)
700 free(realms[i]);
701 free(realms);
702 return ret;
703 }
704
705
706 static krb5_error_code
707 tgs_make_reply(krb5_context context,
708 krb5_kdc_configuration *config,
709 KDC_REQ_BODY *b,
710 krb5_const_principal tgt_name,
711 const EncTicketPart *tgt,
712 const krb5_keyblock *replykey,
713 int rk_is_subkey,
714 const EncryptionKey *serverkey,
715 const krb5_keyblock *sessionkey,
716 krb5_kvno kvno,
717 AuthorizationData *auth_data,
718 hdb_entry_ex *server,
719 krb5_principal server_principal,
720 const char *server_name,
721 hdb_entry_ex *client,
722 krb5_principal client_principal,
723 hdb_entry_ex *krbtgt,
724 krb5_enctype krbtgt_etype,
725 krb5_principals spp,
726 const krb5_data *rspac,
727 const METHOD_DATA *enc_pa_data,
728 const char **e_text,
729 krb5_data *reply)
730 {
731 KDC_REP rep;
732 EncKDCRepPart ek;
733 EncTicketPart et;
734 KDCOptions f = b->kdc_options;
735 krb5_error_code ret;
736 int is_weak = 0;
737
738 memset(&rep, 0, sizeof(rep));
739 memset(&et, 0, sizeof(et));
740 memset(&ek, 0, sizeof(ek));
741
742 rep.pvno = 5;
743 rep.msg_type = krb_tgs_rep;
744
745 et.authtime = tgt->authtime;
746 _kdc_fix_time(&b->till);
747 et.endtime = min(tgt->endtime, *b->till);
748 ALLOC(et.starttime);
749 *et.starttime = kdc_time;
750
751 ret = check_tgs_flags(context, config, b, tgt, &et);
752 if(ret)
753 goto out;
754
755 /* We should check the transited encoding if:
756 1) the request doesn't ask not to be checked
757 2) globally enforcing a check
758 3) principal requires checking
759 4) we allow non-check per-principal, but principal isn't marked as allowing this
760 5) we don't globally allow this
761 */
762
763 #define GLOBAL_FORCE_TRANSITED_CHECK \
764 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
765 #define GLOBAL_ALLOW_PER_PRINCIPAL \
766 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
767 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
768 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
769
770 /* these will consult the database in future release */
771 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
772 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
773
774 ret = fix_transited_encoding(context, config,
775 !f.disable_transited_check ||
776 GLOBAL_FORCE_TRANSITED_CHECK ||
777 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
778 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
779 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
780 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
781 &tgt->transited, &et,
782 krb5_principal_get_realm(context, client_principal),
783 krb5_principal_get_realm(context, server->entry.principal),
784 krb5_principal_get_realm(context, krbtgt->entry.principal));
785 if(ret)
786 goto out;
787
788 copy_Realm(&server_principal->realm, &rep.ticket.realm);
789 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
790 copy_Realm(&tgt_name->realm, &rep.crealm);
791 /*
792 if (f.request_anonymous)
793 _kdc_make_anonymous_principalname (&rep.cname);
794 else */
795
796 copy_PrincipalName(&tgt_name->name, &rep.cname);
797 rep.ticket.tkt_vno = 5;
798
799 ek.caddr = et.caddr;
800 if(et.caddr == NULL)
801 et.caddr = tgt->caddr;
802
803 {
804 time_t life;
805 life = et.endtime - *et.starttime;
806 if(client && client->entry.max_life)
807 life = min(life, *client->entry.max_life);
808 if(server->entry.max_life)
809 life = min(life, *server->entry.max_life);
810 et.endtime = *et.starttime + life;
811 }
812 if(f.renewable_ok && tgt->flags.renewable &&
813 et.renew_till == NULL && et.endtime < *b->till &&
814 tgt->renew_till != NULL)
815 {
816 et.flags.renewable = 1;
817 ALLOC(et.renew_till);
818 *et.renew_till = *b->till;
819 }
820 if(et.renew_till){
821 time_t renew;
822 renew = *et.renew_till - et.authtime;
823 if(client && client->entry.max_renew)
824 renew = min(renew, *client->entry.max_renew);
825 if(server->entry.max_renew)
826 renew = min(renew, *server->entry.max_renew);
827 *et.renew_till = et.authtime + renew;
828 }
829
830 if(et.renew_till){
831 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
832 *et.starttime = min(*et.starttime, *et.renew_till);
833 et.endtime = min(et.endtime, *et.renew_till);
834 }
835
836 *et.starttime = min(*et.starttime, et.endtime);
837
838 if(*et.starttime == et.endtime){
839 ret = KRB5KDC_ERR_NEVER_VALID;
840 goto out;
841 }
842 if(et.renew_till && et.endtime == *et.renew_till){
843 free(et.renew_till);
844 et.renew_till = NULL;
845 et.flags.renewable = 0;
846 }
847
848 et.flags.pre_authent = tgt->flags.pre_authent;
849 et.flags.hw_authent = tgt->flags.hw_authent;
850 et.flags.anonymous = tgt->flags.anonymous;
851 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
852
853 if(rspac->length) {
854 /*
855 * No not need to filter out the any PAC from the
856 * auth_data since it's signed by the KDC.
