search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
heimdal:kdc: generic support for 3part servicePrincipalNames
[Samba.git] / source4 / heimdal / kdc / krb5tgs.c
blobca589e87fa0e5e49c5af4dd9f5e7bafe6f6ddb15
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size = 0;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size = 0;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
230 if (ret == 0)
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
232 if (ret) {
233 free(data.data);
234 free_KRB5SignedPath(&sp);
235 return ret;
236 }
237 }
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
240 &sp.cksum);
241 krb5_crypto_destroy(context, crypto);
242 free(data.data);
243 if (ret) {
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
247 return 0;
248 }
249
250 if (delegated && sp.delegated) {
251
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
255 return ENOMEM;
256 }
257
258 ret = copy_Principals(*delegated, sp.delegated);
259 if (ret) {
260 free_KRB5SignedPath(&sp);
261 free(*delegated);
262 *delegated = NULL;
263 return ret;
264 }
265 }
266 free_KRB5SignedPath(&sp);
267
268 *signedpath = 1;
269 }
270
271 return 0;
272 }
273
274 /*
275 *
276 */
277
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 const krb5_principal delegated_proxy_principal,
283 hdb_entry_ex *client,
284 hdb_entry_ex *server,
285 hdb_entry_ex *krbtgt,
286 const EncryptionKey *server_check_key,
287 const EncryptionKey *server_sign_key,
288 const EncryptionKey *krbtgt_sign_key,
289 EncTicketPart *tkt,
290 krb5_data *rspac,
291 int *signedpath)
292 {
293 AuthorizationData *ad = tkt->authorization_data;
294 unsigned i, j;
295 krb5_error_code ret;
296
297 if (ad == NULL || ad->len == 0)
298 return 0;
299
300 for (i = 0; i < ad->len; i++) {
301 AuthorizationData child;
302
303 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
304 continue;
305
306 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
307 ad->val[i].ad_data.length,
308 &child,
309 NULL);
310 if (ret) {
311 krb5_set_error_message(context, ret, "Failed to decode "
312 "IF_RELEVANT with %d", ret);
313 return ret;
314 }
315 for (j = 0; j < child.len; j++) {
316
317 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
318 int signed_pac = 0;
319 krb5_pac pac;
320
321 /* Found PAC */
322 ret = krb5_pac_parse(context,
323 child.val[j].ad_data.data,
324 child.val[j].ad_data.length,
325 &pac);
326 free_AuthorizationData(&child);
327 if (ret)
328 return ret;
329
330 ret = krb5_pac_verify(context, pac, tkt->authtime,
331 client_principal,
332 server_check_key, NULL);
333 if (ret) {
334 krb5_pac_free(context, pac);
335 return ret;
336 }
337
338 ret = _kdc_pac_verify(context, client_principal,
339 delegated_proxy_principal,
340 client, server, krbtgt, &pac, &signed_pac);
341 if (ret) {
342 krb5_pac_free(context, pac);
343 return ret;
344 }
345
346 /*
347 * Only re-sign PAC if we could verify it with the PAC
348 * function. The no-verify case happens when we get in
349 * a PAC from cross realm from a Windows domain and
350 * that there is no PAC verification function.
351 */
352 if (signed_pac) {
353 *signedpath = 1;
354 ret = _krb5_pac_sign(context, pac, tkt->authtime,
355 client_principal,
356 server_sign_key, krbtgt_sign_key, rspac);
357 }
358 krb5_pac_free(context, pac);
359
360 return ret;
361 }
362 }
363 free_AuthorizationData(&child);
364 }
365 return 0;
366 }
367
368 /*
369 *
370 */
371
372 static krb5_error_code
373 check_tgs_flags(krb5_context context,
374 krb5_kdc_configuration *config,
375 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
376 {
377 KDCOptions f = b->kdc_options;
378
379 if(f.validate){
380 if(!tgt->flags.invalid || tgt->starttime == NULL){
381 kdc_log(context, config, 0,
382 "Bad request to validate ticket");
383 return KRB5KDC_ERR_BADOPTION;
384 }
385 if(*tgt->starttime > kdc_time){
386 kdc_log(context, config, 0,
387 "Early request to validate ticket");
388 return KRB5KRB_AP_ERR_TKT_NYV;
389 }
390 /* XXX tkt = tgt */
391 et->flags.invalid = 0;
392 }else if(tgt->flags.invalid){
393 kdc_log(context, config, 0,
394 "Ticket-granting ticket has INVALID flag set");
395 return KRB5KRB_AP_ERR_TKT_INVALID;
396 }
397
398 if(f.forwardable){
399 if(!tgt->flags.forwardable){
400 kdc_log(context, config, 0,
401 "Bad request for forwardable ticket");
402 return KRB5KDC_ERR_BADOPTION;
403 }
404 et->flags.forwardable = 1;
405 }
406 if(f.forwarded){
407 if(!tgt->flags.forwardable){
408 kdc_log(context, config, 0,
409 "Request to forward non-forwardable ticket");
410 return KRB5KDC_ERR_BADOPTION;
411 }
412 et->flags.forwarded = 1;
413 et->caddr = b->addresses;
414 }
415 if(tgt->flags.forwarded)
416 et->flags.forwarded = 1;
417
418 if(f.proxiable){
419 if(!tgt->flags.proxiable){
420 kdc_log(context, config, 0,
421 "Bad request for proxiable ticket");
422 return KRB5KDC_ERR_BADOPTION;
423 }
424 et->flags.proxiable = 1;
425 }
426 if(f.proxy){
427 if(!tgt->flags.proxiable){
428 kdc_log(context, config, 0,
429 "Request to proxy non-proxiable ticket");
430 return KRB5KDC_ERR_BADOPTION;
431 }
432 et->flags.proxy = 1;
433 et->caddr = b->addresses;
434 }
435 if(tgt->flags.proxy)
436 et->flags.proxy = 1;
437
438 if(f.allow_postdate){
439 if(!tgt->flags.may_postdate){
440 kdc_log(context, config, 0,
441 "Bad request for post-datable ticket");
442 return KRB5KDC_ERR_BADOPTION;
443 }
444 et->flags.may_postdate = 1;
445 }
446 if(f.postdated){
447 if(!tgt->flags.may_postdate){
448 kdc_log(context, config, 0,
449 "Bad request for postdated ticket");
450 return KRB5KDC_ERR_BADOPTION;
451 }
452 if(b->from)
453 *et->starttime = *b->from;
454 et->flags.postdated = 1;
455 et->flags.invalid = 1;
456 }else if(b->from && *b->from > kdc_time + context->max_skew){
457 kdc_log(context, config, 0, "Ticket cannot be postdated");
458 return KRB5KDC_ERR_CANNOT_POSTDATE;
459 }
460
461 if(f.renewable){
462 if(!tgt->flags.renewable || tgt->renew_till == NULL){
463 kdc_log(context, config, 0,
464 "Bad request for renewable ticket");
465 return KRB5KDC_ERR_BADOPTION;
466 }
467 et->flags.renewable = 1;
468 ALLOC(et->renew_till);
469 _kdc_fix_time(&b->rtime);
470 *et->renew_till = *b->rtime;
471 }
472 if(f.renew){
473 time_t old_life;
474 if(!tgt->flags.renewable || tgt->renew_till == NULL){
475 kdc_log(context, config, 0,
476 "Request to renew non-renewable ticket");
477 return KRB5KDC_ERR_BADOPTION;
478 }
479 old_life = tgt->endtime;
480 if(tgt->starttime)
481 old_life -= *tgt->starttime;
482 else
483 old_life -= tgt->authtime;
484 et->endtime = *et->starttime + old_life;
485 if (et->renew_till != NULL)
486 et->endtime = min(*et->renew_till, et->endtime);
487 }
488
489 #if 0
490 /* checks for excess flags */
491 if(f.request_anonymous && !config->allow_anonymous){
492 kdc_log(context, config, 0,
493 "Request for anonymous ticket");
494 return KRB5KDC_ERR_BADOPTION;
495 }
496 #endif
497 return 0;
498 }
499
500 /*
501 * Determine if constrained delegation is allowed from this client to this server
502 */
503
504 static krb5_error_code
505 check_constrained_delegation(krb5_context context,
506 krb5_kdc_configuration *config,
507 HDB *clientdb,
508 hdb_entry_ex *client,
509 hdb_entry_ex *server,
510 krb5_const_principal target)
511 {
512 const HDB_Ext_Constrained_delegation_acl *acl;
513 krb5_error_code ret;
514 size_t i;
515
516 /*
517 * constrained_delegation (S4U2Proxy) only works within
518 * the same realm. We use the already canonicalized version
519 * of the principals here, while "target" is the principal
520 * provided by the client.
