search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-lsa: Fix static list of luids in our privileges implementation.
[Samba/ekacnet.git] / source4 / heimdal / kdc / krb5tgs.c
blobdd14ae6513c2d0ad91c4f81d37a8fecba029476c
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
230 if (ret == 0)
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
232 if (ret) {
233 free(data.data);
234 free_KRB5SignedPath(&sp);
235 return ret;
236 }
237 }
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
240 &sp.cksum);
241 krb5_crypto_destroy(context, crypto);
242 free(data.data);
243 if (ret) {
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
247 return 0;
248 }
249
250 if (delegated && sp.delegated) {
251
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
255 return ENOMEM;
256 }
257
258 ret = copy_Principals(*delegated, sp.delegated);
259 if (ret) {
260 free_KRB5SignedPath(&sp);
261 free(*delegated);
262 *delegated = NULL;
263 return ret;
264 }
265 }
266 free_KRB5SignedPath(&sp);
267
268 *signedpath = 1;
269 }
270
271 return 0;
272 }
273
274 /*
275 *
276 */
277
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 hdb_entry_ex *client,
283 hdb_entry_ex *server,
284 const EncryptionKey *server_key,
285 const EncryptionKey *krbtgt_key,
286 EncTicketPart *tkt,
287 krb5_data *rspac,
288 int *signedpath)
289 {
290 AuthorizationData *ad = tkt->authorization_data;
291 unsigned i, j;
292 krb5_error_code ret;
293
294 if (ad == NULL || ad->len == 0)
295 return 0;
296
297 for (i = 0; i < ad->len; i++) {
298 AuthorizationData child;
299
300 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
301 continue;
302
303 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
304 ad->val[i].ad_data.length,
305 &child,
306 NULL);
307 if (ret) {
308 krb5_set_error_message(context, ret, "Failed to decode "
309 "IF_RELEVANT with %d", ret);
310 return ret;
311 }
312 for (j = 0; j < child.len; j++) {
313
314 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
315 krb5_pac pac;
316
317 /* Found PAC */
318 ret = krb5_pac_parse(context,
319 child.val[j].ad_data.data,
320 child.val[j].ad_data.length,
321 &pac);
322 free_AuthorizationData(&child);
323 if (ret)
324 return ret;
325
326 ret = krb5_pac_verify(context, pac, tkt->authtime,
327 client_principal,
328 krbtgt_key, NULL);
329 if (ret) {
330 krb5_pac_free(context, pac);
331 return ret;
332 }
333
334 ret = _kdc_pac_verify(context, client_principal,
335 client, server, &pac);
336 if (ret) {
337 krb5_pac_free(context, pac);
338 return ret;
339 }
340 *signedpath = 1;
341
342 ret = _krb5_pac_sign(context, pac, tkt->authtime,
343 client_principal,
344 server_key, krbtgt_key, rspac);
345
346 krb5_pac_free(context, pac);
347
348 return ret;
349 }
350 }
351 free_AuthorizationData(&child);
352 }
353 return 0;
354 }
355
356 /*
357 *
358 */
359
360 static krb5_error_code
361 check_tgs_flags(krb5_context context,
362 krb5_kdc_configuration *config,
363 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
364 {
365 KDCOptions f = b->kdc_options;
366
367 if(f.validate){
368 if(!tgt->flags.invalid || tgt->starttime == NULL){
369 kdc_log(context, config, 0,
370 "Bad request to validate ticket");
371 return KRB5KDC_ERR_BADOPTION;
372 }
373 if(*tgt->starttime > kdc_time){
374 kdc_log(context, config, 0,
375 "Early request to validate ticket");
376 return KRB5KRB_AP_ERR_TKT_NYV;
377 }
378 /* XXX tkt = tgt */
379 et->flags.invalid = 0;
380 }else if(tgt->flags.invalid){
381 kdc_log(context, config, 0,
382 "Ticket-granting ticket has INVALID flag set");
383 return KRB5KRB_AP_ERR_TKT_INVALID;
384 }
385
386 if(f.forwardable){
387 if(!tgt->flags.forwardable){
388 kdc_log(context, config, 0,
389 "Bad request for forwardable ticket");
390 return KRB5KDC_ERR_BADOPTION;
391 }
392 et->flags.forwardable = 1;
393 }
394 if(f.forwarded){
395 if(!tgt->flags.forwardable){
396 kdc_log(context, config, 0,
397 "Request to forward non-forwardable ticket");
398 return KRB5KDC_ERR_BADOPTION;
399 }
400 et->flags.forwarded = 1;
401 et->caddr = b->addresses;
402 }
403 if(tgt->flags.forwarded)
404 et->flags.forwarded = 1;
405
406 if(f.proxiable){
407 if(!tgt->flags.proxiable){
408 kdc_log(context, config, 0,
409 "Bad request for proxiable ticket");
410 return KRB5KDC_ERR_BADOPTION;
411 }
412 et->flags.proxiable = 1;
413 }
414 if(f.proxy){
415 if(!tgt->flags.proxiable){
416 kdc_log(context, config, 0,
417 "Request to proxy non-proxiable ticket");
418 return KRB5KDC_ERR_BADOPTION;
419 }
420 et->flags.proxy = 1;
421 et->caddr = b->addresses;
422 }
423 if(tgt->flags.proxy)
424 et->flags.proxy = 1;
425
426 if(f.allow_postdate){
427 if(!tgt->flags.may_postdate){
428 kdc_log(context, config, 0,
429 "Bad request for post-datable ticket");
430 return KRB5KDC_ERR_BADOPTION;
431 }
432 et->flags.may_postdate = 1;
433 }
434 if(f.postdated){
435 if(!tgt->flags.may_postdate){
436 kdc_log(context, config, 0,
437 "Bad request for postdated ticket");
438 return KRB5KDC_ERR_BADOPTION;
439 }
440 if(b->from)
441 *et->starttime = *b->from;
442 et->flags.postdated = 1;
443 et->flags.invalid = 1;
444 }else if(b->from && *b->from > kdc_time + context->max_skew){
445 kdc_log(context, config, 0, "Ticket cannot be postdated");
446 return KRB5KDC_ERR_CANNOT_POSTDATE;
447 }
448
449 if(f.renewable){
450 if(!tgt->flags.renewable){
451 kdc_log(context, config, 0,
452 "Bad request for renewable ticket");
453 return KRB5KDC_ERR_BADOPTION;
454 }
455 et->flags.renewable = 1;
456 ALLOC(et->renew_till);
457 _kdc_fix_time(&b->rtime);
458 *et->renew_till = *b->rtime;
459 }
460 if(f.renew){
461 time_t old_life;
462 if(!tgt->flags.renewable || tgt->renew_till == NULL){
463 kdc_log(context, config, 0,
464 "Request to renew non-renewable ticket");
465 return KRB5KDC_ERR_BADOPTION;
466 }
467 old_life = tgt->endtime;
468 if(tgt->starttime)
469 old_life -= *tgt->starttime;
470 else
471 old_life -= tgt->authtime;
472 et->endtime = *et->starttime + old_life;
473 if (et->renew_till != NULL)
474 et->endtime = min(*et->renew_till, et->endtime);
475 }
476
477 #if 0
478 /* checks for excess flags */
479 if(f.request_anonymous && !config->allow_anonymous){
480 kdc_log(context, config, 0,
481 "Request for anonymous ticket");
482 return KRB5KDC_ERR_BADOPTION;
483 }
484 #endif
485 return 0;
486 }
487
488 /*
489 * Determine if constrained delegation is allowed from this client to this server
490 */
491
492 static krb5_error_code
493 check_constrained_delegation(krb5_context context,
494 krb5_kdc_configuration *config,
495 HDB *clientdb,
496 hdb_entry_ex *client,
497 krb5_const_principal server)
498 {
499 const HDB_Ext_Constrained_delegation_acl *acl;
500 krb5_error_code ret;
501 int i;
502
503 /* if client delegates to itself, that ok */
504 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
505 return 0;
506
507 if (clientdb->hdb_check_constrained_delegation) {
508 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
509 if (ret == 0)
510 return 0;
511 } else {
512 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
513 if (ret) {
514 krb5_clear_error_message(context);
515 return ret;
516 }
517
518 if (acl) {
519 for (i = 0; i < acl->len; i++) {
520 if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
521 return 0;
522 }
523 }
524 ret = KRB5KDC_ERR_BADOPTION;
525 }
526 kdc_log(context, config, 0,
527 "Bad request for constrained delegation");
528 return ret;
529 }
530
531 /*
532 * Determine if s4u2self is allowed from this client to this server
533 *
534 * For example, regardless of the principal being impersonated, if the
535 * 'client' and 'server' are the same, then it's safe.
