2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * return the realm of a krbtgt-ticket or NULL
41 get_krbtgt_realm(const PrincipalName
*p
)
43 if(p
->name_string
.len
== 2
44 && strcmp(p
->name_string
.val
[0], KRB5_TGS_NAME
) == 0)
45 return p
->name_string
.val
[1];
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context
,
61 const AuthorizationData
*ad
,
64 AuthorizationData child
;
68 if (ad
== NULL
|| ad
->len
== 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
73 if (ad
->val
[pos
].ad_type
!= KRB5_AUTHDATA_IF_RELEVANT
)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
76 ret
= decode_AuthorizationData(ad
->val
[pos
].ad_data
.data
,
77 ad
->val
[pos
].ad_data
.length
,
81 krb5_set_error_message(context
, ret
, "Failed to decode "
82 "IF_RELEVANT with %d", ret
);
87 free_AuthorizationData(&child
);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
91 if (child
.val
[0].ad_type
!= KRB5_AUTHDATA_SIGNTICKET
) {
92 free_AuthorizationData(&child
);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
97 ret
= der_copy_octet_string(&child
.val
[0].ad_data
, data
);
98 free_AuthorizationData(&child
);
103 _kdc_add_KRB5SignedPath(krb5_context context
,
104 krb5_kdc_configuration
*config
,
105 hdb_entry_ex
*krbtgt
,
106 krb5_enctype enctype
,
107 krb5_principal client
,
108 krb5_const_principal server
,
109 krb5_principals principals
,
115 krb5_crypto crypto
= NULL
;
118 if (server
&& principals
) {
119 ret
= add_Principals(principals
, server
);
125 KRB5SignedPathData spd
;
128 spd
.authtime
= tkt
->authtime
;
129 spd
.delegated
= principals
;
130 spd
.method_data
= NULL
;
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData
, data
.data
, data
.length
,
136 if (data
.length
!= size
)
137 krb5_abortx(context
, "internal asn.1 encoder error");
142 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, enctype
, &key
);
144 ret
= krb5_crypto_init(context
, &key
->key
, 0, &crypto
);
152 * Fill in KRB5SignedPath
156 sp
.delegated
= principals
;
157 sp
.method_data
= NULL
;
159 ret
= krb5_create_checksum(context
, crypto
, KRB5_KU_KRB5SIGNEDPATH
, 0,
160 data
.data
, data
.length
, &sp
.cksum
);
161 krb5_crypto_destroy(context
, crypto
);
166 ASN1_MALLOC_ENCODE(KRB5SignedPath
, data
.data
, data
.length
, &sp
, &size
, ret
);
167 free_Checksum(&sp
.cksum
);
170 if (data
.length
!= size
)
171 krb5_abortx(context
, "internal asn.1 encoder error");
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
179 ret
= _kdc_tkt_add_if_relevant_ad(context
, tkt
,
180 KRB5_AUTHDATA_SIGNTICKET
, &data
);
181 krb5_data_free(&data
);
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context
,
188 krb5_kdc_configuration
*config
,
189 hdb_entry_ex
*krbtgt
,
192 krb5_principals
*delegated
,
197 krb5_crypto crypto
= NULL
;
202 ret
= find_KRB5SignedPath(context
, tkt
->authorization_data
, &data
);
204 KRB5SignedPathData spd
;
208 ret
= decode_KRB5SignedPath(data
.data
, data
.length
, &sp
, NULL
);
209 krb5_data_free(&data
);
214 spd
.authtime
= tkt
->authtime
;
215 spd
.delegated
= sp
.delegated
;
216 spd
.method_data
= sp
.method_data
;
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData
, data
.data
, data
.length
,
221 free_KRB5SignedPath(&sp
);
224 if (data
.length
!= size
)
225 krb5_abortx(context
, "internal asn.1 encoder error");
229 ret
= hdb_enctype2key(context
, &krbtgt
->entry
, sp
.etype
, &key
);
231 ret
= krb5_crypto_init(context
, &key
->key
, 0, &crypto
);
234 free_KRB5SignedPath(&sp
);
238 ret
= krb5_verify_checksum(context
, crypto
, KRB5_KU_KRB5SIGNEDPATH
,
239 data
.data
, data
.length
,
241 krb5_crypto_destroy(context
, crypto
);
244 free_KRB5SignedPath(&sp
);
245 kdc_log(context
, config
, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
250 if (delegated
&& sp
.delegated
) {
252 *delegated
= malloc(sizeof(*sp
.delegated
));
253 if (*delegated
== NULL
) {
254 free_KRB5SignedPath(&sp
);
258 ret
= copy_Principals(*delegated
, sp
.delegated
);
260 free_KRB5SignedPath(&sp
);
266 free_KRB5SignedPath(&sp
);
278 static krb5_error_code
279 check_PAC(krb5_context context
,
280 krb5_kdc_configuration
*config
,
281 const krb5_principal client_principal
,
282 hdb_entry_ex
*client
,
283 hdb_entry_ex
*server
,
284 hdb_entry_ex
*krbtgt
,
285 const EncryptionKey
*server_check_key
,
286 const EncryptionKey
*krbtgt_check_key
,
287 const EncryptionKey
*server_sign_key
,
288 const EncryptionKey
*krbtgt_sign_key
,
293 AuthorizationData
*ad
= tkt
->authorization_data
;
297 if (ad
== NULL
|| ad
->len
== 0)
300 for (i
= 0; i
< ad
->len
; i
++) {
301 AuthorizationData child
;
303 if (ad
->val
[i
].ad_type
!= KRB5_AUTHDATA_IF_RELEVANT
)
306 ret
= decode_AuthorizationData(ad
->val
[i
].ad_data
.data
,
307 ad
->val
[i
].ad_data
.length
,
311 krb5_set_error_message(context
, ret
, "Failed to decode "
312 "IF_RELEVANT with %d", ret
);
315 for (j
= 0; j
< child
.len
; j
++) {
317 if (child
.val
[j
].ad_type
== KRB5_AUTHDATA_WIN2K_PAC
) {
322 ret
= krb5_pac_parse(context
,
323 child
.val
[j
].ad_data
.data
,
324 child
.val
[j
].ad_data
.length
,
326 free_AuthorizationData(&child
);
330 ret
= krb5_pac_verify(context
, pac
, tkt
->authtime
,
332 server_check_key
, krbtgt_check_key
);
334 krb5_pac_free(context
, pac
);
338 ret
= _kdc_pac_verify(context
, client_principal
,
339 client
, server
, krbtgt
, &pac
, &signed_pac
);
341 krb5_pac_free(context
, pac
);
346 * Only re-sign PAC if we could verify it with the PAC
347 * function. The no-verify case happens when we get in
348 * a PAC from cross realm from a Windows domain and
349 * that there is no PAC verification function.
