search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Include ec*.h files
[heimdal.git] / kdc / krb5tgs.c
blob635eb27e75aa6cf8e14731c6d921f751a98f7360
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 RCSID("$Id$");
37
38 /*
39 * return the realm of a krbtgt-ticket or NULL
40 */
41
42 static Realm
43 get_krbtgt_realm(const PrincipalName *p)
44 {
45 if(p->name_string.len == 2
46 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
47 return p->name_string.val[1];
48 else
49 return NULL;
50 }
51
52 /*
53 * The KDC might add a signed path to the ticket authorization data
54 * field. This is to avoid server impersonating clients and the
55 * request constrained delegation.
56 *
57 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
58 * entry of type KRB5SignedPath.
59 */
60
61 static krb5_error_code
62 find_KRB5SignedPath(krb5_context context,
63 const AuthorizationData *ad,
64 krb5_data *data)
65 {
66 AuthorizationData child;
67 krb5_error_code ret;
68 int pos;
69
70 if (ad == NULL || ad->len == 0)
71 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
72
73 pos = ad->len - 1;
74
75 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
76 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
77
78 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
79 ad->val[pos].ad_data.length,
80 &child,
81 NULL);
82 if (ret) {
83 krb5_set_error_message(context, ret, "Failed to decode "
84 "IF_RELEVANT with %d", ret);
85 return ret;
86 }
87
88 if (child.len != 1) {
89 free_AuthorizationData(&child);
90 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
91 }
92
93 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
94 free_AuthorizationData(&child);
95 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
96 }
97
98 if (data)
99 ret = der_copy_octet_string(&child.val[0].ad_data, data);
100 free_AuthorizationData(&child);
101 return ret;
102 }
103
104 krb5_error_code
105 _kdc_add_KRB5SignedPath(krb5_context context,
106 krb5_kdc_configuration *config,
107 hdb_entry_ex *krbtgt,
108 krb5_enctype enctype,
109 krb5_const_principal server,
110 krb5_principals principals,
111 EncTicketPart *tkt)
112 {
113 krb5_error_code ret;
114 KRB5SignedPath sp;
115 krb5_data data;
116 krb5_crypto crypto = NULL;
117 size_t size;
118
119 if (server && principals) {
120 ret = add_Principals(principals, server);
121 if (ret)
122 return ret;
123 }
124
125 {
126 KRB5SignedPathData spd;
127
128 spd.encticket = *tkt;
129 spd.delegated = principals;
130
131 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
132 &spd, &size, ret);
133 if (ret)
134 return ret;
135 if (data.length != size)
136 krb5_abortx(context, "internal asn.1 encoder error");
137 }
138
139 {
140 Key *key;
141 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
142 if (ret == 0)
143 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
144 if (ret) {
145 free(data.data);
146 return ret;
147 }
148 }
149
150 /*
151 * Fill in KRB5SignedPath
152 */
153
154 sp.etype = enctype;
155 sp.delegated = principals;
156
157 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
158 data.data, data.length, &sp.cksum);
159 krb5_crypto_destroy(context, crypto);
160 free(data.data);
161 if (ret)
162 return ret;
163
164 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
165 free_Checksum(&sp.cksum);
166 if (ret)
167 return ret;
168 if (data.length != size)
169 krb5_abortx(context, "internal asn.1 encoder error");
170
171
172 /*
173 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
174 * authorization data field.
175 */
176
177 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
178 KRB5_AUTHDATA_SIGNTICKET, &data);
179 krb5_data_free(&data);
180
181 return ret;
182 }
183
184 static krb5_error_code
185 check_KRB5SignedPath(krb5_context context,
186 krb5_kdc_configuration *config,
187 hdb_entry_ex *krbtgt,
188 EncTicketPart *tkt,
189 krb5_principals *delegated,
190 int *signedpath)
191 {
192 krb5_error_code ret;
193 krb5_data data;
194 krb5_crypto crypto = NULL;
195
196 if (delegated)
197 *delegated = NULL;
198
199 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
200 if (ret == 0) {
201 KRB5SignedPathData spd;
202 KRB5SignedPath sp;
203 AuthorizationData *ad;
204 size_t size;
205
206 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
207 krb5_data_free(&data);
208 if (ret)
209 return ret;
210
211 spd.encticket = *tkt;
212 /* the KRB5SignedPath is the last entry */
213 ad = spd.encticket.authorization_data;
214 if (--ad->len == 0)
215 spd.encticket.authorization_data = NULL;
216 spd.delegated = sp.delegated;
217
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219 &spd, &size, ret);
220 ad->len++;
221 spd.encticket.authorization_data = ad;
222 if (ret) {
223 free_KRB5SignedPath(&sp);
224 return ret;
225 }
226 if (data.length != size)
227 krb5_abortx(context, "internal asn.1 encoder error");
228
229 {
230 Key *key;
231 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
232 if (ret == 0)
233 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
234 if (ret) {
235 free(data.data);
236 free_KRB5SignedPath(&sp);
237 return ret;
238 }
239 }
240 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
241 data.data, data.length,
242 &sp.cksum);
243 krb5_crypto_destroy(context, crypto);
244 free(data.data);
245 if (ret) {
246 free_KRB5SignedPath(&sp);
247 return ret;
248 }
249
250 if (delegated && sp.delegated) {
251
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
255 return ENOMEM;
256 }
257
258 ret = copy_Principals(*delegated, sp.delegated);
259 if (ret) {
260 free_KRB5SignedPath(&sp);
261 free(*delegated);
262 *delegated = NULL;
263 return ret;
264 }
265 }
266 free_KRB5SignedPath(&sp);
267
268 *signedpath = 1;
269 }
270
271 return 0;
272 }
273
274 /*
275 *
276 */
277
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 hdb_entry_ex *client,
283 hdb_entry_ex *server,
284 const EncryptionKey *server_key,
285 const EncryptionKey *krbtgt_key,
286 EncTicketPart *tkt,
287 krb5_data *rspac,
288 int *signedpath)
289 {
290 AuthorizationData *ad = tkt->authorization_data;
291 unsigned i, j;
292 krb5_error_code ret;
293
294 if (ad == NULL || ad->len == 0)
295 return 0;
296
297 for (i = 0; i < ad->len; i++) {
298 AuthorizationData child;
299
300 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
301 continue;
302
303 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
304 ad->val[i].ad_data.length,
305 &child,
306 NULL);
307 if (ret) {
308 krb5_set_error_message(context, ret, "Failed to decode "
309 "IF_RELEVANT with %d", ret);
