2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * return the realm of a krbtgt-ticket or NULL
41 get_krbtgt_realm(const PrincipalName *p)
43 if(p->name_string.len == 2
44 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45 return p->name_string.val[1];
51 * The KDC might add a signed path to the ticket authorization data
52 * field. This is to avoid server impersonating clients and the
53 * request constrained delegation.
55 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56 * entry of type KRB5SignedPath.
59 static krb5_error_code
60 find_KRB5SignedPath(krb5_context context,
61 const AuthorizationData *ad,
64 AuthorizationData child;
68 if (ad == NULL || ad->len == 0)
69 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
73 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
76 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77 ad->val[pos].ad_data.length,
81 krb5_set_error_message(context, ret, "Failed to decode "
82 "IF_RELEVANT with %d", ret);
87 free_AuthorizationData(&child);
88 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
91 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92 free_AuthorizationData(&child);
93 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
97 ret = der_copy_octet_string(&child.val[0].ad_data, data);
98 free_AuthorizationData(&child);
103 _kdc_add_KRB5SignedPath(krb5_context context,
104 krb5_kdc_configuration *config,
105 hdb_entry_ex *krbtgt,
106 krb5_enctype enctype,
107 krb5_principal client,
108 krb5_const_principal server,
109 krb5_principals principals,
115 krb5_crypto crypto = NULL;
118 if (server && principals) {
119 ret = add_Principals(principals, server);
125 KRB5SignedPathData spd;
128 spd.authtime = tkt->authtime;
129 spd.delegated = principals;
130 spd.method_data = NULL;
132 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
136 if (data.length != size)
137 krb5_abortx(context, "internal asn.1 encoder error");
142 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
144 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
152 * Fill in KRB5SignedPath
156 sp.delegated = principals;
157 sp.method_data = NULL;
159 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160 data.data, data.length, &sp.cksum);
161 krb5_crypto_destroy(context, crypto);
166 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167 free_Checksum(&sp.cksum);
170 if (data.length != size)
171 krb5_abortx(context, "internal asn.1 encoder error");
175 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176 * authorization data field.
179 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180 KRB5_AUTHDATA_SIGNTICKET, &data);
181 krb5_data_free(&data);
186 static krb5_error_code
187 check_KRB5SignedPath(krb5_context context,
188 krb5_kdc_configuration *config,
189 hdb_entry_ex *krbtgt,
192 krb5_principals *delegated,
197 krb5_crypto crypto = NULL;
202 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
204 KRB5SignedPathData spd;
208 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209 krb5_data_free(&data);
214 spd.authtime = tkt->authtime;
215 spd.delegated = sp.delegated;
216 spd.method_data = sp.method_data;
218 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
221 free_KRB5SignedPath(&sp);
224 if (data.length != size)
225 krb5_abortx(context, "internal asn.1 encoder error");
229 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
231 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
234 free_KRB5SignedPath(&sp);
238 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239 data.data, data.length,
241 krb5_crypto_destroy(context, crypto);
244 free_KRB5SignedPath(&sp);
245 kdc_log(context, config, 5,
246 "KRB5SignedPath not signed correctly, not marking as signed");
250 if (delegated && sp.delegated) {
252 *delegated = malloc(sizeof(*sp.delegated));
253 if (*delegated == NULL) {
254 free_KRB5SignedPath(&sp);
258 ret = copy_Principals(*delegated, sp.delegated);
260 free_KRB5SignedPath(&sp);
266 free_KRB5SignedPath(&sp);
278 static krb5_error_code
279 check_PAC(krb5_context context,
280 krb5_kdc_configuration *config,
281 const krb5_principal client_principal,
282 const krb5_principal delegated_proxy_principal,
283 hdb_entry_ex *client,
284 hdb_entry_ex *server,
285 hdb_entry_ex *krbtgt,
286 const EncryptionKey *server_check_key,
287 const EncryptionKey *krbtgt_check_key,
288 const EncryptionKey *server_sign_key,
289 const EncryptionKey *krbtgt_sign_key,
294 AuthorizationData *ad = tkt->authorization_data;
298 if (ad == NULL || ad->len == 0)
301 for (i = 0; i < ad->len; i++) {
302 AuthorizationData child;
304 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
307 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
308 ad->val[i].ad_data.length,
312 krb5_set_error_message(context, ret, "Failed to decode "
313 "IF_RELEVANT with %d", ret);
316 for (j = 0; j < child.len; j++) {
318 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
323 ret = krb5_pac_parse(context,
324 child.val[j].ad_data.data,
325 child.val[j].ad_data.length,
327 free_AuthorizationData(&child);
331 ret = krb5_pac_verify(context, pac, tkt->authtime,
333 server_check_key, krbtgt_check_key);
335 krb5_pac_free(context, pac);
339 ret = _kdc_pac_verify(context, client_principal,
340 delegated_proxy_principal,
341 client, server, krbtgt, &pac, &signed_pac);
343 krb5_pac_free(context, pac);
348 * Only re-sign PAC if we could verify it with the PAC
349 * function. The no-verify case happens when we get in
350 * a PAC from cross realm from a Windows domain and
351 * that there is no PAC verification function.
