search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Improve configure.in so it can be used outside the Samba source tree.
[Samba/gebeck_regimport.git] / source4 / heimdal / kdc / krb5tgs.c
blob96ee9ccc30aa1b6f078381dd364293e5ec35bbdd
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size = 0;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size = 0;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
230 if (ret == 0)
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
232 if (ret) {
233 free(data.data);
234 free_KRB5SignedPath(&sp);
235 return ret;
236 }
237 }
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
240 &sp.cksum);
241 krb5_crypto_destroy(context, crypto);
242 free(data.data);
243 if (ret) {
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
247 return 0;
248 }
249
250 if (delegated && sp.delegated) {
251
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
255 return ENOMEM;
256 }
257
258 ret = copy_Principals(*delegated, sp.delegated);
259 if (ret) {
260 free_KRB5SignedPath(&sp);
261 free(*delegated);
262 *delegated = NULL;
263 return ret;
264 }
265 }
266 free_KRB5SignedPath(&sp);
267
268 *signedpath = 1;
269 }
270
271 return 0;
272 }
273
274 /*
275 *
276 */
277
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 const krb5_principal delegated_proxy_principal,
283 hdb_entry_ex *client,
284 hdb_entry_ex *server,
285 hdb_entry_ex *krbtgt,
286 const EncryptionKey *server_check_key,
287 const EncryptionKey *krbtgt_check_key,
288 const EncryptionKey *server_sign_key,
289 const EncryptionKey *krbtgt_sign_key,
290 EncTicketPart *tkt,
291 krb5_data *rspac,
292 int *signedpath)
293 {
294 AuthorizationData *ad = tkt->authorization_data;
295 unsigned i, j;
296 krb5_error_code ret;
297
298 if (ad == NULL || ad->len == 0)
299 return 0;
300
301 for (i = 0; i < ad->len; i++) {
302 AuthorizationData child;
303
304 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
305 continue;
306
307 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
308 ad->val[i].ad_data.length,
309 &child,
310 NULL);
311 if (ret) {
312 krb5_set_error_message(context, ret, "Failed to decode "
313 "IF_RELEVANT with %d", ret);
314 return ret;
315 }
316 for (j = 0; j < child.len; j++) {
317
318 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
319 int signed_pac = 0;
320 krb5_pac pac;
321
322 /* Found PAC */
323 ret = krb5_pac_parse(context,
324 child.val[j].ad_data.data,
325 child.val[j].ad_data.length,
326 &pac);
327 free_AuthorizationData(&child);
328 if (ret)
329 return ret;
330
331 ret = krb5_pac_verify(context, pac, tkt->authtime,
332 client_principal,
333 server_check_key, krbtgt_check_key);
334 if (ret) {
335 krb5_pac_free(context, pac);
336 return ret;
337 }
338
339 ret = _kdc_pac_verify(context, client_principal,
340 delegated_proxy_principal,
341 client, server, krbtgt, &pac, &signed_pac);
342 if (ret) {
343 krb5_pac_free(context, pac);
344 return ret;
345 }
346
347 /*
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
352 */
353 if (signed_pac) {
354 *signedpath = 1;
355 ret = _krb5_pac_sign(context, pac, tkt->authtime,
356 client_principal,
357 server_sign_key, krbtgt_sign_key, rspac);
358 }
359 krb5_pac_free(context, pac);
360
361 return ret;
362 }
363 }
364 free_AuthorizationData(&child);
365 }
366 return 0;
367 }
368
369 /*
370 *
371 */
372
373 static krb5_error_code
374 check_tgs_flags(krb5_context context,
375 krb5_kdc_configuration *config,
376 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
377 {
378 KDCOptions f = b->kdc_options;
379
380 if(f.validate){
381 if(!tgt->flags.invalid || tgt->starttime == NULL){
382 kdc_log(context, config, 0,
383 "Bad request to validate ticket");
384 return KRB5KDC_ERR_BADOPTION;
385 }
386 if(*tgt->starttime > kdc_time){
387 kdc_log(context, config, 0,
388 "Early request to validate ticket");
389 return KRB5KRB_AP_ERR_TKT_NYV;
390 }
391 /* XXX tkt = tgt */
392 et->flags.invalid = 0;
393 }else if(tgt->flags.invalid){
394 kdc_log(context, config, 0,
395 "Ticket-granting ticket has INVALID flag set");
396 return KRB5KRB_AP_ERR_TKT_INVALID;
397 }
398
399 if(f.forwardable){
400 if(!tgt->flags.forwardable){
401 kdc_log(context, config, 0,
402 "Bad request for forwardable ticket");
403 return KRB5KDC_ERR_BADOPTION;
404 }
405 et->flags.forwardable = 1;
406 }
407 if(f.forwarded){
408 if(!tgt->flags.forwardable){
409 kdc_log(context, config, 0,
410 "Request to forward non-forwardable ticket");
411 return KRB5KDC_ERR_BADOPTION;
412 }
413 et->flags.forwarded = 1;
414 et->caddr = b->addresses;
415 }
416 if(tgt->flags.forwarded)
417 et->flags.forwarded = 1;
418
419 if(f.proxiable){
420 if(!tgt->flags.proxiable){
421 kdc_log(context, config, 0,
422 "Bad request for proxiable ticket");
423 return KRB5KDC_ERR_BADOPTION;
424 }
425 et->flags.proxiable = 1;
426 }
427 if(f.proxy){
428 if(!tgt->flags.proxiable){
429 kdc_log(context, config, 0,
430 "Request to proxy non-proxiable ticket");
431 return KRB5KDC_ERR_BADOPTION;
432 }
433 et->flags.proxy = 1;
434 et->caddr = b->addresses;
435 }
436 if(tgt->flags.proxy)
437 et->flags.proxy = 1;
438
439 if(f.allow_postdate){
440 if(!tgt->flags.may_postdate){
441 kdc_log(context, config, 0,
442 "Bad request for post-datable ticket");
443 return KRB5KDC_ERR_BADOPTION;
444 }
445 et->flags.may_postdate = 1;
446 }
447 if(f.postdated){
448 if(!tgt->flags.may_postdate){
449 kdc_log(context, config, 0,
450 "Bad request for postdated ticket");
451 return KRB5KDC_ERR_BADOPTION;
452 }
453 if(b->from)
454 *et->starttime = *b->from;
455 et->flags.postdated = 1;
456 et->flags.invalid = 1;
457 }else if(b->from && *b->from > kdc_time + context->max_skew){
458 kdc_log(context, config, 0, "Ticket cannot be postdated");
459 return KRB5KDC_ERR_CANNOT_POSTDATE;
460 }
461
462 if(f.renewable){
463 if(!tgt->flags.renewable || tgt->renew_till == NULL){
464 kdc_log(context, config, 0,
465 "Bad request for renewable ticket");
466 return KRB5KDC_ERR_BADOPTION;
467 }
468 et->flags.renewable = 1;
469 ALLOC(et->renew_till);
470 _kdc_fix_time(&b->rtime);
471 *et->renew_till = *b->rtime;
472 }
473 if(f.renew){
474 time_t old_life;
475 if(!tgt->flags.renewable || tgt->renew_till == NULL){
476 kdc_log(context, config, 0,
477 "Request to renew non-renewable ticket");
478 return KRB5KDC_ERR_BADOPTION;
479 }
480 old_life = tgt->endtime;
481 if(tgt->starttime)
482 old_life -= *tgt->starttime;
483 else
484 old_life -= tgt->authtime;
485 et->endtime = *et->starttime + old_life;
486 if (et->renew_till != NULL)
487 et->endtime = min(*et->renew_till, et->endtime);
488 }
489
490 #if 0
491 /* checks for excess flags */
492 if(f.request_anonymous && !config->allow_anonymous){
493 kdc_log(context, config, 0,
494 "Request for anonymous ticket");
495 return KRB5KDC_ERR_BADOPTION;
496 }
497 #endif
498 return 0;
499 }
500
501 /*
502 * Determine if constrained delegation is allowed from this client to this server
503 */
504
505 static krb5_error_code
506 check_constrained_delegation(krb5_context context,
507 krb5_kdc_configuration *config,
508 HDB *clientdb,
509 hdb_entry_ex *client,
510 hdb_entry_ex *server,
511 krb5_const_principal target)
512 {
513 const HDB_Ext_Constrained_delegation_acl *acl;
514 krb5_error_code ret;
515 size_t i;
516
517 /*
518 * constrained_delegation (S4U2Proxy) only works within
519 * the same realm. We use the already canonicalized version
520 * of the principals here, while "target" is the principal
521 * provided by the client.
