search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Retain `ret != 0` when capaths finds no match.
[heimdal.git] / kdc / krb5tgs.c
blobfbbba24c01ca8b745680df3b7fe47490240040d2
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size = 0;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size = 0;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use correct kvno! */
230 sp.etype, &key);
231 if (ret == 0)
232 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
233 if (ret) {
234 free(data.data);
235 free_KRB5SignedPath(&sp);
236 return ret;
237 }
238 }
239 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
240 data.data, data.length,
241 &sp.cksum);
242 krb5_crypto_destroy(context, crypto);
243 free(data.data);
244 if (ret) {
245 free_KRB5SignedPath(&sp);
246 kdc_log(context, config, 5,
247 "KRB5SignedPath not signed correctly, not marking as signed");
248 return 0;
249 }
250
251 if (delegated && sp.delegated) {
252
253 *delegated = malloc(sizeof(*sp.delegated));
254 if (*delegated == NULL) {
255 free_KRB5SignedPath(&sp);
256 return ENOMEM;
257 }
258
259 ret = copy_Principals(*delegated, sp.delegated);
260 if (ret) {
261 free_KRB5SignedPath(&sp);
262 free(*delegated);
263 *delegated = NULL;
264 return ret;
265 }
266 }
267 free_KRB5SignedPath(&sp);
268
269 *signedpath = 1;
270 }
271
272 return 0;
273 }
274
275 /*
276 *
277 */
278
279 static krb5_error_code
280 check_PAC(krb5_context context,
281 krb5_kdc_configuration *config,
282 const krb5_principal client_principal,
283 const krb5_principal delegated_proxy_principal,
284 hdb_entry_ex *client,
285 hdb_entry_ex *server,
286 hdb_entry_ex *krbtgt,
287 const EncryptionKey *server_check_key,
288 const EncryptionKey *server_sign_key,
289 const EncryptionKey *krbtgt_sign_key,
290 EncTicketPart *tkt,
291 krb5_data *rspac,
292 int *signedpath)
293 {
294 AuthorizationData *ad = tkt->authorization_data;
295 unsigned i, j;
296 krb5_error_code ret;
297
298 if (ad == NULL || ad->len == 0)
299 return 0;
300
301 for (i = 0; i < ad->len; i++) {
302 AuthorizationData child;
303
304 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
305 continue;
306
307 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
308 ad->val[i].ad_data.length,
309 &child,
310 NULL);
311 if (ret) {
312 krb5_set_error_message(context, ret, "Failed to decode "
313 "IF_RELEVANT with %d", ret);
314 return ret;
315 }
316 for (j = 0; j < child.len; j++) {
317
318 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
319 int signed_pac = 0;
320 krb5_pac pac;
321
322 /* Found PAC */
323 ret = krb5_pac_parse(context,
324 child.val[j].ad_data.data,
325 child.val[j].ad_data.length,
326 &pac);
327 free_AuthorizationData(&child);
328 if (ret)
329 return ret;
330
331 ret = krb5_pac_verify(context, pac, tkt->authtime,
332 client_principal,
333 server_check_key, NULL);
334 if (ret) {
335 krb5_pac_free(context, pac);
336 return ret;
337 }
338
339 ret = _kdc_pac_verify(context, client_principal,
340 delegated_proxy_principal,
341 client, server, krbtgt, &pac, &signed_pac);
342 if (ret) {
343 krb5_pac_free(context, pac);
344 return ret;
345 }
346
347 /*
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
352 */
353 if (signed_pac) {
354 *signedpath = 1;
355 ret = _krb5_pac_sign(context, pac, tkt->authtime,
356 client_principal,
357 server_sign_key, krbtgt_sign_key, rspac);
358 }
359 krb5_pac_free(context, pac);
360
361 return ret;
362 }
363 }
364 free_AuthorizationData(&child);
365 }
366 return 0;
367 }
368
369 /*
370 *
371 */
372
373 static krb5_error_code
374 check_tgs_flags(krb5_context context,
375 krb5_kdc_configuration *config,
376 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
377 {
378 KDCOptions f = b->kdc_options;
379
380 if(f.validate){
381 if(!tgt->flags.invalid || tgt->starttime == NULL){
382 kdc_log(context, config, 0,
383 "Bad request to validate ticket");
384 return KRB5KDC_ERR_BADOPTION;
385 }
386 if(*tgt->starttime > kdc_time){
387 kdc_log(context, config, 0,
388 "Early request to validate ticket");
389 return KRB5KRB_AP_ERR_TKT_NYV;
390 }
391 /* XXX tkt = tgt */
392 et->flags.invalid = 0;
393 }else if(tgt->flags.invalid){
394 kdc_log(context, config, 0,
395 "Ticket-granting ticket has INVALID flag set");
396 return KRB5KRB_AP_ERR_TKT_INVALID;
397 }
398
399 if(f.forwardable){
400 if(!tgt->flags.forwardable){
401 kdc_log(context, config, 0,
402 "Bad request for forwardable ticket");
403 return KRB5KDC_ERR_BADOPTION;
404 }
405 et->flags.forwardable = 1;
406 }
407 if(f.forwarded){
408 if(!tgt->flags.forwardable){
409 kdc_log(context, config, 0,
410 "Request to forward non-forwardable ticket");
411 return KRB5KDC_ERR_BADOPTION;
412 }
413 et->flags.forwarded = 1;
414 et->caddr = b->addresses;
415 }
416 if(tgt->flags.forwarded)
417 et->flags.forwarded = 1;
418
419 if(f.proxiable){
420 if(!tgt->flags.proxiable){
421 kdc_log(context, config, 0,
422 "Bad request for proxiable ticket");
423 return KRB5KDC_ERR_BADOPTION;
424 }
425 et->flags.proxiable = 1;
426 }
427 if(f.proxy){
428 if(!tgt->flags.proxiable){
429 kdc_log(context, config, 0,
430 "Request to proxy non-proxiable ticket");
431 return KRB5KDC_ERR_BADOPTION;
432 }
433 et->flags.proxy = 1;
434 et->caddr = b->addresses;
435 }
436 if(tgt->flags.proxy)
437 et->flags.proxy = 1;
438
439 if(f.allow_postdate){
440 if(!tgt->flags.may_postdate){
441 kdc_log(context, config, 0,
442 "Bad request for post-datable ticket");
443 return KRB5KDC_ERR_BADOPTION;
444 }
445 et->flags.may_postdate = 1;
446 }
447 if(f.postdated){
448 if(!tgt->flags.may_postdate){
449 kdc_log(context, config, 0,
450 "Bad request for postdated ticket");
451 return KRB5KDC_ERR_BADOPTION;
452 }
453 if(b->from)
454 *et->starttime = *b->from;
455 et->flags.postdated = 1;
456 et->flags.invalid = 1;
457 }else if(b->from && *b->from > kdc_time + context->max_skew){
458 kdc_log(context, config, 0, "Ticket cannot be postdated");
459 return KRB5KDC_ERR_CANNOT_POSTDATE;
460 }
461
462 if(f.renewable){
463 if(!tgt->flags.renewable || tgt->renew_till == NULL){
464 kdc_log(context, config, 0,
465 "Bad request for renewable ticket");
466 return KRB5KDC_ERR_BADOPTION;
467 }
468 et->flags.renewable = 1;
469 ALLOC(et->renew_till);
470 _kdc_fix_time(&b->rtime);
471 *et->renew_till = *b->rtime;
472 }
473 if(f.renew){
474 time_t old_life;
475 if(!tgt->flags.renewable || tgt->renew_till == NULL){
476 kdc_log(context, config, 0,
477 "Request to renew non-renewable ticket");
478 return KRB5KDC_ERR_BADOPTION;
479 }
480 old_life = tgt->endtime;
481 if(tgt->starttime)
482 old_life -= *tgt->starttime;
483 else
484 old_life -= tgt->authtime;
485 et->endtime = *et->starttime + old_life;
486 if (et->renew_till != NULL)
487 et->endtime = min(*et->renew_till, et->endtime);
488 }
489
490 #if 0
491 /* checks for excess flags */
492 if(f.request_anonymous && !config->allow_anonymous){
493 kdc_log(context, config, 0,
494 "Request for anonymous ticket");
495 return KRB5KDC_ERR_BADOPTION;
496 }
497 #endif
498 return 0;
499 }
500
501 /*
502 * Determine if constrained delegation is allowed from this client to this server
503 */
504
505 static krb5_error_code
506 check_constrained_delegation(krb5_context context,
507 krb5_kdc_configuration *config,
508 HDB *clientdb,
509 hdb_entry_ex *client,
510 hdb_entry_ex *server,
511 krb5_const_principal target)
512 {
513 const HDB_Ext_Constrained_delegation_acl *acl;
514 krb5_error_code ret;
515 size_t i;
516
517 /*
518 * constrained_delegation (S4U2Proxy) only works within
519 * the same realm. We use the already canonicalized version
520 * of the principals here, while "target" is the principal
521 * provided by the client.