536 */
537
538 static krb5_error_code
539 check_s4u2self(krb5_context context,
540 krb5_kdc_configuration *config,
541 HDB *clientdb,
542 hdb_entry_ex *client,
543 krb5_const_principal server)
544 {
545 krb5_error_code ret;
546
547 /* if client does a s4u2self to itself, that ok */
548 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
549 return 0;
550
551 if (clientdb->hdb_check_s4u2self) {
552 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
553 if (ret == 0)
554 return 0;
555 } else {
556 ret = KRB5KDC_ERR_BADOPTION;
557 }
558 return ret;
559 }
560
561 /*
562 *
563 */
564
565 static krb5_error_code
566 verify_flags (krb5_context context,
567 krb5_kdc_configuration *config,
568 const EncTicketPart *et,
569 const char *pstr)
570 {
571 if(et->endtime < kdc_time){
572 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
573 return KRB5KRB_AP_ERR_TKT_EXPIRED;
574 }
575 if(et->flags.invalid){
576 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
577 return KRB5KRB_AP_ERR_TKT_NYV;
578 }
579 return 0;
580 }
581
582 /*
583 *
584 */
585
586 static krb5_error_code
587 fix_transited_encoding(krb5_context context,
588 krb5_kdc_configuration *config,
589 krb5_boolean check_policy,
590 const TransitedEncoding *tr,
591 EncTicketPart *et,
592 const char *client_realm,
593 const char *server_realm,
594 const char *tgt_realm)
595 {
596 krb5_error_code ret = 0;
597 char **realms, **tmp;
598 unsigned int num_realms;
599 int i;
600
601 switch (tr->tr_type) {
602 case DOMAIN_X500_COMPRESS:
603 break;
604 case 0:
605 /*
606 * Allow empty content of type 0 because that is was Microsoft
607 * generates in their TGT.
608 */
609 if (tr->contents.length == 0)
610 break;
611 kdc_log(context, config, 0,
612 "Transited type 0 with non empty content");
613 return KRB5KDC_ERR_TRTYPE_NOSUPP;
614 default:
615 kdc_log(context, config, 0,
616 "Unknown transited type: %u", tr->tr_type);
617 return KRB5KDC_ERR_TRTYPE_NOSUPP;
618 }
619
620 ret = krb5_domain_x500_decode(context,
621 tr->contents,
622 &realms,
623 &num_realms,
624 client_realm,
625 server_realm);
626 if(ret){
627 krb5_warn(context, ret,
628 "Decoding transited encoding");
629 return ret;
630 }
631 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
632 /* not us, so add the previous realm to transited set */
633 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
634 ret = ERANGE;
635 goto free_realms;
636 }
637 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
638 if(tmp == NULL){
639 ret = ENOMEM;
640 goto free_realms;
641 }
642 realms = tmp;
643 realms[num_realms] = strdup(tgt_realm);
644 if(realms[num_realms] == NULL){
645 ret = ENOMEM;
646 goto free_realms;
647 }
648 num_realms++;
649 }
650 if(num_realms == 0) {
651 if(strcmp(client_realm, server_realm))
652 kdc_log(context, config, 0,
653 "cross-realm %s -> %s", client_realm, server_realm);
654 } else {
655 size_t l = 0;
656 char *rs;
657 for(i = 0; i < num_realms; i++)
658 l += strlen(realms[i]) + 2;
659 rs = malloc(l);
660 if(rs != NULL) {
661 *rs = '\0';
662 for(i = 0; i < num_realms; i++) {
663 if(i > 0)
664 strlcat(rs, ", ", l);
665 strlcat(rs, realms[i], l);
666 }
667 kdc_log(context, config, 0,
668 "cross-realm %s -> %s via [%s]",
669 client_realm, server_realm, rs);
670 free(rs);
671 }
672 }
673 if(check_policy) {
674 ret = krb5_check_transited(context, client_realm,
675 server_realm,
676 realms, num_realms, NULL);
677 if(ret) {
678 krb5_warn(context, ret, "cross-realm %s -> %s",
679 client_realm, server_realm);
680 goto free_realms;
681 }
682 et->flags.transited_policy_checked = 1;
683 }
684 et->transited.tr_type = DOMAIN_X500_COMPRESS;
685 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
686 if(ret)
687 krb5_warn(context, ret, "Encoding transited encoding");
688 free_realms:
689 for(i = 0; i < num_realms; i++)
690 free(realms[i]);
691 free(realms);
692 return ret;
693 }
694
695
696 static krb5_error_code
697 tgs_make_reply(krb5_context context,
698 krb5_kdc_configuration *config,
699 KDC_REQ_BODY *b,
700 krb5_const_principal tgt_name,
701 const EncTicketPart *tgt,
702 const krb5_keyblock *replykey,
703 int rk_is_subkey,
704 const EncryptionKey *serverkey,
705 const krb5_keyblock *sessionkey,
706 krb5_kvno kvno,
707 AuthorizationData *auth_data,
708 hdb_entry_ex *server,
709 krb5_principal server_principal,
710 const char *server_name,
711 hdb_entry_ex *client,
712 krb5_principal client_principal,
713 hdb_entry_ex *krbtgt,
714 krb5_enctype krbtgt_etype,
715 krb5_principals spp,
716 const krb5_data *rspac,
717 const METHOD_DATA *enc_pa_data,
718 const char **e_text,
719 krb5_data *reply)
720 {
721 KDC_REP rep;
722 EncKDCRepPart ek;
723 EncTicketPart et;
724 KDCOptions f = b->kdc_options;
725 krb5_error_code ret;
726 int is_weak = 0;
727
728 memset(&rep, 0, sizeof(rep));
729 memset(&et, 0, sizeof(et));
730 memset(&ek, 0, sizeof(ek));
731
732 rep.pvno = 5;
733 rep.msg_type = krb_tgs_rep;
734
735 et.authtime = tgt->authtime;
736 _kdc_fix_time(&b->till);
737 et.endtime = min(tgt->endtime, *b->till);
738 ALLOC(et.starttime);
739 *et.starttime = kdc_time;
740
741 ret = check_tgs_flags(context, config, b, tgt, &et);
742 if(ret)
743 goto out;
744
745 /* We should check the transited encoding if:
746 1) the request doesn't ask not to be checked
747 2) globally enforcing a check
748 3) principal requires checking
749 4) we allow non-check per-principal, but principal isn't marked as allowing this
750 5) we don't globally allow this
751 */
752
753 #define GLOBAL_FORCE_TRANSITED_CHECK \
754 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
755 #define GLOBAL_ALLOW_PER_PRINCIPAL \
756 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
757 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
758 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
759
760 /* these will consult the database in future release */
761 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
762 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
763
764 ret = fix_transited_encoding(context, config,
765 !f.disable_transited_check ||
766 GLOBAL_FORCE_TRANSITED_CHECK ||
767 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
768 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
769 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
770 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
771 &tgt->transited, &et,
772 krb5_principal_get_realm(context, client_principal),
773 krb5_principal_get_realm(context, server->entry.principal),
774 krb5_principal_get_realm(context, krbtgt->entry.principal));
775 if(ret)
776 goto out;
777