353 ret
= _krb5_pac_sign(context
, pac
, tkt
->authtime
,
355 server_sign_key
, krbtgt_sign_key
, rspac
);
357 krb5_pac_free(context
, pac
);
362 free_AuthorizationData(&child
);
371 static krb5_error_code
372 check_tgs_flags(krb5_context context
,
373 krb5_kdc_configuration
*config
,
374 KDC_REQ_BODY
*b
, const EncTicketPart
*tgt
, EncTicketPart
*et
)
376 KDCOptions f
= b
->kdc_options
;
379 if(!tgt
->flags
.invalid
|| tgt
->starttime
== NULL
){
380 kdc_log(context
, config
, 0,
381 "Bad request to validate ticket");
382 return KRB5KDC_ERR_BADOPTION
;
384 if(*tgt
->starttime
> kdc_time
){
385 kdc_log(context
, config
, 0,
386 "Early request to validate ticket");
387 return KRB5KRB_AP_ERR_TKT_NYV
;
390 et
->flags
.invalid
= 0;
391 }else if(tgt
->flags
.invalid
){
392 kdc_log(context
, config
, 0,
393 "Ticket-granting ticket has INVALID flag set");
394 return KRB5KRB_AP_ERR_TKT_INVALID
;
398 if(!tgt
->flags
.forwardable
){
399 kdc_log(context
, config
, 0,
400 "Bad request for forwardable ticket");
401 return KRB5KDC_ERR_BADOPTION
;
403 et
->flags
.forwardable
= 1;
406 if(!tgt
->flags
.forwardable
){
407 kdc_log(context
, config
, 0,
408 "Request to forward non-forwardable ticket");
409 return KRB5KDC_ERR_BADOPTION
;
411 et
->flags
.forwarded
= 1;
412 et
->caddr
= b
->addresses
;
414 if(tgt
->flags
.forwarded
)
415 et
->flags
.forwarded
= 1;
418 if(!tgt
->flags
.proxiable
){
419 kdc_log(context
, config
, 0,
420 "Bad request for proxiable ticket");
421 return KRB5KDC_ERR_BADOPTION
;
423 et
->flags
.proxiable
= 1;
426 if(!tgt
->flags
.proxiable
){
427 kdc_log(context
, config
, 0,
428 "Request to proxy non-proxiable ticket");
429 return KRB5KDC_ERR_BADOPTION
;
432 et
->caddr
= b
->addresses
;
437 if(f
.allow_postdate
){
438 if(!tgt
->flags
.may_postdate
){
439 kdc_log(context
, config
, 0,
440 "Bad request for post-datable ticket");
441 return KRB5KDC_ERR_BADOPTION
;
443 et
->flags
.may_postdate
= 1;
446 if(!tgt
->flags
.may_postdate
){
447 kdc_log(context
, config
, 0,
448 "Bad request for postdated ticket");
449 return KRB5KDC_ERR_BADOPTION
;
452 *et
->starttime
= *b
->from
;
453 et
->flags
.postdated
= 1;
454 et
->flags
.invalid
= 1;
455 }else if(b
->from
&& *b
->from
> kdc_time
+ context
->max_skew
){
456 kdc_log(context
, config
, 0, "Ticket cannot be postdated");
457 return KRB5KDC_ERR_CANNOT_POSTDATE
;
461 if(!tgt
->flags
.renewable
|| tgt
->renew_till
== NULL
){
462 kdc_log(context
, config
, 0,
463 "Bad request for renewable ticket");
464 return KRB5KDC_ERR_BADOPTION
;
466 et
->flags
.renewable
= 1;
467 ALLOC(et
->renew_till
);
468 _kdc_fix_time(&b
->rtime
);
469 *et
->renew_till
= *b
->rtime
;
473 if(!tgt
->flags
.renewable
|| tgt
->renew_till
== NULL
){
474 kdc_log(context
, config
, 0,
475 "Request to renew non-renewable ticket");
476 return KRB5KDC_ERR_BADOPTION
;
478 old_life
= tgt
->endtime
;
480 old_life
-= *tgt
->starttime
;
482 old_life
-= tgt
->authtime
;
483 et
->endtime
= *et
->starttime
+ old_life
;
484 if (et
->renew_till
!= NULL
)
485 et
->endtime
= min(*et
->renew_till
, et
->endtime
);
489 /* checks for excess flags */
490 if(f
.request_anonymous
&& !config
->allow_anonymous
){
491 kdc_log(context
, config
, 0,
492 "Request for anonymous ticket");
493 return KRB5KDC_ERR_BADOPTION
;
500 * Determine if constrained delegation is allowed from this client to this server
503 static krb5_error_code
504 check_constrained_delegation(krb5_context context
,
505 krb5_kdc_configuration
*config
,
507 hdb_entry_ex
*client
,
508 krb5_const_principal server
)
510 const HDB_Ext_Constrained_delegation_acl
*acl
;
514 /* if client delegates to itself, that ok */
515 if (krb5_principal_compare(context
, client
->entry
.principal
, server
) == TRUE
)
518 if (clientdb
->hdb_check_constrained_delegation
) {
519 ret
= clientdb
->hdb_check_constrained_delegation(context
, clientdb
, client
, server
);
523 ret
= hdb_entry_get_ConstrainedDelegACL(&client
->entry
, &acl
);
525 krb5_clear_error_message(context
);
530 for (i
= 0; i
< acl
->len
; i
++) {
531 if (krb5_principal_compare(context
, server
, &acl
->val
[i
]) == TRUE
)
535 ret
= KRB5KDC_ERR_BADOPTION
;
537 kdc_log(context
, config
, 0,
538 "Bad request for constrained delegation");
543 * Determine if s4u2self is allowed from this client to this server
545 * For example, regardless of the principal being impersonated, if the
546 * 'client' and 'server' are the same, then it's safe.
549 static krb5_error_code
550 check_s4u2self(krb5_context context
,
551 krb5_kdc_configuration
*config
,
553 hdb_entry_ex
*client
,
554 krb5_const_principal server
)
558 /* if client does a s4u2self to itself, that ok */
559 if (krb5_principal_compare(context
, client
->entry
.principal
, server
) == TRUE
)
562 if (clientdb
->hdb_check_s4u2self
) {
563 ret
= clientdb
->hdb_check_s4u2self(context
, clientdb
, client
, server
);
567 ret
= KRB5KDC_ERR_BADOPTION
;
576 static krb5_error_code
577 verify_flags (krb5_context context
,
578 krb5_kdc_configuration
*config
,
579 const EncTicketPart
*et
,
582 if(et
->endtime
< kdc_time
){
583 kdc_log(context
, config
, 0, "Ticket expired (%s)", pstr
);
584 return KRB5KRB_AP_ERR_TKT_EXPIRED
;
586 if(et
->flags
.invalid
){
587 kdc_log(context
, config
, 0, "Ticket not valid (%s)", pstr
);
588 return KRB5KRB_AP_ERR_TKT_NYV
;
597 static krb5_error_code
598 fix_transited_encoding(krb5_context context
,
599 krb5_kdc_configuration
*config
,
600 krb5_boolean check_policy
,
601 const TransitedEncoding
*tr
,
603 const char *client_realm
,
604 const char *server_realm
,
605 const char *tgt_realm
)
607 krb5_error_code ret
= 0;
608 char **realms
, **tmp
;
609 unsigned int num_realms
;
612 switch (tr
->tr_type
) {
613 case DOMAIN_X500_COMPRESS
:
617 * Allow empty content of type 0 because that is was Microsoft
618 * generates in their TGT.
