2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * return the realm of a krbtgt-ticket or NULL
41 get_krbtgt_realm(const PrincipalName
*p
)
43 if(p
->name_string
.len
== 2
44 && strcmp(p
->name_string
.val
[0], KRB5_TGS_NAME
) == 0)
45 return p
->name_string
.val
[1];
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context
,
61 const AuthorizationData
*ad
,
64 AuthorizationData child
;
68 if (ad
== NULL
|| ad
->len
== 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
73 if (ad
->val
[pos
].ad_type
!= KRB5_AUTHDATA_IF_RELEVANT
)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
76 ret
= decode_AuthorizationData(ad
->val
[pos
].ad_data
.data
,
77 ad
->val
[pos
].ad_data
.length
,
81 krb5_set_error_message(context
, ret
, "Failed to decode "
82 "IF_RELEVANT with %d", ret
);
87 free_AuthorizationData(&child
);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
91 if (child
.val
[0].ad_type
!= KRB5_AUTHDATA_SIGNTICKET
) {
92 free_AuthorizationData(&child
);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
97 ret
= der_copy_octet_string(&child
.val
[0].ad_data
, data
);
98 free_AuthorizationData(&child
);
103 _kdc_add_KRB5SignedPath(krb5_context context
,
104 krb5_kdc_configuration
*config
,
105 hdb_entry_ex
*krbtgt
,
106 krb5_enctype enctype
,
107 krb5_principal client
,
108 krb5_const_principal server
,
109 krb5_principals principals
,
115 krb5_crypto crypto
= NULL
;
118 if (server
&& principals
) {
119 ret
= add_Principals(principals
, server
);
125 KRB5SignedPathData spd
;
128 spd
.authtime
= tkt
->authtime
;
129 spd
.delegated
= principals
;
130 spd
.method_data
= NULL
;
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData
, data
.data
, data
.length
,
136 if (data
.length
!= size
)
137 krb5_abortx(context
, "internal asn.1 encoder error");
142 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, NULL
, enctype
, &key
);
144 ret
= krb5_crypto_init(context
, &key
->key
, 0, &crypto
);
152 * Fill in KRB5SignedPath
156 sp
.delegated
= principals
;
157 sp
.method_data
= NULL
;
159 ret
= krb5_create_checksum(context
, crypto
, KRB5_KU_KRB5SIGNEDPATH
, 0,
160 data
.data
, data
.length
, &sp
.cksum
);
161 krb5_crypto_destroy(context
, crypto
);
166 ASN1_MALLOC_ENCODE(KRB5SignedPath
, data
.data
, data
.length
, &sp
, &size
, ret
);
167 free_Checksum(&sp
.cksum
);
170 if (data
.length
!= size
)
171 krb5_abortx(context
, "internal asn.1 encoder error");
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
179 ret
= _kdc_tkt_add_if_relevant_ad(context
, tkt
,
180 KRB5_AUTHDATA_SIGNTICKET
, &data
);
181 krb5_data_free(&data
);
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context
,
188 krb5_kdc_configuration
*config
,
189 hdb_entry_ex
*krbtgt
,
192 krb5_principals
*delegated
,
197 krb5_crypto crypto
= NULL
;
202 ret
= find_KRB5SignedPath(context
, tkt
->authorization_data
, &data
);
204 KRB5SignedPathData spd
;
208 ret
= decode_KRB5SignedPath(data
.data
, data
.length
, &sp
, NULL
);
209 krb5_data_free(&data
);
214 spd
.authtime
= tkt
->authtime
;
215 spd
.delegated
= sp
.delegated
;
216 spd
.method_data
= sp
.method_data
;
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData
, data
.data
, data
.length
,
221 free_KRB5SignedPath(&sp
);
224 if (data
.length
!= size
)
225 krb5_abortx(context
, "internal asn.1 encoder error");
229 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, NULL
, /* XXX use correct kvno! */
232 ret
= krb5_crypto_init(context
, &key
->key
, 0, &crypto
);
235 free_KRB5SignedPath(&sp
);
239 ret
= krb5_verify_checksum(context
, crypto
, KRB5_KU_KRB5SIGNEDPATH
,
240 data
.data
, data
.length
,
242 krb5_crypto_destroy(context
, crypto
);
245 free_KRB5SignedPath(&sp
);
246 kdc_log(context
, config
, 5,
247 "KRB5SignedPath not signed correctly, not marking as signed");
251 if (delegated
&& sp
.delegated
) {
253 *delegated
= malloc(sizeof(*sp
.delegated
));
254 if (*delegated
== NULL
) {
255 free_KRB5SignedPath(&sp
);
259 ret
= copy_Principals(*delegated
, sp
.delegated
);
261 free_KRB5SignedPath(&sp
);
267 free_KRB5SignedPath(&sp
);
279 static krb5_error_code
280 check_PAC(krb5_context context
,
281 krb5_kdc_configuration
*config
,
282 const krb5_principal client_principal
,
283 const krb5_principal delegated_proxy_principal
,
284 hdb_entry_ex
*client
,
285 hdb_entry_ex
*server
,
286 hdb_entry_ex
*krbtgt
,
287 const EncryptionKey
*server_check_key
,
288 const EncryptionKey
*server_sign_key
,
289 const EncryptionKey
*krbtgt_sign_key
,
294 AuthorizationData
*ad
= tkt
->authorization_data
;
298 if (ad
== NULL
|| ad
->len
== 0)
301 for (i
= 0; i
< ad
->len
; i
++) {
302 AuthorizationData child
;
304 if (ad
->val
[i
].ad_type
!= KRB5_AUTHDATA_IF_RELEVANT
)
307 ret
= decode_AuthorizationData(ad
->val
[i
].ad_data
.data
,
308 ad
->val
[i
].ad_data
.length
,
312 krb5_set_error_message(context
, ret
, "Failed to decode "
313 "IF_RELEVANT with %d", ret
);
316 for (j
= 0; j
< child
.len
; j
++) {
318 if (child
.val
[j
].ad_type
== KRB5_AUTHDATA_WIN2K_PAC
) {
323 ret
= krb5_pac_parse(context
,
324 child
.val
[j
].ad_data
.data
,
325 child
.val
[j
].ad_data
.length
,
327 free_AuthorizationData(&child
);
331 ret
= krb5_pac_verify(context
, pac
, tkt
->authtime
,
333 server_check_key
, NULL
);
335 krb5_pac_free(context
, pac
);
339 ret
= _kdc_pac_verify(context
, client_principal
,
340 delegated_proxy_principal
,
341 client
, server
, krbtgt
, &pac
, &signed_pac
);
343 krb5_pac_free(context
, pac
);
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
355 ret
= _krb5_pac_sign(context
, pac
, tkt
->authtime
,
357 server_sign_key
, krbtgt_sign_key
, rspac
);
359 krb5_pac_free(context
, pac
);
364 free_AuthorizationData(&child
);
373 static krb5_error_code
374 check_tgs_flags(krb5_context context
,
375 krb5_kdc_configuration
*config
,
376 KDC_REQ_BODY
*b
, const EncTicketPart
*tgt
, EncTicketPart
*et
)
378 KDCOptions f
= b
->kdc_options
;