522 */
523 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
524 ret = KRB5KDC_ERR_BADOPTION;
525 kdc_log(context, config, 0,
526 "Bad request for constrained delegation");
527 return ret;
528 }
529
530 if (clientdb->hdb_check_constrained_delegation) {
531 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
532 if (ret == 0)
533 return 0;
534 } else {
535 /* if client delegates to itself, that ok */
536 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
537 return 0;
538
539 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
540 if (ret) {
541 krb5_clear_error_message(context);
542 return ret;
543 }
544
545 if (acl) {
546 for (i = 0; i < acl->len; i++) {
547 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
548 return 0;
549 }
550 }
551 ret = KRB5KDC_ERR_BADOPTION;
552 }
553 kdc_log(context, config, 0,
554 "Bad request for constrained delegation");
555 return ret;
556 }
557
558 /*
559 * Determine if s4u2self is allowed from this client to this server
560 *
561 * For example, regardless of the principal being impersonated, if the
562 * 'client' and 'server' are the same, then it's safe.
563 */
564
565 static krb5_error_code
566 check_s4u2self(krb5_context context,
567 krb5_kdc_configuration *config,
568 HDB *clientdb,
569 hdb_entry_ex *client,
570 krb5_const_principal server)
571 {
572 krb5_error_code ret;
573
574 /* if client does a s4u2self to itself, that ok */
575 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
576 return 0;
577
578 if (clientdb->hdb_check_s4u2self) {
579 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
580 if (ret == 0)
581 return 0;
582 } else {
583 ret = KRB5KDC_ERR_BADOPTION;
584 }
585 return ret;
586 }
587
588 /*
589 *
590 */
591
592 static krb5_error_code
593 verify_flags (krb5_context context,
594 krb5_kdc_configuration *config,
595 const EncTicketPart *et,
596 const char *pstr)
597 {
598 if(et->endtime < kdc_time){
599 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
600 return KRB5KRB_AP_ERR_TKT_EXPIRED;
601 }
602 if(et->flags.invalid){
603 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
604 return KRB5KRB_AP_ERR_TKT_NYV;
605 }
606 return 0;
607 }
608
609 /*
610 *
611 */
612
613 static krb5_error_code
614 fix_transited_encoding(krb5_context context,
615 krb5_kdc_configuration *config,
616 krb5_boolean check_policy,
617 const TransitedEncoding *tr,
618 EncTicketPart *et,
619 const char *client_realm,
620 const char *server_realm,
621 const char *tgt_realm)
622 {
623 krb5_error_code ret = 0;
624 char **realms, **tmp;
625 unsigned int num_realms;
626 size_t i;
627
628 switch (tr->tr_type) {
629 case DOMAIN_X500_COMPRESS:
630 break;
631 case 0:
632 /*
633 * Allow empty content of type 0 because that is was Microsoft
634 * generates in their TGT.
635 */
636 if (tr->contents.length == 0)
637 break;
638 kdc_log(context, config, 0,
639 "Transited type 0 with non empty content");
640 return KRB5KDC_ERR_TRTYPE_NOSUPP;
641 default:
642 kdc_log(context, config, 0,
643 "Unknown transited type: %u", tr->tr_type);
644 return KRB5KDC_ERR_TRTYPE_NOSUPP;
645 }
646
647 ret = krb5_domain_x500_decode(context,
648 tr->contents,
649 &realms,
650 &num_realms,
651 client_realm,
652 server_realm);
653 if(ret){
654 krb5_warn(context, ret,
655 "Decoding transited encoding");
656 return ret;
657 }
658
659 /*
660 * If the realm of the presented tgt is neither the client nor the server
661 * realm, it is a transit realm and must be added to transited set.
662 */
663 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
664 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
665 ret = ERANGE;
666 goto free_realms;
667 }
668 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
669 if(tmp == NULL){
670 ret = ENOMEM;
671 goto free_realms;
672 }
673 realms = tmp;
674 realms[num_realms] = strdup(tgt_realm);
675 if(realms[num_realms] == NULL){
676 ret = ENOMEM;
677 goto free_realms;
678 }
679 num_realms++;
680 }
681 if(num_realms == 0) {
682 if(strcmp(client_realm, server_realm))
683 kdc_log(context, config, 0,
684 "cross-realm %s -> %s", client_realm, server_realm);
685 } else {
686 size_t l = 0;
687 char *rs;
688 for(i = 0; i < num_realms; i++)
689 l += strlen(realms[i]) + 2;
690 rs = malloc(l);
691 if(rs != NULL) {
692 *rs = '\0';
693 for(i = 0; i < num_realms; i++) {
694 if(i > 0)
695 strlcat(rs, ", ", l);
696 strlcat(rs, realms[i], l);
697 }
698 kdc_log(context, config, 0,
699 "cross-realm %s -> %s via [%s]",
700 client_realm, server_realm, rs);
701 free(rs);
702 }
703 }
704 if(check_policy) {
705 ret = krb5_check_transited(context, client_realm,
706 server_realm,
707 realms, num_realms, NULL);
708 if(ret) {
709 krb5_warn(context, ret, "cross-realm %s -> %s",
710 client_realm, server_realm);
711 goto free_realms;
712 }
713 et->flags.transited_policy_checked = 1;
714 }
715 et->transited.tr_type = DOMAIN_X500_COMPRESS;
716 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
717 if(ret)
718 krb5_warn(context, ret, "Encoding transited encoding");
719 free_realms:
720 for(i = 0; i < num_realms; i++)
721 free(realms[i]);
722 free(realms);
723 return ret;
724 }
725
726
727 static krb5_error_code
728 tgs_make_reply(krb5_context context,
729 krb5_kdc_configuration *config,
730 KDC_REQ_BODY *b,
731 krb5_const_principal tgt_name,
732 const EncTicketPart *tgt,
733 const krb5_keyblock *replykey,
734 int rk_is_subkey,
735 const EncryptionKey *serverkey,
736 const krb5_keyblock *sessionkey,
737 krb5_kvno kvno,
738 AuthorizationData *auth_data,
739 hdb_entry_ex *server,
740 krb5_principal server_principal,
741 const char *server_name,
742 hdb_entry_ex *client,
743 krb5_principal client_principal,
744 const char *tgt_realm,
745 hdb_entry_ex *krbtgt,
746 krb5_enctype krbtgt_etype,
747 krb5_principals spp,
748 const krb5_data *rspac,
749 const METHOD_DATA *enc_pa_data,
750 const char **e_text,
751 krb5_data *reply)
752 {
753 KDC_REP rep;
754 EncKDCRepPart ek;
755 EncTicketPart et;
756 KDCOptions f = b->kdc_options;
757 krb5_error_code ret;
758 int is_weak = 0;
759
760 memset(&rep, 0, sizeof(rep));
761 memset(&et, 0, sizeof(et));
762 memset(&ek, 0, sizeof(ek));
763
764 rep.pvno = 5;
765 rep.msg_type = krb_tgs_rep;
766
767 et.authtime = tgt->authtime;
768 _kdc_fix_time(&b->till);
769 et.endtime = min(tgt->endtime, *b->till);
770 ALLOC(et.starttime);
771 *et.starttime = kdc_time;
772
773 ret = check_tgs_flags(context, config, b, tgt, &et);
774 if(ret)
775 goto out;
776
777 /* We should check the transited encoding if:
778 1) the request doesn't ask not to be checked
779 2) globally enforcing a check
780 3) principal requires checking
781 4) we allow non-check per-principal, but principal isn't marked as allowing this
782 5) we don't globally allow this
783 */
784
785 #define GLOBAL_FORCE_TRANSITED_CHECK \
786 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
787 #define GLOBAL_ALLOW_PER_PRINCIPAL \
788 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
789 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
790 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
791
792 /* these will consult the database in future release */
793 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
794 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
795
796 ret = fix_transited_encoding(context, config,
797 !f.disable_transited_check ||
798 GLOBAL_FORCE_TRANSITED_CHECK ||
799 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
800 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
801 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
802 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
803 &tgt->transited, &et,
804 krb5_principal_get_realm(context, client_principal),
805 krb5_principal_get_realm(context, server->entry.principal),
806 tgt_realm);
807 if(ret)
808 goto out;
809
810 ret = copy_Realm(&server_principal->realm, &rep.ticket.realm);
811 if (ret)
812 goto out;
813 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
814 ret = copy_Realm(&tgt_name->realm, &rep.crealm);
815 if (ret)
816 goto out;
817 /*
818 if (f.request_anonymous)
819 _kdc_make_anonymous_principalname (&rep.cname);
820 else */
821
822 ret = copy_PrincipalName(&tgt_name->name, &rep.cname);
823 if (ret)
824 goto out;
825 rep.ticket.tkt_vno = 5;
826
827 ek.caddr = et.caddr;
828
829 {
830 time_t life;
831 life = et.endtime - *et.starttime;
832 if(client && client->entry.max_life)
833 life = min(life, *client->entry.max_life);
834 if(server->entry.max_life)
835 life = min(life, *server->entry.max_life);
836 et.endtime = *et.starttime + life;
837 }
838 if(f.renewable_ok && tgt->flags.renewable &&
839 et.renew_till == NULL && et.endtime < *b->till &&
840 tgt->renew_till != NULL)
841 {
842 et.flags.renewable = 1;
843 ALLOC(et.renew_till);
844 *et.renew_till = *b->till;
845 }
846 if(et.renew_till){
847 time_t renew;
848 renew = *et.renew_till - *et.starttime;
849 if(client && client->entry.max_renew)
850 renew = min(renew, *client->entry.max_renew);
851 if(server->entry.max_renew)
852 renew = min(renew, *server->entry.max_renew);
853 *et.renew_till = *et.starttime + renew;
854 }
855
856 if(et.renew_till){
857 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
858 *et.starttime = min(*et.starttime, *et.renew_till);
859 et.endtime = min(et.endtime, *et.renew_till);
860 }
861
862 *et.starttime = min(*et.starttime, et.endtime);
863
864 if(*et.starttime == et.endtime){
865 ret = KRB5KDC_ERR_NEVER_VALID;
866 goto out;
867 }
868 if(et.renew_till && et.endtime == *et.renew_till){
869 free(et.renew_till);
870 et.renew_till = NULL;
871 et.flags.renewable = 0;
872 }
873
874 et.flags.pre_authent = tgt->flags.pre_authent;
875 et.flags.hw_authent = tgt->flags.hw_authent;
876 et.flags.anonymous = tgt->flags.anonymous;
877 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
878
879 if(rspac->length) {
880 /*
881 * No not need to filter out the any PAC from the
882 * auth_data since it's signed by the KDC.