620 if (tr
->contents
.length
== 0)
622 kdc_log(context
, config
, 0,
623 "Transited type 0 with non empty content");
624 return KRB5KDC_ERR_TRTYPE_NOSUPP
;
626 kdc_log(context
, config
, 0,
627 "Unknown transited type: %u", tr
->tr_type
);
628 return KRB5KDC_ERR_TRTYPE_NOSUPP
;
631 ret
= krb5_domain_x500_decode(context
,
638 krb5_warn(context
, ret
,
639 "Decoding transited encoding");
642 if(strcmp(client_realm
, tgt_realm
) && strcmp(server_realm
, tgt_realm
)) {
643 /* not us, so add the previous realm to transited set */
644 if (num_realms
+ 1 > UINT_MAX
/sizeof(*realms
)) {
648 tmp
= realloc(realms
, (num_realms
+ 1) * sizeof(*realms
));
654 realms
[num_realms
] = strdup(tgt_realm
);
655 if(realms
[num_realms
] == NULL
){
661 if(num_realms
== 0) {
662 if(strcmp(client_realm
, server_realm
))
663 kdc_log(context
, config
, 0,
664 "cross-realm %s -> %s", client_realm
, server_realm
);
668 for(i
= 0; i
< num_realms
; i
++)
669 l
+= strlen(realms
[i
]) + 2;
673 for(i
= 0; i
< num_realms
; i
++) {
675 strlcat(rs
, ", ", l
);
676 strlcat(rs
, realms
[i
], l
);
678 kdc_log(context
, config
, 0,
679 "cross-realm %s -> %s via [%s]",
680 client_realm
, server_realm
, rs
);
685 ret
= krb5_check_transited(context
, client_realm
,
687 realms
, num_realms
, NULL
);
689 krb5_warn(context
, ret
, "cross-realm %s -> %s",
690 client_realm
, server_realm
);
693 et
->flags
.transited_policy_checked
= 1;
695 et
->transited
.tr_type
= DOMAIN_X500_COMPRESS
;
696 ret
= krb5_domain_x500_encode(realms
, num_realms
, &et
->transited
.contents
);
698 krb5_warn(context
, ret
, "Encoding transited encoding");
700 for(i
= 0; i
< num_realms
; i
++)
707 static krb5_error_code
708 tgs_make_reply(krb5_context context
,
709 krb5_kdc_configuration
*config
,
711 krb5_const_principal tgt_name
,
712 const EncTicketPart
*tgt
,
713 const krb5_keyblock
*replykey
,
715 const EncryptionKey
*serverkey
,
716 const krb5_keyblock
*sessionkey
,
718 AuthorizationData
*auth_data
,
719 hdb_entry_ex
*server
,
720 krb5_principal server_principal
,
721 const char *server_name
,
722 hdb_entry_ex
*client
,
723 krb5_principal client_principal
,
724 hdb_entry_ex
*krbtgt
,
725 krb5_enctype krbtgt_etype
,
727 const krb5_data
*rspac
,
728 const METHOD_DATA
*enc_pa_data
,
735 KDCOptions f
= b
->kdc_options
;
739 memset(&rep
, 0, sizeof(rep
));
740 memset(&et
, 0, sizeof(et
));
741 memset(&ek
, 0, sizeof(ek
));
744 rep
.msg_type
= krb_tgs_rep
;
746 et
.authtime
= tgt
->authtime
;
747 _kdc_fix_time(&b
->till
);
748 et
.endtime
= min(tgt
->endtime
, *b
->till
);
750 *et
.starttime
= kdc_time
;
752 ret
= check_tgs_flags(context
, config
, b
, tgt
, &et
);
756 /* We should check the transited encoding if:
757 1) the request doesn't ask not to be checked
758 2) globally enforcing a check
759 3) principal requires checking
760 4) we allow non-check per-principal, but principal isn't marked as allowing this
761 5) we don't globally allow this
764 #define GLOBAL_FORCE_TRANSITED_CHECK \
765 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
766 #define GLOBAL_ALLOW_PER_PRINCIPAL \
767 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
768 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
769 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
771 /* these will consult the database in future release */
772 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
773 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
775 ret
= fix_transited_encoding(context
, config
,
776 !f
.disable_transited_check
||
777 GLOBAL_FORCE_TRANSITED_CHECK
||
778 PRINCIPAL_FORCE_TRANSITED_CHECK(server
) ||
779 !((GLOBAL_ALLOW_PER_PRINCIPAL
&&
780 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server
)) ||
781 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK
),
782 &tgt
->transited
, &et
,
783 krb5_principal_get_realm(context
, client_principal
),
784 krb5_principal_get_realm(context
, server
->entry
.principal
),
785 krb5_principal_get_realm(context
, krbtgt
->entry
.principal
));
789 copy_Realm(&server_principal
->realm
, &rep
.ticket
.realm
);
790 _krb5_principal2principalname(&rep
.ticket
.sname
, server_principal
);
791 copy_Realm(&tgt_name
->realm
, &rep
.crealm
);
793 if (f.request_anonymous)
794 _kdc_make_anonymous_principalname (&rep.cname);
797 copy_PrincipalName(&tgt_name
->name
, &rep
.cname
);
798 rep
.ticket
.tkt_vno
= 5;
802 et
.caddr
= tgt
->caddr
;
806 life
= et
.endtime
- *et
.starttime
;
807 if(client
&& client
->entry
.max_life
)
808 life
= min(life
, *client
->entry
.max_life
);
809 if(server
->entry
.max_life
)
810 life
= min(life
, *server
->entry
.max_life
);
811 et
.endtime
= *et
.starttime
+ life
;
813 if(f
.renewable_ok
&& tgt
->flags
.renewable
&&
814 et
.renew_till
== NULL
&& et
.endtime
< *b
->till
&&
815 tgt
->renew_till
!= NULL
)
817 et
.flags
.renewable
= 1;
818 ALLOC(et
.renew_till
);
819 *et
.renew_till
= *b
->till
;
823 renew
= *et
.renew_till
- et
.authtime
;
824 if(client
&& client
->entry
.max_renew
)
825 renew
= min(renew
, *client
->entry
.max_renew
);
826 if(server
->entry
.max_renew
)
827 renew
= min(renew
, *server
->entry
.max_renew
);
828 *et
.renew_till
= et
.authtime
+ renew
;
832 *et
.renew_till
= min(*et
.renew_till
, *tgt
->renew_till
);
833 *et
.starttime
= min(*et
.starttime
, *et
.renew_till
);
834 et
.endtime
= min(et
.endtime
, *et
.renew_till
);
837 *et
.starttime
= min(*et
.starttime
, et
.endtime
);
839 if(*et
.starttime
== et
.endtime
){
840 ret
= KRB5KDC_ERR_NEVER_VALID
;
843 if(et
.renew_till
&& et
.endtime
== *et
.renew_till
){
845 et
.renew_till
= NULL
;
846 et
.flags
.renewable
= 0;
849 et
.flags
.pre_authent
= tgt
->flags
.pre_authent
;
850 et
.flags
.hw_authent
= tgt
->flags
.hw_authent
;
851 et
.flags
.anonymous
= tgt
->flags
.anonymous
;
852 et
.flags
.ok_as_delegate
= server
->entry
.flags
.ok_as_delegate
;
856 * No not need to filter out the any PAC from the
857 * auth_data since it's signed by the KDC.
