search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #11 from asankah/master
[heimdal.git] / kdc / krb5tgs.c
blob0f4011a4dbfb7ddcb9d694631b24ffa37bc66dde
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size = 0;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size = 0;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
230 if (ret == 0)
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
232 if (ret) {
233 free(data.data);
234 free_KRB5SignedPath(&sp);
235 return ret;
236 }
237 }
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
240 &sp.cksum);
241 krb5_crypto_destroy(context, crypto);
242 free(data.data);
243 if (ret) {
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
247 return 0;
248 }
249
250 if (delegated && sp.delegated) {
251
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
255 return ENOMEM;
256 }
257
258 ret = copy_Principals(*delegated, sp.delegated);
259 if (ret) {
260 free_KRB5SignedPath(&sp);
261 free(*delegated);
262 *delegated = NULL;
263 return ret;
264 }
265 }
266 free_KRB5SignedPath(&sp);
267
268 *signedpath = 1;
269 }
270
271 return 0;
272 }
273
274 /*
275 *
276 */
277
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 hdb_entry_ex *client,
283 hdb_entry_ex *server,
284 hdb_entry_ex *krbtgt,
285 const EncryptionKey *server_check_key,
286 const EncryptionKey *krbtgt_check_key,
287 const EncryptionKey *server_sign_key,
288 const EncryptionKey *krbtgt_sign_key,
289 EncTicketPart *tkt,
290 krb5_data *rspac,
291 int *signedpath)
292 {
293 AuthorizationData *ad = tkt->authorization_data;
294 unsigned i, j;
295 krb5_error_code ret;
296
297 if (ad == NULL || ad->len == 0)
298 return 0;
299
300 for (i = 0; i < ad->len; i++) {
301 AuthorizationData child;
302
303 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
304 continue;
305
306 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
307 ad->val[i].ad_data.length,
308 &child,
309 NULL);
310 if (ret) {
311 krb5_set_error_message(context, ret, "Failed to decode "
312 "IF_RELEVANT with %d", ret);
313 return ret;
314 }
315 for (j = 0; j < child.len; j++) {
316
317 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
318 int signed_pac = 0;
319 krb5_pac pac;
320
321 /* Found PAC */
322 ret = krb5_pac_parse(context,
323 child.val[j].ad_data.data,
324 child.val[j].ad_data.length,
325 &pac);
326 free_AuthorizationData(&child);
327 if (ret)
328 return ret;
329
330 ret = krb5_pac_verify(context, pac, tkt->authtime,
331 client_principal,
332 server_check_key, krbtgt_check_key);
333 if (ret) {
334 krb5_pac_free(context, pac);
335 return ret;
336 }
337
338 ret = _kdc_pac_verify(context, client_principal,
339 client, server, krbtgt, &pac, &signed_pac);
340 if (ret) {
341 krb5_pac_free(context, pac);
342 return ret;
343 }
344
345 /*
346 * Only re-sign PAC if we could verify it with the PAC
347 * function. The no-verify case happens when we get in
348 * a PAC from cross realm from a Windows domain and
349 * that there is no PAC verification function.
350 */
351 if (signed_pac) {
352 *signedpath = 1;
353 ret = _krb5_pac_sign(context, pac, tkt->authtime,
354 client_principal,
355 server_sign_key, krbtgt_sign_key, rspac);
356 }
357 krb5_pac_free(context, pac);
358
359 return ret;
360 }
361 }
362 free_AuthorizationData(&child);
363 }
364 return 0;
365 }
366
367 /*
368 *
369 */
370
371 static krb5_error_code
372 check_tgs_flags(krb5_context context,
373 krb5_kdc_configuration *config,
374 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
375 {
376 KDCOptions f = b->kdc_options;
377
378 if(f.validate){
379 if(!tgt->flags.invalid || tgt->starttime == NULL){
380 kdc_log(context, config, 0,
381 "Bad request to validate ticket");
382 return KRB5KDC_ERR_BADOPTION;
383 }
384 if(*tgt->starttime > kdc_time){
385 kdc_log(context, config, 0,
386 "Early request to validate ticket");
387 return KRB5KRB_AP_ERR_TKT_NYV;
388 }
389 /* XXX tkt = tgt */
390 et->flags.invalid = 0;
391 }else if(tgt->flags.invalid){
392 kdc_log(context, config, 0,
393 "Ticket-granting ticket has INVALID flag set");
394 return KRB5KRB_AP_ERR_TKT_INVALID;
395 }
396
397 if(f.forwardable){
398 if(!tgt->flags.forwardable){
399 kdc_log(context, config, 0,
400 "Bad request for forwardable ticket");
401 return KRB5KDC_ERR_BADOPTION;
402 }
403 et->flags.forwardable = 1;
404 }
405 if(f.forwarded){
406 if(!tgt->flags.forwardable){
407 kdc_log(context, config, 0,
408 "Request to forward non-forwardable ticket");
409 return KRB5KDC_ERR_BADOPTION;
410 }
411 et->flags.forwarded = 1;
412 et->caddr = b->addresses;
413 }
414 if(tgt->flags.forwarded)
415 et->flags.forwarded = 1;
416
417 if(f.proxiable){
418 if(!tgt->flags.proxiable){
419 kdc_log(context, config, 0,
420 "Bad request for proxiable ticket");
421 return KRB5KDC_ERR_BADOPTION;
422 }
423 et->flags.proxiable = 1;
424 }
425 if(f.proxy){
426 if(!tgt->flags.proxiable){
427 kdc_log(context, config, 0,
428 "Request to proxy non-proxiable ticket");
429 return KRB5KDC_ERR_BADOPTION;
430 }
431 et->flags.proxy = 1;
432 et->caddr = b->addresses;
433 }
434 if(tgt->flags.proxy)
435 et->flags.proxy = 1;
436
437 if(f.allow_postdate){
438 if(!tgt->flags.may_postdate){
439 kdc_log(context, config, 0,
440 "Bad request for post-datable ticket");
441 return KRB5KDC_ERR_BADOPTION;
442 }
443 et->flags.may_postdate = 1;
444 }
445 if(f.postdated){
446 if(!tgt->flags.may_postdate){
447 kdc_log(context, config, 0,
448 "Bad request for postdated ticket");
449 return KRB5KDC_ERR_BADOPTION;
450 }
451 if(b->from)
452 *et->starttime = *b->from;
453 et->flags.postdated = 1;
454 et->flags.invalid = 1;
455 }else if(b->from && *b->from > kdc_time + context->max_skew){
456 kdc_log(context, config, 0, "Ticket cannot be postdated");
457 return KRB5KDC_ERR_CANNOT_POSTDATE;
458 }
459
460 if(f.renewable){
461 if(!tgt->flags.renewable || tgt->renew_till == NULL){
462 kdc_log(context, config, 0,
463 "Bad request for renewable ticket");
464 return KRB5KDC_ERR_BADOPTION;
465 }
466 et->flags.renewable = 1;
467 ALLOC(et->renew_till);
468 _kdc_fix_time(&b->rtime);
469 *et->renew_till = *b->rtime;
470 }
471 if(f.renew){
472 time_t old_life;
473 if(!tgt->flags.renewable || tgt->renew_till == NULL){
474 kdc_log(context, config, 0,
475 "Request to renew non-renewable ticket");
476 return KRB5KDC_ERR_BADOPTION;
477 }
478 old_life = tgt->endtime;
479 if(tgt->starttime)
480 old_life -= *tgt->starttime;
481 else
482 old_life -= tgt->authtime;
483 et->endtime = *et->starttime + old_life;
484 if (et->renew_till != NULL)
485 et->endtime = min(*et->renew_till, et->endtime);
486 }
487
488 #if 0
489 /* checks for excess flags */
490 if(f.request_anonymous && !config->allow_anonymous){
491 kdc_log(context, config, 0,
492 "Request for anonymous ticket");
493 return KRB5KDC_ERR_BADOPTION;
494 }
495 #endif
496 return 0;
497 }
498
499 /*
500 * Determine if constrained delegation is allowed from this client to this server
501 */
502
503 static krb5_error_code
504 check_constrained_delegation(krb5_context context,
505 krb5_kdc_configuration *config,
506 HDB *clientdb,
507 hdb_entry_ex *client,
508 krb5_const_principal server)
509 {
510 const HDB_Ext_Constrained_delegation_acl *acl;
511 krb5_error_code ret;
512 size_t i;
513
514 /* if client delegates to itself, that ok */
515 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
516 return 0;
517
518 if (clientdb->hdb_check_constrained_delegation) {
519 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
520 if (ret == 0)
521 return 0;
522 } else {
523 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
524 if (ret) {
525 krb5_clear_error_message(context);
526 return ret;
527 }
528
529 if (acl) {
530 for (i = 0; i < acl->len; i++) {
531 if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
532 return 0;
533 }
534 }
535 ret = KRB5KDC_ERR_BADOPTION;
536 }
537 kdc_log(context, config, 0,
538 "Bad request for constrained delegation");
539 return ret;
540 }
541
542 /*
543 * Determine if s4u2self is allowed from this client to this server
544 *
545 * For example, regardless of the principal being impersonated, if the
546 * 'client' and 'server' are the same, then it's safe.
