2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * return the realm of a krbtgt-ticket or NULL
41 get_krbtgt_realm(const PrincipalName *p)
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
64 AuthorizationData child;
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_const_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
115 krb5_crypto crypto = NULL;
118 if (server && principals) {
119 ret = add_Principals(principals, server);
125 KRB5SignedPathData spd;
127 spd.client = rk_UNCONST(client);
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
142 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, enctype, &key);
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
152 * Fill in KRB5SignedPath
156 sp.delegated = principals;
157 sp.method_data = NULL;
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
192 krb5_principals *delegated,
197 krb5_crypto crypto = NULL;
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
204 KRB5SignedPathData spd;
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
221 free_KRB5SignedPath(&sp);
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
229 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use correct kvno! */
232 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
235 free_KRB5SignedPath(&sp);
239 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
240 data.data, data.length,
242 krb5_crypto_destroy(context, crypto);
245 free_KRB5SignedPath(&sp);
246 kdc_log(context, config, 4,
247 "KRB5SignedPath not signed correctly, not marking as signed");
251 if (delegated && sp.delegated) {
253 *delegated = malloc(sizeof(*sp.delegated));
254 if (*delegated == NULL) {
255 free_KRB5SignedPath(&sp);
259 ret = copy_Principals(*delegated, sp.delegated);
261 free_KRB5SignedPath(&sp);
267 free_KRB5SignedPath(&sp);
279 static krb5_error_code
280 check_PAC(krb5_context context,
281 krb5_kdc_configuration *config,
282 const krb5_principal client_principal,
283 const krb5_principal delegated_proxy_principal,
284 hdb_entry_ex *client,
285 hdb_entry_ex *server,
286 hdb_entry_ex *krbtgt,
287 const EncryptionKey *server_check_key,
288 const EncryptionKey *server_sign_key,
289 const EncryptionKey *krbtgt_sign_key,
294 AuthorizationData *ad = tkt->authorization_data;
298 if (ad == NULL || ad->len == 0)
301 for (i = 0; i < ad->len; i++) {
302 AuthorizationData child;
304 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
307 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
308 ad->val[i].ad_data.length,
312 krb5_set_error_message(context, ret, "Failed to decode "
313 "IF_RELEVANT with %d", ret);
316 for (j = 0; j < child.len; j++) {
318 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
323 ret = krb5_pac_parse(context,
324 child.val[j].ad_data.data,
325 child.val[j].ad_data.length,
327 free_AuthorizationData(&child);
331 ret = krb5_pac_verify(context, pac, tkt->authtime,
333 server_check_key, NULL);
335 krb5_pac_free(context, pac);
339 ret = _kdc_pac_verify(context, client_principal,
340 delegated_proxy_principal,
341 client, server, krbtgt, &pac, &signed_pac);
343 krb5_pac_free(context, pac);
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
355 ret = _krb5_pac_sign(context, pac, tkt->authtime,
357 server_sign_key, krbtgt_sign_key, rspac);
359 krb5_pac_free(context, pac);
364 free_AuthorizationData(&child);
370 is_anon_tgs_request_p(const KDC_REQ_BODY *b,
371 const EncTicketPart *tgt)
373 KDCOptions f = b->kdc_options;
376 * Versions of Heimdal from 1.0 to 7.6, inclusive, send both the
377 * request-anonymous and cname-in-addl-tkt flags for constrained
378 * delegation requests. A true anonymous TGS request will only
379 * have the request-anonymous flag set. (A corollary of this is
380 * that it is not possible to support anonymous constrained
381 * delegation requests, although they would be of limited utility.)
383 return tgt->flags.anonymous ||
384 (f.request_anonymous && !f.cname_in_addl_tkt && !b->additional_tickets);
391 static krb5_error_code
392 check_tgs_flags(astgs_request_t r, KDC_REQ_BODY *b,
393 krb5_const_principal tgt_name,
394 const EncTicketPart *tgt, EncTicketPart *et)
396 krb5_context context = r->context;
397 KDCOptions f = b->kdc_options;
400 if (!tgt->flags.invalid || tgt->starttime == NULL) {
401 _kdc_audit_addreason((kdc_request_t)r,
402 "Bad request to validate ticket");
403 return KRB5KDC_ERR_BADOPTION;
405 if(*tgt->starttime > kdc_time){
406 _kdc_audit_addreason((kdc_request_t)r,
407 "Early request to validate ticket");
408 return KRB5KRB_AP_ERR_TKT_NYV;
411 et->flags.invalid = 0;
412 } else if (tgt->flags.invalid) {
413 _kdc_audit_addreason((kdc_request_t)r,
414 "Ticket-granting ticket has INVALID flag set");
415 return KRB5KRB_AP_ERR_TKT_INVALID;
419 if (!tgt->flags.forwardable) {
420 _kdc_audit_addreason((kdc_request_t)r,
421 "Bad request for forwardable ticket");
422 return KRB5KDC_ERR_BADOPTION;
424 et->flags.forwardable = 1;
427 if (!tgt->flags.forwardable) {
428 _kdc_audit_addreason((kdc_request_t)r,
429 "Request to forward non-forwardable ticket");
430 return KRB5KDC_ERR_BADOPTION;
432 et->flags.forwarded = 1;
433 et->caddr = b->addresses;
435 if(tgt->flags.forwarded)
436 et->flags.forwarded = 1;
439 if (!tgt->flags.proxiable) {
440 _kdc_audit_addreason((kdc_request_t)r,
441 "Bad request for proxiable ticket");
442 return KRB5KDC_ERR_BADOPTION;
444 et->flags.proxiable = 1;
447 if (!tgt->flags.proxiable) {
448 _kdc_audit_addreason((kdc_request_t)r,
449 "Request to proxy non-proxiable ticket");
450 return KRB5KDC_ERR_BADOPTION;
453 et->caddr = b->addresses;
458 if(f.allow_postdate){
459 if (!tgt->flags.may_postdate) {
460 _kdc_audit_addreason((kdc_request_t)r,
461 "Bad request for post-datable ticket");
462 return KRB5KDC_ERR_BADOPTION;
464 et->flags.may_postdate = 1;
467 if (!tgt->flags.may_postdate) {
468 _kdc_audit_addreason((kdc_request_t)r,
469 "Bad request for postdated ticket");
470 return KRB5KDC_ERR_BADOPTION;
473 *et->starttime = *b->from;
474 et->flags.postdated = 1;
475 et->flags.invalid = 1;
476 } else if (b->from && *b->from > kdc_time + context->max_skew) {
477 _kdc_audit_addreason((kdc_request_t)r,
478 "Ticket cannot be postdated");
479 return KRB5KDC_ERR_CANNOT_POSTDATE;
483 if (!tgt->flags.renewable || tgt->renew_till == NULL) {
484 _kdc_audit_addreason((kdc_request_t)r,
485 "Bad request for renewable ticket");
486 return KRB5KDC_ERR_BADOPTION;
488 et->flags.renewable = 1;
489 ALLOC(et->renew_till);
490 _kdc_fix_time(&b->rtime);
491 *et->renew_till = *b->rtime;
495 if (!tgt->flags.renewable || tgt->renew_till == NULL) {
496 _kdc_audit_addreason((kdc_request_t)r,
497 "Request to renew non-renewable ticket");
498 return KRB5KDC_ERR_BADOPTION;
500 old_life = tgt->endtime;
502 old_life -= *tgt->starttime;
504 old_life -= tgt->authtime;
505 et->endtime = *et->starttime + old_life;
506 if (et->renew_till != NULL)
507 et->endtime = min(*et->renew_till, et->endtime);
511 * RFC 8062 section 3 defines an anonymous ticket as one containing
512 * the anonymous principal and the anonymous ticket flag.