857 */
858 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
859 KRB5_AUTHDATA_WIN2K_PAC, rspac);
860 if (ret)
861 goto out;
862 }
863
864 if (auth_data) {
865 unsigned int i = 0;
866
867 /* XXX check authdata */
868
869 if (et.authorization_data == NULL) {
870 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
871 if (et.authorization_data == NULL) {
872 ret = ENOMEM;
873 krb5_set_error_message(context, ret, "malloc: out of memory");
874 goto out;
875 }
876 }
877 for(i = 0; i < auth_data->len ; i++) {
878 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
879 if (ret) {
880 krb5_set_error_message(context, ret, "malloc: out of memory");
881 goto out;
882 }
883 }
884
885 /* Filter out type KRB5SignedPath */
886 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
887 if (ret == 0) {
888 if (et.authorization_data->len == 1) {
889 free_AuthorizationData(et.authorization_data);
890 free(et.authorization_data);
891 et.authorization_data = NULL;
892 } else {
893 AuthorizationData *ad = et.authorization_data;
894 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
895 ad->len--;
896 }
897 }
898 }
899
900 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
901 if (ret)
902 goto out;
903 et.crealm = tgt->crealm;
904 et.cname = tgt_name->name;
905
906 ek.key = et.key;
907 /* MIT must have at least one last_req */
908 ek.last_req.len = 1;
909 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
910 if (ek.last_req.val == NULL) {
911 ret = ENOMEM;
912 goto out;
913 }
914 ek.nonce = b->nonce;
915 ek.flags = et.flags;
916 ek.authtime = et.authtime;
917 ek.starttime = et.starttime;
918 ek.endtime = et.endtime;
919 ek.renew_till = et.renew_till;
920 ek.srealm = rep.ticket.realm;
921 ek.sname = rep.ticket.sname;
922
923 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
924 et.endtime, et.renew_till);
925
926 /* Don't sign cross realm tickets, they can't be checked anyway */
927 {
928 char *r = get_krbtgt_realm(&ek.sname);
929
930 if (r == NULL || strcmp(r, ek.srealm) == 0) {
931 ret = _kdc_add_KRB5SignedPath(context,
932 config,
933 krbtgt,
934 krbtgt_etype,
935 client_principal,
936 NULL,
937 spp,
938 &et);
939 if (ret)
940 goto out;
941 }
942 }
943
944 if (enc_pa_data->len) {
945 rep.padata = calloc(1, sizeof(*rep.padata));
946 if (rep.padata == NULL) {
947 ret = ENOMEM;
948 goto out;
949 }
950 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
951 if (ret)
952 goto out;
953 }
954
955 if (krb5_enctype_valid(context, et.key.keytype) != 0
956 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
957 {
958 krb5_enctype_enable(context, et.key.keytype);
959 is_weak = 1;
960 }
961
962
963 /* It is somewhat unclear where the etype in the following
964 encryption should come from. What we have is a session
965 key in the passed tgt, and a list of preferred etypes
966 *for the new ticket*. Should we pick the best possible
967 etype, given the keytype in the tgt, or should we look
968 at the etype list here as well? What if the tgt
969 session key is DES3 and we want a ticket with a (say)
970 CAST session key. Should the DES3 etype be added to the
971 etype list, even if we don't want a session key with
972 DES3? */
973 ret = _kdc_encode_reply(context, config,
974 &rep, &et, &ek, et.key.keytype,
975 kvno,
976 serverkey, 0, replykey, rk_is_subkey,
977 e_text, reply);
978 if (is_weak)
979 krb5_enctype_disable(context, et.key.keytype);
980
981 out:
982 free_TGS_REP(&rep);
983 free_TransitedEncoding(&et.transited);
984 if(et.starttime)
985 free(et.starttime);
986 if(et.renew_till)
987 free(et.renew_till);
988 if(et.authorization_data) {
989 free_AuthorizationData(et.authorization_data);
990 free(et.authorization_data);
991 }
992 free_LastReq(&ek.last_req);
993 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
994 free_EncryptionKey(&et.key);
995 return ret;
996 }
997
998 static krb5_error_code
999 tgs_check_authenticator(krb5_context context,
1000 krb5_kdc_configuration *config,
1001 krb5_auth_context ac,
1002 KDC_REQ_BODY *b,
1003 const char **e_text,
1004 krb5_keyblock *key)
1005 {
1006 krb5_authenticator auth;
1007 size_t len = 0;
1008 unsigned char *buf;
1009 size_t buf_size;
1010 krb5_error_code ret;
1011 krb5_crypto crypto;
1012
1013 krb5_auth_con_getauthenticator(context, ac, &auth);
1014 if(auth->cksum == NULL){
1015 kdc_log(context, config, 0, "No authenticator in request");
1016 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1017 goto out;
1018 }
1019 /*
1020 * according to RFC1510 it doesn't need to be keyed,
1021 * but according to the latest draft it needs to.
1022 */
1023 if (
1024 #if 0
1025 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1026 ||
1027 #endif
1028 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1029 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1030 auth->cksum->cksumtype);
1031 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1032 goto out;
1033 }
1034
1035 /* XXX should not re-encode this */
1036 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1037 if(ret){
1038 const char *msg = krb5_get_error_message(context, ret);
1039 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1040 krb5_free_error_message(context, msg);
1041 goto out;
1042 }
1043 if(buf_size != len) {
1044 free(buf);
1045 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1046 *e_text = "KDC internal error";
1047 ret = KRB5KRB_ERR_GENERIC;
1048 goto out;
1049 }
1050 ret = krb5_crypto_init(context, key, 0, &crypto);
1051 if (ret) {
1052 const char *msg = krb5_get_error_message(context, ret);
1053 free(buf);
1054 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1055 krb5_free_error_message(context, msg);
1056 goto out;
1057 }
1058 ret = krb5_verify_checksum(context,
1059 crypto,
1060 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1061 buf,