547 */
548
549 static krb5_error_code
550 check_s4u2self(krb5_context context,
551 krb5_kdc_configuration *config,
552 HDB *clientdb,
553 hdb_entry_ex *client,
554 krb5_const_principal server)
555 {
556 krb5_error_code ret;
557
558 /* if client does a s4u2self to itself, that ok */
559 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
560 return 0;
561
562 if (clientdb->hdb_check_s4u2self) {
563 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
564 if (ret == 0)
565 return 0;
566 } else {
567 ret = KRB5KDC_ERR_BADOPTION;
568 }
569 return ret;
570 }
571
572 /*
573 *
574 */
575
576 static krb5_error_code
577 verify_flags (krb5_context context,
578 krb5_kdc_configuration *config,
579 const EncTicketPart *et,
580 const char *pstr)
581 {
582 if(et->endtime < kdc_time){
583 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
584 return KRB5KRB_AP_ERR_TKT_EXPIRED;
585 }
586 if(et->flags.invalid){
587 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
588 return KRB5KRB_AP_ERR_TKT_NYV;
589 }
590 return 0;
591 }
592
593 /*
594 *
595 */
596
597 static krb5_error_code
598 fix_transited_encoding(krb5_context context,
599 krb5_kdc_configuration *config,
600 krb5_boolean check_policy,
601 const TransitedEncoding *tr,
602 EncTicketPart *et,
603 const char *client_realm,
604 const char *server_realm,
605 const char *tgt_realm)
606 {
607 krb5_error_code ret = 0;
608 char **realms, **tmp;
609 unsigned int num_realms;
610 size_t i;
611
612 switch (tr->tr_type) {
613 case DOMAIN_X500_COMPRESS:
614 break;
615 case 0:
616 /*
617 * Allow empty content of type 0 because that is was Microsoft
618 * generates in their TGT.
619 */
620 if (tr->contents.length == 0)
621 break;
622 kdc_log(context, config, 0,
623 "Transited type 0 with non empty content");
624 return KRB5KDC_ERR_TRTYPE_NOSUPP;
625 default:
626 kdc_log(context, config, 0,
627 "Unknown transited type: %u", tr->tr_type);
628 return KRB5KDC_ERR_TRTYPE_NOSUPP;
629 }
630
631 ret = krb5_domain_x500_decode(context,
632 tr->contents,
633 &realms,
634 &num_realms,
635 client_realm,
636 server_realm);
637 if(ret){
638 krb5_warn(context, ret,
639 "Decoding transited encoding");
640 return ret;
641 }
642 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
643 /* not us, so add the previous realm to transited set */
644 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
645 ret = ERANGE;
646 goto free_realms;
647 }
648 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
649 if(tmp == NULL){
650 ret = ENOMEM;
651 goto free_realms;
652 }
653 realms = tmp;
654 realms[num_realms] = strdup(tgt_realm);
655 if(realms[num_realms] == NULL){
656 ret = ENOMEM;
657 goto free_realms;
658 }
659 num_realms++;
660 }
661 if(num_realms == 0) {
662 if(strcmp(client_realm, server_realm))
663 kdc_log(context, config, 0,
664 "cross-realm %s -> %s", client_realm, server_realm);
665 } else {
666 size_t l = 0;
667 char *rs;
668 for(i = 0; i < num_realms; i++)
669 l += strlen(realms[i]) + 2;
670 rs = malloc(l);
671 if(rs != NULL) {
672 *rs = '\0';
673 for(i = 0; i < num_realms; i++) {
674 if(i > 0)
675 strlcat(rs, ", ", l);
676 strlcat(rs, realms[i], l);
677 }
678 kdc_log(context, config, 0,
679 "cross-realm %s -> %s via [%s]",
680 client_realm, server_realm, rs);
681 free(rs);
682 }
683 }
684 if(check_policy) {
685 ret = krb5_check_transited(context, client_realm,
686 server_realm,
687 realms, num_realms, NULL);
688 if(ret) {
689 krb5_warn(context, ret, "cross-realm %s -> %s",
690 client_realm, server_realm);
691 goto free_realms;
692 }
693 et->flags.transited_policy_checked = 1;
694 }
695 et->transited.tr_type = DOMAIN_X500_COMPRESS;
696 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
697 if(ret)
698 krb5_warn(context, ret, "Encoding transited encoding");
699 free_realms:
700 for(i = 0; i < num_realms; i++)
701 free(realms[i]);
702 free(realms);
703 return ret;
704 }
705
706
707 static krb5_error_code
708 tgs_make_reply(krb5_context context,
709 krb5_kdc_configuration *config,
710 KDC_REQ_BODY *b,
711 krb5_const_principal tgt_name,
712 const EncTicketPart *tgt,
713 const krb5_keyblock *replykey,
714 int rk_is_subkey,
715 const EncryptionKey *serverkey,
716 const krb5_keyblock *sessionkey,
717 krb5_kvno kvno,
718 AuthorizationData *auth_data,
719 hdb_entry_ex *server,
720 krb5_principal server_principal,
721 const char *server_name,
722 hdb_entry_ex *client,
723 krb5_principal client_principal,
724 hdb_entry_ex *krbtgt,
725 krb5_enctype krbtgt_etype,
726 krb5_principals spp,
727 const krb5_data *rspac,
728 const METHOD_DATA *enc_pa_data,
729 const char **e_text,
730 krb5_data *reply)
731 {
732 KDC_REP rep;
733 EncKDCRepPart ek;
734 EncTicketPart et;
735 KDCOptions f = b->kdc_options;
736 krb5_error_code ret;
737 int is_weak = 0;
738
739 memset(&rep, 0, sizeof(rep));
740 memset(&et, 0, sizeof(et));
741 memset(&ek, 0, sizeof(ek));
742
743 rep.pvno = 5;
744 rep.msg_type = krb_tgs_rep;
745
746 et.authtime = tgt->authtime;
747 _kdc_fix_time(&b->till);
748 et.endtime = min(tgt->endtime, *b->till);
749 ALLOC(et.starttime);
750 *et.starttime = kdc_time;
751
752 ret = check_tgs_flags(context, config, b, tgt, &et);
753 if(ret)
754 goto out;
755
756 /* We should check the transited encoding if:
757 1) the request doesn't ask not to be checked
758 2) globally enforcing a check
759 3) principal requires checking
760 4) we allow non-check per-principal, but principal isn't marked as allowing this
761 5) we don't globally allow this
762 */
763
764 #define GLOBAL_FORCE_TRANSITED_CHECK \
765 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
766 #define GLOBAL_ALLOW_PER_PRINCIPAL \
767 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
768 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
769 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
770
771 /* these will consult the database in future release */
772 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
773 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
774
775 ret = fix_transited_encoding(context, config,
776 !f.disable_transited_check ||
777 GLOBAL_FORCE_TRANSITED_CHECK ||
778 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
779 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
780 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
781 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
782 &tgt->transited, &et,
783 krb5_principal_get_realm(context, client_principal),
784 krb5_principal_get_realm(context, server->entry.principal),
785 krb5_principal_get_realm(context, krbtgt->entry.principal));
786 if(ret)
787 goto out;
788
789 copy_Realm(&server_principal->realm, &rep.ticket.realm);