514 if (tgt->flags.anonymous &&
515 !_kdc_is_anonymous(context, tgt_name)) {
516 _kdc_audit_addreason((kdc_request_t)r,
517 "Anonymous ticket flag set without "
518 "anonymous principal");
519 return KRB5KDC_ERR_BADOPTION;
523 * RFC 8062 section 4.2 states that if the TGT is anonymous, the
524 * anonymous KDC option SHOULD be set, but it is not required.
525 * Treat an anonymous TGT as if the anonymous flag was set.
527 if (is_anon_tgs_request_p(b, tgt))
528 et->flags.anonymous = 1;
534 * Determine if constrained delegation is allowed from this client to this server
537 static krb5_error_code
538 check_constrained_delegation(krb5_context context,
539 krb5_kdc_configuration *config,
541 hdb_entry_ex *client,
542 hdb_entry_ex *server,
543 krb5_const_principal target)
545 const HDB_Ext_Constrained_delegation_acl *acl;
550 * constrained_delegation (S4U2Proxy) only works within
551 * the same realm. We use the already canonicalized version
552 * of the principals here, while "target" is the principal
553 * provided by the client.
555 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
556 ret = KRB5KDC_ERR_BADOPTION;
557 kdc_log(context, config, 4,
558 "Bad request for constrained delegation");
562 if (clientdb->hdb_check_constrained_delegation) {
563 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
567 /* if client delegates to itself, that ok */
568 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
571 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
573 krb5_clear_error_message(context);
578 for (i = 0; i < acl->len; i++) {
579 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
583 ret = KRB5KDC_ERR_BADOPTION;
585 kdc_log(context, config, 4,
586 "Bad request for constrained delegation");
591 * Determine if s4u2self is allowed from this client to this server
593 * For example, regardless of the principal being impersonated, if the
594 * 'client' and 'server' are the same, then it's safe.
597 static krb5_error_code
598 check_s4u2self(krb5_context context,
599 krb5_kdc_configuration *config,
601 hdb_entry_ex *client,
602 krb5_const_principal server)
606 /* if client does a s4u2self to itself, that ok */
607 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
610 if (clientdb->hdb_check_s4u2self) {
611 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
615 ret = KRB5KDC_ERR_BADOPTION;
624 static krb5_error_code
625 verify_flags (krb5_context context,
626 krb5_kdc_configuration *config,
627 const EncTicketPart *et,
630 if(et->endtime < kdc_time){
631 kdc_log(context, config, 4, "Ticket expired (%s)", pstr);
632 return KRB5KRB_AP_ERR_TKT_EXPIRED;
634 if(et->flags.invalid){
635 kdc_log(context, config, 4, "Ticket not valid (%s)", pstr);
636 return KRB5KRB_AP_ERR_TKT_NYV;
645 static krb5_error_code
646 fix_transited_encoding(krb5_context context,
647 krb5_kdc_configuration *config,
648 krb5_boolean check_policy,
649 const TransitedEncoding *tr,
651 const char *client_realm,
652 const char *server_realm,
653 const char *tgt_realm)
655 krb5_error_code ret = 0;
656 char **realms, **tmp;
657 unsigned int num_realms;
660 switch (tr->tr_type) {
661 case DOMAIN_X500_COMPRESS:
665 * Allow empty content of type 0 because that is was Microsoft
666 * generates in their TGT.
668 if (tr->contents.length == 0)
670 kdc_log(context, config, 4,
671 "Transited type 0 with non empty content");
672 return KRB5KDC_ERR_TRTYPE_NOSUPP;
674 kdc_log(context, config, 4,
675 "Unknown transited type: %u", tr->tr_type);
676 return KRB5KDC_ERR_TRTYPE_NOSUPP;
679 ret = krb5_domain_x500_decode(context,
686 krb5_warn(context, ret,
687 "Decoding transited encoding");
692 * If the realm of the presented tgt is neither the client nor the server
693 * realm, it is a transit realm and must be added to transited set.
695 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
696 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
700 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
706 realms[num_realms] = strdup(tgt_realm);
707 if(realms[num_realms] == NULL){
713 if(num_realms == 0) {
714 if(strcmp(client_realm, server_realm))
715 kdc_log(context, config, 4,
716 "cross-realm %s -> %s", client_realm, server_realm);
720 for(i = 0; i < num_realms; i++)
721 l += strlen(realms[i]) + 2;
725 for(i = 0; i < num_realms; i++) {
727 strlcat(rs, ", ", l);
728 strlcat(rs, realms[i], l);
730 kdc_log(context, config, 4,
731 "cross-realm %s -> %s via [%s]",
732 client_realm, server_realm, rs);
737 ret = krb5_check_transited(context, client_realm,
739 realms, num_realms, NULL);
741 krb5_warn(context, ret, "cross-realm %s -> %s",
742 client_realm, server_realm);
745 et->flags.transited_policy_checked = 1;
747 et->transited.tr_type = DOMAIN_X500_COMPRESS;
748 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
750 krb5_warn(context, ret, "Encoding transited encoding");
752 for(i = 0; i < num_realms; i++)
759 static krb5_error_code
760 tgs_make_reply(astgs_request_t r,
761 krb5_const_principal tgt_name,
762 const EncTicketPart *tgt,
763 const krb5_keyblock *replykey,
765 const EncryptionKey *serverkey,
766 const krb5_keyblock *sessionkey,
768 AuthorizationData *auth_data,
769 hdb_entry_ex *server,
770 krb5_principal server_principal,
771 hdb_entry_ex *client,
772 krb5_principal client_principal,
773 const char *tgt_realm,
774 hdb_entry_ex *krbtgt,
775 krb5_enctype krbtgt_etype,
777 const krb5_data *rspac,
778 const METHOD_DATA *enc_pa_data)
780 krb5_context context = r->context;
781 krb5_kdc_configuration *config = r->config;
782 KDC_REQ_BODY *b = &r->req.req_body;
783 const char **e_text = &r->e_text;
784 krb5_data *reply = r->reply;
788 KDCOptions f = b->kdc_options;
792 memset(&rep, 0, sizeof(rep));
793 memset(&et, 0, sizeof(et));
794 memset(&ek, 0, sizeof(ek));
797 rep.msg_type = krb_tgs_rep;
799 et.authtime = tgt->authtime;
800 _kdc_fix_time(&b->till);
801 et.endtime = min(tgt->endtime, *b->till);
803 *et.starttime = kdc_time;
805 ret = check_tgs_flags(r, b, tgt_name, tgt, &et);
809 /* We should check the transited encoding if:
810 1) the request doesn't ask not to be checked
811 2) globally enforcing a check
812 3) principal requires checking
813 4) we allow non-check per-principal, but principal isn't marked as allowing this
814 5) we don't globally allow this
817 #define GLOBAL_FORCE_TRANSITED_CHECK \
818 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
819 #define GLOBAL_ALLOW_PER_PRINCIPAL \
820 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
821 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
822 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
824 /* these will consult the database in future release */
825 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
826 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
828 ret = fix_transited_encoding(context, config,
829 !f.disable_transited_check ||
830 GLOBAL_FORCE_TRANSITED_CHECK ||
831 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
832 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
833 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
834 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
835 &tgt->transited, &et,
836 krb5_principal_get_realm(context, client_principal),
837 krb5_principal_get_realm(context, server->entry.principal),
842 ret = copy_Realm(&server_principal->realm, &rep.ticket.realm);
845 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
846 ret = copy_Realm(&tgt_name->realm, &rep.crealm);
851 * RFC 8062 states "if the ticket in the TGS request is an anonymous
852 * one, the client and client realm are copied from that ticket". So
853 * whilst the TGT flag check below is superfluous, it is included in
854 * order to follow the specification to its letter.