310 return ret;
311 }
312 for (j = 0; j < child.len; j++) {
313
314 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
315 krb5_pac pac;
316
317 /* Found PAC */
318 ret = krb5_pac_parse(context,
319 child.val[j].ad_data.data,
320 child.val[j].ad_data.length,
321 &pac);
322 free_AuthorizationData(&child);
323 if (ret)
324 return ret;
325
326 ret = krb5_pac_verify(context, pac, tkt->authtime,
327 client_principal,
328 krbtgt_key, NULL);
329 if (ret) {
330 krb5_pac_free(context, pac);
331 return ret;
332 }
333
334 ret = _kdc_pac_verify(context, client_principal,
335 client, server, &pac);
336 if (ret) {
337 krb5_pac_free(context, pac);
338 return ret;
339 }
340 *signedpath = 1;
341
342 ret = _krb5_pac_sign(context, pac, tkt->authtime,
343 client_principal,
344 server_key, krbtgt_key, rspac);
345
346 krb5_pac_free(context, pac);
347
348 return ret;
349 }
350 }
351 free_AuthorizationData(&child);
352 }
353 return 0;
354 }
355
356 /*
357 *
358 */
359
360 static krb5_error_code
361 check_tgs_flags(krb5_context context,
362 krb5_kdc_configuration *config,
363 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
364 {
365 KDCOptions f = b->kdc_options;
366
367 if(f.validate){
368 if(!tgt->flags.invalid || tgt->starttime == NULL){
369 kdc_log(context, config, 0,
370 "Bad request to validate ticket");
371 return KRB5KDC_ERR_BADOPTION;
372 }
373 if(*tgt->starttime > kdc_time){
374 kdc_log(context, config, 0,
375 "Early request to validate ticket");
376 return KRB5KRB_AP_ERR_TKT_NYV;
377 }
378 /* XXX tkt = tgt */
379 et->flags.invalid = 0;
380 }else if(tgt->flags.invalid){
381 kdc_log(context, config, 0,
382 "Ticket-granting ticket has INVALID flag set");
383 return KRB5KRB_AP_ERR_TKT_INVALID;
384 }
385
386 if(f.forwardable){
387 if(!tgt->flags.forwardable){
388 kdc_log(context, config, 0,
389 "Bad request for forwardable ticket");
390 return KRB5KDC_ERR_BADOPTION;
391 }
392 et->flags.forwardable = 1;
393 }
394 if(f.forwarded){
395 if(!tgt->flags.forwardable){
396 kdc_log(context, config, 0,
397 "Request to forward non-forwardable ticket");
398 return KRB5KDC_ERR_BADOPTION;
399 }
400 et->flags.forwarded = 1;
401 et->caddr = b->addresses;
402 }
403 if(tgt->flags.forwarded)
404 et->flags.forwarded = 1;
405
406 if(f.proxiable){
407 if(!tgt->flags.proxiable){
408 kdc_log(context, config, 0,
409 "Bad request for proxiable ticket");
410 return KRB5KDC_ERR_BADOPTION;
411 }
412 et->flags.proxiable = 1;
413 }
414 if(f.proxy){
415 if(!tgt->flags.proxiable){
416 kdc_log(context, config, 0,
417 "Request to proxy non-proxiable ticket");
418 return KRB5KDC_ERR_BADOPTION;
419 }
420 et->flags.proxy = 1;
421 et->caddr = b->addresses;
422 }
423 if(tgt->flags.proxy)
424 et->flags.proxy = 1;
425
426 if(f.allow_postdate){
427 if(!tgt->flags.may_postdate){
428 kdc_log(context, config, 0,
429 "Bad request for post-datable ticket");
430 return KRB5KDC_ERR_BADOPTION;
431 }
432 et->flags.may_postdate = 1;
433 }
434 if(f.postdated){
435 if(!tgt->flags.may_postdate){
436 kdc_log(context, config, 0,
437 "Bad request for postdated ticket");
438 return KRB5KDC_ERR_BADOPTION;
439 }
440 if(b->from)
441 *et->starttime = *b->from;
442 et->flags.postdated = 1;
443 et->flags.invalid = 1;
444 }else if(b->from && *b->from > kdc_time + context->max_skew){
445 kdc_log(context, config, 0, "Ticket cannot be postdated");
446 return KRB5KDC_ERR_CANNOT_POSTDATE;
447 }
448
449 if(f.renewable){
450 if(!tgt->flags.renewable){
451 kdc_log(context, config, 0,
452 "Bad request for renewable ticket");
453 return KRB5KDC_ERR_BADOPTION;
454 }
455 et->flags.renewable = 1;
456 ALLOC(et->renew_till);
457 _kdc_fix_time(&b->rtime);
458 *et->renew_till = *b->rtime;
459 }
460 if(f.renew){
461 time_t old_life;
462 if(!tgt->flags.renewable || tgt->renew_till == NULL){
463 kdc_log(context, config, 0,
464 "Request to renew non-renewable ticket");
465 return KRB5KDC_ERR_BADOPTION;
466 }
467 old_life = tgt->endtime;
468 if(tgt->starttime)
469 old_life -= *tgt->starttime;
470 else
471 old_life -= tgt->authtime;
472 et->endtime = *et->starttime + old_life;
473 if (et->renew_till != NULL)
474 et->endtime = min(*et->renew_till, et->endtime);
475 }
476
477 #if 0
478 /* checks for excess flags */
479 if(f.request_anonymous && !config->allow_anonymous){
480 kdc_log(context, config, 0,
481 "Request for anonymous ticket");
482 return KRB5KDC_ERR_BADOPTION;
483 }
484 #endif
485 return 0;
486 }
487
488 /*
489 *
490 */
491
492 static krb5_error_code
493 check_constrained_delegation(krb5_context context,
494 krb5_kdc_configuration *config,
495 HDB *clientdb,
496 hdb_entry_ex *client,
497 krb5_const_principal server)
498 {
499 const HDB_Ext_Constrained_delegation_acl *acl;
500 krb5_error_code ret;
501 int i;
502
503 /* if client delegates to itself, that ok */
504 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
505 return 0;
506
507 if (clientdb->hdb_check_constrained_delegation) {
508 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
509 if (ret == 0)
510 return 0;
511 } else {
512 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
513 if (ret) {
514 krb5_clear_error_message(context);
515 return ret;
516 }
517
518 if (acl) {
519 for (i = 0; i < acl->len; i++) {
520 if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
521 return 0;
522 }
523 }
524 ret = KRB5KDC_ERR_BADOPTION;
525 }
526 kdc_log(context, config, 0,
527 "Bad request for constrained delegation");
528 return ret;
529 }
530
531 /*
532 *
533 */
534
535 static krb5_error_code
536 verify_flags (krb5_context context,
537 krb5_kdc_configuration *config,
538 const EncTicketPart *et,
539 const char *pstr)
540 {
541 if(et->endtime < kdc_time){
542 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
543 return KRB5KRB_AP_ERR_TKT_EXPIRED;
544 }
545 if(et->flags.invalid){
546 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
547 return KRB5KRB_AP_ERR_TKT_NYV;
548 }
549 return 0;
550 }
551
552 /*
553 *
554 */
555
556 static krb5_error_code
557 fix_transited_encoding(krb5_context context,
558 krb5_kdc_configuration *config,
559 krb5_boolean check_policy,
560 const TransitedEncoding *tr,
561 EncTicketPart *et,
562 const char *client_realm,
563 const char *server_realm,
564 const char *tgt_realm)
565 {
566 krb5_error_code ret = 0;
567 char **realms, **tmp;
568 unsigned int num_realms;
569 int i;
570
571 switch (tr->tr_type) {
572 case DOMAIN_X500_COMPRESS:
573 break;
574 case 0:
575 /*
576 * Allow empty content of type 0 because that is was Microsoft
577 * generates in their TGT.