883 */
884 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
885 KRB5_AUTHDATA_WIN2K_PAC, rspac);
886 if (ret)
887 goto out;
888 }
889
890 if (auth_data) {
891 unsigned int i = 0;
892
893 /* XXX check authdata */
894
895 if (et.authorization_data == NULL) {
896 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
897 if (et.authorization_data == NULL) {
898 ret = ENOMEM;
899 krb5_set_error_message(context, ret, "malloc: out of memory");
900 goto out;
901 }
902 }
903 for(i = 0; i < auth_data->len ; i++) {
904 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
905 if (ret) {
906 krb5_set_error_message(context, ret, "malloc: out of memory");
907 goto out;
908 }
909 }
910
911 /* Filter out type KRB5SignedPath */
912 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
913 if (ret == 0) {
914 if (et.authorization_data->len == 1) {
915 free_AuthorizationData(et.authorization_data);
916 free(et.authorization_data);
917 et.authorization_data = NULL;
918 } else {
919 AuthorizationData *ad = et.authorization_data;
920 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
921 ad->len--;
922 }
923 }
924 }
925
926 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
927 if (ret)
928 goto out;
929 et.crealm = tgt_name->realm;
930 et.cname = tgt_name->name;
931
932 ek.key = et.key;
933 /* MIT must have at least one last_req */
934 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
935 if (ek.last_req.val == NULL) {
936 ret = ENOMEM;
937 goto out;
938 }
939 ek.last_req.len = 1; /* set after alloc to avoid null deref on cleanup */
940 ek.nonce = b->nonce;
941 ek.flags = et.flags;
942 ek.authtime = et.authtime;
943 ek.starttime = et.starttime;
944 ek.endtime = et.endtime;
945 ek.renew_till = et.renew_till;
946 ek.srealm = rep.ticket.realm;
947 ek.sname = rep.ticket.sname;
948
949 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
950 et.endtime, et.renew_till);
951
952 /* Don't sign cross realm tickets, they can't be checked anyway */
953 {
954 char *r = get_krbtgt_realm(&ek.sname);
955
956 if (r == NULL || strcmp(r, ek.srealm) == 0) {
957 ret = _kdc_add_KRB5SignedPath(context,
958 config,
959 krbtgt,
960 krbtgt_etype,
961 client_principal,
962 NULL,
963 spp,
964 &et);
965 if (ret)
966 goto out;
967 }
968 }
969
970 if (enc_pa_data->len) {
971 rep.padata = calloc(1, sizeof(*rep.padata));
972 if (rep.padata == NULL) {
973 ret = ENOMEM;
974 goto out;
975 }
976 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
977 if (ret)
978 goto out;
979 }
980
981 if (krb5_enctype_valid(context, serverkey->keytype) != 0
982 && _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
983 {
984 krb5_enctype_enable(context, serverkey->keytype);
985 is_weak = 1;
986 }
987
988
989 /* It is somewhat unclear where the etype in the following
990 encryption should come from. What we have is a session
991 key in the passed tgt, and a list of preferred etypes
992 *for the new ticket*. Should we pick the best possible
993 etype, given the keytype in the tgt, or should we look
994 at the etype list here as well? What if the tgt
995 session key is DES3 and we want a ticket with a (say)
996 CAST session key. Should the DES3 etype be added to the
997 etype list, even if we don't want a session key with
998 DES3? */
999 ret = _kdc_encode_reply(context, config, NULL, 0,
1000 &rep, &et, &ek, serverkey->keytype,
1001 kvno,
1002 serverkey, 0, replykey, rk_is_subkey,
1003 e_text, reply);
1004 if (is_weak)
1005 krb5_enctype_disable(context, serverkey->keytype);
1006
1007 out:
1008 free_TGS_REP(&rep);
1009 free_TransitedEncoding(&et.transited);
1010 if(et.starttime)
1011 free(et.starttime);
1012 if(et.renew_till)
1013 free(et.renew_till);
1014 if(et.authorization_data) {
1015 free_AuthorizationData(et.authorization_data);
1016 free(et.authorization_data);
1017 }
1018 free_LastReq(&ek.last_req);
1019 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1020 free_EncryptionKey(&et.key);
1021 return ret;
1022 }
1023
1024 static krb5_error_code
1025 tgs_check_authenticator(krb5_context context,
1026 krb5_kdc_configuration *config,
1027 krb5_auth_context ac,
1028 KDC_REQ_BODY *b,
1029 const char **e_text,
1030 krb5_keyblock *key)
1031 {
1032 krb5_authenticator auth;
1033 size_t len = 0;
1034 unsigned char *buf;
1035 size_t buf_size;
1036 krb5_error_code ret;
1037 krb5_crypto crypto;
1038
1039 krb5_auth_con_getauthenticator(context, ac, &auth);
1040 if(auth->cksum == NULL){
1041 kdc_log(context, config, 0, "No authenticator in request");
1042 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1043 goto out;
1044 }
1045 /*
1046 * according to RFC1510 it doesn't need to be keyed,
1047 * but according to the latest draft it needs to.