1062 len,
1063 auth->cksum);
1064 free(buf);
1065 krb5_crypto_destroy(context, crypto);
1066 if(ret){
1067 const char *msg = krb5_get_error_message(context, ret);
1068 kdc_log(context, config, 0,
1069 "Failed to verify authenticator checksum: %s", msg);
1070 krb5_free_error_message(context, msg);
1071 }
1072 out:
1073 free_Authenticator(auth);
1074 free(auth);
1075 return ret;
1076 }
1077
1078 /*
1079 *
1080 */
1081
1082 static const char *
1083 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1084 {
1085 const char *new_realm = krb5_config_get_string(context,
1086 NULL,
1087 "capaths",
1088 crealm,
1089 srealm,
1090 NULL);
1091 return new_realm;
1092 }
1093
1094
1095 static krb5_boolean
1096 need_referral(krb5_context context, krb5_kdc_configuration *config,
1097 const KDCOptions * const options, krb5_principal server,
1098 krb5_realm **realms)
1099 {
1100 const char *name;
1101
1102 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1103 return FALSE;
1104
1105 if (server->name.name_string.len == 1)
1106 name = server->name.name_string.val[0];
1107 else if (server->name.name_string.len > 1)
1108 name = server->name.name_string.val[1];
1109 else
1110 return FALSE;
1111
1112 kdc_log(context, config, 0, "Searching referral for %s", name);
1113
1114 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1115 }
1116
1117 static krb5_error_code
1118 tgs_parse_request(krb5_context context,
1119 krb5_kdc_configuration *config,
1120 KDC_REQ_BODY *b,
1121 const PA_DATA *tgs_req,
1122 hdb_entry_ex **krbtgt,
1123 krb5_enctype *krbtgt_etype,
1124 krb5_ticket **ticket,
1125 const char **e_text,
1126 const char *from,
1127 const struct sockaddr *from_addr,
1128 time_t **csec,
1129 int **cusec,
1130 AuthorizationData **auth_data,
1131 krb5_keyblock **replykey,
1132 int *rk_is_subkey)
1133 {
1134 static char failed[] = "<unparse_name failed>";
1135 krb5_ap_req ap_req;
1136 krb5_error_code ret;
1137 krb5_principal princ;
1138 krb5_auth_context ac = NULL;
1139 krb5_flags ap_req_options;
1140 krb5_flags verify_ap_req_flags;
1141 krb5_crypto crypto;
1142 Key *tkey;
1143 krb5_keyblock *subkey = NULL;
1144 unsigned usage;
1145
1146 *auth_data = NULL;
1147 *csec = NULL;
1148 *cusec = NULL;
1149 *replykey = NULL;
1150
1151 memset(&ap_req, 0, sizeof(ap_req));
1152 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1153 if(ret){
1154 const char *msg = krb5_get_error_message(context, ret);
1155 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1156 krb5_free_error_message(context, msg);
1157 goto out;
1158 }
1159
1160 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1161 /* XXX check for ticket.sname == req.sname */
1162 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1163 ret = KRB5KDC_ERR_POLICY; /* ? */
1164 goto out;
1165 }
1166
1167 _krb5_principalname2krb5_principal(context,
1168 &princ,
1169 ap_req.ticket.sname,
1170 ap_req.ticket.realm);
1171
1172 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1173
1174 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1175 char *p;
1176 ret = krb5_unparse_name(context, princ, &p);
1177 if (ret != 0)
1178 p = failed;
1179 krb5_free_principal(context, princ);
1180 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1181 if (ret == 0)
1182 free(p);
1183 ret = HDB_ERR_NOT_FOUND_HERE;
1184 goto out;
1185 } else if(ret){
1186 const char *msg = krb5_get_error_message(context, ret);
1187 char *p;
1188 ret = krb5_unparse_name(context, princ, &p);
1189 if (ret != 0)
1190 p = failed;
1191 krb5_free_principal(context, princ);
1192 kdc_log(context, config, 0,
1193 "Ticket-granting ticket not found in database: %s", msg);
1194 krb5_free_error_message(context, msg);
1195 if (ret == 0)
1196 free(p);
1197 ret = KRB5KRB_AP_ERR_NOT_US;
1198 goto out;
1199 }
1200
1201 if(ap_req.ticket.enc_part.kvno &&
1202 (size_t)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1203 char *p;
1204
1205 ret = krb5_unparse_name (context, princ, &p);
1206 krb5_free_principal(context, princ);
1207 if (ret != 0)
1208 p = failed;
1209 kdc_log(context, config, 0,
1210 "Ticket kvno = %d, DB kvno = %d (%s)",
1211 *ap_req.ticket.enc_part.kvno,
1212 (*krbtgt)->entry.kvno,
1213 p);
1214 if (ret == 0)
1215 free (p);
1216 ret = KRB5KRB_AP_ERR_BADKEYVER;
1217 goto out;
1218 }
1219
1220 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1221
1222 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1223 ap_req.ticket.enc_part.etype, &tkey);
1224 if(ret){
1225 char *str = NULL, *p = NULL;
1226
1227 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1228 krb5_unparse_name(context, princ, &p);
1229 kdc_log(context, config, 0,
1230 "No server key with enctype %s found for %s",
1231 str ? str : "<unknown enctype>",
1232 p ? p : "<unparse_name failed>");
1233 free(str);
1234 free(p);
1235 ret = KRB5KRB_AP_ERR_BADKEYVER;
1236 goto out;
1237 }
1238
1239 if (b->kdc_options.validate)
1240 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1241 else
1242 verify_ap_req_flags = 0;
1243
1244 ret = krb5_verify_ap_req2(context,
1245 &ac,
1246 &ap_req,
1247 princ,
1248 &tkey->key,
1249 verify_ap_req_flags,
1250 &ap_req_options,
1251 ticket,
1252 KRB5_KU_TGS_REQ_AUTH);
1253
1254 krb5_free_principal(context, princ);
1255 if(ret) {
1256 const char *msg = krb5_get_error_message(context, ret);
1257 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1258 krb5_free_error_message(context, msg);
1259 goto out;
1260 }
1261
1262 {
1263 krb5_authenticator auth;
1264
1265 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1266 if (ret == 0) {
1267 *csec = malloc(sizeof(**csec));
1268 if (*csec == NULL) {
1269 krb5_free_authenticator(context, &auth);
1270 kdc_log(context, config, 0, "malloc failed");
1271 goto out;
1272 }
1273 **csec = auth->ctime;