578 */
579 if (tr->contents.length == 0)
580 break;
581 kdc_log(context, config, 0,
582 "Transited type 0 with non empty content");
583 return KRB5KDC_ERR_TRTYPE_NOSUPP;
584 default:
585 kdc_log(context, config, 0,
586 "Unknown transited type: %u", tr->tr_type);
587 return KRB5KDC_ERR_TRTYPE_NOSUPP;
588 }
589
590 ret = krb5_domain_x500_decode(context,
591 tr->contents,
592 &realms,
593 &num_realms,
594 client_realm,
595 server_realm);
596 if(ret){
597 krb5_warn(context, ret,
598 "Decoding transited encoding");
599 return ret;
600 }
601 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
602 /* not us, so add the previous realm to transited set */
603 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
604 ret = ERANGE;
605 goto free_realms;
606 }
607 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
608 if(tmp == NULL){
609 ret = ENOMEM;
610 goto free_realms;
611 }
612 realms = tmp;
613 realms[num_realms] = strdup(tgt_realm);
614 if(realms[num_realms] == NULL){
615 ret = ENOMEM;
616 goto free_realms;
617 }
618 num_realms++;
619 }
620 if(num_realms == 0) {
621 if(strcmp(client_realm, server_realm))
622 kdc_log(context, config, 0,
623 "cross-realm %s -> %s", client_realm, server_realm);
624 } else {
625 size_t l = 0;
626 char *rs;
627 for(i = 0; i < num_realms; i++)
628 l += strlen(realms[i]) + 2;
629 rs = malloc(l);
630 if(rs != NULL) {
631 *rs = '\0';
632 for(i = 0; i < num_realms; i++) {
633 if(i > 0)
634 strlcat(rs, ", ", l);
635 strlcat(rs, realms[i], l);
636 }
637 kdc_log(context, config, 0,
638 "cross-realm %s -> %s via [%s]",
639 client_realm, server_realm, rs);
640 free(rs);
641 }
642 }
643 if(check_policy) {
644 ret = krb5_check_transited(context, client_realm,
645 server_realm,
646 realms, num_realms, NULL);
647 if(ret) {
648 krb5_warn(context, ret, "cross-realm %s -> %s",
649 client_realm, server_realm);
650 goto free_realms;
651 }
652 et->flags.transited_policy_checked = 1;
653 }
654 et->transited.tr_type = DOMAIN_X500_COMPRESS;
655 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
656 if(ret)
657 krb5_warn(context, ret, "Encoding transited encoding");
658 free_realms:
659 for(i = 0; i < num_realms; i++)
660 free(realms[i]);
661 free(realms);
662 return ret;
663 }
664
665
666 static krb5_error_code
667 tgs_make_reply(krb5_context context,
668 krb5_kdc_configuration *config,
669 KDC_REQ_BODY *b,
670 krb5_const_principal tgt_name,
671 const EncTicketPart *tgt,
672 const EncryptionKey *serverkey,
673 const krb5_keyblock *sessionkey,
674 krb5_kvno kvno,
675 AuthorizationData *auth_data,
676 hdb_entry_ex *server,
677 krb5_principal server_principal,
678 const char *server_name,
679 hdb_entry_ex *client,
680 krb5_principal client_principal,
681 hdb_entry_ex *krbtgt,
682 krb5_enctype krbtgt_etype,
683 krb5_principals spp,
684 const krb5_data *rspac,
685 const METHOD_DATA *enc_pa_data,
686 const char **e_text,
687 krb5_data *reply)
688 {
689 KDC_REP rep;
690 EncKDCRepPart ek;
691 EncTicketPart et;
692 KDCOptions f = b->kdc_options;
693 krb5_error_code ret;
694 int is_weak = 0;
695
696 memset(&rep, 0, sizeof(rep));
697 memset(&et, 0, sizeof(et));
698 memset(&ek, 0, sizeof(ek));
699
700 rep.pvno = 5;
701 rep.msg_type = krb_tgs_rep;
702
703 et.authtime = tgt->authtime;
704 _kdc_fix_time(&b->till);
705 et.endtime = min(tgt->endtime, *b->till);
706 ALLOC(et.starttime);
707 *et.starttime = kdc_time;
708
709 ret = check_tgs_flags(context, config, b, tgt, &et);
710 if(ret)
711 goto out;
712
713 /* We should check the transited encoding if:
714 1) the request doesn't ask not to be checked
715 2) globally enforcing a check
716 3) principal requires checking
717 4) we allow non-check per-principal, but principal isn't marked as allowing this
718 5) we don't globally allow this
719 */
720
721 #define GLOBAL_FORCE_TRANSITED_CHECK \
722 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
723 #define GLOBAL_ALLOW_PER_PRINCIPAL \
724 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
725 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
726 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
727
728 /* these will consult the database in future release */
729 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
730 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
731
732 ret = fix_transited_encoding(context, config,
733 !f.disable_transited_check ||
734 GLOBAL_FORCE_TRANSITED_CHECK ||
735 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
736 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
737 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
738 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
739 &tgt->transited, &et,
740 krb5_principal_get_realm(context, client_principal),
741 krb5_principal_get_realm(context, server->entry.principal),
742 krb5_principal_get_realm(context, krbtgt->entry.principal));
743 if(ret)
744 goto out;
745
746 copy_Realm(&server_principal->realm, &rep.ticket.realm);
747 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
748 copy_Realm(&tgt_name->realm, &rep.crealm);
749 /*
750 if (f.request_anonymous)
751 _kdc_make_anonymous_principalname (&rep.cname);
752 else */
753
754 copy_PrincipalName(&tgt_name->name, &rep.cname);
755 rep.ticket.tkt_vno = 5;
756
757 ek.caddr = et.caddr;
758 if(et.caddr == NULL)
759 et.caddr = tgt->caddr;
760
761 {
762 time_t life;
763 life = et.endtime - *et.starttime;
764 if(client && client->entry.max_life)
765 life = min(life, *client->entry.max_life);
766 if(server->entry.max_life)
767 life = min(life, *server->entry.max_life);
768 et.endtime = *et.starttime + life;
769 }
770 if(f.renewable_ok && tgt->flags.renewable &&
771 et.renew_till == NULL && et.endtime < *b->till){
772 et.flags.renewable = 1;
773 ALLOC(et.renew_till);
774 *et.renew_till = *b->till;
775 }
776 if(et.renew_till){
777 time_t renew;
778 renew = *et.renew_till - et.authtime;
779 if(client && client->entry.max_renew)
780 renew = min(renew, *client->entry.max_renew);
781 if(server->entry.max_renew)
782 renew = min(renew, *server->entry.max_renew);
783 *et.renew_till = et.authtime + renew;
784 }
785
786 if(et.renew_till){
787 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
788 *et.starttime = min(*et.starttime, *et.renew_till);
789 et.endtime = min(et.endtime, *et.renew_till);
790 }
791
792 *et.starttime = min(*et.starttime, et.endtime);
793
794 if(*et.starttime == et.endtime){
795 ret = KRB5KDC_ERR_NEVER_VALID;
796 goto out;
797 }
798 if(et.renew_till && et.endtime == *et.renew_till){
799 free(et.renew_till);
800 et.renew_till = NULL;
801 et.flags.renewable = 0;
802 }
803
804 et.flags.pre_authent = tgt->flags.pre_authent;
805 et.flags.hw_authent = tgt->flags.hw_authent;
806 et.flags.anonymous = tgt->flags.anonymous;
807 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
808
809 if(rspac->length) {
810 /*
811 * No not need to filter out the any PAC from the
812 * auth_data since it's signed by the KDC.