381 if(!tgt
->flags
.invalid
|| tgt
->starttime
== NULL
){
382 kdc_log(context
, config
, 0,
383 "Bad request to validate ticket");
384 return KRB5KDC_ERR_BADOPTION
;
386 if(*tgt
->starttime
> kdc_time
){
387 kdc_log(context
, config
, 0,
388 "Early request to validate ticket");
389 return KRB5KRB_AP_ERR_TKT_NYV
;
392 et
->flags
.invalid
= 0;
393 }else if(tgt
->flags
.invalid
){
394 kdc_log(context
, config
, 0,
395 "Ticket-granting ticket has INVALID flag set");
396 return KRB5KRB_AP_ERR_TKT_INVALID
;
400 if(!tgt
->flags
.forwardable
){
401 kdc_log(context
, config
, 0,
402 "Bad request for forwardable ticket");
403 return KRB5KDC_ERR_BADOPTION
;
405 et
->flags
.forwardable
= 1;
408 if(!tgt
->flags
.forwardable
){
409 kdc_log(context
, config
, 0,
410 "Request to forward non-forwardable ticket");
411 return KRB5KDC_ERR_BADOPTION
;
413 et
->flags
.forwarded
= 1;
414 et
->caddr
= b
->addresses
;
416 if(tgt
->flags
.forwarded
)
417 et
->flags
.forwarded
= 1;
420 if(!tgt
->flags
.proxiable
){
421 kdc_log(context
, config
, 0,
422 "Bad request for proxiable ticket");
423 return KRB5KDC_ERR_BADOPTION
;
425 et
->flags
.proxiable
= 1;
428 if(!tgt
->flags
.proxiable
){
429 kdc_log(context
, config
, 0,
430 "Request to proxy non-proxiable ticket");
431 return KRB5KDC_ERR_BADOPTION
;
434 et
->caddr
= b
->addresses
;
439 if(f
.allow_postdate
){
440 if(!tgt
->flags
.may_postdate
){
441 kdc_log(context
, config
, 0,
442 "Bad request for post-datable ticket");
443 return KRB5KDC_ERR_BADOPTION
;
445 et
->flags
.may_postdate
= 1;
448 if(!tgt
->flags
.may_postdate
){
449 kdc_log(context
, config
, 0,
450 "Bad request for postdated ticket");
451 return KRB5KDC_ERR_BADOPTION
;
454 *et
->starttime
= *b
->from
;
455 et
->flags
.postdated
= 1;
456 et
->flags
.invalid
= 1;
457 }else if(b
->from
&& *b
->from
> kdc_time
+ context
->max_skew
){
458 kdc_log(context
, config
, 0, "Ticket cannot be postdated");
459 return KRB5KDC_ERR_CANNOT_POSTDATE
;
463 if(!tgt
->flags
.renewable
|| tgt
->renew_till
== NULL
){
464 kdc_log(context
, config
, 0,
465 "Bad request for renewable ticket");
466 return KRB5KDC_ERR_BADOPTION
;
468 et
->flags
.renewable
= 1;
469 ALLOC(et
->renew_till
);
470 _kdc_fix_time(&b
->rtime
);
471 *et
->renew_till
= *b
->rtime
;
475 if(!tgt
->flags
.renewable
|| tgt
->renew_till
== NULL
){
476 kdc_log(context
, config
, 0,
477 "Request to renew non-renewable ticket");
478 return KRB5KDC_ERR_BADOPTION
;
480 old_life
= tgt
->endtime
;
482 old_life
-= *tgt
->starttime
;
484 old_life
-= tgt
->authtime
;
485 et
->endtime
= *et
->starttime
+ old_life
;
486 if (et
->renew_till
!= NULL
)
487 et
->endtime
= min(*et
->renew_till
, et
->endtime
);
491 /* checks for excess flags */
492 if(f
.request_anonymous
&& !config
->allow_anonymous
){
493 kdc_log(context
, config
, 0,
494 "Request for anonymous ticket");
495 return KRB5KDC_ERR_BADOPTION
;
502 * Determine if constrained delegation is allowed from this client to this server
505 static krb5_error_code
506 check_constrained_delegation(krb5_context context
,
507 krb5_kdc_configuration
*config
,
509 hdb_entry_ex
*client
,
510 hdb_entry_ex
*server
,
511 krb5_const_principal target
)
513 const HDB_Ext_Constrained_delegation_acl
*acl
;
518 * constrained_delegation (S4U2Proxy) only works within
519 * the same realm. We use the already canonicalized version
520 * of the principals here, while "target" is the principal
521 * provided by the client.
523 if(!krb5_realm_compare(context
, client
->entry
.principal
, server
->entry
.principal
)) {
524 ret
= KRB5KDC_ERR_BADOPTION
;
525 kdc_log(context
, config
, 0,
526 "Bad request for constrained delegation");
530 if (clientdb
->hdb_check_constrained_delegation
) {
531 ret
= clientdb
->hdb_check_constrained_delegation(context
, clientdb
, client
, target
);
535 /* if client delegates to itself, that ok */
536 if (krb5_principal_compare(context
, client
->entry
.principal
, server
->entry
.principal
) == TRUE
)
539 ret
= hdb_entry_get_ConstrainedDelegACL(&client
->entry
, &acl
);
541 krb5_clear_error_message(context
);
546 for (i
= 0; i
< acl
->len
; i
++) {
547 if (krb5_principal_compare(context
, target
, &acl
->val
[i
]) == TRUE
)
551 ret
= KRB5KDC_ERR_BADOPTION
;
553 kdc_log(context
, config
, 0,
554 "Bad request for constrained delegation");
559 * Determine if s4u2self is allowed from this client to this server
561 * For example, regardless of the principal being impersonated, if the
562 * 'client' and 'server' are the same, then it's safe.
565 static krb5_error_code
566 check_s4u2self(krb5_context context
,
567 krb5_kdc_configuration
*config
,
569 hdb_entry_ex
*client
,
570 krb5_const_principal server
)
574 /* if client does a s4u2self to itself, that ok */
575 if (krb5_principal_compare(context
, client
->entry
.principal
, server
) == TRUE
)
578 if (clientdb
->hdb_check_s4u2self
) {
579 ret
= clientdb
->hdb_check_s4u2self(context
, clientdb
, client
, server
);
583 ret
= KRB5KDC_ERR_BADOPTION
;
592 static krb5_error_code
593 verify_flags (krb5_context context
,
594 krb5_kdc_configuration
*config
,
595 const EncTicketPart
*et
,
598 if(et
->endtime
< kdc_time
){
599 kdc_log(context
, config
, 0, "Ticket expired (%s)", pstr
);
600 return KRB5KRB_AP_ERR_TKT_EXPIRED
;
602 if(et
->flags
.invalid
){
603 kdc_log(context
, config
, 0, "Ticket not valid (%s)", pstr
);
604 return KRB5KRB_AP_ERR_TKT_NYV
;
613 static krb5_error_code
614 fix_transited_encoding(krb5_context context
,
615 krb5_kdc_configuration
*config
,
616 krb5_boolean check_policy
,
617 const TransitedEncoding
*tr
,
619 const char *client_realm
,
620 const char *server_realm
,
621 const char *tgt_realm
)
623 krb5_error_code ret
= 0;
624 char **realms
, **tmp
;
625 unsigned int num_realms
;
628 switch (tr
->tr_type
) {
629 case DOMAIN_X500_COMPRESS
:
633 * Allow empty content of type 0 because that is was Microsoft
634 * generates in their TGT.