790 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
791 copy_Realm(&tgt_name->realm, &rep.crealm);
792 /*
793 if (f.request_anonymous)
794 _kdc_make_anonymous_principalname (&rep.cname);
795 else */
796
797 copy_PrincipalName(&tgt_name->name, &rep.cname);
798 rep.ticket.tkt_vno = 5;
799
800 ek.caddr = et.caddr;
801 if(et.caddr == NULL)
802 et.caddr = tgt->caddr;
803
804 {
805 time_t life;
806 life = et.endtime - *et.starttime;
807 if(client && client->entry.max_life)
808 life = min(life, *client->entry.max_life);
809 if(server->entry.max_life)
810 life = min(life, *server->entry.max_life);
811 et.endtime = *et.starttime + life;
812 }
813 if(f.renewable_ok && tgt->flags.renewable &&
814 et.renew_till == NULL && et.endtime < *b->till &&
815 tgt->renew_till != NULL)
816 {
817 et.flags.renewable = 1;
818 ALLOC(et.renew_till);
819 *et.renew_till = *b->till;
820 }
821 if(et.renew_till){
822 time_t renew;
823 renew = *et.renew_till - et.authtime;
824 if(client && client->entry.max_renew)
825 renew = min(renew, *client->entry.max_renew);
826 if(server->entry.max_renew)
827 renew = min(renew, *server->entry.max_renew);
828 *et.renew_till = et.authtime + renew;
829 }
830
831 if(et.renew_till){
832 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
833 *et.starttime = min(*et.starttime, *et.renew_till);
834 et.endtime = min(et.endtime, *et.renew_till);
835 }
836
837 *et.starttime = min(*et.starttime, et.endtime);
838
839 if(*et.starttime == et.endtime){
840 ret = KRB5KDC_ERR_NEVER_VALID;
841 goto out;
842 }
843 if(et.renew_till && et.endtime == *et.renew_till){
844 free(et.renew_till);
845 et.renew_till = NULL;
846 et.flags.renewable = 0;
847 }
848
849 et.flags.pre_authent = tgt->flags.pre_authent;
850 et.flags.hw_authent = tgt->flags.hw_authent;
851 et.flags.anonymous = tgt->flags.anonymous;
852 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
853
854 if(rspac->length) {
855 /*
856 * No not need to filter out the any PAC from the
857 * auth_data since it's signed by the KDC.
858 */
859 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
860 KRB5_AUTHDATA_WIN2K_PAC, rspac);
861 if (ret)
862 goto out;
863 }
864
865 if (auth_data) {
866 unsigned int i = 0;
867
868 /* XXX check authdata */
869
870 if (et.authorization_data == NULL) {
871 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
872 if (et.authorization_data == NULL) {
873 ret = ENOMEM;
874 krb5_set_error_message(context, ret, "malloc: out of memory");
875 goto out;
876 }
877 }
878 for(i = 0; i < auth_data->len ; i++) {
879 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
880 if (ret) {
881 krb5_set_error_message(context, ret, "malloc: out of memory");
882 goto out;
883 }
884 }
885
886 /* Filter out type KRB5SignedPath */
887 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
888 if (ret == 0) {
889 if (et.authorization_data->len == 1) {
890 free_AuthorizationData(et.authorization_data);
891 free(et.authorization_data);
892 et.authorization_data = NULL;
893 } else {
894 AuthorizationData *ad = et.authorization_data;
895 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
896 ad->len--;
897 }
898 }
899 }
900
901 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
902 if (ret)
903 goto out;
904 et.crealm = tgt->crealm;
905 et.cname = tgt_name->name;
906
907 ek.key = et.key;
908 /* MIT must have at least one last_req */
909 ek.last_req.len = 1;
910 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
911 if (ek.last_req.val == NULL) {
912 ret = ENOMEM;
913 goto out;
914 }
915 ek.nonce = b->nonce;
916 ek.flags = et.flags;
917 ek.authtime = et.authtime;
918 ek.starttime = et.starttime;
919 ek.endtime = et.endtime;
920 ek.renew_till = et.renew_till;
921 ek.srealm = rep.ticket.realm;
922 ek.sname = rep.ticket.sname;
923
924 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
925 et.endtime, et.renew_till);
926
927 /* Don't sign cross realm tickets, they can't be checked anyway */
928 {
929 char *r = get_krbtgt_realm(&ek.sname);
930
931 if (r == NULL || strcmp(r, ek.srealm) == 0) {
932 ret = _kdc_add_KRB5SignedPath(context,
933 config,
934 krbtgt,
935 krbtgt_etype,
936 client_principal,
937 NULL,
938 spp,
939 &et);
940 if (ret)
941 goto out;
942 }
943 }
944
945 if (enc_pa_data->len) {
946 rep.padata = calloc(1, sizeof(*rep.padata));
947 if (rep.padata == NULL) {
948 ret = ENOMEM;
949 goto out;
950 }
951 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
952 if (ret)
953 goto out;
954 }
955
956 if (krb5_enctype_valid(context, et.key.keytype) != 0
957 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
958 {
959 krb5_enctype_enable(context, et.key.keytype);
960 is_weak = 1;
961 }
962
963
964 /* It is somewhat unclear where the etype in the following
965 encryption should come from. What we have is a session
966 key in the passed tgt, and a list of preferred etypes
967 *for the new ticket*. Should we pick the best possible
968 etype, given the keytype in the tgt, or should we look
969 at the etype list here as well? What if the tgt
970 session key is DES3 and we want a ticket with a (say)
971 CAST session key. Should the DES3 etype be added to the
972 etype list, even if we don't want a session key with
973 DES3? */
974 ret = _kdc_encode_reply(context, config,
975 &rep, &et, &ek, et.key.keytype,
976 kvno,
977 serverkey, 0, replykey, rk_is_subkey,
978 e_text, reply);
979 if (is_weak)
980 krb5_enctype_disable(context, et.key.keytype);
981
982 out:
983 free_TGS_REP(&rep);
984 free_TransitedEncoding(&et.transited);
985 if(et.starttime)
986 free(et.starttime);
987 if(et.renew_till)
988 free(et.renew_till);
989 if(et.authorization_data) {
990 free_AuthorizationData(et.authorization_data);
991 free(et.authorization_data);
992 }
993 free_LastReq(&ek.last_req);
994 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
995 free_EncryptionKey(&et.key);
996 return ret;
997 }
998
999 static krb5_error_code
1000 tgs_check_authenticator(krb5_context context,
1001 krb5_kdc_configuration *config,
1002 krb5_auth_context ac,
1003 KDC_REQ_BODY *b,
1004 const char **e_text,
1005 krb5_keyblock *key)
1006 {
1007 krb5_authenticator auth;
1008 size_t len = 0;
1009 unsigned char *buf;
1010 size_t buf_size;
1011 krb5_error_code ret;
1012 krb5_crypto crypto;
1013
1014 krb5_auth_con_getauthenticator(context, ac, &auth);
1015 if(auth->cksum == NULL){
1016 kdc_log(context, config, 0, "No authenticator in request");
1017 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1018 goto out;
1019 }
1020 /*
1021 * according to RFC1510 it doesn't need to be keyed,
1022 * but according to the latest draft it needs to.
