2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * return the realm of a krbtgt-ticket or NULL
41 get_krbtgt_realm(const PrincipalName *p)
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
64 AuthorizationData child;
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
115 krb5_crypto crypto = NULL;
118 if (server && principals) {
119 ret = add_Principals(principals, server);
125 KRB5SignedPathData spd;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
152 * Fill in KRB5SignedPath
156 sp.delegated = principals;
157 sp.method_data = NULL;
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
192 krb5_principals *delegated,
197 krb5_crypto crypto = NULL;
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
204 KRB5SignedPathData spd;
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
221 free_KRB5SignedPath(&sp);
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
234 free_KRB5SignedPath(&sp);
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
241 krb5_crypto_destroy(context, crypto);
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
250 if (delegated && sp.delegated) {
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
258 ret = copy_Principals(*delegated, sp.delegated);
260 free_KRB5SignedPath(&sp);
266 free_KRB5SignedPath(&sp);
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 const krb5_principal delegated_proxy_principal,
283 hdb_entry_ex *client,
284 hdb_entry_ex *server,
285 hdb_entry_ex *krbtgt,
286 const EncryptionKey *server_check_key,
287 const EncryptionKey *server_sign_key,
288 const EncryptionKey *krbtgt_sign_key,
293 AuthorizationData *ad = tkt->authorization_data;
297 if (ad == NULL || ad->len == 0)
300 for (i = 0; i < ad->len; i++) {
301 AuthorizationData child;
303 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
306 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
307 ad->val[i].ad_data.length,
311 krb5_set_error_message(context, ret, "Failed to decode "
312 "IF_RELEVANT with %d", ret);
315 for (j = 0; j < child.len; j++) {
317 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
322 ret = krb5_pac_parse(context,
323 child.val[j].ad_data.data,
324 child.val[j].ad_data.length,
326 free_AuthorizationData(&child);
330 ret = krb5_pac_verify(context, pac, tkt->authtime,
332 server_check_key, NULL);
334 krb5_pac_free(context, pac);
338 ret = _kdc_pac_verify(context, client_principal,
339 delegated_proxy_principal,
340 client, server, krbtgt, &pac, &signed_pac);
342 krb5_pac_free(context, pac);
347 * Only re-sign PAC if we could verify it with the PAC
348 * function. The no-verify case happens when we get in
349 * a PAC from cross realm from a Windows domain and
350 * that there is no PAC verification function.
354 ret = _krb5_pac_sign(context, pac, tkt->authtime,
356 server_sign_key, krbtgt_sign_key, rspac);
358 krb5_pac_free(context, pac);
363 free_AuthorizationData(&child);
372 static krb5_error_code
373 check_tgs_flags(krb5_context context,
374 krb5_kdc_configuration *config,
375 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
377 KDCOptions f = b->kdc_options;
380 if(!tgt->flags.invalid || tgt->starttime == NULL){
381 kdc_log(context, config, 0,
382 "Bad request to validate ticket");
383 return KRB5KDC_ERR_BADOPTION;
385 if(*tgt->starttime > kdc_time){
386 kdc_log(context, config, 0,
387 "Early request to validate ticket");
388 return KRB5KRB_AP_ERR_TKT_NYV;
391 et->flags.invalid = 0;
392 }else if(tgt->flags.invalid){
393 kdc_log(context, config, 0,
394 "Ticket-granting ticket has INVALID flag set");
395 return KRB5KRB_AP_ERR_TKT_INVALID;
399 if(!tgt->flags.forwardable){
400 kdc_log(context, config, 0,
401 "Bad request for forwardable ticket");
402 return KRB5KDC_ERR_BADOPTION;
404 et->flags.forwardable = 1;
407 if(!tgt->flags.forwardable){
408 kdc_log(context, config, 0,
409 "Request to forward non-forwardable ticket");
410 return KRB5KDC_ERR_BADOPTION;
412 et->flags.forwarded = 1;
413 et->caddr = b->addresses;
415 if(tgt->flags.forwarded)
416 et->flags.forwarded = 1;
419 if(!tgt->flags.proxiable){
420 kdc_log(context, config, 0,
421 "Bad request for proxiable ticket");
422 return KRB5KDC_ERR_BADOPTION;
424 et->flags.proxiable = 1;
427 if(!tgt->flags.proxiable){
428 kdc_log(context, config, 0,
429 "Request to proxy non-proxiable ticket");
430 return KRB5KDC_ERR_BADOPTION;
433 et->caddr = b->addresses;
438 if(f.allow_postdate){
439 if(!tgt->flags.may_postdate){
440 kdc_log(context, config, 0,
441 "Bad request for post-datable ticket");
442 return KRB5KDC_ERR_BADOPTION;
444 et->flags.may_postdate = 1;
447 if(!tgt->flags.may_postdate){
448 kdc_log(context, config, 0,
449 "Bad request for postdated ticket");
450 return KRB5KDC_ERR_BADOPTION;
453 *et->starttime = *b->from;
454 et->flags.postdated = 1;
455 et->flags.invalid = 1;
456 }else if(b->from && *b->from > kdc_time + context->max_skew){
457 kdc_log(context, config, 0, "Ticket cannot be postdated");
458 return KRB5KDC_ERR_CANNOT_POSTDATE;
462 if(!tgt->flags.renewable || tgt->renew_till == NULL){
463 kdc_log(context, config, 0,
464 "Bad request for renewable ticket");
465 return KRB5KDC_ERR_BADOPTION;
467 et->flags.renewable = 1;
468 ALLOC(et->renew_till);
469 _kdc_fix_time(&b->rtime);
470 *et->renew_till = *b->rtime;
474 if(!tgt->flags.renewable || tgt->renew_till == NULL){
475 kdc_log(context, config, 0,
476 "Request to renew non-renewable ticket");
477 return KRB5KDC_ERR_BADOPTION;
479 old_life = tgt->endtime;
481 old_life -= *tgt->starttime;
483 old_life -= tgt->authtime;
484 et->endtime = *et->starttime + old_life;
485 if (et->renew_till != NULL)
486 et->endtime = min(*et->renew_till, et->endtime);
490 /* checks for excess flags */
491 if(f.request_anonymous && !config->allow_anonymous){
492 kdc_log(context, config, 0,
493 "Request for anonymous ticket");
494 return KRB5KDC_ERR_BADOPTION;
501 * Determine if constrained delegation is allowed from this client to this server
504 static krb5_error_code
505 check_constrained_delegation(krb5_context context,
506 krb5_kdc_configuration *config,
508 hdb_entry_ex *client,
509 hdb_entry_ex *server,
510 krb5_const_principal target)
512 const HDB_Ext_Constrained_delegation_acl *acl;
517 * constrained_delegation (S4U2Proxy) only works within
518 * the same realm. We use the already canonicalized version
519 * of the principals here, while "target" is the principal
520 * provided by the client.