636 if (tr
->contents
.length
== 0)
638 kdc_log(context
, config
, 0,
639 "Transited type 0 with non empty content");
640 return KRB5KDC_ERR_TRTYPE_NOSUPP
;
642 kdc_log(context
, config
, 0,
643 "Unknown transited type: %u", tr
->tr_type
);
644 return KRB5KDC_ERR_TRTYPE_NOSUPP
;
647 ret
= krb5_domain_x500_decode(context
,
654 krb5_warn(context
, ret
,
655 "Decoding transited encoding");
658 if(strcmp(client_realm
, tgt_realm
) && strcmp(server_realm
, tgt_realm
)) {
659 /* not us, so add the previous realm to transited set */
660 if (num_realms
+ 1 > UINT_MAX
/sizeof(*realms
)) {
664 tmp
= realloc(realms
, (num_realms
+ 1) * sizeof(*realms
));
670 realms
[num_realms
] = strdup(tgt_realm
);
671 if(realms
[num_realms
] == NULL
){
677 if(num_realms
== 0) {
678 if(strcmp(client_realm
, server_realm
))
679 kdc_log(context
, config
, 0,
680 "cross-realm %s -> %s", client_realm
, server_realm
);
684 for(i
= 0; i
< num_realms
; i
++)
685 l
+= strlen(realms
[i
]) + 2;
689 for(i
= 0; i
< num_realms
; i
++) {
691 strlcat(rs
, ", ", l
);
692 strlcat(rs
, realms
[i
], l
);
694 kdc_log(context
, config
, 0,
695 "cross-realm %s -> %s via [%s]",
696 client_realm
, server_realm
, rs
);
701 ret
= krb5_check_transited(context
, client_realm
,
703 realms
, num_realms
, NULL
);
705 krb5_warn(context
, ret
, "cross-realm %s -> %s",
706 client_realm
, server_realm
);
709 et
->flags
.transited_policy_checked
= 1;
711 et
->transited
.tr_type
= DOMAIN_X500_COMPRESS
;
712 ret
= krb5_domain_x500_encode(realms
, num_realms
, &et
->transited
.contents
);
714 krb5_warn(context
, ret
, "Encoding transited encoding");
716 for(i
= 0; i
< num_realms
; i
++)
723 static krb5_error_code
724 tgs_make_reply(krb5_context context
,
725 krb5_kdc_configuration
*config
,
727 krb5_const_principal tgt_name
,
728 const EncTicketPart
*tgt
,
729 const krb5_keyblock
*replykey
,
731 const EncryptionKey
*serverkey
,
732 const krb5_keyblock
*sessionkey
,
734 AuthorizationData
*auth_data
,
735 hdb_entry_ex
*server
,
736 krb5_principal server_principal
,
737 const char *server_name
,
738 hdb_entry_ex
*client
,
739 krb5_principal client_principal
,
740 hdb_entry_ex
*krbtgt
,
741 krb5_enctype krbtgt_etype
,
743 const krb5_data
*rspac
,
744 const METHOD_DATA
*enc_pa_data
,
751 KDCOptions f
= b
->kdc_options
;
755 memset(&rep
, 0, sizeof(rep
));
756 memset(&et
, 0, sizeof(et
));
757 memset(&ek
, 0, sizeof(ek
));
760 rep
.msg_type
= krb_tgs_rep
;
762 et
.authtime
= tgt
->authtime
;
763 _kdc_fix_time(&b
->till
);
764 et
.endtime
= min(tgt
->endtime
, *b
->till
);
766 *et
.starttime
= kdc_time
;
768 ret
= check_tgs_flags(context
, config
, b
, tgt
, &et
);
772 /* We should check the transited encoding if:
773 1) the request doesn't ask not to be checked
774 2) globally enforcing a check
775 3) principal requires checking
776 4) we allow non-check per-principal, but principal isn't marked as allowing this
777 5) we don't globally allow this
780 #define GLOBAL_FORCE_TRANSITED_CHECK \
781 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
782 #define GLOBAL_ALLOW_PER_PRINCIPAL \
783 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
784 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
785 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
787 /* these will consult the database in future release */
788 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
789 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
791 ret
= fix_transited_encoding(context
, config
,
792 !f
.disable_transited_check
||
793 GLOBAL_FORCE_TRANSITED_CHECK
||
794 PRINCIPAL_FORCE_TRANSITED_CHECK(server
) ||
795 !((GLOBAL_ALLOW_PER_PRINCIPAL
&&
796 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server
)) ||
797 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK
),
798 &tgt
->transited
, &et
,
799 krb5_principal_get_realm(context
, client_principal
),
800 krb5_principal_get_realm(context
, server
->entry
.principal
),
801 krb5_principal_get_realm(context
, krbtgt
->entry
.principal
));
805 copy_Realm(&server_principal
->realm
, &rep
.ticket
.realm
);
806 _krb5_principal2principalname(&rep
.ticket
.sname
, server_principal
);
807 copy_Realm(&tgt_name
->realm
, &rep
.crealm
);
809 if (f.request_anonymous)
810 _kdc_make_anonymous_principalname (&rep.cname);
813 copy_PrincipalName(&tgt_name
->name
, &rep
.cname
);
814 rep
.ticket
.tkt_vno
= 5;
820 life
= et
.endtime
- *et
.starttime
;
821 if(client
&& client
->entry
.max_life
)
822 life
= min(life
, *client
->entry
.max_life
);
823 if(server
->entry
.max_life
)
824 life
= min(life
, *server
->entry
.max_life
);
825 et
.endtime
= *et
.starttime
+ life
;
827 if(f
.renewable_ok
&& tgt
->flags
.renewable
&&
828 et
.renew_till
== NULL
&& et
.endtime
< *b
->till
&&
829 tgt
->renew_till
!= NULL
)
831 et
.flags
.renewable
= 1;
832 ALLOC(et
.renew_till
);
833 *et
.renew_till
= *b
->till
;
837 renew
= *et
.renew_till
- *et
.starttime
;
838 if(client
&& client
->entry
.max_renew
)
839 renew
= min(renew
, *client
->entry
.max_renew
);
840 if(server
->entry
.max_renew
)
841 renew
= min(renew
, *server
->entry
.max_renew
);
842 *et
.renew_till
= *et
.starttime
+ renew
;
846 *et
.renew_till
= min(*et
.renew_till
, *tgt
->renew_till
);
847 *et
.starttime
= min(*et
.starttime
, *et
.renew_till
);
848 et
.endtime
= min(et
.endtime
, *et
.renew_till
);
851 *et
.starttime
= min(*et
.starttime
, et
.endtime
);
853 if(*et
.starttime
== et
.endtime
){
854 ret
= KRB5KDC_ERR_NEVER_VALID
;
857 if(et
.renew_till
&& et
.endtime
== *et
.renew_till
){
859 et
.renew_till
= NULL
;
860 et
.flags
.renewable
= 0;
863 et
.flags
.pre_authent
= tgt
->flags
.pre_authent
;
864 et
.flags
.hw_authent
= tgt
->flags
.hw_authent
;
865 et
.flags
.anonymous
= tgt
->flags
.anonymous
;
866 et
.flags
.ok_as_delegate
= server
->entry
.flags
.ok_as_delegate
;
870 * No not need to filter out the any PAC from the
871 * auth_data since it's signed by the KDC.
873 ret
= _kdc_tkt_add_if_relevant_ad(context
, &et
,
874 KRB5_AUTHDATA_WIN2K_PAC
, rspac
);
882 /* XXX check authdata */
884 if (et
.authorization_data
== NULL
) {
885 et
.authorization_data
= calloc(1, sizeof(*et
.authorization_data
));
886 if (et
.authorization_data
== NULL
) {
888 krb5_set_error_message(context
, ret
, "malloc: out of memory");
892 for(i
= 0; i
< auth_data
->len
; i
++) {
893 ret
= add_AuthorizationData(et
.authorization_data
, &auth_data
->val
[i
]);
895 krb5_set_error_message(context
, ret
, "malloc: out of memory");
900 /* Filter out type KRB5SignedPath */
901 ret
= find_KRB5SignedPath(context
, et
.authorization_data
, NULL
);
903 if (et
.authorization_data
->len
== 1) {
904 free_AuthorizationData(et
.authorization_data
);
905 free(et
.authorization_data
);
906 et
.authorization_data
= NULL
;
908 AuthorizationData
*ad
= et
.authorization_data
;
909 free_AuthorizationDataElement(&ad
->val
[ad
->len
- 1]);
915 ret
= krb5_copy_keyblock_contents(context
, sessionkey
, &et
.key
);
918 et
.crealm
= tgt_name
->realm
;
919 et
.cname
= tgt_name
->name
;
922 /* MIT must have at least one last_req */
923 ek
.last_req
.val
= calloc(1, sizeof(*ek
.last_req
.val
));
924 if (ek
.last_req
.val
== NULL
) {
928 ek
.last_req
.len
= 1; /* set after alloc to avoid null deref on cleanup */
931 ek
.authtime
= et
.authtime
;
932 ek
.starttime
= et
.starttime
;
933 ek
.endtime
= et
.endtime
;
934 ek
.renew_till
= et
.renew_till
;
935 ek
.srealm
= rep
.ticket
.realm
;
936 ek
.sname
= rep
.ticket
.sname
;
938 _kdc_log_timestamp(context
, config
, "TGS-REQ", et
.authtime
, et
.starttime
,
939 et
.endtime
, et
.renew_till
);
941 /* Don't sign cross realm tickets, they can't be checked anyway */
943 char *r
= get_krbtgt_realm(&ek
.sname
);
945 if (r
== NULL
|| strcmp(r
, ek
.srealm
) == 0) {
946 ret
= _kdc_add_KRB5SignedPath(context
,
959 if (enc_pa_data
->len
) {
960 rep
.padata
= calloc(1, sizeof(*rep
.padata
));
961 if (rep
.padata
== NULL
) {
965 ret
= copy_METHOD_DATA(enc_pa_data
, rep
.padata
);
970 if (krb5_enctype_valid(context
, serverkey
->keytype
) != 0
971 && _kdc_is_weak_exception(server
->entry
.principal
, serverkey
->keytype
))
973 krb5_enctype_enable(context
, serverkey
->keytype
);
978 /* It is somewhat unclear where the etype in the following
979 encryption should come from. What we have is a session
980 key in the passed tgt, and a list of preferred etypes
981 *for the new ticket*. Should we pick the best possible
982 etype, given the keytype in the tgt, or should we look
983 at the etype list here as well? What if the tgt
984 session key is DES3 and we want a ticket with a (say)
985 CAST session key. Should the DES3 etype be added to the
986 etype list, even if we don't want a session key with
988 ret
= _kdc_encode_reply(context
, config
, NULL
, 0,
989 &rep
, &et
, &ek
, serverkey
->keytype
,
991 serverkey
, 0, replykey
, rk_is_subkey
,
994 krb5_enctype_disable(context
, serverkey
->keytype
);
998 free_TransitedEncoding(&et
.transited
);
1002 free(et
.renew_till
);
1003 if(et
.authorization_data
) {
1004 free_AuthorizationData(et
.authorization_data
);
1005 free(et
.authorization_data
);
1007 free_LastReq(&ek
.last_req
);
1008 memset(et
.key
.keyvalue
.data
, 0, et
.key
.keyvalue
.length
);
1009 free_EncryptionKey(&et
.key
);
1013 static krb5_error_code
1014 tgs_check_authenticator(krb5_context context
,
1015 krb5_kdc_configuration
*config
,
1016 krb5_auth_context ac
,
1018 const char **e_text
,
1021 krb5_authenticator auth
;
1025 krb5_error_code ret
;
1028 krb5_auth_con_getauthenticator(context
, ac
, &auth
);
1029 if(auth
->cksum
== NULL
){
1030 kdc_log(context
, config
, 0, "No authenticator in request");
1031 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
1035 * according to RFC1510 it doesn't need to be keyed,
1036 * but according to the latest draft it needs to.