521 */
522 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
523 ret = KRB5KDC_ERR_BADOPTION;
524 kdc_log(context, config, 0,
525 "Bad request for constrained delegation");
526 return ret;
527 }
528
529 if (clientdb->hdb_check_constrained_delegation) {
530 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
531 if (ret == 0)
532 return 0;
533 } else {
534 /* if client delegates to itself, that ok */
535 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
536 return 0;
537
538 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
539 if (ret) {
540 krb5_clear_error_message(context);
541 return ret;
542 }
543
544 if (acl) {
545 for (i = 0; i < acl->len; i++) {
546 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
547 return 0;
548 }
549 }
550 ret = KRB5KDC_ERR_BADOPTION;
551 }
552 kdc_log(context, config, 0,
553 "Bad request for constrained delegation");
554 return ret;
555 }
556
557 /*
558 * Determine if s4u2self is allowed from this client to this server
559 *
560 * For example, regardless of the principal being impersonated, if the
561 * 'client' and 'server' are the same, then it's safe.
562 */
563
564 static krb5_error_code
565 check_s4u2self(krb5_context context,
566 krb5_kdc_configuration *config,
567 HDB *clientdb,
568 hdb_entry_ex *client,
569 krb5_const_principal server)
570 {
571 krb5_error_code ret;
572
573 /* if client does a s4u2self to itself, that ok */
574 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
575 return 0;
576
577 if (clientdb->hdb_check_s4u2self) {
578 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
579 if (ret == 0)
580 return 0;
581 } else {
582 ret = KRB5KDC_ERR_BADOPTION;
583 }
584 return ret;
585 }
586
587 /*
588 *
589 */
590
591 static krb5_error_code
592 verify_flags (krb5_context context,
593 krb5_kdc_configuration *config,
594 const EncTicketPart *et,
595 const char *pstr)
596 {
597 if(et->endtime < kdc_time){
598 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
599 return KRB5KRB_AP_ERR_TKT_EXPIRED;
600 }
601 if(et->flags.invalid){
602 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
603 return KRB5KRB_AP_ERR_TKT_NYV;
604 }
605 return 0;
606 }
607
608 /*
609 *
610 */
611
612 static krb5_error_code
613 fix_transited_encoding(krb5_context context,
614 krb5_kdc_configuration *config,
615 krb5_boolean check_policy,
616 const TransitedEncoding *tr,
617 EncTicketPart *et,
618 const char *client_realm,
619 const char *server_realm,
620 const char *tgt_realm)
621 {
622 krb5_error_code ret = 0;
623 char **realms, **tmp;
624 unsigned int num_realms;
625 size_t i;
626
627 switch (tr->tr_type) {
628 case DOMAIN_X500_COMPRESS:
629 break;
630 case 0:
631 /*
632 * Allow empty content of type 0 because that is was Microsoft
633 * generates in their TGT.
634 */
635 if (tr->contents.length == 0)
636 break;
637 kdc_log(context, config, 0,
638 "Transited type 0 with non empty content");
639 return KRB5KDC_ERR_TRTYPE_NOSUPP;
640 default:
641 kdc_log(context, config, 0,
642 "Unknown transited type: %u", tr->tr_type);
643 return KRB5KDC_ERR_TRTYPE_NOSUPP;
644 }
645
646 ret = krb5_domain_x500_decode(context,
647 tr->contents,
648 &realms,
649 &num_realms,
650 client_realm,
651 server_realm);
652 if(ret){
653 krb5_warn(context, ret,
654 "Decoding transited encoding");
655 return ret;
656 }
657 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
658 /* not us, so add the previous realm to transited set */
659 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
660 ret = ERANGE;
661 goto free_realms;
662 }
663 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
664 if(tmp == NULL){
665 ret = ENOMEM;
666 goto free_realms;
667 }
668 realms = tmp;
669 realms[num_realms] = strdup(tgt_realm);
670 if(realms[num_realms] == NULL){
671 ret = ENOMEM;
672 goto free_realms;
673 }
674 num_realms++;
675 }
676 if(num_realms == 0) {
677 if(strcmp(client_realm, server_realm))
678 kdc_log(context, config, 0,
679 "cross-realm %s -> %s", client_realm, server_realm);
680 } else {
681 size_t l = 0;
682 char *rs;
683 for(i = 0; i < num_realms; i++)
684 l += strlen(realms[i]) + 2;
685 rs = malloc(l);
686 if(rs != NULL) {
687 *rs = '\0';
688 for(i = 0; i < num_realms; i++) {
689 if(i > 0)
690 strlcat(rs, ", ", l);
691 strlcat(rs, realms[i], l);
692 }
693 kdc_log(context, config, 0,
694 "cross-realm %s -> %s via [%s]",
695 client_realm, server_realm, rs);
696 free(rs);
697 }
698 }
699 if(check_policy) {
700 ret = krb5_check_transited(context, client_realm,
701 server_realm,
702 realms, num_realms, NULL);
703 if(ret) {
704 krb5_warn(context, ret, "cross-realm %s -> %s",
705 client_realm, server_realm);
706 goto free_realms;
707 }
708 et->flags.transited_policy_checked = 1;
709 }
710 et->transited.tr_type = DOMAIN_X500_COMPRESS;
711 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
712 if(ret)
713 krb5_warn(context, ret, "Encoding transited encoding");
714 free_realms:
715 for(i = 0; i < num_realms; i++)
716 free(realms[i]);
717 free(realms);
718 return ret;
719 }
720
721
722 static krb5_error_code
723 tgs_make_reply(krb5_context context,
724 krb5_kdc_configuration *config,
725 KDC_REQ_BODY *b,
726 krb5_const_principal tgt_name,
727 const EncTicketPart *tgt,
728 const krb5_keyblock *replykey,
729 int rk_is_subkey,
730 const EncryptionKey *serverkey,
731 const krb5_keyblock *sessionkey,
732 krb5_kvno kvno,
733 AuthorizationData *auth_data,
734 hdb_entry_ex *server,
735 krb5_principal server_principal,
736 const char *server_name,
737 hdb_entry_ex *client,
738 krb5_principal client_principal,
739 hdb_entry_ex *krbtgt,
740 krb5_enctype krbtgt_etype,
741 krb5_principals spp,
742 const krb5_data *rspac,
743 const METHOD_DATA *enc_pa_data,
744 const char **e_text,
745 krb5_data *reply)
746 {
747 KDC_REP rep;
748 EncKDCRepPart ek;
749 EncTicketPart et;
750 KDCOptions f = b->kdc_options;
751 krb5_error_code ret;
752 int is_weak = 0;
753
754 memset(&rep, 0, sizeof(rep));
755 memset(&et, 0, sizeof(et));
756 memset(&ek, 0, sizeof(ek));
757
758 rep.pvno = 5;
759 rep.msg_type = krb_tgs_rep;
760
761 et.authtime = tgt->authtime;
762 _kdc_fix_time(&b->till);
763 et.endtime = min(tgt->endtime, *b->till);
764 ALLOC(et.starttime);
765 *et.starttime = kdc_time;
766
767 ret = check_tgs_flags(context, config, b, tgt, &et);
768 if(ret)
769 goto out;
770
771 /* We should check the transited encoding if:
772 1) the request doesn't ask not to be checked
773 2) globally enforcing a check
774 3) principal requires checking
775 4) we allow non-check per-principal, but principal isn't marked as allowing this
776 5) we don't globally allow this
777 */
778
779 #define GLOBAL_FORCE_TRANSITED_CHECK \
780 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
781 #define GLOBAL_ALLOW_PER_PRINCIPAL \
782 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
783 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
784 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
785
786 /* these will consult the database in future release */
787 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
788 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
789
790 ret = fix_transited_encoding(context, config,
791 !f.disable_transited_check ||