1274 *cusec = malloc(sizeof(**cusec));
1275 if (*cusec == NULL) {
1276 krb5_free_authenticator(context, &auth);
1277 kdc_log(context, config, 0, "malloc failed");
1278 goto out;
1279 }
1280 **cusec = auth->cusec;
1281 krb5_free_authenticator(context, &auth);
1282 }
1283 }
1284
1285 ret = tgs_check_authenticator(context, config,
1286 ac, b, e_text, &(*ticket)->ticket.key);
1287 if (ret) {
1288 krb5_auth_con_free(context, ac);
1289 goto out;
1290 }
1291
1292 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1293 *rk_is_subkey = 1;
1294
1295 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1296 if(ret){
1297 const char *msg = krb5_get_error_message(context, ret);
1298 krb5_auth_con_free(context, ac);
1299 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1300 krb5_free_error_message(context, msg);
1301 goto out;
1302 }
1303 if(subkey == NULL){
1304 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1305 *rk_is_subkey = 0;
1306
1307 ret = krb5_auth_con_getkey(context, ac, &subkey);
1308 if(ret) {
1309 const char *msg = krb5_get_error_message(context, ret);
1310 krb5_auth_con_free(context, ac);
1311 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1312 krb5_free_error_message(context, msg);
1313 goto out;
1314 }
1315 }
1316 if(subkey == NULL){
1317 krb5_auth_con_free(context, ac);
1318 kdc_log(context, config, 0,
1319 "Failed to get key for enc-authorization-data");
1320 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1321 goto out;
1322 }
1323
1324 *replykey = subkey;
1325
1326 if (b->enc_authorization_data) {
1327 krb5_data ad;
1328
1329 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1330 if (ret) {
1331 const char *msg = krb5_get_error_message(context, ret);
1332 krb5_auth_con_free(context, ac);
1333 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1334 krb5_free_error_message(context, msg);
1335 goto out;
1336 }
1337 ret = krb5_decrypt_EncryptedData (context,
1338 crypto,
1339 usage,
1340 b->enc_authorization_data,
1341 &ad);
1342 krb5_crypto_destroy(context, crypto);
1343 if(ret){
1344 krb5_auth_con_free(context, ac);
1345 kdc_log(context, config, 0,
1346 "Failed to decrypt enc-authorization-data");
1347 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1348 goto out;
1349 }
1350 ALLOC(*auth_data);
1351 if (*auth_data == NULL) {
1352 krb5_auth_con_free(context, ac);
1353 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1354 goto out;
1355 }
1356 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1357 if(ret){
1358 krb5_auth_con_free(context, ac);
1359 free(*auth_data);
1360 *auth_data = NULL;
1361 kdc_log(context, config, 0, "Failed to decode authorization data");
1362 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1363 goto out;
1364 }
1365 }
1366
1367 krb5_auth_con_free(context, ac);
1368
1369 out:
1370 free_AP_REQ(&ap_req);
1371
1372 return ret;
1373 }
1374
1375 static krb5_error_code
1376 build_server_referral(krb5_context context,
1377 krb5_kdc_configuration *config,
1378 krb5_crypto session,
1379 krb5_const_realm referred_realm,
1380 const PrincipalName *true_principal_name,
1381 const PrincipalName *requested_principal,
1382 krb5_data *outdata)
1383 {
1384 PA_ServerReferralData ref;
1385 krb5_error_code ret;
1386 EncryptedData ed;
1387 krb5_data data;
1388 size_t size = 0;
1389
1390 memset(&ref, 0, sizeof(ref));
1391
1392 if (referred_realm) {
1393 ALLOC(ref.referred_realm);
1394 if (ref.referred_realm == NULL)
1395 goto eout;
1396 *ref.referred_realm = strdup(referred_realm);
1397 if (*ref.referred_realm == NULL)
1398 goto eout;
1399 }
1400 if (true_principal_name) {
1401 ALLOC(ref.true_principal_name);
1402 if (ref.true_principal_name == NULL)
1403 goto eout;
1404 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1405 if (ret)
1406 goto eout;
1407 }
1408 if (requested_principal) {
1409 ALLOC(ref.requested_principal_name);
1410 if (ref.requested_principal_name == NULL)
1411 goto eout;
1412 ret = copy_PrincipalName(requested_principal,
1413 ref.requested_principal_name);
1414 if (ret)
1415 goto eout;
1416 }
1417
1418 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1419 data.data, data.length,
1420 &ref, &size, ret);
1421 free_PA_ServerReferralData(&ref);
1422 if (ret)
1423 return ret;
1424 if (data.length != size)
1425 krb5_abortx(context, "internal asn.1 encoder error");
1426
1427 ret = krb5_encrypt_EncryptedData(context, session,
1428 KRB5_KU_PA_SERVER_REFERRAL,
1429 data.data, data.length,
1430 0 /* kvno */, &ed);
1431 free(data.data);
1432 if (ret)
1433 return ret;
1434
1435 ASN1_MALLOC_ENCODE(EncryptedData,
1436 outdata->data, outdata->length,
1437 &ed, &size, ret);
1438 free_EncryptedData(&ed);
1439 if (ret)
1440 return ret;
1441 if (outdata->length != size)
1442 krb5_abortx(context, "internal asn.1 encoder error");
1443
1444 return 0;
1445 eout:
1446 free_PA_ServerReferralData(&ref);
1447 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1448 return ENOMEM;
1449 }
1450
1451 static krb5_error_code
1452 tgs_build_reply(krb5_context context,
1453 krb5_kdc_configuration *config,
1454 KDC_REQ *req,
1455 KDC_REQ_BODY *b,
1456 hdb_entry_ex *krbtgt,
1457 krb5_enctype krbtgt_etype,
1458 const krb5_keyblock *replykey,
1459 int rk_is_subkey,
1460 krb5_ticket *ticket,
1461 krb5_data *reply,
1462 const char *from,
1463 const char **e_text,
1464 AuthorizationData **auth_data,
1465 const struct sockaddr *from_addr)
1466 {
1467 krb5_error_code ret;
1468 krb5_principal cp = NULL, sp = NULL;
1469 krb5_principal client_principal = NULL;
1470 krb5_principal krbtgt_principal = NULL;
1471 char *spn = NULL, *cpn = NULL;
1472 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1473 HDB *clientdb, *s4u2self_impersonated_clientdb;
1474 krb5_realm ref_realm = NULL;
1475 EncTicketPart *tgt = &ticket->ticket;