813 */
814 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
815 KRB5_AUTHDATA_WIN2K_PAC, rspac);
816 if (ret)
817 goto out;
818 }
819
820 if (auth_data) {
821 unsigned int i = 0;
822
823 /* XXX check authdata */
824 if (et.authorization_data == NULL) {
825 ret = ENOMEM;
826 krb5_set_error_message(context, ret, "malloc: out of memory");
827 goto out;
828 }
829 for(i = 0; i < auth_data->len ; i++) {
830 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
831 if (ret) {
832 krb5_set_error_message(context, ret, "malloc: out of memory");
833 goto out;
834 }
835 }
836
837 /* Filter out type KRB5SignedPath */
838 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
839 if (ret == 0) {
840 if (et.authorization_data->len == 1) {
841 free_AuthorizationData(et.authorization_data);
842 free(et.authorization_data);
843 et.authorization_data = NULL;
844 } else {
845 AuthorizationData *ad = et.authorization_data;
846 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
847 ad->len--;
848 }
849 }
850 }
851
852 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
853 if (ret)
854 goto out;
855 et.crealm = tgt->crealm;
856 et.cname = tgt_name->name;
857
858 ek.key = et.key;
859 /* MIT must have at least one last_req */
860 ek.last_req.len = 1;
861 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
862 if (ek.last_req.val == NULL) {
863 ret = ENOMEM;
864 goto out;
865 }
866 ek.nonce = b->nonce;
867 ek.flags = et.flags;
868 ek.authtime = et.authtime;
869 ek.starttime = et.starttime;
870 ek.endtime = et.endtime;
871 ek.renew_till = et.renew_till;
872 ek.srealm = rep.ticket.realm;
873 ek.sname = rep.ticket.sname;
874
875 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
876 et.endtime, et.renew_till);
877
878 /* Don't sign cross realm tickets, they can't be checked anyway */
879 {
880 char *r = get_krbtgt_realm(&ek.sname);
881
882 if (r == NULL || strcmp(r, ek.srealm) == 0) {
883 ret = _kdc_add_KRB5SignedPath(context,
884 config,
885 krbtgt,
886 krbtgt_etype,
887 NULL,
888 spp,
889 &et);
890 if (ret)
891 goto out;
892 }
893 }
894
895 if (enc_pa_data->len) {
896 rep.padata = calloc(1, sizeof(*rep.padata));
897 if (rep.padata == NULL) {
898 ret = ENOMEM;
899 goto out;
900 }
901 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
902 if (ret)
903 goto out;
904 }
905
906 if (krb5_enctype_valid(context, et.key.keytype) != 0
907 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
908 {
909 krb5_enctype_enable(context, et.key.keytype);
910 is_weak = 1;
911 }
912
913
914 /* It is somewhat unclear where the etype in the following
915 encryption should come from. What we have is a session
916 key in the passed tgt, and a list of preferred etypes
917 *for the new ticket*. Should we pick the best possible
918 etype, given the keytype in the tgt, or should we look
919 at the etype list here as well? What if the tgt
920 session key is DES3 and we want a ticket with a (say)
921 CAST session key. Should the DES3 etype be added to the
922 etype list, even if we don't want a session key with
923 DES3? */
924 ret = _kdc_encode_reply(context, config,
925 &rep, &et, &ek, et.key.keytype,
926 kvno,
927 serverkey, 0, &tgt->key, e_text, reply);
928 if (is_weak)
929 krb5_enctype_disable(context, et.key.keytype);
930
931 out:
932 free_TGS_REP(&rep);
933 free_TransitedEncoding(&et.transited);
934 if(et.starttime)
935 free(et.starttime);
936 if(et.renew_till)
937 free(et.renew_till);
938 if(et.authorization_data) {
939 free_AuthorizationData(et.authorization_data);
940 free(et.authorization_data);
941 }
942 free_LastReq(&ek.last_req);
943 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
944 free_EncryptionKey(&et.key);
945 return ret;
946 }
947
948 static krb5_error_code
949 tgs_check_authenticator(krb5_context context,
950 krb5_kdc_configuration *config,
951 krb5_auth_context ac,
952 KDC_REQ_BODY *b,
953 const char **e_text,
954 krb5_keyblock *key)
955 {
956 krb5_authenticator auth;
957 size_t len;
958 unsigned char *buf;
959 size_t buf_size;
960 krb5_error_code ret;
961 krb5_crypto crypto;
962
963 krb5_auth_con_getauthenticator(context, ac, &auth);
964 if(auth->cksum == NULL){
965 kdc_log(context, config, 0, "No authenticator in request");
966 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
967 goto out;
968 }
969 /*
970 * according to RFC1510 it doesn't need to be keyed,
971 * but according to the latest draft it needs to.
972 */
973 if (
974 #if 0
975 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
976 ||
977 #endif
978 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
979 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
980 auth->cksum->cksumtype);
981 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
982 goto out;
983 }
984
985 /* XXX should not re-encode this */
986 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
987 if(ret){
988 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
989 krb5_get_err_text(context, ret));
990 goto out;
991 }
992 if(buf_size != len) {
993 free(buf);
994 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
995 *e_text = "KDC internal error";
996 ret = KRB5KRB_ERR_GENERIC;
997 goto out;
998 }
999 ret = krb5_crypto_init(context, key, 0, &crypto);
1000 if (ret) {
1001 free(buf);
1002 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1003 krb5_get_err_text(context, ret));
1004 goto out;
1005 }
1006 ret = krb5_verify_checksum(context,
1007 crypto,
1008 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1009 buf,
1010 len,
1011 auth->cksum);
1012 free(buf);
1013 krb5_crypto_destroy(context, crypto);
1014 if(ret){
1015 kdc_log(context, config, 0,
1016 "Failed to verify authenticator checksum: %s",
1017 krb5_get_err_text(context, ret));
1018 }
1019 out:
1020 free_Authenticator(auth);
1021 free(auth);
1022 return ret;
1023 }
1024
1025 /*
1026 *
1027 */
1028
1029 static const char *
1030 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1031 {
1032 const char *new_realm = krb5_config_get_string(context,
1033 NULL,
1034 "capaths",
1035 crealm,
1036 srealm,
1037 NULL);
1038 return new_realm;
1039 }
1040
1041
1042 static krb5_boolean
1043 need_referral(krb5_context context, krb5_kdc_configuration *config,
1044 const KDCOptions * const options, krb5_principal server,
1045 krb5_realm **realms)
1046 {
1047 const char *name;
1048
1049 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1050 return FALSE;
1051
1052 if (server->name.name_string.len == 1)
1053 name = server->name.name_string.val[0];
1054 else if (server->name.name_string.len > 1)
1055 name = server->name.name_string.val[1];
1056 else
1057 return FALSE;
1058
1059 kdc_log(context, config, 0, "Searching referral for %s", name);
1060
1061 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1062 }
1063
1064 static krb5_error_code
1065 tgs_parse_request(krb5_context context,
1066 krb5_kdc_configuration *config,
1067 KDC_REQ_BODY *b,
1068 const PA_DATA *tgs_req,
1069 hdb_entry_ex **krbtgt,
1070 krb5_enctype *krbtgt_etype,
1071 krb5_ticket **ticket,