1040 !krb5_checksum_is_keyed(context
, auth
->cksum
->cksumtype
)
1043 !krb5_checksum_is_collision_proof(context
, auth
->cksum
->cksumtype
)) {
1044 kdc_log(context
, config
, 0, "Bad checksum type in authenticator: %d",
1045 auth
->cksum
->cksumtype
);
1046 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
1050 /* XXX should not re-encode this */
1051 ASN1_MALLOC_ENCODE(KDC_REQ_BODY
, buf
, buf_size
, b
, &len
, ret
);
1053 const char *msg
= krb5_get_error_message(context
, ret
);
1054 kdc_log(context
, config
, 0, "Failed to encode KDC-REQ-BODY: %s", msg
);
1055 krb5_free_error_message(context
, msg
);
1058 if(buf_size
!= len
) {
1060 kdc_log(context
, config
, 0, "Internal error in ASN.1 encoder");
1061 *e_text
= "KDC internal error";
1062 ret
= KRB5KRB_ERR_GENERIC
;
1065 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
1067 const char *msg
= krb5_get_error_message(context
, ret
);
1069 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1070 krb5_free_error_message(context
, msg
);
1073 ret
= krb5_verify_checksum(context
,
1075 KRB5_KU_TGS_REQ_AUTH_CKSUM
,
1080 krb5_crypto_destroy(context
, crypto
);
1082 const char *msg
= krb5_get_error_message(context
, ret
);
1083 kdc_log(context
, config
, 0,
1084 "Failed to verify authenticator checksum: %s", msg
);
1085 krb5_free_error_message(context
, msg
);
1088 free_Authenticator(auth
);
1094 need_referral(krb5_context context
, krb5_kdc_configuration
*config
,
1095 const KDCOptions
* const options
, krb5_principal server
,
1096 krb5_realm
**realms
)
1100 if(!options
->canonicalize
&& server
->name
.name_type
!= KRB5_NT_SRV_INST
)
1103 if (server
->name
.name_string
.len
== 1)
1104 name
= server
->name
.name_string
.val
[0];
1105 else if (server
->name
.name_string
.len
== 3) {
1107 This is used to give referrals for the
1108 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1109 SPN form, which is used for inter-domain communication in AD
1111 name
= server
->name
.name_string
.val
[2];
1112 kdc_log(context
, config
, 0, "Giving 3 part referral for %s", name
);
1113 *realms
= malloc(sizeof(char *)*2);
1114 if (*realms
== NULL
) {
1115 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1118 (*realms
)[0] = strdup(name
);
1119 (*realms
)[1] = NULL
;
1121 } else if (server
->name
.name_string
.len
> 1)
1122 name
= server
->name
.name_string
.val
[1];
1126 kdc_log(context
, config
, 0, "Searching referral for %s", name
);
1128 return _krb5_get_host_realm_int(context
, name
, FALSE
, realms
) == 0;
1131 static krb5_error_code
1132 tgs_parse_request(krb5_context context
,
1133 krb5_kdc_configuration
*config
,
1135 const PA_DATA
*tgs_req
,
1136 hdb_entry_ex
**krbtgt
,
1137 krb5_enctype
*krbtgt_etype
,
1138 krb5_ticket
**ticket
,
1139 const char **e_text
,
1141 const struct sockaddr
*from_addr
,
1144 AuthorizationData
**auth_data
,
1145 krb5_keyblock
**replykey
,
1148 static char failed
[] = "<unparse_name failed>";
1150 krb5_error_code ret
;
1151 krb5_principal princ
;
1152 krb5_auth_context ac
= NULL
;
1153 krb5_flags ap_req_options
;
1154 krb5_flags verify_ap_req_flags
;
1156 krb5uint32 krbtgt_kvno
; /* kvno used for the PA-TGS-REQ AP-REQ Ticket */
1157 krb5uint32 krbtgt_kvno_try
;
1158 int kvno_search_tries
= 4; /* number of kvnos to try when tkt_vno == 0 */
1159 const Keys
*krbtgt_keys
;/* keyset for TGT tkt_vno */
1161 krb5_keyblock
*subkey
= NULL
;
1169 memset(&ap_req
, 0, sizeof(ap_req
));
1170 ret
= krb5_decode_ap_req(context
, &tgs_req
->padata_value
, &ap_req
);
1172 const char *msg
= krb5_get_error_message(context
, ret
);
1173 kdc_log(context
, config
, 0, "Failed to decode AP-REQ: %s", msg
);
1174 krb5_free_error_message(context
, msg
);
1178 if(!get_krbtgt_realm(&ap_req
.ticket
.sname
)){
1179 /* XXX check for ticket.sname == req.sname */
1180 kdc_log(context
, config
, 0, "PA-DATA is not a ticket-granting ticket");
1181 ret
= KRB5KDC_ERR_POLICY
; /* ? */
1185 _krb5_principalname2krb5_principal(context
,
1187 ap_req
.ticket
.sname
,
1188 ap_req
.ticket
.realm
);
1190 krbtgt_kvno
= ap_req
.ticket
.enc_part
.kvno
? *ap_req
.ticket
.enc_part
.kvno
: 0;
1191 ret
= _kdc_db_fetch(context
, config
, princ
, HDB_F_GET_KRBTGT
,
1192 &krbtgt_kvno
, NULL
, krbtgt
);
1194 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
1195 /* XXX Factor out this unparsing of the same princ all over */
1197 ret
= krb5_unparse_name(context
, princ
, &p
);
1200 krb5_free_principal(context
, princ
);
1201 kdc_log(context
, config
, 5,
1202 "Ticket-granting ticket account %s does not have secrets at "
1203 "this KDC, need to proxy", p
);
1206 ret
= HDB_ERR_NOT_FOUND_HERE
;
1208 } else if (ret
== HDB_ERR_KVNO_NOT_FOUND
) {
1210 ret
= krb5_unparse_name(context
, princ
, &p
);
1213 krb5_free_principal(context
, princ
);
1214 kdc_log(context
, config
, 5,
1215 "Ticket-granting ticket account %s does not have keys for "
1216 "kvno %d at this KDC", p
, krbtgt_kvno
);
1219 ret
= HDB_ERR_KVNO_NOT_FOUND
;
1221 } else if (ret
== HDB_ERR_NO_MKEY
) {
1223 ret
= krb5_unparse_name(context
, princ
, &p
);
1226 krb5_free_principal(context
, princ
);
1227 kdc_log(context
, config
, 5,
1228 "Missing master key for decrypting keys for ticket-granting "
1229 "ticket account %s with kvno %d at this KDC", p
, krbtgt_kvno
);
1232 ret
= HDB_ERR_KVNO_NOT_FOUND
;
1235 const char *msg
= krb5_get_error_message(context
, ret
);
1237 ret
= krb5_unparse_name(context
, princ
, &p
);
1240 krb5_free_principal(context
, princ
);
1241 kdc_log(context
, config
, 0,
1242 "Ticket-granting ticket not found in database: %s", msg
);
1243 krb5_free_error_message(context
, msg
);
1246 ret
= KRB5KRB_AP_ERR_NOT_US
;
1250 krbtgt_kvno_try
= krbtgt_kvno
? krbtgt_kvno
: (*krbtgt
)->entry
.kvno
;
1251 *krbtgt_etype
= ap_req
.ticket
.enc_part
.etype
;
1254 krbtgt_keys
= hdb_kvno2keys(context
, &(*krbtgt
)->entry
, krbtgt_kvno_try
);
1255 ret
= hdb_enctype2key(context
, &(*krbtgt
)->entry
, krbtgt_keys
,
1256 ap_req
.ticket
.enc_part
.etype
, &tkey
);
1257 if (ret
&& krbtgt_kvno
== 0 && kvno_search_tries
> 0) {
1258 kvno_search_tries
--;
1262 char *str
= NULL
, *p
= NULL
;
1264 krb5_enctype_to_string(context
, ap_req
.ticket
.enc_part
.etype
, &str
);
1265 krb5_unparse_name(context
, princ
, &p
);
1266 kdc_log(context
, config
, 0,
1267 "No server key with enctype %s found for %s",
1268 str
? str
: "<unknown enctype>",
1269 p
? p
: "<unparse_name failed>");