1476 krb5_principals spp = NULL;
1477 const EncryptionKey *ekey;
1478 krb5_keyblock sessionkey;
1479 krb5_kvno kvno;
1480 krb5_data rspac;
1481
1482 hdb_entry_ex *krbtgt_out = NULL;
1483
1484 METHOD_DATA enc_pa_data;
1485
1486 PrincipalName *s;
1487 Realm r;
1488 int nloop = 0;
1489 EncTicketPart adtkt;
1490 char opt_str[128];
1491 int signedpath = 0;
1492
1493 Key *tkey_check;
1494 Key *tkey_sign;
1495
1496 memset(&sessionkey, 0, sizeof(sessionkey));
1497 memset(&adtkt, 0, sizeof(adtkt));
1498 krb5_data_zero(&rspac);
1499 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1500
1501 s = b->sname;
1502 r = b->realm;
1503
1504 if(b->kdc_options.enc_tkt_in_skey){
1505 Ticket *t;
1506 hdb_entry_ex *uu;
1507 krb5_principal p;
1508 Key *uukey;
1509
1510 if(b->additional_tickets == NULL ||
1511 b->additional_tickets->len == 0){
1512 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1513 kdc_log(context, config, 0,
1514 "No second ticket present in request");
1515 goto out;
1516 }
1517 t = &b->additional_tickets->val[0];
1518 if(!get_krbtgt_realm(&t->sname)){
1519 kdc_log(context, config, 0,
1520 "Additional ticket is not a ticket-granting ticket");
1521 ret = KRB5KDC_ERR_POLICY;
1522 goto out;
1523 }
1524 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1525 ret = _kdc_db_fetch(context, config, p,
1526 HDB_F_GET_KRBTGT, t->enc_part.kvno,
1527 NULL, &uu);
1528 krb5_free_principal(context, p);
1529 if(ret){
1530 if (ret == HDB_ERR_NOENTRY)
1531 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1532 goto out;
1533 }
1534 ret = hdb_enctype2key(context, &uu->entry,
1535 t->enc_part.etype, &uukey);
1536 if(ret){
1537 _kdc_free_ent(context, uu);
1538 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1539 goto out;
1540 }
1541 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1542 _kdc_free_ent(context, uu);
1543 if(ret)
1544 goto out;
1545
1546 ret = verify_flags(context, config, &adtkt, spn);
1547 if (ret)
1548 goto out;
1549
1550 s = &adtkt.cname;
1551 r = adtkt.crealm;
1552 }
1553
1554 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1555 ret = krb5_unparse_name(context, sp, &spn);
1556 if (ret)
1557 goto out;
1558 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1559 ret = krb5_unparse_name(context, cp, &cpn);
1560 if (ret)
1561 goto out;
1562 unparse_flags (KDCOptions2int(b->kdc_options),
1563 asn1_KDCOptions_units(),
1564 opt_str, sizeof(opt_str));
1565 if(*opt_str)
1566 kdc_log(context, config, 0,
1567 "TGS-REQ %s from %s for %s [%s]",
1568 cpn, from, spn, opt_str);
1569 else
1570 kdc_log(context, config, 0,
1571 "TGS-REQ %s from %s for %s", cpn, from, spn);
1572
1573 /*
1574 * Fetch server
1575 */
1576
1577 server_lookup:
1578 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
1579 NULL, NULL, &server);
1580
1581 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1582 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1583 goto out;
1584 } else if(ret){
1585 const char *new_rlm, *msg;
1586 Realm req_rlm;
1587 krb5_realm *realms;
1588
1589 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1590 if(nloop++ < 2) {
1591 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1592 if(new_rlm) {
1593 kdc_log(context, config, 5, "krbtgt for realm %s "
1594 "not found, trying %s",
1595 req_rlm, new_rlm);
1596 krb5_free_principal(context, sp);
1597 free(spn);
1598 krb5_make_principal(context, &sp, r,
1599 KRB5_TGS_NAME, new_rlm, NULL);
1600 ret = krb5_unparse_name(context, sp, &spn);
1601 if (ret)
1602 goto out;
1603
1604 if (ref_realm)
1605 free(ref_realm);
1606 ref_realm = strdup(new_rlm);
1607 goto server_lookup;
1608 }
1609 }
1610 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1611 if (strcmp(realms[0], sp->realm) != 0) {
1612 kdc_log(context, config, 5,
1613 "Returning a referral to realm %s for "
1614 "server %s that was not found",
1615 realms[0], spn);
1616 krb5_free_principal(context, sp);
1617 free(spn);
1618 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1619 realms[0], NULL);
1620 ret = krb5_unparse_name(context, sp, &spn);
1621 if (ret)
1622 goto out;
1623
1624 if (ref_realm)
1625 free(ref_realm);
1626 ref_realm = strdup(realms[0]);
1627
1628 krb5_free_host_realm(context, realms);
1629 goto server_lookup;
1630 }
1631 krb5_free_host_realm(context, realms);
1632 }
1633 msg = krb5_get_error_message(context, ret);
1634 kdc_log(context, config, 0,
1635 "Server not found in database: %s: %s", spn, msg);
1636 krb5_free_error_message(context, msg);
1637 if (ret == HDB_ERR_NOENTRY)
1638 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1639 goto out;
1640 }
1641
1642 /*
1643 * Select enctype, return key and kvno.
1644 */
1645
1646 {
1647 krb5_enctype etype;
1648
1649 if(b->kdc_options.enc_tkt_in_skey) {
1650 size_t i;
1651 ekey = &adtkt.key;
1652 for(i = 0; i < b->etype.len; i++)
1653 if (b->etype.val[i] == adtkt.key.keytype)
1654 break;
1655 if(i == b->etype.len) {
1656 kdc_log(context, config, 0,
1657 "Addition ticket have not matching etypes");
1658 krb5_clear_error_message(context);
1659 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1660 goto out;
1661 }
1662 etype = b->etype.val[i];
1663 kvno = 0;
1664 } else {
1665 Key *skey;
1666
1667 ret = _kdc_find_etype(context, server,
1668 b->etype.val, b->etype.len, &skey);
1669 if(ret) {
1670 kdc_log(context, config, 0,
1671 "Server (%s) has no support for etypes", spn);
1672 goto out;
1673 }
1674 ekey = &skey->key;
1675 etype = skey->key.keytype;
1676 kvno = server->entry.kvno;
1677 }
1678
1679 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1680 if (ret)
1681 goto out;
1682 }
1683
1684 /*
1685 * Check that service is in the same realm as the krbtgt. If it's
1686 * not the same, it's someone that is using a uni-directional trust
1687 * backward.