1048 */
1049 if (
1050 #if 0
1051 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1052 ||
1053 #endif
1054 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1055 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1056 auth->cksum->cksumtype);
1057 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1058 goto out;
1059 }
1060
1061 /* XXX should not re-encode this */
1062 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1063 if(ret){
1064 const char *msg = krb5_get_error_message(context, ret);
1065 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1066 krb5_free_error_message(context, msg);
1067 goto out;
1068 }
1069 if(buf_size != len) {
1070 free(buf);
1071 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1072 *e_text = "KDC internal error";
1073 ret = KRB5KRB_ERR_GENERIC;
1074 goto out;
1075 }
1076 ret = krb5_crypto_init(context, key, 0, &crypto);
1077 if (ret) {
1078 const char *msg = krb5_get_error_message(context, ret);
1079 free(buf);
1080 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1081 krb5_free_error_message(context, msg);
1082 goto out;
1083 }
1084 ret = krb5_verify_checksum(context,
1085 crypto,
1086 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1087 buf,
1088 len,
1089 auth->cksum);
1090 free(buf);
1091 krb5_crypto_destroy(context, crypto);
1092 if(ret){
1093 const char *msg = krb5_get_error_message(context, ret);
1094 kdc_log(context, config, 0,
1095 "Failed to verify authenticator checksum: %s", msg);
1096 krb5_free_error_message(context, msg);
1097 }
1098 out:
1099 free_Authenticator(auth);
1100 free(auth);
1101 return ret;
1102 }
1103
1104 static krb5_boolean
1105 need_referral(krb5_context context, krb5_kdc_configuration *config,
1106 const KDCOptions * const options, krb5_principal server,
1107 krb5_realm **realms)
1108 {
1109 const char *name;
1110
1111 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1112 return FALSE;
1113
1114 if (server->name.name_string.len == 1)
1115 name = server->name.name_string.val[0];
1116 else if (server->name.name_string.len == 3) {
1117 /*
1118 This is used to give referrals for the
1119 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1120 SPN form, which is used for inter-domain communication in AD
1121 */
1122 name = server->name.name_string.val[2];
1123 kdc_log(context, config, 0, "Giving 3 part referral for %s", name);
1124 *realms = malloc(sizeof(char *)*2);
1125 if (*realms == NULL) {
1126 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1127 return FALSE;
1128 }
1129 (*realms)[0] = strdup(name);
1130 (*realms)[1] = NULL;
1131 return TRUE;
1132 } else if (server->name.name_string.len > 1)
1133 name = server->name.name_string.val[1];
1134 else
1135 return FALSE;
1136
1137 kdc_log(context, config, 0, "Searching referral for %s", name);
1138
1139 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1140 }
1141
1142 static krb5_error_code
1143 tgs_parse_request(krb5_context context,
1144 krb5_kdc_configuration *config,
1145 KDC_REQ_BODY *b,
1146 const PA_DATA *tgs_req,
1147 hdb_entry_ex **krbtgt,
1148 krb5_enctype *krbtgt_etype,
1149 krb5_ticket **ticket,
1150 const char **e_text,
1151 const char *from,
1152 const struct sockaddr *from_addr,
1153 time_t **csec,
1154 int **cusec,
1155 AuthorizationData **auth_data,
1156 krb5_keyblock **replykey,
1157 int *rk_is_subkey)
1158 {
1159 static char failed[] = "<unparse_name failed>";
1160 krb5_ap_req ap_req;
1161 krb5_error_code ret;
1162 krb5_principal princ;
1163 krb5_auth_context ac = NULL;
1164 krb5_flags ap_req_options;
1165 krb5_flags verify_ap_req_flags;
1166 krb5_crypto crypto;
1167 krb5uint32 krbtgt_kvno; /* kvno used for the PA-TGS-REQ AP-REQ Ticket */
1168 krb5uint32 krbtgt_kvno_try;
1169 int kvno_search_tries = 4; /* number of kvnos to try when tkt_vno == 0 */
1170 const Keys *krbtgt_keys;/* keyset for TGT tkt_vno */
1171 Key *tkey;
1172 krb5_keyblock *subkey = NULL;
1173 unsigned usage;
1174
1175 *auth_data = NULL;
1176 *csec = NULL;
1177 *cusec = NULL;
1178 *replykey = NULL;
1179
1180 memset(&ap_req, 0, sizeof(ap_req));
1181 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1182 if(ret){
1183 const char *msg = krb5_get_error_message(context, ret);
1184 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1185 krb5_free_error_message(context, msg);
1186 goto out;
1187 }
1188
1189 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1190 /* XXX check for ticket.sname == req.sname */
1191 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1192 ret = KRB5KDC_ERR_POLICY; /* ? */
1193 goto out;
1194 }
1195
1196 _krb5_principalname2krb5_principal(context,
1197 &princ,
1198 ap_req.ticket.sname,
1199 ap_req.ticket.realm);
1200
1201 krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
1202 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
1203 &krbtgt_kvno, NULL, krbtgt);
1204
1205 if (ret == HDB_ERR_NOT_FOUND_HERE) {
1206 /* XXX Factor out this unparsing of the same princ all over */
1207 char *p;
1208 ret = krb5_unparse_name(context, princ, &p);
1209 if (ret != 0)
1210 p = failed;
1211 krb5_free_principal(context, princ);
1212 kdc_log(context, config, 5,
1213 "Ticket-granting ticket account %s does not have secrets at "
1214 "this KDC, need to proxy", p);
1215 if (ret == 0)
1216 free(p);
1217 ret = HDB_ERR_NOT_FOUND_HERE;
1218 goto out;
1219 } else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
1220 char *p;
1221 ret = krb5_unparse_name(context, princ, &p);
1222 if (ret != 0)
1223 p = failed;
1224 krb5_free_principal(context, princ);
1225 kdc_log(context, config, 5,
1226 "Ticket-granting ticket account %s does not have keys for "
1227 "kvno %d at this KDC", p, krbtgt_kvno);
1228 if (ret == 0)
1229 free(p);
1230 ret = HDB_ERR_KVNO_NOT_FOUND;
1231 goto out;
1232 } else if (ret == HDB_ERR_NO_MKEY) {
1233 char *p;
1234 ret = krb5_unparse_name(context, princ, &p);
1235 if (ret != 0)
1236 p = failed;
1237 krb5_free_principal(context, princ);
1238 kdc_log(context, config, 5,
1239 "Missing master key for decrypting keys for ticket-granting "
1240 "ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
1241 if (ret == 0)
1242 free(p);
1243 ret = HDB_ERR_KVNO_NOT_FOUND;
1244 goto out;
1245 } else if (ret) {
1246 const char *msg = krb5_get_error_message(context, ret);
1247 char *p;
1248 ret = krb5_unparse_name(context, princ, &p);
1249 if (ret != 0)
1250 p = failed;
1251 krb5_free_principal(context, princ);
1252 kdc_log(context, config, 0,
1253 "Ticket-granting ticket not found in database: %s", msg);
1254 krb5_free_error_message(context, msg);
1255 if (ret == 0)
1256 free(p);
1257 ret = KRB5KRB_AP_ERR_NOT_US;
1258 goto out;
1259 }
1260
1261 krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : (*krbtgt)->entry.kvno;
1262 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1263
1264 next_kvno:
1265 krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try);
1266 ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys,
1267 ap_req.ticket.enc_part.etype, &tkey);
1268 if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
1269 kvno_search_tries--;
1270 krbtgt_kvno_try--;
1271 goto next_kvno;
1272 } else if (ret) {
1273 char *str = NULL, *p = NULL;
1274
1275 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1276 krb5_unparse_name(context, princ, &p);
1277 kdc_log(context, config, 0,
1278 "No server key with enctype %s found for %s",
1279 str ? str : "<unknown enctype>",
1280 p ? p : "<unparse_name failed>");
1281 free(str);
1282 free(p);
1283 ret = KRB5KRB_AP_ERR_BADKEYVER;
1284 goto out;
1285 }
1286
1287 if (b->kdc_options.validate)
1288 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1289 else
1290 verify_ap_req_flags = 0;
1291
1292 ret = krb5_verify_ap_req2(context,
1293 &ac,