522 */
523 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
524 ret = KRB5KDC_ERR_BADOPTION;
525 kdc_log(context, config, 0,
526 "Bad request for constrained delegation");
527 return ret;
528 }
529
530 if (clientdb->hdb_check_constrained_delegation) {
531 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
532 if (ret == 0)
533 return 0;
534 } else {
535 /* if client delegates to itself, that ok */
536 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
537 return 0;
538
539 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
540 if (ret) {
541 krb5_clear_error_message(context);
542 return ret;
543 }
544
545 if (acl) {
546 for (i = 0; i < acl->len; i++) {
547 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
548 return 0;
549 }
550 }
551 ret = KRB5KDC_ERR_BADOPTION;
552 }
553 kdc_log(context, config, 0,
554 "Bad request for constrained delegation");
555 return ret;
556 }
557
558 /*
559 * Determine if s4u2self is allowed from this client to this server
560 *
561 * For example, regardless of the principal being impersonated, if the
562 * 'client' and 'server' are the same, then it's safe.
563 */
564
565 static krb5_error_code
566 check_s4u2self(krb5_context context,
567 krb5_kdc_configuration *config,
568 HDB *clientdb,
569 hdb_entry_ex *client,
570 krb5_const_principal server)
571 {
572 krb5_error_code ret;
573
574 /* if client does a s4u2self to itself, that ok */
575 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
576 return 0;
577
578 if (clientdb->hdb_check_s4u2self) {
579 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
580 if (ret == 0)
581 return 0;
582 } else {
583 ret = KRB5KDC_ERR_BADOPTION;
584 }
585 return ret;
586 }
587
588 /*
589 *
590 */
591
592 static krb5_error_code
593 verify_flags (krb5_context context,
594 krb5_kdc_configuration *config,
595 const EncTicketPart *et,
596 const char *pstr)
597 {
598 if(et->endtime < kdc_time){
599 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
600 return KRB5KRB_AP_ERR_TKT_EXPIRED;
601 }
602 if(et->flags.invalid){
603 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
604 return KRB5KRB_AP_ERR_TKT_NYV;
605 }
606 return 0;
607 }
608
609 /*
610 *
611 */
612
613 static krb5_error_code
614 fix_transited_encoding(krb5_context context,
615 krb5_kdc_configuration *config,
616 krb5_boolean check_policy,
617 const TransitedEncoding *tr,
618 EncTicketPart *et,
619 const char *client_realm,
620 const char *server_realm,
621 const char *tgt_realm)
622 {
623 krb5_error_code ret = 0;
624 char **realms, **tmp;
625 unsigned int num_realms;
626 size_t i;
627
628 switch (tr->tr_type) {
629 case DOMAIN_X500_COMPRESS:
630 break;
631 case 0:
632 /*
633 * Allow empty content of type 0 because that is was Microsoft
634 * generates in their TGT.
635 */
636 if (tr->contents.length == 0)
637 break;
638 kdc_log(context, config, 0,
639 "Transited type 0 with non empty content");
640 return KRB5KDC_ERR_TRTYPE_NOSUPP;
641 default:
642 kdc_log(context, config, 0,
643 "Unknown transited type: %u", tr->tr_type);
644 return KRB5KDC_ERR_TRTYPE_NOSUPP;
645 }
646
647 ret = krb5_domain_x500_decode(context,
648 tr->contents,
649 &realms,
650 &num_realms,
651 client_realm,
652 server_realm);
653 if(ret){
654 krb5_warn(context, ret,
655 "Decoding transited encoding");
656 return ret;
657 }
658 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
659 /* not us, so add the previous realm to transited set */
660 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
661 ret = ERANGE;
662 goto free_realms;
663 }
664 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
665 if(tmp == NULL){
666 ret = ENOMEM;
667 goto free_realms;
668 }
669 realms = tmp;
670 realms[num_realms] = strdup(tgt_realm);
671 if(realms[num_realms] == NULL){
672 ret = ENOMEM;
673 goto free_realms;
674 }
675 num_realms++;
676 }
677 if(num_realms == 0) {
678 if(strcmp(client_realm, server_realm))
679 kdc_log(context, config, 0,
680 "cross-realm %s -> %s", client_realm, server_realm);
681 } else {
682 size_t l = 0;
683 char *rs;
684 for(i = 0; i < num_realms; i++)
685 l += strlen(realms[i]) + 2;
686 rs = malloc(l);
687 if(rs != NULL) {
688 *rs = '\0';
689 for(i = 0; i < num_realms; i++) {
690 if(i > 0)
691 strlcat(rs, ", ", l);
692 strlcat(rs, realms[i], l);
693 }
694 kdc_log(context, config, 0,
695 "cross-realm %s -> %s via [%s]",
696 client_realm, server_realm, rs);
697 free(rs);
698 }
699 }
700 if(check_policy) {
701 ret = krb5_check_transited(context, client_realm,
702 server_realm,
703 realms, num_realms, NULL);
704 if(ret) {
705 krb5_warn(context, ret, "cross-realm %s -> %s",
706 client_realm, server_realm);
707 goto free_realms;
708 }
709 et->flags.transited_policy_checked = 1;
710 }
711 et->transited.tr_type = DOMAIN_X500_COMPRESS;
712 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
713 if(ret)
714 krb5_warn(context, ret, "Encoding transited encoding");
715 free_realms:
716 for(i = 0; i < num_realms; i++)
717 free(realms[i]);
718 free(realms);
719 return ret;
720 }
721
722
723 static krb5_error_code
724 tgs_make_reply(krb5_context context,
725 krb5_kdc_configuration *config,
726 KDC_REQ_BODY *b,
727 krb5_const_principal tgt_name,
728 const EncTicketPart *tgt,
729 const krb5_keyblock *replykey,
730 int rk_is_subkey,
731 const EncryptionKey *serverkey,
732 const krb5_keyblock *sessionkey,
733 krb5_kvno kvno,
734 AuthorizationData *auth_data,
735 hdb_entry_ex *server,
736 krb5_principal server_principal,
737 const char *server_name,
738 hdb_entry_ex *client,
739 krb5_principal client_principal,
740 hdb_entry_ex *krbtgt,
741 krb5_enctype krbtgt_etype,
742 krb5_principals spp,
743 const krb5_data *rspac,
744 const METHOD_DATA *enc_pa_data,
745 const char **e_text,
746 krb5_data *reply)
747 {
748 KDC_REP rep;
749 EncKDCRepPart ek;
750 EncTicketPart et;
751 KDCOptions f = b->kdc_options;
752 krb5_error_code ret;
753 int is_weak = 0;
754
755 memset(&rep, 0, sizeof(rep));
756 memset(&et, 0, sizeof(et));
757 memset(&ek, 0, sizeof(ek));
758
759 rep.pvno = 5;
760 rep.msg_type = krb_tgs_rep;
761
762 et.authtime = tgt->authtime;
763 _kdc_fix_time(&b->till);
764 et.endtime = min(tgt->endtime, *b->till);
765 ALLOC(et.starttime);
766 *et.starttime = kdc_time;
767
768 ret = check_tgs_flags(context, config, b, tgt, &et);
769 if(ret)
770 goto out;
771
772 /* We should check the transited encoding if:
773 1) the request doesn't ask not to be checked
774 2) globally enforcing a check
775 3) principal requires checking
776 4) we allow non-check per-principal, but principal isn't marked as allowing this
777 5) we don't globally allow this
778 */
779
780 #define GLOBAL_FORCE_TRANSITED_CHECK \
781 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
782 #define GLOBAL_ALLOW_PER_PRINCIPAL \
783 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
784 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
785 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
786
787 /* these will consult the database in future release */
788 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
789 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
790
791 ret = fix_transited_encoding(context, config,
792 !f.disable_transited_check ||
