2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 RCSID("$Id: krb5tgs.c 22071 2007-11-14 20:04:50Z lha $");
39 * return the realm of a krbtgt-ticket or NULL
43 get_krbtgt_realm(const PrincipalName *p)
45 if(p->name_string.len == 2
46 && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
47 return p->name_string.val[1];
53 * The KDC might add a signed path to the ticket authorization data
54 * field. This is to avoid server impersonating clients and the
55 * request constrained delegation.
57 * This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
58 * entry of type KRB5SignedPath.
61 static krb5_error_code
62 find_KRB5SignedPath(krb5_context context,
63 const AuthorizationData *ad,
66 AuthorizationData child;
70 if (ad == NULL || ad->len == 0)
71 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75 if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
76 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
78 ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
79 ad->val[pos].ad_data.length,
83 krb5_set_error_string(context, "Failed to decode "
84 "IF_RELEVANT with %d", ret);
89 free_AuthorizationData(&child);
90 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
93 if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
94 free_AuthorizationData(&child);
95 return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
99 ret = der_copy_octet_string(&child.val[0].ad_data, data);
100 free_AuthorizationData(&child);
105 _kdc_add_KRB5SignedPath(krb5_context context,
106 krb5_kdc_configuration *config,
107 hdb_entry_ex *krbtgt,
108 krb5_enctype enctype,
109 krb5_const_principal server,
110 KRB5SignedPathPrincipals *principals,
116 krb5_crypto crypto = NULL;
119 if (server && principals) {
120 ret = add_KRB5SignedPathPrincipals(principals, server);
126 KRB5SignedPathData spd;
128 spd.encticket = *tkt;
129 spd.delegated = principals;
131 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
135 if (data.length != size)
136 krb5_abortx(context, "internal asn.1 encoder error");
141 ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
151 * Fill in KRB5SignedPath
155 sp.delegated = principals;
157 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
158 data.data, data.length, &sp.cksum);
159 krb5_crypto_destroy(context, crypto);
164 ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
165 free_Checksum(&sp.cksum);
168 if (data.length != size)
169 krb5_abortx(context, "internal asn.1 encoder error");
173 * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
174 * authorization data field.
177 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
178 KRB5_AUTHDATA_SIGNTICKET, &data);
179 krb5_data_free(&data);
184 static krb5_error_code
185 check_KRB5SignedPath(krb5_context context,
186 krb5_kdc_configuration *config,
187 hdb_entry_ex *krbtgt,
189 KRB5SignedPathPrincipals **delegated,
190 int require_signedpath)
194 krb5_crypto crypto = NULL;
198 ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
200 KRB5SignedPathData spd;
202 AuthorizationData *ad;
205 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
206 krb5_data_free(&data);
210 spd.encticket = *tkt;
211 /* the KRB5SignedPath is the last entry */
212 ad = spd.encticket.authorization_data;
214 spd.encticket.authorization_data = NULL;
215 spd.delegated = sp.delegated;
217 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
220 spd.encticket.authorization_data = ad;
222 free_KRB5SignedPath(&sp);
225 if (data.length != size)
226 krb5_abortx(context, "internal asn.1 encoder error");
230 ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
232 ret = krb5_crypto_init(context, &key->key, 0, &crypto);
235 free_KRB5SignedPath(&sp);
239 ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
240 data.data, data.length,
242 krb5_crypto_destroy(context, crypto);
245 free_KRB5SignedPath(&sp);
251 *delegated = malloc(sizeof(*sp.delegated));
252 if (*delegated == NULL) {
253 free_KRB5SignedPath(&sp);
257 ret = copy_KRB5SignedPathPrincipals(*delegated, sp.delegated);
259 free_KRB5SignedPath(&sp);
265 free_KRB5SignedPath(&sp);
268 if (require_signedpath)
269 return KRB5KDC_ERR_BADOPTION;
279 static krb5_error_code
280 check_PAC(krb5_context context,
281 krb5_kdc_configuration *config,
282 const krb5_principal client_principal,
283 hdb_entry_ex *client,
284 hdb_entry_ex *server,
285 const EncryptionKey *server_key,
286 const EncryptionKey *krbtgt_key,
289 int *require_signedpath)
291 AuthorizationData *ad = tkt->authorization_data;
295 if (ad == NULL || ad->len == 0)
298 for (i = 0; i < ad->len; i++) {
299 AuthorizationData child;
301 if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
304 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
305 ad->val[i].ad_data.length,
309 krb5_set_error_string(context, "Failed to decode "
310 "IF_RELEVANT with %d", ret);