1294 &ap_req,
1295 princ,
1296 &tkey->key,
1297 verify_ap_req_flags,
1298 &ap_req_options,
1299 ticket,
1300 KRB5_KU_TGS_REQ_AUTH);
1301 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
1302 kvno_search_tries--;
1303 krbtgt_kvno_try--;
1304 goto next_kvno;
1305 }
1306
1307 krb5_free_principal(context, princ);
1308 if(ret) {
1309 const char *msg = krb5_get_error_message(context, ret);
1310 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1311 krb5_free_error_message(context, msg);
1312 goto out;
1313 }
1314
1315 {
1316 krb5_authenticator auth;
1317
1318 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1319 if (ret == 0) {
1320 *csec = malloc(sizeof(**csec));
1321 if (*csec == NULL) {
1322 krb5_free_authenticator(context, &auth);
1323 kdc_log(context, config, 0, "malloc failed");
1324 goto out;
1325 }
1326 **csec = auth->ctime;
1327 *cusec = malloc(sizeof(**cusec));
1328 if (*cusec == NULL) {
1329 krb5_free_authenticator(context, &auth);
1330 kdc_log(context, config, 0, "malloc failed");
1331 goto out;
1332 }
1333 **cusec = auth->cusec;
1334 krb5_free_authenticator(context, &auth);
1335 }
1336 }
1337
1338 ret = tgs_check_authenticator(context, config,
1339 ac, b, e_text, &(*ticket)->ticket.key);
1340 if (ret) {
1341 krb5_auth_con_free(context, ac);
1342 goto out;
1343 }
1344
1345 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1346 *rk_is_subkey = 1;
1347
1348 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1349 if(ret){
1350 const char *msg = krb5_get_error_message(context, ret);
1351 krb5_auth_con_free(context, ac);
1352 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1353 krb5_free_error_message(context, msg);
1354 goto out;
1355 }
1356 if(subkey == NULL){
1357 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1358 *rk_is_subkey = 0;
1359
1360 ret = krb5_auth_con_getkey(context, ac, &subkey);
1361 if(ret) {
1362 const char *msg = krb5_get_error_message(context, ret);
1363 krb5_auth_con_free(context, ac);
1364 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1365 krb5_free_error_message(context, msg);
1366 goto out;
1367 }
1368 }
1369 if(subkey == NULL){
1370 krb5_auth_con_free(context, ac);
1371 kdc_log(context, config, 0,
1372 "Failed to get key for enc-authorization-data");
1373 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1374 goto out;
1375 }
1376
1377 *replykey = subkey;
1378
1379 if (b->enc_authorization_data) {
1380 krb5_data ad;
1381
1382 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1383 if (ret) {
1384 const char *msg = krb5_get_error_message(context, ret);
1385 krb5_auth_con_free(context, ac);
1386 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1387 krb5_free_error_message(context, msg);
1388 goto out;
1389 }
1390 ret = krb5_decrypt_EncryptedData (context,
1391 crypto,
1392 usage,
1393 b->enc_authorization_data,
1394 &ad);
1395 krb5_crypto_destroy(context, crypto);
1396 if(ret){
1397 krb5_auth_con_free(context, ac);
1398 kdc_log(context, config, 0,
1399 "Failed to decrypt enc-authorization-data");
1400 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1401 goto out;
1402 }
1403 ALLOC(*auth_data);
1404 if (*auth_data == NULL) {
1405 krb5_auth_con_free(context, ac);
1406 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1407 goto out;
1408 }
1409 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1410 if(ret){
1411 krb5_auth_con_free(context, ac);
1412 free(*auth_data);
1413 *auth_data = NULL;
1414 kdc_log(context, config, 0, "Failed to decode authorization data");
1415 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1416 goto out;
1417 }
1418 }
1419
1420 krb5_auth_con_free(context, ac);
1421
1422 out:
1423 free_AP_REQ(&ap_req);
1424
1425 return ret;
1426 }
1427
1428 static krb5_error_code
1429 build_server_referral(krb5_context context,
1430 krb5_kdc_configuration *config,
1431 krb5_crypto session,
1432 krb5_const_realm referred_realm,
1433 const PrincipalName *true_principal_name,
1434 const PrincipalName *requested_principal,
1435 krb5_data *outdata)
1436 {
1437 PA_ServerReferralData ref;
1438 krb5_error_code ret;
1439 EncryptedData ed;
1440 krb5_data data;
1441 size_t size = 0;
1442
1443 memset(&ref, 0, sizeof(ref));
1444
1445 if (referred_realm) {
1446 ALLOC(ref.referred_realm);
1447 if (ref.referred_realm == NULL)
1448 goto eout;
1449 *ref.referred_realm = strdup(referred_realm);
1450 if (*ref.referred_realm == NULL)
1451 goto eout;
1452 }
1453 if (true_principal_name) {
1454 ALLOC(ref.true_principal_name);
1455 if (ref.true_principal_name == NULL)
1456 goto eout;
1457 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1458 if (ret)
1459 goto eout;
1460 }
1461 if (requested_principal) {
1462 ALLOC(ref.requested_principal_name);
1463 if (ref.requested_principal_name == NULL)
1464 goto eout;
1465 ret = copy_PrincipalName(requested_principal,
1466 ref.requested_principal_name);
1467 if (ret)
1468 goto eout;
1469 }
1470
1471 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1472 data.data, data.length,
1473 &ref, &size, ret);
1474 free_PA_ServerReferralData(&ref);
1475 if (ret)
1476 return ret;
1477 if (data.length != size)
1478 krb5_abortx(context, "internal asn.1 encoder error");
1479
1480 ret = krb5_encrypt_EncryptedData(context, session,
1481 KRB5_KU_PA_SERVER_REFERRAL,
1482 data.data, data.length,
1483 0 /* kvno */, &ed);
1484 free(data.data);
1485 if (ret)
1486 return ret;
1487
1488 ASN1_MALLOC_ENCODE(EncryptedData,
1489 outdata->data, outdata->length,
1490 &ed, &size, ret);
1491 free_EncryptedData(&ed);
1492 if (ret)
1493 return ret;
1494 if (outdata->length != size)
1495 krb5_abortx(context, "internal asn.1 encoder error");
1496
1497 return 0;
1498 eout:
1499 free_PA_ServerReferralData(&ref);
1500 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1501 return ENOMEM;
1502 }
1503
1504 static krb5_error_code
1505 tgs_build_reply(krb5_context context,
1506 krb5_kdc_configuration *config,
1507 KDC_REQ *req,
1508 KDC_REQ_BODY *b,
1509 hdb_entry_ex *krbtgt,
1510 krb5_enctype krbtgt_etype,
1511 const krb5_keyblock *replykey,
1512 int rk_is_subkey,
1513 krb5_ticket *ticket,
1514 krb5_data *reply,
1515 const char *from,
1516 const char **e_text,
1517 AuthorizationData **auth_data,
1518 const struct sockaddr *from_addr)
1519 {
1520 krb5_error_code ret, ret2;
1521 krb5_principal cp = NULL, sp = NULL, rsp = NULL, tp = NULL, dp = NULL;
1522 krb5_principal krbtgt_out_principal = NULL;
1523 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL, *krbtgt_out_n = NULL;
1524 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1525 HDB *clientdb, *s4u2self_impersonated_clientdb;
1526 krb5_realm ref_realm = NULL;
1527 EncTicketPart *tgt = &ticket->ticket;
1528 krb5_principals spp = NULL;
1529 const EncryptionKey *ekey;
1530 krb5_keyblock sessionkey;
1531 krb5_kvno kvno;
1532 krb5_data rspac;
1533 const char *tgt_realm = /* Realm of TGT issuer */
1534 krb5_principal_get_realm(context, krbtgt->entry.principal);
1535 const char *our_realm = /* Realm of this KDC */
1536 krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
1537 char **capath = NULL;
1538 size_t num_capath = 0;
1539
1540 hdb_entry_ex *krbtgt_out = NULL;
1541
1542 METHOD_DATA enc_pa_data;
1543
1544 PrincipalName *s;
1545 Realm r;
1546 EncTicketPart adtkt;
1547 char opt_str[128];
1548 int signedpath = 0;
1549
1550 Key *tkey_check;
1551 Key *tkey_sign;
1552 int flags = HDB_F_FOR_TGS_REQ;
1553
1554 memset(&sessionkey, 0, sizeof(sessionkey));
1555 memset(&adtkt, 0, sizeof(adtkt));
1556 krb5_data_zero(&rspac);
1557 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1558
1559 s = b->sname;
1560 r = b->realm;
1561
1562 /*
1563 * Always to do CANON, see comment below about returned server principal (rsp).