792 GLOBAL_FORCE_TRANSITED_CHECK ||
793 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
794 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
795 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
796 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
797 &tgt->transited, &et,
798 krb5_principal_get_realm(context, client_principal),
799 krb5_principal_get_realm(context, server->entry.principal),
800 krb5_principal_get_realm(context, krbtgt->entry.principal));
801 if(ret)
802 goto out;
803
804 copy_Realm(&server_principal->realm, &rep.ticket.realm);
805 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
806 copy_Realm(&tgt_name->realm, &rep.crealm);
807 /*
808 if (f.request_anonymous)
809 _kdc_make_anonymous_principalname (&rep.cname);
810 else */
811
812 copy_PrincipalName(&tgt_name->name, &rep.cname);
813 rep.ticket.tkt_vno = 5;
814
815 ek.caddr = et.caddr;
816 if(et.caddr == NULL)
817 et.caddr = tgt->caddr;
818
819 {
820 time_t life;
821 life = et.endtime - *et.starttime;
822 if(client && client->entry.max_life)
823 life = min(life, *client->entry.max_life);
824 if(server->entry.max_life)
825 life = min(life, *server->entry.max_life);
826 et.endtime = *et.starttime + life;
827 }
828 if(f.renewable_ok && tgt->flags.renewable &&
829 et.renew_till == NULL && et.endtime < *b->till &&
830 tgt->renew_till != NULL)
831 {
832 et.flags.renewable = 1;
833 ALLOC(et.renew_till);
834 *et.renew_till = *b->till;
835 }
836 if(et.renew_till){
837 time_t renew;
838 renew = *et.renew_till - et.authtime;
839 if(client && client->entry.max_renew)
840 renew = min(renew, *client->entry.max_renew);
841 if(server->entry.max_renew)
842 renew = min(renew, *server->entry.max_renew);
843 *et.renew_till = et.authtime + renew;
844 }
845
846 if(et.renew_till){
847 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
848 *et.starttime = min(*et.starttime, *et.renew_till);
849 et.endtime = min(et.endtime, *et.renew_till);
850 }
851
852 *et.starttime = min(*et.starttime, et.endtime);
853
854 if(*et.starttime == et.endtime){
855 ret = KRB5KDC_ERR_NEVER_VALID;
856 goto out;
857 }
858 if(et.renew_till && et.endtime == *et.renew_till){
859 free(et.renew_till);
860 et.renew_till = NULL;
861 et.flags.renewable = 0;
862 }
863
864 et.flags.pre_authent = tgt->flags.pre_authent;
865 et.flags.hw_authent = tgt->flags.hw_authent;
866 et.flags.anonymous = tgt->flags.anonymous;
867 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
868
869 if(rspac->length) {
870 /*
871 * No not need to filter out the any PAC from the
872 * auth_data since it's signed by the KDC.
873 */
874 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
875 KRB5_AUTHDATA_WIN2K_PAC, rspac);
876 if (ret)
877 goto out;
878 }
879
880 if (auth_data) {
881 unsigned int i = 0;
882
883 /* XXX check authdata */
884
885 if (et.authorization_data == NULL) {
886 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
887 if (et.authorization_data == NULL) {
888 ret = ENOMEM;
889 krb5_set_error_message(context, ret, "malloc: out of memory");
890 goto out;
891 }
892 }
893 for(i = 0; i < auth_data->len ; i++) {
894 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
895 if (ret) {
896 krb5_set_error_message(context, ret, "malloc: out of memory");
897 goto out;
898 }
899 }
900
901 /* Filter out type KRB5SignedPath */
902 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
903 if (ret == 0) {
904 if (et.authorization_data->len == 1) {
905 free_AuthorizationData(et.authorization_data);
906 free(et.authorization_data);
907 et.authorization_data = NULL;
908 } else {
909 AuthorizationData *ad = et.authorization_data;
910 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
911 ad->len--;
912 }
913 }
914 }
915
916 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
917 if (ret)
918 goto out;
919 et.crealm = tgt_name->realm;
920 et.cname = tgt_name->name;
921
922 ek.key = et.key;
923 /* MIT must have at least one last_req */
924 ek.last_req.len = 1;
925 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
926 if (ek.last_req.val == NULL) {
927 ret = ENOMEM;
928 goto out;
929 }
930 ek.nonce = b->nonce;
931 ek.flags = et.flags;
932 ek.authtime = et.authtime;
933 ek.starttime = et.starttime;
934 ek.endtime = et.endtime;
935 ek.renew_till = et.renew_till;
936 ek.srealm = rep.ticket.realm;
937 ek.sname = rep.ticket.sname;
938
939 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
940 et.endtime, et.renew_till);
941
942 /* Don't sign cross realm tickets, they can't be checked anyway */
943 {
944 char *r = get_krbtgt_realm(&ek.sname);
945
946 if (r == NULL || strcmp(r, ek.srealm) == 0) {
947 ret = _kdc_add_KRB5SignedPath(context,
948 config,
949 krbtgt,
950 krbtgt_etype,
951 client_principal,
952 NULL,
953 spp,
954 &et);
955 if (ret)
956 goto out;
957 }
958 }
959
960 if (enc_pa_data->len) {
961 rep.padata = calloc(1, sizeof(*rep.padata));
962 if (rep.padata == NULL) {
963 ret = ENOMEM;
964 goto out;
965 }
966 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
967 if (ret)
968 goto out;
969 }
970
971 if (krb5_enctype_valid(context, et.key.keytype) != 0
972 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
973 {
974 krb5_enctype_enable(context, et.key.keytype);
975 is_weak = 1;
976 }
977
978
979 /* It is somewhat unclear where the etype in the following
980 encryption should come from. What we have is a session
981 key in the passed tgt, and a list of preferred etypes
982 *for the new ticket*. Should we pick the best possible
983 etype, given the keytype in the tgt, or should we look
984 at the etype list here as well? What if the tgt
985 session key is DES3 and we want a ticket with a (say)
986 CAST session key. Should the DES3 etype be added to the
987 etype list, even if we don't want a session key with
988 DES3? */
989 ret = _kdc_encode_reply(context, config,
990 &rep, &et, &ek, et.key.keytype,
991 kvno,
992 serverkey, 0, replykey, rk_is_subkey,
993 e_text, reply);
994 if (is_weak)
995 krb5_enctype_disable(context, et.key.keytype);
996
997 out:
998 free_TGS_REP(&rep);
999 free_TransitedEncoding(&et.transited);
1000 if(et.starttime)
1001 free(et.starttime);
1002 if(et.renew_till)
1003 free(et.renew_till);
1004 if(et.authorization_data) {
1005 free_AuthorizationData(et.authorization_data);
1006 free(et.authorization_data);
1007 }
1008 free_LastReq(&ek.last_req);
1009 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1010 free_EncryptionKey(&et.key);
1011 return ret;
1012 }
1013
1014 static krb5_error_code
1015 tgs_check_authenticator(krb5_context context,
1016 krb5_kdc_configuration *config,
1017 krb5_auth_context ac,
1018 KDC_REQ_BODY *b,
1019 const char **e_text,
1020 krb5_keyblock *key)
1021 {
1022 krb5_authenticator auth;
1023 size_t len = 0;
1024 unsigned char *buf;
1025 size_t buf_size;
1026 krb5_error_code ret;
1027 krb5_crypto crypto;
1028
1029 krb5_auth_con_getauthenticator(context, ac, &auth);
1030 if(auth->cksum == NULL){
1031 kdc_log(context, config, 0, "No authenticator in request");
1032 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1033 goto out;
1034 }
1035 /*
1036 * according to RFC1510 it doesn't need to be keyed,
1037 * but according to the latest draft it needs to.