778 copy_Realm(&server_principal->realm, &rep.ticket.realm);
779 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
780 copy_Realm(&tgt_name->realm, &rep.crealm);
781 /*
782 if (f.request_anonymous)
783 _kdc_make_anonymous_principalname (&rep.cname);
784 else */
785
786 copy_PrincipalName(&tgt_name->name, &rep.cname);
787 rep.ticket.tkt_vno = 5;
788
789 ek.caddr = et.caddr;
790 if(et.caddr == NULL)
791 et.caddr = tgt->caddr;
792
793 {
794 time_t life;
795 life = et.endtime - *et.starttime;
796 if(client && client->entry.max_life)
797 life = min(life, *client->entry.max_life);
798 if(server->entry.max_life)
799 life = min(life, *server->entry.max_life);
800 et.endtime = *et.starttime + life;
801 }
802 if(f.renewable_ok && tgt->flags.renewable &&
803 et.renew_till == NULL && et.endtime < *b->till){
804 et.flags.renewable = 1;
805 ALLOC(et.renew_till);
806 *et.renew_till = *b->till;
807 }
808 if(et.renew_till){
809 time_t renew;
810 renew = *et.renew_till - et.authtime;
811 if(client && client->entry.max_renew)
812 renew = min(renew, *client->entry.max_renew);
813 if(server->entry.max_renew)
814 renew = min(renew, *server->entry.max_renew);
815 *et.renew_till = et.authtime + renew;
816 }
817
818 if(et.renew_till){
819 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
820 *et.starttime = min(*et.starttime, *et.renew_till);
821 et.endtime = min(et.endtime, *et.renew_till);
822 }
823
824 *et.starttime = min(*et.starttime, et.endtime);
825
826 if(*et.starttime == et.endtime){
827 ret = KRB5KDC_ERR_NEVER_VALID;
828 goto out;
829 }
830 if(et.renew_till && et.endtime == *et.renew_till){
831 free(et.renew_till);
832 et.renew_till = NULL;
833 et.flags.renewable = 0;
834 }
835
836 et.flags.pre_authent = tgt->flags.pre_authent;
837 et.flags.hw_authent = tgt->flags.hw_authent;
838 et.flags.anonymous = tgt->flags.anonymous;
839 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
840
841 if(rspac->length) {
842 /*
843 * No not need to filter out the any PAC from the
844 * auth_data since it's signed by the KDC.
845 */
846 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
847 KRB5_AUTHDATA_WIN2K_PAC, rspac);
848 if (ret)
849 goto out;
850 }
851
852 if (auth_data) {
853 unsigned int i = 0;
854
855 /* XXX check authdata */
856
857 if (et.authorization_data == NULL) {
858 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
859 if (et.authorization_data == NULL) {
860 ret = ENOMEM;
861 krb5_set_error_message(context, ret, "malloc: out of memory");
862 goto out;
863 }
864 }
865 for(i = 0; i < auth_data->len ; i++) {
866 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
867 if (ret) {
868 krb5_set_error_message(context, ret, "malloc: out of memory");
869 goto out;
870 }
871 }
872
873 /* Filter out type KRB5SignedPath */
874 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
875 if (ret == 0) {
876 if (et.authorization_data->len == 1) {
877 free_AuthorizationData(et.authorization_data);
878 free(et.authorization_data);
879 et.authorization_data = NULL;
880 } else {
881 AuthorizationData *ad = et.authorization_data;
882 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
883 ad->len--;
884 }
885 }
886 }
887
888 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
889 if (ret)
890 goto out;
891 et.crealm = tgt->crealm;
892 et.cname = tgt_name->name;
893
894 ek.key = et.key;
895 /* MIT must have at least one last_req */
896 ek.last_req.len = 1;
897 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
898 if (ek.last_req.val == NULL) {
899 ret = ENOMEM;
900 goto out;
901 }
902 ek.nonce = b->nonce;
903 ek.flags = et.flags;
904 ek.authtime = et.authtime;
905 ek.starttime = et.starttime;
906 ek.endtime = et.endtime;
907 ek.renew_till = et.renew_till;
908 ek.srealm = rep.ticket.realm;
909 ek.sname = rep.ticket.sname;
910
911 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
912 et.endtime, et.renew_till);
913
914 /* Don't sign cross realm tickets, they can't be checked anyway */
915 {
916 char *r = get_krbtgt_realm(&ek.sname);
917
918 if (r == NULL || strcmp(r, ek.srealm) == 0) {
919 ret = _kdc_add_KRB5SignedPath(context,
920 config,
921 krbtgt,
922 krbtgt_etype,
923 client_principal,
924 NULL,
925 spp,
926 &et);
927 if (ret)
928 goto out;
929 }
930 }
931
932 if (enc_pa_data->len) {
933 rep.padata = calloc(1, sizeof(*rep.padata));
934 if (rep.padata == NULL) {
935 ret = ENOMEM;
936 goto out;
937 }
938 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
939 if (ret)
940 goto out;
941 }
942
943 if (krb5_enctype_valid(context, et.key.keytype) != 0
944 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
945 {
946 krb5_enctype_enable(context, et.key.keytype);
947 is_weak = 1;
948 }
949
950
951 /* It is somewhat unclear where the etype in the following
952 encryption should come from. What we have is a session
953 key in the passed tgt, and a list of preferred etypes
954 *for the new ticket*. Should we pick the best possible
955 etype, given the keytype in the tgt, or should we look
956 at the etype list here as well? What if the tgt
957 session key is DES3 and we want a ticket with a (say)
958 CAST session key. Should the DES3 etype be added to the
959 etype list, even if we don't want a session key with
960 DES3? */
961 ret = _kdc_encode_reply(context, config,
962 &rep, &et, &ek, et.key.keytype,
963 kvno,
964 serverkey, 0, replykey, rk_is_subkey,
965 e_text, reply);
966 if (is_weak)
967 krb5_enctype_disable(context, et.key.keytype);
968
969 out:
970 free_TGS_REP(&rep);
971 free_TransitedEncoding(&et.transited);
972 if(et.starttime)
973 free(et.starttime);
974 if(et.renew_till)
975 free(et.renew_till);
976 if(et.authorization_data) {
977 free_AuthorizationData(et.authorization_data);
978 free(et.authorization_data);
979 }
980 free_LastReq(&ek.last_req);
981 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
982 free_EncryptionKey(&et.key);
983 return ret;
984 }
985
986 static krb5_error_code
987 tgs_check_authenticator(krb5_context context,
988 krb5_kdc_configuration *config,
989 krb5_auth_context ac,
990 KDC_REQ_BODY *b,
991 const char **e_text,
992 krb5_keyblock *key)
993 {
994 krb5_authenticator auth;
995 size_t len;
996 unsigned char *buf;
997 size_t buf_size;
998 krb5_error_code ret;
999 krb5_crypto crypto;
1000
1001 krb5_auth_con_getauthenticator(context, ac, &auth);
1002 if(auth->cksum == NULL){
1003 kdc_log(context, config, 0, "No authenticator in request");
1004 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1005 goto out;
1006 }
1007 /*
1008 * according to RFC1510 it doesn't need to be keyed,
1009 * but according to the latest draft it needs to.