1564 */
1565 flags |= HDB_F_CANON;
1566
1567 if(b->kdc_options.enc_tkt_in_skey){
1568 Ticket *t;
1569 hdb_entry_ex *uu;
1570 krb5_principal p;
1571 Key *uukey;
1572 krb5uint32 second_kvno = 0;
1573 krb5uint32 *kvno_ptr = NULL;
1574
1575 if(b->additional_tickets == NULL ||
1576 b->additional_tickets->len == 0){
1577 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1578 kdc_log(context, config, 0,
1579 "No second ticket present in request");
1580 goto out;
1581 }
1582 t = &b->additional_tickets->val[0];
1583 if(!get_krbtgt_realm(&t->sname)){
1584 kdc_log(context, config, 0,
1585 "Additional ticket is not a ticket-granting ticket");
1586 ret = KRB5KDC_ERR_POLICY;
1587 goto out;
1588 }
1589 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1590 if(t->enc_part.kvno){
1591 second_kvno = *t->enc_part.kvno;
1592 kvno_ptr = &second_kvno;
1593 }
1594 ret = _kdc_db_fetch(context, config, p,
1595 HDB_F_GET_KRBTGT, kvno_ptr,
1596 NULL, &uu);
1597 krb5_free_principal(context, p);
1598 if(ret){
1599 if (ret == HDB_ERR_NOENTRY)
1600 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1601 goto out;
1602 }
1603 ret = hdb_enctype2key(context, &uu->entry, NULL,
1604 t->enc_part.etype, &uukey);
1605 if(ret){
1606 _kdc_free_ent(context, uu);
1607 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1608 goto out;
1609 }
1610 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1611 _kdc_free_ent(context, uu);
1612 if(ret)
1613 goto out;
1614
1615 ret = verify_flags(context, config, &adtkt, spn);
1616 if (ret)
1617 goto out;
1618
1619 s = &adtkt.cname;
1620 r = adtkt.crealm;
1621 }
1622
1623 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1624 ret = krb5_unparse_name(context, sp, &spn);
1625 if (ret)
1626 goto out;
1627 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1628 ret = krb5_unparse_name(context, cp, &cpn);
1629 if (ret)
1630 goto out;
1631 unparse_flags (KDCOptions2int(b->kdc_options),
1632 asn1_KDCOptions_units(),
1633 opt_str, sizeof(opt_str));
1634 if(*opt_str)
1635 kdc_log(context, config, 0,
1636 "TGS-REQ %s from %s for %s [%s]",
1637 cpn, from, spn, opt_str);
1638 else
1639 kdc_log(context, config, 0,
1640 "TGS-REQ %s from %s for %s", cpn, from, spn);
1641
1642 /*
1643 * Fetch server
1644 */
1645
1646 server_lookup:
1647 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1648 NULL, NULL, &server);
1649
1650 if (ret == HDB_ERR_NOT_FOUND_HERE) {
1651 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1652 goto out;
1653 } else if (ret == HDB_ERR_WRONG_REALM) {
1654 free(ref_realm);
1655 ref_realm = strdup(server->entry.principal->realm);
1656 if (ref_realm == NULL) {
1657 ret = krb5_enomem(context);
1658 goto out;
1659 }
1660
1661 kdc_log(context, config, 5,
1662 "Returning a referral to realm %s for "
1663 "server %s.",
1664 ref_realm, spn);
1665 krb5_free_principal(context, sp);
1666 sp = NULL;
1667 ret = krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1668 ref_realm, NULL);
1669 if (ret)
1670 goto out;
1671 free(spn);
1672 spn = NULL;
1673 ret = krb5_unparse_name(context, sp, &spn);
1674 if (ret)
1675 goto out;
1676
1677 goto server_lookup;
1678 } else if (ret) {
1679 const char *new_rlm, *msg;
1680 Realm req_rlm;
1681 krb5_realm *realms;
1682
1683 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1684 if (capath == NULL) {
1685 /* With referalls, hierarchical capaths are always enabled */
1686 ret2 = _krb5_find_capath(context, tgt->crealm, our_realm,
1687 req_rlm, TRUE, &capath, &num_capath);
1688 if (ret2) {
1689 ret = ret2;
1690 goto out;
1691 }
1692 }
1693 new_rlm = num_capath > 0 ? capath[--num_capath] : NULL;
1694 if (new_rlm) {
1695 kdc_log(context, config, 5, "krbtgt from %s via %s for "
1696 "realm %s not found, trying %s", tgt->crealm,
1697 our_realm, req_rlm, new_rlm);
1698
1699 free(ref_realm);
1700 ref_realm = strdup(new_rlm);
1701 if (ref_realm == NULL) {
1702 ret = krb5_enomem(context);
1703 goto out;
1704 }
1705
1706 krb5_free_principal(context, sp);
1707 sp = NULL;
1708 krb5_make_principal(context, &sp, r,
1709 KRB5_TGS_NAME, ref_realm, NULL);
1710 free(spn);
1711 spn = NULL;
1712 ret = krb5_unparse_name(context, sp, &spn);
1713 if (ret)
1714 goto out;
1715 goto server_lookup;
1716 }
1717 } else if (need_referral(context, config, &b->kdc_options, sp, &realms)) {
1718 if (strcmp(realms[0], sp->realm) != 0) {
1719 kdc_log(context, config, 5,
1720 "Returning a referral to realm %s for "
1721 "server %s that was not found",
1722 realms[0], spn);
1723 krb5_free_principal(context, sp);
1724 sp = NULL;
1725 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1726 realms[0], NULL);
1727 free(spn);
1728 spn = NULL;
1729 ret = krb5_unparse_name(context, sp, &spn);
1730 if (ret) {
1731 krb5_free_host_realm(context, realms);
1732 goto out;
1733 }
1734
1735 free(ref_realm);
1736 ref_realm = strdup(realms[0]);
1737
1738 krb5_free_host_realm(context, realms);
1739 goto server_lookup;
1740 }
1741 krb5_free_host_realm(context, realms);
1742 }
1743 msg = krb5_get_error_message(context, ret);
1744 kdc_log(context, config, 0,
1745 "Server not found in database: %s: %s", spn, msg);
1746 krb5_free_error_message(context, msg);
1747 if (ret == HDB_ERR_NOENTRY)
1748 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1749 goto out;
1750 }
1751
1752 /* the name returned to the client depend on what was asked for,
1753 * return canonical name if kdc_options.canonicalize was set, the
1754 * client wants the true name of the principal, if not it just
1755 * wants the name its asked for.
1756 */
1757
1758 if (b->kdc_options.canonicalize)
1759 rsp = server->entry.principal;
1760 else
1761 rsp = sp;
1762
1763
1764 /*
1765 * Select enctype, return key and kvno.
1766 */
1767
1768 {
1769 krb5_enctype etype;
1770
1771 if(b->kdc_options.enc_tkt_in_skey) {
1772 size_t i;
1773 ekey = &adtkt.key;
1774 for(i = 0; i < b->etype.len; i++)
1775 if (b->etype.val[i] == adtkt.key.keytype)
1776 break;
1777 if(i == b->etype.len) {
1778 kdc_log(context, config, 0,
1779 "Addition ticket have not matching etypes");
1780 krb5_clear_error_message(context);
1781 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1782 goto out;
1783 }
1784 etype = b->etype.val[i];
1785 kvno = 0;
1786 } else {
1787 Key *skey;
1788
1789 ret = _kdc_find_etype(context,
1790 krb5_principal_is_krbtgt(context, sp) ?
1791 config->tgt_use_strongest_session_key :
1792 config->svc_use_strongest_session_key, FALSE,
1793 server, b->etype.val, b->etype.len, &etype,
1794 NULL);
1795 if(ret) {
1796 kdc_log(context, config, 0,
1797 "Server (%s) has no support for etypes", spn);
1798 goto out;
1799 }
1800 ret = _kdc_get_preferred_key(context, config, server, spn,
1801 NULL, &skey);
1802 if(ret) {
1803 kdc_log(context, config, 0,
1804 "Server (%s) has no supported etypes", spn);
1805 goto out;
1806 }
1807 ekey = &skey->key;
1808 kvno = server->entry.kvno;
1809 }
1810
1811 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1812 if (ret)
1813 goto out;
1814 }
1815
1816 /*
1817 * Check that service is in the same realm as the krbtgt. If it's
1818 * not the same, it's someone that is using a uni-directional trust
1819 * backward.
1820 */
1821
1822 /*
1823 * Validate authoriation data
1824 */
1825
1826 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
1827 krbtgt_etype, &tkey_check);
1828 if(ret) {
1829 kdc_log(context, config, 0,
1830 "Failed to find key for krbtgt PAC check");
1831 goto out;
1832 }
1833
1834 /*
1835 * Now refetch the primary krbtgt, and get the current kvno (the
1836 * sign check may have been on an old kvno, and the server may
1837 * have been an incoming trust)
1838 */
1839
1840 ret = krb5_make_principal(context,
1841 &krbtgt_out_principal,
1842 our_realm,
1843 KRB5_TGS_NAME,
1844 our_realm,
1845 NULL);
1846 if (ret) {
1847 kdc_log(context, config, 0,
1848 "Failed to make krbtgt principal name object for "
1849 "authz-data signatures");
1850 goto out;
1851 }
1852 ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
1853 if (ret) {
1854 kdc_log(context, config, 0,
1855 "Failed to make krbtgt principal name object for "
1856 "authz-data signatures");
1857 goto out;
1858 }
1859
1860 ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
1861 HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1862 if (ret) {
1863 char *ktpn = NULL;
1864 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1865 kdc_log(context, config, 0,
1866 "No such principal %s (needed for authz-data signature keys) "
1867 "while processing TGS-REQ for service %s with krbtg %s",
1868 krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
1869 free(ktpn);
1870 ret = KRB5KRB_AP_ERR_NOT_US;
1871 goto out;
1872 }
1873
1874 /*
1875 * The first realm is the realm of the service, the second is
1876 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1877 * encrypted to. The redirection via the krbtgt_out entry allows
1878 * the DB to possibly correct the case of the realm (Samba4 does
1879 * this) before the strcmp()
1880 */
1881 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1882 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1883 char *ktpn;
1884 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1885 kdc_log(context, config, 0,
1886 "Request with wrong krbtgt: %s",
1887 (ret == 0) ? ktpn : "<unknown>");
1888 if(ret == 0)
1889 free(ktpn);
1890 ret = KRB5KRB_AP_ERR_NOT_US;
1891 goto out;
1892 }
1893
1894 ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n,
1895 NULL, &tkey_sign);
1896 if (ret) {
1897 kdc_log(context, config, 0,
1898 "Failed to find key for krbtgt PAC signature");
1899 goto out;
1900 }
1901 ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
1902 tkey_sign->key.keytype, &tkey_sign);
1903 if(ret) {
1904 kdc_log(context, config, 0,
1905 "Failed to find key for krbtgt PAC signature");
1906 goto out;
1907 }
1908
1909 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1910 NULL, &clientdb, &client);
1911 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1912 /* This is OK, we are just trying to find out if they have
1913 * been disabled or deleted in the meantime, missing secrets
1914 * is OK */
1915 } else if(ret){
1916 const char *krbtgt_realm, *msg;
1917
1918 /*
1919 * If the client belongs to the same realm as our krbtgt, it
1920 * should exist in the local database.