859 ret
= _kdc_tkt_add_if_relevant_ad(context
, &et
,
860 KRB5_AUTHDATA_WIN2K_PAC
, rspac
);
868 /* XXX check authdata */
870 if (et
.authorization_data
== NULL
) {
871 et
.authorization_data
= calloc(1, sizeof(*et
.authorization_data
));
872 if (et
.authorization_data
== NULL
) {
874 krb5_set_error_message(context
, ret
, "malloc: out of memory");
878 for(i
= 0; i
< auth_data
->len
; i
++) {
879 ret
= add_AuthorizationData(et
.authorization_data
, &auth_data
->val
[i
]);
881 krb5_set_error_message(context
, ret
, "malloc: out of memory");
886 /* Filter out type KRB5SignedPath */
887 ret
= find_KRB5SignedPath(context
, et
.authorization_data
, NULL
);
889 if (et
.authorization_data
->len
== 1) {
890 free_AuthorizationData(et
.authorization_data
);
891 free(et
.authorization_data
);
892 et
.authorization_data
= NULL
;
894 AuthorizationData
*ad
= et
.authorization_data
;
895 free_AuthorizationDataElement(&ad
->val
[ad
->len
- 1]);
901 ret
= krb5_copy_keyblock_contents(context
, sessionkey
, &et
.key
);
904 et
.crealm
= tgt
->crealm
;
905 et
.cname
= tgt_name
->name
;
908 /* MIT must have at least one last_req */
910 ek
.last_req
.val
= calloc(1, sizeof(*ek
.last_req
.val
));
911 if (ek
.last_req
.val
== NULL
) {
917 ek
.authtime
= et
.authtime
;
918 ek
.starttime
= et
.starttime
;
919 ek
.endtime
= et
.endtime
;
920 ek
.renew_till
= et
.renew_till
;
921 ek
.srealm
= rep
.ticket
.realm
;
922 ek
.sname
= rep
.ticket
.sname
;
924 _kdc_log_timestamp(context
, config
, "TGS-REQ", et
.authtime
, et
.starttime
,
925 et
.endtime
, et
.renew_till
);
927 /* Don't sign cross realm tickets, they can't be checked anyway */
929 char *r
= get_krbtgt_realm(&ek
.sname
);
931 if (r
== NULL
|| strcmp(r
, ek
.srealm
) == 0) {
932 ret
= _kdc_add_KRB5SignedPath(context
,
945 if (enc_pa_data
->len
) {
946 rep
.padata
= calloc(1, sizeof(*rep
.padata
));
947 if (rep
.padata
== NULL
) {
951 ret
= copy_METHOD_DATA(enc_pa_data
, rep
.padata
);
956 if (krb5_enctype_valid(context
, et
.key
.keytype
) != 0
957 && _kdc_is_weak_exception(server
->entry
.principal
, et
.key
.keytype
))
959 krb5_enctype_enable(context
, et
.key
.keytype
);
964 /* It is somewhat unclear where the etype in the following
965 encryption should come from. What we have is a session
966 key in the passed tgt, and a list of preferred etypes
967 *for the new ticket*. Should we pick the best possible
968 etype, given the keytype in the tgt, or should we look
969 at the etype list here as well? What if the tgt
970 session key is DES3 and we want a ticket with a (say)
971 CAST session key. Should the DES3 etype be added to the
972 etype list, even if we don't want a session key with
974 ret
= _kdc_encode_reply(context
, config
,
975 &rep
, &et
, &ek
, et
.key
.keytype
,
977 serverkey
, 0, replykey
, rk_is_subkey
,
980 krb5_enctype_disable(context
, et
.key
.keytype
);
984 free_TransitedEncoding(&et
.transited
);
989 if(et
.authorization_data
) {
990 free_AuthorizationData(et
.authorization_data
);
991 free(et
.authorization_data
);
993 free_LastReq(&ek
.last_req
);
994 memset(et
.key
.keyvalue
.data
, 0, et
.key
.keyvalue
.length
);
995 free_EncryptionKey(&et
.key
);
999 static krb5_error_code
1000 tgs_check_authenticator(krb5_context context
,
1001 krb5_kdc_configuration
*config
,
1002 krb5_auth_context ac
,
1004 const char **e_text
,
1007 krb5_authenticator auth
;
1011 krb5_error_code ret
;
1014 krb5_auth_con_getauthenticator(context
, ac
, &auth
);
1015 if(auth
->cksum
== NULL
){
1016 kdc_log(context
, config
, 0, "No authenticator in request");
1017 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
1021 * according to RFC1510 it doesn't need to be keyed,
1022 * but according to the latest draft it needs to.
1026 !krb5_checksum_is_keyed(context
, auth
->cksum
->cksumtype
)
1029 !krb5_checksum_is_collision_proof(context
, auth
->cksum
->cksumtype
)) {
1030 kdc_log(context
, config
, 0, "Bad checksum type in authenticator: %d",
1031 auth
->cksum
->cksumtype
);
1032 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
1036 /* XXX should not re-encode this */
1037 ASN1_MALLOC_ENCODE(KDC_REQ_BODY
, buf
, buf_size
, b
, &len
, ret
);
1039 const char *msg
= krb5_get_error_message(context
, ret
);
1040 kdc_log(context
, config
, 0, "Failed to encode KDC-REQ-BODY: %s", msg
);
1041 krb5_free_error_message(context
, msg
);
1044 if(buf_size
!= len
) {
1046 kdc_log(context
, config
, 0, "Internal error in ASN.1 encoder");
1047 *e_text
= "KDC internal error";
1048 ret
= KRB5KRB_ERR_GENERIC
;
1051 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
1053 const char *msg
= krb5_get_error_message(context
, ret
);
1055 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1056 krb5_free_error_message(context
, msg
);
1059 ret
= krb5_verify_checksum(context
,
1061 KRB5_KU_TGS_REQ_AUTH_CKSUM
,
1066 krb5_crypto_destroy(context
, crypto
);
1068 const char *msg
= krb5_get_error_message(context
, ret
);
1069 kdc_log(context
, config
, 0,
1070 "Failed to verify authenticator checksum: %s", msg
);
1071 krb5_free_error_message(context
, msg
);
1074 free_Authenticator(auth
);
1084 find_rpath(krb5_context context
, Realm crealm
, Realm srealm
)
1086 const char *new_realm
= krb5_config_get_string(context
,
1097 need_referral(krb5_context context
, krb5_kdc_configuration
*config
,
1098 const KDCOptions
* const options
, krb5_principal server
,
1099 krb5_realm
**realms
)
1103 if(!options
->canonicalize
&& server
->name
.name_type
!= KRB5_NT_SRV_INST
)
1106 if (server
->name
.name_string
.len
== 1)
1107 name
= server
->name
.name_string
.val
[0];
1108 else if (server
->name
.name_string
.len
> 1)
1109 name
= server
->name
.name_string
.val
[1];
1113 kdc_log(context
, config
, 0, "Searching referral for %s", name
);
1115 return _krb5_get_host_realm_int(context
, name
, FALSE
, realms
) == 0;
1118 static krb5_error_code
1119 tgs_parse_request(krb5_context context
,
1120 krb5_kdc_configuration
*config
,
1122 const PA_DATA
*tgs_req
,