1272 ret
= KRB5KRB_AP_ERR_BADKEYVER
;
1276 if (b
->kdc_options
.validate
)
1277 verify_ap_req_flags
= KRB5_VERIFY_AP_REQ_IGNORE_INVALID
;
1279 verify_ap_req_flags
= 0;
1281 ret
= krb5_verify_ap_req2(context
,
1286 verify_ap_req_flags
,
1289 KRB5_KU_TGS_REQ_AUTH
);
1290 if (ret
== KRB5KRB_AP_ERR_BAD_INTEGRITY
&& kvno_search_tries
> 0) {
1291 kvno_search_tries
--;
1296 krb5_free_principal(context
, princ
);
1298 const char *msg
= krb5_get_error_message(context
, ret
);
1299 kdc_log(context
, config
, 0, "Failed to verify AP-REQ: %s", msg
);
1300 krb5_free_error_message(context
, msg
);
1305 krb5_authenticator auth
;
1307 ret
= krb5_auth_con_getauthenticator(context
, ac
, &auth
);
1309 *csec
= malloc(sizeof(**csec
));
1310 if (*csec
== NULL
) {
1311 krb5_free_authenticator(context
, &auth
);
1312 kdc_log(context
, config
, 0, "malloc failed");
1315 **csec
= auth
->ctime
;
1316 *cusec
= malloc(sizeof(**cusec
));
1317 if (*cusec
== NULL
) {
1318 krb5_free_authenticator(context
, &auth
);
1319 kdc_log(context
, config
, 0, "malloc failed");
1322 **cusec
= auth
->cusec
;
1323 krb5_free_authenticator(context
, &auth
);
1327 ret
= tgs_check_authenticator(context
, config
,
1328 ac
, b
, e_text
, &(*ticket
)->ticket
.key
);
1330 krb5_auth_con_free(context
, ac
);
1334 usage
= KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY
;
1337 ret
= krb5_auth_con_getremotesubkey(context
, ac
, &subkey
);
1339 const char *msg
= krb5_get_error_message(context
, ret
);
1340 krb5_auth_con_free(context
, ac
);
1341 kdc_log(context
, config
, 0, "Failed to get remote subkey: %s", msg
);
1342 krb5_free_error_message(context
, msg
);
1346 usage
= KRB5_KU_TGS_REQ_AUTH_DAT_SESSION
;
1349 ret
= krb5_auth_con_getkey(context
, ac
, &subkey
);
1351 const char *msg
= krb5_get_error_message(context
, ret
);
1352 krb5_auth_con_free(context
, ac
);
1353 kdc_log(context
, config
, 0, "Failed to get session key: %s", msg
);
1354 krb5_free_error_message(context
, msg
);
1359 krb5_auth_con_free(context
, ac
);
1360 kdc_log(context
, config
, 0,
1361 "Failed to get key for enc-authorization-data");
1362 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1368 if (b
->enc_authorization_data
) {
1371 ret
= krb5_crypto_init(context
, subkey
, 0, &crypto
);
1373 const char *msg
= krb5_get_error_message(context
, ret
);
1374 krb5_auth_con_free(context
, ac
);
1375 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1376 krb5_free_error_message(context
, msg
);
1379 ret
= krb5_decrypt_EncryptedData (context
,
1382 b
->enc_authorization_data
,
1384 krb5_crypto_destroy(context
, crypto
);
1386 krb5_auth_con_free(context
, ac
);
1387 kdc_log(context
, config
, 0,
1388 "Failed to decrypt enc-authorization-data");
1389 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1393 if (*auth_data
== NULL
) {
1394 krb5_auth_con_free(context
, ac
);
1395 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1398 ret
= decode_AuthorizationData(ad
.data
, ad
.length
, *auth_data
, NULL
);
1400 krb5_auth_con_free(context
, ac
);
1403 kdc_log(context
, config
, 0, "Failed to decode authorization data");
1404 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1409 krb5_auth_con_free(context
, ac
);
1412 free_AP_REQ(&ap_req
);
1417 static krb5_error_code
1418 build_server_referral(krb5_context context
,
1419 krb5_kdc_configuration
*config
,
1420 krb5_crypto session
,
1421 krb5_const_realm referred_realm
,
1422 const PrincipalName
*true_principal_name
,
1423 const PrincipalName
*requested_principal
,
1426 PA_ServerReferralData ref
;
1427 krb5_error_code ret
;
1432 memset(&ref
, 0, sizeof(ref
));
1434 if (referred_realm
) {
1435 ALLOC(ref
.referred_realm
);
1436 if (ref
.referred_realm
== NULL
)
1438 *ref
.referred_realm
= strdup(referred_realm
);
1439 if (*ref
.referred_realm
== NULL
)
1442 if (true_principal_name
) {
1443 ALLOC(ref
.true_principal_name
);
1444 if (ref
.true_principal_name
== NULL
)
1446 ret
= copy_PrincipalName(true_principal_name
, ref
.true_principal_name
);
1450 if (requested_principal
) {
1451 ALLOC(ref
.requested_principal_name
);
1452 if (ref
.requested_principal_name
== NULL
)
1454 ret
= copy_PrincipalName(requested_principal
,
1455 ref
.requested_principal_name
);
1460 ASN1_MALLOC_ENCODE(PA_ServerReferralData
,
1461 data
.data
, data
.length
,
1463 free_PA_ServerReferralData(&ref
);
1466 if (data
.length
!= size
)
1467 krb5_abortx(context
, "internal asn.1 encoder error");
1469 ret
= krb5_encrypt_EncryptedData(context
, session
,
1470 KRB5_KU_PA_SERVER_REFERRAL
,
1471 data
.data
, data
.length
,
1477 ASN1_MALLOC_ENCODE(EncryptedData
,
1478 outdata
->data
, outdata
->length
,
1480 free_EncryptedData(&ed
);
1483 if (outdata
->length
!= size
)
1484 krb5_abortx(context
, "internal asn.1 encoder error");
1488 free_PA_ServerReferralData(&ref
);
1489 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1493 static krb5_error_code
1494 tgs_build_reply(krb5_context context
,
1495 krb5_kdc_configuration
*config
,
1498 hdb_entry_ex
*krbtgt
,
1499 krb5_enctype krbtgt_etype
,
1500 const krb5_keyblock
*replykey
,
1502 krb5_ticket
*ticket
,
1505 const char **e_text
,
1506 AuthorizationData
**auth_data
,
1507 const struct sockaddr
*from_addr
)
1509 krb5_error_code ret
;
1510 krb5_principal cp
= NULL
, sp
= NULL
, rsp
= NULL
, tp
= NULL
, dp
= NULL
;
1511 krb5_principal krbtgt_out_principal
= NULL
;
1512 char *spn
= NULL
, *cpn
= NULL
, *tpn
= NULL
, *dpn
= NULL
, *krbtgt_out_n
= NULL
;
1513 hdb_entry_ex
*server
= NULL
, *client
= NULL
, *s4u2self_impersonated_client
= NULL
;
1514 HDB
*clientdb
, *s4u2self_impersonated_clientdb
;
1515 krb5_realm ref_realm
= NULL
;
1516 EncTicketPart
*tgt
= &ticket
->ticket
;
1517 krb5_principals spp
= NULL
;
1518 const EncryptionKey
*ekey
;
1519 krb5_keyblock sessionkey
;
1522 const char *our_realm
= /* Realm of this KDC */
1523 krb5_principal_get_comp_string(context
, krbtgt
->entry
.principal
, 1);
1524 char **capath
= NULL
;
1525 size_t num_capath
= 0;
1527 hdb_entry_ex
*krbtgt_out
= NULL
;
1529 METHOD_DATA enc_pa_data
;
1533 EncTicketPart adtkt
;
1539 int flags
= HDB_F_FOR_TGS_REQ
;
1541 memset(&sessionkey
, 0, sizeof(sessionkey
));
1542 memset(&adtkt
, 0, sizeof(adtkt
));
1543 krb5_data_zero(&rspac
);
1544 memset(&enc_pa_data
, 0, sizeof(enc_pa_data
));
1550 * Always to do CANON, see comment below about returned server principal (rsp).