1072 const char **e_text,
1073 const char *from,
1074 const struct sockaddr *from_addr,
1075 time_t **csec,
1076 int **cusec,
1077 AuthorizationData **auth_data)
1078 {
1079 krb5_ap_req ap_req;
1080 krb5_error_code ret;
1081 krb5_principal princ;
1082 krb5_auth_context ac = NULL;
1083 krb5_flags ap_req_options;
1084 krb5_flags verify_ap_req_flags;
1085 krb5_crypto crypto;
1086 Key *tkey;
1087
1088 *auth_data = NULL;
1089 *csec = NULL;
1090 *cusec = NULL;
1091
1092 memset(&ap_req, 0, sizeof(ap_req));
1093 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1094 if(ret){
1095 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
1096 krb5_get_err_text(context, ret));
1097 goto out;
1098 }
1099
1100 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1101 /* XXX check for ticket.sname == req.sname */
1102 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1103 ret = KRB5KDC_ERR_POLICY; /* ? */
1104 goto out;
1105 }
1106
1107 _krb5_principalname2krb5_principal(context,
1108 &princ,
1109 ap_req.ticket.sname,
1110 ap_req.ticket.realm);
1111
1112 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
1113
1114 if(ret) {
1115 char *p;
1116 ret = krb5_unparse_name(context, princ, &p);
1117 if (ret != 0)
1118 p = "<unparse_name failed>";
1119 krb5_free_principal(context, princ);
1120 kdc_log(context, config, 0,
1121 "Ticket-granting ticket not found in database: %s: %s",
1122 p, krb5_get_err_text(context, ret));
1123 if (ret == 0)
1124 free(p);
1125 ret = KRB5KRB_AP_ERR_NOT_US;
1126 goto out;
1127 }
1128
1129 if(ap_req.ticket.enc_part.kvno &&
1130 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1131 char *p;
1132
1133 ret = krb5_unparse_name (context, princ, &p);
1134 krb5_free_principal(context, princ);
1135 if (ret != 0)
1136 p = "<unparse_name failed>";
1137 kdc_log(context, config, 0,
1138 "Ticket kvno = %d, DB kvno = %d (%s)",
1139 *ap_req.ticket.enc_part.kvno,
1140 (*krbtgt)->entry.kvno,
1141 p);
1142 if (ret == 0)
1143 free (p);
1144 ret = KRB5KRB_AP_ERR_BADKEYVER;
1145 goto out;
1146 }
1147
1148 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1149
1150 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1151 ap_req.ticket.enc_part.etype, &tkey);
1152 if(ret){
1153 char *str = NULL, *p = NULL;
1154
1155 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1156 krb5_unparse_name(context, princ, &p);
1157 kdc_log(context, config, 0,
1158 "No server key with enctype %s found for %s",
1159 str ? str : "<unknown enctype>",
1160 p ? p : "<unparse_name failed>");
1161 free(str);
1162 free(p);
1163 ret = KRB5KRB_AP_ERR_BADKEYVER;
1164 goto out;
1165 }
1166
1167 if (b->kdc_options.validate)
1168 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1169 else
1170 verify_ap_req_flags = 0;
1171
1172 ret = krb5_verify_ap_req2(context,
1173 &ac,
1174 &ap_req,
1175 princ,
1176 &tkey->key,
1177 verify_ap_req_flags,
1178 &ap_req_options,
1179 ticket,
1180 KRB5_KU_TGS_REQ_AUTH);
1181
1182 krb5_free_principal(context, princ);
1183 if(ret) {
1184 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
1185 krb5_get_err_text(context, ret));
1186 goto out;
1187 }
1188
1189 {
1190 krb5_authenticator auth;
1191
1192 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1193 if (ret == 0) {
1194 *csec = malloc(sizeof(**csec));
1195 if (*csec == NULL) {
1196 krb5_free_authenticator(context, &auth);
1197 kdc_log(context, config, 0, "malloc failed");
1198 goto out;
1199 }
1200 **csec = auth->ctime;
1201 *cusec = malloc(sizeof(**cusec));
1202 if (*cusec == NULL) {
1203 krb5_free_authenticator(context, &auth);
1204 kdc_log(context, config, 0, "malloc failed");
1205 goto out;
1206 }
1207 **cusec = auth->cusec;
1208 krb5_free_authenticator(context, &auth);
1209 }
1210 }
1211
1212 ret = tgs_check_authenticator(context, config,
1213 ac, b, e_text, &(*ticket)->ticket.key);
1214 if (ret) {
1215 krb5_auth_con_free(context, ac);
1216 goto out;
1217 }
1218
1219 if (b->enc_authorization_data) {
1220 unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1221 krb5_keyblock *subkey;
1222 krb5_data ad;
1223
1224 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1225 if(ret){
1226 krb5_auth_con_free(context, ac);
1227 kdc_log(context, config, 0, "Failed to get remote subkey: %s",
1228 krb5_get_err_text(context, ret));
1229 goto out;
1230 }
1231 if(subkey == NULL){
1232 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1233 ret = krb5_auth_con_getkey(context, ac, &subkey);
1234 if(ret) {
1235 krb5_auth_con_free(context, ac);
1236 kdc_log(context, config, 0, "Failed to get session key: %s",
1237 krb5_get_err_text(context, ret));
1238 goto out;
1239 }
1240 }
1241 if(subkey == NULL){
1242 krb5_auth_con_free(context, ac);
1243 kdc_log(context, config, 0,
1244 "Failed to get key for enc-authorization-data");
1245 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1246 goto out;
1247 }
1248 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1249 krb5_free_keyblock(context, subkey);
1250 if (ret) {
1251 krb5_auth_con_free(context, ac);
1252 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1253 krb5_get_err_text(context, ret));
1254 goto out;
1255 }
1256 ret = krb5_decrypt_EncryptedData (context,
1257 crypto,
1258 usage,
1259 b->enc_authorization_data,
1260 &ad);
1261 krb5_crypto_destroy(context, crypto);
1262 if(ret){
1263 krb5_auth_con_free(context, ac);
1264 kdc_log(context, config, 0,
1265 "Failed to decrypt enc-authorization-data");
1266 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1267 goto out;
1268 }
1269 ALLOC(*auth_data);
1270 if (*auth_data == NULL) {
1271 krb5_auth_con_free(context, ac);
1272 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1273 goto out;
1274 }
1275 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1276 if(ret){
1277 krb5_auth_con_free(context, ac);
1278 free(*auth_data);
1279 *auth_data = NULL;
1280 kdc_log(context, config, 0, "Failed to decode authorization data");
1281 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1282 goto out;
1283 }
1284 }
1285
1286 krb5_auth_con_free(context, ac);
1287
1288 out:
1289 free_AP_REQ(&ap_req);
1290
1291 return ret;
1292 }
1293
1294 static krb5_error_code
1295 build_server_referral(krb5_context context,
1296 krb5_kdc_configuration *config,
1297 krb5_crypto session,
1298 krb5_const_realm referred_realm,
1299 const PrincipalName *true_principal_name,
1300 const PrincipalName *requested_principal,
1301 krb5_data *outdata)
1302 {
1303 PA_ServerReferralData ref;
1304 krb5_error_code ret;
1305 EncryptedData ed;
1306 krb5_data data;
1307 size_t size;
1308
1309 memset(&ref, 0, sizeof(ref));
1310
1311 if (referred_realm) {
1312 ALLOC(ref.referred_realm);
1313 if (ref.referred_realm == NULL)
1314 goto eout;
1315 *ref.referred_realm = strdup(referred_realm);
1316 if (*ref.referred_realm == NULL)
1317 goto eout;
1318 }
1319 if (true_principal_name) {
1320 ALLOC(ref.true_principal_name);
1321 if (ref.true_principal_name == NULL)
1322 goto eout;
1323 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1324 if (ret)
1325 goto eout;
