2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * return the realm of a krbtgt-ticket or NULL
41 get_krbtgt_realm(const PrincipalName
*p
)
43 if(p
->name_string
.len
== 2
44 && strcmp(p
->name_string
.val
[0], KRB5_TGS_NAME
) == 0)
45 return p
->name_string
.val
[1];
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context
,
61 const AuthorizationData
*ad
,
64 AuthorizationData child
;
68 if (ad
== NULL
|| ad
->len
== 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
73 if (ad
->val
[pos
].ad_type
!= KRB5_AUTHDATA_IF_RELEVANT
)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
76 ret
= decode_AuthorizationData(ad
->val
[pos
].ad_data
.data
,
77 ad
->val
[pos
].ad_data
.length
,
81 krb5_set_error_message(context
, ret
, "Failed to decode "
82 "IF_RELEVANT with %d", ret
);
87 free_AuthorizationData(&child
);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
91 if (child
.val
[0].ad_type
!= KRB5_AUTHDATA_SIGNTICKET
) {
92 free_AuthorizationData(&child
);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
97 ret
= der_copy_octet_string(&child
.val
[0].ad_data
, data
);
98 free_AuthorizationData(&child
);
103 _kdc_add_KRB5SignedPath(krb5_context context
,
104 krb5_kdc_configuration
*config
,
105 hdb_entry_ex
*krbtgt
,
106 krb5_enctype enctype
,
107 krb5_principal client
,
108 krb5_const_principal server
,
109 krb5_principals principals
,
115 krb5_crypto crypto
= NULL
;
118 if (server
&& principals
) {
119 ret
= add_Principals(principals
, server
);
125 KRB5SignedPathData spd
;
128 spd
.authtime
= tkt
->authtime
;
129 spd
.delegated
= principals
;
130 spd
.method_data
= NULL
;
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData
, data
.data
, data
.length
,
136 if (data
.length
!= size
)
137 krb5_abortx(context
, "internal asn.1 encoder error");
142 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, enctype
, &key
);
144 ret
= krb5_crypto_init(context
, &key
->key
, 0, &crypto
);
152 * Fill in KRB5SignedPath
156 sp
.delegated
= principals
;
157 sp
.method_data
= NULL
;
159 ret
= krb5_create_checksum(context
, crypto
, KRB5_KU_KRB5SIGNEDPATH
, 0,
160 data
.data
, data
.length
, &sp
.cksum
);
161 krb5_crypto_destroy(context
, crypto
);
166 ASN1_MALLOC_ENCODE(KRB5SignedPath
, data
.data
, data
.length
, &sp
, &size
, ret
);
167 free_Checksum(&sp
.cksum
);
170 if (data
.length
!= size
)
171 krb5_abortx(context
, "internal asn.1 encoder error");
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
179 ret
= _kdc_tkt_add_if_relevant_ad(context
, tkt
,
180 KRB5_AUTHDATA_SIGNTICKET
, &data
);
181 krb5_data_free(&data
);
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context
,
188 krb5_kdc_configuration
*config
,
189 hdb_entry_ex
*krbtgt
,
192 krb5_principals
*delegated
,
197 krb5_crypto crypto
= NULL
;
202 ret
= find_KRB5SignedPath(context
, tkt
->authorization_data
, &data
);
204 KRB5SignedPathData spd
;
208 ret
= decode_KRB5SignedPath(data
.data
, data
.length
, &sp
, NULL
);
209 krb5_data_free(&data
);
214 spd
.authtime
= tkt
->authtime
;
215 spd
.delegated
= sp
.delegated
;
216 spd
.method_data
= sp
.method_data
;
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData
, data
.data
, data
.length
,
221 free_KRB5SignedPath(&sp
);
224 if (data
.length
!= size
)
225 krb5_abortx(context
, "internal asn.1 encoder error");
229 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, sp
.etype
, &key
);
231 ret
= krb5_crypto_init(context
, &key
->key
, 0, &crypto
);
234 free_KRB5SignedPath(&sp
);
238 ret
= krb5_verify_checksum(context
, crypto
, KRB5_KU_KRB5SIGNEDPATH
,
239 data
.data
, data
.length
,
241 krb5_crypto_destroy(context
, crypto
);
244 free_KRB5SignedPath(&sp
);
245 kdc_log(context
, config
, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
250 if (delegated
&& sp
.delegated
) {
252 *delegated
= malloc(sizeof(*sp
.delegated
));
253 if (*delegated
== NULL
) {
254 free_KRB5SignedPath(&sp
);
258 ret
= copy_Principals(*delegated
, sp
.delegated
);
260 free_KRB5SignedPath(&sp
);
266 free_KRB5SignedPath(&sp
);
278 static krb5_error_code
279 check_PAC(krb5_context context
,
280 krb5_kdc_configuration
*config
,
281 const krb5_principal client_principal
,
282 const krb5_principal delegated_proxy_principal
,
283 hdb_entry_ex
*client
,
284 hdb_entry_ex
*server
,
285 hdb_entry_ex
*krbtgt
,
286 const EncryptionKey
*server_check_key
,
287 const EncryptionKey
*krbtgt_check_key
,
288 const EncryptionKey
*server_sign_key
,
289 const EncryptionKey
*krbtgt_sign_key
,
294 AuthorizationData
*ad
= tkt
->authorization_data
;
298 if (ad
== NULL
|| ad
->len
== 0)
301 for (i
= 0; i
< ad
->len
; i
++) {
302 AuthorizationData child
;
304 if (ad
->val
[i
].ad_type
!= KRB5_AUTHDATA_IF_RELEVANT
)
307 ret
= decode_AuthorizationData(ad
->val
[i
].ad_data
.data
,
308 ad
->val
[i
].ad_data
.length
,
312 krb5_set_error_message(context
, ret
, "Failed to decode "
313 "IF_RELEVANT with %d", ret
);
316 for (j
= 0; j
< child
.len
; j
++) {
318 if (child
.val
[j
].ad_type
== KRB5_AUTHDATA_WIN2K_PAC
) {
323 ret
= krb5_pac_parse(context
,
324 child
.val
[j
].ad_data
.data
,
325 child
.val
[j
].ad_data
.length
,
327 free_AuthorizationData(&child
);
331 ret
= krb5_pac_verify(context
, pac
, tkt
->authtime
,
333 server_check_key
, krbtgt_check_key
);
335 krb5_pac_free(context
, pac
);
339 ret
= _kdc_pac_verify(context
, client_principal
,
340 delegated_proxy_principal
,
341 client
, server
, krbtgt
, &pac
, &signed_pac
);
343 krb5_pac_free(context
, pac
);
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
355 ret
= _krb5_pac_sign(context
, pac
, tkt
->authtime
,
357 server_sign_key
, krbtgt_sign_key
, rspac
);
359 krb5_pac_free(context
, pac
);
364 free_AuthorizationData(&child
);
373 static krb5_error_code
374 check_tgs_flags(krb5_context context
,
375 krb5_kdc_configuration
*config
,
376 KDC_REQ_BODY
*b
, const EncTicketPart
*tgt
, EncTicketPart
*et
)
378 KDCOptions f
= b
->kdc_options