355 ret = _krb5_pac_sign(context, pac, tkt->authtime,
357 server_sign_key, krbtgt_sign_key, rspac);
359 krb5_pac_free(context, pac);
364 free_AuthorizationData(&child);
373 static krb5_error_code
374 check_tgs_flags(krb5_context context,
375 krb5_kdc_configuration *config,
376 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
378 KDCOptions f = b->kdc_options;
381 if(!tgt->flags.invalid || tgt->starttime == NULL){
382 kdc_log(context, config, 0,
383 "Bad request to validate ticket");
384 return KRB5KDC_ERR_BADOPTION;
386 if(*tgt->starttime > kdc_time){
387 kdc_log(context, config, 0,
388 "Early request to validate ticket");
389 return KRB5KRB_AP_ERR_TKT_NYV;
392 et->flags.invalid = 0;
393 }else if(tgt->flags.invalid){
394 kdc_log(context, config, 0,
395 "Ticket-granting ticket has INVALID flag set");
396 return KRB5KRB_AP_ERR_TKT_INVALID;
400 if(!tgt->flags.forwardable){
401 kdc_log(context, config, 0,
402 "Bad request for forwardable ticket");
403 return KRB5KDC_ERR_BADOPTION;
405 et->flags.forwardable = 1;
408 if(!tgt->flags.forwardable){
409 kdc_log(context, config, 0,
410 "Request to forward non-forwardable ticket");
411 return KRB5KDC_ERR_BADOPTION;
413 et->flags.forwarded = 1;
414 et->caddr = b->addresses;
416 if(tgt->flags.forwarded)
417 et->flags.forwarded = 1;
420 if(!tgt->flags.proxiable){
421 kdc_log(context, config, 0,
422 "Bad request for proxiable ticket");
423 return KRB5KDC_ERR_BADOPTION;
425 et->flags.proxiable = 1;
428 if(!tgt->flags.proxiable){
429 kdc_log(context, config, 0,
430 "Request to proxy non-proxiable ticket");
431 return KRB5KDC_ERR_BADOPTION;
434 et->caddr = b->addresses;
439 if(f.allow_postdate){
440 if(!tgt->flags.may_postdate){
441 kdc_log(context, config, 0,
442 "Bad request for post-datable ticket");
443 return KRB5KDC_ERR_BADOPTION;
445 et->flags.may_postdate = 1;
448 if(!tgt->flags.may_postdate){
449 kdc_log(context, config, 0,
450 "Bad request for postdated ticket");
451 return KRB5KDC_ERR_BADOPTION;
454 *et->starttime = *b->from;
455 et->flags.postdated = 1;
456 et->flags.invalid = 1;
457 }else if(b->from && *b->from > kdc_time + context->max_skew){
458 kdc_log(context, config, 0, "Ticket cannot be postdated");
459 return KRB5KDC_ERR_CANNOT_POSTDATE;
463 if(!tgt->flags.renewable || tgt->renew_till == NULL){
464 kdc_log(context, config, 0,
465 "Bad request for renewable ticket");
466 return KRB5KDC_ERR_BADOPTION;
468 et->flags.renewable = 1;
469 ALLOC(et->renew_till);
470 _kdc_fix_time(&b->rtime);
471 *et->renew_till = *b->rtime;
475 if(!tgt->flags.renewable || tgt->renew_till == NULL){
476 kdc_log(context, config, 0,
477 "Request to renew non-renewable ticket");
478 return KRB5KDC_ERR_BADOPTION;
480 old_life = tgt->endtime;
482 old_life -= *tgt->starttime;
484 old_life -= tgt->authtime;
485 et->endtime = *et->starttime + old_life;
486 if (et->renew_till != NULL)
487 et->endtime = min(*et->renew_till, et->endtime);
491 /* checks for excess flags */
492 if(f.request_anonymous && !config->allow_anonymous){
493 kdc_log(context, config, 0,
494 "Request for anonymous ticket");
495 return KRB5KDC_ERR_BADOPTION;
502 * Determine if constrained delegation is allowed from this client to this server
505 static krb5_error_code
506 check_constrained_delegation(krb5_context context,
507 krb5_kdc_configuration *config,
509 hdb_entry_ex *client,
510 hdb_entry_ex *server,
511 krb5_const_principal target)
513 const HDB_Ext_Constrained_delegation_acl *acl;
518 * constrained_delegation (S4U2Proxy) only works within
519 * the same realm. We use the already canonicalized version
520 * of the principals here, while "target" is the principal
521 * provided by the client.
523 if(!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
524 ret = KRB5KDC_ERR_BADOPTION;
525 kdc_log(context, config, 0,
526 "Bad request for constrained delegation");
530 if (clientdb->hdb_check_constrained_delegation) {
531 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
535 /* if client delegates to itself, that ok */
536 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
539 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
541 krb5_clear_error_message(context);
546 for (i = 0; i < acl->len; i++) {
547 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
551 ret = KRB5KDC_ERR_BADOPTION;
553 kdc_log(context, config, 0,
554 "Bad request for constrained delegation");
559 * Determine if s4u2self is allowed from this client to this server
561 * For example, regardless of the principal being impersonated, if the
562 * 'client' and 'server' are the same, then it's safe.
565 static krb5_error_code
566 check_s4u2self(krb5_context context,
567 krb5_kdc_configuration *config,
569 hdb_entry_ex *client,
570 krb5_const_principal server)
574 /* if client does a s4u2self to itself, that ok */
575 if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
578 if (clientdb->hdb_check_s4u2self) {
579 ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
583 ret = KRB5KDC_ERR_BADOPTION;
592 static krb5_error_code
593 verify_flags (krb5_context context,
594 krb5_kdc_configuration *config,
595 const EncTicketPart *et,
598 if(et->endtime < kdc_time){
599 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
600 return KRB5KRB_AP_ERR_TKT_EXPIRED;
602 if(et->flags.invalid){
603 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
604 return KRB5KRB_AP_ERR_TKT_NYV;
613 static krb5_error_code
614 fix_transited_encoding(krb5_context context,
615 krb5_kdc_configuration *config,
616 krb5_boolean check_policy,
617 const TransitedEncoding *tr,
619 const char *client_realm,
620 const char *server_realm,
621 const char *tgt_realm)
623 krb5_error_code ret = 0;
624 char **realms, **tmp;
625 unsigned int num_realms;
628 switch (tr->tr_type) {
629 case DOMAIN_X500_COMPRESS:
633 * Allow empty content of type 0 because that is was Microsoft
634 * generates in their TGT.
636 if (tr->contents.length == 0)
638 kdc_log(context, config, 0,
639 "Transited type 0 with non empty content");
640 return KRB5KDC_ERR_TRTYPE_NOSUPP;
642 kdc_log(context, config, 0,
643 "Unknown transited type: %u", tr->tr_type);
644 return KRB5KDC_ERR_TRTYPE_NOSUPP;
647 ret = krb5_domain_x500_decode(context,
654 krb5_warn(context, ret,
655 "Decoding transited encoding");
660 * If the realm of the presented tgt is neither the client nor the server
661 * realm, it is a transit realm and must be added to transited set.