1023 */
1024 if (
1025 #if 0
1026 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1027 ||
1028 #endif
1029 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1030 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1031 auth->cksum->cksumtype);
1032 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1033 goto out;
1034 }
1035
1036 /* XXX should not re-encode this */
1037 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1038 if(ret){
1039 const char *msg = krb5_get_error_message(context, ret);
1040 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1041 krb5_free_error_message(context, msg);
1042 goto out;
1043 }
1044 if(buf_size != len) {
1045 free(buf);
1046 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1047 *e_text = "KDC internal error";
1048 ret = KRB5KRB_ERR_GENERIC;
1049 goto out;
1050 }
1051 ret = krb5_crypto_init(context, key, 0, &crypto);
1052 if (ret) {
1053 const char *msg = krb5_get_error_message(context, ret);
1054 free(buf);
1055 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1056 krb5_free_error_message(context, msg);
1057 goto out;
1058 }
1059 ret = krb5_verify_checksum(context,
1060 crypto,
1061 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1062 buf,
1063 len,
1064 auth->cksum);
1065 free(buf);
1066 krb5_crypto_destroy(context, crypto);
1067 if(ret){
1068 const char *msg = krb5_get_error_message(context, ret);
1069 kdc_log(context, config, 0,
1070 "Failed to verify authenticator checksum: %s", msg);
1071 krb5_free_error_message(context, msg);
1072 }
1073 out:
1074 free_Authenticator(auth);
1075 free(auth);
1076 return ret;
1077 }
1078
1079 /*
1080 *
1081 */
1082
1083 static const char *
1084 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1085 {
1086 const char *new_realm = krb5_config_get_string(context,
1087 NULL,
1088 "capaths",
1089 crealm,
1090 srealm,
1091 NULL);
1092 return new_realm;
1093 }
1094
1095
1096 static krb5_boolean
1097 need_referral(krb5_context context, krb5_kdc_configuration *config,
1098 const KDCOptions * const options, krb5_principal server,
1099 krb5_realm **realms)
1100 {
1101 const char *name;
1102
1103 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1104 return FALSE;
1105
1106 if (server->name.name_string.len == 1)
1107 name = server->name.name_string.val[0];
1108 else if (server->name.name_string.len > 1)
1109 name = server->name.name_string.val[1];
1110 else
1111 return FALSE;
1112
1113 kdc_log(context, config, 0, "Searching referral for %s", name);
1114
1115 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1116 }
1117
1118 static krb5_error_code
1119 tgs_parse_request(krb5_context context,
1120 krb5_kdc_configuration *config,
1121 KDC_REQ_BODY *b,
1122 const PA_DATA *tgs_req,
1123 hdb_entry_ex **krbtgt,
1124 krb5_enctype *krbtgt_etype,
1125 krb5_ticket **ticket,
1126 const char **e_text,
1127 const char *from,
1128 const struct sockaddr *from_addr,
1129 time_t **csec,
1130 int **cusec,
1131 AuthorizationData **auth_data,
1132 krb5_keyblock **replykey,
1133 int *rk_is_subkey)
1134 {
1135 static char failed[] = "<unparse_name failed>";
1136 krb5_ap_req ap_req;
1137 krb5_error_code ret;
1138 krb5_principal princ;
1139 krb5_auth_context ac = NULL;
1140 krb5_flags ap_req_options;
1141 krb5_flags verify_ap_req_flags;
1142 krb5_crypto crypto;
1143 Key *tkey;
1144 krb5_keyblock *subkey = NULL;
1145 unsigned usage;
1146
1147 *auth_data = NULL;
1148 *csec = NULL;
1149 *cusec = NULL;
1150 *replykey = NULL;
1151
1152 memset(&ap_req, 0, sizeof(ap_req));
1153 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1154 if(ret){
1155 const char *msg = krb5_get_error_message(context, ret);
1156 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1157 krb5_free_error_message(context, msg);
1158 goto out;
1159 }
1160
1161 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1162 /* XXX check for ticket.sname == req.sname */
1163 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1164 ret = KRB5KDC_ERR_POLICY; /* ? */
1165 goto out;
1166 }
1167
1168 _krb5_principalname2krb5_principal(context,
1169 &princ,
1170 ap_req.ticket.sname,
1171 ap_req.ticket.realm);
1172
1173 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1174
1175 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1176 char *p;
1177 ret = krb5_unparse_name(context, princ, &p);
1178 if (ret != 0)
1179 p = failed;
1180 krb5_free_principal(context, princ);
1181 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1182 if (ret == 0)
1183 free(p);
1184 ret = HDB_ERR_NOT_FOUND_HERE;
1185 goto out;
1186 } else if(ret){
1187 const char *msg = krb5_get_error_message(context, ret);
1188 char *p;
1189 ret = krb5_unparse_name(context, princ, &p);
1190 if (ret != 0)
1191 p = failed;
1192 krb5_free_principal(context, princ);
1193 kdc_log(context, config, 0,
1194 "Ticket-granting ticket not found in database: %s", msg);
1195 krb5_free_error_message(context, msg);
1196 if (ret == 0)
1197 free(p);
1198 ret = KRB5KRB_AP_ERR_NOT_US;
1199 goto out;
1200 }
1201
1202 if(ap_req.ticket.enc_part.kvno &&
1203 (size_t)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1204 char *p;
1205
1206 ret = krb5_unparse_name (context, princ, &p);
1207 krb5_free_principal(context, princ);
1208 if (ret != 0)
1209 p = failed;
1210 kdc_log(context, config, 0,
1211 "Ticket kvno = %d, DB kvno = %d (%s)",
1212 *ap_req.ticket.enc_part.kvno,
1213 (*krbtgt)->entry.kvno,
1214 p);
1215 if (ret == 0)
1216 free (p);
1217 ret = KRB5KRB_AP_ERR_BADKEYVER;
1218 goto out;
1219 }
1220
1221 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1222
1223 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1224 ap_req.ticket.enc_part.etype, &tkey);
1225 if(ret){
1226 char *str = NULL, *p = NULL;
1227
1228 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1229 krb5_unparse_name(context, princ, &p);
1230 kdc_log(context, config, 0,
1231 "No server key with enctype %s found for %s",
1232 str ? str : "<unknown enctype>",
1233 p ? p : "<unparse_name failed>");
1234 free(str);
1235 free(p);
1236 ret = KRB5KRB_AP_ERR_BADKEYVER;
1237 goto out;
1238 }
1239
1240 if (b->kdc_options.validate)
1241 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1242 else
1243 verify_ap_req_flags = 0;
1244
1245 ret = krb5_verify_ap_req2(context,
1246 &ac,
1247 &ap_req,
1248 princ,
1249 &tkey->key,
1250 verify_ap_req_flags,
1251 &ap_req_options,
1252 ticket,
1253 KRB5_KU_TGS_REQ_AUTH);
1254
1255 krb5_free_principal(context, princ);
1256 if(ret) {
1257 const char *msg = krb5_get_error_message(context, ret);
1258 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1259 krb5_free_error_message(context, msg);
1260 goto out;
1261 }
1262
1263 {
1264 krb5_authenticator auth;
1265
1266 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1267 if (ret == 0) {
1268 *csec = malloc(sizeof(**csec));
1269 if (*csec == NULL) {
1270 krb5_free_authenticator(context, &auth);
1271 kdc_log(context, config, 0, "malloc failed");
1272 goto out;
1273 }
1274 **csec = auth->ctime;
1275 *cusec = malloc(sizeof(**cusec));
1276 if (*cusec == NULL) {
1277 krb5_free_authenticator(context, &auth);
1278 kdc_log(context, config, 0, "malloc failed");