;
381 if(!tgt
->flags
.invalid
|| tgt
->starttime
== NULL
){
382 kdc_log(context
, config
, 0,
383 "Bad request to validate ticket");
384 return KRB5KDC_ERR_BADOPTION
;
386 if(*tgt
->starttime
> kdc_time
){
387 kdc_log(context
, config
, 0,
388 "Early request to validate ticket");
389 return KRB5KRB_AP_ERR_TKT_NYV
;
392 et
->flags
.invalid
= 0;
393 }else if(tgt
->flags
.invalid
){
394 kdc_log(context
, config
, 0,
395 "Ticket-granting ticket has INVALID flag set");
396 return KRB5KRB_AP_ERR_TKT_INVALID
;
400 if(!tgt
->flags
.forwardable
){
401 kdc_log(context
, config
, 0,
402 "Bad request for forwardable ticket");
403 return KRB5KDC_ERR_BADOPTION
;
405 et
->flags
.forwardable
= 1;
408 if(!tgt
->flags
.forwardable
){
409 kdc_log(context
, config
, 0,
410 "Request to forward non-forwardable ticket");
411 return KRB5KDC_ERR_BADOPTION
;
413 et
->flags
.forwarded
= 1;
414 et
->caddr
= b
->addresses
;
416 if(tgt
->flags
.forwarded
)
417 et
->flags
.forwarded
= 1;
420 if(!tgt
->flags
.proxiable
){
421 kdc_log(context
, config
, 0,
422 "Bad request for proxiable ticket");
423 return KRB5KDC_ERR_BADOPTION
;
425 et
->flags
.proxiable
= 1;
428 if(!tgt
->flags
.proxiable
){
429 kdc_log(context
, config
, 0,
430 "Request to proxy non-proxiable ticket");
431 return KRB5KDC_ERR_BADOPTION
;
434 et
->caddr
= b
->addresses
;
439 if(f
.allow_postdate
){
440 if(!tgt
->flags
.may_postdate
){
441 kdc_log(context
, config
, 0,
442 "Bad request for post-datable ticket");
443 return KRB5KDC_ERR_BADOPTION
;
445 et
->flags
.may_postdate
= 1;
448 if(!tgt
->flags
.may_postdate
){
449 kdc_log(context
, config
, 0,
450 "Bad request for postdated ticket");
451 return KRB5KDC_ERR_BADOPTION
;
454 *et
->starttime
= *b
->from
;
455 et
->flags
.postdated
= 1;
456 et
->flags
.invalid
= 1;
457 }else if(b
->from
&& *b
->from
> kdc_time
+ context
->max_skew
){
458 kdc_log(context
, config
, 0, "Ticket cannot be postdated");
459 return KRB5KDC_ERR_CANNOT_POSTDATE
;
463 if(!tgt
->flags
.renewable
|| tgt
->renew_till
== NULL
){
464 kdc_log(context
, config
, 0,
465 "Bad request for renewable ticket");
466 return KRB5KDC_ERR_BADOPTION
;
468 et
->flags
.renewable
= 1;
469 ALLOC(et
->renew_till
);
470 _kdc_fix_time(&b
->rtime
);
471 *et
->renew_till
= *b
->rtime
;
475 if(!tgt
->flags
.renewable
|| tgt
->renew_till
== NULL
){
476 kdc_log(context
, config
, 0,
477 "Request to renew non-renewable ticket");
478 return KRB5KDC_ERR_BADOPTION
;
480 old_life
= tgt
->endtime
;
482 old_life
-= *tgt
->starttime
;
484 old_life
-= tgt
->authtime
;
485 et
->endtime
= *et
->starttime
+ old_life
;
486 if (et
->renew_till
!= NULL
)
487 et
->endtime
= min(*et
->renew_till
, et
->endtime
);
491 /* checks for excess flags */
492 if(f
.request_anonymous
&& !config
->allow_anonymous
){
493 kdc_log(context
, config
, 0,
494 "Request for anonymous ticket");
495 return KRB5KDC_ERR_BADOPTION
;
502 * Determine if constrained delegation is allowed from this client to this server
505 static krb5_error_code
506 check_constrained_delegation(krb5_context context
,
507 krb5_kdc_configuration
*config
,
509 hdb_entry_ex
*client
,
510 hdb_entry_ex
*server
,
511 krb5_const_principal target
)
513 const HDB_Ext_Constrained_delegation_acl
*acl
;
518 * constrained_delegation (S4U2Proxy) only works within
519 * the same realm. We use the already canonicalized version
520 * of the principals here, while "target" is the principal
521 * provided by the client.
523 if(!krb5_realm_compare(context
, client
->entry
.principal
, server
->entry
.principal
)) {
524 ret
= KRB5KDC_ERR_BADOPTION
;
525 kdc_log(context
, config
, 0,
526 "Bad request for constrained delegation");
530 if (clientdb
->hdb_check_constrained_delegation
) {
531 ret
= clientdb
->hdb_check_constrained_delegation(context
, clientdb
, client
, target
);
535 /* if client delegates to itself, that ok */
536 if (krb5_principal_compare(context
, client
->entry
.principal
, server
->entry
.principal
) == TRUE
)
539 ret
= hdb_entry_get_ConstrainedDelegACL(&client
->entry
, &acl
);
541 krb5_clear_error_message(context
);
546 for (i
= 0; i
< acl
->len
; i
++) {
547 if (krb5_principal_compare(context
, target
, &acl
->val
[i
]) == TRUE
)
551 ret
= KRB5KDC_ERR_BADOPTION
;
553 kdc_log(context
, config
, 0,
554 "Bad request for constrained delegation");
559 * Determine if s4u2self is allowed from this client to this server
561 * For example, regardless of the principal being impersonated, if the
562 * 'client' and 'server' are the same, then it's safe.
565 static krb5_error_code
566 check_s4u2self(krb5_context context
,
567 krb5_kdc_configuration
*config
,
569 hdb_entry_ex
*client
,
570 krb5_const_principal server
)
574 /* if client does a s4u2self to itself, that ok */
575 if (krb5_principal_compare(context
, client
->entry
.principal
, server
) == TRUE
)
578 if (clientdb
->hdb_check_s4u2self
) {
579 ret
= clientdb
->hdb_check_s4u2self(context
, clientdb
, client
, server
);
583 ret
= KRB5KDC_ERR_BADOPTION
;
592 static krb5_error_code
593 verify_flags (krb5_context context
,
594 krb5_kdc_configuration
*config
,
595 const EncTicketPart
*et
,
598 if(et
->endtime
< kdc_time
){
599 kdc_log(context
, config
, 0, "Ticket expired (%s)", pstr
);
600 return KRB5KRB_AP_ERR_TKT_EXPIRED
;
602 if(et
->flags
.invalid
){
603 kdc_log(context
, config
, 0, "Ticket not valid (%s)", pstr
);
604 return KRB5KRB_AP_ERR_TKT_NYV
;
613 static krb5_error_code
614 fix_transited_encoding(krb5_context context
,
615 krb5_kdc_configuration
*config
,
616 krb5_boolean check_policy
,
617 const TransitedEncoding
*tr
,
619 const char *client_realm
,
620 const char *server_realm
,
621 const char *tgt_realm
)
623 krb5_error_code ret
= 0;
624 char **realms
, **tmp
;
625 unsigned int num_realms
;
628 switch (tr
->tr_type
) {
629 case DOMAIN_X500_COMPRESS
:
633 * Allow empty content of type 0 because that is was Microsoft
634 * generates in their TGT.