663 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
664 if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
668 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
674 realms[num_realms] = strdup(tgt_realm);
675 if(realms[num_realms] == NULL){
681 if(num_realms == 0) {
682 if(strcmp(client_realm, server_realm))
683 kdc_log(context, config, 0,
684 "cross-realm %s -> %s", client_realm, server_realm);
688 for(i = 0; i < num_realms; i++)
689 l += strlen(realms[i]) + 2;
693 for(i = 0; i < num_realms; i++) {
695 strlcat(rs, ", ", l);
696 strlcat(rs, realms[i], l);
698 kdc_log(context, config, 0,
699 "cross-realm %s -> %s via [%s]",
700 client_realm, server_realm, rs);
705 ret = krb5_check_transited(context, client_realm,
707 realms, num_realms, NULL);
709 krb5_warn(context, ret, "cross-realm %s -> %s",
710 client_realm, server_realm);
713 et->flags.transited_policy_checked = 1;
715 et->transited.tr_type = DOMAIN_X500_COMPRESS;
716 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
718 krb5_warn(context, ret, "Encoding transited encoding");
720 for(i = 0; i < num_realms; i++)
727 static krb5_error_code
728 tgs_make_reply(krb5_context context,
729 krb5_kdc_configuration *config,
731 krb5_const_principal tgt_name,
732 const EncTicketPart *tgt,
733 const krb5_keyblock *replykey,
735 const EncryptionKey *serverkey,
736 const krb5_keyblock *sessionkey,
738 AuthorizationData *auth_data,
739 hdb_entry_ex *server,
740 krb5_principal server_principal,
741 const char *server_name,
742 hdb_entry_ex *client,
743 krb5_principal client_principal,
744 const char *tgt_realm,
745 hdb_entry_ex *krbtgt,
746 krb5_enctype krbtgt_etype,
748 const krb5_data *rspac,
749 const METHOD_DATA *enc_pa_data,
756 KDCOptions f = b->kdc_options;
760 memset(&rep, 0, sizeof(rep));
761 memset(&et, 0, sizeof(et));
762 memset(&ek, 0, sizeof(ek));
765 rep.msg_type = krb_tgs_rep;
767 et.authtime = tgt->authtime;
768 _kdc_fix_time(&b->till);
769 et.endtime = min(tgt->endtime, *b->till);
771 *et.starttime = kdc_time;
773 ret = check_tgs_flags(context, config, b, tgt, &et);
777 /* We should check the transited encoding if:
778 1) the request doesn't ask not to be checked
779 2) globally enforcing a check
780 3) principal requires checking
781 4) we allow non-check per-principal, but principal isn't marked as allowing this
782 5) we don't globally allow this
785 #define GLOBAL_FORCE_TRANSITED_CHECK \
786 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
787 #define GLOBAL_ALLOW_PER_PRINCIPAL \
788 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
789 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
790 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
792 /* these will consult the database in future release */
793 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
794 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
796 ret = fix_transited_encoding(context, config,
797 !f.disable_transited_check ||
798 GLOBAL_FORCE_TRANSITED_CHECK ||
799 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
800 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
801 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
802 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
803 &tgt->transited, &et,
804 krb5_principal_get_realm(context, client_principal),
805 krb5_principal_get_realm(context, server->entry.principal),
810 copy_Realm(&server_principal->realm, &rep.ticket.realm);
811 _krb5_principal2principalname(&rep.ticket.sname, server_principal);
812 copy_Realm(&tgt_name->realm, &rep.crealm);
814 if (f.request_anonymous)
815 _kdc_make_anonymous_principalname (&rep.cname);
818 copy_PrincipalName(&tgt_name->name, &rep.cname);
819 rep.ticket.tkt_vno = 5;
823 et.caddr = tgt->caddr;
827 life = et.endtime - *et.starttime;
828 if(client && client->entry.max_life)
829 life = min(life, *client->entry.max_life);
830 if(server->entry.max_life)
831 life = min(life, *server->entry.max_life);
832 et.endtime = *et.starttime + life;
834 if(f.renewable_ok && tgt->flags.renewable &&
835 et.renew_till == NULL && et.endtime < *b->till &&
836 tgt->renew_till != NULL)
838 et.flags.renewable = 1;
839 ALLOC(et.renew_till);
840 *et.renew_till = *b->till;
844 renew = *et.renew_till - et.authtime;
845 if(client && client->entry.max_renew)
846 renew = min(renew, *client->entry.max_renew);
847 if(server->entry.max_renew)
848 renew = min(renew, *server->entry.max_renew);
849 *et.renew_till = et.authtime + renew;
853 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
854 *et.starttime = min(*et.starttime, *et.renew_till);
855 et.endtime = min(et.endtime, *et.renew_till);
858 *et.starttime = min(*et.starttime, et.endtime);
860 if(*et.starttime == et.endtime){
861 ret = KRB5KDC_ERR_NEVER_VALID;
864 if(et.renew_till && et.endtime == *et.renew_till){
866 et.renew_till = NULL;
867 et.flags.renewable = 0;
870 et.flags.pre_authent = tgt->flags.pre_authent;
871 et.flags.hw_authent = tgt->flags.hw_authent;
872 et.flags.anonymous = tgt->flags.anonymous;
873 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
877 * No not need to filter out the any PAC from the
878 * auth_data since it's signed by the KDC.