1326 }
1327 if (requested_principal) {
1328 ALLOC(ref.requested_principal_name);
1329 if (ref.requested_principal_name == NULL)
1330 goto eout;
1331 ret = copy_PrincipalName(requested_principal,
1332 ref.requested_principal_name);
1333 if (ret)
1334 goto eout;
1335 }
1336
1337 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1338 data.data, data.length,
1339 &ref, &size, ret);
1340 free_PA_ServerReferralData(&ref);
1341 if (ret)
1342 return ret;
1343 if (data.length != size)
1344 krb5_abortx(context, "internal asn.1 encoder error");
1345
1346 ret = krb5_encrypt_EncryptedData(context, session,
1347 KRB5_KU_PA_SERVER_REFERRAL,
1348 data.data, data.length,
1349 0 /* kvno */, &ed);
1350 free(data.data);
1351 if (ret)
1352 return ret;
1353
1354 ASN1_MALLOC_ENCODE(EncryptedData,
1355 outdata->data, outdata->length,
1356 &ed, &size, ret);
1357 free_EncryptedData(&ed);
1358 if (ret)
1359 return ret;
1360 if (outdata->length != size)
1361 krb5_abortx(context, "internal asn.1 encoder error");
1362
1363 return 0;
1364 eout:
1365 free_PA_ServerReferralData(&ref);
1366 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1367 return ENOMEM;
1368 }
1369
1370 static krb5_error_code
1371 tgs_build_reply(krb5_context context,
1372 krb5_kdc_configuration *config,
1373 KDC_REQ *req,
1374 KDC_REQ_BODY *b,
1375 hdb_entry_ex *krbtgt,
1376 krb5_enctype krbtgt_etype,
1377 krb5_ticket *ticket,
1378 krb5_data *reply,
1379 const char *from,
1380 const char **e_text,
1381 AuthorizationData **auth_data,
1382 const struct sockaddr *from_addr)
1383 {
1384 krb5_error_code ret;
1385 krb5_principal cp = NULL, sp = NULL;
1386 krb5_principal client_principal = NULL;
1387 char *spn = NULL, *cpn = NULL;
1388 hdb_entry_ex *server = NULL, *client = NULL;
1389 HDB *clientdb;
1390 krb5_realm ref_realm = NULL;
1391 EncTicketPart *tgt = &ticket->ticket;
1392 krb5_principals spp = NULL;
1393 const EncryptionKey *ekey;
1394 krb5_keyblock sessionkey;
1395 krb5_kvno kvno;
1396 krb5_data rspac;
1397
1398 METHOD_DATA enc_pa_data;
1399
1400 PrincipalName *s;
1401 Realm r;
1402 int nloop = 0;
1403 EncTicketPart adtkt;
1404 char opt_str[128];
1405 int signedpath = 0;
1406
1407 Key *tkey;
1408
1409 memset(&sessionkey, 0, sizeof(sessionkey));
1410 memset(&adtkt, 0, sizeof(adtkt));
1411 krb5_data_zero(&rspac);
1412 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1413
1414 s = b->sname;
1415 r = b->realm;
1416
1417 if(b->kdc_options.enc_tkt_in_skey){
1418 Ticket *t;
1419 hdb_entry_ex *uu;
1420 krb5_principal p;
1421 Key *uukey;
1422
1423 if(b->additional_tickets == NULL ||
1424 b->additional_tickets->len == 0){
1425 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1426 kdc_log(context, config, 0,
1427 "No second ticket present in request");
1428 goto out;
1429 }
1430 t = &b->additional_tickets->val[0];
1431 if(!get_krbtgt_realm(&t->sname)){
1432 kdc_log(context, config, 0,
1433 "Additional ticket is not a ticket-granting ticket");
1434 ret = KRB5KDC_ERR_POLICY;
1435 goto out;
1436 }
1437 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1438 ret = _kdc_db_fetch(context, config, p,
1439 HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
1440 NULL, &uu);
1441 krb5_free_principal(context, p);
1442 if(ret){
1443 if (ret == HDB_ERR_NOENTRY)
1444 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1445 goto out;
1446 }
1447 ret = hdb_enctype2key(context, &uu->entry,
1448 t->enc_part.etype, &uukey);
1449 if(ret){
1450 _kdc_free_ent(context, uu);
1451 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1452 goto out;
1453 }
1454 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1455 _kdc_free_ent(context, uu);
1456 if(ret)
1457 goto out;
1458
1459 ret = verify_flags(context, config, &adtkt, spn);
1460 if (ret)
1461 goto out;
1462
1463 s = &adtkt.cname;
1464 r = adtkt.crealm;
1465 }
1466
1467 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1468 ret = krb5_unparse_name(context, sp, &spn);
1469 if (ret)
1470 goto out;
1471 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1472 ret = krb5_unparse_name(context, cp, &cpn);
1473 if (ret)
1474 goto out;
1475 unparse_flags (KDCOptions2int(b->kdc_options),
1476 asn1_KDCOptions_units(),
1477 opt_str, sizeof(opt_str));
1478 if(*opt_str)
1479 kdc_log(context, config, 0,
1480 "TGS-REQ %s from %s for %s [%s]",
1481 cpn, from, spn, opt_str);
1482 else
1483 kdc_log(context, config, 0,
1484 "TGS-REQ %s from %s for %s", cpn, from, spn);
1485
1486 /*
1487 * Fetch server
1488 */
1489
1490 server_lookup:
1491 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
1492 NULL, &server);
1493
1494 if(ret){
1495 const char *new_rlm;
1496 Realm req_rlm;
1497 krb5_realm *realms;
1498
1499 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1500 if(nloop++ < 2) {
1501 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1502 if(new_rlm) {
1503 kdc_log(context, config, 5, "krbtgt for realm %s "
1504 "not found, trying %s",
1505 req_rlm, new_rlm);
1506 krb5_free_principal(context, sp);
1507 free(spn);
1508 krb5_make_principal(context, &sp, r,
1509 KRB5_TGS_NAME, new_rlm, NULL);
1510 ret = krb5_unparse_name(context, sp, &spn);
1511 if (ret)
1512 goto out;
1513
1514 if (ref_realm)
1515 free(ref_realm);
1516 ref_realm = strdup(new_rlm);
1517 goto server_lookup;
1518 }
1519 }
1520 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1521 if (strcmp(realms[0], sp->realm) != 0) {
1522 kdc_log(context, config, 5,
1523 "Returning a referral to realm %s for "
1524 "server %s that was not found",
1525 realms[0], spn);
1526 krb5_free_principal(context, sp);
1527 free(spn);
1528 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1529 realms[0], NULL);
1530 ret = krb5_unparse_name(context, sp, &spn);
1531 if (ret)
1532 goto out;
1533
1534 if (ref_realm)
1535 free(ref_realm);
1536 ref_realm = strdup(realms[0]);
1537
1538 krb5_free_host_realm(context, realms);
1539 goto server_lookup;
1540 }
1541 krb5_free_host_realm(context, realms);
1542 }
1543 kdc_log(context, config, 0,
1544 "Server not found in database: %s: %s", spn,
1545 krb5_get_err_text(context, ret));
1546 if (ret == HDB_ERR_NOENTRY)
1547 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1548 goto out;
1549 }
1550
1551 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1552 &clientdb, &client);
1553 if(ret) {
1554 const char *krbtgt_realm;
1555
1556 /*
1557 * If the client belongs to the same realm as our krbtgt, it
1558 * should exist in the local database.
1559 *
1560 */
1561
1562 krbtgt_realm =
1563 krb5_principal_get_comp_string(context,
1564 krbtgt->entry.principal, 1);
1565
1566 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1567 if (ret == HDB_ERR_NOENTRY)
1568 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1569 kdc_log(context, config, 1, "Client no longer in database: %s",
1570 cpn);
1571 goto out;
1572 }
1573
1574 kdc_log(context, config, 1, "Client not found in database: %s: %s",
1575 cpn, krb5_get_err_text(context, ret));
1576 }
1577
1578 /*
1579 * Select enctype, return key and kvno.