1123 hdb_entry_ex
**krbtgt
,
1124 krb5_enctype
*krbtgt_etype
,
1125 krb5_ticket
**ticket
,
1126 const char **e_text
,
1128 const struct sockaddr
*from_addr
,
1131 AuthorizationData
**auth_data
,
1132 krb5_keyblock
**replykey
,
1135 static char failed
[] = "<unparse_name failed>";
1137 krb5_error_code ret
;
1138 krb5_principal princ
;
1139 krb5_auth_context ac
= NULL
;
1140 krb5_flags ap_req_options
;
1141 krb5_flags verify_ap_req_flags
;
1144 krb5_keyblock
*subkey
= NULL
;
1152 memset(&ap_req
, 0, sizeof(ap_req
));
1153 ret
= krb5_decode_ap_req(context
, &tgs_req
->padata_value
, &ap_req
);
1155 const char *msg
= krb5_get_error_message(context
, ret
);
1156 kdc_log(context
, config
, 0, "Failed to decode AP-REQ: %s", msg
);
1157 krb5_free_error_message(context
, msg
);
1161 if(!get_krbtgt_realm(&ap_req
.ticket
.sname
)){
1162 /* XXX check for ticket.sname == req.sname */
1163 kdc_log(context
, config
, 0, "PA-DATA is not a ticket-granting ticket");
1164 ret
= KRB5KDC_ERR_POLICY
; /* ? */
1168 _krb5_principalname2krb5_principal(context
,
1170 ap_req
.ticket
.sname
,
1171 ap_req
.ticket
.realm
);
1173 ret
= _kdc_db_fetch(context
, config
, princ
, HDB_F_GET_KRBTGT
, ap_req
.ticket
.enc_part
.kvno
, NULL
, krbtgt
);
1175 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1177 ret
= krb5_unparse_name(context
, princ
, &p
);
1180 krb5_free_principal(context
, princ
);
1181 kdc_log(context
, config
, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p
);
1184 ret
= HDB_ERR_NOT_FOUND_HERE
;
1187 const char *msg
= krb5_get_error_message(context
, ret
);
1189 ret
= krb5_unparse_name(context
, princ
, &p
);
1192 krb5_free_principal(context
, princ
);
1193 kdc_log(context
, config
, 0,
1194 "Ticket-granting ticket not found in database: %s", msg
);
1195 krb5_free_error_message(context
, msg
);
1198 ret
= KRB5KRB_AP_ERR_NOT_US
;
1202 if(ap_req
.ticket
.enc_part
.kvno
&&
1203 (size_t)*ap_req
.ticket
.enc_part
.kvno
!= (*krbtgt
)->entry
.kvno
){
1206 ret
= krb5_unparse_name (context
, princ
, &p
);
1207 krb5_free_principal(context
, princ
);
1210 kdc_log(context
, config
, 0,
1211 "Ticket kvno = %d, DB kvno = %d (%s)",
1212 *ap_req
.ticket
.enc_part
.kvno
,
1213 (*krbtgt
)->entry
.kvno
,
1217 ret
= KRB5KRB_AP_ERR_BADKEYVER
;
1221 *krbtgt_etype
= ap_req
.ticket
.enc_part
.etype
;
1223 ret
= hdb_enctype2key(context
, &(*krbtgt
)->entry
,
1224 ap_req
.ticket
.enc_part
.etype
, &tkey
);
1226 char *str
= NULL
, *p
= NULL
;
1228 krb5_enctype_to_string(context
, ap_req
.ticket
.enc_part
.etype
, &str
);
1229 krb5_unparse_name(context
, princ
, &p
);
1230 kdc_log(context
, config
, 0,
1231 "No server key with enctype %s found for %s",
1232 str
? str
: "<unknown enctype>",
1233 p
? p
: "<unparse_name failed>");
1236 ret
= KRB5KRB_AP_ERR_BADKEYVER
;
1240 if (b
->kdc_options
.validate
)
1241 verify_ap_req_flags
= KRB5_VERIFY_AP_REQ_IGNORE_INVALID
;
1243 verify_ap_req_flags
= 0;
1245 ret
= krb5_verify_ap_req2(context
,
1250 verify_ap_req_flags
,
1253 KRB5_KU_TGS_REQ_AUTH
);
1255 krb5_free_principal(context
, princ
);
1257 const char *msg
= krb5_get_error_message(context
, ret
);
1258 kdc_log(context
, config
, 0, "Failed to verify AP-REQ: %s", msg
);
1259 krb5_free_error_message(context
, msg
);
1264 krb5_authenticator auth
;
1266 ret
= krb5_auth_con_getauthenticator(context
, ac
, &auth
);
1268 *csec
= malloc(sizeof(**csec
));
1269 if (*csec
== NULL
) {
1270 krb5_free_authenticator(context
, &auth
);
1271 kdc_log(context
, config
, 0, "malloc failed");
1274 **csec
= auth
->ctime
;
1275 *cusec
= malloc(sizeof(**cusec
));
1276 if (*cusec
== NULL
) {
1277 krb5_free_authenticator(context
, &auth
);
1278 kdc_log(context
, config
, 0, "malloc failed");
1281 **cusec
= auth
->cusec
;
1282 krb5_free_authenticator(context
, &auth
);
1286 ret
= tgs_check_authenticator(context
, config
,
1287 ac
, b
, e_text
, &(*ticket
)->ticket
.key
);
1289 krb5_auth_con_free(context
, ac
);
1293 usage
= KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY
;
1296 ret
= krb5_auth_con_getremotesubkey(context
, ac
, &subkey
);
1298 const char *msg
= krb5_get_error_message(context
, ret
);
1299 krb5_auth_con_free(context
, ac
);
1300 kdc_log(context
, config
, 0, "Failed to get remote subkey: %s", msg
);
1301 krb5_free_error_message(context
, msg
);
1305 usage
= KRB5_KU_TGS_REQ_AUTH_DAT_SESSION
;
1308 ret
= krb5_auth_con_getkey(context
, ac
, &subkey
);
1310 const char *msg
= krb5_get_error_message(context
, ret
);
1311 krb5_auth_con_free(context
, ac
);
1312 kdc_log(context
, config
, 0, "Failed to get session key: %s", msg
);
1313 krb5_free_error_message(context
, msg
);
1318 krb5_auth_con_free(context
, ac
);
1319 kdc_log(context
, config
, 0,
1320 "Failed to get key for enc-authorization-data");
1321 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1327 if (b
->enc_authorization_data
) {
1330 ret
= krb5_crypto_init(context
, subkey
, 0, &crypto
);
1332 const char *msg
= krb5_get_error_message(context
, ret
);
1333 krb5_auth_con_free(context
, ac
);
1334 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1335 krb5_free_error_message(context
, msg
);
1338 ret
= krb5_decrypt_EncryptedData (context
,
1341 b
->enc_authorization_data
,
1343 krb5_crypto_destroy(context
, crypto
);
1345 krb5_auth_con_free(context
, ac
);
1346 kdc_log(context
, config
, 0,
1347 "Failed to decrypt enc-authorization-data");
1348 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1352 if (*auth_data
== NULL
) {
1353 krb5_auth_con_free(context
, ac
);
1354 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1357 ret
= decode_AuthorizationData(ad
.data
, ad
.length
, *auth_data
, NULL
);
1359 krb5_auth_con_free(context
, ac
);
1362 kdc_log(context
, config
, 0, "Failed to decode authorization data");
1363 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
; /* ? */
1368 krb5_auth_con_free(context
, ac
);
1371 free_AP_REQ(&ap_req
);
1376 static krb5_error_code
1377 build_server_referral(krb5_context context
,