1038 */
1039 if (
1040 #if 0
1041 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1042 ||
1043 #endif
1044 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1045 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1046 auth->cksum->cksumtype);
1047 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1048 goto out;
1049 }
1050
1051 /* XXX should not re-encode this */
1052 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1053 if(ret){
1054 const char *msg = krb5_get_error_message(context, ret);
1055 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1056 krb5_free_error_message(context, msg);
1057 goto out;
1058 }
1059 if(buf_size != len) {
1060 free(buf);
1061 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1062 *e_text = "KDC internal error";
1063 ret = KRB5KRB_ERR_GENERIC;
1064 goto out;
1065 }
1066 ret = krb5_crypto_init(context, key, 0, &crypto);
1067 if (ret) {
1068 const char *msg = krb5_get_error_message(context, ret);
1069 free(buf);
1070 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1071 krb5_free_error_message(context, msg);
1072 goto out;
1073 }
1074 ret = krb5_verify_checksum(context,
1075 crypto,
1076 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1077 buf,
1078 len,
1079 auth->cksum);
1080 free(buf);
1081 krb5_crypto_destroy(context, crypto);
1082 if(ret){
1083 const char *msg = krb5_get_error_message(context, ret);
1084 kdc_log(context, config, 0,
1085 "Failed to verify authenticator checksum: %s", msg);
1086 krb5_free_error_message(context, msg);
1087 }
1088 out:
1089 free_Authenticator(auth);
1090 free(auth);
1091 return ret;
1092 }
1093
1094 /*
1095 *
1096 */
1097
1098 static const char *
1099 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1100 {
1101 const char *new_realm = krb5_config_get_string(context,
1102 NULL,
1103 "capaths",
1104 crealm,
1105 srealm,
1106 NULL);
1107 return new_realm;
1108 }
1109
1110
1111 static krb5_boolean
1112 need_referral(krb5_context context, krb5_kdc_configuration *config,
1113 const KDCOptions * const options, krb5_principal server,
1114 krb5_realm **realms)
1115 {
1116 const char *name;
1117
1118 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1119 return FALSE;
1120
1121 if (server->name.name_string.len == 1)
1122 name = server->name.name_string.val[0];
1123 else if (server->name.name_string.len == 3) {
1124 /*
1125 This is used to give referrals for the
1126 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1127 SPN form, which is used for inter-domain communication in AD
1128 */
1129 name = server->name.name_string.val[2];
1130 kdc_log(context, config, 0, "Giving 3 part referral for %s", name);
1131 *realms = malloc(sizeof(char *)*2);
1132 if (*realms == NULL) {
1133 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1134 return FALSE;
1135 }
1136 (*realms)[0] = strdup(name);
1137 (*realms)[1] = NULL;
1138 return TRUE;
1139 } else if (server->name.name_string.len > 1)
1140 name = server->name.name_string.val[1];
1141 else
1142 return FALSE;
1143
1144 kdc_log(context, config, 0, "Searching referral for %s", name);
1145
1146 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1147 }
1148
1149 static krb5_error_code
1150 tgs_parse_request(krb5_context context,
1151 krb5_kdc_configuration *config,
1152 KDC_REQ_BODY *b,
1153 const PA_DATA *tgs_req,
1154 hdb_entry_ex **krbtgt,
1155 krb5_enctype *krbtgt_etype,
1156 krb5_ticket **ticket,
1157 const char **e_text,
1158 const char *from,
1159 const struct sockaddr *from_addr,
1160 time_t **csec,
1161 int **cusec,
1162 AuthorizationData **auth_data,
1163 krb5_keyblock **replykey,
1164 int *rk_is_subkey)
1165 {
1166 static char failed[] = "<unparse_name failed>";
1167 krb5_ap_req ap_req;
1168 krb5_error_code ret;
1169 krb5_principal princ;
1170 krb5_auth_context ac = NULL;
1171 krb5_flags ap_req_options;
1172 krb5_flags verify_ap_req_flags;
1173 krb5_crypto crypto;
1174 Key *tkey;
1175 krb5_keyblock *subkey = NULL;
1176 unsigned usage;
1177
1178 *auth_data = NULL;
1179 *csec = NULL;
1180 *cusec = NULL;
1181 *replykey = NULL;
1182
1183 memset(&ap_req, 0, sizeof(ap_req));
1184 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1185 if(ret){
1186 const char *msg = krb5_get_error_message(context, ret);
1187 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1188 krb5_free_error_message(context, msg);
1189 goto out;
1190 }
1191
1192 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1193 /* XXX check for ticket.sname == req.sname */
1194 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1195 ret = KRB5KDC_ERR_POLICY; /* ? */
1196 goto out;
1197 }
1198
1199 _krb5_principalname2krb5_principal(context,
1200 &princ,
1201 ap_req.ticket.sname,
1202 ap_req.ticket.realm);
1203
1204 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1205
1206 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1207 char *p;
1208 ret = krb5_unparse_name(context, princ, &p);
1209 if (ret != 0)
1210 p = failed;
1211 krb5_free_principal(context, princ);
1212 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1213 if (ret == 0)
1214 free(p);
1215 ret = HDB_ERR_NOT_FOUND_HERE;
1216 goto out;
1217 } else if(ret){
1218 const char *msg = krb5_get_error_message(context, ret);
1219 char *p;
1220 ret = krb5_unparse_name(context, princ, &p);
1221 if (ret != 0)
1222 p = failed;
1223 krb5_free_principal(context, princ);
1224 kdc_log(context, config, 0,
1225 "Ticket-granting ticket not found in database: %s", msg);
1226 krb5_free_error_message(context, msg);
1227 if (ret == 0)
1228 free(p);
1229 ret = KRB5KRB_AP_ERR_NOT_US;
1230 goto out;
1231 }
1232
1233 if(ap_req.ticket.enc_part.kvno &&
1234 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1235 char *p;
1236
1237 ret = krb5_unparse_name (context, princ, &p);
1238 krb5_free_principal(context, princ);
1239 if (ret != 0)
1240 p = failed;
1241 kdc_log(context, config, 0,
1242 "Ticket kvno = %d, DB kvno = %d (%s)",
1243 *ap_req.ticket.enc_part.kvno,
1244 (*krbtgt)->entry.kvno,
1245 p);
1246 if (ret == 0)
1247 free (p);
1248 ret = KRB5KRB_AP_ERR_BADKEYVER;
1249 goto out;
1250 }
1251
1252 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1253
1254 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1255 ap_req.ticket.enc_part.etype, &tkey);
1256 if(ret){
1257 char *str = NULL, *p = NULL;
1258
1259 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1260 krb5_unparse_name(context, princ, &p);
1261 kdc_log(context, config, 0,
1262 "No server key with enctype %s found for %s",
1263 str ? str : "<unknown enctype>",
1264 p ? p : "<unparse_name failed>");
1265 free(str);
1266 free(p);
1267 ret = KRB5KRB_AP_ERR_BADKEYVER;
1268 goto out;
1269 }
1270
1271 if (b->kdc_options.validate)
1272 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1273 else
1274 verify_ap_req_flags = 0;
1275
1276 ret = krb5_verify_ap_req2(context,
1277 &ac,
1278 &ap_req,
1279 princ,
1280 &tkey->key,
1281 verify_ap_req_flags,
1282 &ap_req_options,
1283 ticket,
1284 KRB5_KU_TGS_REQ_AUTH);
1285
1286 krb5_free_principal(context, princ);
1287 if(ret) {
1288 const char *msg = krb5_get_error_message(context, ret);
1289 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1290 krb5_free_error_message(context, msg);
1291 goto out;
1292 }
1293
1294 {
1295 krb5_authenticator auth;
1296
1297 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1298 if (ret == 0) {