636 if (tr
->contents
.length
== 0)
638 kdc_log(context
, config
, 0,
639 "Transited type 0 with non empty content");
640 return KRB5KDC_ERR_TRTYPE_NOSUPP
;
642 kdc_log(context
, config
, 0,
643 "Unknown transited type: %u", tr
->tr_type
);
644 return KRB5KDC_ERR_TRTYPE_NOSUPP
;
647 ret
= krb5_domain_x500_decode(context
,
654 krb5_warn(context
, ret
,
655 "Decoding transited encoding");
658 if(strcmp(client_realm
, tgt_realm
) && strcmp(server_realm
, tgt_realm
)) {
659 /* not us, so add the previous realm to transited set */
660 if (num_realms
+ 1 > UINT_MAX
/sizeof(*realms
)) {
664 tmp
= realloc(realms
, (num_realms
+ 1) * sizeof(*realms
));
670 realms
[num_realms
] = strdup(tgt_realm
);
671 if(realms
[num_realms
] == NULL
){
677 if(num_realms
== 0) {
678 if(strcmp(client_realm
, server_realm
))
679 kdc_log(context
, config
, 0,
680 "cross-realm %s -> %s", client_realm
, server_realm
);
684 for(i
= 0; i
< num_realms
; i
++)
685 l
+= strlen(realms
[i
]) + 2;
689 for(i
= 0; i
< num_realms
; i
++) {
691 strlcat(rs
, ", ", l
);
692 strlcat(rs
, realms
[i
], l
);
694 kdc_log(context
, config
, 0,
695 "cross-realm %s -> %s via [%s]",
696 client_realm
, server_realm
, rs
);
701 ret
= krb5_check_transited(context
, client_realm
,
703 realms
, num_realms
, NULL
);
705 krb5_warn(context
, ret
, "cross-realm %s -> %s",
706 client_realm
, server_realm
);
709 et
->flags
.transited_policy_checked
= 1;
711 et
->transited
.tr_type
= DOMAIN_X500_COMPRESS
;
712 ret
= krb5_domain_x500_encode(realms
, num_realms
, &et
->transited
.contents
);
714 krb5_warn(context
, ret
, "Encoding transited encoding");
716 for(i
= 0; i
< num_realms
; i
++)
723 static krb5_error_code
724 tgs_make_reply(krb5_context context
,
725 krb5_kdc_configuration
*config
,
727 krb5_const_principal tgt_name
,
728 const EncTicketPart
*tgt
,
729 const krb5_keyblock
*replykey
,
731 const EncryptionKey
*serverkey
,
732 const krb5_keyblock
*sessionkey
,
734 AuthorizationData
*auth_data
,
735 hdb_entry_ex
*server
,
736 krb5_principal server_principal
,
737 const char *server_name
,
738 hdb_entry_ex
*client
,
739 krb5_principal client_principal
,
740 hdb_entry_ex
*krbtgt
,
741 krb5_enctype krbtgt_etype
,
743 const krb5_data
*rspac
,
744 const METHOD_DATA
*enc_pa_data
,
751 KDCOptions f
= b
->kdc_options
;
755 memset(&rep
, 0, sizeof(rep
));
756 memset(&et
, 0, sizeof(et
));
757 memset(&ek
, 0, sizeof(ek
));
760 rep
.msg_type
= krb_tgs_rep
;
762 et
.authtime
= tgt
->authtime
;
763 _kdc_fix_time(&b
->till
);
764 et
.endtime
= min(tgt
->endtime
, *b
->till
);
766 *et
.starttime
= kdc_time
;
768 ret
= check_tgs_flags(context
, config
, b
, tgt
, &et
);
772 /* We should check the transited encoding if:
773 1) the request doesn't ask not to be checked
774 2) globally enforcing a check
775 3) principal requires checking
776 4) we allow non-check per-principal, but principal isn't marked as allowing this
777 5) we don't globally allow this
780 #define GLOBAL_FORCE_TRANSITED_CHECK \
781 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
782 #define GLOBAL_ALLOW_PER_PRINCIPAL \
783 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
784 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
785 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
787 /* these will consult the database in future release */
788 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
789 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
791 ret
= fix_transited_encoding(context
, config
,
792 !f
.disable_transited_check
||
793 GLOBAL_FORCE_TRANSITED_CHECK
||
794 PRINCIPAL_FORCE_TRANSITED_CHECK(server
) ||
795 !((GLOBAL_ALLOW_PER_PRINCIPAL
&&
796 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server
)) ||
797 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK
),
798 &tgt
->transited
, &et
,
799 krb5_principal_get_realm(context
, client_principal
),
800 krb5_principal_get_realm(context
, server
->entry
.principal
),
801 krb5_principal_get_realm(context
, krbtgt
->entry
.principal
));
805 copy_Realm(&server_principal
->realm
, &rep
.ticket
.realm
);
806 _krb5_principal2principalname(&rep
.ticket
.sname
, server_principal
);
807 copy_Realm(&tgt_name
->realm
, &rep
.crealm
);
809 if (f.request_anonymous)
810 _kdc_make_anonymous_principalname (&rep.cname);
813 copy_PrincipalName(&tgt_name
->name
, &rep
.cname
);
814 rep
.ticket
.tkt_vno
= 5;
818 et
.caddr
= tgt
->caddr
;
822 life
= et
.endtime
- *et
.starttime
;
823 if(client
&& client
->entry
.max_life
)
824 life
= min(life
, *client
->entry
.max_life
);
825 if(server
->entry
.max_life
)
826 life
= min(life
, *server
->entry
.max_life
);
827 et
.endtime
= *et
.starttime
+ life
;
829 if(f
.renewable_ok
&& tgt
->flags
.renewable
&&
830 et
.renew_till
== NULL
&& et
.endtime
< *b
->till
&&
831 tgt
->renew_till
!= NULL
)
833 et
.flags
.renewable
= 1;
834 ALLOC(et
.renew_till
);
835 *et
.renew_till
= *b
->till
;
839 renew
= *et
.renew_till
- et
.authtime
;
840 if(client
&& client
->entry
.max_renew
)
841 renew
= min(renew
, *client
->entry
.max_renew
);
842 if(server
->entry
.max_renew
)
843 renew
= min(renew
, *server
->entry
.max_renew
);
844 *et
.renew_till
= et
.authtime
+ renew
;
848 *et
.renew_till
= min(*et
.renew_till
, *tgt
->renew_till
);
849 *et
.starttime
= min(*et
.starttime
, *et
.renew_till
);
850 et
.endtime
= min(et
.endtime
, *et
.renew_till
);
853 *et
.starttime
= min(*et
.starttime
, et
.endtime
);
855 if(*et
.starttime
== et
.endtime
){
856 ret
= KRB5KDC_ERR_NEVER_VALID
;
859 if(et
.renew_till
&& et
.endtime
== *et
.renew_till
){
861 et
.renew_till
= NULL
;
862 et
.flags
.renewable
= 0;
865 et
.flags
.pre_authent
= tgt
->flags
.pre_authent
;
866 et
.flags
.hw_authent
= tgt
->flags
.hw_authent
;
867 et
.flags
.anonymous
= tgt
->flags
.anonymous
;
868 et
.flags
.ok_as_delegate
= server
->entry
.flags
.ok_as_delegate
;
872 * No not need to filter out the any PAC from the
873 * auth_data since it's signed by the KDC.