793 GLOBAL_FORCE_TRANSITED_CHECK ||
794 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
795 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
796 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
797 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
798 &tgt->transited, &et,
799 krb5_principal_get_realm(context, client_principal),
800 krb5_principal_get_realm(context, server->entry.principal),
801 krb5_principal_get_realm(context, krbtgt->entry.principal));
802 if(ret)
803 goto out;
804
805 copy_Realm(&server_principal->realm, &rep.ticket.realm);
806 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
807 copy_Realm(&tgt_name->realm, &rep.crealm);
808 /*
809 if (f.request_anonymous)
810 _kdc_make_anonymous_principalname (&rep.cname);
811 else */
812
813 copy_PrincipalName(&tgt_name->name, &rep.cname);
814 rep.ticket.tkt_vno = 5;
815
816 ek.caddr = et.caddr;
817 if(et.caddr == NULL)
818 et.caddr = tgt->caddr;
819
820 {
821 time_t life;
822 life = et.endtime - *et.starttime;
823 if(client && client->entry.max_life)
824 life = min(life, *client->entry.max_life);
825 if(server->entry.max_life)
826 life = min(life, *server->entry.max_life);
827 et.endtime = *et.starttime + life;
828 }
829 if(f.renewable_ok && tgt->flags.renewable &&
830 et.renew_till == NULL && et.endtime < *b->till &&
831 tgt->renew_till != NULL)
832 {
833 et.flags.renewable = 1;
834 ALLOC(et.renew_till);
835 *et.renew_till = *b->till;
836 }
837 if(et.renew_till){
838 time_t renew;
839 renew = *et.renew_till - et.authtime;
840 if(client && client->entry.max_renew)
841 renew = min(renew, *client->entry.max_renew);
842 if(server->entry.max_renew)
843 renew = min(renew, *server->entry.max_renew);
844 *et.renew_till = et.authtime + renew;
845 }
846
847 if(et.renew_till){
848 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
849 *et.starttime = min(*et.starttime, *et.renew_till);
850 et.endtime = min(et.endtime, *et.renew_till);
851 }
852
853 *et.starttime = min(*et.starttime, et.endtime);
854
855 if(*et.starttime == et.endtime){
856 ret = KRB5KDC_ERR_NEVER_VALID;
857 goto out;
858 }
859 if(et.renew_till && et.endtime == *et.renew_till){
860 free(et.renew_till);
861 et.renew_till = NULL;
862 et.flags.renewable = 0;
863 }
864
865 et.flags.pre_authent = tgt->flags.pre_authent;
866 et.flags.hw_authent = tgt->flags.hw_authent;
867 et.flags.anonymous = tgt->flags.anonymous;
868 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
869
870 if(rspac->length) {
871 /*
872 * No not need to filter out the any PAC from the
873 * auth_data since it's signed by the KDC.
874 */
875 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
876 KRB5_AUTHDATA_WIN2K_PAC, rspac);
877 if (ret)
878 goto out;
879 }
880
881 if (auth_data) {
882 unsigned int i = 0;
883
884 /* XXX check authdata */
885
886 if (et.authorization_data == NULL) {
887 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
888 if (et.authorization_data == NULL) {
889 ret = ENOMEM;
890 krb5_set_error_message(context, ret, "malloc: out of memory");
891 goto out;
892 }
893 }
894 for(i = 0; i < auth_data->len ; i++) {
895 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
896 if (ret) {
897 krb5_set_error_message(context, ret, "malloc: out of memory");
898 goto out;
899 }
900 }
901
902 /* Filter out type KRB5SignedPath */
903 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
904 if (ret == 0) {
905 if (et.authorization_data->len == 1) {
906 free_AuthorizationData(et.authorization_data);
907 free(et.authorization_data);
908 et.authorization_data = NULL;
909 } else {
910 AuthorizationData *ad = et.authorization_data;
911 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
912 ad->len--;
913 }
914 }
915 }
916
917 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
918 if (ret)
919 goto out;
920 et.crealm = tgt_name->realm;
921 et.cname = tgt_name->name;
922
923 ek.key = et.key;
924 /* MIT must have at least one last_req */
925 ek.last_req.len = 1;
926 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
927 if (ek.last_req.val == NULL) {
928 ret = ENOMEM;
929 goto out;
930 }
931 ek.nonce = b->nonce;
932 ek.flags = et.flags;
933 ek.authtime = et.authtime;
934 ek.starttime = et.starttime;
935 ek.endtime = et.endtime;
936 ek.renew_till = et.renew_till;
937 ek.srealm = rep.ticket.realm;
938 ek.sname = rep.ticket.sname;
939
940 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
941 et.endtime, et.renew_till);
942
943 /* Don't sign cross realm tickets, they can't be checked anyway */
944 {
945 char *r = get_krbtgt_realm(&ek.sname);
946
947 if (r == NULL || strcmp(r, ek.srealm) == 0) {
948 ret = _kdc_add_KRB5SignedPath(context,
949 config,
950 krbtgt,
951 krbtgt_etype,
952 client_principal,
953 NULL,
954 spp,
955 &et);
956 if (ret)
957 goto out;
958 }
959 }
960
961 if (enc_pa_data->len) {
962 rep.padata = calloc(1, sizeof(*rep.padata));
963 if (rep.padata == NULL) {
964 ret = ENOMEM;
965 goto out;
966 }
967 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
968 if (ret)
969 goto out;
970 }
971
972 if (krb5_enctype_valid(context, et.key.keytype) != 0
973 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
974 {
975 krb5_enctype_enable(context, et.key.keytype);
976 is_weak = 1;
977 }
978
979
980 /* It is somewhat unclear where the etype in the following
981 encryption should come from. What we have is a session
982 key in the passed tgt, and a list of preferred etypes
983 *for the new ticket*. Should we pick the best possible
984 etype, given the keytype in the tgt, or should we look
985 at the etype list here as well? What if the tgt
986 session key is DES3 and we want a ticket with a (say)
987 CAST session key. Should the DES3 etype be added to the
988 etype list, even if we don't want a session key with
989 DES3? */
990 ret = _kdc_encode_reply(context, config,
991 &rep, &et, &ek, et.key.keytype,
992 kvno,
993 serverkey, 0, replykey, rk_is_subkey,
994 e_text, reply);
995 if (is_weak)
996 krb5_enctype_disable(context, et.key.keytype);
997
998 out:
999 free_TGS_REP(&rep);
1000 free_TransitedEncoding(&et.transited);
1001 if(et.starttime)
1002 free(et.starttime);
1003 if(et.renew_till)
1004 free(et.renew_till);
1005 if(et.authorization_data) {
1006 free_AuthorizationData(et.authorization_data);
1007 free(et.authorization_data);
1008 }
1009 free_LastReq(&ek.last_req);
1010 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1011 free_EncryptionKey(&et.key);
1012 return ret;
1013 }
1014
1015 static krb5_error_code
1016 tgs_check_authenticator(krb5_context context,
1017 krb5_kdc_configuration *config,
1018 krb5_auth_context ac,
1019 KDC_REQ_BODY *b,
1020 const char **e_text,
1021 krb5_keyblock *key)
1022 {
1023 krb5_authenticator auth;
1024 size_t len = 0;
1025 unsigned char *buf;
1026 size_t buf_size;
1027 krb5_error_code ret;
1028 krb5_crypto crypto;
1029
1030 krb5_auth_con_getauthenticator(context, ac, &auth);
1031 if(auth->cksum == NULL){
1032 kdc_log(context, config, 0, "No authenticator in request");
1033 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1034 goto out;
1035 }
1036 /*
1037 * according to RFC1510 it doesn't need to be keyed,
1038 * but according to the latest draft it needs to.