1299 *csec = malloc(sizeof(**csec));
1300 if (*csec == NULL) {
1301 krb5_free_authenticator(context, &auth);
1302 kdc_log(context, config, 0, "malloc failed");
1303 goto out;
1304 }
1305 **csec = auth->ctime;
1306 *cusec = malloc(sizeof(**cusec));
1307 if (*cusec == NULL) {
1308 krb5_free_authenticator(context, &auth);
1309 kdc_log(context, config, 0, "malloc failed");
1310 goto out;
1311 }
1312 **cusec = auth->cusec;
1313 krb5_free_authenticator(context, &auth);
1314 }
1315 }
1316
1317 ret = tgs_check_authenticator(context, config,
1318 ac, b, e_text, &(*ticket)->ticket.key);
1319 if (ret) {
1320 krb5_auth_con_free(context, ac);
1321 goto out;
1322 }
1323
1324 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1325 *rk_is_subkey = 1;
1326
1327 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1328 if(ret){
1329 const char *msg = krb5_get_error_message(context, ret);
1330 krb5_auth_con_free(context, ac);
1331 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1332 krb5_free_error_message(context, msg);
1333 goto out;
1334 }
1335 if(subkey == NULL){
1336 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1337 *rk_is_subkey = 0;
1338
1339 ret = krb5_auth_con_getkey(context, ac, &subkey);
1340 if(ret) {
1341 const char *msg = krb5_get_error_message(context, ret);
1342 krb5_auth_con_free(context, ac);
1343 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1344 krb5_free_error_message(context, msg);
1345 goto out;
1346 }
1347 }
1348 if(subkey == NULL){
1349 krb5_auth_con_free(context, ac);
1350 kdc_log(context, config, 0,
1351 "Failed to get key for enc-authorization-data");
1352 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1353 goto out;
1354 }
1355
1356 *replykey = subkey;
1357
1358 if (b->enc_authorization_data) {
1359 krb5_data ad;
1360
1361 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1362 if (ret) {
1363 const char *msg = krb5_get_error_message(context, ret);
1364 krb5_auth_con_free(context, ac);
1365 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1366 krb5_free_error_message(context, msg);
1367 goto out;
1368 }
1369 ret = krb5_decrypt_EncryptedData (context,
1370 crypto,
1371 usage,
1372 b->enc_authorization_data,
1373 &ad);
1374 krb5_crypto_destroy(context, crypto);
1375 if(ret){
1376 krb5_auth_con_free(context, ac);
1377 kdc_log(context, config, 0,
1378 "Failed to decrypt enc-authorization-data");
1379 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1380 goto out;
1381 }
1382 ALLOC(*auth_data);
1383 if (*auth_data == NULL) {
1384 krb5_auth_con_free(context, ac);
1385 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1386 goto out;
1387 }
1388 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1389 if(ret){
1390 krb5_auth_con_free(context, ac);
1391 free(*auth_data);
1392 *auth_data = NULL;
1393 kdc_log(context, config, 0, "Failed to decode authorization data");
1394 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1395 goto out;
1396 }
1397 }
1398
1399 krb5_auth_con_free(context, ac);
1400
1401 out:
1402 free_AP_REQ(&ap_req);
1403
1404 return ret;
1405 }
1406
1407 static krb5_error_code
1408 build_server_referral(krb5_context context,
1409 krb5_kdc_configuration *config,
1410 krb5_crypto session,
1411 krb5_const_realm referred_realm,
1412 const PrincipalName *true_principal_name,
1413 const PrincipalName *requested_principal,
1414 krb5_data *outdata)
1415 {
1416 PA_ServerReferralData ref;
1417 krb5_error_code ret;
1418 EncryptedData ed;
1419 krb5_data data;
1420 size_t size = 0;
1421
1422 memset(&ref, 0, sizeof(ref));
1423
1424 if (referred_realm) {
1425 ALLOC(ref.referred_realm);
1426 if (ref.referred_realm == NULL)
1427 goto eout;
1428 *ref.referred_realm = strdup(referred_realm);
1429 if (*ref.referred_realm == NULL)
1430 goto eout;
1431 }
1432 if (true_principal_name) {
1433 ALLOC(ref.true_principal_name);
1434 if (ref.true_principal_name == NULL)
1435 goto eout;
1436 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1437 if (ret)
1438 goto eout;
1439 }
1440 if (requested_principal) {
1441 ALLOC(ref.requested_principal_name);
1442 if (ref.requested_principal_name == NULL)
1443 goto eout;
1444 ret = copy_PrincipalName(requested_principal,
1445 ref.requested_principal_name);
1446 if (ret)
1447 goto eout;
1448 }
1449
1450 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1451 data.data, data.length,
1452 &ref, &size, ret);
1453 free_PA_ServerReferralData(&ref);
1454 if (ret)
1455 return ret;
1456 if (data.length != size)
1457 krb5_abortx(context, "internal asn.1 encoder error");
1458
1459 ret = krb5_encrypt_EncryptedData(context, session,
1460 KRB5_KU_PA_SERVER_REFERRAL,
1461 data.data, data.length,
1462 0 /* kvno */, &ed);
1463 free(data.data);
1464 if (ret)
1465 return ret;
1466
1467 ASN1_MALLOC_ENCODE(EncryptedData,
1468 outdata->data, outdata->length,
1469 &ed, &size, ret);
1470 free_EncryptedData(&ed);
1471 if (ret)
1472 return ret;
1473 if (outdata->length != size)
1474 krb5_abortx(context, "internal asn.1 encoder error");
1475
1476 return 0;
1477 eout:
1478 free_PA_ServerReferralData(&ref);
1479 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1480 return ENOMEM;
1481 }
1482
1483 static krb5_error_code
1484 tgs_build_reply(krb5_context context,
1485 krb5_kdc_configuration *config,
1486 KDC_REQ *req,
1487 KDC_REQ_BODY *b,
1488 hdb_entry_ex *krbtgt,
1489 krb5_enctype krbtgt_etype,
1490 const krb5_keyblock *replykey,
1491 int rk_is_subkey,
1492 krb5_ticket *ticket,
1493 krb5_data *reply,
1494 const char *from,
1495 const char **e_text,
1496 AuthorizationData **auth_data,
1497 const struct sockaddr *from_addr)
1498 {
1499 krb5_error_code ret;
1500 krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL;
1501 krb5_principal krbtgt_principal = NULL;
1502 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
1503 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1504 HDB *clientdb, *s4u2self_impersonated_clientdb;
1505 krb5_realm ref_realm = NULL;
1506 EncTicketPart *tgt = &ticket->ticket;
1507 krb5_principals spp = NULL;
1508 const EncryptionKey *ekey;
1509 krb5_keyblock sessionkey;
1510 krb5_kvno kvno;
1511 krb5_data rspac;
1512
1513 hdb_entry_ex *krbtgt_out = NULL;
1514
1515 METHOD_DATA enc_pa_data;
1516
1517 PrincipalName *s;
1518 Realm r;
1519 int nloop = 0;
1520 EncTicketPart adtkt;
1521 char opt_str[128];
1522 int signedpath = 0;
1523
1524 Key *tkey_check;
1525 Key *tkey_sign;
1526 int flags = HDB_F_FOR_TGS_REQ;
1527
1528 memset(&sessionkey, 0, sizeof(sessionkey));
1529 memset(&adtkt, 0, sizeof(adtkt));
1530 krb5_data_zero(&rspac);
1531 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1532
1533 s = b->sname;
1534 r = b->realm;
1535
1536 if (b->kdc_options.canonicalize)
1537 flags |= HDB_F_CANON;
1538
1539 if(b->kdc_options.enc_tkt_in_skey){
1540 Ticket *t;
1541 hdb_entry_ex *uu;
1542 krb5_principal p;
1543 Key *uukey;
1544
1545 if(b->additional_tickets == NULL ||
1546 b->additional_tickets->len == 0){
1547 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1548 kdc_log(context, config, 0,
1549 "No second ticket present in request");
1550 goto out;
1551 }
1552 t = &b->additional_tickets->val[0];
1553 if(!get_krbtgt_realm(&t->sname)){
1554 kdc_log(context, config, 0,
1555 "Additional ticket is not a ticket-granting ticket");
1556 ret = KRB5KDC_ERR_POLICY;
1557 goto out;
1558 }