880 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
881 KRB5_AUTHDATA_WIN2K_PAC, rspac);
889 /* XXX check authdata */
891 if (et.authorization_data == NULL) {
892 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
893 if (et.authorization_data == NULL) {
895 krb5_set_error_message(context, ret, "malloc: out of memory");
899 for(i = 0; i < auth_data->len ; i++) {
900 ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
902 krb5_set_error_message(context, ret, "malloc: out of memory");
907 /* Filter out type KRB5SignedPath */
908 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
910 if (et.authorization_data->len == 1) {
911 free_AuthorizationData(et.authorization_data);
912 free(et.authorization_data);
913 et.authorization_data = NULL;
915 AuthorizationData *ad = et.authorization_data;
916 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
922 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
925 et.crealm = tgt_name->realm;
926 et.cname = tgt_name->name;
929 /* MIT must have at least one last_req */
931 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
932 if (ek.last_req.val == NULL) {
938 ek.authtime = et.authtime;
939 ek.starttime = et.starttime;
940 ek.endtime = et.endtime;
941 ek.renew_till = et.renew_till;
942 ek.srealm = rep.ticket.realm;
943 ek.sname = rep.ticket.sname;
945 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
946 et.endtime, et.renew_till);
948 /* Don't sign cross realm tickets, they can't be checked anyway */
950 char *r = get_krbtgt_realm(&ek.sname);
952 if (r == NULL || strcmp(r, ek.srealm) == 0) {
953 ret = _kdc_add_KRB5SignedPath(context,
966 if (enc_pa_data->len) {
967 rep.padata = calloc(1, sizeof(*rep.padata));
968 if (rep.padata == NULL) {
972 ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
977 if (krb5_enctype_valid(context, et.key.keytype) != 0
978 && _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
980 krb5_enctype_enable(context, et.key.keytype);
985 /* It is somewhat unclear where the etype in the following
986 encryption should come from. What we have is a session
987 key in the passed tgt, and a list of preferred etypes
988 *for the new ticket*. Should we pick the best possible
989 etype, given the keytype in the tgt, or should we look
990 at the etype list here as well? What if the tgt
991 session key is DES3 and we want a ticket with a (say)
992 CAST session key. Should the DES3 etype be added to the
993 etype list, even if we don't want a session key with
995 ret = _kdc_encode_reply(context, config,
996 &rep, &et, &ek, et.key.keytype,
998 serverkey, 0, replykey, rk_is_subkey,
1001 krb5_enctype_disable(context, et.key.keytype);
1005 free_TransitedEncoding(&et.transited);
1009 free(et.renew_till);
1010 if(et.authorization_data) {
1011 free_AuthorizationData(et.authorization_data);
1012 free(et.authorization_data);
1014 free_LastReq(&ek.last_req);
1015 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
1016 free_EncryptionKey(&et.key);
1020 static krb5_error_code
1021 tgs_check_authenticator(krb5_context context,
1022 krb5_kdc_configuration *config,
1023 krb5_auth_context ac,
1025 const char **e_text,
1028 krb5_authenticator auth;
1032 krb5_error_code ret;
1035 krb5_auth_con_getauthenticator(context, ac, &auth);
1036 if(auth->cksum == NULL){
1037 kdc_log(context, config, 0, "No authenticator in request");
1038 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1042 * according to RFC1510 it doesn't need to be keyed,
1043 * but according to the latest draft it needs to.
1047 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1050 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1051 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1052 auth->cksum->cksumtype);
1053 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1057 /* XXX should not re-encode this */
1058 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1060 const char *msg = krb5_get_error_message(context, ret);
1061 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1062 krb5_free_error_message(context, msg);
1065 if(buf_size != len) {
1067 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1068 *e_text = "KDC internal error";
1069 ret = KRB5KRB_ERR_GENERIC;
1072 ret = krb5_crypto_init(context, key, 0, &crypto);
1074 const char *msg = krb5_get_error_message(context, ret);
1076 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1077 krb5_free_error_message(context, msg);
1080 ret = krb5_verify_checksum(context,
1082 KRB5_KU_TGS_REQ_AUTH_CKSUM,
1087 krb5_crypto_destroy(context, crypto);
1089 const char *msg = krb5_get_error_message(context, ret);
1090 kdc_log(context, config, 0,
1091 "Failed to verify authenticator checksum: %s", msg);
1092 krb5_free_error_message(context, msg);
1095 free_Authenticator(auth);
1105 find_rpath(krb5_context context, Realm crealm, Realm srealm)
1107 const char *new_realm = krb5_config_get_string(context,
1118 need_referral(krb5_context context, krb5_kdc_configuration *config,
1119 const KDCOptions * const options, krb5_principal server,
1120 krb5_realm **realms)
1124 if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1127 if (server->name.name_string.len == 1)
1128 name = server->name.name_string.val[0];
1129 else if (server->name.name_string.len > 1)
1130 name = server->name.name_string.val[1];
1134 kdc_log(context, config, 0, "Searching referral for %s", name);
1136 return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1139 static krb5_error_code
1140 tgs_parse_request(krb5_context context,
1141 krb5_kdc_configuration *config,
1143 const PA_DATA *tgs_req,
1144 hdb_entry_ex **krbtgt,
1145 krb5_enctype *krbtgt_etype,
1146 krb5_ticket **ticket,
1147 const char **e_text,
1149 const struct sockaddr *from_addr,
1152 AuthorizationData **auth_data,
1153 krb5_keyblock **replykey,
1156 static char failed[] = "<unparse_name failed>";
1158 krb5_error_code ret;
1159 krb5_principal princ;
1160 krb5_auth_context ac = NULL;
1161 krb5_flags ap_req_options;
1162 krb5_flags verify_ap_req_flags;
1165 krb5_keyblock *subkey = NULL;
1173 memset(&ap_req, 0, sizeof(ap_req));
1174 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1176 const char *msg = krb5_get_error_message(context, ret);
1177 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1178 krb5_free_error_message(context, msg);
1182 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1183 /* XXX check for ticket.sname == req.sname */
1184 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1185 ret = KRB5KDC_ERR_POLICY; /* ? */
1189 _krb5_principalname2krb5_principal(context,
1191 ap_req.ticket.sname,
1192 ap_req.ticket.realm);
1194 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1196 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1198 ret = krb5_unparse_name(context, princ, &p);
1201 krb5_free_principal(context, princ);
1202 kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1205 ret = HDB_ERR_NOT_FOUND_HERE;
1208 const char *msg = krb5_get_error_message(context, ret);