1039 */
1040 if (
1041 #if 0
1042 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1043 ||
1044 #endif
1045 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1046 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1047 auth->cksum->cksumtype);
1048 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1049 goto out;
1050 }
1051
1052 /* XXX should not re-encode this */
1053 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1054 if(ret){
1055 const char *msg = krb5_get_error_message(context, ret);
1056 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1057 krb5_free_error_message(context, msg);
1058 goto out;
1059 }
1060 if(buf_size != len) {
1061 free(buf);
1062 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1063 *e_text = "KDC internal error";
1064 ret = KRB5KRB_ERR_GENERIC;
1065 goto out;
1066 }
1067 ret = krb5_crypto_init(context, key, 0, &crypto);
1068 if (ret) {
1069 const char *msg = krb5_get_error_message(context, ret);
1070 free(buf);
1071 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1072 krb5_free_error_message(context, msg);
1073 goto out;
1074 }
1075 ret = krb5_verify_checksum(context,
1076 crypto,
1077 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1078 buf,
1079 len,
1080 auth->cksum);
1081 free(buf);
1082 krb5_crypto_destroy(context, crypto);
1083 if(ret){
1084 const char *msg = krb5_get_error_message(context, ret);
1085 kdc_log(context, config, 0,
1086 "Failed to verify authenticator checksum: %s", msg);
1087 krb5_free_error_message(context, msg);
1088 }
1089 out:
1090 free_Authenticator(auth);
1091 free(auth);
1092 return ret;
1093 }
1094
1095 /*
1096 *
1097 */
1098
1099 static const char *
1100 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1101 {
1102 const char *new_realm = krb5_config_get_string(context,
1103 NULL,
1104 "capaths",
1105 crealm,
1106 srealm,
1107 NULL);
1108 return new_realm;
1109 }
1110
1111
1112 static krb5_boolean
1113 need_referral(krb5_context context, krb5_kdc_configuration *config,
1114 const KDCOptions * const options, krb5_principal server,
1115 krb5_realm **realms)
1116 {
1117 const char *name;
1118
1119 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1120 return FALSE;
1121
1122 if (server->name.name_string.len == 1)
1123 name = server->name.name_string.val[0];
1124 else if (server->name.name_string.len == 3 &&
1125 strcasecmp("E3514235-4B06-11D1-AB04-00C04FC2DCD2", server->name.name_string.val[0]) == 0) {
1126 /*
1127 This is used to give referrals for the
1128 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1129 SPN form, which is used for inter-domain communication in AD
1130 */
1131 name = server->name.name_string.val[2];
1132 kdc_log(context, config, 0, "Giving 3 part DRSUAPI referral for %s", name);
1133 *realms = malloc(sizeof(char *)*2);
1134 if (*realms == NULL) {
1135 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1136 return FALSE;
1137 }
1138 (*realms)[0] = strdup(name);
1139 (*realms)[1] = NULL;
1140 return TRUE;
1141 } else if (server->name.name_string.len > 1)
1142 name = server->name.name_string.val[1];
1143 else
1144 return FALSE;
1145
1146 kdc_log(context, config, 0, "Searching referral for %s", name);
1147
1148 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1149 }
1150
1151 static krb5_error_code
1152 tgs_parse_request(krb5_context context,
1153 krb5_kdc_configuration *config,
1154 KDC_REQ_BODY *b,
1155 const PA_DATA *tgs_req,
1156 hdb_entry_ex **krbtgt,
1157 krb5_enctype *krbtgt_etype,
1158 krb5_ticket **ticket,
1159 const char **e_text,
1160 const char *from,
1161 const struct sockaddr *from_addr,
1162 time_t **csec,
1163 int **cusec,
1164 AuthorizationData **auth_data,
1165 krb5_keyblock **replykey,
1166 int *rk_is_subkey)
1167 {
1168 static char failed[] = "<unparse_name failed>";
1169 krb5_ap_req ap_req;
1170 krb5_error_code ret;
1171 krb5_principal princ;
1172 krb5_auth_context ac = NULL;
1173 krb5_flags ap_req_options;
1174 krb5_flags verify_ap_req_flags;
1175 krb5_crypto crypto;
1176 Key *tkey;
1177 krb5_keyblock *subkey = NULL;
1178 unsigned usage;
1179
1180 *auth_data = NULL;
1181 *csec = NULL;
1182 *cusec = NULL;
1183 *replykey = NULL;
1184
1185 memset(&ap_req, 0, sizeof(ap_req));
1186 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1187 if(ret){
1188 const char *msg = krb5_get_error_message(context, ret);
1189 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1190 krb5_free_error_message(context, msg);
1191 goto out;
1192 }
1193
1194 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1195 /* XXX check for ticket.sname == req.sname */
1196 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1197 ret = KRB5KDC_ERR_POLICY; /* ? */
1198 goto out;
1199 }
1200
1201 _krb5_principalname2krb5_principal(context,
1202 &princ,
1203 ap_req.ticket.sname,
1204 ap_req.ticket.realm);
1205
1206 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1207
1208 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1209 char *p;
1210 ret = krb5_unparse_name(context, princ, &p);
1211 if (ret != 0)
1212 p = failed;
1213 krb5_free_principal(context, princ);
1214 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1215 if (ret == 0)
1216 free(p);
1217 ret = HDB_ERR_NOT_FOUND_HERE;
1218 goto out;
1219 } else if(ret){
1220 const char *msg = krb5_get_error_message(context, ret);
1221 char *p;
1222 ret = krb5_unparse_name(context, princ, &p);
1223 if (ret != 0)
1224 p = failed;
1225 krb5_free_principal(context, princ);
1226 kdc_log(context, config, 0,
1227 "Ticket-granting ticket not found in database: %s", msg);
1228 krb5_free_error_message(context, msg);
1229 if (ret == 0)
1230 free(p);
1231 ret = KRB5KRB_AP_ERR_NOT_US;
1232 goto out;
1233 }
1234
1235 if(ap_req.ticket.enc_part.kvno &&
1236 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1237 char *p;
1238
1239 ret = krb5_unparse_name (context, princ, &p);
1240 krb5_free_principal(context, princ);
1241 if (ret != 0)
1242 p = failed;
1243 kdc_log(context, config, 0,
1244 "Ticket kvno = %d, DB kvno = %d (%s)",
1245 *ap_req.ticket.enc_part.kvno,
1246 (*krbtgt)->entry.kvno,
1247 p);
1248 if (ret == 0)
1249 free (p);
1250 ret = KRB5KRB_AP_ERR_BADKEYVER;
1251 goto out;
1252 }
1253
1254 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1255
1256 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1257 ap_req.ticket.enc_part.etype, &tkey);
1258 if(ret){
1259 char *str = NULL, *p = NULL;
1260
1261 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1262 krb5_unparse_name(context, princ, &p);
1263 kdc_log(context, config, 0,
1264 "No server key with enctype %s found for %s",
1265 str ? str : "<unknown enctype>",
1266 p ? p : "<unparse_name failed>");
1267 free(str);
1268 free(p);
1269 ret = KRB5KRB_AP_ERR_BADKEYVER;
1270 goto out;
1271 }
1272
1273 if (b->kdc_options.validate)
1274 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1275 else
1276 verify_ap_req_flags = 0;
1277
1278 ret = krb5_verify_ap_req2(context,
1279 &ac,
1280 &ap_req,
1281 princ,
1282 &tkey->key,
1283 verify_ap_req_flags,
1284 &ap_req_options,
1285 ticket,
1286 KRB5_KU_TGS_REQ_AUTH);
1287
1288 krb5_free_principal(context, princ);
1289 if(ret) {
1290 const char *msg = krb5_get_error_message(context, ret);
1291 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1292 krb5_free_error_message(context, msg);
1293 goto out;
1294 }
1295
1296 {
1297 krb5_authenticator auth;
1298
1299 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1300 if (ret == 0) {
1301 *csec = malloc(sizeof(**csec));
1302 if (*csec == NULL) {