1378 krb5_kdc_configuration
*config
,
1379 krb5_crypto session
,
1380 krb5_const_realm referred_realm
,
1381 const PrincipalName
*true_principal_name
,
1382 const PrincipalName
*requested_principal
,
1385 PA_ServerReferralData ref
;
1386 krb5_error_code ret
;
1391 memset(&ref
, 0, sizeof(ref
));
1393 if (referred_realm
) {
1394 ALLOC(ref
.referred_realm
);
1395 if (ref
.referred_realm
== NULL
)
1397 *ref
.referred_realm
= strdup(referred_realm
);
1398 if (*ref
.referred_realm
== NULL
)
1401 if (true_principal_name
) {
1402 ALLOC(ref
.true_principal_name
);
1403 if (ref
.true_principal_name
== NULL
)
1405 ret
= copy_PrincipalName(true_principal_name
, ref
.true_principal_name
);
1409 if (requested_principal
) {
1410 ALLOC(ref
.requested_principal_name
);
1411 if (ref
.requested_principal_name
== NULL
)
1413 ret
= copy_PrincipalName(requested_principal
,
1414 ref
.requested_principal_name
);
1419 ASN1_MALLOC_ENCODE(PA_ServerReferralData
,
1420 data
.data
, data
.length
,
1422 free_PA_ServerReferralData(&ref
);
1425 if (data
.length
!= size
)
1426 krb5_abortx(context
, "internal asn.1 encoder error");
1428 ret
= krb5_encrypt_EncryptedData(context
, session
,
1429 KRB5_KU_PA_SERVER_REFERRAL
,
1430 data
.data
, data
.length
,
1436 ASN1_MALLOC_ENCODE(EncryptedData
,
1437 outdata
->data
, outdata
->length
,
1439 free_EncryptedData(&ed
);
1442 if (outdata
->length
!= size
)
1443 krb5_abortx(context
, "internal asn.1 encoder error");
1447 free_PA_ServerReferralData(&ref
);
1448 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
1452 static krb5_error_code
1453 tgs_build_reply(krb5_context context
,
1454 krb5_kdc_configuration
*config
,
1457 hdb_entry_ex
*krbtgt
,
1458 krb5_enctype krbtgt_etype
,
1459 const krb5_keyblock
*replykey
,
1461 krb5_ticket
*ticket
,
1464 const char **e_text
,
1465 AuthorizationData
**auth_data
,
1466 const struct sockaddr
*from_addr
)
1468 krb5_error_code ret
;
1469 krb5_principal cp
= NULL
, sp
= NULL
;
1470 krb5_principal client_principal
= NULL
;
1471 krb5_principal krbtgt_principal
= NULL
;
1472 char *spn
= NULL
, *cpn
= NULL
;
1473 hdb_entry_ex
*server
= NULL
, *client
= NULL
, *s4u2self_impersonated_client
= NULL
;
1474 HDB
*clientdb
, *s4u2self_impersonated_clientdb
;
1475 krb5_realm ref_realm
= NULL
;
1476 EncTicketPart
*tgt
= &ticket
->ticket
;
1477 krb5_principals spp
= NULL
;
1478 const EncryptionKey
*ekey
;
1479 krb5_keyblock sessionkey
;
1483 hdb_entry_ex
*krbtgt_out
= NULL
;
1485 METHOD_DATA enc_pa_data
;
1490 EncTicketPart adtkt
;
1497 memset(&sessionkey
, 0, sizeof(sessionkey
));
1498 memset(&adtkt
, 0, sizeof(adtkt
));
1499 krb5_data_zero(&rspac
);
1500 memset(&enc_pa_data
, 0, sizeof(enc_pa_data
));
1505 if(b
->kdc_options
.enc_tkt_in_skey
){
1511 if(b
->additional_tickets
== NULL
||
1512 b
->additional_tickets
->len
== 0){
1513 ret
= KRB5KDC_ERR_BADOPTION
; /* ? */
1514 kdc_log(context
, config
, 0,
1515 "No second ticket present in request");
1518 t
= &b
->additional_tickets
->val
[0];
1519 if(!get_krbtgt_realm(&t
->sname
)){
1520 kdc_log(context
, config
, 0,
1521 "Additional ticket is not a ticket-granting ticket");
1522 ret
= KRB5KDC_ERR_POLICY
;
1525 _krb5_principalname2krb5_principal(context
, &p
, t
->sname
, t
->realm
);
1526 ret
= _kdc_db_fetch(context
, config
, p
,
1527 HDB_F_GET_KRBTGT
, t
->enc_part
.kvno
,
1529 krb5_free_principal(context
, p
);
1531 if (ret
== HDB_ERR_NOENTRY
)
1532 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1535 ret
= hdb_enctype2key(context
, &uu
->entry
,
1536 t
->enc_part
.etype
, &uukey
);
1538 _kdc_free_ent(context
, uu
);
1539 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
1542 ret
= krb5_decrypt_ticket(context
, t
, &uukey
->key
, &adtkt
, 0);
1543 _kdc_free_ent(context
, uu
);
1547 ret
= verify_flags(context
, config
, &adtkt
, spn
);
1555 _krb5_principalname2krb5_principal(context
, &sp
, *s
, r
);
1556 ret
= krb5_unparse_name(context
, sp
, &spn
);
1559 _krb5_principalname2krb5_principal(context
, &cp
, tgt
->cname
, tgt
->crealm
);
1560 ret
= krb5_unparse_name(context
, cp
, &cpn
);
1563 unparse_flags (KDCOptions2int(b
->kdc_options
),
1564 asn1_KDCOptions_units(),
1565 opt_str
, sizeof(opt_str
));
1567 kdc_log(context
, config
, 0,
1568 "TGS-REQ %s from %s for %s [%s]",
1569 cpn
, from
, spn
, opt_str
);
1571 kdc_log(context
, config
, 0,
1572 "TGS-REQ %s from %s for %s", cpn
, from
, spn
);
1579 ret
= _kdc_db_fetch(context
, config
, sp
, HDB_F_GET_SERVER
| HDB_F_CANON
,
1580 NULL
, NULL
, &server
);
1582 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1583 kdc_log(context
, config
, 5, "target %s does not have secrets at this KDC, need to proxy", sp
);
1586 const char *new_rlm
, *msg
;
1590 if ((req_rlm
= get_krbtgt_realm(&sp
->name
)) != NULL
) {
1592 new_rlm
= find_rpath(context
, tgt
->crealm
, req_rlm
);
1594 kdc_log(context
, config
, 5, "krbtgt for realm %s "
1595 "not found, trying %s",
1597 krb5_free_principal(context
, sp
);
1599 krb5_make_principal(context
, &sp
, r
,
1600 KRB5_TGS_NAME
, new_rlm
, NULL
);
1601 ret
= krb5_unparse_name(context
, sp
, &spn
);
1607 ref_realm
= strdup(new_rlm
);
1611 } else if(need_referral(context
, config
, &b
->kdc_options
, sp
, &realms
)) {
1612 if (strcmp(realms
[0], sp
->realm
) != 0) {
1613 kdc_log(context
, config
, 5,
1614 "Returning a referral to realm %s for "
1615 "server %s that was not found",
1617 krb5_free_principal(context
, sp
);
1619 krb5_make_principal(context
, &sp
, r
, KRB5_TGS_NAME
,
1621 ret
= krb5_unparse_name(context
, sp
, &spn
);
1627 ref_realm
= strdup(realms
[0]);
1629 krb5_free_host_realm(context
, realms
);
1632 krb5_free_host_realm(context
, realms
);
1634 msg
= krb5_get_error_message(context
, ret
);
1635 kdc_log(context
, config
, 0,
1636 "Server not found in database: %s: %s", spn
, msg
);
1637 krb5_free_error_message(context
, msg
);
1638 if (ret
== HDB_ERR_NOENTRY
)
1639 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1644 * Select enctype, return key and kvno.