856 if (et.flags.anonymous && !tgt->flags.anonymous)
857 _kdc_make_anonymous_principalname(&rep.cname);
859 ret = copy_PrincipalName(&tgt_name->name, &rep.cname);
862 rep.ticket.tkt_vno = 5;
868 life = et.endtime - *et.starttime;
869 if(client && client->entry.max_life)
870 life = min(life, *client->entry.max_life);
871 if(server->entry.max_life)
872 life = min(life, *server->entry.max_life);
873 et.endtime = *et.starttime + life;
875 if(f.renewable_ok && tgt->flags.renewable &&
876 et.renew_till == NULL && et.endtime < *b->till &&
877 tgt->renew_till != NULL)
879 et.flags.renewable = 1;
880 ALLOC(et.renew_till);
881 *et.renew_till = *b->till;
885 renew = *et.renew_till - *et.starttime;
886 if(client && client->entry.max_renew)
887 renew = min(renew, *client->entry.max_renew);
888 if(server->entry.max_renew)
889 renew = min(renew, *server->entry.max_renew);
890 *et.renew_till = *et.starttime + renew;
894 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
895 *et.starttime = min(*et.starttime, *et.renew_till);
896 et.endtime = min(et.endtime, *et.renew_till);
899 *et.starttime = min(*et.starttime, et.endtime);
901 if(*et.starttime == et.endtime){
902 ret = KRB5KDC_ERR_NEVER_VALID;
905 if(et.renew_till && et.endtime == *et.renew_till){
907 et.renew_till = NULL;
908 et.flags.renewable = 0;
911 et.flags.pre_authent = tgt->flags.pre_authent;
912 et.flags.hw_authent = tgt->flags.hw_authent;
913 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
915 /* See MS-KILE 3.3.5.1 */
916 if (!server->entry.flags.forwardable)
917 et.flags.forwardable = 0;
918 if (!server->entry.flags.proxiable)
919 et.flags.proxiable = 0;
922 * For anonymous tickets, we should filter out positive authorization data
923 * that could reveal the client's identity, and return a policy error for
924 * restrictive authorization data. Policy for unknown authorization types
925 * is implementation dependent.
927 if (rspac->length && !et.flags.anonymous) {
929 * No not need to filter out the any PAC from the
930 * auth_data since it's signed by the KDC.
932 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
933 KRB5_AUTHDATA_WIN2K_PAC, rspac);
941 /* XXX check authdata */
943 if (et.authorization_data == NULL) {
944 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
945 if (et.authorization_data == NULL) {
947 krb5_set_error_message(context, ret, "malloc: out of memory");
951 for(i = 0; i < auth_data->len ; i++) {
952 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
954 krb5_set_error_message(context, ret, "malloc: out of memory");
959 /* Filter out type KRB5SignedPath */
960 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
962 if (et.authorization_data->len == 1) {
963 free_AuthorizationData(et.authorization_data);
964 free(et.authorization_data);
965 et.authorization_data = NULL;
967 AuthorizationData *ad = et.authorization_data;
968 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
974 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
977 et.crealm = rep.crealm;
978 et.cname = rep.cname;
981 /* MIT must have at least one last_req */
982 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
983 if (ek.last_req.val == NULL) {
987 ek.last_req.len = 1; /* set after alloc to avoid null deref on cleanup */
990 ek.authtime = et.authtime;
991 ek.starttime = et.starttime;
992 ek.endtime = et.endtime;
993 ek.renew_till = et.renew_till;
994 ek.srealm = rep.ticket.realm;
995 ek.sname = rep.ticket.sname;
997 _kdc_log_timestamp(r, "TGS-REQ", et.authtime, et.starttime,
998 et.endtime, et.renew_till);
1000 /* Don't sign cross realm tickets, they can't be checked anyway */
1002 char *realm = get_krbtgt_realm(&ek.sname);
1004 if (realm == NULL || strcmp(realm, ek.srealm) == 0) {
1005 ret = _kdc_add_KRB5SignedPath(context,
1018 if (enc_pa_data->len) {
1019 rep.padata = calloc(1, sizeof(*rep.padata));
1020 if (rep.padata == NULL) {
1024 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
1029 if (krb5_enctype_valid(context, serverkey->keytype) != 0
1030 && _kdc_is_weak_exception(server->entry.principal, serverkey->keytype))
1032 krb5_enctype_enable(context, serverkey->keytype);
1037 /* It is somewhat unclear where the etype in the following
1038 encryption should come from. What we have is a session
1039 key in the passed tgt, and a list of preferred etypes
1040 *for the new ticket*. Should we pick the best possible
1041 etype, given the keytype in the tgt, or should we look
1042 at the etype list here as well? What if the tgt
1043 session key is DES3 and we want a ticket with a (say)
1044 CAST session key. Should the DES3 etype be added to the
1045 etype list, even if we don't want a session key with
1047 ret = _kdc_encode_reply(context, config, NULL, 0,
1048 &rep, &et, &ek, serverkey->keytype,
1050 serverkey, 0, replykey, rk_is_subkey,
1053 krb5_enctype_disable(context, serverkey->keytype);
1055 r->reply_key.keytype = replykey->keytype;
1056 _log_astgs_req(r, serverkey->keytype);
1060 free_TransitedEncoding(&et.transited);
1064 free(et.renew_till);
1065 if(et.authorization_data) {
1066 free_AuthorizationData(et.authorization_data);
1067 free(et.authorization_data);
1069 free_LastReq(&ek.last_req);
1070 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1071 free_EncryptionKey(&et.key);
1075 static krb5_error_code
1076 tgs_check_authenticator(krb5_context context,
1077 krb5_kdc_configuration *config,
1078 krb5_auth_context ac,
1080 const char **e_text,
1083 krb5_authenticator auth;
1087 krb5_error_code ret;
1090 krb5_auth_con_getauthenticator(context, ac, &auth);
1091 if(auth->cksum == NULL){
1092 kdc_log(context, config, 4, "No authenticator in request");
1093 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1097 * according to RFC1510 it doesn't need to be keyed,
1098 * but according to the latest draft it needs to.