1303 krb5_free_authenticator(context, &auth);
1304 kdc_log(context, config, 0, "malloc failed");
1305 goto out;
1306 }
1307 **csec = auth->ctime;
1308 *cusec = malloc(sizeof(**cusec));
1309 if (*cusec == NULL) {
1310 krb5_free_authenticator(context, &auth);
1311 kdc_log(context, config, 0, "malloc failed");
1312 goto out;
1313 }
1314 **cusec = auth->cusec;
1315 krb5_free_authenticator(context, &auth);
1316 }
1317 }
1318
1319 ret = tgs_check_authenticator(context, config,
1320 ac, b, e_text, &(*ticket)->ticket.key);
1321 if (ret) {
1322 krb5_auth_con_free(context, ac);
1323 goto out;
1324 }
1325
1326 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1327 *rk_is_subkey = 1;
1328
1329 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1330 if(ret){
1331 const char *msg = krb5_get_error_message(context, ret);
1332 krb5_auth_con_free(context, ac);
1333 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1334 krb5_free_error_message(context, msg);
1335 goto out;
1336 }
1337 if(subkey == NULL){
1338 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1339 *rk_is_subkey = 0;
1340
1341 ret = krb5_auth_con_getkey(context, ac, &subkey);
1342 if(ret) {
1343 const char *msg = krb5_get_error_message(context, ret);
1344 krb5_auth_con_free(context, ac);
1345 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1346 krb5_free_error_message(context, msg);
1347 goto out;
1348 }
1349 }
1350 if(subkey == NULL){
1351 krb5_auth_con_free(context, ac);
1352 kdc_log(context, config, 0,
1353 "Failed to get key for enc-authorization-data");
1354 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1355 goto out;
1356 }
1357
1358 *replykey = subkey;
1359
1360 if (b->enc_authorization_data) {
1361 krb5_data ad;
1362
1363 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1364 if (ret) {
1365 const char *msg = krb5_get_error_message(context, ret);
1366 krb5_auth_con_free(context, ac);
1367 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1368 krb5_free_error_message(context, msg);
1369 goto out;
1370 }
1371 ret = krb5_decrypt_EncryptedData (context,
1372 crypto,
1373 usage,
1374 b->enc_authorization_data,
1375 &ad);
1376 krb5_crypto_destroy(context, crypto);
1377 if(ret){
1378 krb5_auth_con_free(context, ac);
1379 kdc_log(context, config, 0,
1380 "Failed to decrypt enc-authorization-data");
1381 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1382 goto out;
1383 }
1384 ALLOC(*auth_data);
1385 if (*auth_data == NULL) {
1386 krb5_auth_con_free(context, ac);
1387 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1388 goto out;
1389 }
1390 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1391 if(ret){
1392 krb5_auth_con_free(context, ac);
1393 free(*auth_data);
1394 *auth_data = NULL;
1395 kdc_log(context, config, 0, "Failed to decode authorization data");
1396 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1397 goto out;
1398 }
1399 }
1400
1401 krb5_auth_con_free(context, ac);
1402
1403 out:
1404 free_AP_REQ(&ap_req);
1405
1406 return ret;
1407 }
1408
1409 static krb5_error_code
1410 build_server_referral(krb5_context context,
1411 krb5_kdc_configuration *config,
1412 krb5_crypto session,
1413 krb5_const_realm referred_realm,
1414 const PrincipalName *true_principal_name,
1415 const PrincipalName *requested_principal,
1416 krb5_data *outdata)
1417 {
1418 PA_ServerReferralData ref;
1419 krb5_error_code ret;
1420 EncryptedData ed;
1421 krb5_data data;
1422 size_t size = 0;
1423
1424 memset(&ref, 0, sizeof(ref));
1425
1426 if (referred_realm) {
1427 ALLOC(ref.referred_realm);
1428 if (ref.referred_realm == NULL)
1429 goto eout;
1430 *ref.referred_realm = strdup(referred_realm);
1431 if (*ref.referred_realm == NULL)
1432 goto eout;
1433 }
1434 if (true_principal_name) {
1435 ALLOC(ref.true_principal_name);
1436 if (ref.true_principal_name == NULL)
1437 goto eout;
1438 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1439 if (ret)
1440 goto eout;
1441 }
1442 if (requested_principal) {
1443 ALLOC(ref.requested_principal_name);
1444 if (ref.requested_principal_name == NULL)
1445 goto eout;
1446 ret = copy_PrincipalName(requested_principal,
1447 ref.requested_principal_name);
1448 if (ret)
1449 goto eout;
1450 }
1451
1452 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1453 data.data, data.length,
1454 &ref, &size, ret);
1455 free_PA_ServerReferralData(&ref);
1456 if (ret)
1457 return ret;
1458 if (data.length != size)
1459 krb5_abortx(context, "internal asn.1 encoder error");
1460
1461 ret = krb5_encrypt_EncryptedData(context, session,
1462 KRB5_KU_PA_SERVER_REFERRAL,
1463 data.data, data.length,
1464 0 /* kvno */, &ed);
1465 free(data.data);
1466 if (ret)
1467 return ret;
1468
1469 ASN1_MALLOC_ENCODE(EncryptedData,
1470 outdata->data, outdata->length,
1471 &ed, &size, ret);
1472 free_EncryptedData(&ed);
1473 if (ret)
1474 return ret;
1475 if (outdata->length != size)
1476 krb5_abortx(context, "internal asn.1 encoder error");
1477
1478 return 0;
1479 eout:
1480 free_PA_ServerReferralData(&ref);
1481 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1482 return ENOMEM;
1483 }
1484
1485 static krb5_error_code
1486 tgs_build_reply(krb5_context context,
1487 krb5_kdc_configuration *config,
1488 KDC_REQ *req,
1489 KDC_REQ_BODY *b,
1490 hdb_entry_ex *krbtgt,
1491 krb5_enctype krbtgt_etype,
1492 const krb5_keyblock *replykey,
1493 int rk_is_subkey,
1494 krb5_ticket *ticket,
1495 krb5_data *reply,
1496 const char *from,
1497 const char **e_text,
1498 AuthorizationData **auth_data,
1499 const struct sockaddr *from_addr)
1500 {
1501 krb5_error_code ret;
1502 krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL;
1503 krb5_principal krbtgt_principal = NULL;
1504 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
1505 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1506 HDB *clientdb, *s4u2self_impersonated_clientdb;
1507 krb5_realm ref_realm = NULL;
1508 EncTicketPart *tgt = &ticket->ticket;
1509 krb5_principals spp = NULL;
1510 const EncryptionKey *ekey;
1511 krb5_keyblock sessionkey;
1512 krb5_kvno kvno;
1513 krb5_data rspac;
1514
1515 hdb_entry_ex *krbtgt_out = NULL;
1516
1517 METHOD_DATA enc_pa_data;
1518
1519 PrincipalName *s;
1520 Realm r;
1521 int nloop = 0;
1522 EncTicketPart adtkt;
1523 char opt_str[128];
1524 int signedpath = 0;
1525
1526 Key *tkey_check;
1527 Key *tkey_sign;
1528 Key *tkey_krbtgt_check = NULL;
1529 int flags = HDB_F_FOR_TGS_REQ;
1530
1531 memset(&sessionkey, 0, sizeof(sessionkey));
1532 memset(&adtkt, 0, sizeof(adtkt));
1533 krb5_data_zero(&rspac);
1534 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1535
1536 s = b->sname;
1537 r = b->realm;
1538
1539 if (b->kdc_options.canonicalize)
1540 flags |= HDB_F_CANON;
1541
1542 if(b->kdc_options.enc_tkt_in_skey){
1543 Ticket *t;
1544 hdb_entry_ex *uu;
1545 krb5_principal p;
1546 Key *uukey;
1547
1548 if(b->additional_tickets == NULL ||
1549 b->additional_tickets->len == 0){
1550 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1551 kdc_log(context, config, 0,
1552 "No second ticket present in request");
1553 goto out;
1554 }
1555 t = &b->additional_tickets->val[0];
1556 if(!get_krbtgt_realm(&t->sname)){
1557 kdc_log(context, config, 0,
1558 "Additional ticket is not a ticket-granting ticket");
1559 ret = KRB5KDC_ERR_POLICY;
1560 goto out;
1561 }
1562 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1563 ret = _kdc_db_fetch(context, config, p,
1564 HDB_F_GET_KRBTGT, t->enc_part.kvno,
1565 NULL, &uu);
1566 krb5_free_principal(context, p);
1567 if(ret){