1650 if(b
->kdc_options
.enc_tkt_in_skey
) {
1653 for(i
= 0; i
< b
->etype
.len
; i
++)
1654 if (b
->etype
.val
[i
] == adtkt
.key
.keytype
)
1656 if(i
== b
->etype
.len
) {
1657 kdc_log(context
, config
, 0,
1658 "Addition ticket have not matching etypes");
1659 krb5_clear_error_message(context
);
1660 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
;
1663 etype
= b
->etype
.val
[i
];
1668 ret
= _kdc_find_etype(context
,
1669 config
->tgs_use_strongest_session_key
, FALSE
,
1670 server
, b
->etype
.val
, b
->etype
.len
, NULL
,
1673 kdc_log(context
, config
, 0,
1674 "Server (%s) has no support for etypes", spn
);
1678 etype
= skey
->key
.keytype
;
1679 kvno
= server
->entry
.kvno
;
1682 ret
= krb5_generate_random_keyblock(context
, etype
, &sessionkey
);
1688 * Check that service is in the same realm as the krbtgt. If it's
1689 * not the same, it's someone that is using a uni-directional trust
1694 * Validate authoriation data
1697 ret
= hdb_enctype2key(context
, &krbtgt
->entry
,
1698 krbtgt_etype
, &tkey_check
);
1700 kdc_log(context
, config
, 0,
1701 "Failed to find key for krbtgt PAC check");
1705 /* Now refetch the primary krbtgt, and get the current kvno (the
1706 * sign check may have been on an old kvno, and the server may
1707 * have been an incoming trust) */
1708 ret
= krb5_make_principal(context
, &krbtgt_principal
,
1709 krb5_principal_get_comp_string(context
,
1710 krbtgt
->entry
.principal
,
1713 krb5_principal_get_comp_string(context
,
1714 krbtgt
->entry
.principal
,
1717 kdc_log(context
, config
, 0,
1718 "Failed to generate krbtgt principal");
1722 ret
= _kdc_db_fetch(context
, config
, krbtgt_principal
, HDB_F_GET_KRBTGT
, NULL
, NULL
, &krbtgt_out
);
1723 krb5_free_principal(context
, krbtgt_principal
);
1725 krb5_error_code ret2
;
1727 ret
= krb5_unparse_name(context
, krbtgt
->entry
.principal
, &tpn
);
1728 ret2
= krb5_unparse_name(context
, krbtgt
->entry
.principal
, &tpn2
);
1729 kdc_log(context
, config
, 0,
1730 "Request with wrong krbtgt: %s, %s not found in our database",
1731 (ret
== 0) ? tpn
: "<unknown>", (ret2
== 0) ? tpn2
: "<unknown>");
1736 ret
= KRB5KRB_AP_ERR_NOT_US
;
1740 /* The first realm is the realm of the service, the second is
1741 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1742 * encrypted to. The redirection via the krbtgt_out entry allows
1743 * the DB to possibly correct the case of the realm (Samba4 does
1744 * this) before the strcmp() */
1745 if (strcmp(krb5_principal_get_realm(context
, server
->entry
.principal
),
1746 krb5_principal_get_realm(context
, krbtgt_out
->entry
.principal
)) != 0) {
1748 ret
= krb5_unparse_name(context
, krbtgt_out
->entry
.principal
, &tpn
);
1749 kdc_log(context
, config
, 0,
1750 "Request with wrong krbtgt: %s",
1751 (ret
== 0) ? tpn
: "<unknown>");
1754 ret
= KRB5KRB_AP_ERR_NOT_US
;
1757 ret
= hdb_enctype2key(context
, &krbtgt_out
->entry
,
1758 krbtgt_etype
, &tkey_sign
);
1760 kdc_log(context
, config
, 0,
1761 "Failed to find key for krbtgt PAC signature");
1765 ret
= _kdc_db_fetch(context
, config
, cp
, HDB_F_GET_CLIENT
| HDB_F_CANON
,
1766 NULL
, &clientdb
, &client
);
1767 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
1768 /* This is OK, we are just trying to find out if they have
1769 * been disabled or deleted in the meantime, missing secrets
1772 const char *krbtgt_realm
, *msg
;
1775 * If the client belongs to the same realm as our krbtgt, it
1776 * should exist in the local database.
1780 krbtgt_realm
= krb5_principal_get_realm(context
, krbtgt_out
->entry
.principal
);
1782 if(strcmp(krb5_principal_get_realm(context
, cp
), krbtgt_realm
) == 0) {
1783 if (ret
== HDB_ERR_NOENTRY
)
1784 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
1785 kdc_log(context
, config
, 1, "Client no longer in database: %s",
1790 msg
= krb5_get_error_message(context
, ret
);
1791 kdc_log(context
, config
, 1, "Client not found in database: %s", msg
);
1792 krb5_free_error_message(context
, msg
);
1795 ret
= check_PAC(context
, config
, cp
,
1796 client
, server
, krbtgt
,
1797 &tkey_check
->key
, &tkey_check
->key
,
1798 ekey
, &tkey_sign
->key
,
1799 tgt
, &rspac
, &signedpath
);
1801 const char *msg
= krb5_get_error_message(context
, ret
);
1802 kdc_log(context
, config
, 0,
1803 "Verify PAC failed for %s (%s) from %s with %s",
1804 spn
, cpn
, from
, msg
);
1805 krb5_free_error_message(context
, msg
);
1809 /* also check the krbtgt for signature */
1810 ret
= check_KRB5SignedPath(context
,
1818 const char *msg
= krb5_get_error_message(context
, ret
);
1819 kdc_log(context
, config
, 0,
1820 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1821 spn
, cpn
, from
, msg
);
1822 krb5_free_error_message(context
, msg
);
1830 client_principal
= cp
;
1833 const PA_DATA
*sdata
;
1836 sdata
= _kdc_find_padata(req
, &i
, KRB5_PADATA_FOR_USER
);
1841 char *selfcpn
= NULL
;
1844 ret
= decode_PA_S4U2Self(sdata
->padata_value
.data
,
1845 sdata
->padata_value
.length
,
1848 kdc_log(context
, config
, 0, "Failed to decode PA-S4U2Self");
1852 ret
= _krb5_s4u2self_to_checksumdata(context
, &self
, &datack
);
1856 ret
= krb5_crypto_init(context
, &tgt
->key
, 0, &crypto
);
1858 const char *msg
= krb5_get_error_message(context
, ret
);
1859 free_PA_S4U2Self(&self
);
1860 krb5_data_free(&datack
);
1861 kdc_log(context
, config
, 0, "krb5_crypto_init failed: %s", msg
);
1862 krb5_free_error_message(context
, msg
);
1866 ret
= krb5_verify_checksum(context
,
1868 KRB5_KU_OTHER_CKSUM
,
1872 krb5_data_free(&datack
);
1873 krb5_crypto_destroy(context
, crypto
);
1875 const char *msg
= krb5_get_error_message(context
, ret
);
1876 free_PA_S4U2Self(&self
);
1877 kdc_log(context
, config
, 0,
1878 "krb5_verify_checksum failed for S4U2Self: %s", msg
);
1879 krb5_free_error_message(context
, msg
);
1883 ret
= _krb5_principalname2krb5_principal(context
,
1887 free_PA_S4U2Self(&self
);
1891 ret
= krb5_unparse_name(context
, client_principal
, &selfcpn
);
1895 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1898 krb5_data_free(&rspac
);
1899 ret
= _kdc_db_fetch(context
, config
, client_principal
, HDB_F_GET_CLIENT
| HDB_F_CANON
,
1900 NULL
, &s4u2self_impersonated_clientdb
, &s4u2self_impersonated_client
);
1905 * If the client belongs to the same realm as our krbtgt, it
1906 * should exist in the local database.
1910 if (ret
== HDB_ERR_NOENTRY
)
1911 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
1912 msg
= krb5_get_error_message(context
, ret
);
1913 kdc_log(context
, config
, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn
, msg
);
1914 krb5_free_error_message(context
, msg
);
1917 ret
= _kdc_pac_generate(context
, s4u2self_impersonated_client
, &p
);
1919 kdc_log(context
, config
, 0, "PAC generation failed for -- %s",
1924 ret
= _krb5_pac_sign(context
, p
, ticket
->ticket
.authtime
,
1925 s4u2self_impersonated_client
->entry
.principal
,
1926 ekey
, &tkey_sign
->key
,
1928 krb5_pac_free(context
, p
);
1930 kdc_log(context
, config
, 0, "PAC signing failed for -- %s",
1938 * Check that service doing the impersonating is
1939 * requesting a ticket to it-self.
1941 ret
= check_s4u2self(context
, config
, clientdb
, client
, sp
);
1943 kdc_log(context
, config
, 0, "S4U2Self: %s is not allowed "
1944 "to impersonate to service "
1945 "(tried for user %s to service %s)",
1952 * If the service isn't trusted for authentication to
1953 * delegation, remove the forward flag.