1210 ret = krb5_unparse_name(context, princ, &p);
1213 krb5_free_principal(context, princ);
1214 kdc_log(context, config, 0,
1215 "Ticket-granting ticket not found in database: %s", msg);
1216 krb5_free_error_message(context, msg);
1219 ret = KRB5KRB_AP_ERR_NOT_US;
1223 if(ap_req.ticket.enc_part.kvno &&
1224 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1227 ret = krb5_unparse_name (context, princ, &p);
1228 krb5_free_principal(context, princ);
1231 kdc_log(context, config, 0,
1232 "Ticket kvno = %d, DB kvno = %d (%s)",
1233 *ap_req.ticket.enc_part.kvno,
1234 (*krbtgt)->entry.kvno,
1238 ret = KRB5KRB_AP_ERR_BADKEYVER;
1242 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1244 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1245 ap_req.ticket.enc_part.etype, &tkey);
1247 char *str = NULL, *p = NULL;
1249 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1250 krb5_unparse_name(context, princ, &p);
1251 kdc_log(context, config, 0,
1252 "No server key with enctype %s found for %s",
1253 str ? str : "<unknown enctype>",
1254 p ? p : "<unparse_name failed>");
1257 ret = KRB5KRB_AP_ERR_BADKEYVER;
1261 if (b->kdc_options.validate)
1262 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1264 verify_ap_req_flags = 0;
1266 ret = krb5_verify_ap_req2(context,
1271 verify_ap_req_flags,
1274 KRB5_KU_TGS_REQ_AUTH);
1276 krb5_free_principal(context, princ);
1278 const char *msg = krb5_get_error_message(context, ret);
1279 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1280 krb5_free_error_message(context, msg);
1285 krb5_authenticator auth;
1287 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1289 *csec = malloc(sizeof(**csec));
1290 if (*csec == NULL) {
1291 krb5_free_authenticator(context, &auth);
1292 kdc_log(context, config, 0, "malloc failed");
1295 **csec = auth->ctime;
1296 *cusec = malloc(sizeof(**cusec));
1297 if (*cusec == NULL) {
1298 krb5_free_authenticator(context, &auth);
1299 kdc_log(context, config, 0, "malloc failed");
1302 **cusec = auth->cusec;
1303 krb5_free_authenticator(context, &auth);
1307 ret = tgs_check_authenticator(context, config,
1308 ac, b, e_text, &(*ticket)->ticket.key);
1310 krb5_auth_con_free(context, ac);
1314 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1317 ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1319 const char *msg = krb5_get_error_message(context, ret);
1320 krb5_auth_con_free(context, ac);
1321 kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1322 krb5_free_error_message(context, msg);
1326 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1329 ret = krb5_auth_con_getkey(context, ac, &subkey);
1331 const char *msg = krb5_get_error_message(context, ret);
1332 krb5_auth_con_free(context, ac);
1333 kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1334 krb5_free_error_message(context, msg);
1339 krb5_auth_con_free(context, ac);
1340 kdc_log(context, config, 0,
1341 "Failed to get key for enc-authorization-data");
1342 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1348 if (b->enc_authorization_data) {
1351 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1353 const char *msg = krb5_get_error_message(context, ret);
1354 krb5_auth_con_free(context, ac);
1355 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1356 krb5_free_error_message(context, msg);
1359 ret = krb5_decrypt_EncryptedData (context,
1362 b->enc_authorization_data,
1364 krb5_crypto_destroy(context, crypto);
1366 krb5_auth_con_free(context, ac);
1367 kdc_log(context, config, 0,
1368 "Failed to decrypt enc-authorization-data");
1369 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1373 if (*auth_data == NULL) {
1374 krb5_auth_con_free(context, ac);
1375 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1378 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1380 krb5_auth_con_free(context, ac);
1383 kdc_log(context, config, 0, "Failed to decode authorization data");
1384 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1389 krb5_auth_con_free(context, ac);
1392 free_AP_REQ(&ap_req);
1397 static krb5_error_code
1398 build_server_referral(krb5_context context,
1399 krb5_kdc_configuration *config,
1400 krb5_crypto session,
1401 krb5_const_realm referred_realm,
1402 const PrincipalName *true_principal_name,
1403 const PrincipalName *requested_principal,
1406 PA_ServerReferralData ref;
1407 krb5_error_code ret;
1412 memset(&ref, 0, sizeof(ref));
1414 if (referred_realm) {
1415 ALLOC(ref.referred_realm);
1416 if (ref.referred_realm == NULL)
1418 *ref.referred_realm = strdup(referred_realm);
1419 if (*ref.referred_realm == NULL)
1422 if (true_principal_name) {
1423 ALLOC(ref.true_principal_name);
1424 if (ref.true_principal_name == NULL)
1426 ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1430 if (requested_principal) {
1431 ALLOC(ref.requested_principal_name);
1432 if (ref.requested_principal_name == NULL)
1434 ret = copy_PrincipalName(requested_principal,
1435 ref.requested_principal_name);
1440 ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1441 data.data, data.length,
1443 free_PA_ServerReferralData(&ref);
1446 if (data.length != size)
1447 krb5_abortx(context, "internal asn.1 encoder error");
1449 ret = krb5_encrypt_EncryptedData(context, session,
1450 KRB5_KU_PA_SERVER_REFERRAL,
1451 data.data, data.length,
1457 ASN1_MALLOC_ENCODE(EncryptedData,
1458 outdata->data, outdata->length,
1460 free_EncryptedData(&ed);
1463 if (outdata->length != size)
1464 krb5_abortx(context, "internal asn.1 encoder error");
1468 free_PA_ServerReferralData(&ref);
1469 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1473 static krb5_error_code
1474 tgs_build_reply(krb5_context context,
1475 krb5_kdc_configuration *config,
1478 hdb_entry_ex *krbtgt,
1479 krb5_enctype krbtgt_etype,
1480 const krb5_keyblock *replykey,
1482 krb5_ticket *ticket,
1485 const char **e_text,
1486 AuthorizationData **auth_data,
1487 const struct sockaddr *from_addr)
1489 krb5_error_code ret;
1490 krb5_principal cp = NULL, sp = NULL, rsp = NULL, tp = NULL, dp = NULL;
1491 krb5_principal krbtgt_principal = NULL;
1492 char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
1493 hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
1494 HDB *clientdb, *s4u2self_impersonated_clientdb;
1495 krb5_realm ref_realm = NULL;
1496 EncTicketPart *tgt = &ticket->ticket;
1497 krb5_principals spp = NULL;
1498 const EncryptionKey *ekey;
1499 krb5_keyblock sessionkey;
1502 const char *tgt_realm = /* Realm of TGT issuer */
1503 krb5_principal_get_realm(context, krbtgt->entry.principal);
1505 hdb_entry_ex *krbtgt_out = NULL;
1507 METHOD_DATA enc_pa_data;
1512 EncTicketPart adtkt;
1518 int flags = HDB_F_FOR_TGS_REQ;
1520 memset(&sessionkey, 0, sizeof(sessionkey));
1521 memset(&adtkt, 0, sizeof(adtkt));
1522 krb5_data_zero(&rspac);
1523 memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1529 * Always to do CANON, see comment below about returned server principal (rsp).
