search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upstream NetBSD libedit has readline.h in readline/ not editline/
[heimdal.git] / kdc / krb5tgs.c
blob47b8f10b6e7959b63ffca6bfeaa25135ad46ceb1
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * return the realm of a krbtgt-ticket or NULL
38 */
39
40 static Realm
41 get_krbtgt_realm(const PrincipalName *p)
42 {
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
46 else
47 return NULL;
48 }
49
50 /*
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
54 *
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
57 */
58
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
62 krb5_data *data)
63 {
64 AuthorizationData child;
65 krb5_error_code ret;
66 int pos;
67
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71 pos = ad->len - 1;
72
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
78 &child,
79 NULL);
80 if (ret) {
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
83 return ret;
84 }
85
86 if (child.len != 1) {
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89 }
90
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94 }
95
96 if (data)
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
99 return ret;
100 }
101
102 krb5_error_code
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
110 EncTicketPart *tkt)
111 {
112 krb5_error_code ret;
113 KRB5SignedPath sp;
114 krb5_data data;
115 krb5_crypto crypto = NULL;
116 size_t size = 0;
117
118 if (server && principals) {
119 ret = add_Principals(principals, server);
120 if (ret)
121 return ret;
122 }
123
124 {
125 KRB5SignedPathData spd;
126
127 spd.client = client;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
131
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133 &spd, &size, ret);
134 if (ret)
135 return ret;
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
138 }
139
140 {
141 Key *key;
142 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, enctype, &key);
143 if (ret == 0)
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145 if (ret) {
146 free(data.data);
147 return ret;
148 }
149 }
150
151 /*
152 * Fill in KRB5SignedPath
153 */
154
155 sp.etype = enctype;
156 sp.delegated = principals;
157 sp.method_data = NULL;
158
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
162 free(data.data);
163 if (ret)
164 return ret;
165
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
168 if (ret)
169 return ret;
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
172
173
174 /*
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
177 */
178
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
182
183 return ret;
184 }
185
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
190 krb5_principal cp,
191 EncTicketPart *tkt,
192 krb5_principals *delegated,
193 int *signedpath)
194 {
195 krb5_error_code ret;
196 krb5_data data;
197 krb5_crypto crypto = NULL;
198
199 if (delegated)
200 *delegated = NULL;
201
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203 if (ret == 0) {
204 KRB5SignedPathData spd;
205 KRB5SignedPath sp;
206 size_t size = 0;
207
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
210 if (ret)
211 return ret;
212
213 spd.client = cp;
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 if (ret) {
221 free_KRB5SignedPath(&sp);
222 return ret;
223 }
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
226
227 {
228 Key *key;
229 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use correct kvno! */
230 sp.etype, &key);
231 if (ret == 0)
232 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
233 if (ret) {
234 free(data.data);
235 free_KRB5SignedPath(&sp);
236 return ret;
237 }
238 }
239 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
240 data.data, data.length,
241 &sp.cksum);
242 krb5_crypto_destroy(context, crypto);
243 free(data.data);
244 if (ret) {
245 free_KRB5SignedPath(&sp);
246 kdc_log(context, config, 5,
247 "KRB5SignedPath not signed correctly, not marking as signed");
248 return 0;
249 }
250
251 if (delegated && sp.delegated) {
252
253 *delegated = malloc(sizeof(*sp.delegated));
254 if (*delegated == NULL) {
255 free_KRB5SignedPath(&sp);
256 return ENOMEM;
257 }
258
259 ret = copy_Principals(*delegated, sp.delegated);
260 if (ret) {
261 free_KRB5SignedPath(&sp);
262 free(*delegated);
263 *delegated = NULL;
264 return ret;
265 }
266 }
267 free_KRB5SignedPath(&sp);
268
269 *signedpath = 1;
270 }
271
272 return 0;
273 }
274
275 /*
276 *
277 */
278
279 static krb5_error_code
280 check_PAC(krb5_context context,
281 krb5_kdc_configuration *config,
282 const krb5_principal client_principal,
283 const krb5_principal delegated_proxy_principal,
284 hdb_entry_ex *client,
285 hdb_entry_ex *server,
286 hdb_entry_ex *krbtgt,
287 const EncryptionKey *server_check_key,
288 const EncryptionKey *server_sign_key,
289 const EncryptionKey *krbtgt_sign_key,
290 EncTicketPart *tkt,
291 krb5_data *rspac,
292 int *signedpath)
293 {
294 AuthorizationData *ad = tkt->authorization_data;
295 unsigned i, j;
296 krb5_error_code ret;
297
298 if (ad == NULL || ad->len == 0)
299 return 0;
300
301 for (i = 0; i < ad->len; i++) {
302 AuthorizationData child;
303
304 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
305 continue;
306
307 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
308 ad->val[i].ad_data.length,
309 &child,
310 NULL);
311 if (ret) {
312 krb5_set_error_message(context, ret, "Failed to decode "
313 "IF_RELEVANT with %d", ret);
314 return ret;
315 }
316 for (j = 0; j < child.len; j++) {
317
318 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
319 int signed_pac = 0;
320 krb5_pac pac;
321
322 /* Found PAC */
323 ret = krb5_pac_parse(context,
324 child.val[j].ad_data.data,
325 child.val[j].ad_data.length,
326 &pac);
327 free_AuthorizationData(&child);
328 if (ret)
329 return ret;
330
331 ret = krb5_pac_verify(context, pac, tkt->authtime,
332 client_principal,
333 server_check_key, NULL);
334 if (ret) {
335 krb5_pac_free(context, pac);
336 return ret;
337 }
338
339 ret = _kdc_pac_verify(context, client_principal,
340 delegated_proxy_principal,
341 client, server, krbtgt, &pac, &signed_pac);
342 if (ret) {
343 krb5_pac_free(context, pac);
344 return ret;
345 }
346
347 /*
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
352 */
353 if (signed_pac) {
354 *signedpath = 1;
355 ret = _krb5_pac_sign(context, pac, tkt->authtime,
356 client_principal,
357 server_sign_key, krbtgt_sign_key, rspac);
358 }
359 krb5_pac_free(context, pac);
360
361 return ret;
362 }
363 }
364 free_AuthorizationData(&child);
365 }
366 return 0;
367 }
368
369 /*
370 *
371 */
372
373 static krb5_error_code
374 check_tgs_flags(krb5_context context,
375 krb5_kdc_configuration *config,
376 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
377 {
378 KDCOptions f = b->kdc_options;
379
380 if(f.validate){
381 if(!tgt->flags.invalid || tgt->starttime == NULL){
382 kdc_log(context, config, 0,
383 "Bad request to validate ticket");
384 return KRB5KDC_ERR_BADOPTION;
385 }
386 if(*tgt->starttime > kdc_time){
387 kdc_log(context, config, 0,
388 "Early request to validate ticket");
389 return KRB5KRB_AP_ERR_TKT_NYV;
390 }
391 /* XXX tkt = tgt */
392 et->flags.invalid = 0;
393 }else if(tgt->flags.invalid){
394 kdc_log(context, config, 0,
395 "Ticket-granting ticket has INVALID flag set");
396 return KRB5KRB_AP_ERR_TKT_INVALID;
397 }
398
399 if(f.forwardable){
400 if(!tgt->flags.forwardable){
401 kdc_log(context, config, 0,
402 "Bad request for forwardable ticket");
403 return KRB5KDC_ERR_BADOPTION;
404 }
405 et->flags.forwardable = 1;
406 }
407 if(f.forwarded){
408 if(!tgt->flags.forwardable){
409 kdc_log(context, config, 0,
410 "Request to forward non-forwardable ticket");
411 return KRB5KDC_ERR_BADOPTION;
412 }
413 et->flags.forwarded = 1;
414 et->caddr = b->addresses;
415 }
416 if(tgt->flags.forwarded)
417 et->flags.forwarded = 1;
418
419 if(f.proxiable){
420 if(!tgt->flags.proxiable){
421 kdc_log(context, config, 0,
422 "Bad request for proxiable ticket");
423 return KRB5KDC_ERR_BADOPTION;
424 }
425 et->flags.proxiable = 1;
426 }
427 if(f.proxy){
428 if(!tgt->flags.proxiable){
429 kdc_log(context, config, 0,
430 "Request to proxy non-proxiable ticket");
431 return KRB5KDC_ERR_BADOPTION;
432 }
433 et->flags.proxy = 1;
434 et->caddr = b->addresses;
435 }
436 if(tgt->flags.proxy)
437 et->flags.proxy = 1;
438
439 if(f.allow_postdate){
440 if(!tgt->flags.may_postdate){
441 kdc_log(context, config, 0,
442 "Bad request for post-datable ticket");
443 return KRB5KDC_ERR_BADOPTION;
444 }
445 et->flags.may_postdate = 1;
446 }
447 if(f.postdated){
448 if(!tgt->flags.may_postdate){
449 kdc_log(context, config, 0,
450 "Bad request for postdated ticket");
451 return KRB5KDC_ERR_BADOPTION;
452 }
453 if(b->from)
454 *et->starttime = *b->from;
455 et->flags.postdated = 1;
456 et->flags.invalid = 1;
457 }else if(b->from && *b->from > kdc_time + context->max_skew){
458 kdc_log(context, config, 0, "Ticket cannot be postdated");
459 return KRB5KDC_ERR_CANNOT_POSTDATE;
460 }
461
462 if(f.renewable){
463 if(!tgt->flags.renewable || tgt->renew_till == NULL){
464 kdc_log(context, config, 0,
465 "Bad request for renewable ticket");
466 return KRB5KDC_ERR_BADOPTION;
467 }
468 et->flags.renewable = 1;
469 ALLOC(et->renew_till);
470 _kdc_fix_time(&b->rtime);
471 *et->renew_till = *b->rtime;
472 }
473 if(f.renew){
474 time_t old_life;
475 if(!tgt->flags.renewable || tgt->renew_till == NULL){
476 kdc_log(context, config, 0,
477 "Request to renew non-renewable ticket");
478 return KRB5KDC_ERR_BADOPTION;
479 }
480 old_life = tgt->endtime;
481 if(tgt->starttime)
482 old_life -= *tgt->starttime;
483 else
484 old_life -= tgt->authtime;
485 et->endtime = *et->starttime + old_life;
486 if (et->renew_till != NULL)
487 et->endtime = min(*et->renew_till, et->endtime);
488 }
489
490 #if 0
491 /* checks for excess flags */
492 if(f.request_anonymous && !config->allow_anonymous){
493 kdc_log(context, config, 0,
494 "Request for anonymous ticket");
495 return KRB5KDC_ERR_BADOPTION;
496 }
497 #endif
498 return 0;
499 }
500
501 /*
502 * Determine if constrained delegation is allowed from this client to this server
503 */
504
505 static krb5_error_code
506 check_constrained_delegation(krb5_context context,
507 krb5_kdc_configuration *config,
508 HDB *clientdb,
509 hdb_entry_ex *client,
510 hdb_entry_ex *server,
511 krb5_const_principal target)
512 {
513 const HDB_Ext_Constrained_delegation_acl *acl;
514 krb5_error_code ret;
515 size_t i;
516
517 /*
518 * constrained_delegation (S4U2Proxy) only works within
519 * the same realm. We use the already canonicalized version
520 * of the principals here, while "target" is the principal
521 * provided by the client.