1102 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1105 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1106 kdc_log(context, config, 4, "Bad checksum type in authenticator: %d",
1107 auth->cksum->cksumtype);
1108 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1112 /* XXX should not re-encode this */
1113 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1115 const char *msg = krb5_get_error_message(context, ret);
1116 kdc_log(context, config, 4, "Failed to encode KDC-REQ-BODY: %s", msg);
1117 krb5_free_error_message(context, msg);
1120 if(buf_size != len) {
1122 kdc_log(context, config, 4, "Internal error in ASN.1 encoder");
1123 *e_text = "KDC internal error";
1124 ret = KRB5KRB_ERR_GENERIC;
1127 ret = krb5_crypto_init(context, key, 0, &crypto);
1129 const char *msg = krb5_get_error_message(context, ret);
1131 kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
1132 krb5_free_error_message(context, msg);
1135 ret = krb5_verify_checksum(context,
1137 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1142 krb5_crypto_destroy(context, crypto);
1144 const char *msg = krb5_get_error_message(context, ret);
1145 kdc_log(context, config, 4,
1146 "Failed to verify authenticator checksum: %s", msg);
1147 krb5_free_error_message(context, msg);
1150 free_Authenticator(auth);
1156 need_referral(krb5_context context, krb5_kdc_configuration *config,
1157 const KDCOptions * const options, krb5_principal server,
1158 krb5_realm **realms)
1162 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1165 if (server->name.name_string.len == 1)
1166 name = server->name.name_string.val[0];
1167 else if (server->name.name_string.len == 3) {
1169 This is used to give referrals for the
1170 E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/DNSDOMAIN
1171 SPN form, which is used for inter-domain communication in AD
1173 name = server->name.name_string.val[2];
1174 kdc_log(context, config, 4, "Giving 3 part referral for %s", name);
1175 *realms = malloc(sizeof(char *)*2);
1176 if (*realms == NULL) {
1177 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
1180 (*realms)[0] = strdup(name);
1181 (*realms)[1] = NULL;
1183 } else if (server->name.name_string.len > 1)
1184 name = server->name.name_string.val[1];
1188 kdc_log(context, config, 5, "Searching referral for %s", name);
1190 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1193 static krb5_error_code
1194 tgs_parse_request(astgs_request_t r,
1195 const PA_DATA *tgs_req,
1196 hdb_entry_ex **krbtgt,
1197 krb5_enctype *krbtgt_etype,
1198 krb5_ticket **ticket,
1199 const char **e_text,
1201 const struct sockaddr *from_addr,
1204 AuthorizationData **auth_data,
1205 krb5_keyblock **replykey,
1208 krb5_context context = r->context;
1209 krb5_kdc_configuration *config = r->config;
1210 KDC_REQ_BODY *b = &r->req.req_body;
1211 static char failed[] = "<unparse_name failed>";
1213 krb5_error_code ret;
1214 krb5_principal princ;
1215 krb5_auth_context ac = NULL;
1216 krb5_flags ap_req_options;
1217 krb5_flags verify_ap_req_flags;
1219 krb5uint32 krbtgt_kvno; /* kvno used for the PA-TGS-REQ AP-REQ Ticket */
1220 krb5uint32 krbtgt_kvno_try;
1221 int kvno_search_tries = 4; /* number of kvnos to try when tkt_vno == 0 */
1222 const Keys *krbtgt_keys;/* keyset for TGT tkt_vno */
1224 krb5_keyblock *subkey = NULL;
1232 memset(&ap_req, 0, sizeof(ap_req));
1233 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1235 const char *msg = krb5_get_error_message(context, ret);
1236 kdc_log(context, config, 4, "Failed to decode AP-REQ: %s", msg);
1237 krb5_free_error_message(context, msg);
1241 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1242 /* XXX check for ticket.sname == req.sname */
1243 kdc_log(context, config, 4, "PA-DATA is not a ticket-granting ticket");
1244 ret = KRB5KDC_ERR_POLICY; /* ? */
1248 _krb5_principalname2krb5_principal(context,
1250 ap_req.ticket.sname,
1251 ap_req.ticket.realm);
1253 krbtgt_kvno = ap_req.ticket.enc_part.kvno ? *ap_req.ticket.enc_part.kvno : 0;
1254 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT,
1255 &krbtgt_kvno, NULL, krbtgt);
1257 if (ret == HDB_ERR_NOT_FOUND_HERE) {
1258 /* XXX Factor out this unparsing of the same princ all over */
1260 ret = krb5_unparse_name(context, princ, &p);
1263 krb5_free_principal(context, princ);
1264 kdc_log(context, config, 5,
1265 "Ticket-granting ticket account %s does not have secrets at "
1266 "this KDC, need to proxy", p);
1269 ret = HDB_ERR_NOT_FOUND_HERE;
1271 } else if (ret == HDB_ERR_KVNO_NOT_FOUND) {
1273 ret = krb5_unparse_name(context, princ, &p);
1276 krb5_free_principal(context, princ);
1277 kdc_log(context, config, 5,
1278 "Ticket-granting ticket account %s does not have keys for "
1279 "kvno %d at this KDC", p, krbtgt_kvno);
1282 ret = HDB_ERR_KVNO_NOT_FOUND;
1284 } else if (ret == HDB_ERR_NO_MKEY) {
1286 ret = krb5_unparse_name(context, princ, &p);
1289 krb5_free_principal(context, princ);
1290 kdc_log(context, config, 5,
1291 "Missing master key for decrypting keys for ticket-granting "
1292 "ticket account %s with kvno %d at this KDC", p, krbtgt_kvno);
1295 ret = HDB_ERR_KVNO_NOT_FOUND;
1298 const char *msg = krb5_get_error_message(context, ret);
1300 ret = krb5_unparse_name(context, princ, &p);
1303 kdc_log(context, config, 4,
1304 "Ticket-granting ticket %s not found in database: %s", p, msg);
1305 krb5_free_principal(context, princ);
1306 krb5_free_error_message(context, msg);
1309 ret = KRB5KRB_AP_ERR_NOT_US;
1313 krbtgt_kvno_try = krbtgt_kvno ? krbtgt_kvno : (*krbtgt)->entry.kvno;
1314 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1317 krbtgt_keys = hdb_kvno2keys(context, &(*krbtgt)->entry, krbtgt_kvno_try);
1318 ret = hdb_enctype2key(context, &(*krbtgt)->entry, krbtgt_keys,
1319 ap_req.ticket.enc_part.etype, &tkey);
1320 if (ret && krbtgt_kvno == 0 && kvno_search_tries > 0) {
1321 kvno_search_tries--;
1325 char *str = NULL, *p = NULL;
1327 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1328 krb5_unparse_name(context, princ, &p);
1329 kdc_log(context, config, 4,
1330 "No server key with enctype %s found for %s",
1331 str ? str : "<unknown enctype>",
1332 p ? p : "<unparse_name failed>");
1335 ret = KRB5KRB_AP_ERR_BADKEYVER;
1339 if (b->kdc_options.validate)
1340 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1342 verify_ap_req_flags = 0;