1580 */
1581
1582 {
1583 krb5_enctype etype;
1584
1585 if(b->kdc_options.enc_tkt_in_skey) {
1586 int i;
1587 ekey = &adtkt.key;
1588 for(i = 0; i < b->etype.len; i++)
1589 if (b->etype.val[i] == adtkt.key.keytype)
1590 break;
1591 if(i == b->etype.len) {
1592 kdc_log(context, config, 0,
1593 "Addition ticket have not matching etypes");
1594 krb5_clear_error_message(context);
1595 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1596 goto out;
1597 }
1598 etype = b->etype.val[i];
1599 kvno = 0;
1600 } else {
1601 Key *skey;
1602
1603 ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
1604 &skey, &etype);
1605 if(ret) {
1606 kdc_log(context, config, 0,
1607 "Server (%s) has no support for etypes", spn);
1608 goto out;
1609 }
1610 ekey = &skey->key;
1611 kvno = server->entry.kvno;
1612 }
1613
1614 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1615 if (ret)
1616 goto out;
1617 }
1618
1619 /*
1620 * Check that service is in the same realm as the krbtgt. If it's
1621 * not the same, it's someone that is using a uni-directional trust
1622 * backward.
1623 */
1624
1625 if (strcmp(krb5_principal_get_realm(context, sp),
1626 krb5_principal_get_comp_string(context,
1627 krbtgt->entry.principal,
1628 1)) != 0) {
1629 char *tpn;
1630 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1631 kdc_log(context, config, 0,
1632 "Request with wrong krbtgt: %s",
1633 (ret == 0) ? tpn : "<unknown>");
1634 if(ret == 0)
1635 free(tpn);
1636 ret = KRB5KRB_AP_ERR_NOT_US;
1637 goto out;
1638 }
1639
1640 /*
1641 * Validate authoriation data
1642 */
1643
1644 ret = hdb_enctype2key(context, &krbtgt->entry,
1645 krbtgt_etype, &tkey);
1646 if(ret) {
1647 kdc_log(context, config, 0,
1648 "Failed to find key for krbtgt PAC check");
1649 goto out;
1650 }
1651
1652 ret = check_PAC(context, config, cp,
1653 client, server, ekey, &tkey->key,
1654 tgt, &rspac, &signedpath);
1655 if (ret) {
1656 kdc_log(context, config, 0,
1657 "Verify PAC failed for %s (%s) from %s with %s",
1658 spn, cpn, from, krb5_get_err_text(context, ret));
1659 goto out;
1660 }
1661
1662 /* also check the krbtgt for signature */
1663 ret = check_KRB5SignedPath(context,
1664 config,
1665 krbtgt,
1666 tgt,
1667 &spp,
1668 &signedpath);
1669 if (ret) {
1670 kdc_log(context, config, 0,
1671 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1672 spn, cpn, from, krb5_get_err_text(context, ret));
1673 goto out;
1674 }
1675
1676 /*
1677 * Process request
1678 */
1679
1680 client_principal = cp;
1681
1682 if (client) {
1683 const PA_DATA *sdata;
1684 int i = 0;
1685
1686 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1687 if (sdata) {
1688 krb5_crypto crypto;
1689 krb5_data datack;
1690 PA_S4U2Self self;
1691 char *selfcpn = NULL;
1692 const char *str;
1693
1694 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1695 sdata->padata_value.length,
1696 &self, NULL);
1697 if (ret) {
1698 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1699 goto out;
1700 }
1701
1702 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1703 if (ret)
1704 goto out;
1705
1706 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1707 if (ret) {
1708 free_PA_S4U2Self(&self);
1709 krb5_data_free(&datack);
1710 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1711 krb5_get_err_text(context, ret));
1712 goto out;
1713 }
1714
1715 ret = krb5_verify_checksum(context,
1716 crypto,
1717 KRB5_KU_OTHER_CKSUM,
1718 datack.data,
1719 datack.length,
1720 &self.cksum);
1721 krb5_data_free(&datack);
1722 krb5_crypto_destroy(context, crypto);
1723 if (ret) {
1724 free_PA_S4U2Self(&self);
1725 kdc_log(context, config, 0,
1726 "krb5_verify_checksum failed for S4U2Self: %s",
1727 krb5_get_err_text(context, ret));
1728 goto out;
1729 }
1730
1731 ret = _krb5_principalname2krb5_principal(context,
1732 &client_principal,
1733 self.name,
1734 self.realm);
1735 free_PA_S4U2Self(&self);
1736 if (ret)
1737 goto out;
1738
1739 ret = krb5_unparse_name(context, client_principal, &selfcpn);
1740 if (ret)
1741 goto out;
1742
1743 /*
1744 * Check that service doing the impersonating is
1745 * requesting a ticket to it-self.
1746 */
1747 if (krb5_principal_compare(context, cp, sp) != TRUE) {
1748 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1749 "to impersonate some other user "
1750 "(tried for user %s to service %s)",
1751 cpn, selfcpn, spn);
1752 free(selfcpn);
1753 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1754 goto out;
1755 }
1756
1757 /*
1758 * If the service isn't trusted for authentication to
1759 * delegation, remove the forward flag.
1760 */
1761
1762 if (client->entry.flags.trusted_for_delegation) {
1763 str = "[forwardable]";
1764 } else {
1765 b->kdc_options.forwardable = 0;
1766 str = "";
1767 }
1768 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1769 "service %s %s", cpn, selfcpn, spn, str);
1770 free(selfcpn);
1771 }
1772 }
1773
1774 /*
1775 * Constrained delegation
1776 */
1777
1778 if (client != NULL
1779 && b->additional_tickets != NULL
1780 && b->additional_tickets->len != 0
1781 && b->kdc_options.enc_tkt_in_skey == 0)
1782 {
1783 int ad_signedpath = 0;
1784 Key *clientkey;
1785 Ticket *t;
1786 char *str;
1787
1788 /*
1789 * Require that the KDC have issued the service's krbtgt (not
1790 * self-issued ticket with kimpersonate(1).
1791 */
1792 if (!signedpath) {
1793 ret = KRB5KDC_ERR_BADOPTION;
1794 kdc_log(context, config, 0,
1795 "Constrained delegation done on service ticket %s/%s",
1796 cpn, spn);
1797 goto out;
1798 }
1799
1800 t = &b->additional_tickets->val[0];
1801
1802 ret = hdb_enctype2key(context, &client->entry,
1803 t->enc_part.etype, &clientkey);
1804 if(ret){
1805 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1806 goto out;
1807 }
1808
1809 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
1810 if (ret) {
1811 kdc_log(context, config, 0,
1812 "failed to decrypt ticket for "
1813 "constrained delegation from %s to %s ", cpn, spn);
1814 goto out;
1815 }
1816
1817 /* check that ticket is valid */
1818 if (adtkt.flags.forwardable == 0) {
1819 kdc_log(context, config, 0,
1820 "Missing forwardable flag on ticket for "
1821 "constrained delegation from %s to %s ", cpn, spn);
1822 ret = KRB5KDC_ERR_BADOPTION;
1823 goto out;
1824 }
1825
1826 ret = check_constrained_delegation(context, config, clientdb,
1827 client, sp);
1828 if (ret) {
1829 kdc_log(context, config, 0,
1830 "constrained delegation from %s to %s not allowed",
1831 cpn, spn);
1832 goto out;
1833 }
1834
1835 ret = _krb5_principalname2krb5_principal(context,
1836 &client_principal,
1837 adtkt.cname,
1838 adtkt.crealm);
1839 if (ret)
1840 goto out;
1841
1842 ret = krb5_unparse_name(context, client_principal, &str);
1843 if (ret)
1844 goto out;
1845
1846 ret = verify_flags(context, config, &adtkt, str);
1847 if (ret) {
1848 free(str);
1849 goto out;
1850 }
1851
1852 /*
1853 * Check that the KDC issued the user's ticket.