1559 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1560 ret = _kdc_db_fetch(context, config, p,
1561 HDB_F_GET_KRBTGT, t->enc_part.kvno,
1562 NULL, &uu);
1563 krb5_free_principal(context, p);
1564 if(ret){
1565 if (ret == HDB_ERR_NOENTRY)
1566 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1567 goto out;
1568 }
1569 ret = hdb_enctype2key(context, &uu->entry,
1570 t->enc_part.etype, &uukey);
1571 if(ret){
1572 _kdc_free_ent(context, uu);
1573 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1574 goto out;
1575 }
1576 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1577 _kdc_free_ent(context, uu);
1578 if(ret)
1579 goto out;
1580
1581 ret = verify_flags(context, config, &adtkt, spn);
1582 if (ret)
1583 goto out;
1584
1585 s = &adtkt.cname;
1586 r = adtkt.crealm;
1587 }
1588
1589 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1590 ret = krb5_unparse_name(context, sp, &spn);
1591 if (ret)
1592 goto out;
1593 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1594 ret = krb5_unparse_name(context, cp, &cpn);
1595 if (ret)
1596 goto out;
1597 unparse_flags (KDCOptions2int(b->kdc_options),
1598 asn1_KDCOptions_units(),
1599 opt_str, sizeof(opt_str));
1600 if(*opt_str)
1601 kdc_log(context, config, 0,
1602 "TGS-REQ %s from %s for %s [%s]",
1603 cpn, from, spn, opt_str);
1604 else
1605 kdc_log(context, config, 0,
1606 "TGS-REQ %s from %s for %s", cpn, from, spn);
1607
1608 /*
1609 * Fetch server
1610 */
1611
1612 server_lookup:
1613 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1614 NULL, NULL, &server);
1615
1616 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1617 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1618 goto out;
1619 } else if(ret){
1620 const char *new_rlm, *msg;
1621 Realm req_rlm;
1622 krb5_realm *realms;
1623
1624 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1625 if(nloop++ < 2) {
1626 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1627 if(new_rlm) {
1628 kdc_log(context, config, 5, "krbtgt for realm %s "
1629 "not found, trying %s",
1630 req_rlm, new_rlm);
1631 krb5_free_principal(context, sp);
1632 free(spn);
1633 krb5_make_principal(context, &sp, r,
1634 KRB5_TGS_NAME, new_rlm, NULL);
1635 ret = krb5_unparse_name(context, sp, &spn);
1636 if (ret)
1637 goto out;
1638
1639 if (ref_realm)
1640 free(ref_realm);
1641 ref_realm = strdup(new_rlm);
1642 goto server_lookup;
1643 }
1644 }
1645 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1646 if (strcmp(realms[0], sp->realm) != 0) {
1647 kdc_log(context, config, 5,
1648 "Returning a referral to realm %s for "
1649 "server %s that was not found",
1650 realms[0], spn);
1651 krb5_free_principal(context, sp);
1652 free(spn);
1653 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1654 realms[0], NULL);
1655 ret = krb5_unparse_name(context, sp, &spn);
1656 if (ret)
1657 goto out;
1658
1659 if (ref_realm)
1660 free(ref_realm);
1661 ref_realm = strdup(realms[0]);
1662
1663 krb5_free_host_realm(context, realms);
1664 goto server_lookup;
1665 }
1666 krb5_free_host_realm(context, realms);
1667 }
1668 msg = krb5_get_error_message(context, ret);
1669 kdc_log(context, config, 0,
1670 "Server not found in database: %s: %s", spn, msg);
1671 krb5_free_error_message(context, msg);
1672 if (ret == HDB_ERR_NOENTRY)
1673 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1674 goto out;
1675 }
1676
1677 /*
1678 * Select enctype, return key and kvno.
1679 */
1680
1681 {
1682 krb5_enctype etype;
1683
1684 if(b->kdc_options.enc_tkt_in_skey) {
1685 size_t i;
1686 ekey = &adtkt.key;
1687 for(i = 0; i < b->etype.len; i++)
1688 if (b->etype.val[i] == adtkt.key.keytype)
1689 break;
1690 if(i == b->etype.len) {
1691 kdc_log(context, config, 0,
1692 "Addition ticket have not matching etypes");
1693 krb5_clear_error_message(context);
1694 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1695 goto out;
1696 }
1697 etype = b->etype.val[i];
1698 kvno = 0;
1699 } else {
1700 Key *skey;
1701
1702 ret = _kdc_find_etype(context,
1703 config->tgs_use_strongest_session_key, FALSE,
1704 server, b->etype.val, b->etype.len, NULL,
1705 &skey);
1706 if(ret) {
1707 kdc_log(context, config, 0,
1708 "Server (%s) has no support for etypes", spn);
1709 goto out;
1710 }
1711 ekey = &skey->key;
1712 etype = skey->key.keytype;
1713 kvno = server->entry.kvno;
1714 }
1715
1716 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1717 if (ret)
1718 goto out;
1719 }
1720
1721 /*
1722 * Check that service is in the same realm as the krbtgt. If it's
1723 * not the same, it's someone that is using a uni-directional trust
1724 * backward.
1725 */
1726
1727 /*
1728 * Validate authoriation data
1729 */
1730
1731 ret = hdb_enctype2key(context, &krbtgt->entry,
1732 krbtgt_etype, &tkey_check);
1733 if(ret) {
1734 kdc_log(context, config, 0,
1735 "Failed to find key for krbtgt PAC check");
1736 goto out;
1737 }
1738
1739 /* Now refetch the primary krbtgt, and get the current kvno (the
1740 * sign check may have been on an old kvno, and the server may
1741 * have been an incoming trust) */
1742 ret = krb5_make_principal(context, &krbtgt_principal,
1743 krb5_principal_get_comp_string(context,
1744 krbtgt->entry.principal,
1745 1),
1746 KRB5_TGS_NAME,
1747 krb5_principal_get_comp_string(context,
1748 krbtgt->entry.principal,
1749 1), NULL);
1750 if(ret) {
1751 kdc_log(context, config, 0,
1752 "Failed to generate krbtgt principal");
1753 goto out;
1754 }
1755
1756 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1757 krb5_free_principal(context, krbtgt_principal);
1758 if (ret) {
1759 krb5_error_code ret2;
1760 char *ktpn, *ktpn2;
1761 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1762 ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
1763 kdc_log(context, config, 0,
1764 "Request with wrong krbtgt: %s, %s not found in our database",
1765 (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
1766 if(ret == 0)
1767 free(ktpn);
1768 if(ret2 == 0)
1769 free(ktpn2);
1770 ret = KRB5KRB_AP_ERR_NOT_US;
1771 goto out;
1772 }
1773
1774 /* The first realm is the realm of the service, the second is
1775 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1776 * encrypted to. The redirection via the krbtgt_out entry allows
1777 * the DB to possibly correct the case of the realm (Samba4 does
1778 * this) before the strcmp() */
1779 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1780 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1781 char *ktpn;
1782 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1783 kdc_log(context, config, 0,
1784 "Request with wrong krbtgt: %s",
1785 (ret == 0) ? ktpn : "<unknown>");
1786 if(ret == 0)
1787 free(ktpn);
1788 ret = KRB5KRB_AP_ERR_NOT_US;
1789 }
1790
1791 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1792 krbtgt_etype, &tkey_sign);
1793 if(ret) {
1794 kdc_log(context, config, 0,
1795 "Failed to find key for krbtgt PAC signature");
1796 goto out;
1797 }
1798
1799 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1800 NULL, &clientdb, &client);
1801 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1802 /* This is OK, we are just trying to find out if they have
1803 * been disabled or deleted in the meantime, missing secrets
1804 * is OK */
1805 } else if(ret){
1806 const char *krbtgt_realm, *msg;
1807
1808 /*
1809 * If the client belongs to the same realm as our krbtgt, it
1810 * should exist in the local database.