1344 ret = krb5_verify_ap_req2(context,
1349 verify_ap_req_flags,
1352 KRB5_KU_TGS_REQ_AUTH);
1353 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
1354 kvno_search_tries--;
1359 krb5_free_principal(context, princ);
1361 const char *msg = krb5_get_error_message(context, ret);
1362 kdc_log(context, config, 4, "Failed to verify AP-REQ: %s", msg);
1363 krb5_free_error_message(context, msg);
1368 krb5_authenticator auth;
1370 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1372 *csec = malloc(sizeof(**csec));
1373 if (*csec == NULL) {
1374 krb5_free_authenticator(context, &auth);
1375 kdc_log(context, config, 4, "malloc failed");
1378 **csec = auth->ctime;
1379 *cusec = malloc(sizeof(**cusec));
1380 if (*cusec == NULL) {
1381 krb5_free_authenticator(context, &auth);
1382 kdc_log(context, config, 4, "malloc failed");
1385 **cusec = auth->cusec;
1386 krb5_free_authenticator(context, &auth);
1390 ret = tgs_check_authenticator(context, config,
1391 ac, b, e_text, &(*ticket)->ticket.key);
1393 krb5_auth_con_free(context, ac);
1397 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1400 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1402 const char *msg = krb5_get_error_message(context, ret);
1403 krb5_auth_con_free(context, ac);
1404 kdc_log(context, config, 4, "Failed to get remote subkey: %s", msg);
1405 krb5_free_error_message(context, msg);
1409 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1412 ret = krb5_auth_con_getkey(context, ac, &subkey);
1414 const char *msg = krb5_get_error_message(context, ret);
1415 krb5_auth_con_free(context, ac);
1416 kdc_log(context, config, 4, "Failed to get session key: %s", msg);
1417 krb5_free_error_message(context, msg);
1422 krb5_auth_con_free(context, ac);
1423 kdc_log(context, config, 4,
1424 "Failed to get key for enc-authorization-data");
1425 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1431 if (b->enc_authorization_data) {
1434 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1436 const char *msg = krb5_get_error_message(context, ret);
1437 krb5_auth_con_free(context, ac);
1438 kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
1439 krb5_free_error_message(context, msg);
1442 ret = krb5_decrypt_EncryptedData (context,
1445 b->enc_authorization_data,
1447 krb5_crypto_destroy(context, crypto);
1449 krb5_auth_con_free(context, ac);
1450 kdc_log(context, config, 4,
1451 "Failed to decrypt enc-authorization-data");
1452 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1456 if (*auth_data == NULL) {
1457 krb5_auth_con_free(context, ac);
1458 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1461 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1463 krb5_auth_con_free(context, ac);
1466 kdc_log(context, config, 4, "Failed to decode authorization data");
1467 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1472 krb5_auth_con_free(context, ac);
1475 free_AP_REQ(&ap_req);
1480 static krb5_error_code
1481 build_server_referral(krb5_context context,
1482 krb5_kdc_configuration *config,
1483 krb5_crypto session,
1484 krb5_const_realm referred_realm,
1485 const PrincipalName *true_principal_name,
1486 const PrincipalName *requested_principal,
1489 PA_ServerReferralData ref;
1490 krb5_error_code ret;
1495 memset(&ref, 0, sizeof(ref));
1497 if (referred_realm) {
1498 ALLOC(ref.referred_realm);
1499 if (ref.referred_realm == NULL)
1501 *ref.referred_realm = strdup(referred_realm);
1502 if (*ref.referred_realm == NULL)
1505 if (true_principal_name) {
1506 ALLOC(ref.true_principal_name);
1507 if (ref.true_principal_name == NULL)
1509 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1513 if (requested_principal) {
1514 ALLOC(ref.requested_principal_name);
1515 if (ref.requested_principal_name == NULL)
1517 ret = copy_PrincipalName(requested_principal,
1518 ref.requested_principal_name);
1523 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1524 data.data, data.length,
1526 free_PA_ServerReferralData(&ref);
1529 if (data.length != size)
1530 krb5_abortx(context, "internal asn.1 encoder error");
1532 ret = krb5_encrypt_EncryptedData(context, session,
1533 KRB5_KU_PA_SERVER_REFERRAL,
1534 data.data, data.length,
1540 ASN1_MALLOC_ENCODE(EncryptedData,
1541 outdata->data, outdata->length,
1543 free_EncryptedData(&ed);
1546 if (outdata->length != size)
1547 krb5_abortx(context, "internal asn.1 encoder error");
1551 free_PA_ServerReferralData(&ref);
1552 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1556 static krb5_error_code
1557 tgs_build_reply(astgs_request_t priv,
1558 hdb_entry_ex *krbtgt,
1559 krb5_enctype krbtgt_etype,
1560 const krb5_keyblock *replykey,
1562 krb5_ticket *ticket,
1563 const char **e_text,
1564 AuthorizationData **auth_data,
1565 const struct sockaddr *from_addr)
1567 krb5_context context = priv->context;
1568 krb5_kdc_configuration *config = priv->config;
1569 KDC_REQ *req = &priv->req;
1570 KDC_REQ_BODY *b = &priv->req.req_body;
1571 const char *from = priv->from;
1572 krb5_error_code ret, ret2;
1573 krb5_principal cp = NULL, sp = NULL, rsp = NULL, tp = NULL, dp = NULL;
1574 krb5_principal krbtgt_out_principal = NULL;
1575 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL, *krbtgt_out_n = NULL;
1576 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1577 HDB *clientdb, *s4u2self_impersonated_clientdb;
1578 krb5_realm ref_realm = NULL;
1579 EncTicketPart *tgt = &ticket->ticket;
1580 krb5_principals spp = NULL;
1581 const EncryptionKey *ekey;
1582 krb5_keyblock sessionkey;
1585 const char *tgt_realm = /* Realm of TGT issuer */
1586 krb5_principal_get_realm(context, krbtgt->entry.principal);
1587 const char *our_realm = /* Realm of this KDC */
1588 krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1);
1589 char **capath = NULL;
1590 size_t num_capath = 0;
1592 hdb_entry_ex *krbtgt_out = NULL;
1594 METHOD_DATA enc_pa_data;
1598 EncTicketPart adtkt;
1604 int flags = HDB_F_FOR_TGS_REQ;
1606 memset(&sessionkey, 0, sizeof(sessionkey));
1607 memset(&adtkt, 0, sizeof(adtkt));
1608 krb5_data_zero(&rspac);
1609 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1615 * The canonicalize KDC option is passed as a hint to the backend, but
1616 * can typically be ignored. Per RFC 6806, names are not canonicalized
1617 * in response to a TGS request (although we make an exception, see
1618 * force-canonicalize below).