1552 flags
|= HDB_F_CANON
;
1554 if(b
->kdc_options
.enc_tkt_in_skey
){
1559 krb5uint32 second_kvno
= 0;
1560 krb5uint32
*kvno_ptr
= NULL
;
1562 if(b
->additional_tickets
== NULL
||
1563 b
->additional_tickets
->len
== 0){
1564 ret
= KRB5KDC_ERR_BADOPTION
; /* ? */
1565 kdc_log(context
, config
, 0,
1566 "No second ticket present in request");
1569 t
= &b
->additional_tickets
->val
[0];
1570 if(!get_krbtgt_realm(&t
->sname
)){
1571 kdc_log(context
, config
, 0,
1572 "Additional ticket is not a ticket-granting ticket");
1573 ret
= KRB5KDC_ERR_POLICY
;
1576 _krb5_principalname2krb5_principal(context
, &p
, t
->sname
, t
->realm
);
1577 if(t
->enc_part
.kvno
){
1578 second_kvno
= *t
->enc_part
.kvno
;
1579 kvno_ptr
= &second_kvno
;
1581 ret
= _kdc_db_fetch(context
, config
, p
,
1582 HDB_F_GET_KRBTGT
, kvno_ptr
,
1584 krb5_free_principal(context
, p
);
1586 if (ret
== HDB_ERR_NOENTRY
)
1587 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1590 ret
= hdb_enctype2key(context
, &uu
->entry
, NULL
,
1591 t
->enc_part
.etype
, &uukey
);
1593 _kdc_free_ent(context
, uu
);
1594 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
1597 ret
= krb5_decrypt_ticket(context
, t
, &uukey
->key
, &adtkt
, 0);
1598 _kdc_free_ent(context
, uu
);
1602 ret
= verify_flags(context
, config
, &adtkt
, spn
);
1610 _krb5_principalname2krb5_principal(context
, &sp
, *s
, r
);
1611 ret
= krb5_unparse_name(context
, sp
, &spn
);
1614 _krb5_principalname2krb5_principal(context
, &cp
, tgt
->cname
, tgt
->crealm
);
1615 ret
= krb5_unparse_name(context
, cp
, &cpn
);
1618 unparse_flags (KDCOptions2int(b
->kdc_options
),
1619 asn1_KDCOptions_units(),
1620 opt_str
, sizeof(opt_str
));
1622 kdc_log(context
, config
, 0,
1623 "TGS-REQ %s from %s for %s [%s]",
1624 cpn
, from
, spn
, opt_str
);
1626 kdc_log(context
, config
, 0,
1627 "TGS-REQ %s from %s for %s", cpn
, from
, spn
);
1634 ret
= _kdc_db_fetch(context
, config
, sp
, HDB_F_GET_SERVER
| flags
,
1635 NULL
, NULL
, &server
);
1637 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
1638 kdc_log(context
, config
, 5, "target %s does not have secrets at this KDC, need to proxy", sp
);
1640 } else if (ret
== HDB_ERR_WRONG_REALM
) {
1642 ref_realm
= strdup(server
->entry
.principal
->realm
);
1643 if (ref_realm
== NULL
) {
1644 ret
= krb5_enomem(context
);
1648 kdc_log(context
, config
, 5,
1649 "Returning a referral to realm %s for "
1652 krb5_free_principal(context
, sp
);
1654 ret
= krb5_make_principal(context
, &sp
, r
, KRB5_TGS_NAME
,
1660 ret
= krb5_unparse_name(context
, sp
, &spn
);
1666 const char *new_rlm
, *msg
;
1670 if ((req_rlm
= get_krbtgt_realm(&sp
->name
)) != NULL
) {
1671 if (capath
== NULL
) {
1672 /* With referalls, hierarchical capaths are always enabled */
1673 ret
= _krb5_find_capath(context
, tgt
->crealm
, our_realm
,
1674 req_rlm
, TRUE
, &capath
, &num_capath
);
1678 new_rlm
= num_capath
> 0 ? capath
[--num_capath
] : NULL
;
1680 kdc_log(context
, config
, 5, "krbtgt from %s via %s for "
1681 "realm %s not found, trying %s", tgt
->crealm
,
1682 our_realm
, req_rlm
, new_rlm
);
1685 ref_realm
= strdup(new_rlm
);
1686 if (ref_realm
== NULL
) {
1687 ret
= krb5_enomem(context
);
1691 krb5_free_principal(context
, sp
);
1693 krb5_make_principal(context
, &sp
, r
,
1694 KRB5_TGS_NAME
, ref_realm
, NULL
);
1697 ret
= krb5_unparse_name(context
, sp
, &spn
);
1702 } else if (need_referral(context
, config
, &b
->kdc_options
, sp
, &realms
)) {
1703 if (strcmp(realms
[0], sp
->realm
) != 0) {
1704 kdc_log(context
, config
, 5,
1705 "Returning a referral to realm %s for "
1706 "server %s that was not found",
1708 krb5_free_principal(context
, sp
);
1710 krb5_make_principal(context
, &sp
, r
, KRB5_TGS_NAME
,
1714 ret
= krb5_unparse_name(context
, sp
, &spn
);
1716 krb5_free_host_realm(context
, realms
);
1721 ref_realm
= strdup(realms
[0]);
1723 krb5_free_host_realm(context
, realms
);
1726 krb5_free_host_realm(context
, realms
);
1728 msg
= krb5_get_error_message(context
, ret
);
1729 kdc_log(context
, config
, 0,
1730 "Server not found in database: %s: %s", spn
, msg
);
1731 krb5_free_error_message(context
, msg
);
1732 if (ret
== HDB_ERR_NOENTRY
)
1733 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1737 /* the name returned to the client depend on what was asked for,
1738 * return canonical name if kdc_options.canonicalize was set, the
1739 * client wants the true name of the principal, if not it just
1740 * wants the name its asked for.
1743 if (b
->kdc_options
.canonicalize
)
1744 rsp
= server
->entry
.principal
;
1750 * Select enctype, return key and kvno.
1756 if(b
->kdc_options
.enc_tkt_in_skey
) {
1759 for(i
= 0; i
< b
->etype
.len
; i
++)
1760 if (b
->etype
.val
[i
] == adtkt
.key
.keytype
)
1762 if(i
== b
->etype
.len
) {
1763 kdc_log(context
, config
, 0,
1764 "Addition ticket have not matching etypes");
1765 krb5_clear_error_message(context
);
1766 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
;
1769 etype
= b
->etype
.val
[i
];
1774 ret
= _kdc_find_etype(context
,
1775 krb5_principal_is_krbtgt(context
, sp
) ?