1811 *
1812 */
1813
1814 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1815
1816 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1817 if (ret == HDB_ERR_NOENTRY)
1818 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1819 kdc_log(context, config, 1, "Client no longer in database: %s",
1820 cpn);
1821 goto out;
1822 }
1823
1824 msg = krb5_get_error_message(context, ret);
1825 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1826 krb5_free_error_message(context, msg);
1827 }
1828
1829 ret = check_PAC(context, config, cp, NULL,
1830 client, server, krbtgt,
1831 &tkey_check->key,
1832 ekey, &tkey_sign->key,
1833 tgt, &rspac, &signedpath);
1834 if (ret) {
1835 const char *msg = krb5_get_error_message(context, ret);
1836 kdc_log(context, config, 0,
1837 "Verify PAC failed for %s (%s) from %s with %s",
1838 spn, cpn, from, msg);
1839 krb5_free_error_message(context, msg);
1840 goto out;
1841 }
1842
1843 /* also check the krbtgt for signature */
1844 ret = check_KRB5SignedPath(context,
1845 config,
1846 krbtgt,
1847 cp,
1848 tgt,
1849 &spp,
1850 &signedpath);
1851 if (ret) {
1852 const char *msg = krb5_get_error_message(context, ret);
1853 kdc_log(context, config, 0,
1854 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1855 spn, cpn, from, msg);
1856 krb5_free_error_message(context, msg);
1857 goto out;
1858 }
1859
1860 /*
1861 * Process request
1862 */
1863
1864 /* by default the tgt principal matches the client principal */
1865 tp = cp;
1866 tpn = cpn;
1867
1868 if (client) {
1869 const PA_DATA *sdata;
1870 int i = 0;
1871
1872 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1873 if (sdata) {
1874 krb5_crypto crypto;
1875 krb5_data datack;
1876 PA_S4U2Self self;
1877 const char *str;
1878
1879 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1880 sdata->padata_value.length,
1881 &self, NULL);
1882 if (ret) {
1883 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1884 goto out;
1885 }
1886
1887 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1888 if (ret)
1889 goto out;
1890
1891 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1892 if (ret) {
1893 const char *msg = krb5_get_error_message(context, ret);
1894 free_PA_S4U2Self(&self);
1895 krb5_data_free(&datack);
1896 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1897 krb5_free_error_message(context, msg);
1898 goto out;
1899 }
1900
1901 ret = krb5_verify_checksum(context,
1902 crypto,
1903 KRB5_KU_OTHER_CKSUM,
1904 datack.data,
1905 datack.length,
1906 &self.cksum);
1907 krb5_data_free(&datack);
1908 krb5_crypto_destroy(context, crypto);
1909 if (ret) {
1910 const char *msg = krb5_get_error_message(context, ret);
1911 free_PA_S4U2Self(&self);
1912 kdc_log(context, config, 0,
1913 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1914 krb5_free_error_message(context, msg);
1915 goto out;
1916 }
1917
1918 ret = _krb5_principalname2krb5_principal(context,
1919 &tp,
1920 self.name,
1921 self.realm);
1922 free_PA_S4U2Self(&self);
1923 if (ret)
1924 goto out;
1925
1926 ret = krb5_unparse_name(context, tp, &tpn);
1927 if (ret)
1928 goto out;
1929
1930 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1931 if(rspac.data) {
1932 krb5_pac p = NULL;
1933 krb5_data_free(&rspac);
1934 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
1935 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1936 if (ret) {
1937 const char *msg;
1938
1939 /*
1940 * If the client belongs to the same realm as our krbtgt, it
1941 * should exist in the local database.
1942 *
1943 */
1944
1945 if (ret == HDB_ERR_NOENTRY)
1946 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1947 msg = krb5_get_error_message(context, ret);
1948 kdc_log(context, config, 1,
1949 "S2U4Self principal to impersonate %s not found in database: %s",
1950 tpn, msg);
1951 krb5_free_error_message(context, msg);
1952 goto out;
1953 }
1954 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1955 if (ret) {
1956 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1957 tpn);
1958 goto out;
1959 }
1960 if (p != NULL) {
1961 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1962 s4u2self_impersonated_client->entry.principal,
1963 ekey, &tkey_sign->key,
1964 &rspac);
1965 krb5_pac_free(context, p);
1966 if (ret) {
1967 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1968 tpn);
1969 goto out;
1970 }
1971 }
1972 }
1973
1974 /*
1975 * Check that service doing the impersonating is
1976 * requesting a ticket to it-self.
1977 */
1978 ret = check_s4u2self(context, config, clientdb, client, sp);
1979 if (ret) {
1980 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1981 "to impersonate to service "
1982 "(tried for user %s to service %s)",
1983 cpn, tpn, spn);
1984 goto out;
1985 }
1986
1987 /*
1988 * If the service isn't trusted for authentication to
1989 * delegation, remove the forward flag.
1990 */
1991
1992 if (client->entry.flags.trusted_for_delegation) {
1993 str = "[forwardable]";
1994 } else {
1995 b->kdc_options.forwardable = 0;
1996 str = "";
1997 }
1998 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1999 "service %s %s", cpn, tpn, spn, str);
2000 }
2001 }
2002
2003 /*
2004 * Constrained delegation
2005 */
2006
2007 if (client != NULL
2008 && b->additional_tickets != NULL
2009 && b->additional_tickets->len != 0
2010 && b->kdc_options.enc_tkt_in_skey == 0)
2011 {
2012 int ad_signedpath = 0;
2013 Key *clientkey;
2014 Ticket *t;
2015
2016 /*
2017 * Require that the KDC have issued the service's krbtgt (not
2018 * self-issued ticket with kimpersonate(1).
2019 */
2020 if (!signedpath) {
2021 ret = KRB5KDC_ERR_BADOPTION;
2022 kdc_log(context, config, 0,
2023 "Constrained delegation done on service ticket %s/%s",
2024 cpn, spn);
2025 goto out;
2026 }
2027
2028 t = &b->additional_tickets->val[0];
2029
2030 ret = hdb_enctype2key(context, &client->entry,
2031 t->enc_part.etype, &clientkey);
2032 if(ret){
2033 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2034 goto out;
2035 }
2036
2037 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2038 if (ret) {
2039 kdc_log(context, config, 0,
2040 "failed to decrypt ticket for "
2041 "constrained delegation from %s to %s ", cpn, spn);
2042 goto out;
2043 }
2044
2045 ret = _krb5_principalname2krb5_principal(context,
2046 &tp,
2047 adtkt.cname,
2048 adtkt.crealm);
2049 if (ret)
2050 goto out;
2051
2052 ret = krb5_unparse_name(context, tp, &tpn);
2053 if (ret)
2054 goto out;
2055
2056 ret = _krb5_principalname2krb5_principal(context,
2057 &dp,
2058 t->sname,
2059 t->realm);
2060 if (ret)
2061 goto out;
2062
2063 ret = krb5_unparse_name(context, dp, &dpn);
2064 if (ret)
2065 goto out;
2066
2067 /* check that ticket is valid */
2068 if (adtkt.flags.forwardable == 0) {
2069 kdc_log(context, config, 0,
2070 "Missing forwardable flag on ticket for "
2071 "constrained delegation from %s (%s) as %s to %s ",
2072 cpn, dpn, tpn, spn);
2073 ret = KRB5KDC_ERR_BADOPTION;
2074 goto out;
2075 }
2076
2077 ret = check_constrained_delegation(context, config, clientdb,
2078 client, server, sp);
2079 if (ret) {
2080 kdc_log(context, config, 0,
2081 "constrained delegation from %s (%s) as %s to %s not allowed",
2082 cpn, dpn, tpn, spn);
2083 goto out;
2084 }
2085
2086 ret = verify_flags(context, config, &adtkt, tpn);
2087 if (ret) {
2088 goto out;
2089 }
2090
2091 krb5_data_free(&rspac);
2092
2093 /*
2094 * generate the PAC for the user.
2095 *
2096 * TODO: pass in t->sname and t->realm and build
2097 * a S4U_DELEGATION_INFO blob to the PAC.
2098 */
2099 ret = check_PAC(context, config, tp, dp,
2100 client, server, krbtgt,
2101 &clientkey->key,
2102 ekey, &tkey_sign->key,
2103 &adtkt, &rspac, &ad_signedpath);
2104 if (ret) {
2105 const char *msg = krb5_get_error_message(context, ret);
2106 kdc_log(context, config, 0,
2107 "Verify delegated PAC failed to %s for client"
2108 "%s (%s) as %s from %s with %s",
2109 spn, cpn, dpn, tpn, from, msg);
2110 krb5_free_error_message(context, msg);
2111 goto out;
2112 }
2113
2114 /*
2115 * Check that the KDC issued the user's ticket.