1279 goto out;
1280 }
1281 **cusec = auth->cusec;
1282 krb5_free_authenticator(context, &auth);
1283 }
1284 }
1285
1286 ret = tgs_check_authenticator(context, config,
1287 ac, b, e_text, &(*ticket)->ticket.key);
1288 if (ret) {
1289 krb5_auth_con_free(context, ac);
1290 goto out;
1291 }
1292
1293 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1294 *rk_is_subkey = 1;
1295
1296 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1297 if(ret){
1298 const char *msg = krb5_get_error_message(context, ret);
1299 krb5_auth_con_free(context, ac);
1300 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1301 krb5_free_error_message(context, msg);
1302 goto out;
1303 }
1304 if(subkey == NULL){
1305 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1306 *rk_is_subkey = 0;
1307
1308 ret = krb5_auth_con_getkey(context, ac, &subkey);
1309 if(ret) {
1310 const char *msg = krb5_get_error_message(context, ret);
1311 krb5_auth_con_free(context, ac);
1312 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1313 krb5_free_error_message(context, msg);
1314 goto out;
1315 }
1316 }
1317 if(subkey == NULL){
1318 krb5_auth_con_free(context, ac);
1319 kdc_log(context, config, 0,
1320 "Failed to get key for enc-authorization-data");
1321 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1322 goto out;
1323 }
1324
1325 *replykey = subkey;
1326
1327 if (b->enc_authorization_data) {
1328 krb5_data ad;
1329
1330 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1331 if (ret) {
1332 const char *msg = krb5_get_error_message(context, ret);
1333 krb5_auth_con_free(context, ac);
1334 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1335 krb5_free_error_message(context, msg);
1336 goto out;
1337 }
1338 ret = krb5_decrypt_EncryptedData (context,
1339 crypto,
1340 usage,
1341 b->enc_authorization_data,
1342 &ad);
1343 krb5_crypto_destroy(context, crypto);
1344 if(ret){
1345 krb5_auth_con_free(context, ac);
1346 kdc_log(context, config, 0,
1347 "Failed to decrypt enc-authorization-data");
1348 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1349 goto out;
1350 }
1351 ALLOC(*auth_data);
1352 if (*auth_data == NULL) {
1353 krb5_auth_con_free(context, ac);
1354 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1355 goto out;
1356 }
1357 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1358 if(ret){
1359 krb5_auth_con_free(context, ac);
1360 free(*auth_data);
1361 *auth_data = NULL;
1362 kdc_log(context, config, 0, "Failed to decode authorization data");
1363 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1364 goto out;
1365 }
1366 }
1367
1368 krb5_auth_con_free(context, ac);
1369
1370 out:
1371 free_AP_REQ(&ap_req);
1372
1373 return ret;
1374 }
1375
1376 static krb5_error_code
1377 build_server_referral(krb5_context context,
1378 krb5_kdc_configuration *config,
1379 krb5_crypto session,
1380 krb5_const_realm referred_realm,
1381 const PrincipalName *true_principal_name,
1382 const PrincipalName *requested_principal,
1383 krb5_data *outdata)
1384 {
1385 PA_ServerReferralData ref;
1386 krb5_error_code ret;
1387 EncryptedData ed;
1388 krb5_data data;
1389 size_t size = 0;
1390
1391 memset(&ref, 0, sizeof(ref));
1392
1393 if (referred_realm) {
1394 ALLOC(ref.referred_realm);
1395 if (ref.referred_realm == NULL)
1396 goto eout;
1397 *ref.referred_realm = strdup(referred_realm);
1398 if (*ref.referred_realm == NULL)
1399 goto eout;
1400 }
1401 if (true_principal_name) {
1402 ALLOC(ref.true_principal_name);
1403 if (ref.true_principal_name == NULL)
1404 goto eout;
1405 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1406 if (ret)
1407 goto eout;
1408 }
1409 if (requested_principal) {
1410 ALLOC(ref.requested_principal_name);
1411 if (ref.requested_principal_name == NULL)
1412 goto eout;
1413 ret = copy_PrincipalName(requested_principal,
1414 ref.requested_principal_name);
1415 if (ret)
1416 goto eout;
1417 }
1418
1419 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1420 data.data, data.length,
1421 &ref, &size, ret);
1422 free_PA_ServerReferralData(&ref);
1423 if (ret)
1424 return ret;
1425 if (data.length != size)
1426 krb5_abortx(context, "internal asn.1 encoder error");
1427
1428 ret = krb5_encrypt_EncryptedData(context, session,
1429 KRB5_KU_PA_SERVER_REFERRAL,
1430 data.data, data.length,
1431 0 /* kvno */, &ed);
1432 free(data.data);
1433 if (ret)
1434 return ret;
1435
1436 ASN1_MALLOC_ENCODE(EncryptedData,
1437 outdata->data, outdata->length,
1438 &ed, &size, ret);
1439 free_EncryptedData(&ed);
1440 if (ret)
1441 return ret;
1442 if (outdata->length != size)
1443 krb5_abortx(context, "internal asn.1 encoder error");
1444
1445 return 0;
1446 eout:
1447 free_PA_ServerReferralData(&ref);
1448 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1449 return ENOMEM;
1450 }
1451
1452 static krb5_error_code
1453 tgs_build_reply(krb5_context context,
1454 krb5_kdc_configuration *config,
1455 KDC_REQ *req,
1456 KDC_REQ_BODY *b,
1457 hdb_entry_ex *krbtgt,
1458 krb5_enctype krbtgt_etype,
1459 const krb5_keyblock *replykey,
1460 int rk_is_subkey,
1461 krb5_ticket *ticket,
1462 krb5_data *reply,
1463 const char *from,
1464 const char **e_text,
1465 AuthorizationData **auth_data,
1466 const struct sockaddr *from_addr)
1467 {
1468 krb5_error_code ret;
1469 krb5_principal cp = NULL, sp = NULL, tp = NULL;
1470 krb5_principal krbtgt_principal = NULL;
1471 char *spn = NULL, *cpn = NULL, *tpn = NULL;
1472 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1473 HDB *clientdb, *s4u2self_impersonated_clientdb;
1474 krb5_realm ref_realm = NULL;
1475 EncTicketPart *tgt = &ticket->ticket;
1476 krb5_principals spp = NULL;
1477 const EncryptionKey *ekey;
1478 krb5_keyblock sessionkey;
1479 krb5_kvno kvno;
1480 krb5_data rspac;
1481
1482 hdb_entry_ex *krbtgt_out = NULL;
1483
1484 METHOD_DATA enc_pa_data;
1485
1486 PrincipalName *s;
1487 Realm r;
1488 int nloop = 0;
1489 EncTicketPart adtkt;
1490 char opt_str[128];
1491 int signedpath = 0;
1492
1493 Key *tkey_check;
1494 Key *tkey_sign;
1495
1496 memset(&sessionkey, 0, sizeof(sessionkey));
1497 memset(&adtkt, 0, sizeof(adtkt));
1498 krb5_data_zero(&rspac);
1499 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1500
1501 s = b->sname;
1502 r = b->realm;
1503
1504 if(b->kdc_options.enc_tkt_in_skey){
1505 Ticket *t;
1506 hdb_entry_ex *uu;
1507 krb5_principal p;
1508 Key *uukey;
1509
1510 if(b->additional_tickets == NULL ||
1511 b->additional_tickets->len == 0){
1512 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1513 kdc_log(context, config, 0,
1514 "No second ticket present in request");
1515 goto out;
1516 }
1517 t = &b->additional_tickets->val[0];
1518 if(!get_krbtgt_realm(&t->sname)){
1519 kdc_log(context, config, 0,
1520 "Additional ticket is not a ticket-granting ticket");
1521 ret = KRB5KDC_ERR_POLICY;
1522 goto out;
1523 }
1524 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1525 ret = _kdc_db_fetch(context, config, p,
1526 HDB_F_GET_KRBTGT, t->enc_part.kvno,
1527 NULL, &uu);
1528 krb5_free_principal(context, p);
1529 if(ret){
1530 if (ret == HDB_ERR_NOENTRY)
1531 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1532 goto out;