1956 if (client
->entry
.flags
.trusted_for_delegation
) {
1957 str
= "[forwardable]";
1959 b
->kdc_options
.forwardable
= 0;
1962 kdc_log(context
, config
, 0, "s4u2self %s impersonating %s to "
1963 "service %s %s", cpn
, selfcpn
, spn
, str
);
1969 * Constrained delegation
1973 && b
->additional_tickets
!= NULL
1974 && b
->additional_tickets
->len
!= 0
1975 && b
->kdc_options
.enc_tkt_in_skey
== 0)
1977 int ad_signedpath
= 0;
1983 * Require that the KDC have issued the service's krbtgt (not
1984 * self-issued ticket with kimpersonate(1).
1987 ret
= KRB5KDC_ERR_BADOPTION
;
1988 kdc_log(context
, config
, 0,
1989 "Constrained delegation done on service ticket %s/%s",
1994 t
= &b
->additional_tickets
->val
[0];
1996 ret
= hdb_enctype2key(context
, &client
->entry
,
1997 t
->enc_part
.etype
, &clientkey
);
1999 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
2003 ret
= krb5_decrypt_ticket(context
, t
, &clientkey
->key
, &adtkt
, 0);
2005 kdc_log(context
, config
, 0,
2006 "failed to decrypt ticket for "
2007 "constrained delegation from %s to %s ", cpn
, spn
);
2011 /* check that ticket is valid */
2012 if (adtkt
.flags
.forwardable
== 0) {
2013 kdc_log(context
, config
, 0,
2014 "Missing forwardable flag on ticket for "
2015 "constrained delegation from %s to %s ", cpn
, spn
);
2016 ret
= KRB5KDC_ERR_BADOPTION
;
2020 ret
= check_constrained_delegation(context
, config
, clientdb
,
2023 kdc_log(context
, config
, 0,
2024 "constrained delegation from %s to %s not allowed",
2029 ret
= _krb5_principalname2krb5_principal(context
,
2036 ret
= krb5_unparse_name(context
, client_principal
, &str
);
2040 ret
= verify_flags(context
, config
, &adtkt
, str
);
2047 * Check that the KDC issued the user's ticket.
2049 ret
= check_KRB5SignedPath(context
,
2056 if (ret
== 0 && !ad_signedpath
)
2057 ret
= KRB5KDC_ERR_BADOPTION
;
2059 const char *msg
= krb5_get_error_message(context
, ret
);
2060 kdc_log(context
, config
, 0,
2061 "KRB5SignedPath check from service %s failed "
2062 "for delegation to %s for client %s "
2063 "from %s failed with %s",
2064 spn
, str
, cpn
, from
, msg
);
2065 krb5_free_error_message(context
, msg
);
2070 kdc_log(context
, config
, 0, "constrained delegation for %s "
2071 "from %s to %s", str
, cpn
, spn
);
2079 ret
= kdc_check_flags(context
, config
,
2086 if((b
->kdc_options
.validate
|| b
->kdc_options
.renew
) &&
2087 !krb5_principal_compare(context
,
2088 krbtgt
->entry
.principal
,
2089 server
->entry
.principal
)){
2090 kdc_log(context
, config
, 0, "Inconsistent request.");
2091 ret
= KRB5KDC_ERR_SERVER_NOMATCH
;
2095 /* check for valid set of addresses */
2096 if(!_kdc_check_addresses(context
, config
, tgt
->caddr
, from_addr
)) {
2097 ret
= KRB5KRB_AP_ERR_BADADDR
;
2098 kdc_log(context
, config
, 0, "Request from wrong address");
2103 * If this is an referral, add server referral data to the
2110 kdc_log(context
, config
, 0,
2111 "Adding server referral to %s", ref_realm
);
2113 ret
= krb5_crypto_init(context
, &sessionkey
, 0, &crypto
);
2117 ret
= build_server_referral(context
, config
, crypto
, ref_realm
,
2118 NULL
, s
, &pa
.padata_value
);
2119 krb5_crypto_destroy(context
, crypto
);
2121 kdc_log(context
, config
, 0,
2122 "Failed building server referral");
2125 pa
.padata_type
= KRB5_PADATA_SERVER_REFERRAL
;
2127 ret
= add_METHOD_DATA(&enc_pa_data
, &pa
);
2128 krb5_data_free(&pa
.padata_value
);
2130 kdc_log(context
, config
, 0,
2131 "Add server referral METHOD-DATA failed");
2140 ret
= tgs_make_reply(context
,
2168 krb5_data_free(&rspac
);
2169 krb5_free_keyblock_contents(context
, &sessionkey
);
2171 _kdc_free_ent(context
, krbtgt_out
);
2173 _kdc_free_ent(context
, server
);
2175 _kdc_free_ent(context
, client
);
2176 if(s4u2self_impersonated_client
)
2177 _kdc_free_ent(context
, s4u2self_impersonated_client
);
2179 if (client_principal
&& client_principal
!= cp
)
2180 krb5_free_principal(context
, client_principal
);
2182 krb5_free_principal(context
, cp
);
2184 krb5_free_principal(context
, sp
);
2187 free_METHOD_DATA(&enc_pa_data
);
2189 free_EncTicketPart(&adtkt
);
2199 _kdc_tgs_rep(krb5_context context
,
2200 krb5_kdc_configuration
*config
,
2204 struct sockaddr
*from_addr
,
2207 AuthorizationData
*auth_data
= NULL
;
2208 krb5_error_code ret
;
2210 const PA_DATA
*tgs_req
;
2212 hdb_entry_ex
*krbtgt
= NULL
;
2213 krb5_ticket
*ticket
= NULL
;
2214 const char *e_text
= NULL
;
2215 krb5_enctype krbtgt_etype
= ETYPE_NULL
;
2217 krb5_keyblock
*replykey
= NULL
;
2218 int rk_is_subkey
= 0;
2219 time_t *csec
= NULL
;
2222 if(req
->padata
== NULL
){
2223 ret
= KRB5KDC_ERR_PREAUTH_REQUIRED
; /* XXX ??? */
2224 kdc_log(context
, config
, 0,
2225 "TGS-REQ from %s without PA-DATA", from
);
2229 tgs_req
= _kdc_find_padata(req
, &i
, KRB5_PADATA_TGS_REQ
);
2231 if(tgs_req
== NULL
){
2232 ret
= KRB5KDC_ERR_PADATA_TYPE_NOSUPP
;
2234 kdc_log(context
, config
, 0,
2235 "TGS-REQ from %s without PA-TGS-REQ", from
);
2238 ret
= tgs_parse_request(context
, config
,
2239 &req
->req_body
, tgs_req
,
2249 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
2250 /* kdc_log() is called in tgs_parse_request() */
2254 kdc_log(context
, config
, 0,
2255 "Failed parsing TGS-REQ from %s", from
);
2259 ret
= tgs_build_reply(context
,
2274 kdc_log(context
, config
, 0,
2275 "Failed building TGS-REP to %s", from
);
2280 if (datagram_reply
&& data
->length
> config
->max_datagram_reply_length
) {
2281 krb5_data_free(data
);
2282 ret
= KRB5KRB_ERR_RESPONSE_TOO_BIG
;
2283 e_text
= "Reply packet too large";
2288 krb5_free_keyblock(context
, replykey
);
2289 if(ret
&& ret
!= HDB_ERR_NOT_FOUND_HERE
&& data
->data
== NULL
){
2290 krb5_mk_error(context
,
2304 krb5_free_ticket(context
, ticket
);
2306 _kdc_free_ent(context
, krbtgt
);
2309 free_AuthorizationData(auth_data
);