1010 */
1011 if (
1012 #if 0
1013 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1014 ||
1015 #endif
1016 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1017 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1018 auth->cksum->cksumtype);
1019 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1020 goto out;
1021 }
1022
1023 /* XXX should not re-encode this */
1024 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1025 if(ret){
1026 const char *msg = krb5_get_error_message(context, ret);
1027 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1028 krb5_free_error_message(context, msg);
1029 goto out;
1030 }
1031 if(buf_size != len) {
1032 free(buf);
1033 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1034 *e_text = "KDC internal error";
1035 ret = KRB5KRB_ERR_GENERIC;
1036 goto out;
1037 }
1038 ret = krb5_crypto_init(context, key, 0, &crypto);
1039 if (ret) {
1040 const char *msg = krb5_get_error_message(context, ret);
1041 free(buf);
1042 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1043 krb5_free_error_message(context, msg);
1044 goto out;
1045 }
1046 ret = krb5_verify_checksum(context,
1047 crypto,
1048 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1049 buf,
1050 len,
1051 auth->cksum);
1052 free(buf);
1053 krb5_crypto_destroy(context, crypto);
1054 if(ret){
1055 const char *msg = krb5_get_error_message(context, ret);
1056 kdc_log(context, config, 0,
1057 "Failed to verify authenticator checksum: %s", msg);
1058 krb5_free_error_message(context, msg);
1059 }
1060 out:
1061 free_Authenticator(auth);
1062 free(auth);
1063 return ret;
1064 }
1065
1066 /*
1067 *
1068 */
1069
1070 static const char *
1071 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1072 {
1073 const char *new_realm = krb5_config_get_string(context,
1074 NULL,
1075 "capaths",
1076 crealm,
1077 srealm,
1078 NULL);
1079 return new_realm;
1080 }
1081
1082
1083 static krb5_boolean
1084 need_referral(krb5_context context, krb5_kdc_configuration *config,
1085 const KDCOptions * const options, krb5_principal server,
1086 krb5_realm **realms)
1087 {
1088 const char *name;
1089
1090 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1091 return FALSE;
1092
1093 if (server->name.name_string.len == 1)
1094 name = server->name.name_string.val[0];
1095 else if (server->name.name_string.len > 1)
1096 name = server->name.name_string.val[1];
1097 else
1098 return FALSE;
1099
1100 kdc_log(context, config, 0, "Searching referral for %s", name);
1101
1102 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1103 }
1104
1105 static krb5_error_code
1106 tgs_parse_request(krb5_context context,
1107 krb5_kdc_configuration *config,
1108 KDC_REQ_BODY *b,
1109 const PA_DATA *tgs_req,
1110 hdb_entry_ex **krbtgt,
1111 krb5_enctype *krbtgt_etype,
1112 krb5_ticket **ticket,
1113 const char **e_text,
1114 const char *from,
1115 const struct sockaddr *from_addr,
1116 time_t **csec,
1117 int **cusec,
1118 AuthorizationData **auth_data,
1119 krb5_keyblock **replykey,
1120 int *rk_is_subkey)
1121 {
1122 krb5_ap_req ap_req;
1123 krb5_error_code ret;
1124 krb5_principal princ;
1125 krb5_auth_context ac = NULL;
1126 krb5_flags ap_req_options;
1127 krb5_flags verify_ap_req_flags;
1128 krb5_crypto crypto;
1129 Key *tkey;
1130 krb5_keyblock *subkey = NULL;
1131 unsigned usage;
1132
1133 *auth_data = NULL;
1134 *csec = NULL;
1135 *cusec = NULL;
1136 *replykey = NULL;
1137
1138 memset(&ap_req, 0, sizeof(ap_req));
1139 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1140 if(ret){
1141 const char *msg = krb5_get_error_message(context, ret);
1142 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1143 krb5_free_error_message(context, msg);
1144 goto out;
1145 }
1146
1147 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1148 /* XXX check for ticket.sname == req.sname */
1149 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1150 ret = KRB5KDC_ERR_POLICY; /* ? */
1151 goto out;
1152 }
1153
1154 _krb5_principalname2krb5_principal(context,
1155 &princ,
1156 ap_req.ticket.sname,
1157 ap_req.ticket.realm);
1158
1159 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
1160
1161 if(ret) {
1162 const char *msg = krb5_get_error_message(context, ret);
1163 char *p;
1164 ret = krb5_unparse_name(context, princ, &p);
1165 if (ret != 0)
1166 p = "<unparse_name failed>";
1167 krb5_free_principal(context, princ);
1168 kdc_log(context, config, 0,
1169 "Ticket-granting ticket not found in database: %s", msg);
1170 krb5_free_error_message(context, msg);
1171 if (ret == 0)
1172 free(p);
1173 ret = KRB5KRB_AP_ERR_NOT_US;
1174 goto out;
1175 }
1176
1177 if(ap_req.ticket.enc_part.kvno &&
1178 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1179 char *p;
1180
1181 ret = krb5_unparse_name (context, princ, &p);
1182 krb5_free_principal(context, princ);
1183 if (ret != 0)
1184 p = "<unparse_name failed>";
1185 kdc_log(context, config, 0,
1186 "Ticket kvno = %d, DB kvno = %d (%s)",
1187 *ap_req.ticket.enc_part.kvno,
1188 (*krbtgt)->entry.kvno,
1189 p);
1190 if (ret == 0)
1191 free (p);
1192 ret = KRB5KRB_AP_ERR_BADKEYVER;
1193 goto out;
1194 }
1195
1196 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1197
1198 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1199 ap_req.ticket.enc_part.etype, &tkey);
1200 if(ret){
1201 char *str = NULL, *p = NULL;
1202
1203 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1204 krb5_unparse_name(context, princ, &p);
1205 kdc_log(context, config, 0,
1206 "No server key with enctype %s found for %s",
1207 str ? str : "<unknown enctype>",
1208 p ? p : "<unparse_name failed>");
1209 free(str);
1210 free(p);
1211 ret = KRB5KRB_AP_ERR_BADKEYVER;
1212 goto out;
1213 }
1214
1215 if (b->kdc_options.validate)
1216 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1217 else
1218 verify_ap_req_flags = 0;
1219
1220 ret = krb5_verify_ap_req2(context,
1221 &ac,
1222 &ap_req,
1223 princ,
1224 &tkey->key,
1225 verify_ap_req_flags,
1226 &ap_req_options,
1227 ticket,
1228 KRB5_KU_TGS_REQ_AUTH);
1229
1230 krb5_free_principal(context, princ);
1231 if(ret) {
1232 const char *msg = krb5_get_error_message(context, ret);
1233 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1234 krb5_free_error_message(context, msg);