522 */
523 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
524 ret = KRB5KDC_ERR_BADOPTION;
525 kdc_log(context, config, 0,
526 "Bad request for constrained delegation");
527 return ret;
528 }
529
530 if (clientdb->hdb_check_constrained_delegation) {
531 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
532 if (ret == 0)
533 return 0;
534 } else {
535 /* if client delegates to itself, that ok */
536 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
537 return 0;
538
539 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
540 if (ret) {
541 krb5_clear_error_message(context);
542 return ret;
543 }
544
545 if (acl) {
546 for (i = 0; i < acl->len; i++) {
547 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
548 return 0;
549 }
550 }
551 ret = KRB5KDC_ERR_BADOPTION;
552 }
553 kdc_log(context, config, 0,
554 "Bad request for constrained delegation");
555 return ret;
556 }
557
558 /*
559 * Determine if s4u2self is allowed from this client to this server
560 *
561 * For example, regardless of the principal being impersonated, if the
562 * 'client' and 'server' are the same, then it's safe.
563 */
564
565 static krb5_error_code
566 check_s4u2self(krb5_context context,
567 krb5_kdc_configuration *config,
568 HDB *clientdb,
569 hdb_entry_ex *client,
570 krb5_const_principal server)
571 {
572 krb5_error_code ret;
573
574 /* if client does a s4u2self to itself, that ok */
575 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
576 return 0;
577
578 if (clientdb->hdb_check_s4u2self) {
579 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
580 if (ret == 0)
581 return 0;
582 } else {
583 ret = KRB5KDC_ERR_BADOPTION;
584 }
585 return ret;
586 }
587
588 /*
589 *
590 */
591
592 static krb5_error_code
593 verify_flags (krb5_context context,
594 krb5_kdc_configuration *config,
595 const EncTicketPart *et,
596 const char *pstr)
597 {
598 if(et->endtime < kdc_time){
599 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
600 return KRB5KRB_AP_ERR_TKT_EXPIRED;
601 }
602 if(et->flags.invalid){
603 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
604 return KRB5KRB_AP_ERR_TKT_NYV;
605 }
606 return 0;
607 }
608
609 /*
610 *
611 */
612
613 static krb5_error_code
614 fix_transited_encoding(krb5_context context,
615 krb5_kdc_configuration *config,
616 krb5_boolean check_policy,
617 const TransitedEncoding *tr,
618 EncTicketPart *et,
619 const char *client_realm,
620 const char *server_realm,
621 const char *tgt_realm)
622 {
623 krb5_error_code ret = 0;
624 char **realms, **tmp;
625 unsigned int num_realms;
626 size_t i;
627
628 switch (tr->tr_type) {
629 case DOMAIN_X500_COMPRESS:
630 break;
631 case 0:
632 /*
633 * Allow empty content of type 0 because that is was Microsoft
634 * generates in their TGT.
635 */
636 if (tr->contents.length == 0)
637 break;
638 kdc_log(context, config, 0,
639 "Transited type 0 with non empty content");
640 return KRB5KDC_ERR_TRTYPE_NOSUPP;
641 default:
642 kdc_log(context, config, 0,
643 "Unknown transited type: %u", tr->tr_type);
644 return KRB5KDC_ERR_TRTYPE_NOSUPP;
645 }
646
647 ret = krb5_domain_x500_decode(context,
648 tr->contents,
649 &realms,
650 &num_realms,
651 client_realm,
652 server_realm);
653 if(ret){
654 krb5_warn(context, ret,
655 "Decoding transited encoding");
656 return ret;
657 }
658 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
659 /* not us, so add the previous realm to transited set */
660 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
661 ret = ERANGE;
662 goto free_realms;
663 }
664 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
665 if(tmp == NULL){
666 ret = ENOMEM;
667 goto free_realms;
668 }
669 realms = tmp;
670 realms[num_realms] = strdup(tgt_realm);
671 if(realms[num_realms] == NULL){
672 ret = ENOMEM;
673 goto free_realms;
674 }
675 num_realms++;
676 }
677 if(num_realms == 0) {
678 if(strcmp(client_realm, server_realm))
679 kdc_log(context, config, 0,
680 "cross-realm %s -> %s", client_realm, server_realm);
681 } else {
682 size_t l = 0;
683 char *rs;
684 for(i = 0; i < num_realms; i++)
685 l += strlen(realms[i]) + 2;
686 rs = malloc(l);
687 if(rs != NULL) {
688 *rs = '\0';
689 for(i = 0; i < num_realms; i++) {
690 if(i > 0)
691 strlcat(rs, ", ", l);
692 strlcat(rs, realms[i], l);
693 }
694 kdc_log(context, config, 0,
695 "cross-realm %s -> %s via [%s]",
696 client_realm, server_realm, rs);
697 free(rs);
698 }
699 }
700 if(check_policy) {
701 ret = krb5_check_transited(context, client_realm,
702 server_realm,
703 realms, num_realms, NULL);
704 if(ret) {
705 krb5_warn(context, ret, "cross-realm %s -> %s",
706 client_realm, server_realm);
707 goto free_realms;
708 }
709 et->flags.transited_policy_checked = 1;
710 }
711 et->transited.tr_type = DOMAIN_X500_COMPRESS;
712 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
713 if(ret)
714 krb5_warn(context, ret, "Encoding transited encoding");
715 free_realms:
716 for(i = 0; i < num_realms; i++)
717 free(realms[i]);
718 free(realms);
719 return ret;
720 }
721
722
723 static krb5_error_code
724 tgs_make_reply(krb5_context context,
725 krb5_kdc_configuration *config,
726 KDC_REQ_BODY *b,
727 krb5_const_principal tgt_name,
728 const EncTicketPart *tgt,
729 const krb5_keyblock *replykey,
730 int rk_is_subkey,
731 const EncryptionKey *serverkey,
732 const krb5_keyblock *sessionkey,
733 krb5_kvno kvno,
734 AuthorizationData *auth_data,
735 hdb_entry_ex *server,
736 krb5_principal server_principal,
737 const char *server_name,
738 hdb_entry_ex *client,
739 krb5_principal client_principal,
740 hdb_entry_ex *krbtgt,
741 krb5_enctype krbtgt_etype,
742 krb5_principals spp,
743 const krb5_data *rspac,
744 const METHOD_DATA *enc_pa_data,
745 const char **e_text,
746 krb5_data *reply)
747 {
748 KDC_REP rep;
749 EncKDCRepPart ek;
750 EncTicketPart et;
751 KDCOptions f = b->kdc_options;
752 krb5_error_code ret;
753 int is_weak = 0;
754
755 memset(&rep, 0, sizeof(rep));
756 memset(&et, 0, sizeof(et));
757 memset(&ek, 0, sizeof(ek));
758
759 rep.pvno = 5;
760 rep.msg_type = krb_tgs_rep;
761
762 et.authtime = tgt->authtime;
763 _kdc_fix_time(&b->till);
764 et.endtime = min(tgt->endtime, *b->till);
765 ALLOC(et.starttime);
766 *et.starttime = kdc_time;
767
768 ret = check_tgs_flags(context, config, b, tgt, &et);
769 if(ret)
770 goto out;
771
772 /* We should check the transited encoding if:
773 1) the request doesn't ask not to be checked
774 2) globally enforcing a check
775 3) principal requires checking
776 4) we allow non-check per-principal, but principal isn't marked as allowing this
777 5) we don't globally allow this
778 */
779
780 #define GLOBAL_FORCE_TRANSITED_CHECK \
781 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
782 #define GLOBAL_ALLOW_PER_PRINCIPAL \
783 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
784 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
785 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
786
787 /* these will consult the database in future release */
788 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
789 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
790
791 ret = fix_transited_encoding(context, config,
792 !f.disable_transited_check ||