875 ret
= _kdc_tkt_add_if_relevant_ad(context
, &et
,
876 KRB5_AUTHDATA_WIN2K_PAC
, rspac
);
884 /* XXX check authdata */
886 if (et
.authorization_data
== NULL
) {
887 et
.authorization_data
= calloc(1, sizeof(*et
.authorization_data
));
888 if (et
.authorization_data
== NULL
) {
890 krb5_set_error_message(context
, ret
, "malloc: out of memory");
894 for(i
= 0; i
< auth_data
->len
; i
++) {
895 ret
= add_AuthorizationData(et
.authorization_data
, &auth_data
->val
[i
]);
897 krb5_set_error_message(context
, ret
, "malloc: out of memory");
902 /* Filter out type KRB5SignedPath */
903 ret
= find_KRB5SignedPath(context
, et
.authorization_data
, NULL
);
905 if (et
.authorization_data
->len
== 1) {
906 free_AuthorizationData(et
.authorization_data
);
907 free(et
.authorization_data
);
908 et
.authorization_data
= NULL
;
910 AuthorizationData
*ad
= et
.authorization_data
;
911 free_AuthorizationDataElement(&ad
->val
[ad
->len
- 1]);
917 ret
= krb5_copy_keyblock_contents(context
, sessionkey
, &et
.key
);
920 et
.crealm
= tgt_name
->realm
;
921 et
.cname
= tgt_name
->name
;
924 /* MIT must have at least one last_req */
926 ek
.last_req
.val
= calloc(1, sizeof(*ek
.last_req
.val
));
927 if (ek
.last_req
.val
== NULL
) {
933 ek
.authtime
= et
.authtime
;
934 ek
.starttime
= et
.starttime
;
935 ek
.endtime
= et
.endtime
;
936 ek
.renew_till
= et
.renew_till
;
937 ek
.srealm
= rep
.ticket
.realm
;
938 ek
.sname
= rep
.ticket
.sname
;
940 _kdc_log_timestamp(context
, config
, "TGS-REQ", et
.authtime
, et
.starttime
,
941 et
.endtime
, et
.renew_till
);
943 /* Don't sign cross realm tickets, they can't be checked anyway */
945 char *r
= get_krbtgt_realm(&ek
.sname
);
947 if (r
== NULL
|| strcmp(r
, ek
.srealm
) == 0) {
948 ret
= _kdc_add_KRB5SignedPath(context
,
961 if (enc_pa_data
->len
) {
962 rep
.padata
= calloc(1, sizeof(*rep
.padata
));
963 if (rep
.padata
== NULL
) {
967 ret
= copy_METHOD_DATA(enc_pa_data
, rep
.padata
);
972 if (krb5_enctype_valid(context
, et
.key
.keytype
) != 0
973 && _kdc_is_weak_exception(server
->entry
.principal
, et
.key
.keytype
))
975 krb5_enctype_enable(context
, et
.key
.keytype
);
980 /* It is somewhat unclear where the etype in the following
981 encryption should come from. What we have is a session
982 key in the passed tgt, and a list of preferred etypes
983 *for the new ticket*. Should we pick the best possible
984 etype, given the keytype in the tgt, or should we look
985 at the etype list here as well? What if the tgt
986 session key is DES3 and we want a ticket with a (say)
987 CAST session key. Should the DES3 etype be added to the
988 etype list, even if we don't want a session key with
990 ret
= _kdc_encode_reply(context
, config
,
991 &rep
, &et
, &ek
, et
.key
.keytype
,
993 serverkey
, 0, replykey
, rk_is_subkey
,
996 krb5_enctype_disable(context
, et
.key
.keytype
);
1000 free_TransitedEncoding(&et
.transited
);
1004 free(et
.renew_till
);
1005 if(et
.authorization_data
) {
1006 free_AuthorizationData(et
.authorization_data
);
1007 free(et
.authorization_data
);
1009 free_LastReq(&ek
.last_req
);
1010 memset(et
.key
.keyvalue
.data
, 0, et
.key
.keyvalue
.length
);
1011 free_EncryptionKey(&et
.key
);
1015 static krb5_error_code
1016 tgs_check_authenticator(krb5_context context
,
1017 krb5_kdc_configuration
*config
,
1018 krb5_auth_context ac
,
1020 const char **e_text
,
1023 krb5_authenticator auth
;
1027 krb5_error_code ret
;
1030 krb5_auth_con_getauthenticator(context
, ac
, &auth
);
1031 if(auth
->cksum
== NULL
){
1032 kdc_log(context
, config
, 0, "No authenticator in request");
1033 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
1037 * according to RFC1510 it doesn't need to be keyed,
1038 * but according to the latest draft it needs to.
1042 !krb5_checksum_is_keyed(context
, auth
->cksum
->cksumtype
)
1045 !krb5_checksum_is_collision_proof(context
, auth
->cksum
->cksumtype
)) {
1046 kdc_log(context
, config
, 0, "Bad checksum type in authenticator: %d",
1047 auth
->cksum
->cksumtype
);
1048 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
1052 /* XXX should not re-encode this */
1053 ASN1_MALLOC_ENCODE(KDC_REQ_BODY
, buf
, buf_size
, b
, &len
, ret
);
1055 const char *msg
= krb5_get_error_message(context
, ret
);
1056 kdc_log(context
, config
, 0, "Failed to encode KDC-REQ-BODY: %s", msg
);
1057 krb5_free_error_message(context
, msg
);
1060 if(buf_size
!= len
) {
1062 kdc_log(context
, config
, 0, "Internal error in ASN.1 encoder");
1063 *e_text
= "KDC internal error";
1064 ret
= KRB5KRB_ERR_GENERIC
;
1067 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
1069 const char *msg
= krb5_get_error_message(context
, ret
);
1071 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1072 krb5_free_error_message(context
, msg
);
1075 ret
= krb5_verify_checksum(context
,
1077 KRB5_KU_TGS_REQ_AUTH_CKSUM
,
1082 krb5_crypto_destroy(context
, crypto
);
1084 const char *msg
= krb5_get_error_message(context
, ret
);
1085 kdc_log(context
, config
, 0,
1086 "Failed to verify authenticator checksum: %s", msg
);
1087 krb5_free_error_message(context
, msg
);
1090 free_Authenticator(auth
);
1100 find_rpath(krb5_context context
, Realm crealm
, Realm srealm
)
1102 const char *new_realm
= krb5_config_get_string(context
,
1113 need_referral(krb5_context context
, krb5_kdc_configuration
*config
,
1114 const KDCOptions
* const options
, krb5_principal server
,
1115 krb5_realm
**realms
)
1119 if(!options
->canonicalize
&& server
->name
.name_type
!= KRB5_NT_SRV_INST
)
1122 if (server
->name
.name_string
.len
== 1)
1123 name
= server
->name
.name_string
.val
[0];
1124 else if (server
->name
.name_string
.len
> 1)
1125 name
= server
->name
.name_string
.val
[1];
1129 kdc_log(context
, config
, 0, "Searching referral for %s", name
);
1131 return _krb5_get_host_realm_int(context
, name
, FALSE
, realms
) == 0;
1134 static krb5_error_code
1135 tgs_parse_request(krb5_context context
,
1136 krb5_kdc_configuration
*config
,
1138 const PA_DATA
*tgs_req
,
1139 hdb_entry_ex
**krbtgt
,
1140 krb5_enctype
*krbtgt_etype
,
1141 krb5_ticket
**ticket
,
1142 const char **e_text
,
1144 const struct sockaddr
*from_addr
,
1147 AuthorizationData
**auth_data
,
1148 krb5_keyblock
**replykey
,
1151 static char failed
[] = "<unparse_name failed>";
1153 krb5_error_code ret
;
1154 krb5_principal princ
;
1155 krb5_auth_context ac
= NULL
;
1156 krb5_flags ap_req_options
;
1157 krb5_flags verify_ap_req_flags
;
1160 krb5_keyblock
*subkey
= NULL
;
1168 memset(&ap_req
, 0, sizeof(ap_req
));
1169 ret
= krb5_decode_ap_req(context
, &tgs_req
->padata_value
, &ap_req
);
1171 const char *msg
= krb5_get_error_message(context
, ret
);
1172 kdc_log(context
, config
, 0, "Failed to decode AP-REQ: %s", msg
);
1173 krb5_free_error_message(context
, msg
);
1177 if(!get_krbtgt_realm(&ap_req
.ticket
.sname
)){
1178 /* XXX check for ticket.sname == req.sname */
1179 kdc_log(context
, config
, 0, "PA-DATA is not a ticket-granting ticket");
1180 ret
= KRB5KDC_ERR_POLICY
; /* ? */
1184 _krb5_principalname2krb5_principal(context
,
1186 ap_req
.ticket
.sname
,
1187 ap_req
.ticket
.realm
);
1189 ret
= _kdc_db_fetch(context
, config
, princ
, HDB_F_GET_KRBTGT
, ap_req
.ticket
.enc_part
.kvno
, NULL
, krbtgt
);
1191 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1193 ret