1533 }
1534 ret = hdb_enctype2key(context, &uu->entry,
1535 t->enc_part.etype, &uukey);
1536 if(ret){
1537 _kdc_free_ent(context, uu);
1538 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1539 goto out;
1540 }
1541 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1542 _kdc_free_ent(context, uu);
1543 if(ret)
1544 goto out;
1545
1546 ret = verify_flags(context, config, &adtkt, spn);
1547 if (ret)
1548 goto out;
1549
1550 s = &adtkt.cname;
1551 r = adtkt.crealm;
1552 }
1553
1554 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1555 ret = krb5_unparse_name(context, sp, &spn);
1556 if (ret)
1557 goto out;
1558 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1559 ret = krb5_unparse_name(context, cp, &cpn);
1560 if (ret)
1561 goto out;
1562 unparse_flags (KDCOptions2int(b->kdc_options),
1563 asn1_KDCOptions_units(),
1564 opt_str, sizeof(opt_str));
1565 if(*opt_str)
1566 kdc_log(context, config, 0,
1567 "TGS-REQ %s from %s for %s [%s]",
1568 cpn, from, spn, opt_str);
1569 else
1570 kdc_log(context, config, 0,
1571 "TGS-REQ %s from %s for %s", cpn, from, spn);
1572
1573 /*
1574 * Fetch server
1575 */
1576
1577 server_lookup:
1578 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
1579 NULL, NULL, &server);
1580
1581 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1582 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1583 goto out;
1584 } else if(ret){
1585 const char *new_rlm, *msg;
1586 Realm req_rlm;
1587 krb5_realm *realms;
1588
1589 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1590 if(nloop++ < 2) {
1591 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1592 if(new_rlm) {
1593 kdc_log(context, config, 5, "krbtgt for realm %s "
1594 "not found, trying %s",
1595 req_rlm, new_rlm);
1596 krb5_free_principal(context, sp);
1597 free(spn);
1598 krb5_make_principal(context, &sp, r,
1599 KRB5_TGS_NAME, new_rlm, NULL);
1600 ret = krb5_unparse_name(context, sp, &spn);
1601 if (ret)
1602 goto out;
1603
1604 if (ref_realm)
1605 free(ref_realm);
1606 ref_realm = strdup(new_rlm);
1607 goto server_lookup;
1608 }
1609 }
1610 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1611 if (strcmp(realms[0], sp->realm) != 0) {
1612 kdc_log(context, config, 5,
1613 "Returning a referral to realm %s for "
1614 "server %s that was not found",
1615 realms[0], spn);
1616 krb5_free_principal(context, sp);
1617 free(spn);
1618 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1619 realms[0], NULL);
1620 ret = krb5_unparse_name(context, sp, &spn);
1621 if (ret)
1622 goto out;
1623
1624 if (ref_realm)
1625 free(ref_realm);
1626 ref_realm = strdup(realms[0]);
1627
1628 krb5_free_host_realm(context, realms);
1629 goto server_lookup;
1630 }
1631 krb5_free_host_realm(context, realms);
1632 }
1633 msg = krb5_get_error_message(context, ret);
1634 kdc_log(context, config, 0,
1635 "Server not found in database: %s: %s", spn, msg);
1636 krb5_free_error_message(context, msg);
1637 if (ret == HDB_ERR_NOENTRY)
1638 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1639 goto out;
1640 }
1641
1642 /*
1643 * Select enctype, return key and kvno.
1644 */
1645
1646 {
1647 krb5_enctype etype;
1648
1649 if(b->kdc_options.enc_tkt_in_skey) {
1650 size_t i;
1651 ekey = &adtkt.key;
1652 for(i = 0; i < b->etype.len; i++)
1653 if (b->etype.val[i] == adtkt.key.keytype)
1654 break;
1655 if(i == b->etype.len) {
1656 kdc_log(context, config, 0,
1657 "Addition ticket have not matching etypes");
1658 krb5_clear_error_message(context);
1659 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1660 goto out;
1661 }
1662 etype = b->etype.val[i];
1663 kvno = 0;
1664 } else {
1665 Key *skey;
1666
1667 ret = _kdc_find_etype(context,
1668 config->tgs_use_strongest_session_key, FALSE,
1669 server, b->etype.val, b->etype.len, NULL,
1670 &skey);
1671 if(ret) {
1672 kdc_log(context, config, 0,
1673 "Server (%s) has no support for etypes", spn);
1674 goto out;
1675 }
1676 ekey = &skey->key;
1677 etype = skey->key.keytype;
1678 kvno = server->entry.kvno;
1679 }
1680
1681 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1682 if (ret)
1683 goto out;
1684 }
1685
1686 /*
1687 * Check that service is in the same realm as the krbtgt. If it's
1688 * not the same, it's someone that is using a uni-directional trust
1689 * backward.
1690 */
1691
1692 /*
1693 * Validate authoriation data
1694 */
1695
1696 ret = hdb_enctype2key(context, &krbtgt->entry,
1697 krbtgt_etype, &tkey_check);
1698 if(ret) {
1699 kdc_log(context, config, 0,
1700 "Failed to find key for krbtgt PAC check");
1701 goto out;
1702 }
1703
1704 /* Now refetch the primary krbtgt, and get the current kvno (the
1705 * sign check may have been on an old kvno, and the server may
1706 * have been an incoming trust) */
1707 ret = krb5_make_principal(context, &krbtgt_principal,
1708 krb5_principal_get_comp_string(context,
1709 krbtgt->entry.principal,
1710 1),
1711 KRB5_TGS_NAME,
1712 krb5_principal_get_comp_string(context,
1713 krbtgt->entry.principal,
1714 1), NULL);
1715 if(ret) {
1716 kdc_log(context, config, 0,
1717 "Failed to generate krbtgt principal");
1718 goto out;
1719 }
1720
1721 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1722 krb5_free_principal(context, krbtgt_principal);
1723 if (ret) {
1724 krb5_error_code ret2;
1725 char *ktpn, *ktpn2;
1726 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1727 ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
1728 kdc_log(context, config, 0,
1729 "Request with wrong krbtgt: %s, %s not found in our database",
1730 (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
1731 if(ret == 0)
1732 free(ktpn);
1733 if(ret2 == 0)
1734 free(ktpn2);
1735 ret = KRB5KRB_AP_ERR_NOT_US;
1736 goto out;
1737 }
1738
1739 /* The first realm is the realm of the service, the second is
1740 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1741 * encrypted to. The redirection via the krbtgt_out entry allows
1742 * the DB to possibly correct the case of the realm (Samba4 does
1743 * this) before the strcmp() */
1744 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1745 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1746 char *ktpn;
1747 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1748 kdc_log(context, config, 0,
1749 "Request with wrong krbtgt: %s",
1750 (ret == 0) ? ktpn : "<unknown>");
1751 if(ret == 0)
1752 free(ktpn);
1753 ret = KRB5KRB_AP_ERR_NOT_US;
1754 }
1755
1756 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1757 krbtgt_etype, &tkey_sign);
1758 if(ret) {
1759 kdc_log(context, config, 0,
1760 "Failed to find key for krbtgt PAC signature");
1761 goto out;
1762 }
1763
1764 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1765 NULL, &clientdb, &client);
1766 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1767 /* This is OK, we are just trying to find out if they have
1768 * been disabled or deleted in the meantime, missing secrets
1769 * is OK */
1770 } else if(ret){
1771 const char *krbtgt_realm, *msg;
1772
1773 /*
1774 * If the client belongs to the same realm as our krbtgt, it
1775 * should exist in the local database.