793 GLOBAL_FORCE_TRANSITED_CHECK ||
794 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
795 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
796 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
797 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
798 &tgt->transited, &et,
799 krb5_principal_get_realm(context, client_principal),
800 krb5_principal_get_realm(context, server->entry.principal),
801 krb5_principal_get_realm(context, krbtgt->entry.principal));
802 if(ret)
803 goto out;
804
805 copy_Realm(&server_principal->realm, &rep.ticket.realm);
806 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
807 copy_Realm(&tgt_name->realm, &rep.crealm);
808 /*
809 if (f.request_anonymous)
810 _kdc_make_anonymous_principalname (&rep.cname);
811 else */
812
813 copy_PrincipalName(&tgt_name->name, &rep.cname);
814 rep.ticket.tkt_vno = 5;
815
816 ek.caddr = et.caddr;
817
818 {
819 time_t life;
820 life = et.endtime - *et.starttime;
821 if(client && client->entry.max_life)
822 life = min(life, *client->entry.max_life);
823 if(server->entry.max_life)
824 life = min(life, *server->entry.max_life);
825 et.endtime = *et.starttime + life;
826 }
827 if(f.renewable_ok && tgt->flags.renewable &&
828 et.renew_till == NULL && et.endtime < *b->till &&
829 tgt->renew_till != NULL)
830 {
831 et.flags.renewable = 1;
832 ALLOC(et.renew_till);
833 *et.renew_till = *b->till;
834 }
835 if(et.renew_till){
836 time_t renew;
837 renew = *et.renew_till - *et.starttime;
838 if(client && client->entry.max_renew)
839 renew = min(renew, *client->entry.max_renew);
840 if(server->entry.max_renew)
841 renew = min(renew, *server->entry.max_renew);
842 *et.renew_till = *et.starttime + renew;
843 }
844
845 if(et.renew_till){
846 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
847 *et.starttime = min(*et.starttime, *et.renew_till);
848 et.endtime = min(et.endtime, *et.renew_till);
849 }
850
851 *et.starttime = min(*et.starttime, et.endtime);
852
853 if(*et.starttime == et.endtime){
854 ret = KRB5KDC_ERR_NEVER_VALID;
855 goto out;
856 }
857 if(et.renew_till && et.endtime == *et.renew_till){
858 free(et.renew_till);
859 et.renew_till = NULL;
860 et.flags.renewable = 0;
861 }
862
863 et.flags.pre_authent = tgt->flags.pre_authent;
864 et.flags.hw_authent = tgt->flags.hw_authent;
865 et.flags.anonymous = tgt->flags.anonymous;
866 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
867
868 if(rspac->length) {
869 /*
870 * No not need to filter out the any PAC from the
871 * auth_data since it's signed by the KDC.
872 */
873 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
874 KRB5_AUTHDATA_WIN2K_PAC, rspac);
875 if (ret)
876 goto out;
877 }
878
879 if (auth_data) {
880 unsigned int i = 0;
881
882 /* XXX check authdata */
883
884 if (et.authorization_data == NULL) {
885 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
886 if (et.authorization_data == NULL) {
887 ret = ENOMEM;
888 krb5_set_error_message(context, ret, "malloc: out of memory");
889 goto out;
890 }
891 }
892 for(i = 0; i < auth_data->len ; i++) {
893 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
894 if (ret) {
895 krb5_set_error_message(context, ret, "malloc: out of memory");
896 goto out;
897 }
898 }
899
900 /* Filter out type KRB5SignedPath */
901 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
902 if (ret == 0) {
903 if (et.authorization_data->len == 1) {
904 free_AuthorizationData(et.authorization_data);
905 free(et.authorization_data);
906 et.authorization_data = NULL;
907 } else {
908 AuthorizationData *ad = et.authorization_data;
909 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
910 ad->len--;
911 }
912 }
913 }
914
915 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
916 if (ret)
917 goto out;
918 et.crealm = tgt_name->realm;
919 et.cname = tgt_name->name;
920
921 ek.key = et.key;
922 /* MIT must have at least one last_req */
923 ek.last_req.len = 1;
924 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
925 if (ek.last_req.val == NULL) {
926 ret = ENOMEM;
927 goto out;
928 }
929 ek.nonce = b->nonce;
930 ek.flags = et.flags;
931 ek.authtime = et.authtime;
932 ek.starttime = et.starttime;
933 ek.endtime = et.endtime;
934 ek.renew_till = et.renew_till;
935 ek.srealm = rep.ticket.realm;
936 ek.sname = rep.ticket.sname;
937
938 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
939 et.endtime, et.renew_till);
940
941 /* Don't sign cross realm tickets, they can't be checked anyway */
942 {
943 char *r = get_krbtgt_realm(&ek.sname);
944
945 if (r == NULL || strcmp(r, ek.srealm) == 0) {
946 ret = _kdc_add_KRB5SignedPath(context,
947 config,
948 krbtgt,
949 krbtgt_etype,
950 client_principal,
951 NULL,
952 spp,
953 &et);
954 if (ret)
955 goto out;
956 }
957 }
958
959 if (enc_pa_data->len) {
960 rep.padata = calloc(1, sizeof(*rep.padata));
961 if (rep.padata == NULL) {
962 ret = ENOMEM;
963 goto out;
964 }
965 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
966 if (ret)
967 goto out;
968 }
969
970 if (krb5_enctype_valid(context, serverkey->keytype) != 0
971 && _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
972 {
973 krb5_enctype_enable(context, serverkey->keytype);
974 is_weak = 1;
975 }
976
977
978 /* It is somewhat unclear where the etype in the following
979 encryption should come from. What we have is a session
980 key in the passed tgt, and a list of preferred etypes
981 *for the new ticket*. Should we pick the best possible
982 etype, given the keytype in the tgt, or should we look
983 at the etype list here as well? What if the tgt
984 session key is DES3 and we want a ticket with a (say)
985 CAST session key. Should the DES3 etype be added to the
986 etype list, even if we don't want a session key with
987 DES3? */
988 ret = _kdc_encode_reply(context, config, NULL, 0,
989 &rep, &et, &ek, serverkey->keytype,
990 kvno,
991 serverkey, 0, replykey, rk_is_subkey,
992 e_text, reply);
993 if (is_weak)
994 krb5_enctype_disable(context, serverkey->keytype);
995
996 out:
997 free_TGS_REP(&rep);
998 free_TransitedEncoding(&et.transited);
999 if(et.starttime)
1000 free(et.starttime);
1001 if(et.renew_till)
1002 free(et.renew_till);
1003 if(et.authorization_data) {
1004 free_AuthorizationData(et.authorization_data);
1005 free(et.authorization_data);
1006 }
1007 free_LastReq(&ek.last_req);
1008 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1009 free_EncryptionKey(&et.key);
1010 return ret;
1011 }
1012
1013 static krb5_error_code
1014 tgs_check_authenticator(krb5_context context,
1015 krb5_kdc_configuration *config,
1016 krb5_auth_context ac,
1017 KDC_REQ_BODY *b,
1018 const char **e_text,
1019 krb5_keyblock *key)
1020 {
1021 krb5_authenticator auth;
1022 size_t len = 0;
1023 unsigned char *buf;
1024 size_t buf_size;
1025 krb5_error_code ret;
1026 krb5_crypto crypto;
1027
1028 krb5_auth_con_getauthenticator(context, ac, &auth);
1029 if(auth->cksum == NULL){
1030 kdc_log(context, config, 0, "No authenticator in request");
1031 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1032 goto out;
1033 }
1034 /*
1035 * according to RFC1510 it doesn't need to be keyed,
1036 * but according to the latest draft it needs to.