= krb5_unparse_name(context
, princ
, &p
);
1196 krb5_free_principal(context
, princ
);
1197 kdc_log(context
, config
, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p
);
1200 ret
= HDB_ERR_NOT_FOUND_HERE
;
1203 const char *msg
= krb5_get_error_message(context
, ret
);
1205 ret
= krb5_unparse_name(context
, princ
, &p
);
1208 krb5_free_principal(context
, princ
);
1209 kdc_log(context
, config
, 0,
1210 "Ticket-granting ticket not found in database: %s", msg
);
1211 krb5_free_error_message(context
, msg
);
1214 ret
= KRB5KRB_AP_ERR_NOT_US
;
1218 if(ap_req
.ticket
.enc_part
.kvno
&&
1219 *ap_req
.ticket
.enc_part
.kvno
!= (*krbtgt
)->entry
.kvno
){
1222 ret
= krb5_unparse_name (context
, princ
, &p
);
1223 krb5_free_principal(context
, princ
);
1226 kdc_log(context
, config
, 0,
1227 "Ticket kvno = %d, DB kvno = %d (%s)",
1228 *ap_req
.ticket
.enc_part
.kvno
,
1229 (*krbtgt
)->entry
.kvno
,
1233 ret
= KRB5KRB_AP_ERR_BADKEYVER
;
1237 *krbtgt_etype
= ap_req
.ticket
.enc_part
.etype
;
1239 ret
= hdb_enctype2key(context
, &(*krbtgt
)->entry
,
1240 ap_req
.ticket
.enc_part
.etype
, &tkey
);
1242 char *str
= NULL
, *p
= NULL
;
1244 krb5_enctype_to_string(context
, ap_req
.ticket
.enc_part
.etype
, &str
);
1245 krb5_unparse_name(context
, princ
, &p
);
1246 kdc_log(context
, config
, 0,
1247 "No server key with enctype %s found for %s",
1248 str
? str
: "<unknown enctype>",
1249 p
? p
: "<unparse_name failed>");
1252 ret
= KRB5KRB_AP_ERR_BADKEYVER
;
1256 if (b
->kdc_options
.validate
)
1257 verify_ap_req_flags
= KRB5_VERIFY_AP_REQ_IGNORE_INVALID
;
1259 verify_ap_req_flags
= 0;
1261 ret
= krb5_verify_ap_req2(context
,
1266 verify_ap_req_flags
,
1269 KRB5_KU_TGS_REQ_AUTH
);
1271 krb5_free_principal(context
, princ
);
1273 const char *msg
= krb5_get_error_message(context
, ret
);
1274 kdc_log(context
, config
, 0, "Failed to verify AP-REQ: %s", msg
);
1275 krb5_free_error_message(context
, msg
);
1280 krb5_authenticator auth
;
1282 ret
= krb5_auth_con_getauthenticator(context
, ac
, &auth
);
1284 *csec
= malloc(sizeof(**csec
));
1285 if (*csec
== NULL
) {
1286 krb5_free_authenticator(context
, &auth
);
1287 kdc_log(context
, config
, 0, "malloc failed");
1290 **csec
= auth
->ctime
;
1291 *cusec
= malloc(sizeof(**cusec
));
1292 if (*cusec
== NULL
) {
1293 krb5_free_authenticator(context
, &auth
);
1294 kdc_log(context
, config
, 0, "malloc failed");
1297 **cusec
= auth
->cusec
;
1298 krb5_free_authenticator(context
, &auth
);
1302 ret
= tgs_check_authenticator(context
, config
,
1303 ac
, b
, e_text
, &(*ticket
)->ticket
.key
);
1305 krb5_auth_con_free(context
, ac
);
1309 usage
= KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY
;
1312 ret
= krb5_auth_con_getremotesubkey(context
, ac
, &subkey
);
1314 const char *msg
= krb5_get_error_message(context
, ret
);
1315 krb5_auth_con_free(context
, ac
);
1316 kdc_log(context
, config
, 0, "Failed to get remote subkey: %s", msg
);
1317 krb5_free_error_message(context
, msg
);
1321 usage
= KRB5_KU_TGS_REQ_AUTH_DAT_SESSION
;
1324 ret
= krb5_auth_con_getkey(context
, ac
, &subkey
);
1326 const char *msg
= krb5_get_error_message(context
, ret
);
1327 krb5_auth_con_free(context
, ac
);
1328 kdc_log(context
, config
, 0, "Failed to get session key: %s", msg
);
1329 krb5_free_error_message(context
, msg
);
1334 krb5_auth_con_free(context
, ac
);
1335 kdc_log(context
, config
, 0,
1336 "Failed to get key for enc-authorization-data");
1337 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1343 if (b
->enc_authorization_data
) {
1346 ret
= krb5_crypto_init(context
, subkey
, 0, &crypto
);
1348 const char *msg
= krb5_get_error_message(context
, ret
);
1349 krb5_auth_con_free(context
, ac
);
1350 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1351 krb5_free_error_message(context
, msg
);
1354 ret
= krb5_decrypt_EncryptedData (context
,
1357 b
->enc_authorization_data
,
1359 krb5_crypto_destroy(context
, crypto
);
1361 krb5_auth_con_free(context
, ac
);
1362 kdc_log(context
, config
, 0,
1363 "Failed to decrypt enc-authorization-data");
1364 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1368 if (*auth_data
== NULL
) {
1369 krb5_auth_con_free(context
, ac
);
1370 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1373 ret
= decode_AuthorizationData(ad
.data
, ad
.length
, *auth_data
, NULL
);
1375 krb5_auth_con_free(context
, ac
);
1378 kdc_log(context
, config
, 0, "Failed to decode authorization data");
1379 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1384 krb5_auth_con_free(context
, ac
);
1387 free_AP_REQ(&ap_req
);
1392 static krb5_error_code
1393 build_server_referral(krb5_context context
,
1394 krb5_kdc_configuration
*config
,
1395 krb5_crypto session
,
1396 krb5_const_realm referred_realm
,
1397 const PrincipalName
*true_principal_name
,
1398 const PrincipalName
*requested_principal
,
1401 PA_ServerReferralData ref
;
1402 krb5_error_code ret
;
1407 memset(&ref
, 0, sizeof(ref
));
1409 if (referred_realm
) {
1410 ALLOC(ref
.referred_realm
);
1411 if (ref
.referred_realm
== NULL
)
1413 *ref
.referred_realm
= strdup(referred_realm
);
1414 if (*ref
.referred_realm
== NULL
)
1417 if (true_principal_name
) {
1418 ALLOC(ref
.true_principal_name
);
1419 if (ref
.true_principal_name
== NULL
)
1421 ret
= copy_PrincipalName(true_principal_name
, ref
.true_principal_name
);
1425 if (requested_principal
) {
1426 ALLOC(ref
.requested_principal_name
);
1427 if (ref
.requested_principal_name
== NULL
)
1429 ret
= copy_PrincipalName(requested_principal
,
1430 ref
.requested_principal_name
);
1435 ASN1_MALLOC_ENCODE(PA_ServerReferralData
,
1436 data
.data
, data
.length
,
1438 free_PA_ServerReferralData(&ref
);
1441 if (data
.length
!= size
)
1442 krb5_abortx(context
, "internal asn.1 encoder error");
1444 ret
= krb5_encrypt_EncryptedData(context
, session
,
1445 KRB5_KU_PA_SERVER_REFERRAL
,
1446 data
.data
, data
.length
,
1452 ASN1_MALLOC_ENCODE(EncryptedData
,
1453 outdata
->data
, outdata
->length
,
1455 free_EncryptedData(&ed
);
1458 if (outdata
->length
!= size
)
1459 krb5_abortx(context
, "internal asn.1 encoder error");
1463 free_PA_ServerReferralData(&ref
);
1464 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1468 static krb5_error_code
1469 tgs_build_reply(krb5_context context
,
1470 krb5_kdc_configuration
*config
,
1473 hdb_entry_ex
*krbtgt
,
1474 krb5_enctype krbtgt_etype
,
1475 const krb5_keyblock
*replykey
,
1477 krb5_ticket
*ticket
,
1480 const char **e_text
,
1481 AuthorizationData
**auth_data
,
1482 const struct sockaddr
*from_addr
)
1484 krb5_error_code ret
;
1485 krb5_principal cp
= NULL
, sp
= NULL
, tp
= NULL
, dp
= NULL
;
1486 krb5_principal krbtgt_principal
= NULL
;
1487 char *spn
= NULL
, *cpn
= NULL
, *tpn
= NULL
, *dpn
= NULL
;
1488 hdb_entry_ex
*server
= NULL
, *client
= NULL
, *s4u2self_impersonated_client
= NULL
;
1489 HDB
*clientdb
, *s4u2self_impersonated_clientdb
;
1490 krb5_realm ref_realm
= NULL
;
1491 EncTicketPart
*tgt
= &ticket
->ticket
;
1492 krb5_principals spp
= NULL
;
1493 const EncryptionKey
*ekey
;
1494 krb5_keyblock sessionkey
;
1498 hdb_entry_ex
*krbtgt_out
= NULL
;
1500 METHOD_DATA enc_pa_data
;
1505 EncTicketPart adtkt
;
1511 Key
*tkey_krbtgt_check
= NULL
;
1512 int flags
= HDB_F_FOR_TGS_REQ
;
1514 memset(&sessionkey