1776 *
1777 */
1778
1779 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1780
1781 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1782 if (ret == HDB_ERR_NOENTRY)
1783 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1784 kdc_log(context, config, 1, "Client no longer in database: %s",
1785 cpn);
1786 goto out;
1787 }
1788
1789 msg = krb5_get_error_message(context, ret);
1790 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1791 krb5_free_error_message(context, msg);
1792 }
1793
1794 ret = check_PAC(context, config, cp,
1795 client, server, krbtgt,
1796 &tkey_check->key, &tkey_check->key,
1797 ekey, &tkey_sign->key,
1798 tgt, &rspac, &signedpath);
1799 if (ret) {
1800 const char *msg = krb5_get_error_message(context, ret);
1801 kdc_log(context, config, 0,
1802 "Verify PAC failed for %s (%s) from %s with %s",
1803 spn, cpn, from, msg);
1804 krb5_free_error_message(context, msg);
1805 goto out;
1806 }
1807
1808 /* also check the krbtgt for signature */
1809 ret = check_KRB5SignedPath(context,
1810 config,
1811 krbtgt,
1812 cp,
1813 tgt,
1814 &spp,
1815 &signedpath);
1816 if (ret) {
1817 const char *msg = krb5_get_error_message(context, ret);
1818 kdc_log(context, config, 0,
1819 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1820 spn, cpn, from, msg);
1821 krb5_free_error_message(context, msg);
1822 goto out;
1823 }
1824
1825 /*
1826 * Process request
1827 */
1828
1829 /* by default the tgt principal matches the client principal */
1830 tp = cp;
1831 tpn = cpn;
1832
1833 if (client) {
1834 const PA_DATA *sdata;
1835 int i = 0;
1836
1837 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1838 if (sdata) {
1839 krb5_crypto crypto;
1840 krb5_data datack;
1841 PA_S4U2Self self;
1842 const char *str;
1843
1844 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1845 sdata->padata_value.length,
1846 &self, NULL);
1847 if (ret) {
1848 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1849 goto out;
1850 }
1851
1852 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1853 if (ret)
1854 goto out;
1855
1856 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1857 if (ret) {
1858 const char *msg = krb5_get_error_message(context, ret);
1859 free_PA_S4U2Self(&self);
1860 krb5_data_free(&datack);
1861 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1862 krb5_free_error_message(context, msg);
1863 goto out;
1864 }
1865
1866 ret = krb5_verify_checksum(context,
1867 crypto,
1868 KRB5_KU_OTHER_CKSUM,
1869 datack.data,
1870 datack.length,
1871 &self.cksum);
1872 krb5_data_free(&datack);
1873 krb5_crypto_destroy(context, crypto);
1874 if (ret) {
1875 const char *msg = krb5_get_error_message(context, ret);
1876 free_PA_S4U2Self(&self);
1877 kdc_log(context, config, 0,
1878 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1879 krb5_free_error_message(context, msg);
1880 goto out;
1881 }
1882
1883 ret = _krb5_principalname2krb5_principal(context,
1884 &tp,
1885 self.name,
1886 self.realm);
1887 free_PA_S4U2Self(&self);
1888 if (ret)
1889 goto out;
1890
1891 ret = krb5_unparse_name(context, tp, &tpn);
1892 if (ret)
1893 goto out;
1894
1895 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1896 if(rspac.data) {
1897 krb5_pac p = NULL;
1898 krb5_data_free(&rspac);
1899 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | HDB_F_CANON,
1900 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1901 if (ret) {
1902 const char *msg;
1903
1904 /*
1905 * If the client belongs to the same realm as our krbtgt, it
1906 * should exist in the local database.
1907 *
1908 */
1909
1910 if (ret == HDB_ERR_NOENTRY)
1911 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1912 msg = krb5_get_error_message(context, ret);
1913 kdc_log(context, config, 1,
1914 "S2U4Self principal to impersonate %s not found in database: %s",
1915 tpn, msg);
1916 krb5_free_error_message(context, msg);
1917 goto out;
1918 }
1919 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1920 if (ret) {
1921 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1922 tpn);
1923 goto out;
1924 }
1925 if (p != NULL) {
1926 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1927 s4u2self_impersonated_client->entry.principal,
1928 ekey, &tkey_sign->key,
1929 &rspac);
1930 krb5_pac_free(context, p);
1931 if (ret) {
1932 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1933 tpn);
1934 goto out;
1935 }
1936 }
1937 }
1938
1939 /*
1940 * Check that service doing the impersonating is
1941 * requesting a ticket to it-self.
1942 */
1943 ret = check_s4u2self(context, config, clientdb, client, sp);
1944 if (ret) {
1945 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1946 "to impersonate to service "
1947 "(tried for user %s to service %s)",
1948 cpn, tpn, spn);
1949 goto out;
1950 }
1951
1952 /*
1953 * If the service isn't trusted for authentication to
1954 * delegation, remove the forward flag.
1955 */
1956
1957 if (client->entry.flags.trusted_for_delegation) {
1958 str = "[forwardable]";
1959 } else {
1960 b->kdc_options.forwardable = 0;
1961 str = "";
1962 }
1963 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1964 "service %s %s", cpn, tpn, spn, str);
1965 }
1966 }
1967
1968 /*
1969 * Constrained delegation
1970 */
1971
1972 if (client != NULL
1973 && b->additional_tickets != NULL
1974 && b->additional_tickets->len != 0
1975 && b->kdc_options.enc_tkt_in_skey == 0)
1976 {
1977 int ad_signedpath = 0;
1978 Key *clientkey;
1979 Ticket *t;
1980
1981 /*
1982 * Require that the KDC have issued the service's krbtgt (not
1983 * self-issued ticket with kimpersonate(1).
1984 */
1985 if (!signedpath) {
1986 ret = KRB5KDC_ERR_BADOPTION;
1987 kdc_log(context, config, 0,
1988 "Constrained delegation done on service ticket %s/%s",
1989 cpn, spn);
1990 goto out;
1991 }
1992
1993 t = &b->additional_tickets->val[0];
1994
1995 ret = hdb_enctype2key(context, &client->entry,
1996 t->enc_part.etype, &clientkey);
1997 if(ret){
1998 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1999 goto out;
2000 }
2001
2002 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2003 if (ret) {
2004 kdc_log(context, config, 0,
2005 "failed to decrypt ticket for "
2006 "constrained delegation from %s to %s ", cpn, spn);
2007 goto out;
2008 }
2009
2010 ret = _krb5_principalname2krb5_principal(context,
2011 &tp,
2012 adtkt.cname,
2013 adtkt.crealm);
2014 if (ret)
2015 goto out;
2016
2017 ret = krb5_unparse_name(context, tp, &tpn);
2018 if (ret)
2019 goto out;
2020
2021 /* check that ticket is valid */
2022 if (adtkt.flags.forwardable == 0) {
2023 kdc_log(context, config, 0,
2024 "Missing forwardable flag on ticket for "
2025 "constrained delegation from %s as %s to %s ",
2026 cpn, tpn, spn);
2027 ret = KRB5KDC_ERR_BADOPTION;
2028 goto out;
2029 }
2030
2031 ret = check_constrained_delegation(context, config, clientdb,
2032 client, sp);
2033 if (ret) {
2034 kdc_log(context, config, 0,
2035 "constrained delegation from %s as %s to %s not allowed",
2036 cpn, tpn, spn);
2037 goto out;
2038 }
2039
2040 ret = verify_flags(context, config, &adtkt, tpn);
2041 if (ret) {
2042 goto out;
2043 }
2044
2045 krb5_data_free(&rspac);
2046
2047 /*
2048 * generate the PAC for the user.
2049 *
2050 * TODO: pass in t->sname and t->realm and build
2051 * a S4U_DELEGATION_INFO blob to the PAC.
2052 */
2053 ret = check_PAC(context, config, tp,
2054 client, server, krbtgt,
2055 &clientkey->key, &tkey_check->key,
2056 ekey, &tkey_sign->key,
2057 &adtkt, &rspac, &ad_signedpath);
2058 if (ret) {
2059 const char *msg = krb5_get_error_message(context, ret);
2060 kdc_log(context, config, 0,
2061 "Verify delegated PAC failed to %s for client"
2062 "%s as %s from %s with %s",
2063 spn, cpn, tpn, from, msg);
2064 krb5_free_error_message(context, msg);
2065 goto out;
2066 }
2067
2068 /*
2069 * Check that the KDC issued the user's ticket.