1037 */
1038 if (
1039 #if 0
1040 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1041 ||
1042 #endif
1043 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1044 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1045 auth->cksum->cksumtype);
1046 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1047 goto out;
1048 }
1049
1050 /* XXX should not re-encode this */
1051 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1052 if(ret){
1053 const char *msg = krb5_get_error_message(context, ret);
1054 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1055 krb5_free_error_message(context, msg);
1056 goto out;
1057 }
1058 if(buf_size != len) {
1059 free(buf);
1060 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1061 *e_text = "KDC internal error";
1062 ret = KRB5KRB_ERR_GENERIC;
1063 goto out;
1064 }
1065 ret = krb5_crypto_init(context, key, 0, &crypto);
1066 if (ret) {
1067 const char *msg = krb5_get_error_message(context, ret);
1068 free(buf);
1069 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1070 krb5_free_error_message(context, msg);
1071 goto out;
1072 }
1073 ret = krb5_verify_checksum(context,
1074 crypto,
1075 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1076 buf,
1077 len,
1078 auth->cksum);
1079 free(buf);
1080 krb5_crypto_destroy(context, crypto);
1081 if(ret){
1082 const char *msg = krb5_get_error_message(context, ret);
1083 kdc_log(context, config, 0,
1084 "Failed to verify authenticator checksum: %s", msg);
1085 krb5_free_error_message(context, msg);
1086 }
1087 out:
1088 free_Authenticator(auth);
1089 free(auth);
1090 return ret;
1091 }
1092
1093 static krb5_boolean
1094 need_referral(krb5_context context, krb5_kdc_configuration *config,
1095 const KDCOptions * const options, krb5_principal server,
1096 krb5_realm **realms)
1097 {
1098 const char *name;
1099
1100 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1101 return FALSE;
1102
1103 if (server->name.name_string.len == 1)
1104 name = server->name.name_string.val[0];
1105 else if (server->name.name_string.len == 3) {
1106 /*
1107 This is used to give referrals for the
1108 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1109 SPN form, which is used for inter-domain communication in AD
1110 */
1111 name = server->name.name_string.val[2];
1112 kdc_log(context, config, 0, "Giving 3 part referral for %s", name);
1113 *realms = malloc(sizeof(char *)*2);
1114 if (*realms == NULL) {
1115 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1116 return FALSE;
1117 }
1118 (*realms)[0] = strdup(name);
1119 (*realms)[1] = NULL;
1120 return TRUE;
1121 } else if (server->name.name_string.len > 1)
1122 name = server->name.name_string.val[1];
1123 else
1124 return FALSE;
1125
1126 kdc_log(context, config, 0, "Searching referral for %s", name);
1127
1128 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1129 }
1130
1131 static krb5_error_code
1132 tgs_parse_request(krb5_context context,
1133 krb5_kdc_configuration *config,
1134 KDC_REQ_BODY *b,
1135 const PA_DATA *tgs_req,
1136 hdb_entry_ex **krbtgt,
1137 krb5_enctype *krbtgt_etype,
1138 krb5_ticket **ticket,
1139 const char **e_text,
1140 const char *from,
1141 const struct sockaddr *from_addr,
1142 time_t **csec,
1143 int **cusec,
1144 AuthorizationData **auth_data,
1145 krb5_keyblock **replykey,
1146 int *rk_is_subkey)
1147 {
1148 static char failed[] = "<unparse_name failed>";
1149 krb5_ap_req ap_req;
1150 krb5_error_code ret;
1151 krb5_principal princ;
1152 krb5_auth_context ac = NULL;
1153 krb5_flags ap_req_options;
1154 krb5_flags verify_ap_req_flags;
1155 krb5_crypto crypto;
1156 krb5uint32 krbtgt_kvno; /* kvno used for the PA-TGS-REQ AP-REQ Ticket */
1157 krb5uint32 krbtgt_kvno_try;
1158 int kvno_search_tries = 4; /* number of kvnos to try when tkt_vno == 0 */
1159 const Keys *krbtgt_keys;/* keyset for TGT tkt_vno */
1160 Key *tkey;
1161 krb5_keyblock *subkey = NULL;
1162 unsigned usage;
1163
1164 *auth_data = NULL;
1165 *csec = NULL;
1166 *cusec = NULL;
1167 *replykey = NULL;
1168
1169 memset(&ap_req, 0, sizeof(ap_req));
1170 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1171 if(ret){
1172 const char *msg = krb5_get_error_message(context, ret);
1173 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1174 krb5_free_error_message(context, msg);
1175 goto out;
1176 }
1177
1178 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1179 /* XXX check for ticket.sname == req.sname */
1180 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1181 ret = KRB5KDC_ERR_POLICY; /* ? */
1182 goto out;
1183 }
1184
1185 _krb5_principalname2krb5_principal(context,
1186 &princ,
1187 ap_req.ticket.sname,
1188 ap_req.ticket.realm);
1189
1190 krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
1191 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
1192 &krbtgt_kvno, NULL, krbtgt);
1193
1194 if (ret == HDB_ERR_NOT_FOUND_HERE) {
1195 /* XXX Factor out this unparsing of the same princ all over */
1196 char *p;
1197 ret = krb5_unparse_name(context, princ, &p);
1198 if (ret != 0)
1199 p = failed;
1200 krb5_free_principal(context, princ);
1201 kdc_log(context, config, 5,
1202 "Ticket-granting ticket account %s does not have secrets at "
1203 "this KDC, need to proxy", p);
1204 if (ret == 0)
1205 free(p);
1206 ret = HDB_ERR_NOT_FOUND_HERE;
1207 goto out;
1208 } else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
1209 char *p;
1210 ret = krb5_unparse_name(context, princ, &p);
1211 if (ret != 0)
1212 p = failed;
1213 krb5_free_principal(context, princ);
1214 kdc_log(context, config, 5,
1215 "Ticket-granting ticket account %s does not have keys for "
1216 "kvno %d at this KDC", p, krbtgt_kvno);
1217 if (ret == 0)
1218 free(p);
1219 ret = HDB_ERR_KVNO_NOT_FOUND;
1220 goto out;
1221 } else if (ret == HDB_ERR_NO_MKEY) {
1222 char *p;
1223 ret = krb5_unparse_name(context, princ, &p);
1224 if (ret != 0)
1225 p = failed;
1226 krb5_free_principal(context, princ);
1227 kdc_log(context, config, 5,
1228 "Missing master key for decrypting keys for ticket-granting "
1229 "ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
1230 if (ret == 0)
1231 free(p);
1232 ret = HDB_ERR_KVNO_NOT_FOUND;
1233 goto out;
1234 } else if (ret) {
1235 const char *msg = krb5_get_error_message(context, ret);
1236 char *p;
1237 ret = krb5_unparse_name(context, princ, &p);
1238 if (ret != 0)
1239 p = failed;
1240 krb5_free_principal(context, princ);
1241 kdc_log(context, config, 0,
1242 "Ticket-granting ticket not found in database: %s", msg);
1243 krb5_free_error_message(context, msg);
1244 if (ret == 0)
1245 free(p);
1246 ret = KRB5KRB_AP_ERR_NOT_US;
1247 goto out;
1248 }
1249
1250 krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : (*krbtgt)->entry.kvno;
1251 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1252
1253 next_kvno:
1254 krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try);
1255 ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys,
1256 ap_req.ticket.enc_part.etype, &tkey);
1257 if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
1258 kvno_search_tries--;
1259 krbtgt_kvno_try--;
1260 goto next_kvno;
1261 } else if (ret) {
1262 char *str = NULL, *p = NULL;
1263
1264 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1265 krb5_unparse_name(context, princ, &p);
1266 kdc_log(context, config, 0,
1267 "No server key with enctype %s found for %s",
1268 str ? str : "<unknown enctype>",
1269 p ? p : "<unparse_name failed>");
1270 free(str);
1271 free(p);
1272 ret = KRB5KRB_AP_ERR_BADKEYVER;
1273 goto out;
1274 }
1275
1276 if (b->kdc_options.validate)
1277 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1278 else
1279 verify_ap_req_flags = 0;
1280
1281 ret = krb5_verify_ap_req2(context,