1235 goto out;
1236 }
1237
1238 {
1239 krb5_authenticator auth;
1240
1241 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1242 if (ret == 0) {
1243 *csec = malloc(sizeof(**csec));
1244 if (*csec == NULL) {
1245 krb5_free_authenticator(context, &auth);
1246 kdc_log(context, config, 0, "malloc failed");
1247 goto out;
1248 }
1249 **csec = auth->ctime;
1250 *cusec = malloc(sizeof(**cusec));
1251 if (*cusec == NULL) {
1252 krb5_free_authenticator(context, &auth);
1253 kdc_log(context, config, 0, "malloc failed");
1254 goto out;
1255 }
1256 **cusec = auth->cusec;
1257 krb5_free_authenticator(context, &auth);
1258 }
1259 }
1260
1261 ret = tgs_check_authenticator(context, config,
1262 ac, b, e_text, &(*ticket)->ticket.key);
1263 if (ret) {
1264 krb5_auth_con_free(context, ac);
1265 goto out;
1266 }
1267
1268 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1269 *rk_is_subkey = 1;
1270
1271 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1272 if(ret){
1273 const char *msg = krb5_get_error_message(context, ret);
1274 krb5_auth_con_free(context, ac);
1275 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1276 krb5_free_error_message(context, msg);
1277 goto out;
1278 }
1279 if(subkey == NULL){
1280 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1281 *rk_is_subkey = 0;
1282
1283 ret = krb5_auth_con_getkey(context, ac, &subkey);
1284 if(ret) {
1285 const char *msg = krb5_get_error_message(context, ret);
1286 krb5_auth_con_free(context, ac);
1287 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1288 krb5_free_error_message(context, msg);
1289 goto out;
1290 }
1291 }
1292 if(subkey == NULL){
1293 krb5_auth_con_free(context, ac);
1294 kdc_log(context, config, 0,
1295 "Failed to get key for enc-authorization-data");
1296 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1297 goto out;
1298 }
1299
1300 *replykey = subkey;
1301
1302 if (b->enc_authorization_data) {
1303 krb5_data ad;
1304
1305 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1306 if (ret) {
1307 const char *msg = krb5_get_error_message(context, ret);
1308 krb5_auth_con_free(context, ac);
1309 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1310 krb5_free_error_message(context, msg);
1311 goto out;
1312 }
1313 ret = krb5_decrypt_EncryptedData (context,
1314 crypto,
1315 usage,
1316 b->enc_authorization_data,
1317 &ad);
1318 krb5_crypto_destroy(context, crypto);
1319 if(ret){
1320 krb5_auth_con_free(context, ac);
1321 kdc_log(context, config, 0,
1322 "Failed to decrypt enc-authorization-data");
1323 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1324 goto out;
1325 }
1326 ALLOC(*auth_data);
1327 if (*auth_data == NULL) {
1328 krb5_auth_con_free(context, ac);
1329 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1330 goto out;
1331 }
1332 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1333 if(ret){
1334 krb5_auth_con_free(context, ac);
1335 free(*auth_data);
1336 *auth_data = NULL;
1337 kdc_log(context, config, 0, "Failed to decode authorization data");
1338 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1339 goto out;
1340 }
1341 }
1342
1343 krb5_auth_con_free(context, ac);
1344
1345 out:
1346 free_AP_REQ(&ap_req);
1347
1348 return ret;
1349 }
1350
1351 static krb5_error_code
1352 build_server_referral(krb5_context context,
1353 krb5_kdc_configuration *config,
1354 krb5_crypto session,
1355 krb5_const_realm referred_realm,
1356 const PrincipalName *true_principal_name,
1357 const PrincipalName *requested_principal,
1358 krb5_data *outdata)
1359 {
1360 PA_ServerReferralData ref;
1361 krb5_error_code ret;
1362 EncryptedData ed;
1363 krb5_data data;
1364 size_t size;
1365
1366 memset(&ref, 0, sizeof(ref));
1367
1368 if (referred_realm) {
1369 ALLOC(ref.referred_realm);
1370 if (ref.referred_realm == NULL)
1371 goto eout;
1372 *ref.referred_realm = strdup(referred_realm);
1373 if (*ref.referred_realm == NULL)
1374 goto eout;
1375 }
1376 if (true_principal_name) {
1377 ALLOC(ref.true_principal_name);
1378 if (ref.true_principal_name == NULL)
1379 goto eout;
1380 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1381 if (ret)
1382 goto eout;
1383 }
1384 if (requested_principal) {
1385 ALLOC(ref.requested_principal_name);
1386 if (ref.requested_principal_name == NULL)
1387 goto eout;
1388 ret = copy_PrincipalName(requested_principal,
1389 ref.requested_principal_name);
1390 if (ret)
1391 goto eout;
1392 }
1393
1394 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1395 data.data, data.length,
1396 &ref, &size, ret);
1397 free_PA_ServerReferralData(&ref);
1398 if (ret)
1399 return ret;
1400 if (data.length != size)
1401 krb5_abortx(context, "internal asn.1 encoder error");
1402
1403 ret = krb5_encrypt_EncryptedData(context, session,
1404 KRB5_KU_PA_SERVER_REFERRAL,
1405 data.data, data.length,
1406 0 /* kvno */, &ed);
1407 free(data.data);
1408 if (ret)
1409 return ret;
1410
1411 ASN1_MALLOC_ENCODE(EncryptedData,
1412 outdata->data, outdata->length,
1413 &ed, &size, ret);
1414 free_EncryptedData(&ed);
1415 if (ret)
1416 return ret;
1417 if (outdata->length != size)
1418 krb5_abortx(context, "internal asn.1 encoder error");
1419
1420 return 0;
1421 eout:
1422 free_PA_ServerReferralData(&ref);
1423 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1424 return ENOMEM;
1425 }
1426
1427 static krb5_error_code
1428 tgs_build_reply(krb5_context context,
1429 krb5_kdc_configuration *config,
1430 KDC_REQ *req,
1431 KDC_REQ_BODY *b,
1432 hdb_entry_ex *krbtgt,
1433 krb5_enctype krbtgt_etype,
1434 const krb5_keyblock *replykey,
1435 int rk_is_subkey,
1436 krb5_ticket *ticket,
1437 krb5_data *reply,
1438 const char *from,
1439 const char **e_text,
1440 AuthorizationData **auth_data,
1441 const struct sockaddr *from_addr)
1442 {
1443 krb5_error_code ret;
1444 krb5_principal cp = NULL, sp = NULL;
1445 krb5_principal client_principal = NULL;
1446 char *spn = NULL, *cpn = NULL;
1447 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1448 HDB *clientdb, *s4u2self_impersonated_clientdb;
1449 krb5_realm ref_realm = NULL;
1450 EncTicketPart *tgt = &ticket->ticket;
1451 krb5_principals spp = NULL;
1452 const EncryptionKey *ekey;
1453 krb5_keyblock sessionkey;
1454 krb5_kvno kvno;
1455 krb5_data rspac;