522 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
523 ret = KRB5KDC_ERR_BADOPTION;
524 kdc_log(context, config, 0,
525 "Bad request for constrained delegation");
529 if (clientdb->hdb_check_constrained_delegation) {
530 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
534 /* if client delegates to itself, that ok */
535 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
538 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
540 krb5_clear_error_message(context);
545 for (i = 0; i < acl->len; i++) {
546 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
550 ret = KRB5KDC_ERR_BADOPTION;
552 kdc_log(context, config, 0,
553 "Bad request for constrained delegation");
558 * Determine if s4u2self is allowed from this client to this server
560 * For example, regardless of the principal being impersonated, if the
561 * 'client' and 'server' are the same, then it's safe.
564 static krb5_error_code
565 check_s4u2self(krb5_context context,
566 krb5_kdc_configuration *config,
568 hdb_entry_ex *client,
569 krb5_const_principal server)
573 /* if client does a s4u2self to itself, that ok */
574 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
577 if (clientdb->hdb_check_s4u2self) {
578 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
582 ret = KRB5KDC_ERR_BADOPTION;
591 static krb5_error_code
592 verify_flags (krb5_context context,
593 krb5_kdc_configuration *config,
594 const EncTicketPart *et,
597 if(et->endtime < kdc_time){
598 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
599 return KRB5KRB_AP_ERR_TKT_EXPIRED;
601 if(et->flags.invalid){
602 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
603 return KRB5KRB_AP_ERR_TKT_NYV;
612 static krb5_error_code
613 fix_transited_encoding(krb5_context context,
614 krb5_kdc_configuration *config,
615 krb5_boolean check_policy,
616 const TransitedEncoding *tr,
618 const char *client_realm,
619 const char *server_realm,
620 const char *tgt_realm)
622 krb5_error_code ret = 0;
623 char **realms, **tmp;
624 unsigned int num_realms;
627 switch (tr->tr_type) {
628 case DOMAIN_X500_COMPRESS:
632 * Allow empty content of type 0 because that is was Microsoft
633 * generates in their TGT.
635 if (tr->contents.length == 0)
637 kdc_log(context, config, 0,
638 "Transited type 0 with non empty content");
639 return KRB5KDC_ERR_TRTYPE_NOSUPP;
641 kdc_log(context, config, 0,
642 "Unknown transited type: %u", tr->tr_type);
643 return KRB5KDC_ERR_TRTYPE_NOSUPP;
646 ret = krb5_domain_x500_decode(context,
653 krb5_warn(context, ret,
654 "Decoding transited encoding");
657 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
658 /* not us, so add the previous realm to transited set */
659 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
663 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
669 realms[num_realms] = strdup(tgt_realm);
670 if(realms[num_realms] == NULL){
676 if(num_realms == 0) {
677 if(strcmp(client_realm, server_realm))
678 kdc_log(context, config, 0,
679 "cross-realm %s -> %s", client_realm, server_realm);
683 for(i = 0; i < num_realms; i++)
684 l += strlen(realms[i]) + 2;
688 for(i = 0; i < num_realms; i++) {
690 strlcat(rs, ", ", l);
691 strlcat(rs, realms[i], l);
693 kdc_log(context, config, 0,
694 "cross-realm %s -> %s via [%s]",
695 client_realm, server_realm, rs);
700 ret = krb5_check_transited(context, client_realm,
702 realms, num_realms, NULL);
704 krb5_warn(context, ret, "cross-realm %s -> %s",
705 client_realm, server_realm);
708 et->flags.transited_policy_checked = 1;
710 et->transited.tr_type = DOMAIN_X500_COMPRESS;
711 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
713 krb5_warn(context, ret, "Encoding transited encoding");
715 for(i = 0; i < num_realms; i++)
722 static krb5_error_code
723 tgs_make_reply(krb5_context context,
724 krb5_kdc_configuration *config,
726 krb5_const_principal tgt_name,
727 const EncTicketPart *tgt,
728 const krb5_keyblock *replykey,
730 const EncryptionKey *serverkey,
731 const krb5_keyblock *sessionkey,
733 AuthorizationData *auth_data,
734 hdb_entry_ex *server,
735 krb5_principal server_principal,
736 const char *server_name,
737 hdb_entry_ex *client,
738 krb5_principal client_principal,
739 hdb_entry_ex *krbtgt,
740 krb5_enctype krbtgt_etype,
742 const krb5_data *rspac,
743 const METHOD_DATA *enc_pa_data,
750 KDCOptions f = b->kdc_options;
754 memset(&rep, 0, sizeof(rep));
755 memset(&et, 0, sizeof(et));
756 memset(&ek, 0, sizeof(ek));
759 rep.msg_type = krb_tgs_rep;
761 et.authtime = tgt->authtime;
762 _kdc_fix_time(&b->till);
763 et.endtime = min(tgt->endtime, *b->till);
765 *et.starttime = kdc_time;
767 ret = check_tgs_flags(context, config, b, tgt, &et);
771 /* We should check the transited encoding if:
772 1) the request doesn't ask not to be checked
773 2) globally enforcing a check
774 3) principal requires checking
775 4) we allow non-check per-principal, but principal isn't marked as allowing this
776 5) we don't globally allow this
779 #define GLOBAL_FORCE_TRANSITED_CHECK \
780 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
781 #define GLOBAL_ALLOW_PER_PRINCIPAL \
782 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
783 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
784 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
786 /* these will consult the database in future release */
787 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
788 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
790 ret = fix_transited_encoding(context, config,
791 !f.disable_transited_check ||
792 GLOBAL_FORCE_TRANSITED_CHECK ||
793 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