1620 if (b->kdc_options.canonicalize)
1621 flags |= HDB_F_CANON;
1623 if(b->kdc_options.enc_tkt_in_skey){
1628 krb5uint32 second_kvno = 0;
1629 krb5uint32 *kvno_ptr = NULL;
1631 if(b->additional_tickets == NULL ||
1632 b->additional_tickets->len == 0){
1633 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1634 kdc_log(context, config, 4,
1635 "No second ticket present in request");
1638 t = &b->additional_tickets->val[0];
1639 if(!get_krbtgt_realm(&t->sname)){
1640 kdc_log(context, config, 4,
1641 "Additional ticket is not a ticket-granting ticket");
1642 ret = KRB5KDC_ERR_POLICY;
1645 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1646 if(t->enc_part.kvno){
1647 second_kvno = *t->enc_part.kvno;
1648 kvno_ptr = &second_kvno;
1650 ret = _kdc_db_fetch(context, config, p,
1651 HDB_F_GET_KRBTGT, kvno_ptr,
1653 krb5_free_principal(context, p);
1655 if (ret == HDB_ERR_NOENTRY)
1656 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1659 ret = hdb_enctype2key(context, &uu->entry, NULL,
1660 t->enc_part.etype, &uukey);
1662 _kdc_free_ent(context, uu);
1663 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1666 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1667 _kdc_free_ent(context, uu);
1671 ret = verify_flags(context, config, &adtkt, spn);
1679 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1680 ret = krb5_unparse_name(context, sp, &priv->sname);
1684 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1685 ret = krb5_unparse_name(context, cp, &priv->cname);
1689 unparse_flags (KDCOptions2int(b->kdc_options),
1690 asn1_KDCOptions_units(),
1691 opt_str, sizeof(opt_str));
1693 kdc_log(context, config, 4,
1694 "TGS-REQ %s from %s for %s [%s]",
1695 cpn, from, spn, opt_str);
1697 kdc_log(context, config, 4,
1698 "TGS-REQ %s from %s for %s", cpn, from, spn);
1705 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1706 NULL, NULL, &server);
1707 priv->server = server;
1708 if (ret == HDB_ERR_NOT_FOUND_HERE) {
1709 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", spn);
1711 } else if (ret == HDB_ERR_WRONG_REALM) {
1713 ref_realm = strdup(server->entry.principal->realm);
1714 if (ref_realm == NULL) {
1715 ret = krb5_enomem(context);
1719 kdc_log(context, config, 4,
1720 "Returning a referral to realm %s for "
1723 krb5_free_principal(context, sp);
1725 ret = krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1731 ret = krb5_unparse_name(context, sp, &priv->sname);
1738 const char *new_rlm, *msg;
1742 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1743 if (capath == NULL) {
1744 /* With referalls, hierarchical capaths are always enabled */
1745 ret2 = _krb5_find_capath(context, tgt->crealm, our_realm,
1746 req_rlm, TRUE, &capath, &num_capath);
1752 new_rlm = num_capath > 0 ? capath[--num_capath] : NULL;
1754 kdc_log(context, config, 5, "krbtgt from %s via %s for "
1755 "realm %s not found, trying %s", tgt->crealm,
1756 our_realm, req_rlm, new_rlm);
1759 ref_realm = strdup(new_rlm);
1760 if (ref_realm == NULL) {
1761 ret = krb5_enomem(context);
1765 krb5_free_principal(context, sp);
1767 krb5_make_principal(context, &sp, r,
1768 KRB5_TGS_NAME, ref_realm, NULL);
1771 ret = krb5_unparse_name(context, sp, &priv->sname);
1777 } else if (need_referral(context, config, &b->kdc_options, sp, &realms)) {
1778 if (strcmp(realms[0], sp->realm) != 0) {
1779 kdc_log(context, config, 4,
1780 "Returning a referral to realm %s for "
1781 "server %s that was not found",
1783 krb5_free_principal(context, sp);
1785 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1789 ret = krb5_unparse_name(context, sp, &priv->sname);
1791 krb5_free_host_realm(context, realms);
1797 ref_realm = strdup(realms[0]);
1799 krb5_free_host_realm(context, realms);
1802 krb5_free_host_realm(context, realms);
1804 msg = krb5_get_error_message(context, ret);
1805 kdc_log(context, config, 4,
1806 "Server not found in database: %s: %s", spn, msg);
1807 krb5_free_error_message(context, msg);
1808 if (ret == HDB_ERR_NOENTRY)
1809 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1814 * RFC 6806 notes that names MUST NOT be changed in the response to
1815 * a TGS request. Hence we ignore the setting of the canonicalize
1816 * KDC option. However, for legacy interoperability we do allow the
1817 * backend to override this by setting the force-canonicalize HDB
1818 * flag in the server entry.
1820 if (server->entry.flags.force_canonicalize)
1821 rsp = server->entry.principal;
1826 * Select enctype, return key and kvno.
1832 if(b->kdc_options.enc_tkt_in_skey) {
1835 for(i = 0; i < b->etype.len; i++)
1836 if (b->etype.val[i] == adtkt.key.keytype)
1838 if(i == b->etype.len) {
1839 kdc_log(context, config, 4,
1840 "Addition ticket have not matching etypes");
1841 krb5_clear_error_message(context);
1842 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1845 etype = b->etype.val[i];
1850 ret = _kdc_find_etype(priv, krb5_principal_is_krbtgt(context, sp)
1852 b->etype.val, b->etype.len, &etype, NULL,
1855 kdc_log(context, config, 4,
1856 "Server (%s) has no support for etypes", spn);
1859 ret = _kdc_get_preferred_key(context, config, server, spn,
1862 kdc_log(context, config, 4,
1863 "Server (%s) has no supported etypes", spn);
1867 kvno = server->entry.kvno;
1870 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1876 * Check that service is in the same realm as the krbtgt. If it's
1877 * not the same, it's someone that is using a uni-directional trust
1882 * Validate authoriation data
1885 ret = hdb_enctype2key(context, &krbtgt->entry, NULL, /* XXX use the right kvno! */
1886 krbtgt_etype, &tkey_check);
1888 kdc_log(context, config, 4,
1889 "Failed to find key for krbtgt PAC check");
1894 * Now refetch the primary krbtgt, and get the current kvno (the
1895 * sign check may have been on an old kvno, and the server may
1896 * have been an incoming trust)
1899 ret = krb5_make_principal(context,
1900 &krbtgt_out_principal,
1906 kdc_log(context, config, 4,
1907 "Failed to make krbtgt principal name object for "
1908 "authz-data signatures");
1911 ret = krb5_unparse_name(context, krbtgt_out_principal, &krbtgt_out_n);
1913 kdc_log(context, config, 4,
1914 "Failed to make krbtgt principal name object for "
1915 "authz-data signatures");
1919 ret = _kdc_db_fetch(context, config, krbtgt_out_principal,
1920 HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1923 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1924 kdc_log(context, config, 4,
1925 "No such principal %s (needed for authz-data signature keys) "
1926 "while processing TGS-REQ for service %s with krbtg %s",
1927 krbtgt_out_n, spn, (ret == 0) ? ktpn : "<unknown>");
1929 ret = KRB5KRB_AP_ERR_NOT_US;
1934 * The first realm is the realm of the service, the second is
1935 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1936 * encrypted to. The redirection via the krbtgt_out entry allows
1937 * the DB to possibly correct the case of the realm (Samba4 does
1938 * this) before the strcmp()
1940 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1941 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1943 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1944 kdc_log(context, config, 4,
1945 "Request with wrong krbtgt: %s",
1946 (ret == 0) ? ktpn : "<unknown>");
1949 ret = KRB5KRB_AP_ERR_NOT_US;
1953 ret = _kdc_get_preferred_key(context, config, krbtgt_out, krbtgt_out_n,
1956 kdc_log(context, config, 4,
1957 "Failed to find key for krbtgt PAC signature");
1960 ret = hdb_enctype2key(context, &krbtgt_out->entry, NULL,
1961 tkey_sign->key.keytype, &tkey_sign);
1963 kdc_log(context, config, 4,
1964 "Failed to find key for krbtgt PAC signature");
1968 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1969 NULL, &clientdb, &client);
1970 priv->client = client;
1971 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1972 /* This is OK, we are just trying to find out if they have
1973 * been disabled or deleted in the meantime, missing secrets
1976 const char *krbtgt_realm, *msg;
1979 * If the client belongs to the same realm as our krbtgt, it
1980 * should exist in the local database.
