| blob | b75c705f4fd9bdece63d4165bd3dc5cd0b9fbb76 |
1 /* kdc.c --- Process AS and TGS requests.
2 * Copyright (C) 2002, 2003, 2004, 2005 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
19 *
20 */
22 /* Note: only use syslog to report errors in this file. */
24 /* Get Shishid stuff. */
27 static int
29 {
42 /*
43 * The authentication server looks up the client and server principals
44 * named in the KRB_AS_REQ in its database, extracting their respective
45 * keys. If the requested client principal named in the request is not
46 * known because it doesn't exist in the KDC's principal database, then
47 * an error message with a KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.
48 */
52 {
56 }
60 {
64 }
68 {
72 }
74 /* Find the client, e.g., simon@JOSEFSSON.ORG. */
78 {
83 }
85 {
89 SHISHI_KDC_ERR_C_PRINCIPAL_UNKNOWN);
94 }
98 {
103 }
105 /* Find the server, e.g., krbtgt/JOSEFSSON.ORG@JOSEFSSON.ORG. */
109 {
114 }
116 {
120 rc =
122 SHISHI_KDC_ERR_S_PRINCIPAL_UNKNOWN);
127 }
132 {
137 }
142 /*
143 * If required, the server pre-authenticates the request, and if the
144 * pre-authentication check fails, an error message with the code
145 * KDC_ERR_PREAUTH_FAILED is returned. If pre-authentication is
146 * required, but was not present in the request, an error message with
147 * the code KDC_ERR_PREAUTH_REQUIRED is returned and a METHOD-DATA
148 * object will be stored in the e-data field of the KRB-ERROR message to
149 * specify which pre-authentication mechanisms are acceptable. Usually
150 * this will include PA-ETYPE-INFO and/or PA-ETYPE-INFO2 elements as
151 * described below. If the server cannot accommodate any encryption type
152 * requested by the client, an error message with code
153 * KDC_ERR_ETYPE_NOSUPP is returned. Otherwise the KDC generates a
154 * 'random' session key[7].
155 */
157 /* XXX support pre-auth. */
159 /*
160 * When responding to an AS request, if there are multiple encryption
161 * keys registered for a client in the Kerberos database, then the etype
162 * field from the AS request is used by the KDC to select the encryption
163 * method to be used to protect the encrypted part of the KRB_AS_REP
164 * message which is sent to the client. If there is more than one
165 * supported strong encryption type in the etype list, the KDC SHOULD
166 * use the first valid strong etype for which an encryption key is
167 * available.
168 */
172 {
185 {
191 }
192 }
195 {
199 SHISHI_KDC_ERR_ETYPE_NOSUPP);
204 }
210 {
214 }
216 /* XXX Select "best" available key (highest kvno, best algorithm?)
217 here. The client etype should not influence this. */
221 {
225 }
226 /*
227 * When the user's key is generated from a password or pass phrase, the
228 * string-to-key function for the particular encryption key type is
229 * used, as specified in [@KCRYPTO]. The salt value and additional
230 * parameters for the string-to-key function have default values
231 * (specified by section 4 and by the encryption mechanism
232 * specification, respectively) that may be overridden by pre-
233 * authentication data (PA-PW-SALT, PA-AFS3-SALT, PA-ETYPE-INFO, PA-
234 * ETYPE-INFO2, etc). Since the KDC is presumed to store a copy of the
235 * resulting key only, these values should not be changed for password-
236 * based keys except when changing the principal's key.
237 *
238 * When the AS server is to include pre-authentication data in a KRB-
239 * ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-INFO,
240 * if the etype field of the client's AS-REQ lists at least one "newer"
241 * encryption type. Otherwise (when the etype field of the client's AS-
242 * REQ does not list any "newer" encryption types) it MUST send both,
243 * PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for each
244 * enctype). A "newer" enctype is any enctype first officially
245 * specified concurrently with or subsequent to the issue of this RFC.
246 * The enctypes DES, 3DES or RC4 and any defined in [RFC1510] are not
247 * newer enctypes.
248 *
249 * It is not possible to reliably generate a user's key given a pass
250 * phrase without contacting the KDC, since it will not be known whether
251 * alternate salt or parameter values are required.
252 *
253 */
255 /* XXX support pre-auth. */
257 /*
258 * The KDC will attempt to assign the type of the random session key
259 * from the list of methods in the etype field. The KDC will select the
260 * appropriate type using the list of methods provided together with
261 * information from the Kerberos database indicating acceptable
262 * encryption methods for the application server. The KDC will not issue
263 * tickets with a weak session key encryption type.