794 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
795 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
796 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
797 &tgt->transited, &et,
798 krb5_principal_get_realm(context, client_principal),
799 krb5_principal_get_realm(context, server->entry.principal),
800 krb5_principal_get_realm(context, krbtgt->entry.principal));
804 copy_Realm(&server_principal->realm, &rep.ticket.realm);
805 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
806 copy_Realm(&tgt_name->realm, &rep.crealm);
808 if (f.request_anonymous)
809 _kdc_make_anonymous_principalname (&rep.cname);
812 copy_PrincipalName(&tgt_name->name, &rep.cname);
813 rep.ticket.tkt_vno = 5;
817 et.caddr = tgt->caddr;
821 life = et.endtime - *et.starttime;
822 if(client && client->entry.max_life)
823 life = min(life, *client->entry.max_life);
824 if(server->entry.max_life)
825 life = min(life, *server->entry.max_life);
826 et.endtime = *et.starttime + life;
828 if(f.renewable_ok && tgt->flags.renewable &&
829 et.renew_till == NULL && et.endtime < *b->till &&
830 tgt->renew_till != NULL)
832 et.flags.renewable = 1;
833 ALLOC(et.renew_till);
834 *et.renew_till = *b->till;
838 renew = *et.renew_till - et.authtime;
839 if(client && client->entry.max_renew)
840 renew = min(renew, *client->entry.max_renew);
841 if(server->entry.max_renew)
842 renew = min(renew, *server->entry.max_renew);
843 *et.renew_till = et.authtime + renew;
847 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
848 *et.starttime = min(*et.starttime, *et.renew_till);
849 et.endtime = min(et.endtime, *et.renew_till);
852 *et.starttime = min(*et.starttime, et.endtime);
854 if(*et.starttime == et.endtime){
855 ret = KRB5KDC_ERR_NEVER_VALID;
858 if(et.renew_till && et.endtime == *et.renew_till){
860 et.renew_till = NULL;
861 et.flags.renewable = 0;
864 et.flags.pre_authent = tgt->flags.pre_authent;
865 et.flags.hw_authent = tgt->flags.hw_authent;
866 et.flags.anonymous = tgt->flags.anonymous;
867 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
871 * No not need to filter out the any PAC from the
872 * auth_data since it's signed by the KDC.
874 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
875 KRB5_AUTHDATA_WIN2K_PAC, rspac);
883 /* XXX check authdata */
885 if (et.authorization_data == NULL) {
886 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
887 if (et.authorization_data == NULL) {
889 krb5_set_error_message(context, ret, "malloc: out of memory");
893 for(i = 0; i < auth_data->len ; i++) {
894 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
896 krb5_set_error_message(context, ret, "malloc: out of memory");
901 /* Filter out type KRB5SignedPath */
902 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
904 if (et.authorization_data->len == 1) {
905 free_AuthorizationData(et.authorization_data);
906 free(et.authorization_data);
907 et.authorization_data = NULL;
909 AuthorizationData *ad = et.authorization_data;
910 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
916 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
919 et.crealm = tgt_name->realm;
920 et.cname = tgt_name->name;
923 /* MIT must have at least one last_req */
925 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
926 if (ek.last_req.val == NULL) {
932 ek.authtime = et.authtime;
933 ek.starttime = et.starttime;
934 ek.endtime = et.endtime;
935 ek.renew_till = et.renew_till;
936 ek.srealm = rep.ticket.realm;
937 ek.sname = rep.ticket.sname;
939 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
940 et.endtime, et.renew_till);
942 /* Don't sign cross realm tickets, they can't be checked anyway */
944 char *r = get_krbtgt_realm(&ek.sname);
946 if (r == NULL || strcmp(r, ek.srealm) == 0) {
947 ret = _kdc_add_KRB5SignedPath(context,
960 if (enc_pa_data->len) {
961 rep.padata = calloc(1, sizeof(*rep.padata));
962 if (rep.padata == NULL) {
966 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
971 if (krb5_enctype_valid(context, et.key.keytype) != 0
972 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
974 krb5_enctype_enable(context, et.key.keytype);
979 /* It is somewhat unclear where the etype in the following
980 encryption should come from. What we have is a session
981 key in the passed tgt, and a list of preferred etypes
982 *for the new ticket*. Should we pick the best possible
983 etype, given the keytype in the tgt, or should we look
984 at the etype list here as well? What if the tgt
985 session key is DES3 and we want a ticket with a (say)
986 CAST session key. Should the DES3 etype be added to the
987 etype list, even if we don't want a session key with
989 ret = _kdc_encode_reply(context, config,
990 &rep, &et, &ek, et.key.keytype,
992 serverkey, 0, replykey, rk_is_subkey,
995 krb5_enctype_disable(context, et.key.keytype);
999 free_TransitedEncoding(&et.transited);
1003 free(et.renew_till);
1004 if(et.authorization_data) {
1005 free_AuthorizationData(et.authorization_data);
1006 free(et.authorization_data);
1008 free_LastReq(&ek.last_req);
1009 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1010 free_EncryptionKey(&et.key);
1014 static krb5_error_code
1015 tgs_check_authenticator(krb5_context context,
1016 krb5_kdc_configuration *config,
1017 krb5_auth_context ac,
1019 const char **e_text,
1022 krb5_authenticator auth;
1026 krb5_error_code ret;
1029 krb5_auth_con_getauthenticator(context, ac, &auth);
1030 if(auth->cksum == NULL){
1031 kdc_log(context, config, 0, "No authenticator in request");
1032 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1036 * according to RFC1510 it doesn't need to be keyed,
1037 * but according to the latest draft it needs to.