1984 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1986 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1987 if (ret == HDB_ERR_NOENTRY)
1988 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1989 kdc_log(context, config, 4, "Client no longer in database: %s",
1994 msg = krb5_get_error_message(context, ret);
1995 kdc_log(context, config, 4, "Client not found in database: %s", msg);
1996 krb5_free_error_message(context, msg);
1999 ret = check_PAC(context, config, cp, NULL,
2000 client, server, krbtgt,
2002 ekey, &tkey_sign->key,
2003 tgt, &rspac, &signedpath);
2005 const char *msg = krb5_get_error_message(context, ret);
2006 kdc_log(context, config, 4,
2007 "Verify PAC failed for %s (%s) from %s with %s",
2008 spn, cpn, from, msg);
2009 krb5_free_error_message(context, msg);
2013 /* also check the krbtgt for signature */
2014 ret = check_KRB5SignedPath(context,
2022 const char *msg = krb5_get_error_message(context, ret);
2023 kdc_log(context, config, 4,
2024 "KRB5SignedPath check failed for %s (%s) from %s with %s",
2025 spn, cpn, from, msg);
2026 krb5_free_error_message(context, msg);
2034 /* by default the tgt principal matches the client principal */
2039 const PA_DATA *sdata;
2042 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
2044 struct astgs_request_desc imp_req;
2050 ret = decode_PA_S4U2Self(sdata->padata_value.data,
2051 sdata->padata_value.length,
2054 kdc_log(context, config, 4, "Failed to decode PA-S4U2Self");
2058 if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
2059 free_PA_S4U2Self(&self);
2060 kdc_log(context, config, 4, "Reject PA-S4U2Self with unkeyed checksum");
2061 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
2065 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
2069 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
2071 const char *msg = krb5_get_error_message(context, ret);
2072 free_PA_S4U2Self(&self);
2073 krb5_data_free(&datack);
2074 kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
2075 krb5_free_error_message(context, msg);
2079 /* Allow HMAC_MD5 checksum with any key type */
2080 if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
2081 struct krb5_crypto_iov iov;
2082 unsigned char csdata[16];
2085 cs.checksum.length = sizeof(csdata);
2086 cs.checksum.data = &csdata;
2088 iov.data.data = datack.data;
2089 iov.data.length = datack.length;
2090 iov.flags = KRB5_CRYPTO_TYPE_DATA;
2092 ret = _krb5_HMAC_MD5_checksum(context, NULL, &crypto->key,
2093 KRB5_KU_OTHER_CKSUM, &iov, 1,
2096 krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
2097 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2100 ret = krb5_verify_checksum(context,
2102 KRB5_KU_OTHER_CKSUM,
2107 krb5_data_free(&datack);
2108 krb5_crypto_destroy(context, crypto);
2110 const char *msg = krb5_get_error_message(context, ret);
2111 free_PA_S4U2Self(&self);
2112 kdc_log(context, config, 4,
2113 "krb5_verify_checksum failed for S4U2Self: %s", msg);
2114 krb5_free_error_message(context, msg);
2118 ret = _krb5_principalname2krb5_principal(context,
2122 free_PA_S4U2Self(&self);
2126 ret = krb5_unparse_name(context, tp, &tpn);
2130 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
2131 NULL, &s4u2self_impersonated_clientdb,
2132 &s4u2self_impersonated_client);
2137 * If the client belongs to the same realm as our krbtgt, it
2138 * should exist in the local database.
2142 if (ret == HDB_ERR_NOENTRY)
2143 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2144 msg = krb5_get_error_message(context, ret);
2145 kdc_log(context, config, 2,
2146 "S4U2Self principal to impersonate %s not found in database: %s",
2148 krb5_free_error_message(context, msg);
2152 /* Ignore require_pwchange and pw_end attributes (as Windows does),
2153 * since S4U2Self is not password authentication. */
2154 s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
2155 free(s4u2self_impersonated_client->entry.pw_end);
2156 s4u2self_impersonated_client->entry.pw_end = NULL;
2159 imp_req.client = s4u2self_impersonated_client;
2160 imp_req.client_princ = tp;
2162 ret = kdc_check_flags(&imp_req, FALSE);
2166 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
2169 krb5_data_free(&rspac);
2170 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
2172 kdc_log(context, config, 4, "PAC generation failed for -- %s",
2177 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
2178 s4u2self_impersonated_client->entry.principal,
2179 ekey, &tkey_sign->key,
2181 krb5_pac_free(context, p);
2183 kdc_log(context, config, 4, "PAC signing failed for -- %s",
2191 * Check that service doing the impersonating is
2192 * requesting a ticket to it-self.
2194 ret = check_s4u2self(context, config, clientdb, client, sp);
2196 kdc_log(context, config, 4, "S4U2Self: %s is not allowed "
2197 "to impersonate to service "
2198 "(tried for user %s to service %s)",
2204 * If the service isn't trusted for authentication to
2205 * delegation or if the impersonate client is disallowed
2206 * forwardable, remove the forwardable flag.
2209 if (client->entry.flags.trusted_for_delegation &&
2210 s4u2self_impersonated_client->entry.flags.forwardable) {
2211 str = "[forwardable]";
2213 b->kdc_options.forwardable = 0;
2216 kdc_log(context, config, 4, "s4u2self %s impersonating %s to "
2217 "service %s %s", cpn, tpn, spn, str);
2222 * Constrained delegation
2226 && b->additional_tickets != NULL
2227 && b->additional_tickets->len != 0
2228 && b->kdc_options.cname_in_addl_tkt
2229 && b->kdc_options.enc_tkt_in_skey == 0)
2231 int ad_signedpath = 0;
2236 * Require that the KDC have issued the service's krbtgt (not
2237 * self-issued ticket with kimpersonate(1).