264 */
271 {
275 }
277 /*
278 * If the requested start time is absent, indicates a time in the past,
279 * or is within the window of acceptable clock skew for the KDC and the
280 * POSTDATE option has not been specified, then the start time of the
281 * ticket is set to the authentication server's current time. If it
282 * indicates a time in the future beyond the acceptable clock skew, but
283 * the POSTDATED option has not been specified then the error
284 * KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the requested start
285 * time is checked against the policy of the local realm (the
286 * administrator might decide to prohibit certain types or ranges of
287 * postdated tickets), and if acceptable, the ticket's start time is set
288 * as requested and the INVALID flag is set in the new ticket. The
289 * postdated ticket MUST be validated before use by presenting it to the
290 * KDC after the start time has been reached.
291 *
292 * The expiration time of the ticket will be set to the earlier of the
293 * requested endtime and a time determined by local policy, possibly
294 * determined using realm or principal specific factors. For example,
295 * the expiration time MAY be set to the earliest of the following:
296 *
297 * * The expiration time (endtime) requested in the KRB_AS_REQ
298 * message.
299 *
300 * * The ticket's start time plus the maximum allowable lifetime
301 * associated with the client principal from the authentication
302 * server's database.
303 *
304 * * The ticket's start time plus the maximum allowable lifetime
305 * associated with the server principal.
306 *
307 * * The ticket's start time plus the maximum lifetime set by the
308 * policy of the local realm.
309 *
310 * If the requested expiration time minus the start time (as determined
311 * above) is less than a site-determined minimum lifetime, an error
312 * message with code KDC_ERR_NEVER_VALID is returned. If the requested
313 * expiration time for the ticket exceeds what was determined as above,
314 * and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
315 * flag is set in the new ticket, and the renew-till value is set as if
316 * the 'RENEWABLE' option were requested (the field and option names are
317 * described fully in section 5.4.1).
318 *
319 * If the RENEWABLE option has been requested or if the RENEWABLE-OK
320 * option has been set and a renewable ticket is to be issued, then the
321 * renew-till field MAY be set to the earliest of:
322 *
323 * * Its requested value.
324 *
325 * * The start time of the ticket plus the minimum of the two
326 * maximum renewable lifetimes associated with the principals'
327 * database entries.
328 *
329 * * The start time of the ticket plus the maximum renewable
330 * lifetime set by the policy of the local realm.
331 *
332 */
336 {
339 }
341 {
347 {
351 }
354 {
356 till);
358 }
362 till);
365 }
367 /* XXX Do the time stuff above. */
369 /*
370 * The flags field of the new ticket will have the following options set
371 * if they have been requested and if the policy of the local realm
372 * allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
373 * If the new ticket is postdated (the start time is in the future), its
374 * INVALID flag will also be set.
375 */
384 {
385 /* XXX policy check from time. */
388 /* XXX set starttime to from */
389 }
395 {
397 /* XXX set renew-till from rtime */
398 }
400 /*
401 * If all of the above succeed, the server will encrypt the ciphertext
402 * part of the ticket using the encryption key extracted from the server
403 * principal's record in the Kerberos database using the encryption type
404 * associated with the server principal's key (this choice is NOT
405 * affected by the etype field in the request). It then formats a
406 * KRB_AS_REP message (see section 5.4.2), copying the addresses in the
407 * request into the caddr of the response, placing any required pre-
408 * authentication data into the padata of the response, and encrypts the
409 * ciphertext part in the client's key using an acceptable encryption
410 * method requested in the etype field of the request, or in some key
411 * specified by pre-authentication mechanisms being used.
412 */
416 {
420 }
424 {
428 }
432 {
436 }
440 {
444 }
448 {
452 }
455 {
463 }
467 fatal:
488 }
490 static int
492 {
506 {
510 }
512 /*
513 * The KRB_TGS_REQ message is processed in a manner similar to the
514 * KRB_AS_REQ message, but there are many additional checks to be
515 * performed. First, the Kerberos server MUST determine which server the
516 * accompanying ticket is for and it MUST select the appropriate key to
517 * decrypt it. For a normal KRB_TGS_REQ message, it will be for the
518 * ticket granting service, and the TGS's key will be used. If the TGT
519 * was issued by another realm, then the appropriate inter-realm key
520 * MUST be used. If the accompanying ticket is not a ticket-granting
521 * ticket for the current realm, but is for an application server in the
522 * current realm, the RENEW, VALIDATE, or PROXY options are specified in
523 * the request, and the server for which a ticket is requested is the
524 * server named in the accompanying ticket, then the KDC will decrypt
525 * the ticket in the authentication header using the key of the server
526 * for which it was issued. If no ticket can be found in the padata
527 * field, the KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
528 */
530 /* Find name of ticket granter, e.g., krbtgt/JOSEFSSON.ORG@JOSEFSSON.ORG. */
534 {
538 }
542 {
546 }
552 {
557 }
559 {
563 SHISHI_KRB_AP_ERR_NOT_US);
568 }
572 {
577 }
579 /* XXX use etype/kvno to select key. */
584 {
588 }
590 rc = shishi_ap_req_process_keyusage
593 {
597 }
599 /*
600 * 3.3.3.1. Checking for revoked tickets
601 *
602 * Whenever a request is made to the ticket-granting server, the
603 * presented ticket(s) is(are) checked against a hot-list of tickets
604 * which have been canceled. This hot-list might be implemented by
605 * storing a range of issue timestamps for 'suspect tickets'; if a
606 * presented ticket had an authtime in that range, it would be rejected.