1456
1457 METHOD_DATA enc_pa_data;
1458
1459 PrincipalName *s;
1460 Realm r;
1461 int nloop = 0;
1462 EncTicketPart adtkt;
1463 char opt_str[128];
1464 int signedpath = 0;
1465
1466 Key *tkey;
1467
1468 memset(&sessionkey, 0, sizeof(sessionkey));
1469 memset(&adtkt, 0, sizeof(adtkt));
1470 krb5_data_zero(&rspac);
1471 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1472
1473 s = b->sname;
1474 r = b->realm;
1475
1476 if(b->kdc_options.enc_tkt_in_skey){
1477 Ticket *t;
1478 hdb_entry_ex *uu;
1479 krb5_principal p;
1480 Key *uukey;
1481
1482 if(b->additional_tickets == NULL ||
1483 b->additional_tickets->len == 0){
1484 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1485 kdc_log(context, config, 0,
1486 "No second ticket present in request");
1487 goto out;
1488 }
1489 t = &b->additional_tickets->val[0];
1490 if(!get_krbtgt_realm(&t->sname)){
1491 kdc_log(context, config, 0,
1492 "Additional ticket is not a ticket-granting ticket");
1493 ret = KRB5KDC_ERR_POLICY;
1494 goto out;
1495 }
1496 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1497 ret = _kdc_db_fetch(context, config, p,
1498 HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
1499 NULL, &uu);
1500 krb5_free_principal(context, p);
1501 if(ret){
1502 if (ret == HDB_ERR_NOENTRY)
1503 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1504 goto out;
1505 }
1506 ret = hdb_enctype2key(context, &uu->entry,
1507 t->enc_part.etype, &uukey);
1508 if(ret){
1509 _kdc_free_ent(context, uu);
1510 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1511 goto out;
1512 }
1513 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1514 _kdc_free_ent(context, uu);
1515 if(ret)
1516 goto out;
1517
1518 ret = verify_flags(context, config, &adtkt, spn);
1519 if (ret)
1520 goto out;
1521
1522 s = &adtkt.cname;
1523 r = adtkt.crealm;
1524 }
1525
1526 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1527 ret = krb5_unparse_name(context, sp, &spn);
1528 if (ret)
1529 goto out;
1530 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1531 ret = krb5_unparse_name(context, cp, &cpn);
1532 if (ret)
1533 goto out;
1534 unparse_flags (KDCOptions2int(b->kdc_options),
1535 asn1_KDCOptions_units(),
1536 opt_str, sizeof(opt_str));
1537 if(*opt_str)
1538 kdc_log(context, config, 0,
1539 "TGS-REQ %s from %s for %s [%s]",
1540 cpn, from, spn, opt_str);
1541 else
1542 kdc_log(context, config, 0,
1543 "TGS-REQ %s from %s for %s", cpn, from, spn);
1544
1545 /*
1546 * Fetch server
1547 */
1548
1549 server_lookup:
1550 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
1551 NULL, &server);
1552
1553 if(ret){
1554 const char *new_rlm, *msg;
1555 Realm req_rlm;
1556 krb5_realm *realms;
1557
1558 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1559 if(nloop++ < 2) {
1560 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1561 if(new_rlm) {
1562 kdc_log(context, config, 5, "krbtgt for realm %s "
1563 "not found, trying %s",
1564 req_rlm, new_rlm);
1565 krb5_free_principal(context, sp);
1566 free(spn);
1567 krb5_make_principal(context, &sp, r,
1568 KRB5_TGS_NAME, new_rlm, NULL);
1569 ret = krb5_unparse_name(context, sp, &spn);
1570 if (ret)
1571 goto out;
1572
1573 if (ref_realm)
1574 free(ref_realm);
1575 ref_realm = strdup(new_rlm);
1576 goto server_lookup;
1577 }
1578 }
1579 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1580 if (strcmp(realms[0], sp->realm) != 0) {
1581 kdc_log(context, config, 5,
1582 "Returning a referral to realm %s for "
1583 "server %s that was not found",
1584 realms[0], spn);
1585 krb5_free_principal(context, sp);
1586 free(spn);
1587 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1588 realms[0], NULL);
1589 ret = krb5_unparse_name(context, sp, &spn);
1590 if (ret)
1591 goto out;
1592
1593 if (ref_realm)
1594 free(ref_realm);
1595 ref_realm = strdup(realms[0]);
1596
1597 krb5_free_host_realm(context, realms);
1598 goto server_lookup;
1599 }
1600 krb5_free_host_realm(context, realms);
1601 }
1602 msg = krb5_get_error_message(context, ret);
1603 kdc_log(context, config, 0,
1604 "Server not found in database: %s: %s", spn, msg);
1605 krb5_free_error_message(context, msg);
1606 if (ret == HDB_ERR_NOENTRY)
1607 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1608 goto out;
1609 }
1610
1611 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1612 &clientdb, &client);
1613 if(ret) {
1614 const char *krbtgt_realm, *msg;
1615
1616 /*
1617 * If the client belongs to the same realm as our krbtgt, it
1618 * should exist in the local database.
1619 *
1620 */
1621
1622 krbtgt_realm =
1623 krb5_principal_get_comp_string(context,
1624 krbtgt->entry.principal, 1);
1625
1626 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1627 if (ret == HDB_ERR_NOENTRY)
1628 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1629 kdc_log(context, config, 1, "Client no longer in database: %s",
1630 cpn);
1631 goto out;
1632 }
1633
1634 msg = krb5_get_error_message(context, ret);
1635 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1636 krb5_free_error_message(context, msg);
1637 }
1638
1639 /*
1640 * Select enctype, return key and kvno.
1641 */
1642
1643 {
1644 krb5_enctype etype;
1645
1646 if(b->kdc_options.enc_tkt_in_skey) {
1647 int i;
1648 ekey = &adtkt.key;
1649 for(i = 0; i < b->etype.len; i++)
1650 if (b->etype.val[i] == adtkt.key.keytype)
1651 break;
1652 if(i == b->etype.len) {
1653 kdc_log(context, config, 0,
1654 "Addition ticket have not matching etypes");
1655 krb5_clear_error_message(context);
1656 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1657 goto out;
1658 }
1659 etype = b->etype.val[i];
1660 kvno = 0;
1661 } else {
1662 Key *skey;
1663
1664 ret = _kdc_find_etype(context, server,
1665 b->etype.val, b->etype.len, &skey);
1666 if(ret) {
1667 kdc_log(context, config, 0,
1668 "Server (%s) has no support for etypes", spn);
1669 goto out;
1670 }
1671 ekey = &skey->key;
1672 etype = skey->key.keytype;
1673 kvno = server->entry.kvno;
1674 }
1675
1676 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1677 if (ret)
1678 goto out;
1679 }
1680
1681 /*
1682 * Check that service is in the same realm as the krbtgt. If it's
1683 * not the same, it's someone that is using a uni-directional trust
1684 * backward.