2240 ret = KRB5KDC_ERR_BADOPTION;
2241 kdc_log(context, config, 4,
2242 "Constrained delegation done on service ticket %s/%s",
2247 t = &b->additional_tickets->val[0];
2249 ret = hdb_enctype2key(context, &client->entry,
2250 hdb_kvno2keys(context, &client->entry,
2251 t->enc_part.kvno ? * t->enc_part.kvno : 0),
2252 t->enc_part.etype, &clientkey);
2254 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2258 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2260 kdc_log(context, config, 4,
2261 "failed to decrypt ticket for "
2262 "constrained delegation from %s to %s ", cpn, spn);
2266 ret = _krb5_principalname2krb5_principal(context,
2273 ret = krb5_unparse_name(context, tp, &tpn);
2277 ret = _krb5_principalname2krb5_principal(context,
2284 ret = krb5_unparse_name(context, dp, &dpn);
2288 /* check that ticket is valid */
2289 if (adtkt.flags.forwardable == 0) {
2290 kdc_log(context, config, 4,
2291 "Missing forwardable flag on ticket for "
2292 "constrained delegation from %s (%s) as %s to %s ",
2293 cpn, dpn, tpn, spn);
2294 ret = KRB5KDC_ERR_BADOPTION;
2298 ret = check_constrained_delegation(context, config, clientdb,
2299 client, server, sp);
2301 kdc_log(context, config, 4,
2302 "constrained delegation from %s (%s) as %s to %s not allowed",
2303 cpn, dpn, tpn, spn);
2307 ret = verify_flags(context, config, &adtkt, tpn);
2312 krb5_data_free(&rspac);
2315 * generate the PAC for the user.
2317 * TODO: pass in t->sname and t->realm and build
2318 * a S4U_DELEGATION_INFO blob to the PAC.
2320 ret = check_PAC(context, config, tp, dp,
2321 client, server, krbtgt,
2323 ekey, &tkey_sign->key,
2324 &adtkt, &rspac, &ad_signedpath);
2326 const char *msg = krb5_get_error_message(context, ret);
2327 kdc_log(context, config, 4,
2328 "Verify delegated PAC failed to %s for client"
2329 "%s (%s) as %s from %s with %s",
2330 spn, cpn, dpn, tpn, from, msg);
2331 krb5_free_error_message(context, msg);
2336 * Check that the KDC issued the user's ticket.
2338 ret = check_KRB5SignedPath(context,
2346 const char *msg = krb5_get_error_message(context, ret);
2347 kdc_log(context, config, 4,
2348 "KRB5SignedPath check from service %s failed "
2349 "for delegation to %s for client %s (%s)"
2350 "from %s failed with %s",
2351 spn, tpn, dpn, cpn, from, msg);
2352 krb5_free_error_message(context, msg);
2356 if (!ad_signedpath) {
2357 ret = KRB5KDC_ERR_BADOPTION;
2358 kdc_log(context, config, 4,
2359 "Ticket not signed with PAC nor SignedPath service %s failed "
2360 "for delegation to %s for client %s (%s)"
2362 spn, tpn, dpn, cpn, from);
2366 _kdc_audit_addkv((kdc_request_t)priv, 0, "impersonatee", "%s", tpn);
2367 kdc_log(context, config, 4, "constrained delegation for %s "
2368 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2375 ret = kdc_check_flags(priv, FALSE);
2379 if((b->kdc_options.validate || b->kdc_options.renew) &&
2380 !krb5_principal_compare(context,
2381 krbtgt->entry.principal,
2382 server->entry.principal)){
2383 kdc_log(context, config, 4, "Inconsistent request.");
2384 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2388 /* check for valid set of addresses */
2389 if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
2390 ret = KRB5KRB_AP_ERR_BADADDR;
2391 kdc_log(context, config, 4, "Request from wrong address");
2395 /* check local and per-principal anonymous ticket issuance policy */
2396 if (is_anon_tgs_request_p(b, tgt)) {
2397 ret = _kdc_check_anon_policy(priv);
2403 * If this is an referral, add server referral data to the
2410 kdc_log(context, config, 4,
2411 "Adding server referral to %s", ref_realm);
2413 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2417 ret = build_server_referral(context, config, crypto, ref_realm,
2418 NULL, s, &pa.padata_value);
2419 krb5_crypto_destroy(context, crypto);
2421 kdc_log(context, config, 4,
2422 "Failed building server referral");
2425 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2427 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2428 krb5_data_free(&pa.padata_value);
2430 kdc_log(context, config, 4,
2431 "Add server referral METHOD-DATA failed");
2440 ret = tgs_make_reply(priv,
2455 tkey_sign->key.keytype,
2465 _krb5_free_capath(context, capath);
2467 krb5_data_free(&rspac);
2468 krb5_free_keyblock_contents(context, &sessionkey);
2470 _kdc_free_ent(context, krbtgt_out);
2472 _kdc_free_ent(context, server);
2474 _kdc_free_ent(context, client);
2475 if(s4u2self_impersonated_client)
2476 _kdc_free_ent(context, s4u2self_impersonated_client);
2479 krb5_free_principal(context, tp);
2480 krb5_free_principal(context, cp);
2481 krb5_free_principal(context, dp);
2482 krb5_free_principal(context, sp);
2483 krb5_free_principal(context, krbtgt_out_principal);
2485 free_METHOD_DATA(&enc_pa_data);
2487 free_EncTicketPart(&adtkt);
2497 _kdc_tgs_rep(astgs_request_t r)
2499 krb5_context context = r->context;
2500 krb5_kdc_configuration *config = r->config;
2501 KDC_REQ *req = &r->req;
2502 krb5_data *data = r->reply;
2503 const char *from = r->from;
2504 struct sockaddr *from_addr = r->addr;
2505 int datagram_reply = r->datagram_reply;
2506 AuthorizationData *auth_data = NULL;
2507 krb5_error_code ret;
2509 const PA_DATA *tgs_req;
2511 hdb_entry_ex *krbtgt = NULL;
2512 krb5_ticket *ticket = NULL;
2513 const char *e_text = NULL;
2514 krb5_enctype krbtgt_etype = ETYPE_NULL;
2516 krb5_keyblock *replykey = NULL;
2517 int rk_is_subkey = 0;
2518 time_t *csec = NULL;
2521 if(req->padata == NULL){
2522 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2523 kdc_log(context, config, 4,
2524 "TGS-REQ from %s without PA-DATA", from);
2528 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2530 if(tgs_req == NULL){
2531 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2533 kdc_log(context, config, 4,
2534 "TGS-REQ from %s without PA-TGS-REQ", from);
2537 ret = tgs_parse_request(r, tgs_req,
2547 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2548 /* kdc_log() is called in tgs_parse_request() */
2552 kdc_log(context, config, 4,
2553 "Failed parsing TGS-REQ from %s", from);
2558 const PA_DATA *pa = _kdc_find_padata(req, &i, KRB5_PADATA_FX_FAST);
2560 kdc_log(context, config, 5, "Got TGS FAST request");
2564 ret = tgs_build_reply(r,
2574 kdc_log(context, config, 4,
2575 "Failed building TGS-REP to %s", from);
2580 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2581 krb5_data_free(data);
2582 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2583 e_text = "Reply packet too large";
2588 krb5_free_keyblock(context, replykey);
2590 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2591 /* XXX add fast wrapping on the error */
2592 METHOD_DATA error_method = { 0, NULL };
2595 kdc_log(context, config, 5, "tgs-req: sending error: %d to client", ret);
2596 ret = _kdc_fast_mk_error(r,
2605 free_METHOD_DATA(&error_method);
2610 krb5_free_ticket(context, ticket);
2612 _kdc_free_ent(context, krbtgt);
2615 free_AuthorizationData(auth_data);