1282 &ac,
1283 &ap_req,
1284 princ,
1285 &tkey->key,
1286 verify_ap_req_flags,
1287 &ap_req_options,
1288 ticket,
1289 KRB5_KU_TGS_REQ_AUTH);
1290 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
1291 kvno_search_tries--;
1292 krbtgt_kvno_try--;
1293 goto next_kvno;
1294 }
1295
1296 krb5_free_principal(context, princ);
1297 if(ret) {
1298 const char *msg = krb5_get_error_message(context, ret);
1299 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1300 krb5_free_error_message(context, msg);
1301 goto out;
1302 }
1303
1304 {
1305 krb5_authenticator auth;
1306
1307 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1308 if (ret == 0) {
1309 *csec = malloc(sizeof(**csec));
1310 if (*csec == NULL) {
1311 krb5_free_authenticator(context, &auth);
1312 kdc_log(context, config, 0, "malloc failed");
1313 goto out;
1314 }
1315 **csec = auth->ctime;
1316 *cusec = malloc(sizeof(**cusec));
1317 if (*cusec == NULL) {
1318 krb5_free_authenticator(context, &auth);
1319 kdc_log(context, config, 0, "malloc failed");
1320 goto out;
1321 }
1322 **cusec = auth->cusec;
1323 krb5_free_authenticator(context, &auth);
1324 }
1325 }
1326
1327 ret = tgs_check_authenticator(context, config,
1328 ac, b, e_text, &(*ticket)->ticket.key);
1329 if (ret) {
1330 krb5_auth_con_free(context, ac);
1331 goto out;
1332 }
1333
1334 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1335 *rk_is_subkey = 1;
1336
1337 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1338 if(ret){
1339 const char *msg = krb5_get_error_message(context, ret);
1340 krb5_auth_con_free(context, ac);
1341 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1342 krb5_free_error_message(context, msg);
1343 goto out;
1344 }
1345 if(subkey == NULL){
1346 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1347 *rk_is_subkey = 0;
1348
1349 ret = krb5_auth_con_getkey(context, ac, &subkey);
1350 if(ret) {
1351 const char *msg = krb5_get_error_message(context, ret);
1352 krb5_auth_con_free(context, ac);
1353 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1354 krb5_free_error_message(context, msg);
1355 goto out;
1356 }
1357 }
1358 if(subkey == NULL){
1359 krb5_auth_con_free(context, ac);
1360 kdc_log(context, config, 0,
1361 "Failed to get key for enc-authorization-data");
1362 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1363 goto out;
1364 }
1365
1366 *replykey = subkey;
1367
1368 if (b->enc_authorization_data) {
1369 krb5_data ad;
1370
1371 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1372 if (ret) {
1373 const char *msg = krb5_get_error_message(context, ret);
1374 krb5_auth_con_free(context, ac);
1375 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1376 krb5_free_error_message(context, msg);
1377 goto out;
1378 }
1379 ret = krb5_decrypt_EncryptedData (context,
1380 crypto,
1381 usage,
1382 b->enc_authorization_data,
1383 &ad);
1384 krb5_crypto_destroy(context, crypto);
1385 if(ret){
1386 krb5_auth_con_free(context, ac);
1387 kdc_log(context, config, 0,
1388 "Failed to decrypt enc-authorization-data");
1389 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1390 goto out;
1391 }
1392 ALLOC(*auth_data);
1393 if (*auth_data == NULL) {
1394 krb5_auth_con_free(context, ac);
1395 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1396 goto out;
1397 }
1398 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1399 if(ret){
1400 krb5_auth_con_free(context, ac);
1401 free(*auth_data);
1402 *auth_data = NULL;
1403 kdc_log(context, config, 0, "Failed to decode authorization data");
1404 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1405 goto out;
1406 }
1407 }
1408
1409 krb5_auth_con_free(context, ac);
1410
1411 out:
1412 free_AP_REQ(&ap_req);
1413
1414 return ret;
1415 }
1416
1417 static krb5_error_code
1418 build_server_referral(krb5_context context,
1419 krb5_kdc_configuration *config,
1420 krb5_crypto session,
1421 krb5_const_realm referred_realm,
1422 const PrincipalName *true_principal_name,
1423 const PrincipalName *requested_principal,
1424 krb5_data *outdata)
1425 {
1426 PA_ServerReferralData ref;
1427 krb5_error_code ret;
1428 EncryptedData ed;
1429 krb5_data data;
1430 size_t size = 0;
1431
1432 memset(&ref, 0, sizeof(ref));
1433
1434 if (referred_realm) {
1435 ALLOC(ref.referred_realm);
1436 if (ref.referred_realm == NULL)
1437 goto eout;
1438 *ref.referred_realm = strdup(referred_realm);
1439 if (*ref.referred_realm == NULL)
1440 goto eout;
1441 }
1442 if (true_principal_name) {
1443 ALLOC(ref.true_principal_name);
1444 if (ref.true_principal_name == NULL)
1445 goto eout;
1446 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1447 if (ret)
1448 goto eout;
1449 }
1450 if (requested_principal) {
1451 ALLOC(ref.requested_principal_name);
1452 if (ref.requested_principal_name == NULL)
1453 goto eout;
1454 ret = copy_PrincipalName(requested_principal,
1455 ref.requested_principal_name);
1456 if (ret)
1457 goto eout;
1458 }
1459
1460 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1461 data.data, data.length,
1462 &ref, &size, ret);
1463 free_PA_ServerReferralData(&ref);
1464 if (ret)
1465 return ret;
1466 if (data.length != size)
1467 krb5_abortx(context, "internal asn.1 encoder error");
1468
1469 ret = krb5_encrypt_EncryptedData(context, session,
1470 KRB5_KU_PA_SERVER_REFERRAL,
1471 data.data, data.length,
1472 0 /* kvno */, &ed);
1473 free(data.data);
1474 if (ret)
1475 return ret;
1476
1477 ASN1_MALLOC_ENCODE(EncryptedData,
1478 outdata->data, outdata->length,
1479 &ed, &size, ret);
1480 free_EncryptedData(&ed);
1481 if (ret)
1482 return ret;
1483 if (outdata->length != size)
1484 krb5_abortx(context, "internal asn.1 encoder error");
1485
1486 return 0;
1487 eout:
1488 free_PA_ServerReferralData(&ref);
1489 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1490 return ENOMEM;
1491 }
1492
1493 static krb5_error_code
1494 tgs_build_reply(krb5_context context,
1495 krb5_kdc_configuration *config,
1496 KDC_REQ *req,
1497 KDC_REQ_BODY *b,
1498 hdb_entry_ex *krbtgt,
1499 krb5_enctype krbtgt_etype,
1500 const krb5_keyblock *replykey,
1501 int rk_is_subkey,
1502 krb5_ticket *ticket,
1503 krb5_data *reply,
1504 const char *from,
1505 const char **e_text,
1506 AuthorizationData **auth_data,
1507 const struct sockaddr *from_addr)
1508 {
1509 krb5_error_code ret;
1510 krb5_principal cp = NULL, sp = NULL, rsp = NULL, tp = NULL, dp = NULL;
1511 krb5_principal krbtgt_out_principal = NULL;
1512 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL, *krbtgt_out_n = NULL;
1513 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1514 HDB *clientdb, *s4u2self_impersonated_clientdb;
1515 krb5_realm ref_realm = NULL;
1516 EncTicketPart *tgt = &ticket->ticket;
1517 krb5_principals spp = NULL;
1518 const EncryptionKey *ekey;
1519 krb5_keyblock sessionkey;
1520 krb5_kvno kvno;
1521 krb5_data rspac;
1522 const char *tgt_realm = /* Realm of TGT issuer */
1523 krb5_principal_get_realm(context, krbtgt->entry.principal);
1524 const char *our_realm = /* Realm of this KDC */
1525 krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
1526 char **capath = NULL;
1527 size_t num_capath = 0;
1528
1529 hdb_entry_ex *krbtgt_out = NULL;
1530
1531 METHOD_DATA enc_pa_data;
1532
1533 PrincipalName *s;
1534 Realm r;
1535 EncTicketPart adtkt;
1536 char opt_str[128];
1537 int signedpath = 0;
1538
1539 Key *tkey_check;
1540 Key *tkey_sign;
1541 int flags = HDB_F_FOR_TGS_REQ;
1542
1543 memset(&sessionkey, 0, sizeof(sessionkey));
1544 memset(&adtkt, 0, sizeof(adtkt));
1545 krb5_data_zero(&rspac);
1546 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1547
1548 s = b->sname;
1549 r = b->realm;
1550
1551 /*
1552 * Always to do CANON, see comment below about returned server principal (rsp).