1041 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1044 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1045 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1046 auth->cksum->cksumtype);
1047 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1051 /* XXX should not re-encode this */
1052 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1054 const char *msg = krb5_get_error_message(context, ret);
1055 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1056 krb5_free_error_message(context, msg);
1059 if(buf_size != len) {
1061 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1062 *e_text = "KDC internal error";
1063 ret = KRB5KRB_ERR_GENERIC;
1066 ret = krb5_crypto_init(context, key, 0, &crypto);
1068 const char *msg = krb5_get_error_message(context, ret);
1070 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1071 krb5_free_error_message(context, msg);
1074 ret = krb5_verify_checksum(context,
1076 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1081 krb5_crypto_destroy(context, crypto);
1083 const char *msg = krb5_get_error_message(context, ret);
1084 kdc_log(context, config, 0,
1085 "Failed to verify authenticator checksum: %s", msg);
1086 krb5_free_error_message(context, msg);
1089 free_Authenticator(auth);
1099 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1101 const char *new_realm = krb5_config_get_string(context,
1112 need_referral(krb5_context context, krb5_kdc_configuration *config,
1113 const KDCOptions * const options, krb5_principal server,
1114 krb5_realm **realms)
1118 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1121 if (server->name.name_string.len == 1)
1122 name = server->name.name_string.val[0];
1123 else if (server->name.name_string.len == 3) {
1125 This is used to give referrals for the
1126 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1127 SPN form, which is used for inter-domain communication in AD
1129 name = server->name.name_string.val[2];
1130 kdc_log(context, config, 0, "Giving 3 part referral for %s", name);
1131 *realms = malloc(sizeof(char *)*2);
1132 if (*realms == NULL) {
1133 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1136 (*realms)[0] = strdup(name);
1137 (*realms)[1] = NULL;
1139 } else if (server->name.name_string.len > 1)
1140 name = server->name.name_string.val[1];
1144 kdc_log(context, config, 0, "Searching referral for %s", name);
1146 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1149 static krb5_error_code
1150 tgs_parse_request(krb5_context context,
1151 krb5_kdc_configuration *config,
1153 const PA_DATA *tgs_req,
1154 hdb_entry_ex **krbtgt,
1155 krb5_enctype *krbtgt_etype,
1156 krb5_ticket **ticket,
1157 const char **e_text,
1159 const struct sockaddr *from_addr,
1162 AuthorizationData **auth_data,
1163 krb5_keyblock **replykey,
1166 static char failed[] = "<unparse_name failed>";
1168 krb5_error_code ret;
1169 krb5_principal princ;
1170 krb5_auth_context ac = NULL;
1171 krb5_flags ap_req_options;
1172 krb5_flags verify_ap_req_flags;
1175 krb5_keyblock *subkey = NULL;
1177 krb5uint32 kvno = 0;
1178 krb5uint32 *kvno_ptr = NULL;
1185 memset(&ap_req, 0, sizeof(ap_req));
1186 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1188 const char *msg = krb5_get_error_message(context, ret);
1189 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1190 krb5_free_error_message(context, msg);
1194 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1195 /* XXX check for ticket.sname == req.sname */
1196 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1197 ret = KRB5KDC_ERR_POLICY; /* ? */
1201 _krb5_principalname2krb5_principal(context,
1203 ap_req.ticket.sname,
1204 ap_req.ticket.realm);
1206 if (ap_req.ticket.enc_part.kvno) {
1207 kvno = *ap_req.ticket.enc_part.kvno;
1210 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, kvno_ptr,
1213 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1215 ret = krb5_unparse_name(context, princ, &p);
1218 krb5_free_principal(context, princ);
1219 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1222 ret = HDB_ERR_NOT_FOUND_HERE;
1225 const char *msg = krb5_get_error_message(context, ret);
1227 ret = krb5_unparse_name(context, princ, &p);
1230 krb5_free_principal(context, princ);
1231 kdc_log(context, config, 0,
1232 "Ticket-granting ticket not found in database: %s", msg);
1233 krb5_free_error_message(context, msg);
1236 ret = KRB5KRB_AP_ERR_NOT_US;
1240 if(ap_req.ticket.enc_part.kvno &&
1241 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1244 ret = krb5_unparse_name (context, princ, &p);
1245 krb5_free_principal(context, princ);
1248 kdc_log(context, config, 0,
1249 "Ticket kvno = %d, DB kvno = %d (%s)",
1250 *ap_req.ticket.enc_part.kvno,
1251 (*krbtgt)->entry.kvno,
1255 ret = KRB5KRB_AP_ERR_BADKEYVER;
1259 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1261 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1262 ap_req.ticket.enc_part.etype, &tkey);
1264 char *str = NULL, *p = NULL;
1266 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1267 krb5_unparse_name(context, princ, &p);
1268 kdc_log(context, config, 0,
1269 "No server key with enctype %s found for %s",
1270 str ? str : "<unknown enctype>",
1271 p ? p : "<unparse_name failed>");
1274 ret = KRB5KRB_AP_ERR_BADKEYVER;
1278 if (b->kdc_options.validate)
1279 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1281 verify_ap_req_flags = 0;
1283 ret = krb5_verify_ap_req2(context,
1288 verify_ap_req_flags,
1291 KRB5_KU_TGS_REQ_AUTH);
1293 krb5_free_principal(context, princ);
1295 const char *msg = krb5_get_error_message(context, ret);
1296 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1297 krb5_free_error_message(context, msg);
1302 krb5_authenticator auth;
1304 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1306 *csec = malloc(sizeof(**csec));
1307 if (*csec == NULL) {
1308 krb5_free_authenticator(context, &auth);