1685 */
1686
1687 if (strcmp(krb5_principal_get_realm(context, sp),
1688 krb5_principal_get_comp_string(context,
1689 krbtgt->entry.principal,
1690 1)) != 0) {
1691 char *tpn;
1692 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1693 kdc_log(context, config, 0,
1694 "Request with wrong krbtgt: %s",
1695 (ret == 0) ? tpn : "<unknown>");
1696 if(ret == 0)
1697 free(tpn);
1698 ret = KRB5KRB_AP_ERR_NOT_US;
1699 goto out;
1700 }
1701
1702 /*
1703 * Validate authoriation data
1704 */
1705
1706 ret = hdb_enctype2key(context, &krbtgt->entry,
1707 krbtgt_etype, &tkey);
1708 if(ret) {
1709 kdc_log(context, config, 0,
1710 "Failed to find key for krbtgt PAC check");
1711 goto out;
1712 }
1713
1714 ret = check_PAC(context, config, cp,
1715 client, server, ekey, &tkey->key,
1716 tgt, &rspac, &signedpath);
1717 if (ret) {
1718 const char *msg = krb5_get_error_message(context, ret);
1719 kdc_log(context, config, 0,
1720 "Verify PAC failed for %s (%s) from %s with %s",
1721 spn, cpn, from, msg);
1722 krb5_free_error_message(context, msg);
1723 goto out;
1724 }
1725
1726 /* also check the krbtgt for signature */
1727 ret = check_KRB5SignedPath(context,
1728 config,
1729 krbtgt,
1730 cp,
1731 tgt,
1732 &spp,
1733 &signedpath);
1734 if (ret) {
1735 const char *msg = krb5_get_error_message(context, ret);
1736 kdc_log(context, config, 0,
1737 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1738 spn, cpn, from, msg);
1739 krb5_free_error_message(context, msg);
1740 goto out;
1741 }
1742
1743 /*
1744 * Process request
1745 */
1746
1747 client_principal = cp;
1748
1749 if (client) {
1750 const PA_DATA *sdata;
1751 int i = 0;
1752
1753 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1754 if (sdata) {
1755 krb5_crypto crypto;
1756 krb5_data datack;
1757 PA_S4U2Self self;
1758 char *selfcpn = NULL;
1759 const char *str;
1760
1761 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1762 sdata->padata_value.length,
1763 &self, NULL);
1764 if (ret) {
1765 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1766 goto out;
1767 }
1768
1769 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1770 if (ret)
1771 goto out;
1772
1773 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1774 if (ret) {
1775 const char *msg = krb5_get_error_message(context, ret);
1776 free_PA_S4U2Self(&self);
1777 krb5_data_free(&datack);
1778 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1779 krb5_free_error_message(context, msg);
1780 goto out;
1781 }
1782
1783 ret = krb5_verify_checksum(context,
1784 crypto,
1785 KRB5_KU_OTHER_CKSUM,
1786 datack.data,
1787 datack.length,
1788 &self.cksum);
1789 krb5_data_free(&datack);
1790 krb5_crypto_destroy(context, crypto);
1791 if (ret) {
1792 const char *msg = krb5_get_error_message(context, ret);
1793 free_PA_S4U2Self(&self);
1794 kdc_log(context, config, 0,
1795 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1796 krb5_free_error_message(context, msg);
1797 goto out;
1798 }
1799
1800 ret = _krb5_principalname2krb5_principal(context,
1801 &client_principal,
1802 self.name,
1803 self.realm);
1804 free_PA_S4U2Self(&self);
1805 if (ret)
1806 goto out;
1807
1808 ret = krb5_unparse_name(context, client_principal, &selfcpn);
1809 if (ret)
1810 goto out;
1811
1812 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1813 if(rspac.data) {
1814 krb5_pac p = NULL;
1815 krb5_data_free(&rspac);
1816 ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON,
1817 &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1818 if (ret) {
1819 const char *msg;
1820
1821 /*
1822 * If the client belongs to the same realm as our krbtgt, it
1823 * should exist in the local database.
1824 *
1825 */
1826
1827 if (ret == HDB_ERR_NOENTRY)
1828 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1829 msg = krb5_get_error_message(context, ret);
1830 kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg);
1831 krb5_free_error_message(context, msg);
1832 goto out;
1833 }
1834 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1835 if (ret) {
1836 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1837 selfcpn);
1838 goto out;
1839 }
1840 if (p != NULL) {
1841 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1842 s4u2self_impersonated_client->entry.principal,
1843 ekey, &tkey->key,
1844 &rspac);
1845 krb5_pac_free(context, p);
1846 if (ret) {
1847 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1848 selfcpn);
1849 goto out;
1850 }
1851 }
1852 }
1853
1854 /*
1855 * Check that service doing the impersonating is
1856 * requesting a ticket to it-self.
1857 */
1858 ret = check_s4u2self(context, config, clientdb, client, sp);
1859 if (ret) {
1860 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1861 "to impersonate to service "
1862 "(tried for user %s to service %s)",
1863 cpn, selfcpn, spn);
1864 free(selfcpn);
1865 goto out;
1866 }
1867
1868 /*
1869 * If the service isn't trusted for authentication to
1870 * delegation, remove the forward flag.
1871 */
1872
1873 if (client->entry.flags.trusted_for_delegation) {
1874 str = "[forwardable]";
1875 } else {
1876 b->kdc_options.forwardable = 0;
1877 str = "";
1878 }
1879 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1880 "service %s %s", cpn, selfcpn, spn, str);
1881 free(selfcpn);
1882 }
1883 }
1884
1885 /*
1886 * Constrained delegation
1887 */
1888
1889 if (client != NULL
1890 && b->additional_tickets != NULL
1891 && b->additional_tickets->len != 0
1892 && b->kdc_options.enc_tkt_in_skey == 0)
1893 {
1894 int ad_signedpath = 0;
1895 Key *clientkey;
1896 Ticket *t;
1897 char *str;
1898
1899 /*
1900 * Require that the KDC have issued the service's krbtgt (not
1901 * self-issued ticket with kimpersonate(1).
1902 */
1903 if (!signedpath) {
1904 ret = KRB5KDC_ERR_BADOPTION;
1905 kdc_log(context, config, 0,
1906 "Constrained delegation done on service ticket %s/%s",
1907 cpn, spn);
1908 goto out;
1909 }
1910
1911 t = &b->additional_tickets->val[0];
1912
1913 ret = hdb_enctype2key(context, &client->entry,
1914 t->enc_part.etype, &clientkey);
1915 if(ret){
1916 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1917 goto out;
1918 }
1919
1920 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
1921 if (ret) {
1922 kdc_log(context, config, 0,
1923 "failed to decrypt ticket for "
1924 "constrained delegation from %s to %s ", cpn, spn);
1925 goto out;
1926 }
1927
1928 /* check that ticket is valid */
1929 if (adtkt.flags.forwardable == 0) {
1930 kdc_log(context, config, 0,
1931 "Missing forwardable flag on ticket for "
1932 "constrained delegation from %s to %s ", cpn, spn);
1933 ret = KRB5KDC_ERR_BADOPTION;
1934 goto out;
1935 }
1936
1937 ret = check_constrained_delegation(context, config, clientdb,
1938 client, sp);
1939 if (ret) {
1940 kdc_log(context, config, 0,
1941 "constrained delegation from %s to %s not allowed",
1942 cpn, spn);
1943 goto out;
1944 }
1945
1946 ret = _krb5_principalname2krb5_principal(context,
1947 &client_principal,
1948 adtkt.cname,
1949 adtkt.crealm);
1950 if (ret)
1951 goto out;
1952
1953 ret = krb5_unparse_name(context, client_principal, &str);
1954 if (ret)
1955 goto out;
1956
1957 ret = verify_flags(context, config, &adtkt, str);
1958 if (ret) {
1959 free(str);
1960 goto out;
1961 }
1962
1963 /*
1964 * Check that the KDC issued the user's ticket.