1854 */
1855 ret = check_KRB5SignedPath(context,
1856 config,
1857 krbtgt,
1858 &adtkt,
1859 NULL,
1860 &ad_signedpath);
1861 if (ret == 0 && !ad_signedpath)
1862 ret = KRB5KDC_ERR_BADOPTION;
1863 if (ret) {
1864 kdc_log(context, config, 0,
1865 "KRB5SignedPath check from service %s failed "
1866 "for delegation to %s for client %s "
1867 "from %s failed with %s",
1868 spn, str, cpn, from, krb5_get_err_text(context, ret));
1869 free(str);
1870 goto out;
1871 }
1872
1873 kdc_log(context, config, 0, "constrained delegation for %s "
1874 "from %s to %s", str, cpn, spn);
1875 free(str);
1876 }
1877
1878 /*
1879 * Check flags
1880 */
1881
1882 ret = kdc_check_flags(context, config,
1883 client, cpn,
1884 server, spn,
1885 FALSE);
1886 if(ret)
1887 goto out;
1888
1889 if((b->kdc_options.validate || b->kdc_options.renew) &&
1890 !krb5_principal_compare(context,
1891 krbtgt->entry.principal,
1892 server->entry.principal)){
1893 kdc_log(context, config, 0, "Inconsistent request.");
1894 ret = KRB5KDC_ERR_SERVER_NOMATCH;
1895 goto out;
1896 }
1897
1898 /* check for valid set of addresses */
1899 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
1900 ret = KRB5KRB_AP_ERR_BADADDR;
1901 kdc_log(context, config, 0, "Request from wrong address");
1902 goto out;
1903 }
1904
1905 /*
1906 * If this is an referral, add server referral data to the
1907 * auth_data reply .
1908 */
1909 if (ref_realm) {
1910 PA_DATA pa;
1911 krb5_crypto crypto;
1912
1913 kdc_log(context, config, 0,
1914 "Adding server referral to %s", ref_realm);
1915
1916 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
1917 if (ret)
1918 goto out;
1919
1920 ret = build_server_referral(context, config, crypto, ref_realm,
1921 NULL, s, &pa.padata_value);
1922 krb5_crypto_destroy(context, crypto);
1923 if (ret) {
1924 kdc_log(context, config, 0,
1925 "Failed building server referral");
1926 goto out;
1927 }
1928 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
1929
1930 ret = add_METHOD_DATA(&enc_pa_data, &pa);
1931 krb5_data_free(&pa.padata_value);
1932 if (ret) {
1933 kdc_log(context, config, 0,
1934 "Add server referral METHOD-DATA failed");
1935 goto out;
1936 }
1937 }
1938
1939 /*
1940 *
1941 */
1942
1943 ret = tgs_make_reply(context,
1944 config,
1945 b,
1946 client_principal,
1947 tgt,
1948 ekey,
1949 &sessionkey,
1950 kvno,
1951 *auth_data,
1952 server,
1953 sp,
1954 spn,
1955 client,
1956 cp,
1957 krbtgt,
1958 krbtgt_etype,
1959 spp,
1960 &rspac,
1961 &enc_pa_data,
1962 e_text,
1963 reply);
1964
1965 out:
1966 free(spn);
1967 free(cpn);
1968
1969 krb5_data_free(&rspac);
1970 krb5_free_keyblock_contents(context, &sessionkey);
1971 if(server)
1972 _kdc_free_ent(context, server);
1973 if(client)
1974 _kdc_free_ent(context, client);
1975
1976 if (client_principal && client_principal != cp)
1977 krb5_free_principal(context, client_principal);
1978 if (cp)
1979 krb5_free_principal(context, cp);
1980 if (sp)
1981 krb5_free_principal(context, sp);
1982 if (ref_realm)
1983 free(ref_realm);
1984 free_METHOD_DATA(&enc_pa_data);
1985
1986 free_EncTicketPart(&adtkt);
1987
1988 return ret;
1989 }
1990
1991 /*
1992 *
1993 */
1994
1995 krb5_error_code
1996 _kdc_tgs_rep(krb5_context context,
1997 krb5_kdc_configuration *config,
1998 KDC_REQ *req,
1999 krb5_data *data,
2000 const char *from,
2001 struct sockaddr *from_addr,
2002 int datagram_reply)
2003 {
2004 AuthorizationData *auth_data = NULL;
2005 krb5_error_code ret;
2006 int i = 0;
2007 const PA_DATA *tgs_req;
2008
2009 hdb_entry_ex *krbtgt = NULL;
2010 krb5_ticket *ticket = NULL;
2011 const char *e_text = NULL;
2012 krb5_enctype krbtgt_etype = ETYPE_NULL;
2013
2014 time_t *csec = NULL;
2015 int *cusec = NULL;
2016
2017 if(req->padata == NULL){
2018 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2019 kdc_log(context, config, 0,
2020 "TGS-REQ from %s without PA-DATA", from);
2021 goto out;
2022 }
2023
2024 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2025
2026 if(tgs_req == NULL){
2027 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2028
2029 kdc_log(context, config, 0,
2030 "TGS-REQ from %s without PA-TGS-REQ", from);
2031 goto out;
2032 }
2033 ret = tgs_parse_request(context, config,
2034 &req->req_body, tgs_req,
2035 &krbtgt,
2036 &krbtgt_etype,
2037 &ticket,
2038 &e_text,
2039 from, from_addr,
2040 &csec, &cusec,
2041 &auth_data);
2042 if (ret) {
2043 kdc_log(context, config, 0,
2044 "Failed parsing TGS-REQ from %s", from);
2045 goto out;
2046 }
2047
2048 ret = tgs_build_reply(context,
2049 config,
2050 req,
2051 &req->req_body,
2052 krbtgt,
2053 krbtgt_etype,
2054 ticket,
2055 data,
2056 from,
2057 &e_text,
2058 &auth_data,
2059 from_addr);
2060 if (ret) {
2061 kdc_log(context, config, 0,
2062 "Failed building TGS-REP to %s", from);
2063 goto out;
2064 }
2065
2066 /* */
2067 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2068 krb5_data_free(data);
2069 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2070 e_text = "Reply packet too large";
2071 }
2072
2073 out:
2074 if(ret && data->data == NULL){
2075 krb5_mk_error(context,
2076 ret,
2077 NULL,
2078 NULL,
2079 NULL,
2080 NULL,
2081 csec,
2082 cusec,
2083 data);
2084 }
2085 free(csec);
2086 free(cusec);
2087 if (ticket)
2088 krb5_free_ticket(context, ticket);
2089 if(krbtgt)
2090 _kdc_free_ent(context, krbtgt);
2091
2092 if (auth_data) {
2093 free_AuthorizationData(auth_data);
2094 free(auth_data);
2095 }
2096
2097 return 0;
2098 }
Heimdal