1309 kdc_log(context, config, 0, "malloc failed");
1312 **csec = auth->ctime;
1313 *cusec = malloc(sizeof(**cusec));
1314 if (*cusec == NULL) {
1315 krb5_free_authenticator(context, &auth);
1316 kdc_log(context, config, 0, "malloc failed");
1319 **cusec = auth->cusec;
1320 krb5_free_authenticator(context, &auth);
1324 ret = tgs_check_authenticator(context, config,
1325 ac, b, e_text, &(*ticket)->ticket.key);
1327 krb5_auth_con_free(context, ac);
1331 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1334 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1336 const char *msg = krb5_get_error_message(context, ret);
1337 krb5_auth_con_free(context, ac);
1338 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1339 krb5_free_error_message(context, msg);
1343 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1346 ret = krb5_auth_con_getkey(context, ac, &subkey);
1348 const char *msg = krb5_get_error_message(context, ret);
1349 krb5_auth_con_free(context, ac);
1350 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1351 krb5_free_error_message(context, msg);
1356 krb5_auth_con_free(context, ac);
1357 kdc_log(context, config, 0,
1358 "Failed to get key for enc-authorization-data");
1359 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1365 if (b->enc_authorization_data) {
1368 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1370 const char *msg = krb5_get_error_message(context, ret);
1371 krb5_auth_con_free(context, ac);
1372 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1373 krb5_free_error_message(context, msg);
1376 ret = krb5_decrypt_EncryptedData (context,
1379 b->enc_authorization_data,
1381 krb5_crypto_destroy(context, crypto);
1383 krb5_auth_con_free(context, ac);
1384 kdc_log(context, config, 0,
1385 "Failed to decrypt enc-authorization-data");
1386 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1390 if (*auth_data == NULL) {
1391 krb5_auth_con_free(context, ac);
1392 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1395 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1397 krb5_auth_con_free(context, ac);
1400 kdc_log(context, config, 0, "Failed to decode authorization data");
1401 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1406 krb5_auth_con_free(context, ac);
1409 free_AP_REQ(&ap_req);
1414 static krb5_error_code
1415 build_server_referral(krb5_context context,
1416 krb5_kdc_configuration *config,
1417 krb5_crypto session,
1418 krb5_const_realm referred_realm,
1419 const PrincipalName *true_principal_name,
1420 const PrincipalName *requested_principal,
1423 PA_ServerReferralData ref;
1424 krb5_error_code ret;
1429 memset(&ref, 0, sizeof(ref));
1431 if (referred_realm) {
1432 ALLOC(ref.referred_realm);
1433 if (ref.referred_realm == NULL)
1435 *ref.referred_realm = strdup(referred_realm);
1436 if (*ref.referred_realm == NULL)
1439 if (true_principal_name) {
1440 ALLOC(ref.true_principal_name);
1441 if (ref.true_principal_name == NULL)
1443 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1447 if (requested_principal) {
1448 ALLOC(ref.requested_principal_name);
1449 if (ref.requested_principal_name == NULL)
1451 ret = copy_PrincipalName(requested_principal,
1452 ref.requested_principal_name);
1457 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1458 data.data, data.length,
1460 free_PA_ServerReferralData(&ref);
1463 if (data.length != size)
1464 krb5_abortx(context, "internal asn.1 encoder error");
1466 ret = krb5_encrypt_EncryptedData(context, session,
1467 KRB5_KU_PA_SERVER_REFERRAL,
1468 data.data, data.length,
1474 ASN1_MALLOC_ENCODE(EncryptedData,
1475 outdata->data, outdata->length,
1477 free_EncryptedData(&ed);
1480 if (outdata->length != size)
1481 krb5_abortx(context, "internal asn.1 encoder error");
1485 free_PA_ServerReferralData(&ref);
1486 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1490 static krb5_error_code
1491 tgs_build_reply(krb5_context context,
1492 krb5_kdc_configuration *config,
1495 hdb_entry_ex *krbtgt,
1496 krb5_enctype krbtgt_etype,
1497 const krb5_keyblock *replykey,
1499 krb5_ticket *ticket,
1502 const char **e_text,
1503 AuthorizationData **auth_data,
1504 const struct sockaddr *from_addr)
1506 krb5_error_code ret;
1507 krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL;
1508 krb5_principal krbtgt_principal = NULL;
1509 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
1510 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1511 HDB *clientdb, *s4u2self_impersonated_clientdb;
1512 krb5_realm ref_realm = NULL;
1513 EncTicketPart *tgt = &ticket->ticket;
1514 krb5_principals spp = NULL;
1515 const EncryptionKey *ekey;
1516 krb5_keyblock sessionkey;
1520 hdb_entry_ex *krbtgt_out = NULL;
1522 METHOD_DATA enc_pa_data;
1527 EncTicketPart adtkt;
1533 int flags = HDB_F_FOR_TGS_REQ;
1535 memset(&sessionkey, 0, sizeof(sessionkey));
1536 memset(&adtkt, 0, sizeof(adtkt));
1537 krb5_data_zero(&rspac);
1538 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1543 if (b->kdc_options.canonicalize)
1544 flags |= HDB_F_CANON;
1546 if(b->kdc_options.enc_tkt_in_skey){
1551 krb5uint32 second_kvno = 0;
1552 krb5uint32 *kvno_ptr = NULL;
1554 if(b->additional_tickets == NULL ||
1555 b->additional_tickets->len == 0){
1556 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1557 kdc_log(context, config, 0,
1558 "No second ticket present in request");
1561 t = &b->additional_tickets->val[0];
1562 if(!get_krbtgt_realm(&t->sname)){
1563 kdc_log(context, config, 0,
1564 "Additional ticket is not a ticket-granting ticket");
1565 ret = KRB5KDC_ERR_POLICY;
1568 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1569 if(t->enc_part.kvno){
1570 second_kvno = *t->enc_part.kvno;
1571 kvno_ptr = &second_kvno;
1573 ret = _kdc_db_fetch(context, config, p,
1574 HDB_F_GET_KRBTGT, kvno_ptr,
1576 krb5_free_principal(context, p);
1578 if (ret == HDB_ERR_NOENTRY)