1553 */
1554 flags |= HDB_F_CANON;
1555
1556 if(b->kdc_options.enc_tkt_in_skey){
1557 Ticket *t;
1558 hdb_entry_ex *uu;
1559 krb5_principal p;
1560 Key *uukey;
1561 krb5uint32 second_kvno = 0;
1562 krb5uint32 *kvno_ptr = NULL;
1563
1564 if(b->additional_tickets == NULL ||
1565 b->additional_tickets->len == 0){
1566 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1567 kdc_log(context, config, 0,
1568 "No second ticket present in request");
1569 goto out;
1570 }
1571 t = &b->additional_tickets->val[0];
1572 if(!get_krbtgt_realm(&t->sname)){
1573 kdc_log(context, config, 0,
1574 "Additional ticket is not a ticket-granting ticket");
1575 ret = KRB5KDC_ERR_POLICY;
1576 goto out;
1577 }
1578 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1579 if(t->enc_part.kvno){
1580 second_kvno = *t->enc_part.kvno;
1581 kvno_ptr = &second_kvno;
1582 }
1583 ret = _kdc_db_fetch(context, config, p,
1584 HDB_F_GET_KRBTGT, kvno_ptr,
1585 NULL, &uu);
1586 krb5_free_principal(context, p);
1587 if(ret){
1588 if (ret == HDB_ERR_NOENTRY)
1589 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1590 goto out;
1591 }
1592 ret = hdb_enctype2key(context, &uu->entry, NULL,
1593 t->enc_part.etype, &uukey);
1594 if(ret){
1595 _kdc_free_ent(context, uu);
1596 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1597 goto out;
1598 }
1599 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1600 _kdc_free_ent(context, uu);
1601 if(ret)
1602 goto out;
1603
1604 ret = verify_flags(context, config, &adtkt, spn);
1605 if (ret)
1606 goto out;
1607
1608 s = &adtkt.cname;
1609 r = adtkt.crealm;
1610 }
1611
1612 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1613 ret = krb5_unparse_name(context, sp, &spn);
1614 if (ret)
1615 goto out;
1616 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1617 ret = krb5_unparse_name(context, cp, &cpn);
1618 if (ret)
1619 goto out;
1620 unparse_flags (KDCOptions2int(b->kdc_options),
1621 asn1_KDCOptions_units(),
1622 opt_str, sizeof(opt_str));
1623 if(*opt_str)
1624 kdc_log(context, config, 0,
1625 "TGS-REQ %s from %s for %s [%s]",
1626 cpn, from, spn, opt_str);
1627 else
1628 kdc_log(context, config, 0,
1629 "TGS-REQ %s from %s for %s", cpn, from, spn);
1630
1631 /*
1632 * Fetch server
1633 */
1634
1635 server_lookup:
1636 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1637 NULL, NULL, &server);
1638
1639 if (ret == HDB_ERR_NOT_FOUND_HERE) {
1640 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1641 goto out;
1642 } else if (ret == HDB_ERR_WRONG_REALM) {
1643 free(ref_realm);
1644 ref_realm = strdup(server->entry.principal->realm);
1645 if (ref_realm == NULL) {
1646 ret = krb5_enomem(context);
1647 goto out;
1648 }
1649
1650 kdc_log(context, config, 5,
1651 "Returning a referral to realm %s for "
1652 "server %s.",
1653 ref_realm, spn);
1654 krb5_free_principal(context, sp);
1655 sp = NULL;
1656 ret = krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1657 ref_realm, NULL);
1658 if (ret)
1659 goto out;
1660 free(spn);
1661 spn = NULL;
1662 ret = krb5_unparse_name(context, sp, &spn);
1663 if (ret)
1664 goto out;
1665
1666 goto server_lookup;
1667 } else if (ret) {
1668 const char *new_rlm, *msg;
1669 Realm req_rlm;
1670 krb5_realm *realms;
1671
1672 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1673 if (capath == NULL) {
1674 /* With referalls, hierarchical capaths are always enabled */
1675 ret = _krb5_find_capath(context, tgt->crealm, our_realm,
1676 req_rlm, TRUE, &capath, &num_capath);
1677 if (ret)
1678 goto out;
1679 }
1680 new_rlm = num_capath > 0 ? capath[--num_capath] : NULL;
1681 if (new_rlm) {
1682 kdc_log(context, config, 5, "krbtgt from %s via %s for "
1683 "realm %s not found, trying %s", tgt->crealm,
1684 our_realm, req_rlm, new_rlm);
1685
1686 free(ref_realm);
1687 ref_realm = strdup(new_rlm);
1688 if (ref_realm == NULL) {
1689 ret = krb5_enomem(context);
1690 goto out;
1691 }
1692
1693 krb5_free_principal(context, sp);
1694 sp = NULL;
1695 krb5_make_principal(context, &sp, r,
1696 KRB5_TGS_NAME, ref_realm, NULL);
1697 free(spn);
1698 spn = NULL;
1699 ret = krb5_unparse_name(context, sp, &spn);
1700 if (ret)
1701 goto out;
1702 goto server_lookup;
1703 }
1704 } else if (need_referral(context, config, &b->kdc_options, sp, &realms)) {
1705 if (strcmp(realms[0], sp->realm) != 0) {
1706 kdc_log(context, config, 5,
1707 "Returning a referral to realm %s for "
1708 "server %s that was not found",
1709 realms[0], spn);
1710 krb5_free_principal(context, sp);
1711 sp = NULL;
1712 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1713 realms[0], NULL);
1714 free(spn);
1715 spn = NULL;
1716 ret = krb5_unparse_name(context, sp, &spn);
1717 if (ret) {
1718 krb5_free_host_realm(context, realms);
1719 goto out;
1720 }
1721
1722 free(ref_realm);
1723 ref_realm = strdup(realms[0]);
1724
1725 krb5_free_host_realm(context, realms);
1726 goto server_lookup;
1727 }
1728 krb5_free_host_realm(context, realms);
1729 }
1730 msg = krb5_get_error_message(context, ret);
1731 kdc_log(context, config, 0,
1732 "Server not found in database: %s: %s", spn, msg);
1733 krb5_free_error_message(context, msg);
1734 if (ret == HDB_ERR_NOENTRY)
1735 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1736 goto out;
1737 }
1738
1739 /* the name returned to the client depend on what was asked for,
1740 * return canonical name if kdc_options.canonicalize was set, the
1741 * client wants the true name of the principal, if not it just
1742 * wants the name its asked for.
1743 */
1744
1745 if (b->kdc_options.canonicalize)
1746 rsp = server->entry.principal;
1747 else
1748 rsp = sp;
1749
1750
1751 /*
1752 * Select enctype, return key and kvno.
1753 */
1754
1755 {
1756 krb5_enctype etype;
1757
1758 if(b->kdc_options.enc_tkt_in_skey) {
1759 size_t i;
1760 ekey = &adtkt.key;
1761 for(i = 0; i < b->etype.len; i++)
1762 if (b->etype.val[i] == adtkt.key.keytype)
1763 break;
1764 if(i == b->etype.len) {
1765 kdc_log(context, config, 0,
1766 "Addition ticket have not matching etypes");
1767 krb5_clear_error_message(context);
1768 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1769 goto out;
1770 }
1771 etype = b->etype.val[i];
1772 kvno = 0;
1773 } else {
1774 Key *skey;
1775
1776 ret = _kdc_find_etype(context,
1777 krb5_principal_is_krbtgt(context, sp) ?
1778 config->tgt_use_strongest_session_key :
1779 config->svc_use_strongest_session_key, FALSE,
1780 server, b->etype.val, b->etype.len, &etype,
1781 NULL);
1782 if(ret) {
1783 kdc_log(context, config, 0,
1784 "Server (%s) has no support for etypes", spn);
1785 goto out;
1786 }
1787 ret = _kdc_get_preferred_key(context, config, server, spn,
1788 NULL, &skey);
1789 if(ret) {
1790 kdc_log(context, config, 0,
1791 "Server (%s) has no supported etypes", spn);
1792 goto out;
1793 }
1794 ekey = &skey->key;
1795 kvno = server->entry.kvno;
1796 }
1797
1798 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1799 if (ret)
1800 goto out;
1801 }
1802
1803 /*
1804 * Check that service is in the same realm as the krbtgt. If it's
1805 * not the same, it's someone that is using a uni-directional trust
1806 * backward.
1807 */
1808
1809 /*
1810 * Validate authoriation data
1811 */
1812
1813 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
1814 krbtgt_etype, &tkey_check);
1815 if(ret) {
1816 kdc_log(context, config, 0,
1817 "Failed to find key for krbtgt PAC check");
1818 goto out;
1819 }
1820
1821 /*
1822 * Now refetch the primary krbtgt, and get the current kvno (the
1823 * sign check may have been on an old kvno, and the server may
1824 * have been an incoming trust)
1825 */
1826
1827 ret = krb5_make_principal(context,
1828 &krbtgt_out_principal,
1829 our_realm,
1830 KRB5_TGS_NAME,
1831 our_realm,
1832 NULL);
1833 if (ret) {
1834 kdc_log(context, config, 0,
1835 "Failed to make krbtgt principal name object for "
1836 "authz-data signatures");
1837 goto out;
1838 }
1839 ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
1840 if (ret) {
1841 kdc_log(context, config, 0,
1842 "Failed to make krbtgt principal name object for "
1843 "authz-data signatures");
1844 goto out;
1845 }
1846
1847 ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
1848 HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1849 if (ret) {
1850 char *ktpn = NULL;
1851 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1852 kdc_log(context, config, 0,
1853 "No such principal %s (needed for authz-data signature keys) "
1854 "while processing TGS-REQ for service %s with krbtg %s",
1855 krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
1856 free(ktpn);
1857 ret = KRB5KRB_AP_ERR_NOT_US;
1858 goto out;
1859 }
1860
1861 /*
1862 * The first realm is the realm of the service, the second is
1863 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1864 * encrypted to. The redirection via the krbtgt_out entry allows
1865 * the DB to possibly correct the case of the realm (Samba4 does
1866 * this) before the strcmp()
1867 */
1868 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1869 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1870 char *ktpn;
1871 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1872 kdc_log(context, config, 0,
1873 "Request with wrong krbtgt: %s",
1874 (ret == 0) ? ktpn : "<unknown>");
1875 if(ret == 0)
1876 free(ktpn);
1877 ret = KRB5KRB_AP_ERR_NOT_US;
1878 goto out;
1879 }
1880
1881 ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n,
1882 NULL, &tkey_sign);
1883 if (ret) {
1884 kdc_log(context, config, 0,
1885 "Failed to find key for krbtgt PAC signature");
1886 goto out;
1887 }
1888 ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
1889 tkey_sign->key.keytype, &tkey_sign);
1890 if(ret) {
1891 kdc_log(context, config, 0,
1892 "Failed to find key for krbtgt PAC signature");
1893 goto out;
1894 }
1895
1896 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1897 NULL, &clientdb, &client);
1898 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1899 /* This is OK, we are just trying to find out if they have
1900 * been disabled or deleted in the meantime, missing secrets
1901 * is OK */
1902 } else if(ret){
1903 const char *krbtgt_realm, *msg;
1904
1905 /*
1906 * If the client belongs to the same realm as our krbtgt, it
1907 * should exist in the local database.