1921 *
1922 */
1923
1924 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1925
1926 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1927 if (ret == HDB_ERR_NOENTRY)
1928 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1929 kdc_log(context, config, 1, "Client no longer in database: %s",
1930 cpn);
1931 goto out;
1932 }
1933
1934 msg = krb5_get_error_message(context, ret);
1935 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1936 krb5_free_error_message(context, msg);
1937 }
1938
1939 ret = check_PAC(context, config, cp, NULL,
1940 client, server, krbtgt,
1941 &tkey_check->key,
1942 ekey, &tkey_sign->key,
1943 tgt, &rspac, &signedpath);
1944 if (ret) {
1945 const char *msg = krb5_get_error_message(context, ret);
1946 kdc_log(context, config, 0,
1947 "Verify PAC failed for %s (%s) from %s with %s",
1948 spn, cpn, from, msg);
1949 krb5_free_error_message(context, msg);
1950 goto out;
1951 }
1952
1953 /* also check the krbtgt for signature */
1954 ret = check_KRB5SignedPath(context,
1955 config,
1956 krbtgt,
1957 cp,
1958 tgt,
1959 &spp,
1960 &signedpath);
1961 if (ret) {
1962 const char *msg = krb5_get_error_message(context, ret);
1963 kdc_log(context, config, 0,
1964 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1965 spn, cpn, from, msg);
1966 krb5_free_error_message(context, msg);
1967 goto out;
1968 }
1969
1970 /*
1971 * Process request
1972 */
1973
1974 /* by default the tgt principal matches the client principal */
1975 tp = cp;
1976 tpn = cpn;
1977
1978 if (client) {
1979 const PA_DATA *sdata;
1980 int i = 0;
1981
1982 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1983 if (sdata) {
1984 krb5_crypto crypto;
1985 krb5_data datack;
1986 PA_S4U2Self self;
1987 const char *str;
1988
1989 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1990 sdata->padata_value.length,
1991 &self, NULL);
1992 if (ret) {
1993 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1994 goto out;
1995 }
1996
1997 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1998 if (ret)
1999 goto out;
2000
2001 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
2002 if (ret) {
2003 const char *msg = krb5_get_error_message(context, ret);
2004 free_PA_S4U2Self(&self);
2005 krb5_data_free(&datack);
2006 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
2007 krb5_free_error_message(context, msg);
2008 goto out;
2009 }
2010
2011 ret = krb5_verify_checksum(context,
2012 crypto,
2013 KRB5_KU_OTHER_CKSUM,
2014 datack.data,
2015 datack.length,
2016 &self.cksum);
2017 krb5_data_free(&datack);
2018 krb5_crypto_destroy(context, crypto);
2019 if (ret) {
2020 const char *msg = krb5_get_error_message(context, ret);
2021 free_PA_S4U2Self(&self);
2022 kdc_log(context, config, 0,
2023 "krb5_verify_checksum failed for S4U2Self: %s", msg);
2024 krb5_free_error_message(context, msg);
2025 goto out;
2026 }
2027
2028 ret = _krb5_principalname2krb5_principal(context,
2029 &tp,
2030 self.name,
2031 self.realm);
2032 free_PA_S4U2Self(&self);
2033 if (ret)
2034 goto out;
2035
2036 ret = krb5_unparse_name(context, tp, &tpn);
2037 if (ret)
2038 goto out;
2039
2040 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
2041 if(rspac.data) {
2042 krb5_pac p = NULL;
2043 krb5_data_free(&rspac);
2044 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
2045 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
2046 if (ret) {
2047 const char *msg;
2048
2049 /*
2050 * If the client belongs to the same realm as our krbtgt, it
2051 * should exist in the local database.
2052 *
2053 */
2054
2055 if (ret == HDB_ERR_NOENTRY)
2056 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2057 msg = krb5_get_error_message(context, ret);
2058 kdc_log(context, config, 1,
2059 "S2U4Self principal to impersonate %s not found in database: %s",
2060 tpn, msg);
2061 krb5_free_error_message(context, msg);
2062 goto out;
2063 }
2064 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
2065 if (ret) {
2066 kdc_log(context, config, 0, "PAC generation failed for -- %s",
2067 tpn);
2068 goto out;
2069 }
2070 if (p != NULL) {
2071 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
2072 s4u2self_impersonated_client->entry.principal,
2073 ekey, &tkey_sign->key,
2074 &rspac);
2075 krb5_pac_free(context, p);
2076 if (ret) {
2077 kdc_log(context, config, 0, "PAC signing failed for -- %s",
2078 tpn);
2079 goto out;
2080 }
2081 }
2082 }
2083
2084 /*
2085 * Check that service doing the impersonating is
2086 * requesting a ticket to it-self.
2087 */
2088 ret = check_s4u2self(context, config, clientdb, client, sp);
2089 if (ret) {
2090 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
2091 "to impersonate to service "
2092 "(tried for user %s to service %s)",
2093 cpn, tpn, spn);
2094 goto out;
2095 }
2096
2097 /*
2098 * If the service isn't trusted for authentication to
2099 * delegation, remove the forward flag.
2100 */
2101
2102 if (client->entry.flags.trusted_for_delegation) {
2103 str = "[forwardable]";
2104 } else {
2105 b->kdc_options.forwardable = 0;
2106 str = "";
2107 }
2108 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
2109 "service %s %s", cpn, tpn, spn, str);
2110 }
2111 }
2112
2113 /*
2114 * Constrained delegation
2115 */
2116
2117 if (client != NULL
2118 && b->additional_tickets != NULL
2119 && b->additional_tickets->len != 0
2120 && b->kdc_options.enc_tkt_in_skey == 0)
2121 {
2122 int ad_signedpath = 0;
2123 Key *clientkey;
2124 Ticket *t;
2125
2126 /*
2127 * Require that the KDC have issued the service's krbtgt (not
2128 * self-issued ticket with kimpersonate(1).
2129 */
2130 if (!signedpath) {
2131 ret = KRB5KDC_ERR_BADOPTION;
2132 kdc_log(context, config, 0,
2133 "Constrained delegation done on service ticket %s/%s",
2134 cpn, spn);
2135 goto out;
2136 }
2137
2138 t = &b->additional_tickets->val[0];
2139
2140 ret = hdb_enctype2key(context, &client->entry,
2141 hdb_kvno2keys(context, &client->entry,
2142 t->enc_part.kvno ? * t->enc_part.kvno : 0),
2143 t->enc_part.etype, &clientkey);
2144 if(ret){
2145 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2146 goto out;
2147 }
2148
2149 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2150 if (ret) {
2151 kdc_log(context, config, 0,
2152 "failed to decrypt ticket for "
2153 "constrained delegation from %s to %s ", cpn, spn);
2154 goto out;
2155 }
2156
2157 ret = _krb5_principalname2krb5_principal(context,
2158 &tp,
2159 adtkt.cname,
2160 adtkt.crealm);
2161 if (ret)
2162 goto out;
2163
2164 ret = krb5_unparse_name(context, tp, &tpn);
2165 if (ret)
2166 goto out;
2167
2168 ret = _krb5_principalname2krb5_principal(context,
2169 &dp,
2170 t->sname,
2171 t->realm);
2172 if (ret)
2173 goto out;
2174
2175 ret = krb5_unparse_name(context, dp, &dpn);
2176 if (ret)
2177 goto out;
2178
2179 /* check that ticket is valid */
2180 if (adtkt.flags.forwardable == 0) {
2181 kdc_log(context, config, 0,
2182 "Missing forwardable flag on ticket for "
2183 "constrained delegation from %s (%s) as %s to %s ",
2184 cpn, dpn, tpn, spn);
2185 ret = KRB5KDC_ERR_BADOPTION;
2186 goto out;
2187 }
2188
2189 ret = check_constrained_delegation(context, config, clientdb,
2190 client, server, sp);
2191 if (ret) {
2192 kdc_log(context, config, 0,
2193 "constrained delegation from %s (%s) as %s to %s not allowed",
2194 cpn, dpn, tpn, spn);
2195 goto out;
2196 }
2197
2198 ret = verify_flags(context, config, &adtkt, tpn);
2199 if (ret) {
2200 goto out;
2201 }
2202
2203 krb5_data_free(&rspac);
2204
2205 /*
2206 * generate the PAC for the user.
2207 *
2208 * TODO: pass in t->sname and t->realm and build
2209 * a S4U_DELEGATION_INFO blob to the PAC.