1579 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1582 ret = hdb_enctype2key(context, &uu->entry,
1583 t->enc_part.etype, &uukey);
1585 _kdc_free_ent(context, uu);
1586 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1589 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1590 _kdc_free_ent(context, uu);
1594 ret = verify_flags(context, config, &adtkt, spn);
1602 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1603 ret = krb5_unparse_name(context, sp, &spn);
1606 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1607 ret = krb5_unparse_name(context, cp, &cpn);
1610 unparse_flags (KDCOptions2int(b->kdc_options),
1611 asn1_KDCOptions_units(),
1612 opt_str, sizeof(opt_str));
1614 kdc_log(context, config, 0,
1615 "TGS-REQ %s from %s for %s [%s]",
1616 cpn, from, spn, opt_str);
1618 kdc_log(context, config, 0,
1619 "TGS-REQ %s from %s for %s", cpn, from, spn);
1626 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1627 NULL, NULL, &server);
1629 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1630 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1632 } else if (ret == HDB_ERR_WRONG_REALM) {
1635 ref_realm = strdup(server->entry.principal->realm);
1636 if (ref_realm == NULL) {
1641 kdc_log(context, config, 5,
1642 "Returning a referral to realm %s for "
1645 krb5_free_principal(context, sp);
1649 ret = krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1653 ret = krb5_unparse_name(context, sp, &spn);
1659 const char *new_rlm, *msg;
1663 if (!config->autodetect_referrals) {
1665 } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1667 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1669 kdc_log(context, config, 5, "krbtgt for realm %s "
1670 "not found, trying %s",
1672 krb5_free_principal(context, sp);
1674 krb5_make_principal(context, &sp, r,
1675 KRB5_TGS_NAME, new_rlm, NULL);
1676 ret = krb5_unparse_name(context, sp, &spn);
1682 ref_realm = strdup(new_rlm);
1686 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1687 if (strcmp(realms[0], sp->realm) != 0) {
1688 kdc_log(context, config, 5,
1689 "Returning a referral to realm %s for "
1690 "server %s that was not found",
1692 krb5_free_principal(context, sp);
1694 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1696 ret = krb5_unparse_name(context, sp, &spn);
1702 ref_realm = strdup(realms[0]);
1704 krb5_free_host_realm(context, realms);
1707 krb5_free_host_realm(context, realms);
1709 msg = krb5_get_error_message(context, ret);
1710 kdc_log(context, config, 0,
1711 "Server not found in database: %s: %s", spn, msg);
1712 krb5_free_error_message(context, msg);
1713 if (ret == HDB_ERR_NOENTRY)
1714 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1719 * Select enctype, return key and kvno.
1725 if(b->kdc_options.enc_tkt_in_skey) {
1728 for(i = 0; i < b->etype.len; i++)
1729 if (b->etype.val[i] == adtkt.key.keytype)
1731 if(i == b->etype.len) {
1732 kdc_log(context, config, 0,
1733 "Addition ticket have not matching etypes");
1734 krb5_clear_error_message(context);
1735 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1738 etype = b->etype.val[i];
1743 ret = _kdc_find_etype(context,
1744 config->tgs_use_strongest_session_key, FALSE,
1745 server, b->etype.val, b->etype.len, NULL,
1748 kdc_log(context, config, 0,
1749 "Server (%s) has no support for etypes", spn);
1753 etype = skey->key.keytype;
1754 kvno = server->entry.kvno;
1757 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1763 * Check that service is in the same realm as the krbtgt. If it's
1764 * not the same, it's someone that is using a uni-directional trust
1769 * Validate authoriation data
1772 ret = hdb_enctype2key(context, &krbtgt->entry,
1773 krbtgt_etype, &tkey_check);
1775 kdc_log(context, config, 0,
1776 "Failed to find key for krbtgt PAC check");
1780 /* Now refetch the primary krbtgt, and get the current kvno (the
1781 * sign check may have been on an old kvno, and the server may
1782 * have been an incoming trust) */
1783 ret = krb5_make_principal(context, &krbtgt_principal,
1784 krb5_principal_get_comp_string(context,
1785 krbtgt->entry.principal,
1788 krb5_principal_get_comp_string(context,
1789 krbtgt->entry.principal,
1792 kdc_log(context, config, 0,
1793 "Failed to generate krbtgt principal");
1797 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1798 krb5_free_principal(context, krbtgt_principal);
1800 krb5_error_code ret2;
1802 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1803 ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
1804 kdc_log(context, config, 0,
1805 "Request with wrong krbtgt: %s, %s not found in our database",
1806 (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
1811 ret = KRB5KRB_AP_ERR_NOT_US;
1815 /* The first realm is the realm of the service, the second is
1816 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1817 * encrypted to. The redirection via the krbtgt_out entry allows
1818 * the DB to possibly correct the case of the realm (Samba4 does
1819 * this) before the strcmp() */
1820 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1821 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1823 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1824 kdc_log(context, config, 0,
1825 "Request with wrong krbtgt: %s",
1826 (ret == 0) ? ktpn : "<unknown>");
1829 ret = KRB5KRB_AP_ERR_NOT_US;
1832 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1833 krbtgt_etype, &tkey_sign);
1835 kdc_log(context, config, 0,
1836 "Failed to find key for krbtgt PAC signature");
1840 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1841 NULL, &clientdb, &client);
1842 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1843 /* This is OK, we are just trying to find out if they have
1844 * been disabled or deleted in the meantime, missing secrets
1847 const char *krbtgt_realm, *msg;
1850 * If the client belongs to the same realm as our krbtgt, it
1851 * should exist in the local database.