1908 *
1909 */
1910
1911 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1912
1913 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1914 if (ret == HDB_ERR_NOENTRY)
1915 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1916 kdc_log(context, config, 1, "Client no longer in database: %s",
1917 cpn);
1918 goto out;
1919 }
1920
1921 msg = krb5_get_error_message(context, ret);
1922 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1923 krb5_free_error_message(context, msg);
1924 }
1925
1926 ret = check_PAC(context, config, cp, NULL,
1927 client, server, krbtgt,
1928 &tkey_check->key,
1929 ekey, &tkey_sign->key,
1930 tgt, &rspac, &signedpath);
1931 if (ret) {
1932 const char *msg = krb5_get_error_message(context, ret);
1933 kdc_log(context, config, 0,
1934 "Verify PAC failed for %s (%s) from %s with %s",
1935 spn, cpn, from, msg);
1936 krb5_free_error_message(context, msg);
1937 goto out;
1938 }
1939
1940 /* also check the krbtgt for signature */
1941 ret = check_KRB5SignedPath(context,
1942 config,
1943 krbtgt,
1944 cp,
1945 tgt,
1946 &spp,
1947 &signedpath);
1948 if (ret) {
1949 const char *msg = krb5_get_error_message(context, ret);
1950 kdc_log(context, config, 0,
1951 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1952 spn, cpn, from, msg);
1953 krb5_free_error_message(context, msg);
1954 goto out;
1955 }
1956
1957 /*
1958 * Process request
1959 */
1960
1961 /* by default the tgt principal matches the client principal */
1962 tp = cp;
1963 tpn = cpn;
1964
1965 if (client) {
1966 const PA_DATA *sdata;
1967 int i = 0;
1968
1969 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1970 if (sdata) {
1971 krb5_crypto crypto;
1972 krb5_data datack;
1973 PA_S4U2Self self;
1974 const char *str;
1975
1976 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1977 sdata->padata_value.length,
1978 &self, NULL);
1979 if (ret) {
1980 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1981 goto out;
1982 }
1983
1984 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1985 if (ret)
1986 goto out;
1987
1988 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1989 if (ret) {
1990 const char *msg = krb5_get_error_message(context, ret);
1991 free_PA_S4U2Self(&self);
1992 krb5_data_free(&datack);
1993 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1994 krb5_free_error_message(context, msg);
1995 goto out;
1996 }
1997
1998 ret = krb5_verify_checksum(context,
1999 crypto,
2000 KRB5_KU_OTHER_CKSUM,
2001 datack.data,
2002 datack.length,
2003 &self.cksum);
2004 krb5_data_free(&datack);
2005 krb5_crypto_destroy(context, crypto);
2006 if (ret) {
2007 const char *msg = krb5_get_error_message(context, ret);
2008 free_PA_S4U2Self(&self);
2009 kdc_log(context, config, 0,
2010 "krb5_verify_checksum failed for S4U2Self: %s", msg);
2011 krb5_free_error_message(context, msg);
2012 goto out;
2013 }
2014
2015 ret = _krb5_principalname2krb5_principal(context,
2016 &tp,
2017 self.name,
2018 self.realm);
2019 free_PA_S4U2Self(&self);
2020 if (ret)
2021 goto out;
2022
2023 ret = krb5_unparse_name(context, tp, &tpn);
2024 if (ret)
2025 goto out;
2026
2027 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
2028 if(rspac.data) {
2029 krb5_pac p = NULL;
2030 krb5_data_free(&rspac);
2031 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
2032 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
2033 if (ret) {
2034 const char *msg;
2035
2036 /*
2037 * If the client belongs to the same realm as our krbtgt, it
2038 * should exist in the local database.
2039 *
2040 */
2041
2042 if (ret == HDB_ERR_NOENTRY)
2043 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2044 msg = krb5_get_error_message(context, ret);
2045 kdc_log(context, config, 1,
2046 "S2U4Self principal to impersonate %s not found in database: %s",
2047 tpn, msg);
2048 krb5_free_error_message(context, msg);
2049 goto out;
2050 }
2051 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
2052 if (ret) {
2053 kdc_log(context, config, 0, "PAC generation failed for -- %s",
2054 tpn);
2055 goto out;
2056 }
2057 if (p != NULL) {
2058 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
2059 s4u2self_impersonated_client->entry.principal,
2060 ekey, &tkey_sign->key,
2061 &rspac);
2062 krb5_pac_free(context, p);
2063 if (ret) {
2064 kdc_log(context, config, 0, "PAC signing failed for -- %s",
2065 tpn);
2066 goto out;
2067 }
2068 }
2069 }
2070
2071 /*
2072 * Check that service doing the impersonating is
2073 * requesting a ticket to it-self.
2074 */
2075 ret = check_s4u2self(context, config, clientdb, client, sp);
2076 if (ret) {
2077 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
2078 "to impersonate to service "
2079 "(tried for user %s to service %s)",
2080 cpn, tpn, spn);
2081 goto out;
2082 }
2083
2084 /*
2085 * If the service isn't trusted for authentication to
2086 * delegation, remove the forward flag.
2087 */
2088
2089 if (client->entry.flags.trusted_for_delegation) {
2090 str = "[forwardable]";
2091 } else {
2092 b->kdc_options.forwardable = 0;
2093 str = "";
2094 }
2095 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
2096 "service %s %s", cpn, tpn, spn, str);
2097 }
2098 }
2099
2100 /*
2101 * Constrained delegation
2102 */
2103
2104 if (client != NULL
2105 && b->additional_tickets != NULL
2106 && b->additional_tickets->len != 0
2107 && b->kdc_options.enc_tkt_in_skey == 0)
2108 {
2109 int ad_signedpath = 0;
2110 Key *clientkey;
2111 Ticket *t;
2112
2113 /*
2114 * Require that the KDC have issued the service's krbtgt (not
2115 * self-issued ticket with kimpersonate(1).
2116 */
2117 if (!signedpath) {
2118 ret = KRB5KDC_ERR_BADOPTION;
2119 kdc_log(context, config, 0,
2120 "Constrained delegation done on service ticket %s/%s",
2121 cpn, spn);
2122 goto out;
2123 }
2124
2125 t = &b->additional_tickets->val[0];
2126
2127 ret = hdb_enctype2key(context, &client->entry,
2128 hdb_kvno2keys(context, &client->entry,
2129 t->enc_part.kvno ? * t->enc_part.kvno : 0),
2130 t->enc_part.etype, &clientkey);
2131 if(ret){
2132 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2133 goto out;
2134 }
2135
2136 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2137 if (ret) {
2138 kdc_log(context, config, 0,
2139 "failed to decrypt ticket for "
2140 "constrained delegation from %s to %s ", cpn, spn);
2141 goto out;
2142 }
2143
2144 ret = _krb5_principalname2krb5_principal(context,
2145 &tp,
2146 adtkt.cname,
2147 adtkt.crealm);
2148 if (ret)
2149 goto out;
2150
2151 ret = krb5_unparse_name(context, tp, &tpn);
2152 if (ret)
2153 goto out;
2154
2155 ret = _krb5_principalname2krb5_principal(context,
2156 &dp,
2157 t->sname,
2158 t->realm);
2159 if (ret)
2160 goto out;
2161
2162 ret = krb5_unparse_name(context, dp, &dpn);
2163 if (ret)
2164 goto out;
2165
2166 /* check that ticket is valid */
2167 if (adtkt.flags.forwardable == 0) {
2168 kdc_log(context, config, 0,
2169 "Missing forwardable flag on ticket for "
2170 "constrained delegation from %s (%s) as %s to %s ",
2171 cpn, dpn, tpn, spn);
2172 ret = KRB5KDC_ERR_BADOPTION;
2173 goto out;
2174 }
2175
2176 ret = check_constrained_delegation(context, config, clientdb,
2177 client, server, sp);
2178 if (ret) {
2179 kdc_log(context, config, 0,
2180 "constrained delegation from %s (%s) as %s to %s not allowed",
2181 cpn, dpn, tpn, spn);
2182 goto out;
2183 }
2184
2185 ret = verify_flags(context, config, &adtkt, tpn);
2186 if (ret) {
2187 goto out;
2188 }
2189
2190 krb5_data_free(&rspac);
2191
2192 /*
2193 * generate the PAC for the user.
2194 *
2195 * TODO: pass in t->sname and t->realm and build
2196 * a S4U_DELEGATION_INFO blob to the PAC.