1568 if (ret == HDB_ERR_NOENTRY)
1569 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1570 goto out;
1571 }
1572 ret = hdb_enctype2key(context, &uu->entry,
1573 t->enc_part.etype, &uukey);
1574 if(ret){
1575 _kdc_free_ent(context, uu);
1576 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1577 goto out;
1578 }
1579 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1580 _kdc_free_ent(context, uu);
1581 if(ret)
1582 goto out;
1583
1584 ret = verify_flags(context, config, &adtkt, spn);
1585 if (ret)
1586 goto out;
1587
1588 s = &adtkt.cname;
1589 r = adtkt.crealm;
1590 }
1591
1592 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1593 ret = krb5_unparse_name(context, sp, &spn);
1594 if (ret)
1595 goto out;
1596 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1597 ret = krb5_unparse_name(context, cp, &cpn);
1598 if (ret)
1599 goto out;
1600 unparse_flags (KDCOptions2int(b->kdc_options),
1601 asn1_KDCOptions_units(),
1602 opt_str, sizeof(opt_str));
1603 if(*opt_str)
1604 kdc_log(context, config, 0,
1605 "TGS-REQ %s from %s for %s [%s]",
1606 cpn, from, spn, opt_str);
1607 else
1608 kdc_log(context, config, 0,
1609 "TGS-REQ %s from %s for %s", cpn, from, spn);
1610
1611 /*
1612 * Fetch server
1613 */
1614
1615 server_lookup:
1616 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1617 NULL, NULL, &server);
1618
1619 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1620 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1621 goto out;
1622 } else if(ret){
1623 const char *new_rlm, *msg;
1624 Realm req_rlm;
1625 krb5_realm *realms;
1626
1627 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1628 if(nloop++ < 2) {
1629 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1630 if(new_rlm) {
1631 kdc_log(context, config, 5, "krbtgt for realm %s "
1632 "not found, trying %s",
1633 req_rlm, new_rlm);
1634 krb5_free_principal(context, sp);
1635 free(spn);
1636 krb5_make_principal(context, &sp, r,
1637 KRB5_TGS_NAME, new_rlm, NULL);
1638 ret = krb5_unparse_name(context, sp, &spn);
1639 if (ret)
1640 goto out;
1641
1642 if (ref_realm)
1643 free(ref_realm);
1644 ref_realm = strdup(new_rlm);
1645 goto server_lookup;
1646 }
1647 }
1648 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1649 if (strcmp(realms[0], sp->realm) != 0) {
1650 kdc_log(context, config, 5,
1651 "Returning a referral to realm %s for "
1652 "server %s that was not found",
1653 realms[0], spn);
1654 krb5_free_principal(context, sp);
1655 free(spn);
1656 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1657 realms[0], NULL);
1658 ret = krb5_unparse_name(context, sp, &spn);
1659 if (ret)
1660 goto out;
1661
1662 if (ref_realm)
1663 free(ref_realm);
1664 ref_realm = strdup(realms[0]);
1665
1666 krb5_free_host_realm(context, realms);
1667 goto server_lookup;
1668 }
1669 krb5_free_host_realm(context, realms);
1670 }
1671 msg = krb5_get_error_message(context, ret);
1672 kdc_log(context, config, 0,
1673 "Server not found in database: %s: %s", spn, msg);
1674 krb5_free_error_message(context, msg);
1675 if (ret == HDB_ERR_NOENTRY)
1676 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1677 goto out;
1678 }
1679
1680 /*
1681 * Select enctype, return key and kvno.
1682 */
1683
1684 {
1685 krb5_enctype etype;
1686
1687 if(b->kdc_options.enc_tkt_in_skey) {
1688 size_t i;
1689 ekey = &adtkt.key;
1690 for(i = 0; i < b->etype.len; i++)
1691 if (b->etype.val[i] == adtkt.key.keytype)
1692 break;
1693 if(i == b->etype.len) {
1694 kdc_log(context, config, 0,
1695 "Addition ticket have not matching etypes");
1696 krb5_clear_error_message(context);
1697 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1698 goto out;
1699 }
1700 etype = b->etype.val[i];
1701 kvno = 0;
1702 } else {
1703 Key *skey;
1704
1705 ret = _kdc_find_etype(context,
1706 config->tgs_use_strongest_session_key, FALSE,
1707 server, b->etype.val, b->etype.len, NULL,
1708 &skey);
1709 if(ret) {
1710 kdc_log(context, config, 0,
1711 "Server (%s) has no support for etypes", spn);
1712 goto out;
1713 }
1714 ekey = &skey->key;
1715 etype = skey->key.keytype;
1716 kvno = server->entry.kvno;
1717 }
1718
1719 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1720 if (ret)
1721 goto out;
1722 }
1723
1724 /*
1725 * Check that service is in the same realm as the krbtgt. If it's
1726 * not the same, it's someone that is using a uni-directional trust
1727 * backward.
1728 */
1729
1730 /*
1731 * Validate authoriation data
1732 */
1733
1734 ret = hdb_enctype2key(context, &krbtgt->entry,
1735 krbtgt_etype, &tkey_check);
1736 if(ret) {
1737 kdc_log(context, config, 0,
1738 "Failed to find key for krbtgt PAC check");
1739 goto out;
1740 }
1741
1742 /* Now refetch the primary krbtgt, and get the current kvno (the
1743 * sign check may have been on an old kvno, and the server may
1744 * have been an incoming trust) */
1745 ret = krb5_make_principal(context, &krbtgt_principal,
1746 krb5_principal_get_comp_string(context,
1747 krbtgt->entry.principal,
1748 1),
1749 KRB5_TGS_NAME,
1750 krb5_principal_get_comp_string(context,
1751 krbtgt->entry.principal,
1752 1), NULL);
1753 if(ret) {
1754 kdc_log(context, config, 0,
1755 "Failed to generate krbtgt principal");
1756 goto out;
1757 }
1758
1759 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1760 krb5_free_principal(context, krbtgt_principal);
1761 if (ret) {
1762 krb5_error_code ret2;
1763 char *ktpn, *ktpn2;
1764 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1765 ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
1766 kdc_log(context, config, 0,
1767 "Request with wrong krbtgt: %s, %s not found in our database",
1768 (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
1769 if(ret == 0)
1770 free(ktpn);
1771 if(ret2 == 0)
1772 free(ktpn2);
1773 ret = KRB5KRB_AP_ERR_NOT_US;
1774 goto out;
1775 }
1776
1777 /* The first realm is the realm of the service, the second is
1778 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1779 * encrypted to. The redirection via the krbtgt_out entry allows
1780 * the DB to possibly correct the case of the realm (Samba4 does
1781 * this) before the strcmp() */
1782 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1783 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1784 char *ktpn;
1785 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1786 kdc_log(context, config, 0,
1787 "Request with wrong krbtgt: %s",
1788 (ret == 0) ? ktpn : "<unknown>");
1789 if(ret == 0)
1790 free(ktpn);
1791 ret = KRB5KRB_AP_ERR_NOT_US;
1792 }
1793
1794 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1795 krbtgt_etype, &tkey_sign);
1796 if(ret) {
1797 kdc_log(context, config, 0,
1798 "Failed to find key for krbtgt PAC signature");
1799 goto out;
1800 }
1801
1802 /* Check if we would know the krbtgt key for the PAC. We would
1803 * only know this if the krbtgt principal was the same (ie, in our
1804 * realm, regardless of KVNO) */
1805 if (krb5_principal_compare(context, krbtgt_out->entry.principal, krbtgt->entry.principal)) {
1806 tkey_krbtgt_check = tkey_check;
1807 }
1808
1809 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1810 NULL, &clientdb, &client);
1811 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1812 /* This is OK, we are just trying to find out if they have
1813 * been disabled or deleted in the meantime, missing secrets
1814 * is OK */
1815 } else if(ret){
1816 const char *krbtgt_realm, *msg;
1817
1818 /*
1819 * If the client belongs to the same realm as our krbtgt, it
1820 * should exist in the local database.