1688 */
1689
1690 /*
1691 * Validate authoriation data
1692 */
1693
1694 ret = hdb_enctype2key(context, &krbtgt->entry,
1695 krbtgt_etype, &tkey_check);
1696 if(ret) {
1697 kdc_log(context, config, 0,
1698 "Failed to find key for krbtgt PAC check");
1699 goto out;
1700 }
1701
1702 /* Now refetch the primary krbtgt, and get the current kvno (the
1703 * sign check may have been on an old kvno, and the server may
1704 * have been an incoming trust) */
1705 ret = krb5_make_principal(context, &krbtgt_principal,
1706 krb5_principal_get_comp_string(context,
1707 krbtgt->entry.principal,
1708 1),
1709 KRB5_TGS_NAME,
1710 krb5_principal_get_comp_string(context,
1711 krbtgt->entry.principal,
1712 1), NULL);
1713 if(ret) {
1714 kdc_log(context, config, 0,
1715 "Failed to generate krbtgt principal");
1716 goto out;
1717 }
1718
1719 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1720 krb5_free_principal(context, krbtgt_principal);
1721 if (ret) {
1722 krb5_error_code ret2;
1723 char *tpn, *tpn2;
1724 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1725 ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
1726 kdc_log(context, config, 0,
1727 "Request with wrong krbtgt: %s, %s not found in our database",
1728 (ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
1729 if(ret == 0)
1730 free(tpn);
1731 if(ret2 == 0)
1732 free(tpn2);
1733 ret = KRB5KRB_AP_ERR_NOT_US;
1734 goto out;
1735 }
1736
1737 /* The first realm is the realm of the service, the second is
1738 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1739 * encrypted to. The redirection via the krbtgt_out entry allows
1740 * the DB to possibly correct the case of the realm (Samba4 does
1741 * this) before the strcmp() */
1742 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1743 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1744 char *tpn;
1745 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
1746 kdc_log(context, config, 0,
1747 "Request with wrong krbtgt: %s",
1748 (ret == 0) ? tpn : "<unknown>");
1749 if(ret == 0)
1750 free(tpn);
1751 ret = KRB5KRB_AP_ERR_NOT_US;
1752 }
1753
1754 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1755 krbtgt_etype, &tkey_sign);
1756 if(ret) {
1757 kdc_log(context, config, 0,
1758 "Failed to find key for krbtgt PAC signature");
1759 goto out;
1760 }
1761
1762 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1763 NULL, &clientdb, &client);
1764 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1765 /* This is OK, we are just trying to find out if they have
1766 * been disabled or deleted in the meantime, missing secrets
1767 * is OK */
1768 } else if(ret){
1769 const char *krbtgt_realm, *msg;
1770
1771 /*
1772 * If the client belongs to the same realm as our krbtgt, it
1773 * should exist in the local database.
1774 *
1775 */
1776
1777 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1778
1779 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1780 if (ret == HDB_ERR_NOENTRY)
1781 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1782 kdc_log(context, config, 1, "Client no longer in database: %s",
1783 cpn);
1784 goto out;
1785 }
1786
1787 msg = krb5_get_error_message(context, ret);
1788 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1789 krb5_free_error_message(context, msg);
1790 }
1791
1792 ret = check_PAC(context, config, cp,
1793 client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
1794 tgt, &rspac, &signedpath);
1795 if (ret) {
1796 const char *msg = krb5_get_error_message(context, ret);
1797 kdc_log(context, config, 0,
1798 "Verify PAC failed for %s (%s) from %s with %s",
1799 spn, cpn, from, msg);
1800 krb5_free_error_message(context, msg);
1801 goto out;
1802 }
1803
1804 /* also check the krbtgt for signature */
1805 ret = check_KRB5SignedPath(context,
1806 config,
1807 krbtgt,
1808 cp,
1809 tgt,
1810 &spp,
1811 &signedpath);
1812 if (ret) {
1813 const char *msg = krb5_get_error_message(context, ret);
1814 kdc_log(context, config, 0,
1815 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1816 spn, cpn, from, msg);
1817 krb5_free_error_message(context, msg);
1818 goto out;
1819 }
1820
1821 /*
1822 * Process request
1823 */
1824
1825 client_principal = cp;
1826
1827 if (client) {
1828 const PA_DATA *sdata;
1829 int i = 0;
1830
1831 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1832 if (sdata) {
1833 krb5_crypto crypto;
1834 krb5_data datack;
1835 PA_S4U2Self self;
1836 char *selfcpn = NULL;
1837 const char *str;
1838
1839 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1840 sdata->padata_value.length,
1841 &self, NULL);
1842 if (ret) {
1843 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1844 goto out;
1845 }
1846
1847 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1848 if (ret)
1849 goto out;
1850
1851 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1852 if (ret) {
1853 const char *msg = krb5_get_error_message(context, ret);
1854 free_PA_S4U2Self(&self);
1855 krb5_data_free(&datack);
1856 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1857 krb5_free_error_message(context, msg);
1858 goto out;
1859 }
1860
1861 ret = krb5_verify_checksum(context,
1862 crypto,
1863 KRB5_KU_OTHER_CKSUM,
1864 datack.data,
1865 datack.length,
1866 &self.cksum);
1867 krb5_data_free(&datack);
1868 krb5_crypto_destroy(context, crypto);
1869 if (ret) {
1870 const char *msg = krb5_get_error_message(context, ret);
1871 free_PA_S4U2Self(&self);
1872 kdc_log(context, config, 0,
1873 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1874 krb5_free_error_message(context, msg);
1875 goto out;
1876 }
1877
1878 ret = _krb5_principalname2krb5_principal(context,
1879 &client_principal,
1880 self.name,
1881 self.realm);
1882 free_PA_S4U2Self(&self);
1883 if (ret)
1884 goto out;
1885
1886 ret = krb5_unparse_name(context, client_principal, &selfcpn);
1887 if (ret)
1888 goto out;
1889
1890 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1891 if(rspac.data) {
1892 krb5_pac p = NULL;
1893 krb5_data_free(&rspac);
1894 ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON,
1895 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1896 if (ret) {
1897 const char *msg;
1898
1899 /*
1900 * If the client belongs to the same realm as our krbtgt, it
1901 * should exist in the local database.