2197 */
2198 ret = check_PAC(context, config, tp, dp,
2199 client, server, krbtgt,
2200 &clientkey->key,
2201 ekey, &tkey_sign->key,
2202 &adtkt, &rspac, &ad_signedpath);
2203 if (ret) {
2204 const char *msg = krb5_get_error_message(context, ret);
2205 kdc_log(context, config, 0,
2206 "Verify delegated PAC failed to %s for client"
2207 "%s (%s) as %s from %s with %s",
2208 spn, cpn, dpn, tpn, from, msg);
2209 krb5_free_error_message(context, msg);
2210 goto out;
2211 }
2212
2213 /*
2214 * Check that the KDC issued the user's ticket.
2215 */
2216 ret = check_KRB5SignedPath(context,
2217 config,
2218 krbtgt,
2219 cp,
2220 &adtkt,
2221 NULL,
2222 &ad_signedpath);
2223 if (ret) {
2224 const char *msg = krb5_get_error_message(context, ret);
2225 kdc_log(context, config, 0,
2226 "KRB5SignedPath check from service %s failed "
2227 "for delegation to %s for client %s (%s)"
2228 "from %s failed with %s",
2229 spn, tpn, dpn, cpn, from, msg);
2230 krb5_free_error_message(context, msg);
2231 goto out;
2232 }
2233
2234 if (!ad_signedpath) {
2235 ret = KRB5KDC_ERR_BADOPTION;
2236 kdc_log(context, config, 0,
2237 "Ticket not signed with PAC nor SignedPath service %s failed "
2238 "for delegation to %s for client %s (%s)"
2239 "from %s",
2240 spn, tpn, dpn, cpn, from);
2241 goto out;
2242 }
2243
2244 kdc_log(context, config, 0, "constrained delegation for %s "
2245 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2246 }
2247
2248 /*
2249 * Check flags
2250 */
2251
2252 ret = kdc_check_flags(context, config,
2253 client, cpn,
2254 server, spn,
2255 FALSE);
2256 if(ret)
2257 goto out;
2258
2259 if((b->kdc_options.validate || b->kdc_options.renew) &&
2260 !krb5_principal_compare(context,
2261 krbtgt->entry.principal,
2262 server->entry.principal)){
2263 kdc_log(context, config, 0, "Inconsistent request.");
2264 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2265 goto out;
2266 }
2267
2268 /* check for valid set of addresses */
2269 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2270 ret = KRB5KRB_AP_ERR_BADADDR;
2271 kdc_log(context, config, 0, "Request from wrong address");
2272 goto out;
2273 }
2274
2275 /*
2276 * If this is an referral, add server referral data to the
2277 * auth_data reply .
2278 */
2279 if (ref_realm) {
2280 PA_DATA pa;
2281 krb5_crypto crypto;
2282
2283 kdc_log(context, config, 0,
2284 "Adding server referral to %s", ref_realm);
2285
2286 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2287 if (ret)
2288 goto out;
2289
2290 ret = build_server_referral(context, config, crypto, ref_realm,
2291 NULL, s, &pa.padata_value);
2292 krb5_crypto_destroy(context, crypto);
2293 if (ret) {
2294 kdc_log(context, config, 0,
2295 "Failed building server referral");
2296 goto out;
2297 }
2298 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2299
2300 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2301 krb5_data_free(&pa.padata_value);
2302 if (ret) {
2303 kdc_log(context, config, 0,
2304 "Add server referral METHOD-DATA failed");
2305 goto out;
2306 }
2307 }
2308
2309 /*
2310 *
2311 */
2312
2313 ret = tgs_make_reply(context,
2314 config,
2315 b,
2316 tp,
2317 tgt,
2318 replykey,
2319 rk_is_subkey,
2320 ekey,
2321 &sessionkey,
2322 kvno,
2323 *auth_data,
2324 server,
2325 rsp,
2326 spn,
2327 client,
2328 cp,
2329 krbtgt_out,
2330 tkey_sign->key.keytype,
2331 spp,
2332 &rspac,
2333 &enc_pa_data,
2334 e_text,
2335 reply);
2336
2337 out:
2338 if (tpn != cpn)
2339 free(tpn);
2340 free(spn);
2341 free(cpn);
2342 free(dpn);
2343 free(krbtgt_out_n);
2344 _krb5_free_capath(context, capath);
2345
2346 krb5_data_free(&rspac);
2347 krb5_free_keyblock_contents(context, &sessionkey);
2348 if(krbtgt_out)
2349 _kdc_free_ent(context, krbtgt_out);
2350 if(server)
2351 _kdc_free_ent(context, server);
2352 if(client)
2353 _kdc_free_ent(context, client);
2354 if(s4u2self_impersonated_client)
2355 _kdc_free_ent(context, s4u2self_impersonated_client);
2356
2357 if (tp && tp != cp)
2358 krb5_free_principal(context, tp);
2359 krb5_free_principal(context, cp);
2360 krb5_free_principal(context, dp);
2361 krb5_free_principal(context, sp);
2362 krb5_free_principal(context, krbtgt_out_principal);
2363 free(ref_realm);
2364 free_METHOD_DATA(&enc_pa_data);
2365
2366 free_EncTicketPart(&adtkt);
2367
2368 return ret;
2369 }
2370
2371 /*
2372 *
2373 */
2374
2375 krb5_error_code
2376 _kdc_tgs_rep(krb5_context context,
2377 krb5_kdc_configuration *config,
2378 KDC_REQ *req,
2379 krb5_data *data,
2380 const char *from,
2381 struct sockaddr *from_addr,
2382 int datagram_reply)
2383 {
2384 AuthorizationData *auth_data = NULL;
2385 krb5_error_code ret;
2386 int i = 0;
2387 const PA_DATA *tgs_req;
2388
2389 hdb_entry_ex *krbtgt = NULL;
2390 krb5_ticket *ticket = NULL;
2391 const char *e_text = NULL;
2392 krb5_enctype krbtgt_etype = ETYPE_NULL;
2393
2394 krb5_keyblock *replykey = NULL;
2395 int rk_is_subkey = 0;
2396 time_t *csec = NULL;
2397 int *cusec = NULL;
2398
2399 if(req->padata == NULL){
2400 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2401 kdc_log(context, config, 0,
2402 "TGS-REQ from %s without PA-DATA", from);
2403 goto out;
2404 }
2405
2406 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2407
2408 if(tgs_req == NULL){
2409 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2410
2411 kdc_log(context, config, 0,
2412 "TGS-REQ from %s without PA-TGS-REQ", from);
2413 goto out;
2414 }
2415 ret = tgs_parse_request(context, config,
2416 &req->req_body, tgs_req,
2417 &krbtgt,
2418 &krbtgt_etype,
2419 &ticket,
2420 &e_text,
2421 from, from_addr,
2422 &csec, &cusec,
2423 &auth_data,
2424 &replykey,
2425 &rk_is_subkey);
2426 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2427 /* kdc_log() is called in tgs_parse_request() */
2428 goto out;
2429 }
2430 if (ret) {
2431 kdc_log(context, config, 0,
2432 "Failed parsing TGS-REQ from %s", from);
2433 goto out;
2434 }
2435
2436 {
2437 const PA_DATA *pa = _kdc_find_padata(req, &i, KRB5_PADATA_FX_FAST);
2438 if (pa)
2439 kdc_log(context, config, 10, "Got TGS FAST request");
2440 }
2441
2442
2443 ret = tgs_build_reply(context,
2444 config,
2445 req,
2446 &req->req_body,
2447 krbtgt,
2448 krbtgt_etype,
2449 replykey,
2450 rk_is_subkey,
2451 ticket,
2452 data,
2453 from,
2454 &e_text,
2455 &auth_data,
2456 from_addr);
2457 if (ret) {
2458 kdc_log(context, config, 0,
2459 "Failed building TGS-REP to %s", from);
2460 goto out;
2461 }
2462
2463 /* */
2464 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2465 krb5_data_free(data);
2466 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2467 e_text = "Reply packet too large";
2468 }
2469
2470 out:
2471 if (replykey)
2472 krb5_free_keyblock(context, replykey);
2473
2474 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2475 /* XXX add fast wrapping on the error */
2476 METHOD_DATA error_method = { 0, NULL };
2477
2478
2479 kdc_log(context, config, 10, "tgs-req: sending error: %d to client", ret);
2480 ret = _kdc_fast_mk_error(context, NULL,
2481 &error_method,
2482 NULL,
2483 NULL,
2484 ret, NULL,
2485 NULL,
2486 NULL, NULL,
2487 csec, cusec,
2488 data);
2489 free_METHOD_DATA(&error_method);
2490 }
2491 free(csec);
2492 free(cusec);
2493 if (ticket)
2494 krb5_free_ticket(context, ticket);
2495 if(krbtgt)
2496 _kdc_free_ent(context, krbtgt);
2497
2498 if (auth_data) {
2499 free_AuthorizationData(auth_data);
2500 free(auth_data);
2501 }
2502
2503 return ret;
2504 }
Heimdal