, 0, sizeof(sessionkey
));
1515 memset(&adtkt
, 0, sizeof(adtkt
));
1516 krb5_data_zero(&rspac
);
1517 memset(&enc_pa_data
, 0, sizeof(enc_pa_data
));
1522 if (b
->kdc_options
.canonicalize
)
1523 flags
|= HDB_F_CANON
;
1525 if(b
->kdc_options
.enc_tkt_in_skey
){
1531 if(b
->additional_tickets
== NULL
||
1532 b
->additional_tickets
->len
== 0){
1533 ret
= KRB5KDC_ERR_BADOPTION
; /* ? */
1534 kdc_log(context
, config
, 0,
1535 "No second ticket present in request");
1538 t
= &b
->additional_tickets
->val
[0];
1539 if(!get_krbtgt_realm(&t
->sname
)){
1540 kdc_log(context
, config
, 0,
1541 "Additional ticket is not a ticket-granting ticket");
1542 ret
= KRB5KDC_ERR_POLICY
;
1545 _krb5_principalname2krb5_principal(context
, &p
, t
->sname
, t
->realm
);
1546 ret
= _kdc_db_fetch(context
, config
, p
,
1547 HDB_F_GET_KRBTGT
, t
->enc_part
.kvno
,
1549 krb5_free_principal(context
, p
);
1551 if (ret
== HDB_ERR_NOENTRY
)
1552 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1555 ret
= hdb_enctype2key(context
, &uu
->entry
,
1556 t
->enc_part
.etype
, &uukey
);
1558 _kdc_free_ent(context
, uu
);
1559 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
1562 ret
= krb5_decrypt_ticket(context
, t
, &uukey
->key
, &adtkt
, 0);
1563 _kdc_free_ent(context
, uu
);
1567 ret
= verify_flags(context
, config
, &adtkt
, spn
);
1575 _krb5_principalname2krb5_principal(context
, &sp
, *s
, r
);
1576 ret
= krb5_unparse_name(context
, sp
, &spn
);
1579 _krb5_principalname2krb5_principal(context
, &cp
, tgt
->cname
, tgt
->crealm
);
1580 ret
= krb5_unparse_name(context
, cp
, &cpn
);
1583 unparse_flags (KDCOptions2int(b
->kdc_options
),
1584 asn1_KDCOptions_units(),
1585 opt_str
, sizeof(opt_str
));
1587 kdc_log(context
, config
, 0,
1588 "TGS-REQ %s from %s for %s [%s]",
1589 cpn
, from
, spn
, opt_str
);
1591 kdc_log(context
, config
, 0,
1592 "TGS-REQ %s from %s for %s", cpn
, from
, spn
);
1599 ret
= _kdc_db_fetch(context
, config
, sp
, HDB_F_GET_SERVER
| flags
,
1600 NULL
, NULL
, &server
);
1602 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1603 kdc_log(context
, config
, 5, "target %s does not have secrets at this KDC, need to proxy", sp
);
1606 const char *new_rlm
, *msg
;
1610 if ((req_rlm
= get_krbtgt_realm(&sp
->name
)) != NULL
) {
1612 new_rlm
= find_rpath(context
, tgt
->crealm
, req_rlm
);
1614 kdc_log(context
, config
, 5, "krbtgt for realm %s "
1615 "not found, trying %s",
1617 krb5_free_principal(context
, sp
);
1619 krb5_make_principal(context
, &sp
, r
,
1620 KRB5_TGS_NAME
, new_rlm
, NULL
);
1621 ret
= krb5_unparse_name(context
, sp
, &spn
);
1627 ref_realm
= strdup(new_rlm
);
1631 } else if(need_referral(context
, config
, &b
->kdc_options
, sp
, &realms
)) {
1632 if (strcmp(realms
[0], sp
->realm
) != 0) {
1633 kdc_log(context
, config
, 5,
1634 "Returning a referral to realm %s for "
1635 "server %s that was not found",
1637 krb5_free_principal(context
, sp
);
1639 krb5_make_principal(context
, &sp
, r
, KRB5_TGS_NAME
,
1641 ret
= krb5_unparse_name(context
, sp
, &spn
);
1647 ref_realm
= strdup(realms
[0]);
1649 krb5_free_host_realm(context
, realms
);
1652 krb5_free_host_realm(context
, realms
);
1654 msg
= krb5_get_error_message(context
, ret
);
1655 kdc_log(context
, config
, 0,
1656 "Server not found in database: %s: %s", spn
, msg
);
1657 krb5_free_error_message(context
, msg
);
1658 if (ret
== HDB_ERR_NOENTRY
)
1659 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1664 * Select enctype, return key and kvno.
1670 if(b
->kdc_options
.enc_tkt_in_skey
) {
1673 for(i
= 0; i
< b
->etype
.len
; i
++)
1674 if (b
->etype
.val
[i
] == adtkt
.key
.keytype
)
1676 if(i
== b
->etype
.len
) {
1677 kdc_log(context
, config
, 0,
1678 "Addition ticket have not matching etypes");
1679 krb5_clear_error_message(context
);
1680 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
;
1683 etype
= b
->etype
.val
[i
];
1688 ret
= _kdc_find_etype(context
,
1689 config
->tgs_use_strongest_session_key
, FALSE
,
1690 server
, b
->etype
.val
, b
->etype
.len
, NULL
,
1693 kdc_log(context
, config
, 0,
1694 "Server (%s) has no support for etypes", spn
);
1698 etype
= skey
->key
.keytype
;
1699 kvno
= server
->entry
.kvno
;
1702 ret
= krb5_generate_random_keyblock(context
, etype
, &sessionkey
);
1708 * Check that service is in the same realm as the krbtgt. If it's
1709 * not the same, it's someone that is using a uni-directional trust
1714 * Validate authoriation data
1717 ret
= hdb_enctype2key(context
, &krbtgt
->entry
,
1718 krbtgt_etype
, &tkey_check
);
1720 kdc_log(context
, config
, 0,
1721 "Failed to find key for krbtgt PAC check");
1725 /* Now refetch the primary krbtgt, and get the current kvno (the
1726 * sign check may have been on an old kvno, and the server may
1727 * have been an incoming trust) */
1728 ret
= krb5_make_principal(context
, &krbtgt_principal
,
1729 krb5_principal_get_comp_string(context
,
1730 krbtgt
->entry
.principal
,
1733 krb5_principal_get_comp_string(context
,
1734 krbtgt
->entry
.principal
,
1737 kdc_log(context
, config
, 0,
1738 "Failed to generate krbtgt principal");
1742 ret
= _kdc_db_fetch(context
, config
, krbtgt_principal
, HDB_F_GET_KRBTGT
, NULL
, NULL
, &krbtgt_out
);
1743 krb5_free_principal(context
, krbtgt_principal
);
1745 krb5_error_code ret2
;
1747 ret
= krb5_unparse_name(context
, krbtgt
->entry
.principal
, &ktpn
);
1748 ret2
= krb5_unparse_name(context
, krbtgt_principal
, &ktpn2
);
1749 kdc_log(context
, config
, 0,
1750 "Request with wrong krbtgt: %s, %s not found in our database",
1751 (ret
== 0) ? ktpn
: "<unknown>", (ret2
== 0) ? ktpn2
: "<unknown>");
1756 ret
= KRB5KRB_AP_ERR_NOT_US
;
1760 /* The first realm is the realm of the service, the second is
1761 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1762 * encrypted to. The redirection via the krbtgt_out entry allows
1763 * the DB to possibly correct the case of the realm (Samba4 does
1764 * this) before the strcmp() */
1765 if (strcmp(krb5_principal_get_realm(context
, server
->entry
.principal
),
1766 krb5_principal_get_realm(context
, krbtgt_out
->entry
.principal
)) != 0) {
1768 ret
= krb5_unparse_name(context
, krbtgt_out
->entry
.principal
, &ktpn
);
1769 kdc_log(context
, config
, 0,
1770 "Request with wrong krbtgt: %s",
1771 (ret
== 0) ? ktpn
: "<unknown>");
1774 ret
= KRB5KRB_AP_ERR_NOT_US
;
1777 ret
= hdb_enctype2key(context
, &krbtgt_out
->entry
,
1778 krbtgt_etype
, &tkey_sign
);
1780 kdc_log(context
, config
, 0,
1781 "Failed to find key for krbtgt PAC signature");
1785 /* Check if we would know the krbtgt key for the PAC. We would
1786 * only know this if the krbtgt principal was the same (ie, in our
1787 * realm, regardless of KVNO) */
1788 if (krb5_principal_compare(context
, krbtgt_out
->entry
.principal
, krbtgt
->entry
.principal
)) {
1789 tkey_krbtgt_check
= tkey_check
;
1792 ret
= _kdc_db_fetch(context
, config
, cp
, HDB_F_GET_CLIENT
| flags
,
1793 NULL
, &clientdb
, &client
);
1794 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1795 /* This is OK, we are just trying to find out if they have
1796 * been disabled or deleted in the meantime, missing secrets
1799 const char *krbtgt_realm
, *msg
;
1802 * If the client belongs to the same realm as our krbtgt, it
1803 * should exist in the local database.