2116 */
2117 ret = check_KRB5SignedPath(context,
2118 config,
2119 krbtgt,
2120 cp,
2121 &adtkt,
2122 NULL,
2123 &ad_signedpath);
2124 if (ret) {
2125 const char *msg = krb5_get_error_message(context, ret);
2126 kdc_log(context, config, 0,
2127 "KRB5SignedPath check from service %s failed "
2128 "for delegation to %s for client %s (%s)"
2129 "from %s failed with %s",
2130 spn, tpn, dpn, cpn, from, msg);
2131 krb5_free_error_message(context, msg);
2132 goto out;
2133 }
2134
2135 if (!ad_signedpath) {
2136 ret = KRB5KDC_ERR_BADOPTION;
2137 kdc_log(context, config, 0,
2138 "Ticket not signed with PAC nor SignedPath service %s failed "
2139 "for delegation to %s for client %s (%s)"
2140 "from %s",
2141 spn, tpn, dpn, cpn, from);
2142 goto out;
2143 }
2144
2145 kdc_log(context, config, 0, "constrained delegation for %s "
2146 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2147 }
2148
2149 /*
2150 * Check flags
2151 */
2152
2153 ret = kdc_check_flags(context, config,
2154 client, cpn,
2155 server, spn,
2156 FALSE);
2157 if(ret)
2158 goto out;
2159
2160 if((b->kdc_options.validate || b->kdc_options.renew) &&
2161 !krb5_principal_compare(context,
2162 krbtgt->entry.principal,
2163 server->entry.principal)){
2164 kdc_log(context, config, 0, "Inconsistent request.");
2165 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2166 goto out;
2167 }
2168
2169 /* check for valid set of addresses */
2170 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2171 ret = KRB5KRB_AP_ERR_BADADDR;
2172 kdc_log(context, config, 0, "Request from wrong address");
2173 goto out;
2174 }
2175
2176 /*
2177 * If this is an referral, add server referral data to the
2178 * auth_data reply .
2179 */
2180 if (ref_realm) {
2181 PA_DATA pa;
2182 krb5_crypto crypto;
2183
2184 kdc_log(context, config, 0,
2185 "Adding server referral to %s", ref_realm);
2186
2187 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2188 if (ret)
2189 goto out;
2190
2191 ret = build_server_referral(context, config, crypto, ref_realm,
2192 NULL, s, &pa.padata_value);
2193 krb5_crypto_destroy(context, crypto);
2194 if (ret) {
2195 kdc_log(context, config, 0,
2196 "Failed building server referral");
2197 goto out;
2198 }
2199 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2200
2201 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2202 krb5_data_free(&pa.padata_value);
2203 if (ret) {
2204 kdc_log(context, config, 0,
2205 "Add server referral METHOD-DATA failed");
2206 goto out;
2207 }
2208 }
2209
2210 /*
2211 *
2212 */
2213
2214 ret = tgs_make_reply(context,
2215 config,
2216 b,
2217 tp,
2218 tgt,
2219 replykey,
2220 rk_is_subkey,
2221 ekey,
2222 &sessionkey,
2223 kvno,
2224 *auth_data,
2225 server,
2226 server->entry.principal,
2227 spn,
2228 client,
2229 cp,
2230 krbtgt_out,
2231 krbtgt_etype,
2232 spp,
2233 &rspac,
2234 &enc_pa_data,
2235 e_text,
2236 reply);
2237
2238 out:
2239 if (tpn != cpn)
2240 free(tpn);
2241 free(spn);
2242 free(cpn);
2243 if (dpn)
2244 free(dpn);
2245
2246 krb5_data_free(&rspac);
2247 krb5_free_keyblock_contents(context, &sessionkey);
2248 if(krbtgt_out)
2249 _kdc_free_ent(context, krbtgt_out);
2250 if(server)
2251 _kdc_free_ent(context, server);
2252 if(client)
2253 _kdc_free_ent(context, client);
2254 if(s4u2self_impersonated_client)
2255 _kdc_free_ent(context, s4u2self_impersonated_client);
2256
2257 if (tp && tp != cp)
2258 krb5_free_principal(context, tp);
2259 if (cp)
2260 krb5_free_principal(context, cp);
2261 if (dp)
2262 krb5_free_principal(context, dp);
2263 if (sp)
2264 krb5_free_principal(context, sp);
2265 if (ref_realm)
2266 free(ref_realm);
2267 free_METHOD_DATA(&enc_pa_data);
2268
2269 free_EncTicketPart(&adtkt);
2270
2271 return ret;
2272 }
2273
2274 /*
2275 *
2276 */
2277
2278 krb5_error_code
2279 _kdc_tgs_rep(krb5_context context,
2280 krb5_kdc_configuration *config,
2281 KDC_REQ *req,
2282 krb5_data *data,
2283 const char *from,
2284 struct sockaddr *from_addr,
2285 int datagram_reply)
2286 {
2287 AuthorizationData *auth_data = NULL;
2288 krb5_error_code ret;
2289 int i = 0;
2290 const PA_DATA *tgs_req;
2291
2292 hdb_entry_ex *krbtgt = NULL;
2293 krb5_ticket *ticket = NULL;
2294 const char *e_text = NULL;
2295 krb5_enctype krbtgt_etype = ETYPE_NULL;
2296
2297 krb5_keyblock *replykey = NULL;
2298 int rk_is_subkey = 0;
2299 time_t *csec = NULL;
2300 int *cusec = NULL;
2301
2302 if(req->padata == NULL){
2303 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2304 kdc_log(context, config, 0,
2305 "TGS-REQ from %s without PA-DATA", from);
2306 goto out;
2307 }
2308
2309 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2310
2311 if(tgs_req == NULL){
2312 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2313
2314 kdc_log(context, config, 0,
2315 "TGS-REQ from %s without PA-TGS-REQ", from);
2316 goto out;
2317 }
2318 ret = tgs_parse_request(context, config,
2319 &req->req_body, tgs_req,
2320 &krbtgt,
2321 &krbtgt_etype,
2322 &ticket,
2323 &e_text,
2324 from, from_addr,
2325 &csec, &cusec,
2326 &auth_data,
2327 &replykey,
2328 &rk_is_subkey);
2329 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2330 /* kdc_log() is called in tgs_parse_request() */
2331 goto out;
2332 }
2333 if (ret) {
2334 kdc_log(context, config, 0,
2335 "Failed parsing TGS-REQ from %s", from);
2336 goto out;
2337 }
2338
2339 ret = tgs_build_reply(context,
2340 config,
2341 req,
2342 &req->req_body,
2343 krbtgt,
2344 krbtgt_etype,
2345 replykey,
2346 rk_is_subkey,
2347 ticket,
2348 data,
2349 from,
2350 &e_text,
2351 &auth_data,
2352 from_addr);
2353 if (ret) {
2354 kdc_log(context, config, 0,
2355 "Failed building TGS-REP to %s", from);
2356 goto out;
2357 }
2358
2359 /* */
2360 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2361 krb5_data_free(data);
2362 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2363 e_text = "Reply packet too large";
2364 }
2365
2366 out:
2367 if (replykey)
2368 krb5_free_keyblock(context, replykey);
2369 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2370 krb5_mk_error(context,
2371 ret,
2372 NULL,
2373 NULL,
2374 NULL,
2375 NULL,
2376 csec,
2377 cusec,
2378 data);
2379 ret = 0;
2380 }
2381 free(csec);
2382 free(cusec);
2383 if (ticket)
2384 krb5_free_ticket(context, ticket);
2385 if(krbtgt)
2386 _kdc_free_ent(context, krbtgt);
2387
2388 if (auth_data) {
2389 free_AuthorizationData(auth_data);
2390 free(auth_data);
2391 }
2392
2393 return ret;
2394 }
Samba GIT mirror