2210 */
2211 ret = check_PAC(context, config, tp, dp,
2212 client, server, krbtgt,
2213 &clientkey->key,
2214 ekey, &tkey_sign->key,
2215 &adtkt, &rspac, &ad_signedpath);
2216 if (ret) {
2217 const char *msg = krb5_get_error_message(context, ret);
2218 kdc_log(context, config, 0,
2219 "Verify delegated PAC failed to %s for client"
2220 "%s (%s) as %s from %s with %s",
2221 spn, cpn, dpn, tpn, from, msg);
2222 krb5_free_error_message(context, msg);
2223 goto out;
2224 }
2225
2226 /*
2227 * Check that the KDC issued the user's ticket.
2228 */
2229 ret = check_KRB5SignedPath(context,
2230 config,
2231 krbtgt,
2232 cp,
2233 &adtkt,
2234 NULL,
2235 &ad_signedpath);
2236 if (ret) {
2237 const char *msg = krb5_get_error_message(context, ret);
2238 kdc_log(context, config, 0,
2239 "KRB5SignedPath check from service %s failed "
2240 "for delegation to %s for client %s (%s)"
2241 "from %s failed with %s",
2242 spn, tpn, dpn, cpn, from, msg);
2243 krb5_free_error_message(context, msg);
2244 goto out;
2245 }
2246
2247 if (!ad_signedpath) {
2248 ret = KRB5KDC_ERR_BADOPTION;
2249 kdc_log(context, config, 0,
2250 "Ticket not signed with PAC nor SignedPath service %s failed "
2251 "for delegation to %s for client %s (%s)"
2252 "from %s",
2253 spn, tpn, dpn, cpn, from);
2254 goto out;
2255 }
2256
2257 kdc_log(context, config, 0, "constrained delegation for %s "
2258 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2259 }
2260
2261 /*
2262 * Check flags
2263 */
2264
2265 ret = kdc_check_flags(context, config,
2266 client, cpn,
2267 server, spn,
2268 FALSE);
2269 if(ret)
2270 goto out;
2271
2272 if((b->kdc_options.validate || b->kdc_options.renew) &&
2273 !krb5_principal_compare(context,
2274 krbtgt->entry.principal,
2275 server->entry.principal)){
2276 kdc_log(context, config, 0, "Inconsistent request.");
2277 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2278 goto out;
2279 }
2280
2281 /* check for valid set of addresses */
2282 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2283 ret = KRB5KRB_AP_ERR_BADADDR;
2284 kdc_log(context, config, 0, "Request from wrong address");
2285 goto out;
2286 }
2287
2288 /*
2289 * If this is an referral, add server referral data to the
2290 * auth_data reply .
2291 */
2292 if (ref_realm) {
2293 PA_DATA pa;
2294 krb5_crypto crypto;
2295
2296 kdc_log(context, config, 0,
2297 "Adding server referral to %s", ref_realm);
2298
2299 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2300 if (ret)
2301 goto out;
2302
2303 ret = build_server_referral(context, config, crypto, ref_realm,
2304 NULL, s, &pa.padata_value);
2305 krb5_crypto_destroy(context, crypto);
2306 if (ret) {
2307 kdc_log(context, config, 0,
2308 "Failed building server referral");
2309 goto out;
2310 }
2311 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2312
2313 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2314 krb5_data_free(&pa.padata_value);
2315 if (ret) {
2316 kdc_log(context, config, 0,
2317 "Add server referral METHOD-DATA failed");
2318 goto out;
2319 }
2320 }
2321
2322 /*
2323 *
2324 */
2325
2326 ret = tgs_make_reply(context,
2327 config,
2328 b,
2329 tp,
2330 tgt,
2331 replykey,
2332 rk_is_subkey,
2333 ekey,
2334 &sessionkey,
2335 kvno,
2336 *auth_data,
2337 server,
2338 rsp,
2339 spn,
2340 client,
2341 cp,
2342 tgt_realm,
2343 krbtgt_out,
2344 tkey_sign->key.keytype,
2345 spp,
2346 &rspac,
2347 &enc_pa_data,
2348 e_text,
2349 reply);
2350
2351 out:
2352 if (tpn != cpn)
2353 free(tpn);
2354 free(spn);
2355 free(cpn);
2356 free(dpn);
2357 free(krbtgt_out_n);
2358 _krb5_free_capath(context, capath);
2359
2360 krb5_data_free(&rspac);
2361 krb5_free_keyblock_contents(context, &sessionkey);
2362 if(krbtgt_out)
2363 _kdc_free_ent(context, krbtgt_out);
2364 if(server)
2365 _kdc_free_ent(context, server);
2366 if(client)
2367 _kdc_free_ent(context, client);
2368 if(s4u2self_impersonated_client)
2369 _kdc_free_ent(context, s4u2self_impersonated_client);
2370
2371 if (tp && tp != cp)
2372 krb5_free_principal(context, tp);
2373 krb5_free_principal(context, cp);
2374 krb5_free_principal(context, dp);
2375 krb5_free_principal(context, sp);
2376 krb5_free_principal(context, krbtgt_out_principal);
2377 free(ref_realm);
2378 free_METHOD_DATA(&enc_pa_data);
2379
2380 free_EncTicketPart(&adtkt);
2381
2382 return ret;
2383 }
2384
2385 /*
2386 *
2387 */
2388
2389 krb5_error_code
2390 _kdc_tgs_rep(krb5_context context,
2391 krb5_kdc_configuration *config,
2392 KDC_REQ *req,
2393 krb5_data *data,
2394 const char *from,
2395 struct sockaddr *from_addr,
2396 int datagram_reply)
2397 {
2398 AuthorizationData *auth_data = NULL;
2399 krb5_error_code ret;
2400 int i = 0;
2401 const PA_DATA *tgs_req;
2402
2403 hdb_entry_ex *krbtgt = NULL;
2404 krb5_ticket *ticket = NULL;
2405 const char *e_text = NULL;
2406 krb5_enctype krbtgt_etype = ETYPE_NULL;
2407
2408 krb5_keyblock *replykey = NULL;
2409 int rk_is_subkey = 0;
2410 time_t *csec = NULL;
2411 int *cusec = NULL;
2412
2413 if(req->padata == NULL){
2414 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2415 kdc_log(context, config, 0,
2416 "TGS-REQ from %s without PA-DATA", from);
2417 goto out;
2418 }
2419
2420 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2421
2422 if(tgs_req == NULL){
2423 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2424
2425 kdc_log(context, config, 0,
2426 "TGS-REQ from %s without PA-TGS-REQ", from);
2427 goto out;
2428 }
2429 ret = tgs_parse_request(context, config,
2430 &req->req_body, tgs_req,
2431 &krbtgt,
2432 &krbtgt_etype,
2433 &ticket,
2434 &e_text,
2435 from, from_addr,
2436 &csec, &cusec,
2437 &auth_data,
2438 &replykey,
2439 &rk_is_subkey);
2440 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2441 /* kdc_log() is called in tgs_parse_request() */
2442 goto out;
2443 }
2444 if (ret) {
2445 kdc_log(context, config, 0,
2446 "Failed parsing TGS-REQ from %s", from);
2447 goto out;
2448 }
2449
2450 {
2451 const PA_DATA *pa = _kdc_find_padata(req, &i, KRB5_PADATA_FX_FAST);
2452 if (pa)
2453 kdc_log(context, config, 10, "Got TGS FAST request");
2454 }
2455
2456
2457 ret = tgs_build_reply(context,
2458 config,
2459 req,
2460 &req->req_body,
2461 krbtgt,
2462 krbtgt_etype,
2463 replykey,
2464 rk_is_subkey,
2465 ticket,
2466 data,
2467 from,
2468 &e_text,
2469 &auth_data,
2470 from_addr);
2471 if (ret) {
2472 kdc_log(context, config, 0,
2473 "Failed building TGS-REP to %s", from);
2474 goto out;
2475 }
2476
2477 /* */
2478 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2479 krb5_data_free(data);
2480 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2481 e_text = "Reply packet too large";
2482 }
2483
2484 out:
2485 if (replykey)
2486 krb5_free_keyblock(context, replykey);
2487
2488 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2489 /* XXX add fast wrapping on the error */
2490 METHOD_DATA error_method = { 0, NULL };
2491
2492
2493 kdc_log(context, config, 10, "tgs-req: sending error: %d to client", ret);
2494 ret = _kdc_fast_mk_error(context, NULL,
2495 &error_method,
2496 NULL,
2497 NULL,
2498 ret, NULL,
2499 NULL,
2500 NULL, NULL,
2501 csec, cusec,
2502 data);
2503 free_METHOD_DATA(&error_method);
2504 }
2505 free(csec);
2506 free(cusec);
2507 if (ticket)
2508 krb5_free_ticket(context, ticket);
2509 if(krbtgt)
2510 _kdc_free_ent(context, krbtgt);
2511
2512 if (auth_data) {
2513 free_AuthorizationData(auth_data);
2514 free(auth_data);
2515 }
2516
2517 return ret;
2518 }
Heimdal