1531 flags |= HDB_F_CANON;
1533 if(b->kdc_options.enc_tkt_in_skey){
1539 if(b->additional_tickets == NULL ||
1540 b->additional_tickets->len == 0){
1541 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1542 kdc_log(context, config, 0,
1543 "No second ticket present in request");
1546 t = &b->additional_tickets->val[0];
1547 if(!get_krbtgt_realm(&t->sname)){
1548 kdc_log(context, config, 0,
1549 "Additional ticket is not a ticket-granting ticket");
1550 ret = KRB5KDC_ERR_POLICY;
1553 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1554 ret = _kdc_db_fetch(context, config, p,
1555 HDB_F_GET_KRBTGT, t->enc_part.kvno,
1557 krb5_free_principal(context, p);
1559 if (ret == HDB_ERR_NOENTRY)
1560 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1563 ret = hdb_enctype2key(context, &uu->entry,
1564 t->enc_part.etype, &uukey);
1566 _kdc_free_ent(context, uu);
1567 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1570 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1571 _kdc_free_ent(context, uu);
1575 ret = verify_flags(context, config, &adtkt, spn);
1583 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1584 ret = krb5_unparse_name(context, sp, &spn);
1587 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1588 ret = krb5_unparse_name(context, cp, &cpn);
1591 unparse_flags (KDCOptions2int(b->kdc_options),
1592 asn1_KDCOptions_units(),
1593 opt_str, sizeof(opt_str));
1595 kdc_log(context, config, 0,
1596 "TGS-REQ %s from %s for %s [%s]",
1597 cpn, from, spn, opt_str);
1599 kdc_log(context, config, 0,
1600 "TGS-REQ %s from %s for %s", cpn, from, spn);
1607 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
1608 NULL, NULL, &server);
1610 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1611 kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1614 const char *new_rlm, *msg;
1618 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1620 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1622 kdc_log(context, config, 5, "krbtgt for realm %s "
1623 "not found, trying %s",
1625 krb5_free_principal(context, sp);
1627 krb5_make_principal(context, &sp, r,
1628 KRB5_TGS_NAME, new_rlm, NULL);
1629 ret = krb5_unparse_name(context, sp, &spn);
1635 ref_realm = strdup(new_rlm);
1639 } else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1640 if (strcmp(realms[0], sp->realm) != 0) {
1641 kdc_log(context, config, 5,
1642 "Returning a referral to realm %s for "
1643 "server %s that was not found",
1645 krb5_free_principal(context, sp);
1647 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1649 ret = krb5_unparse_name(context, sp, &spn);
1655 ref_realm = strdup(realms[0]);
1657 krb5_free_host_realm(context, realms);
1660 krb5_free_host_realm(context, realms);
1662 msg = krb5_get_error_message(context, ret);
1663 kdc_log(context, config, 0,
1664 "Server not found in database: %s: %s", spn, msg);
1665 krb5_free_error_message(context, msg);
1666 if (ret == HDB_ERR_NOENTRY)
1667 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1671 /* the name returned to the client depend on what was asked for,
1672 * return canonical name if kdc_options.canonicalize was set, the
1673 * client wants the true name of the principal, if not it just
1674 * wants the name its asked for.
1677 if (b->kdc_options.canonicalize)
1678 rsp = server->entry.principal;
1684 * Select enctype, return key and kvno.
1690 if(b->kdc_options.enc_tkt_in_skey) {
1693 for(i = 0; i < b->etype.len; i++)
1694 if (b->etype.val[i] == adtkt.key.keytype)
1696 if(i == b->etype.len) {
1697 kdc_log(context, config, 0,
1698 "Addition ticket have not matching etypes");
1699 krb5_clear_error_message(context);
1700 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1703 etype = b->etype.val[i];
1708 ret = _kdc_find_etype(context,
1709 krb5_principal_is_krbtgt(context, sp) ?
1710 config->tgt_use_strongest_session_key :
1711 config->svc_use_strongest_session_key, FALSE,
1712 server, b->etype.val, b->etype.len, NULL,
1715 kdc_log(context, config, 0,
1716 "Server (%s) has no support for etypes", spn);
1720 etype = skey->key.keytype;
1721 kvno = server->entry.kvno;
1724 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1730 * Check that service is in the same realm as the krbtgt. If it's
1731 * not the same, it's someone that is using a uni-directional trust
1736 * Validate authoriation data
1739 ret = hdb_enctype2key(context, &krbtgt->entry,
1740 krbtgt_etype, &tkey_check);
1742 kdc_log(context, config, 0,
1743 "Failed to find key for krbtgt PAC check");
1747 /* Now refetch the primary krbtgt, and get the current kvno (the
1748 * sign check may have been on an old kvno, and the server may
1749 * have been an incoming trust) */
1750 ret = krb5_make_principal(context, &krbtgt_principal,
1751 krb5_principal_get_comp_string(context,
1752 krbtgt->entry.principal,
1755 krb5_principal_get_comp_string(context,
1756 krbtgt->entry.principal,
1759 kdc_log(context, config, 0,
1760 "Failed to generate krbtgt principal");
1764 ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1765 krb5_free_principal(context, krbtgt_principal);
1767 krb5_error_code ret2;
1769 ret = krb5_unparse_name(context, krbtgt->entry.principal, &ktpn);
1770 ret2 = krb5_unparse_name(context, krbtgt_principal, &ktpn2);
1771 kdc_log(context, config, 0,
1772 "Request with wrong krbtgt: %s, %s not found in our database",
1773 (ret == 0) ? ktpn : "<unknown>", (ret2 == 0) ? ktpn2 : "<unknown>");
1778 ret = KRB5KRB_AP_ERR_NOT_US;
1782 /* The first realm is the realm of the service, the second is
1783 * krbtgt/<this>/@REALM component of the krbtgt DN the request was
1784 * encrypted to. The redirection via the krbtgt_out entry allows
1785 * the DB to possibly correct the case of the realm (Samba4 does
1786 * this) before the strcmp() */
1787 if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1788 krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1790 ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &ktpn);
1791 kdc_log(context, config, 0,
1792 "Request with wrong krbtgt: %s",
1793 (ret == 0) ? ktpn : "<unknown>");
1796 ret = KRB5KRB_AP_ERR_NOT_US;
1799 ret = hdb_enctype2key(context, &krbtgt_out->entry,
1800 krbtgt_etype, &tkey_sign);
1802 kdc_log(context, config, 0,
1803 "Failed to find key for krbtgt PAC signature");
1807 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
1808 NULL, &clientdb, &client);
1809 if(ret == HDB_ERR_NOT_FOUND_HERE) {
1810 /* This is OK, we are just trying to find out if they have
1811 * been disabled or deleted in the meantime, missing secrets
1814 const char *krbtgt_realm, *msg;
1817 * If the client belongs to the same realm as our krbtgt, it
1818 * should exist in the local database.