1807 krbtgt_realm
= krb5_principal_get_realm(context
, krbtgt_out
->entry
.principal
);
1809 if(strcmp(krb5_principal_get_realm(context
, cp
), krbtgt_realm
) == 0) {
1810 if (ret
== HDB_ERR_NOENTRY
)
1811 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
1812 kdc_log(context
, config
, 1, "Client no longer in database: %s",
1817 msg
= krb5_get_error_message(context
, ret
);
1818 kdc_log(context
, config
, 1, "Client not found in database: %s", msg
);
1819 krb5_free_error_message(context
, msg
);
1822 ret
= check_PAC(context
, config
, cp
, NULL
,
1823 client
, server
, krbtgt
,
1825 tkey_krbtgt_check
? &tkey_krbtgt_check
->key
: NULL
,
1826 ekey
, &tkey_sign
->key
,
1827 tgt
, &rspac
, &signedpath
);
1829 const char *msg
= krb5_get_error_message(context
, ret
);
1830 kdc_log(context
, config
, 0,
1831 "Verify PAC failed for %s (%s) from %s with %s",
1832 spn
, cpn
, from
, msg
);
1833 krb5_free_error_message(context
, msg
);
1837 /* also check the krbtgt for signature */
1838 ret
= check_KRB5SignedPath(context
,
1846 const char *msg
= krb5_get_error_message(context
, ret
);
1847 kdc_log(context
, config
, 0,
1848 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1849 spn
, cpn
, from
, msg
);
1850 krb5_free_error_message(context
, msg
);
1858 /* by default the tgt principal matches the client principal */
1863 const PA_DATA
*sdata
;
1866 sdata
= _kdc_find_padata(req
, &i
, KRB5_PADATA_FOR_USER
);
1873 ret
= decode_PA_S4U2Self(sdata
->padata_value
.data
,
1874 sdata
->padata_value
.length
,
1877 kdc_log(context
, config
, 0, "Failed to decode PA-S4U2Self");
1881 ret
= _krb5_s4u2self_to_checksumdata(context
, &self
, &datack
);
1885 ret
= krb5_crypto_init(context
, &tgt
->key
, 0, &crypto
);
1887 const char *msg
= krb5_get_error_message(context
, ret
);
1888 free_PA_S4U2Self(&self
);
1889 krb5_data_free(&datack
);
1890 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1891 krb5_free_error_message(context
, msg
);
1895 ret
= krb5_verify_checksum(context
,
1897 KRB5_KU_OTHER_CKSUM
,
1901 krb5_data_free(&datack
);
1902 krb5_crypto_destroy(context
, crypto
);
1904 const char *msg
= krb5_get_error_message(context
, ret
);
1905 free_PA_S4U2Self(&self
);
1906 kdc_log(context
, config
, 0,
1907 "krb5_verify_checksum failed for S4U2Self: %s", msg
);
1908 krb5_free_error_message(context
, msg
);
1912 ret
= _krb5_principalname2krb5_principal(context
,
1916 free_PA_S4U2Self(&self
);
1920 ret
= krb5_unparse_name(context
, tp
, &tpn
);
1924 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1927 krb5_data_free(&rspac
);
1928 ret
= _kdc_db_fetch(context
, config
, tp
, HDB_F_GET_CLIENT
| flags
,
1929 NULL
, &s4u2self_impersonated_clientdb
, &s4u2self_impersonated_client
);
1934 * If the client belongs to the same realm as our krbtgt, it
1935 * should exist in the local database.
1939 if (ret
== HDB_ERR_NOENTRY
)
1940 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
1941 msg
= krb5_get_error_message(context
, ret
);
1942 kdc_log(context
, config
, 1,
1943 "S2U4Self principal to impersonate %s not found in database: %s",
1945 krb5_free_error_message(context
, msg
);
1948 ret
= _kdc_pac_generate(context
, s4u2self_impersonated_client
, &p
);
1950 kdc_log(context
, config
, 0, "PAC generation failed for -- %s",
1955 ret
= _krb5_pac_sign(context
, p
, ticket
->ticket
.authtime
,
1956 s4u2self_impersonated_client
->entry
.principal
,
1957 ekey
, &tkey_sign
->key
,
1959 krb5_pac_free(context
, p
);
1961 kdc_log(context
, config
, 0, "PAC signing failed for -- %s",
1969 * Check that service doing the impersonating is
1970 * requesting a ticket to it-self.
1972 ret
= check_s4u2self(context
, config
, clientdb
, client
, sp
);
1974 kdc_log(context
, config
, 0, "S4U2Self: %s is not allowed "
1975 "to impersonate to service "
1976 "(tried for user %s to service %s)",
1982 * If the service isn't trusted for authentication to
1983 * delegation, remove the forward flag.
1986 if (client
->entry
.flags
.trusted_for_delegation
) {
1987 str
= "[forwardable]";
1989 b
->kdc_options
.forwardable
= 0;
1992 kdc_log(context
, config
, 0, "s4u2self %s impersonating %s to "
1993 "service %s %s", cpn
, tpn
, spn
, str
);
1998 * Constrained delegation
2002 && b
->additional_tickets
!= NULL
2003 && b
->additional_tickets
->len
!= 0
2004 && b
->kdc_options
.enc_tkt_in_skey
== 0)
2006 int ad_signedpath
= 0;
2011 * Require that the KDC have issued the service's krbtgt (not
2012 * self-issued ticket with kimpersonate(1).