1855 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1857 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1858 if (ret == HDB_ERR_NOENTRY)
1859 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1860 kdc_log(context, config, 1, "Client no longer in database: %s",
1865 msg = krb5_get_error_message(context, ret);
1866 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1867 krb5_free_error_message(context, msg);
1870 ret = check_PAC(context, config, cp, NULL,
1871 client, server, krbtgt,
1873 ekey, &tkey_sign->key,
1874 tgt, &rspac, &signedpath);
1876 const char *msg = krb5_get_error_message(context, ret);
1877 kdc_log(context, config, 0,
1878 "Verify PAC failed for %s (%s) from %s with %s",
1879 spn, cpn, from, msg);
1880 krb5_free_error_message(context, msg);
1884 /* also check the krbtgt for signature */
1885 ret = check_KRB5SignedPath(context,
1893 const char *msg = krb5_get_error_message(context, ret);
1894 kdc_log(context, config, 0,
1895 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1896 spn, cpn, from, msg);
1897 krb5_free_error_message(context, msg);
1905 /* by default the tgt principal matches the client principal */
1910 const PA_DATA *sdata;
1913 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1920 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1921 sdata->padata_value.length,
1924 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1928 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1932 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1934 const char *msg = krb5_get_error_message(context, ret);
1935 free_PA_S4U2Self(&self);
1936 krb5_data_free(&datack);
1937 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1938 krb5_free_error_message(context, msg);
1942 ret = krb5_verify_checksum(context,
1944 KRB5_KU_OTHER_CKSUM,
1948 krb5_data_free(&datack);
1949 krb5_crypto_destroy(context, crypto);
1951 const char *msg = krb5_get_error_message(context, ret);
1952 free_PA_S4U2Self(&self);
1953 kdc_log(context, config, 0,
1954 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1955 krb5_free_error_message(context, msg);
1959 ret = _krb5_principalname2krb5_principal(context,
1963 free_PA_S4U2Self(&self);
1967 ret = krb5_unparse_name(context, tp, &tpn);
1971 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1974 krb5_data_free(&rspac);
1975 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
1976 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1981 * If the client belongs to the same realm as our krbtgt, it
1982 * should exist in the local database.
1986 if (ret == HDB_ERR_NOENTRY)
1987 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1988 msg = krb5_get_error_message(context, ret);
1989 kdc_log(context, config, 1,
1990 "S2U4Self principal to impersonate %s not found in database: %s",
1992 krb5_free_error_message(context, msg);
1995 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p);
1997 kdc_log(context, config, 0, "PAC generation failed for -- %s",
2002 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
2003 s4u2self_impersonated_client->entry.principal,
2004 ekey, &tkey_sign->key,
2006 krb5_pac_free(context, p);
2008 kdc_log(context, config, 0, "PAC signing failed for -- %s",
2016 * Check that service doing the impersonating is
2017 * requesting a ticket to it-self.
2019 ret = check_s4u2self(context, config, clientdb, client, sp);
2021 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
2022 "to impersonate to service "
2023 "(tried for user %s to service %s)",
2029 * If the service isn't trusted for authentication to
2030 * delegation, remove the forward flag.
2033 if (client->entry.flags.trusted_for_delegation) {
2034 str = "[forwardable]";
2036 b->kdc_options.forwardable = 0;
2039 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
2040 "service %s %s", cpn, tpn, spn, str);
2045 * Constrained delegation
2049 && b->additional_tickets != NULL
2050 && b->additional_tickets->len != 0
2051 && b->kdc_options.enc_tkt_in_skey == 0)
2053 int ad_signedpath = 0;
2058 * Require that the KDC have issued the service's krbtgt (not
2059 * self-issued ticket with kimpersonate(1).
2062 ret = KRB5KDC_ERR_BADOPTION;
2063 kdc_log(context, config, 0,
2064 "Constrained delegation done on service ticket %s/%s",
2069 t = &b->additional_tickets->val[0];
2071 ret = hdb_enctype2key(context, &client->entry,
2072 t->enc_part.etype, &clientkey);
2074 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2078 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2080 kdc_log(context, config, 0,
2081 "failed to decrypt ticket for "
2082 "constrained delegation from %s to %s ", cpn, spn);
2086 ret = _krb5_principalname2krb5_principal(context,
2093 ret = krb5_unparse_name(context, tp, &tpn);
2097 ret = _krb5_principalname2krb5_principal(context,
2104 ret = krb5_unparse_name(context, dp, &dpn);
2108 /* check that ticket is valid */
2109 if (adtkt.flags.forwardable == 0) {
2110 kdc_log(context, config, 0,
2111 "Missing forwardable flag on ticket for "
2112 "constrained delegation from %s (%s) as %s to %s ",
2113 cpn, dpn, tpn, spn);
2114 ret = KRB5KDC_ERR_BADOPTION;
2118 ret = check_constrained_delegation(context, config, clientdb,
2119 client, server, sp);
2121 kdc_log(context, config, 0,
2122 "constrained delegation from %s (%s) as %s to %s not allowed",
2123 cpn, dpn, tpn, spn);
2127 ret = verify_flags(context, config, &adtkt, tpn);
2132 krb5_data_free(&rspac);
2135 * generate the PAC for the user.