1822 krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1824 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1825 if (ret == HDB_ERR_NOENTRY)
1826 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1827 kdc_log(context, config, 1, "Client no longer in database: %s",
1832 msg = krb5_get_error_message(context, ret);
1833 kdc_log(context, config, 1, "Client not found in database: %s", msg);
1834 krb5_free_error_message(context, msg);
1837 ret = check_PAC(context, config, cp, NULL,
1838 client, server, krbtgt,
1839 &tkey_check->key, &tkey_check->key,
1840 ekey, &tkey_sign->key,
1841 tgt, &rspac, &signedpath);
1843 const char *msg = krb5_get_error_message(context, ret);
1844 kdc_log(context, config, 0,
1845 "Verify PAC failed for %s (%s) from %s with %s",
1846 spn, cpn, from, msg);
1847 krb5_free_error_message(context, msg);
1851 /* also check the krbtgt for signature */
1852 ret = check_KRB5SignedPath(context,
1860 const char *msg = krb5_get_error_message(context, ret);
1861 kdc_log(context, config, 0,
1862 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1863 spn, cpn, from, msg);
1864 krb5_free_error_message(context, msg);
1872 /* by default the tgt principal matches the client principal */
1877 const PA_DATA *sdata;
1880 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1887 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1888 sdata->padata_value.length,
1891 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1895 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1899 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1901 const char *msg = krb5_get_error_message(context, ret);
1902 free_PA_S4U2Self(&self);
1903 krb5_data_free(&datack);
1904 kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1905 krb5_free_error_message(context, msg);
1909 ret = krb5_verify_checksum(context,
1911 KRB5_KU_OTHER_CKSUM,
1915 krb5_data_free(&datack);
1916 krb5_crypto_destroy(context, crypto);
1918 const char *msg = krb5_get_error_message(context, ret);
1919 free_PA_S4U2Self(&self);
1920 kdc_log(context, config, 0,
1921 "krb5_verify_checksum failed for S4U2Self: %s", msg);
1922 krb5_free_error_message(context, msg);
1926 ret = _krb5_principalname2krb5_principal(context,
1930 free_PA_S4U2Self(&self);
1934 ret = krb5_unparse_name(context, tp, &tpn);
1938 ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
1939 NULL, &s4u2self_impersonated_clientdb,
1940 &s4u2self_impersonated_client);
1945 * If the client belongs to the same realm as our krbtgt, it
1946 * should exist in the local database.
1950 if (ret == HDB_ERR_NOENTRY)
1951 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1952 msg = krb5_get_error_message(context, ret);
1953 kdc_log(context, config, 2,
1954 "S4U2Self principal to impersonate %s not found in database: %s",
1956 krb5_free_error_message(context, msg);
1960 free(s4u2self_impersonated_client->entry.pw_end);
1961 s4u2self_impersonated_client->entry.pw_end = NULL;
1963 ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn,
1968 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1971 krb5_data_free(&rspac);
1972 ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1974 kdc_log(context, config, 0, "PAC generation failed for -- %s",
1979 ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1980 s4u2self_impersonated_client->entry.principal,
1981 ekey, &tkey_sign->key,
1983 krb5_pac_free(context, p);
1985 kdc_log(context, config, 0, "PAC signing failed for -- %s",
1993 * Check that service doing the impersonating is
1994 * requesting a ticket to it-self.
1996 ret = check_s4u2self(context, config, clientdb, client, sp);
1998 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1999 "to impersonate to service "
2000 "(tried for user %s to service %s)",
2006 * If the service isn't trusted for authentication to
2007 * delegation or if the impersonate client is disallowed
2008 * forwardable, remove the forwardable flag.
2011 if (client->entry.flags.trusted_for_delegation &&
2012 s4u2self_impersonated_client->entry.flags.forwardable) {
2013 str = "[forwardable]";
2015 b->kdc_options.forwardable = 0;
2018 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
2019 "service %s %s", cpn, tpn, spn, str);
2024 * Constrained delegation
2028 && b->additional_tickets != NULL
2029 && b->additional_tickets->len != 0
2030 && b->kdc_options.enc_tkt_in_skey == 0)
2032 int ad_signedpath = 0;
2037 * Require that the KDC have issued the service's krbtgt (not
2038 * self-issued ticket with kimpersonate(1).