1821 *
1822 */
1823
1824 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1825
1826 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1827 if (ret == HDB_ERR_NOENTRY)
1828 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1829 kdc_log(context, config, 1, "Client no longer in database: %s",
1830 cpn);
1831 goto out;
1832 }
1833
1834 msg = krb5_get_error_message(context, ret);
1835 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1836 krb5_free_error_message(context, msg);
1837 }
1838
1839 ret = check_PAC(context, config, cp, NULL,
1840 client, server, krbtgt,
1841 &tkey_check->key,
1842 tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
1843 ekey, &tkey_sign->key,
1844 tgt, &rspac, &signedpath);
1845 if (ret) {
1846 const char *msg = krb5_get_error_message(context, ret);
1847 kdc_log(context, config, 0,
1848 "Verify PAC failed for %s (%s) from %s with %s",
1849 spn, cpn, from, msg);
1850 krb5_free_error_message(context, msg);
1851 goto out;
1852 }
1853
1854 /* also check the krbtgt for signature */
1855 ret = check_KRB5SignedPath(context,
1856 config,
1857 krbtgt,
1858 cp,
1859 tgt,
1860 &spp,
1861 &signedpath);
1862 if (ret) {
1863 const char *msg = krb5_get_error_message(context, ret);
1864 kdc_log(context, config, 0,
1865 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1866 spn, cpn, from, msg);
1867 krb5_free_error_message(context, msg);
1868 goto out;
1869 }
1870
1871 /*
1872 * Process request
1873 */
1874
1875 /* by default the tgt principal matches the client principal */
1876 tp = cp;
1877 tpn = cpn;
1878
1879 if (client) {
1880 const PA_DATA *sdata;
1881 int i = 0;
1882
1883 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1884 if (sdata) {
1885 krb5_crypto crypto;
1886 krb5_data datack;
1887 PA_S4U2Self self;
1888 const char *str;
1889
1890 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1891 sdata->padata_value.length,
1892 &self, NULL);
1893 if (ret) {
1894 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1895 goto out;
1896 }
1897
1898 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1899 if (ret)
1900 goto out;
1901
1902 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1903 if (ret) {
1904 const char *msg = krb5_get_error_message(context, ret);
1905 free_PA_S4U2Self(&self);
1906 krb5_data_free(&datack);
1907 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1908 krb5_free_error_message(context, msg);
1909 goto out;
1910 }
1911
1912 ret = krb5_verify_checksum(context,
1913 crypto,
1914 KRB5_KU_OTHER_CKSUM,
1915 datack.data,
1916 datack.length,
1917 &self.cksum);
1918 krb5_data_free(&datack);
1919 krb5_crypto_destroy(context, crypto);
1920 if (ret) {
1921 const char *msg = krb5_get_error_message(context, ret);
1922 free_PA_S4U2Self(&self);
1923 kdc_log(context, config, 0,
1924 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1925 krb5_free_error_message(context, msg);
1926 goto out;
1927 }
1928
1929 ret = _krb5_principalname2krb5_principal(context,
1930 &tp,
1931 self.name,
1932 self.realm);
1933 free_PA_S4U2Self(&self);
1934 if (ret)
1935 goto out;
1936
1937 ret = krb5_unparse_name(context, tp, &tpn);
1938 if (ret)
1939 goto out;
1940
1941 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1942 if(rspac.data) {
1943 krb5_pac p = NULL;
1944 krb5_data_free(&rspac);
1945 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
1946 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1947 if (ret) {
1948 const char *msg;
1949
1950 /*
1951 * If the client belongs to the same realm as our krbtgt, it
1952 * should exist in the local database.
1953 *
1954 */
1955
1956 if (ret == HDB_ERR_NOENTRY)
1957 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1958 msg = krb5_get_error_message(context, ret);
1959 kdc_log(context, config, 1,
1960 "S2U4Self principal to impersonate %s not found in database: %s",
1961 tpn, msg);
1962 krb5_free_error_message(context, msg);
1963 goto out;
1964 }
1965 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1966 if (ret) {
1967 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1968 tpn);
1969 goto out;
1970 }
1971 if (p != NULL) {
1972 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1973 s4u2self_impersonated_client->entry.principal,
1974 ekey, &tkey_sign->key,
1975 &rspac);
1976 krb5_pac_free(context, p);
1977 if (ret) {
1978 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1979 tpn);
1980 goto out;
1981 }
1982 }
1983 }
1984
1985 /*
1986 * Check that service doing the impersonating is
1987 * requesting a ticket to it-self.
1988 */
1989 ret = check_s4u2self(context, config, clientdb, client, sp);
1990 if (ret) {
1991 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1992 "to impersonate to service "
1993 "(tried for user %s to service %s)",
1994 cpn, tpn, spn);
1995 goto out;
1996 }
1997
1998 /*
1999 * If the service isn't trusted for authentication to
2000 * delegation, remove the forward flag.
2001 */
2002
2003 if (client->entry.flags.trusted_for_delegation) {
2004 str = "[forwardable]";
2005 } else {
2006 b->kdc_options.forwardable = 0;
2007 str = "";
2008 }
2009 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
2010 "service %s %s", cpn, tpn, spn, str);
2011 }
2012 }
2013
2014 /*
2015 * Constrained delegation
2016 */
2017
2018 if (client != NULL
2019 && b->additional_tickets != NULL
2020 && b->additional_tickets->len != 0
2021 && b->kdc_options.enc_tkt_in_skey == 0)
2022 {
2023 int ad_signedpath = 0;
2024 Key *clientkey;
2025 Ticket *t;
2026
2027 /*
2028 * Require that the KDC have issued the service's krbtgt (not
2029 * self-issued ticket with kimpersonate(1).
2030 */
2031 if (!signedpath) {
2032 ret = KRB5KDC_ERR_BADOPTION;
2033 kdc_log(context, config, 0,
2034 "Constrained delegation done on service ticket %s/%s",
2035 cpn, spn);
2036 goto out;
2037 }
2038
2039 t = &b->additional_tickets->val[0];
2040
2041 ret = hdb_enctype2key(context, &client->entry,
2042 t->enc_part.etype, &clientkey);
2043 if(ret){
2044 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2045 goto out;
2046 }
2047
2048 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2049 if (ret) {
2050 kdc_log(context, config, 0,
2051 "failed to decrypt ticket for "
2052 "constrained delegation from %s to %s ", cpn, spn);
2053 goto out;
2054 }
2055
2056 ret = _krb5_principalname2krb5_principal(context,
2057 &tp,
2058 adtkt.cname,
2059 adtkt.crealm);
2060 if (ret)
2061 goto out;
2062
2063 ret = krb5_unparse_name(context, tp, &tpn);
2064 if (ret)
2065 goto out;
2066
2067 ret = _krb5_principalname2krb5_principal(context,
2068 &dp,
2069 t->sname,
2070 t->realm);
2071 if (ret)
2072 goto out;
2073
2074 ret = krb5_unparse_name(context, dp, &dpn);
2075 if (ret)
2076 goto out;
2077
2078 /* check that ticket is valid */
2079 if (adtkt.flags.forwardable == 0) {
2080 kdc_log(context, config, 0,
2081 "Missing forwardable flag on ticket for "
2082 "constrained delegation from %s (%s) as %s to %s ",
2083 cpn, dpn, tpn, spn);
2084 ret = KRB5KDC_ERR_BADOPTION;
2085 goto out;
2086 }
2087
2088 ret = check_constrained_delegation(context, config, clientdb,
2089 client, server, sp);
2090 if (ret) {
2091 kdc_log(context, config, 0,
2092 "constrained delegation from %s (%s) as %s to %s not allowed",
2093 cpn, dpn, tpn, spn);
2094 goto out;
2095 }
2096
2097 ret = verify_flags(context, config, &adtkt, tpn);
2098 if (ret) {
2099 goto out;
2100 }
2101
2102 krb5_data_free(&rspac);
2103
2104 /*
2105 * generate the PAC for the user.
2106 *
2107 * TODO: pass in t->sname and t->realm and build
2108 * a S4U_DELEGATION_INFO blob to the PAC.