2015 ret
= KRB5KDC_ERR_BADOPTION
;
2016 kdc_log(context
, config
, 0,
2017 "Constrained delegation done on service ticket %s/%s",
2022 t
= &b
->additional_tickets
->val
[0];
2024 ret
= hdb_enctype2key(context
, &client
->entry
,
2025 t
->enc_part
.etype
, &clientkey
);
2027 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
2031 ret
= krb5_decrypt_ticket(context
, t
, &clientkey
->key
, &adtkt
, 0);
2033 kdc_log(context
, config
, 0,
2034 "failed to decrypt ticket for "
2035 "constrained delegation from %s to %s ", cpn
, spn
);
2039 ret
= _krb5_principalname2krb5_principal(context
,
2046 ret
= krb5_unparse_name(context
, tp
, &tpn
);
2050 ret
= _krb5_principalname2krb5_principal(context
,
2057 ret
= krb5_unparse_name(context
, dp
, &dpn
);
2061 /* check that ticket is valid */
2062 if (adtkt
.flags
.forwardable
== 0) {
2063 kdc_log(context
, config
, 0,
2064 "Missing forwardable flag on ticket for "
2065 "constrained delegation from %s (%s) as %s to %s ",
2066 cpn
, dpn
, tpn
, spn
);
2067 ret
= KRB5KDC_ERR_BADOPTION
;
2071 ret
= check_constrained_delegation(context
, config
, clientdb
,
2072 client
, server
, sp
);
2074 kdc_log(context
, config
, 0,
2075 "constrained delegation from %s (%s) as %s to %s not allowed",
2076 cpn
, dpn
, tpn
, spn
);
2080 ret
= verify_flags(context
, config
, &adtkt
, tpn
);
2085 krb5_data_free(&rspac
);
2088 * generate the PAC for the user.
2090 * TODO: pass in t->sname and t->realm and build
2091 * a S4U_DELEGATION_INFO blob to the PAC.
2093 ret
= check_PAC(context
, config
, tp
, dp
,
2094 client
, server
, krbtgt
,
2095 &clientkey
->key
, &tkey_check
->key
,
2096 ekey
, &tkey_sign
->key
,
2097 &adtkt
, &rspac
, &ad_signedpath
);
2099 const char *msg
= krb5_get_error_message(context
, ret
);
2100 kdc_log(context
, config
, 0,
2101 "Verify delegated PAC failed to %s for client"
2102 "%s (%s) as %s from %s with %s",
2103 spn
, cpn
, dpn
, tpn
, from
, msg
);
2104 krb5_free_error_message(context
, msg
);
2109 * Check that the KDC issued the user's ticket.
2111 ret
= check_KRB5SignedPath(context
,
2119 const char *msg
= krb5_get_error_message(context
, ret
);
2120 kdc_log(context
, config
, 0,
2121 "KRB5SignedPath check from service %s failed "
2122 "for delegation to %s for client %s (%s)"
2123 "from %s failed with %s",
2124 spn
, tpn
, dpn
, cpn
, from
, msg
);
2125 krb5_free_error_message(context
, msg
);
2129 if (!ad_signedpath
) {
2130 ret
= KRB5KDC_ERR_BADOPTION
;
2131 kdc_log(context
, config
, 0,
2132 "Ticket not signed with PAC nor SignedPath service %s failed "
2133 "for delegation to %s for client %s (%s)"
2135 spn
, tpn
, dpn
, cpn
, from
);
2139 kdc_log(context
, config
, 0, "constrained delegation for %s "
2140 "from %s (%s) to %s", tpn
, cpn
, dpn
, spn
);
2147 ret
= kdc_check_flags(context
, config
,
2154 if((b
->kdc_options
.validate
|| b
->kdc_options
.renew
) &&
2155 !krb5_principal_compare(context
,
2156 krbtgt
->entry
.principal
,
2157 server
->entry
.principal
)){
2158 kdc_log(context
, config
, 0, "Inconsistent request.");
2159 ret
= KRB5KDC_ERR_SERVER_NOMATCH
;
2163 /* check for valid set of addresses */
2164 if(!_kdc_check_addresses(context
, config
, tgt
->caddr
, from_addr
)) {
2165 ret
= KRB5KRB_AP_ERR_BADADDR
;
2166 kdc_log(context
, config
, 0, "Request from wrong address");
2171 * If this is an referral, add server referral data to the
2178 kdc_log(context
, config
, 0,
2179 "Adding server referral to %s", ref_realm
);
2181 ret
= krb5_crypto_init(context
, &sessionkey
, 0, &crypto
);
2185 ret
= build_server_referral(context
, config
, crypto
, ref_realm
,
2186 NULL
, s
, &pa
.padata_value
);
2187 krb5_crypto_destroy(context
, crypto
);
2189 kdc_log(context
, config
, 0,
2190 "Failed building server referral");
2193 pa
.padata_type
= KRB5_PADATA_SERVER_REFERRAL
;
2195 ret
= add_METHOD_DATA(&enc_pa_data
, &pa
);
2196 krb5_data_free(&pa
.padata_value
);
2198 kdc_log(context
, config
, 0,
2199 "Add server referral METHOD-DATA failed");
2208 ret
= tgs_make_reply(context
,
2220 server
->entry
.principal
,
2240 krb5_data_free(&rspac
);
2241 krb5_free_keyblock_contents(context
, &sessionkey
);
2243 _kdc_free_ent(context
, krbtgt_out
);
2245 _kdc_free_ent(context
, server
);
2247 _kdc_free_ent(context
, client
);
2248 if(s4u2self_impersonated_client
)
2249 _kdc_free_ent(context
, s4u2self_impersonated_client
);
2252 krb5_free_principal(context
, tp
);
2254 krb5_free_principal(context
, cp
);
2256 krb5_free_principal(context
, dp
);
2258 krb5_free_principal(context
, sp
);
2261 free_METHOD_DATA(&enc_pa_data
);
2263 free_EncTicketPart(&adtkt
);
2273 _kdc_tgs_rep(krb5_context context
,
2274 krb5_kdc_configuration
*config
,
2278 struct sockaddr
*from_addr
,
2281 AuthorizationData
*auth_data
= NULL
;
2282 krb5_error_code ret
;
2284 const PA_DATA
*tgs_req
;
2286 hdb_entry_ex
*krbtgt
= NULL
;
2287 krb5_ticket
*ticket
= NULL
;
2288 const char *e_text
= NULL
;
2289 krb5_enctype krbtgt_etype
= ETYPE_NULL
;
2291 krb5_keyblock
*replykey
= NULL
;
2292 int rk_is_subkey
= 0;
2293 time_t *csec
= NULL
;
2296 if(req
->padata
== NULL
){
2297 ret
= KRB5KDC_ERR_PREAUTH_REQUIRED
; /* XXX ??? */
2298 kdc_log(context
, config
, 0,
2299 "TGS-REQ from %s without PA-DATA", from
);
2303 tgs_req
= _kdc_find_padata(req
, &i
, KRB5_PADATA_TGS_REQ
);
2305 if(tgs_req
== NULL
){
2306 ret
= KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
2308 kdc_log(context
, config
, 0,
2309 "TGS-REQ from %s without PA-TGS-REQ", from
);
2312 ret
= tgs_parse_request(context
, config
,
2313 &req
->req_body
, tgs_req
,
2323 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
2324 /* kdc_log() is called in tgs_parse_request() */
2328 kdc_log(context
, config
, 0,
2329 "Failed parsing TGS-REQ from %s", from
);
2333 ret
= tgs_build_reply(context
,
2348 kdc_log(context
, config
, 0,
2349 "Failed building TGS-REP to %s", from
);
2354 if (datagram_reply
&& data
->length
> config
->max_datagram_reply_length
) {
2355 krb5_data_free(data
);
2356 ret
= KRB5KRB_ERR_RESPONSE_TOO_BIG
;
2357 e_text
= "Reply packet too large";
2362 krb5_free_keyblock(context
, replykey
);
2363 if(ret
&& ret
!= HDB_ERR_NOT_FOUND_HERE
&& data
->data
== NULL
){
2364 krb5_mk_error(context
,
2378 krb5_free_ticket(context
, ticket
);
2380 _kdc_free_ent(context
, krbtgt
);
2383 free_AuthorizationData(auth_data
);