1776 config
->tgt_use_strongest_session_key
:
1777 config
->svc_use_strongest_session_key
, FALSE
,
1778 server
, b
->etype
.val
, b
->etype
.len
, &etype
,
1781 kdc_log(context
, config
, 0,
1782 "Server (%s) has no support for etypes", spn
);
1785 ret
= _kdc_get_preferred_key(context
, config
, server
, spn
,
1788 kdc_log(context
, config
, 0,
1789 "Server (%s) has no supported etypes", spn
);
1793 kvno
= server
->entry
.kvno
;
1796 ret
= krb5_generate_random_keyblock(context
, etype
, &sessionkey
);
1802 * Check that service is in the same realm as the krbtgt. If it's
1803 * not the same, it's someone that is using a uni-directional trust
1808 * Validate authoriation data
1811 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, NULL
, /* XXX use the right kvno! */
1812 krbtgt_etype
, &tkey_check
);
1814 kdc_log(context
, config
, 0,
1815 "Failed to find key for krbtgt PAC check");
1820 * Now refetch the primary krbtgt, and get the current kvno (the
1821 * sign check may have been on an old kvno, and the server may
1822 * have been an incoming trust)
1825 ret
= krb5_make_principal(context
,
1826 &krbtgt_out_principal
,
1832 kdc_log(context
, config
, 0,
1833 "Failed to make krbtgt principal name object for "
1834 "authz-data signatures");
1837 ret
= krb5_unparse_name(context
, krbtgt_out_principal
, &krbtgt_out_n
);
1839 kdc_log(context
, config
, 0,
1840 "Failed to make krbtgt principal name object for "
1841 "authz-data signatures");
1845 ret
= _kdc_db_fetch(context
, config
, krbtgt_out_principal
,
1846 HDB_F_GET_KRBTGT
, NULL
, NULL
, &krbtgt_out
);
1849 ret
= krb5_unparse_name(context
, krbtgt
->entry
.principal
, &ktpn
);
1850 kdc_log(context
, config
, 0,
1851 "No such principal %s (needed for authz-data signature keys) "
1852 "while processing TGS-REQ for service %s with krbtg %s",
1853 krbtgt_out_n
, spn
, (ret
== 0) ? ktpn
: "<unknown>");
1855 ret
= KRB5KRB_AP_ERR_NOT_US
;
1860 * The first realm is the realm of the service, the second is
1861 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1862 * encrypted to. The redirection via the krbtgt_out entry allows
1863 * the DB to possibly correct the case of the realm (Samba4 does
1864 * this) before the strcmp()
1866 if (strcmp(krb5_principal_get_realm(context
, server
->entry
.principal
),
1867 krb5_principal_get_realm(context
, krbtgt_out
->entry
.principal
)) != 0) {
1869 ret
= krb5_unparse_name(context
, krbtgt_out
->entry
.principal
, &ktpn
);
1870 kdc_log(context
, config
, 0,
1871 "Request with wrong krbtgt: %s",
1872 (ret
== 0) ? ktpn
: "<unknown>");
1875 ret
= KRB5KRB_AP_ERR_NOT_US
;
1879 ret
= _kdc_get_preferred_key(context
, config
, krbtgt_out
, krbtgt_out_n
,
1882 kdc_log(context
, config
, 0,
1883 "Failed to find key for krbtgt PAC signature");
1886 ret
= hdb_enctype2key(context
, &krbtgt_out
->entry
, NULL
,
1887 tkey_sign
->key
.keytype
, &tkey_sign
);
1889 kdc_log(context
, config
, 0,
1890 "Failed to find key for krbtgt PAC signature");
1894 ret
= _kdc_db_fetch(context
, config
, cp
, HDB_F_GET_CLIENT
| flags
,
1895 NULL
, &clientdb
, &client
);
1896 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1897 /* This is OK, we are just trying to find out if they have
1898 * been disabled or deleted in the meantime, missing secrets
1901 const char *krbtgt_realm
, *msg
;
1904 * If the client belongs to the same realm as our krbtgt, it
1905 * should exist in the local database.
1909 krbtgt_realm
= krb5_principal_get_realm(context
, krbtgt_out
->entry
.principal
);
1911 if(strcmp(krb5_principal_get_realm(context
, cp
), krbtgt_realm
) == 0) {
1912 if (ret
== HDB_ERR_NOENTRY
)
1913 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
1914 kdc_log(context
, config
, 1, "Client no longer in database: %s",
1919 msg
= krb5_get_error_message(context
, ret
);
1920 kdc_log(context
, config
, 1, "Client not found in database: %s", msg
);
1921 krb5_free_error_message(context
, msg
);
1924 ret
= check_PAC(context
, config
, cp
, NULL
,
1925 client
, server
, krbtgt
,
1927 ekey
, &tkey_sign
->key
,
1928 tgt
, &rspac
, &signedpath
);
1930 const char *msg
= krb5_get_error_message(context
, ret
);
1931 kdc_log(context
, config
, 0,
1932 "Verify PAC failed for %s (%s) from %s with %s",
1933 spn
, cpn
, from
, msg
);
1934 krb5_free_error_message(context
, msg
);
1938 /* also check the krbtgt for signature */
1939 ret
= check_KRB5SignedPath(context
,
1947 const char *msg
= krb5_get_error_message(context
, ret
);
1948 kdc_log(context
, config
, 0,
1949 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1950 spn
, cpn
, from
, msg
);
1951 krb5_free_error_message(context
, msg
);
1959 /* by default the tgt principal matches the client principal */
1964 const PA_DATA
*sdata
;
1967 sdata
= _kdc_find_padata(req
, &i
, KRB5_PADATA_FOR_USER
);
1974 ret
= decode_PA_S4U2Self(sdata
->padata_value
.data
,
1975 sdata
->padata_value
.length
,
1978 kdc_log(context
, config
, 0, "Failed to decode PA-S4U2Self");
1982 ret
= _krb5_s4u2self_to_checksumdata(context
, &self
, &datack
);
1986 ret
= krb5_crypto_init(context
, &tgt
->key
, 0, &crypto
);
1988 const char *msg
= krb5_get_error_message(context
, ret
);
1989 free_PA_S4U2Self(&self
);
1990 krb5_data_free(&datack
);
1991 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1992 krb5_free_error_message(context
, msg
);
1996 ret
= krb5_verify_checksum(context
,
1998 KRB5_KU_OTHER_CKSUM
,
2002 krb5_data_free(&datack
);
2003 krb5_crypto_destroy(context
, crypto
);
2005 const char *msg
= krb5_get_error_message(context
, ret
);
2006 free_PA_S4U2Self(&self
);
2007 kdc_log(context
, config
, 0,
2008 "krb5_verify_checksum failed for S4U2Self: %s", msg
);
2009 krb5_free_error_message(context
, msg
);
2013 ret
= _krb5_principalname2krb5_principal(context
,
2017 free_PA_S4U2Self(&self
);
2021 ret
= krb5_unparse_name(context
, tp
, &tpn
);
2025 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
2028 krb5_data_free(&rspac
);
2029 ret
= _kdc_db_fetch(context
, config
, tp
, HDB_F_GET_CLIENT
| flags
,
2030 NULL
, &s4u2self_impersonated_clientdb
, &s4u2self_impersonated_client
);
2035 * If the client belongs to the same realm as our krbtgt, it
2036 * should exist in the local database.
2040 if (ret
== HDB_ERR_NOENTRY
)
2041 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
2042 msg
= krb5_get_error_message(context
, ret
);
2043 kdc_log(context
, config
, 1,
2044 "S2U4Self principal to impersonate %s not found in database: %s",
2046 krb5_free_error_message(context
, msg
);
2049 ret
= _kdc_pac_generate(context
, s4u2self_impersonated_client
, &p
);
2051 kdc_log(context
, config
, 0, "PAC generation failed for -- %s",
2056 ret
= _krb5_pac_sign(context
, p
, ticket
->ticket
.authtime
,
2057 s4u2self_impersonated_client
->entry
.principal
,
2058 ekey
, &tkey_sign
->key
,
2060 krb5_pac_free(context
, p
);
2062 kdc_log(context
, config
, 0, "PAC signing failed for -- %s",
2070 * Check that service doing the impersonating is
2071 * requesting a ticket to it-self.
2073 ret
= check_s4u2self(context
, config
, clientdb
, client
, sp
);
2075 kdc_log(context
, config
, 0, "S4U2Self: %s is not allowed "
2076 "to impersonate to service "
2077 "(tried for user %s to service %s)",
2083 * If the service isn't trusted for authentication to
2084 * delegation, remove the forward flag.
2087 if (client
->entry
.flags
.trusted_for_delegation
) {
2088 str
= "[forwardable]";
2090 b
->kdc_options
.forwardable
= 0;
2093 kdc_log(context
, config
, 0, "s4u2self %s impersonating %s to "
2094 "service %s %s", cpn
, tpn
, spn
, str
);
2099 * Constrained delegation
2103 && b
->additional_tickets
!= NULL
2104 && b
->additional_tickets
->len
!= 0
2105 && b
->kdc_options
.enc_tkt_in_skey
== 0)
2107 int ad_signedpath
= 0;
2112 * Require that the KDC have issued the service's krbtgt (not
2113 * self-issued ticket with kimpersonate(1).