2041 ret = KRB5KDC_ERR_BADOPTION;
2042 kdc_log(context, config, 0,
2043 "Constrained delegation done on service ticket %s/%s",
2048 t = &b->additional_tickets->val[0];
2050 ret = hdb_enctype2key(context, &client->entry,
2051 t->enc_part.etype, &clientkey);
2053 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
2057 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
2059 kdc_log(context, config, 0,
2060 "failed to decrypt ticket for "
2061 "constrained delegation from %s to %s ", cpn, spn);
2065 ret = _krb5_principalname2krb5_principal(context,
2072 ret = krb5_unparse_name(context, tp, &tpn);
2076 ret = _krb5_principalname2krb5_principal(context,
2083 ret = krb5_unparse_name(context, dp, &dpn);
2087 /* check that ticket is valid */
2088 if (adtkt.flags.forwardable == 0) {
2089 kdc_log(context, config, 0,
2090 "Missing forwardable flag on ticket for "
2091 "constrained delegation from %s (%s) as %s to %s ",
2092 cpn, dpn, tpn, spn);
2093 ret = KRB5KDC_ERR_BADOPTION;
2097 ret = check_constrained_delegation(context, config, clientdb,
2098 client, server, sp);
2100 kdc_log(context, config, 0,
2101 "constrained delegation from %s (%s) as %s to %s not allowed",
2102 cpn, dpn, tpn, spn);
2106 ret = verify_flags(context, config, &adtkt, tpn);
2111 krb5_data_free(&rspac);
2114 * generate the PAC for the user.
2116 * TODO: pass in t->sname and t->realm and build
2117 * a S4U_DELEGATION_INFO blob to the PAC.
2119 ret = check_PAC(context, config, tp, dp,
2120 client, server, krbtgt,
2121 &clientkey->key, &tkey_check->key,
2122 ekey, &tkey_sign->key,
2123 &adtkt, &rspac, &ad_signedpath);
2125 const char *msg = krb5_get_error_message(context, ret);
2126 kdc_log(context, config, 0,
2127 "Verify delegated PAC failed to %s for client"
2128 "%s (%s) as %s from %s with %s",
2129 spn, cpn, dpn, tpn, from, msg);
2130 krb5_free_error_message(context, msg);
2135 * Check that the KDC issued the user's ticket.
2137 ret = check_KRB5SignedPath(context,
2145 const char *msg = krb5_get_error_message(context, ret);
2146 kdc_log(context, config, 0,
2147 "KRB5SignedPath check from service %s failed "
2148 "for delegation to %s for client %s (%s)"
2149 "from %s failed with %s",
2150 spn, tpn, dpn, cpn, from, msg);
2151 krb5_free_error_message(context, msg);
2155 if (!ad_signedpath) {
2156 ret = KRB5KDC_ERR_BADOPTION;
2157 kdc_log(context, config, 0,
2158 "Ticket not signed with PAC nor SignedPath service %s failed "
2159 "for delegation to %s for client %s (%s)"
2161 spn, tpn, dpn, cpn, from);
2165 kdc_log(context, config, 0, "constrained delegation for %s "
2166 "from %s (%s) to %s", tpn, cpn, dpn, spn);
2173 ret = kdc_check_flags(context, config,
2180 if((b->kdc_options.validate || b->kdc_options.renew) &&
2181 !krb5_principal_compare(context,
2182 krbtgt->entry.principal,
2183 server->entry.principal)){
2184 kdc_log(context, config, 0, "Inconsistent request.");
2185 ret = KRB5KDC_ERR_SERVER_NOMATCH;
2189 /* check for valid set of addresses */
2190 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2191 ret = KRB5KRB_AP_ERR_BADADDR;
2192 kdc_log(context, config, 0, "Request from wrong address");
2197 * If this is an referral, add server referral data to the
2204 kdc_log(context, config, 0,
2205 "Adding server referral to %s", ref_realm);
2207 ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2211 ret = build_server_referral(context, config, crypto, ref_realm,
2212 NULL, s, &pa.padata_value);
2213 krb5_crypto_destroy(context, crypto);
2215 kdc_log(context, config, 0,
2216 "Failed building server referral");
2219 pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2221 ret = add_METHOD_DATA(&enc_pa_data, &pa);
2222 krb5_data_free(&pa.padata_value);
2224 kdc_log(context, config, 0,
2225 "Add server referral METHOD-DATA failed");
2234 ret = tgs_make_reply(context,
2267 krb5_data_free(&rspac);
2268 krb5_free_keyblock_contents(context, &sessionkey);
2270 _kdc_free_ent(context, krbtgt_out);
2272 _kdc_free_ent(context, server);
2274 _kdc_free_ent(context, client);
2275 if(s4u2self_impersonated_client)
2276 _kdc_free_ent(context, s4u2self_impersonated_client);
2279 krb5_free_principal(context, tp);
2281 krb5_free_principal(context, cp);
2283 krb5_free_principal(context, dp);
2285 krb5_free_principal(context, sp);
2288 free_METHOD_DATA(&enc_pa_data);
2290 free_EncTicketPart(&adtkt);
2300 _kdc_tgs_rep(krb5_context context,
2301 krb5_kdc_configuration *config,
2305 struct sockaddr *from_addr,
2308 AuthorizationData *auth_data = NULL;
2309 krb5_error_code ret;
2311 const PA_DATA *tgs_req;
2313 hdb_entry_ex *krbtgt = NULL;
2314 krb5_ticket *ticket = NULL;
2315 const char *e_text = NULL;
2316 krb5_enctype krbtgt_etype = ETYPE_NULL;
2318 krb5_keyblock *replykey = NULL;
2319 int rk_is_subkey = 0;
2320 time_t *csec = NULL;
2323 if(req->padata == NULL){
2324 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2325 kdc_log(context, config, 0,
2326 "TGS-REQ from %s without PA-DATA", from);
2330 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2332 if(tgs_req == NULL){
2333 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2335 kdc_log(context, config, 0,
2336 "TGS-REQ from %s without PA-TGS-REQ", from);
2339 ret = tgs_parse_request(context, config,
2340 &req->req_body, tgs_req,
2350 if (ret == HDB_ERR_NOT_FOUND_HERE) {
2351 /* kdc_log() is called in tgs_parse_request() */
2355 kdc_log(context, config, 0,
2356 "Failed parsing TGS-REQ from %s", from);
2360 ret = tgs_build_reply(context,
2375 kdc_log(context, config, 0,
2376 "Failed building TGS-REP to %s", from);
2381 if (datagram_reply && data->length > config->max_datagram_reply_length) {
2382 krb5_data_free(data);
2383 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2384 e_text = "Reply packet too large";
2389 krb5_free_keyblock(context, replykey);
2390 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2391 krb5_mk_error(context,
2405 krb5_free_ticket(context, ticket);
2407 _kdc_free_ent(context, krbtgt);
2410 free_AuthorizationData(auth_data);