1965 */
1966 ret = check_KRB5SignedPath(context,
1967 config,
1968 krbtgt,
1969 cp,
1970 &adtkt,
1971 NULL,
1972 &ad_signedpath);
1973 if (ret == 0 && !ad_signedpath)
1974 ret = KRB5KDC_ERR_BADOPTION;
1975 if (ret) {
1976 const char *msg = krb5_get_error_message(context, ret);
1977 kdc_log(context, config, 0,
1978 "KRB5SignedPath check from service %s failed "
1979 "for delegation to %s for client %s "
1980 "from %s failed with %s",
1981 spn, str, cpn, from, msg);
1982 krb5_free_error_message(context, msg);
1983 free(str);
1984 goto out;
1985 }
1986
1987 kdc_log(context, config, 0, "constrained delegation for %s "
1988 "from %s to %s", str, cpn, spn);
1989 free(str);
1990 }
1991
1992 /*
1993 * Check flags
1994 */
1995
1996 ret = kdc_check_flags(context, config,
1997 client, cpn,
1998 server, spn,
1999 FALSE);
2000 if(ret)
2001 goto out;
2002
2003 if((b->kdc_options.validate || b->kdc_options.renew) &&
2004 !krb5_principal_compare(context,
2005 krbtgt->entry.principal,
2006 server->entry.principal)){
2007 kdc_log(context, config, 0, "Inconsistent request.");
2008 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2009 goto out;
2010 }
2011
2012 /* check for valid set of addresses */
2013 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2014 ret = KRB5KRB_AP_ERR_BADADDR;
2015 kdc_log(context, config, 0, "Request from wrong address");
2016 goto out;
2017 }
2018
2019 /*
2020 * If this is an referral, add server referral data to the
2021 * auth_data reply .
2022 */
2023 if (ref_realm) {
2024 PA_DATA pa;
2025 krb5_crypto crypto;
2026
2027 kdc_log(context, config, 0,
2028 "Adding server referral to %s", ref_realm);
2029
2030 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2031 if (ret)
2032 goto out;
2033
2034 ret = build_server_referral(context, config, crypto, ref_realm,
2035 NULL, s, &pa.padata_value);
2036 krb5_crypto_destroy(context, crypto);
2037 if (ret) {
2038 kdc_log(context, config, 0,
2039 "Failed building server referral");
2040 goto out;
2041 }
2042 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2043
2044 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2045 krb5_data_free(&pa.padata_value);
2046 if (ret) {
2047 kdc_log(context, config, 0,
2048 "Add server referral METHOD-DATA failed");
2049 goto out;
2050 }
2051 }
2052
2053 /*
2054 *
2055 */
2056
2057 ret = tgs_make_reply(context,
2058 config,
2059 b,
2060 client_principal,
2061 tgt,
2062 replykey,
2063 rk_is_subkey,
2064 ekey,
2065 &sessionkey,
2066 kvno,
2067 *auth_data,
2068 server,
2069 sp,
2070 spn,
2071 client,
2072 cp,
2073 krbtgt,
2074 krbtgt_etype,
2075 spp,
2076 &rspac,
2077 &enc_pa_data,
2078 e_text,
2079 reply);
2080
2081 out:
2082 free(spn);
2083 free(cpn);
2084
2085 krb5_data_free(&rspac);
2086 krb5_free_keyblock_contents(context, &sessionkey);
2087 if(server)
2088 _kdc_free_ent(context, server);
2089 if(client)
2090 _kdc_free_ent(context, client);
2091 if(s4u2self_impersonated_client)
2092 _kdc_free_ent(context, s4u2self_impersonated_client);
2093
2094 if (client_principal && client_principal != cp)
2095 krb5_free_principal(context, client_principal);
2096 if (cp)
2097 krb5_free_principal(context, cp);
2098 if (sp)
2099 krb5_free_principal(context, sp);
2100 if (ref_realm)
2101 free(ref_realm);
2102 free_METHOD_DATA(&enc_pa_data);
2103
2104 free_EncTicketPart(&adtkt);
2105
2106 return ret;
2107 }
2108
2109 /*
2110 *
2111 */
2112
2113 krb5_error_code
2114 _kdc_tgs_rep(krb5_context context,
2115 krb5_kdc_configuration *config,
2116 KDC_REQ *req,
2117 krb5_data *data,
2118 const char *from,
2119 struct sockaddr *from_addr,
2120 int datagram_reply)
2121 {
2122 AuthorizationData *auth_data = NULL;
2123 krb5_error_code ret;
2124 int i = 0;
2125 const PA_DATA *tgs_req;
2126
2127 hdb_entry_ex *krbtgt = NULL;
2128 krb5_ticket *ticket = NULL;
2129 const char *e_text = NULL;
2130 krb5_enctype krbtgt_etype = ETYPE_NULL;
2131
2132 krb5_keyblock *replykey = NULL;
2133 int rk_is_subkey = 0;
2134 time_t *csec = NULL;
2135 int *cusec = NULL;
2136
2137 if(req->padata == NULL){
2138 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2139 kdc_log(context, config, 0,
2140 "TGS-REQ from %s without PA-DATA", from);
2141 goto out;
2142 }
2143
2144 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2145
2146 if(tgs_req == NULL){
2147 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2148
2149 kdc_log(context, config, 0,
2150 "TGS-REQ from %s without PA-TGS-REQ", from);
2151 goto out;
2152 }
2153 ret = tgs_parse_request(context, config,
2154 &req->req_body, tgs_req,
2155 &krbtgt,
2156 &krbtgt_etype,
2157 &ticket,
2158 &e_text,
2159 from, from_addr,
2160 &csec, &cusec,
2161 &auth_data,
2162 &replykey,
2163 &rk_is_subkey);
2164 if (ret) {
2165 kdc_log(context, config, 0,
2166 "Failed parsing TGS-REQ from %s", from);
2167 goto out;
2168 }
2169
2170 ret = tgs_build_reply(context,
2171 config,
2172 req,
2173 &req->req_body,
2174 krbtgt,
2175 krbtgt_etype,
2176 replykey,
2177 rk_is_subkey,
2178 ticket,
2179 data,
2180 from,
2181 &e_text,
2182 &auth_data,
2183 from_addr);
2184 if (ret) {
2185 kdc_log(context, config, 0,
2186 "Failed building TGS-REP to %s", from);
2187 goto out;
2188 }
2189
2190 /* */
2191 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2192 krb5_data_free(data);
2193 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2194 e_text = "Reply packet too large";
2195 }
2196
2197 out:
2198 if (replykey)
2199 krb5_free_keyblock(context, replykey);
2200 if(ret && data->data == NULL){
2201 krb5_mk_error(context,
2202 ret,
2203 NULL,
2204 NULL,
2205 NULL,
2206 NULL,
2207 csec,
2208 cusec,
2209 data);
2210 }
2211 free(csec);
2212 free(cusec);
2213 if (ticket)
2214 krb5_free_ticket(context, ticket);
2215 if(krbtgt)
2216 _kdc_free_ent(context, krbtgt);
2217
2218 if (auth_data) {
2219 free_AuthorizationData(auth_data);
2220 free(auth_data);
2221 }
2222
2223 return 0;
2224 }