2070 */
2071 ret = check_KRB5SignedPath(context,
2072 config,
2073 krbtgt,
2074 cp,
2075 &adtkt,
2076 NULL,
2077 &ad_signedpath);
2078 if (ret) {
2079 const char *msg = krb5_get_error_message(context, ret);
2080 kdc_log(context, config, 0,
2081 "KRB5SignedPath check from service %s failed "
2082 "for delegation to %s for client %s "
2083 "from %s failed with %s",
2084 spn, tpn, cpn, from, msg);
2085 krb5_free_error_message(context, msg);
2086 goto out;
2087 }
2088
2089 if (!ad_signedpath) {
2090 ret = KRB5KDC_ERR_BADOPTION;
2091 kdc_log(context, config, 0,
2092 "Ticket not signed with PAC nor SignedPath service %s failed "
2093 "for delegation to %s for client %s "
2094 "from %s",
2095 spn, tpn, cpn, from);
2096 goto out;
2097 }
2098
2099 kdc_log(context, config, 0, "constrained delegation for %s "
2100 "from %s to %s", tpn, cpn, spn);
2101 }
2102
2103 /*
2104 * Check flags
2105 */
2106
2107 ret = kdc_check_flags(context, config,
2108 client, cpn,
2109 server, spn,
2110 FALSE);
2111 if(ret)
2112 goto out;
2113
2114 if((b->kdc_options.validate || b->kdc_options.renew) &&
2115 !krb5_principal_compare(context,
2116 krbtgt->entry.principal,
2117 server->entry.principal)){
2118 kdc_log(context, config, 0, "Inconsistent request.");
2119 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2120 goto out;
2121 }
2122
2123 /* check for valid set of addresses */
2124 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2125 ret = KRB5KRB_AP_ERR_BADADDR;
2126 kdc_log(context, config, 0, "Request from wrong address");
2127 goto out;
2128 }
2129
2130 /*
2131 * If this is an referral, add server referral data to the
2132 * auth_data reply .
2133 */
2134 if (ref_realm) {
2135 PA_DATA pa;
2136 krb5_crypto crypto;
2137
2138 kdc_log(context, config, 0,
2139 "Adding server referral to %s", ref_realm);
2140
2141 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2142 if (ret)
2143 goto out;
2144
2145 ret = build_server_referral(context, config, crypto, ref_realm,
2146 NULL, s, &pa.padata_value);
2147 krb5_crypto_destroy(context, crypto);
2148 if (ret) {
2149 kdc_log(context, config, 0,
2150 "Failed building server referral");
2151 goto out;
2152 }
2153 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2154
2155 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2156 krb5_data_free(&pa.padata_value);
2157 if (ret) {
2158 kdc_log(context, config, 0,
2159 "Add server referral METHOD-DATA failed");
2160 goto out;
2161 }
2162 }
2163
2164 /*
2165 *
2166 */
2167
2168 ret = tgs_make_reply(context,
2169 config,
2170 b,
2171 tp,
2172 tgt,
2173 replykey,
2174 rk_is_subkey,
2175 ekey,
2176 &sessionkey,
2177 kvno,
2178 *auth_data,
2179 server,
2180 sp,
2181 spn,
2182 client,
2183 cp,
2184 krbtgt_out,
2185 krbtgt_etype,
2186 spp,
2187 &rspac,
2188 &enc_pa_data,
2189 e_text,
2190 reply);
2191
2192 out:
2193 if (tpn != cpn)
2194 free(tpn);
2195 free(spn);
2196 free(cpn);
2197
2198 krb5_data_free(&rspac);
2199 krb5_free_keyblock_contents(context, &sessionkey);
2200 if(krbtgt_out)
2201 _kdc_free_ent(context, krbtgt_out);
2202 if(server)
2203 _kdc_free_ent(context, server);
2204 if(client)
2205 _kdc_free_ent(context, client);
2206 if(s4u2self_impersonated_client)
2207 _kdc_free_ent(context, s4u2self_impersonated_client);
2208
2209 if (tp && tp != cp)
2210 krb5_free_principal(context, tp);
2211 if (cp)
2212 krb5_free_principal(context, cp);
2213 if (sp)
2214 krb5_free_principal(context, sp);
2215 if (ref_realm)
2216 free(ref_realm);
2217 free_METHOD_DATA(&enc_pa_data);
2218
2219 free_EncTicketPart(&adtkt);
2220
2221 return ret;
2222 }
2223
2224 /*
2225 *
2226 */
2227
2228 krb5_error_code
2229 _kdc_tgs_rep(krb5_context context,
2230 krb5_kdc_configuration *config,
2231 KDC_REQ *req,
2232 krb5_data *data,
2233 const char *from,
2234 struct sockaddr *from_addr,
2235 int datagram_reply)
2236 {
2237 AuthorizationData *auth_data = NULL;
2238 krb5_error_code ret;
2239 int i = 0;
2240 const PA_DATA *tgs_req;
2241
2242 hdb_entry_ex *krbtgt = NULL;
2243 krb5_ticket *ticket = NULL;
2244 const char *e_text = NULL;
2245 krb5_enctype krbtgt_etype = ETYPE_NULL;
2246
2247 krb5_keyblock *replykey = NULL;
2248 int rk_is_subkey = 0;
2249 time_t *csec = NULL;
2250 int *cusec = NULL;
2251
2252 if(req->padata == NULL){
2253 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2254 kdc_log(context, config, 0,
2255 "TGS-REQ from %s without PA-DATA", from);
2256 goto out;
2257 }
2258
2259 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2260
2261 if(tgs_req == NULL){
2262 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2263
2264 kdc_log(context, config, 0,
2265 "TGS-REQ from %s without PA-TGS-REQ", from);
2266 goto out;
2267 }
2268 ret = tgs_parse_request(context, config,
2269 &req->req_body, tgs_req,
2270 &krbtgt,
2271 &krbtgt_etype,
2272 &ticket,
2273 &e_text,
2274 from, from_addr,
2275 &csec, &cusec,
2276 &auth_data,
2277 &replykey,
2278 &rk_is_subkey);
2279 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2280 /* kdc_log() is called in tgs_parse_request() */
2281 goto out;
2282 }
2283 if (ret) {
2284 kdc_log(context, config, 0,
2285 "Failed parsing TGS-REQ from %s", from);
2286 goto out;
2287 }
2288
2289 ret = tgs_build_reply(context,
2290 config,
2291 req,
2292 &req->req_body,
2293 krbtgt,
2294 krbtgt_etype,
2295 replykey,
2296 rk_is_subkey,
2297 ticket,
2298 data,
2299 from,
2300 &e_text,
2301 &auth_data,
2302 from_addr);
2303 if (ret) {
2304 kdc_log(context, config, 0,
2305 "Failed building TGS-REP to %s", from);
2306 goto out;
2307 }
2308
2309 /* */
2310 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2311 krb5_data_free(data);
2312 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2313 e_text = "Reply packet too large";
2314 }
2315
2316 out:
2317 if (replykey)
2318 krb5_free_keyblock(context, replykey);
2319 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2320 krb5_mk_error(context,
2321 ret,
2322 NULL,
2323 NULL,
2324 NULL,
2325 NULL,
2326 csec,
2327 cusec,
2328 data);
2329 ret = 0;
2330 }
2331 free(csec);
2332 free(cusec);
2333 if (ticket)
2334 krb5_free_ticket(context, ticket);
2335 if(krbtgt)
2336 _kdc_free_ent(context, krbtgt);
2337
2338 if (auth_data) {
2339 free_AuthorizationData(auth_data);
2340 free(auth_data);
2341 }
2342
2343 return ret;
2344 }
Heimdal