1902 *
1903 */
1904
1905 if (ret == HDB_ERR_NOENTRY)
1906 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1907 msg = krb5_get_error_message(context, ret);
1908 kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg);
1909 krb5_free_error_message(context, msg);
1910 goto out;
1911 }
1912 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1913 if (ret) {
1914 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1915 selfcpn);
1916 goto out;
1917 }
1918 if (p != NULL) {
1919 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1920 s4u2self_impersonated_client->entry.principal,
1921 ekey, &tkey_sign->key,
1922 &rspac);
1923 krb5_pac_free(context, p);
1924 if (ret) {
1925 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1926 selfcpn);
1927 goto out;
1928 }
1929 }
1930 }
1931
1932 /*
1933 * Check that service doing the impersonating is
1934 * requesting a ticket to it-self.
1935 */
1936 ret = check_s4u2self(context, config, clientdb, client, sp);
1937 if (ret) {
1938 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1939 "to impersonate to service "
1940 "(tried for user %s to service %s)",
1941 cpn, selfcpn, spn);
1942 free(selfcpn);
1943 goto out;
1944 }
1945
1946 /*
1947 * If the service isn't trusted for authentication to
1948 * delegation, remove the forward flag.
1949 */
1950
1951 if (client->entry.flags.trusted_for_delegation) {
1952 str = "[forwardable]";
1953 } else {
1954 b->kdc_options.forwardable = 0;
1955 str = "";
1956 }
1957 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1958 "service %s %s", cpn, selfcpn, spn, str);
1959 free(selfcpn);
1960 }
1961 }
1962
1963 /*
1964 * Constrained delegation
1965 */
1966
1967 if (client != NULL
1968 && b->additional_tickets != NULL
1969 && b->additional_tickets->len != 0
1970 && b->kdc_options.enc_tkt_in_skey == 0)
1971 {
1972 int ad_signedpath = 0;
1973 Key *clientkey;
1974 Ticket *t;
1975 char *str;
1976
1977 /*
1978 * Require that the KDC have issued the service's krbtgt (not
1979 * self-issued ticket with kimpersonate(1).
1980 */
1981 if (!signedpath) {
1982 ret = KRB5KDC_ERR_BADOPTION;
1983 kdc_log(context, config, 0,
1984 "Constrained delegation done on service ticket %s/%s",
1985 cpn, spn);
1986 goto out;
1987 }
1988
1989 t = &b->additional_tickets->val[0];
1990
1991 ret = hdb_enctype2key(context, &client->entry,
1992 t->enc_part.etype, &clientkey);
1993 if(ret){
1994 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1995 goto out;
1996 }
1997
1998 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
1999 if (ret) {
2000 kdc_log(context, config, 0,
2001 "failed to decrypt ticket for "
2002 "constrained delegation from %s to %s ", cpn, spn);
2003 goto out;
2004 }
2005
2006 /* check that ticket is valid */
2007 if (adtkt.flags.forwardable == 0) {
2008 kdc_log(context, config, 0,
2009 "Missing forwardable flag on ticket for "
2010 "constrained delegation from %s to %s ", cpn, spn);
2011 ret = KRB5KDC_ERR_BADOPTION;
2012 goto out;
2013 }
2014
2015 ret = check_constrained_delegation(context, config, clientdb,
2016 client, sp);
2017 if (ret) {
2018 kdc_log(context, config, 0,
2019 "constrained delegation from %s to %s not allowed",
2020 cpn, spn);
2021 goto out;
2022 }
2023
2024 ret = _krb5_principalname2krb5_principal(context,
2025 &client_principal,
2026 adtkt.cname,
2027 adtkt.crealm);
2028 if (ret)
2029 goto out;
2030
2031 ret = krb5_unparse_name(context, client_principal, &str);
2032 if (ret)
2033 goto out;
2034
2035 ret = verify_flags(context, config, &adtkt, str);
2036 if (ret) {
2037 free(str);
2038 goto out;
2039 }
2040
2041 /*
2042 * Check that the KDC issued the user's ticket.
2043 */
2044 ret = check_KRB5SignedPath(context,
2045 config,
2046 krbtgt,
2047 cp,
2048 &adtkt,
2049 NULL,
2050 &ad_signedpath);
2051 if (ret == 0 && !ad_signedpath)
2052 ret = KRB5KDC_ERR_BADOPTION;
2053 if (ret) {
2054 const char *msg = krb5_get_error_message(context, ret);
2055 kdc_log(context, config, 0,
2056 "KRB5SignedPath check from service %s failed "
2057 "for delegation to %s for client %s "
2058 "from %s failed with %s",
2059 spn, str, cpn, from, msg);
2060 krb5_free_error_message(context, msg);
2061 free(str);
2062 goto out;
2063 }
2064
2065 kdc_log(context, config, 0, "constrained delegation for %s "
2066 "from %s to %s", str, cpn, spn);
2067 free(str);
2068 }
2069
2070 /*
2071 * Check flags
2072 */
2073
2074 ret = kdc_check_flags(context, config,
2075 client, cpn,
2076 server, spn,
2077 FALSE);
2078 if(ret)
2079 goto out;
2080
2081 if((b->kdc_options.validate || b->kdc_options.renew) &&
2082 !krb5_principal_compare(context,
2083 krbtgt->entry.principal,
2084 server->entry.principal)){
2085 kdc_log(context, config, 0, "Inconsistent request.");
2086 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2087 goto out;
2088 }
2089
2090 /* check for valid set of addresses */
2091 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2092 ret = KRB5KRB_AP_ERR_BADADDR;
2093 kdc_log(context, config, 0, "Request from wrong address");
2094 goto out;
2095 }
2096
2097 /*
2098 * If this is an referral, add server referral data to the
2099 * auth_data reply .