2116 ret
= KRB5KDC_ERR_BADOPTION
;
2117 kdc_log(context
, config
, 0,
2118 "Constrained delegation done on service ticket %s/%s",
2123 t
= &b
->additional_tickets
->val
[0];
2125 ret
= hdb_enctype2key(context
, &client
->entry
,
2126 hdb_kvno2keys(context
, &client
->entry
,
2127 t
->enc_part
.kvno
? * t
->enc_part
.kvno
: 0),
2128 t
->enc_part
.etype
, &clientkey
);
2130 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
2134 ret
= krb5_decrypt_ticket(context
, t
, &clientkey
->key
, &adtkt
, 0);
2136 kdc_log(context
, config
, 0,
2137 "failed to decrypt ticket for "
2138 "constrained delegation from %s to %s ", cpn
, spn
);
2142 ret
= _krb5_principalname2krb5_principal(context
,
2149 ret
= krb5_unparse_name(context
, tp
, &tpn
);
2153 ret
= _krb5_principalname2krb5_principal(context
,
2160 ret
= krb5_unparse_name(context
, dp
, &dpn
);
2164 /* check that ticket is valid */
2165 if (adtkt
.flags
.forwardable
== 0) {
2166 kdc_log(context
, config
, 0,
2167 "Missing forwardable flag on ticket for "
2168 "constrained delegation from %s (%s) as %s to %s ",
2169 cpn
, dpn
, tpn
, spn
);
2170 ret
= KRB5KDC_ERR_BADOPTION
;
2174 ret
= check_constrained_delegation(context
, config
, clientdb
,
2175 client
, server
, sp
);
2177 kdc_log(context
, config
, 0,
2178 "constrained delegation from %s (%s) as %s to %s not allowed",
2179 cpn
, dpn
, tpn
, spn
);
2183 ret
= verify_flags(context
, config
, &adtkt
, tpn
);
2188 krb5_data_free(&rspac
);
2191 * generate the PAC for the user.
2193 * TODO: pass in t->sname and t->realm and build
2194 * a S4U_DELEGATION_INFO blob to the PAC.
2196 ret
= check_PAC(context
, config
, tp
, dp
,
2197 client
, server
, krbtgt
,
2199 ekey
, &tkey_sign
->key
,
2200 &adtkt
, &rspac
, &ad_signedpath
);
2202 const char *msg
= krb5_get_error_message(context
, ret
);
2203 kdc_log(context
, config
, 0,
2204 "Verify delegated PAC failed to %s for client"
2205 "%s (%s) as %s from %s with %s",
2206 spn
, cpn
, dpn
, tpn
, from
, msg
);
2207 krb5_free_error_message(context
, msg
);
2212 * Check that the KDC issued the user's ticket.
2214 ret
= check_KRB5SignedPath(context
,
2222 const char *msg
= krb5_get_error_message(context
, ret
);
2223 kdc_log(context
, config
, 0,
2224 "KRB5SignedPath check from service %s failed "
2225 "for delegation to %s for client %s (%s)"
2226 "from %s failed with %s",
2227 spn
, tpn
, dpn
, cpn
, from
, msg
);
2228 krb5_free_error_message(context
, msg
);
2232 if (!ad_signedpath
) {
2233 ret
= KRB5KDC_ERR_BADOPTION
;
2234 kdc_log(context
, config
, 0,
2235 "Ticket not signed with PAC nor SignedPath service %s failed "
2236 "for delegation to %s for client %s (%s)"
2238 spn
, tpn
, dpn
, cpn
, from
);
2242 kdc_log(context
, config
, 0, "constrained delegation for %s "
2243 "from %s (%s) to %s", tpn
, cpn
, dpn
, spn
);
2250 ret
= kdc_check_flags(context
, config
,
2257 if((b
->kdc_options
.validate
|| b
->kdc_options
.renew
) &&
2258 !krb5_principal_compare(context
,
2259 krbtgt
->entry
.principal
,
2260 server
->entry
.principal
)){
2261 kdc_log(context
, config
, 0, "Inconsistent request.");
2262 ret
= KRB5KDC_ERR_SERVER_NOMATCH
;
2266 /* check for valid set of addresses */
2267 if(!_kdc_check_addresses(context
, config
, tgt
->caddr
, from_addr
)) {
2268 ret
= KRB5KRB_AP_ERR_BADADDR
;
2269 kdc_log(context
, config
, 0, "Request from wrong address");
2274 * If this is an referral, add server referral data to the
2281 kdc_log(context
, config
, 0,
2282 "Adding server referral to %s", ref_realm
);
2284 ret
= krb5_crypto_init(context
, &sessionkey
, 0, &crypto
);
2288 ret
= build_server_referral(context
, config
, crypto
, ref_realm
,
2289 NULL
, s
, &pa
.padata_value
);
2290 krb5_crypto_destroy(context
, crypto
);
2292 kdc_log(context
, config
, 0,
2293 "Failed building server referral");
2296 pa
.padata_type
= KRB5_PADATA_SERVER_REFERRAL
;
2298 ret
= add_METHOD_DATA(&enc_pa_data
, &pa
);
2299 krb5_data_free(&pa
.padata_value
);
2301 kdc_log(context
, config
, 0,
2302 "Add server referral METHOD-DATA failed");
2311 ret
= tgs_make_reply(context
,
2328 tkey_sign
->key
.keytype
,
2342 _krb5_free_capath(context
, capath
);
2344 krb5_data_free(&rspac
);
2345 krb5_free_keyblock_contents(context
, &sessionkey
);
2347 _kdc_free_ent(context
, krbtgt_out
);
2349 _kdc_free_ent(context
, server
);
2351 _kdc_free_ent(context
, client
);
2352 if(s4u2self_impersonated_client
)
2353 _kdc_free_ent(context
, s4u2self_impersonated_client
);
2356 krb5_free_principal(context
, tp
);
2357 krb5_free_principal(context
, cp
);
2358 krb5_free_principal(context
, dp
);
2359 krb5_free_principal(context
, sp
);
2360 krb5_free_principal(context
, krbtgt_out_principal
);
2362 free_METHOD_DATA(&enc_pa_data
);
2364 free_EncTicketPart(&adtkt
);
2374 _kdc_tgs_rep(krb5_context context
,
2375 krb5_kdc_configuration
*config
,
2379 struct sockaddr
*from_addr
,
2382 AuthorizationData
*auth_data
= NULL
;
2383 krb5_error_code ret
;
2385 const PA_DATA
*tgs_req
;
2387 hdb_entry_ex
*krbtgt
= NULL
;
2388 krb5_ticket
*ticket
= NULL
;
2389 const char *e_text
= NULL
;
2390 krb5_enctype krbtgt_etype
= ETYPE_NULL
;
2392 krb5_keyblock
*replykey
= NULL
;
2393 int rk_is_subkey
= 0;
2394 time_t *csec
= NULL
;
2397 if(req
->padata
== NULL
){
2398 ret
= KRB5KDC_ERR_PREAUTH_REQUIRED
; /* XXX ??? */
2399 kdc_log(context
, config
, 0,
2400 "TGS-REQ from %s without PA-DATA", from
);
2404 tgs_req
= _kdc_find_padata(req
, &i
, KRB5_PADATA_TGS_REQ
);
2406 if(tgs_req
== NULL
){
2407 ret
= KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
2409 kdc_log(context
, config
, 0,
2410 "TGS-REQ from %s without PA-TGS-REQ", from
);
2413 ret
= tgs_parse_request(context
, config
,
2414 &req
->req_body
, tgs_req
,
2424 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
2425 /* kdc_log() is called in tgs_parse_request() */
2429 kdc_log(context
, config
, 0,
2430 "Failed parsing TGS-REQ from %s", from
);
2435 const PA_DATA
*pa
= _kdc_find_padata(req
, &i
, KRB5_PADATA_FX_FAST
);
2437 kdc_log(context
, config
, 10, "Got TGS FAST request");
2441 ret
= tgs_build_reply(context
,
2456 kdc_log(context
, config
, 0,
2457 "Failed building TGS-REP to %s", from
);
2462 if (datagram_reply
&& data
->length
> config
->max_datagram_reply_length
) {
2463 krb5_data_free(data
);
2464 ret
= KRB5KRB_ERR_RESPONSE_TOO_BIG
;
2465 e_text
= "Reply packet too large";
2470 krb5_free_keyblock(context
, replykey
);
2472 if(ret
&& ret
!= HDB_ERR_NOT_FOUND_HERE
&& data
->data
== NULL
){
2473 /* XXX add fast wrapping on the error */
2474 METHOD_DATA error_method
= { 0, NULL
};
2477 kdc_log(context
, config
, 10, "tgs-req: sending error: %d to client", ret
);
2478 ret
= _kdc_fast_mk_error(context
, NULL
,
2487 free_METHOD_DATA(&error_method
);
2492 krb5_free_ticket(context
, ticket
);
2494 _kdc_free_ent(context
, krbtgt
);
2497 free_AuthorizationData(auth_data
);