2109 */
2110 ret = check_PAC(context, config, tp, dp,
2111 client, server, krbtgt,
2112 &clientkey->key, &tkey_check->key,
2113 ekey, &tkey_sign->key,
2114 &adtkt, &rspac, &ad_signedpath);
2115 if (ret) {
2116 const char *msg = krb5_get_error_message(context, ret);
2117 kdc_log(context, config, 0,
2118 "Verify delegated PAC failed to %s for client"
2119 "%s (%s) as %s from %s with %s",
2120 spn, cpn, dpn, tpn, from, msg);
2121 krb5_free_error_message(context, msg);
2122 goto out;
2123 }
2124
2125 /*
2126 * Check that the KDC issued the user's ticket.
2127 */
2128 ret = check_KRB5SignedPath(context,
2129 config,
2130 krbtgt,
2131 cp,
2132 &adtkt,
2133 NULL,
2134 &ad_signedpath);
2135 if (ret) {
2136 const char *msg = krb5_get_error_message(context, ret);
2137 kdc_log(context, config, 0,
2138 "KRB5SignedPath check from service %s failed "
2139 "for delegation to %s for client %s (%s)"
2140 "from %s failed with %s",
2141 spn, tpn, dpn, cpn, from, msg);
2142 krb5_free_error_message(context, msg);
2143 goto out;
2144 }
2145
2146 if (!ad_signedpath) {
2147 ret = KRB5KDC_ERR_BADOPTION;
2148 kdc_log(context, config, 0,
2149 "Ticket not signed with PAC nor SignedPath service %s failed "
2150 "for delegation to %s for client %s (%s)"
2151 "from %s",
2152 spn, tpn, dpn, cpn, from);
2153 goto out;
2154 }
2155
2156 kdc_log(context, config, 0, "constrained delegation for %s "
2157 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2158 }
2159
2160 /*
2161 * Check flags
2162 */
2163
2164 ret = kdc_check_flags(context, config,
2165 client, cpn,
2166 server, spn,
2167 FALSE);
2168 if(ret)
2169 goto out;
2170
2171 if((b->kdc_options.validate || b->kdc_options.renew) &&
2172 !krb5_principal_compare(context,
2173 krbtgt->entry.principal,
2174 server->entry.principal)){
2175 kdc_log(context, config, 0, "Inconsistent request.");
2176 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2177 goto out;
2178 }
2179
2180 /* check for valid set of addresses */
2181 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2182 ret = KRB5KRB_AP_ERR_BADADDR;
2183 kdc_log(context, config, 0, "Request from wrong address");
2184 goto out;
2185 }
2186
2187 /*
2188 * If this is an referral, add server referral data to the
2189 * auth_data reply .
2190 */
2191 if (ref_realm) {
2192 PA_DATA pa;
2193 krb5_crypto crypto;
2194
2195 kdc_log(context, config, 0,
2196 "Adding server referral to %s", ref_realm);
2197
2198 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2199 if (ret)
2200 goto out;
2201
2202 ret = build_server_referral(context, config, crypto, ref_realm,
2203 NULL, s, &pa.padata_value);
2204 krb5_crypto_destroy(context, crypto);
2205 if (ret) {
2206 kdc_log(context, config, 0,
2207 "Failed building server referral");
2208 goto out;
2209 }
2210 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2211
2212 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2213 krb5_data_free(&pa.padata_value);
2214 if (ret) {
2215 kdc_log(context, config, 0,
2216 "Add server referral METHOD-DATA failed");
2217 goto out;
2218 }
2219 }
2220
2221 /*
2222 *
2223 */
2224
2225 ret = tgs_make_reply(context,
2226 config,
2227 b,
2228 tp,
2229 tgt,
2230 replykey,
2231 rk_is_subkey,
2232 ekey,
2233 &sessionkey,
2234 kvno,
2235 *auth_data,
2236 server,
2237 server->entry.principal,
2238 spn,
2239 client,
2240 cp,
2241 krbtgt_out,
2242 krbtgt_etype,
2243 spp,
2244 &rspac,
2245 &enc_pa_data,
2246 e_text,
2247 reply);
2248
2249 out:
2250 if (tpn != cpn)
2251 free(tpn);
2252 free(spn);
2253 free(cpn);
2254 if (dpn)
2255 free(dpn);
2256
2257 krb5_data_free(&rspac);
2258 krb5_free_keyblock_contents(context, &sessionkey);
2259 if(krbtgt_out)
2260 _kdc_free_ent(context, krbtgt_out);
2261 if(server)
2262 _kdc_free_ent(context, server);
2263 if(client)
2264 _kdc_free_ent(context, client);
2265 if(s4u2self_impersonated_client)
2266 _kdc_free_ent(context, s4u2self_impersonated_client);
2267
2268 if (tp && tp != cp)
2269 krb5_free_principal(context, tp);
2270 if (cp)
2271 krb5_free_principal(context, cp);
2272 if (dp)
2273 krb5_free_principal(context, dp);
2274 if (sp)
2275 krb5_free_principal(context, sp);
2276 if (ref_realm)
2277 free(ref_realm);
2278 free_METHOD_DATA(&enc_pa_data);
2279
2280 free_EncTicketPart(&adtkt);
2281
2282 return ret;
2283 }
2284
2285 /*
2286 *
2287 */
2288
2289 krb5_error_code
2290 _kdc_tgs_rep(krb5_context context,
2291 krb5_kdc_configuration *config,
2292 KDC_REQ *req,
2293 krb5_data *data,
2294 const char *from,
2295 struct sockaddr *from_addr,
2296 int datagram_reply)
2297 {
2298 AuthorizationData *auth_data = NULL;
2299 krb5_error_code ret;
2300 int i = 0;
2301 const PA_DATA *tgs_req;
2302
2303 hdb_entry_ex *krbtgt = NULL;
2304 krb5_ticket *ticket = NULL;
2305 const char *e_text = NULL;
2306 krb5_enctype krbtgt_etype = ETYPE_NULL;
2307
2308 krb5_keyblock *replykey = NULL;
2309 int rk_is_subkey = 0;
2310 time_t *csec = NULL;
2311 int *cusec = NULL;
2312
2313 if(req->padata == NULL){
2314 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2315 kdc_log(context, config, 0,
2316 "TGS-REQ from %s without PA-DATA", from);
2317 goto out;
2318 }
2319
2320 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2321
2322 if(tgs_req == NULL){
2323 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2324
2325 kdc_log(context, config, 0,
2326 "TGS-REQ from %s without PA-TGS-REQ", from);
2327 goto out;
2328 }
2329 ret = tgs_parse_request(context, config,
2330 &req->req_body, tgs_req,
2331 &krbtgt,
2332 &krbtgt_etype,
2333 &ticket,
2334 &e_text,
2335 from, from_addr,
2336 &csec, &cusec,
2337 &auth_data,
2338 &replykey,
2339 &rk_is_subkey);
2340 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2341 /* kdc_log() is called in tgs_parse_request() */
2342 goto out;
2343 }
2344 if (ret) {
2345 kdc_log(context, config, 0,
2346 "Failed parsing TGS-REQ from %s", from);
2347 goto out;
2348 }
2349
2350 ret = tgs_build_reply(context,
2351 config,
2352 req,
2353 &req->req_body,
2354 krbtgt,
2355 krbtgt_etype,
2356 replykey,
2357 rk_is_subkey,
2358 ticket,
2359 data,
2360 from,
2361 &e_text,
2362 &auth_data,
2363 from_addr);
2364 if (ret) {
2365 kdc_log(context, config, 0,
2366 "Failed building TGS-REP to %s", from);
2367 goto out;
2368 }
2369
2370 /* */
2371 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2372 krb5_data_free(data);
2373 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2374 e_text = "Reply packet too large";
2375 }
2376
2377 out:
2378 if (replykey)
2379 krb5_free_keyblock(context, replykey);
2380 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2381 krb5_mk_error(context,
2382 ret,
2383 NULL,
2384 NULL,
2385 NULL,
2386 NULL,
2387 csec,
2388 cusec,
2389 data);
2390 ret = 0;
2391 }
2392 free(csec);
2393 free(cusec);
2394 if (ticket)
2395 krb5_free_ticket(context, ticket);
2396 if(krbtgt)
2397 _kdc_free_ent(context, krbtgt);
2398
2399 if (auth_data) {
2400 free_AuthorizationData(auth_data);
2401 free(auth_data);
2402 }
2403
2404 return ret;
2405 }
reg import