2137 * TODO: pass in t->sname and t->realm and build
2138 * a S4U_DELEGATION_INFO blob to the PAC.
2140 ret = check_PAC(context, config, tp, dp,
2141 client, server, krbtgt,
2143 ekey, &tkey_sign->key,
2144 &adtkt, &rspac, &ad_signedpath);
2146 const char *msg = krb5_get_error_message(context, ret);
2147 kdc_log(context, config, 0,
2148 "Verify delegated PAC failed to %s for client"
2149 "%s (%s) as %s from %s with %s",
2150 spn, cpn, dpn, tpn, from, msg);
2151 krb5_free_error_message(context, msg);
2156 * Check that the KDC issued the user's ticket.
2158 ret = check_KRB5SignedPath(context,
2166 const char *msg = krb5_get_error_message(context, ret);
2167 kdc_log(context, config, 0,
2168 "KRB5SignedPath check from service %s failed "
2169 "for delegation to %s for client %s (%s)"
2170 "from %s failed with %s",
2171 spn, tpn, dpn, cpn, from, msg);
2172 krb5_free_error_message(context, msg);
2176 if (!ad_signedpath) {
2177 ret = KRB5KDC_ERR_BADOPTION;
2178 kdc_log(context, config, 0,
2179 "Ticket not signed with PAC nor SignedPath service %s failed "
2180 "for delegation to %s for client %s (%s)"
2182 spn, tpn, dpn, cpn, from);
2186 kdc_log(context, config, 0, "constrained delegation for %s "
2187 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2194 ret = kdc_check_flags(context, config,
2201 if((b->kdc_options.validate || b->kdc_options.renew) &&
2202 !krb5_principal_compare(context,
2203 krbtgt->entry.principal,
2204 server->entry.principal)){
2205 kdc_log(context, config, 0, "Inconsistent request.");
2206 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2210 /* check for valid set of addresses */
2211 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2212 ret = KRB5KRB_AP_ERR_BADADDR;
2213 kdc_log(context, config, 0, "Request from wrong address");
2218 * If this is an referral, add server referral data to the
2225 kdc_log(context, config, 0,
2226 "Adding server referral to %s", ref_realm);
2228 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2232 ret = build_server_referral(context, config, crypto, ref_realm,
2233 NULL, s, &pa.padata_value);
2234 krb5_crypto_destroy(context, crypto);
2236 kdc_log(context, config, 0,
2237 "Failed building server referral");
2240 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2242 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2243 krb5_data_free(&pa.padata_value);
2245 kdc_log(context, config, 0,
2246 "Add server referral METHOD-DATA failed");
2255 ret = tgs_make_reply(context,
2267 server->entry.principal,
2287 krb5_data_free(&rspac);
2288 krb5_free_keyblock_contents(context, &sessionkey);
2290 _kdc_free_ent(context, krbtgt_out);
2292 _kdc_free_ent(context, server);
2294 _kdc_free_ent(context, client);
2295 if(s4u2self_impersonated_client)
2296 _kdc_free_ent(context, s4u2self_impersonated_client);
2299 krb5_free_principal(context, tp);
2301 krb5_free_principal(context, cp);
2303 krb5_free_principal(context, dp);
2305 krb5_free_principal(context, sp);
2308 free_METHOD_DATA(&enc_pa_data);
2310 free_EncTicketPart(&adtkt);
2320 _kdc_tgs_rep(krb5_context context,
2321 krb5_kdc_configuration *config,
2325 struct sockaddr *from_addr,
2328 AuthorizationData *auth_data = NULL;
2329 krb5_error_code ret;
2331 const PA_DATA *tgs_req;
2333 hdb_entry_ex *krbtgt = NULL;
2334 krb5_ticket *ticket = NULL;
2335 const char *e_text = NULL;
2336 krb5_enctype krbtgt_etype = ETYPE_NULL;
2338 krb5_keyblock *replykey = NULL;
2339 int rk_is_subkey = 0;
2340 time_t *csec = NULL;
2343 if(req->padata == NULL){
2344 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2345 kdc_log(context, config, 0,
2346 "TGS-REQ from %s without PA-DATA", from);
2350 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2352 if(tgs_req == NULL){
2353 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2355 kdc_log(context, config, 0,
2356 "TGS-REQ from %s without PA-TGS-REQ", from);
2359 ret = tgs_parse_request(context, config,
2360 &req->req_body, tgs_req,
2370 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2371 /* kdc_log() is called in tgs_parse_request() */
2375 kdc_log(context, config, 0,
2376 "Failed parsing TGS-REQ from %s", from);
2380 ret = tgs_build_reply(context,
2395 kdc_log(context, config, 0,
2396 "Failed building TGS-REP to %s", from);
2401 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2402 krb5_data_free(data);
2403 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2404 e_text = "Reply packet too large";
2409 krb5_free_keyblock(context, replykey);
2410 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2411 krb5_mk_error(context,
2425 krb5_free_ticket(context, ticket);
2427 _kdc_free_ent(context, krbtgt);
2430 free_AuthorizationData(auth_data);