607 * In this way, a stolen ticket-granting ticket or renewable ticket
608 * cannot be used to gain additional tickets (renewals or otherwise)
609 * once the theft has been reported to the KDC for the realm in which
610 * the server resides. Any normal ticket obtained before it was reported
611 * stolen will still be valid (because they require no interaction with
612 * the KDC), but only until their normal expiration time. If TGT's have
613 * been issued for cross-realm authentication, use of the cross-realm
614 * TGT will not be affected unless the hot-list is propagated to the
615 * KDCs for the realms for which such cross-realm tickets were issued.
616 */
618 /* XXX Check if tgname@tgrealm is a valid TGT. */
620 /*
621 * Once the accompanying ticket has been decrypted, the user-supplied
622 * checksum in the Authenticator MUST be verified against the contents
623 * of the request, and the message rejected if the checksums do not
624 * match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
625 * is not collision-proof (with an error code of
626 * KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the
627 * KDC_ERR_SUMTYPE_NOSUPP error is returned. If the authorization-data
628 * are present, they are decrypted using the sub-session key from the
629 * Authenticator.
630 *
631 * If any of the decryptions indicate failed integrity checks, the
632 * KRB_AP_ERR_BAD_INTEGRITY error is returned.
633 */
635 /* XXX check that checksum in authenticator match tgsreq.req-body */
638 tgrealm);
640 /*
641 * As discussed in section 3.1.2, the KDC MUST send a valid KRB_TGS_REP
642 * message if it receives a KRB_TGS_REQ message identical to one it has
643 * recently processed. However, if the authenticator is a replay, but
644 * the rest of the request is not identical, then the KDC SHOULD return
645 * KRB_AP_ERR_REPEAT.
646 */
648 /* XXX Do replay stuff. */
650 /*
651 * The response will include a ticket for the requested server or for a
652 * ticket granting server of an intermediate KDC to be contacted to
653 * obtain the requested ticket. The Kerberos database is queried to
654 * retrieve the record for the appropriate server (including the key
655 * with which the ticket will be encrypted). If the request is for a
656 * ticket-granting ticket for a remote realm, and if no key is shared
657 * with the requested realm, then the Kerberos server will select the
658 * realm 'closest' to the requested realm with which it does share a
659 * key, and use that realm instead. Thss is theonly cases where the
660 * response for the KDC will be for a different server than that
661 * requested by the client.
662 */
666 {
670 }
672 /* XXX Do cross-realm handling. */
676 {
680 }
684 {
689 }
691 {
695 SHISHI_KDC_ERR_S_PRINCIPAL_UNKNOWN);
700 }
705 {
710 }
712 /* XXX Select "best" available key (highest kvno, best algorithm?)
713 here. The client etype should not influence this. */
717 {
721 }
723 /* Generate session key for the newly generated ticket, of same key
724 type as the selected long-term server key. XXX let the client
725 influence the etype? think of AES only server and RFC 1510
726 client. if client etype is not used here, the client cannot talk
727 to the server. perhaps just as good though. */
732 {
736 }
738 /*
739 * By default, the address field, the client's name and realm, the list
740 * of transited realms, the time of initial authentication, the
741 * expiration time, and the authorization data of the newly-issued
742 * ticket will be copied from the ticket-granting ticket (TGT) or
743 * renewable ticket. If the transited field needs to be updated, but the
744 * transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error is
745 * returned.
746 */
750 {
753 }
755 rc = shishi_encticketpart_crealm
759 {
763 }
765 rc = shishi_encticketpart_client
769 {
773 }
777 {
781 }
783 /* XXX Copy more fields. Move copying into lib/? */
785 rc = shishi_encticketpart_endtime_set
791 {
795 }
799 {
803 }
807 {
811 }
816 /*
817 * If the request specifies an endtime, then the endtime of the new
818 * ticket is set to the minimum of (a) that request, (b) the endtime
819 * from the TGT, and (c) the starttime of the TGT plus the minimum of
820 * the maximum life for the application server and the maximum life for
821 * the local realm (the maximum life for the requesting principal was
822 * already applied when the TGT was issued). If the new ticket is to be
823 * a renewal, then the endtime above is replaced by the minimum of (a)
824 * the value of the renew_till field of the ticket and (b) the starttime
825 * for the new ticket plus the life (endtime-starttime) of the old
826 * ticket.