2100 */
2101 if (ref_realm) {
2102 PA_DATA pa;
2103 krb5_crypto crypto;
2104
2105 kdc_log(context, config, 0,
2106 "Adding server referral to %s", ref_realm);
2107
2108 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2109 if (ret)
2110 goto out;
2111
2112 ret = build_server_referral(context, config, crypto, ref_realm,
2113 NULL, s, &pa.padata_value);
2114 krb5_crypto_destroy(context, crypto);
2115 if (ret) {
2116 kdc_log(context, config, 0,
2117 "Failed building server referral");
2118 goto out;
2119 }
2120 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2121
2122 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2123 krb5_data_free(&pa.padata_value);
2124 if (ret) {
2125 kdc_log(context, config, 0,
2126 "Add server referral METHOD-DATA failed");
2127 goto out;
2128 }
2129 }
2130
2131 /*
2132 *
2133 */
2134
2135 ret = tgs_make_reply(context,
2136 config,
2137 b,
2138 client_principal,
2139 tgt,
2140 replykey,
2141 rk_is_subkey,
2142 ekey,
2143 &sessionkey,
2144 kvno,
2145 *auth_data,
2146 server,
2147 sp,
2148 spn,
2149 client,
2150 cp,
2151 krbtgt_out,
2152 krbtgt_etype,
2153 spp,
2154 &rspac,
2155 &enc_pa_data,
2156 e_text,
2157 reply);
2158
2159 out:
2160 free(spn);
2161 free(cpn);
2162
2163 krb5_data_free(&rspac);
2164 krb5_free_keyblock_contents(context, &sessionkey);
2165 if(krbtgt_out)
2166 _kdc_free_ent(context, krbtgt_out);
2167 if(server)
2168 _kdc_free_ent(context, server);
2169 if(client)
2170 _kdc_free_ent(context, client);
2171 if(s4u2self_impersonated_client)
2172 _kdc_free_ent(context, s4u2self_impersonated_client);
2173
2174 if (client_principal && client_principal != cp)
2175 krb5_free_principal(context, client_principal);
2176 if (cp)
2177 krb5_free_principal(context, cp);
2178 if (sp)
2179 krb5_free_principal(context, sp);
2180 if (ref_realm)
2181 free(ref_realm);
2182 free_METHOD_DATA(&enc_pa_data);
2183
2184 free_EncTicketPart(&adtkt);
2185
2186 return ret;
2187 }
2188
2189 /*
2190 *
2191 */
2192
2193 krb5_error_code
2194 _kdc_tgs_rep(krb5_context context,
2195 krb5_kdc_configuration *config,
2196 KDC_REQ *req,
2197 krb5_data *data,
2198 const char *from,
2199 struct sockaddr *from_addr,
2200 int datagram_reply)
2201 {
2202 AuthorizationData *auth_data = NULL;
2203 krb5_error_code ret;
2204 int i = 0;
2205 const PA_DATA *tgs_req;
2206
2207 hdb_entry_ex *krbtgt = NULL;
2208 krb5_ticket *ticket = NULL;
2209 const char *e_text = NULL;
2210 krb5_enctype krbtgt_etype = ETYPE_NULL;
2211
2212 krb5_keyblock *replykey = NULL;
2213 int rk_is_subkey = 0;
2214 time_t *csec = NULL;
2215 int *cusec = NULL;
2216
2217 if(req->padata == NULL){
2218 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2219 kdc_log(context, config, 0,
2220 "TGS-REQ from %s without PA-DATA", from);
2221 goto out;
2222 }
2223
2224 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2225
2226 if(tgs_req == NULL){
2227 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2228
2229 kdc_log(context, config, 0,
2230 "TGS-REQ from %s without PA-TGS-REQ", from);
2231 goto out;
2232 }
2233 ret = tgs_parse_request(context, config,
2234 &req->req_body, tgs_req,
2235 &krbtgt,
2236 &krbtgt_etype,
2237 &ticket,
2238 &e_text,
2239 from, from_addr,
2240 &csec, &cusec,
2241 &auth_data,
2242 &replykey,
2243 &rk_is_subkey);
2244 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2245 /* kdc_log() is called in tgs_parse_request() */
2246 goto out;
2247 }
2248 if (ret) {
2249 kdc_log(context, config, 0,
2250 "Failed parsing TGS-REQ from %s", from);
2251 goto out;
2252 }
2253
2254 ret = tgs_build_reply(context,
2255 config,
2256 req,
2257 &req->req_body,
2258 krbtgt,
2259 krbtgt_etype,
2260 replykey,
2261 rk_is_subkey,
2262 ticket,
2263 data,
2264 from,
2265 &e_text,
2266 &auth_data,
2267 from_addr);
2268 if (ret) {
2269 kdc_log(context, config, 0,
2270 "Failed building TGS-REP to %s", from);
2271 goto out;
2272 }
2273
2274 /* */
2275 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2276 krb5_data_free(data);
2277 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2278 e_text = "Reply packet too large";
2279 }
2280
2281 out:
2282 if (replykey)
2283 krb5_free_keyblock(context, replykey);
2284 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2285 krb5_mk_error(context,
2286 ret,
2287 NULL,
2288 NULL,
2289 NULL,
2290 NULL,
2291 csec,
2292 cusec,
2293 data);
2294 ret = 0;
2295 }
2296 free(csec);
2297 free(cusec);
2298 if (ticket)
2299 krb5_free_ticket(context, ticket);
2300 if(krbtgt)
2301 _kdc_free_ent(context, krbtgt);
2302
2303 if (auth_data) {
2304 free_AuthorizationData(auth_data);
2305 free(auth_data);
2306 }
2307
2308 return ret;
2309 }
Heimdal