827 *
828 * If the FORWARDED option has been requested, then the resulting ticket
829 * will contain the addresses specified by the client. This option will
830 * only be honored if the FORWARDABLE flag is set in the TGT. The PROXY
831 * option is similar; the resulting ticket will contain the addresses
832 * specified by the client. It will be honored only if the PROXIABLE
833 * flag in the TGT is set. The PROXY option will not be honored on
834 * requests for additional ticket-granting tickets.
835 *
836 * If the requested start time is absent, indicates a time in the past,
837 * or is within the window of acceptable clock skew for the KDC and the
838 * POSTDATE option has not been specified, then the start time of the
839 * ticket is set to the authentication server's current time. If it
840 * indicates a time in the future beyond the acceptable clock skew, but
841 * the POSTDATED option has not been specified or the MAY-POSTDATE flag
842 * is not set in the TGT, then the error KDC_ERR_CANNOT_POSTDATE is
843 * returned. Otherwise, if the ticket-granting ticket has the MAY-
844 * POSTDATE flag set, then the resulting ticket will be postdated and
845 * the requested starttime is checked against the policy of the local
846 * realm. If acceptable, the ticket's start time is set as requested,
847 * and the INVALID flag is set. The postdated ticket MUST be validated
848 * before use by presenting it to the KDC after the starttime has been
849 * reached. However, in no case may the starttime, endtime, or renew-
850 * till time of a newly-issued postdated ticket extend beyond the renew-
851 * till time of the ticket-granting ticket.
852 *
853 * If the ENC-TKT-IN-SKEY option has been specified and an additional
854 * ticket has been included in the request, it indicates that the client
855 * is using user- to-user authentication to prove its identity to a
856 * server that does not have access to a persistent key. Section 3.7
857 * describes the affect of this option on the entire Kerberos protocol.
858 * When generating the KRB_TGS_REP message, this option in the
859 * KRB_TGS_REQ message tells the KDC to decrypt the additional ticket
860 * using the key for the server to which the additional ticket was
861 * issued and verify that it is a ticket-granting ticket. If the name of
862 * the requested server is missing from the request, the name of the
863 * client in the additional ticket will be used. Otherwise the name of
864 * the requested server will be compared to the name of the client in
865 * the additional ticket and if different, the request will be rejected.
866 * If the request succeeds, the session key from the additional ticket
867 * will be used to encrypt the new ticket that is issued instead of
868 * using the key of the server for which the new ticket will be used.
869 *
870 * If the name of the server in the ticket that is presented to the KDC
871 * as part of the authentication header is not that of the ticket-
872 * granting server itself, the server is registered in the realm of the
873 * KDC, and the RENEW option is requested, then the KDC will verify that
874 * the RENEWABLE flag is set in the ticket, that the INVALID flag is not
875 * set in the ticket, and that the renew_till time is still in the
876 * future. If the VALIDATE option is requested, the KDC will check that
877 * the starttime has passed and the INVALID flag is set. If the PROXY
878 * option is requested, then the KDC will check that the PROXIABLE flag
879 * is set in the ticket. If the tests succeed, and the ticket passes the
880 * hotlist check described in the next section, the KDC will issue the
881 * appropriate new ticket.
882 */
884 /* XXX Set more things in ticket, as described above. */
888 {
892 }
894 /*
895 * The ciphertext part of the response in the KRB_TGS_REP message is
896 * encrypted in the sub-session key from the Authenticator, if present,
897 * or the session key from the ticket-granting ticket. It is not
898 * encrypted using the client's secret key. Furthermore, the client's
899 * key's expiration date and the key version number fields are left out
900 * since these values are stored along with the client's database
901 * record, and that record is not needed to satisfy a request based on a
902 * ticket-granting ticket.
903 */
905 rc = shishi_encticketpart_get_key
909 {
913 }
915 rc = shishi_authenticator_get_subkey
918 {
922 }
925 rc = shishi_tgs_rep_build
927 else
928 rc = shishi_tgs_rep_build
931 {
935 }
938 {
949 shishi_tkt_ticket
953 shishi_tkt_encticketpart
965 }
969 fatal:
998 }
1000 static int
1002 {
1008 {
1011 }
1017 {
1021 }
1022 else
1025 {
1029 }
1032 }
1034 static int
1036 {
1042 {
1046 }
1052 {
1056 }
1057 else
1060 {
1064 }
1067 }
1069 ssize_t
1071 {
1072 Shishi_asn1 node;
1078 {
1081 }
1084 {
1101 }
1104 {
1108 }
1111 }