313 for (j = 0; j < child.len; j++) {
315 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
319 ret = krb5_pac_parse(context,
320 child.val[j].ad_data.data,
321 child.val[j].ad_data.length,
323 free_AuthorizationData(&child);
327 ret = krb5_pac_verify(context, pac, tkt->authtime,
331 krb5_pac_free(context, pac);
335 ret = _kdc_pac_verify(context, client_principal,
336 client, server, &pac);
338 krb5_pac_free(context, pac);
341 *require_signedpath = 0;
343 ret = _krb5_pac_sign(context, pac, tkt->authtime,
345 server_key, krbtgt_key, rspac);
347 krb5_pac_free(context, pac);
352 free_AuthorizationData(&child);
361 static krb5_error_code
362 check_tgs_flags(krb5_context context,
363 krb5_kdc_configuration *config,
364 KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
366 KDCOptions f = b->kdc_options;
369 if(!tgt->flags.invalid || tgt->starttime == NULL){
370 kdc_log(context, config, 0,
371 "Bad request to validate ticket");
372 return KRB5KDC_ERR_BADOPTION;
374 if(*tgt->starttime > kdc_time){
375 kdc_log(context, config, 0,
376 "Early request to validate ticket");
377 return KRB5KRB_AP_ERR_TKT_NYV;
380 et->flags.invalid = 0;
381 }else if(tgt->flags.invalid){
382 kdc_log(context, config, 0,
383 "Ticket-granting ticket has INVALID flag set");
384 return KRB5KRB_AP_ERR_TKT_INVALID;
388 if(!tgt->flags.forwardable){
389 kdc_log(context, config, 0,
390 "Bad request for forwardable ticket");
391 return KRB5KDC_ERR_BADOPTION;
393 et->flags.forwardable = 1;
396 if(!tgt->flags.forwardable){
397 kdc_log(context, config, 0,
398 "Request to forward non-forwardable ticket");
399 return KRB5KDC_ERR_BADOPTION;
401 et->flags.forwarded = 1;
402 et->caddr = b->addresses;
404 if(tgt->flags.forwarded)
405 et->flags.forwarded = 1;
408 if(!tgt->flags.proxiable){
409 kdc_log(context, config, 0,
410 "Bad request for proxiable ticket");
411 return KRB5KDC_ERR_BADOPTION;
413 et->flags.proxiable = 1;
416 if(!tgt->flags.proxiable){
417 kdc_log(context, config, 0,
418 "Request to proxy non-proxiable ticket");
419 return KRB5KDC_ERR_BADOPTION;
422 et->caddr = b->addresses;
427 if(f.allow_postdate){
428 if(!tgt->flags.may_postdate){
429 kdc_log(context, config, 0,
430 "Bad request for post-datable ticket");
431 return KRB5KDC_ERR_BADOPTION;
433 et->flags.may_postdate = 1;
436 if(!tgt->flags.may_postdate){
437 kdc_log(context, config, 0,
438 "Bad request for postdated ticket");
439 return KRB5KDC_ERR_BADOPTION;
442 *et->starttime = *b->from;
443 et->flags.postdated = 1;
444 et->flags.invalid = 1;
445 }else if(b->from && *b->from > kdc_time + context->max_skew){
446 kdc_log(context, config, 0, "Ticket cannot be postdated");
447 return KRB5KDC_ERR_CANNOT_POSTDATE;
451 if(!tgt->flags.renewable){
452 kdc_log(context, config, 0,
453 "Bad request for renewable ticket");
454 return KRB5KDC_ERR_BADOPTION;
456 et->flags.renewable = 1;
457 ALLOC(et->renew_till);
458 _kdc_fix_time(&b->rtime);
459 *et->renew_till = *b->rtime;
463 if(!tgt->flags.renewable || tgt->renew_till == NULL){
464 kdc_log(context, config, 0,
465 "Request to renew non-renewable ticket");
466 return KRB5KDC_ERR_BADOPTION;
468 old_life = tgt->endtime;
470 old_life -= *tgt->starttime;
472 old_life -= tgt->authtime;
473 et->endtime = *et->starttime + old_life;
474 if (et->renew_till != NULL)
475 et->endtime = min(*et->renew_till, et->endtime);
479 /* checks for excess flags */
480 if(f.request_anonymous && !config->allow_anonymous){
481 kdc_log(context, config, 0,
482 "Request for anonymous ticket");
483 return KRB5KDC_ERR_BADOPTION;
493 static krb5_error_code
494 check_constrained_delegation(krb5_context context,
495 krb5_kdc_configuration *config,
496 hdb_entry_ex *client,
497 krb5_const_principal server)
499 const HDB_Ext_Constrained_delegation_acl *acl;
503 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
505 krb5_clear_error_string(context);
510 for (i = 0; i < acl->len; i++) {
511 if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
515 kdc_log(context, config, 0,
516 "Bad request for constrained delegation");
517 return KRB5KDC_ERR_BADOPTION;
524 static krb5_error_code
525 verify_flags (krb5_context context,
526 krb5_kdc_configuration *config,
527 const EncTicketPart *et,
530 if(et->endtime < kdc_time){
531 kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
532 return KRB5KRB_AP_ERR_TKT_EXPIRED;
534 if(et->flags.invalid){
535 kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
536 return KRB5KRB_AP_ERR_TKT_NYV;
545 static krb5_error_code
546 fix_transited_encoding(krb5_context context,
547 krb5_kdc_configuration *config,
548 krb5_boolean check_policy,
549 const TransitedEncoding *tr,
551 const char *client_realm,
552 const char *server_realm,
553 const char *tgt_realm)
555 krb5_error_code ret = 0;
556 char **realms, **tmp;
560 switch (tr->tr_type) {
561 case DOMAIN_X500_COMPRESS:
565 * Allow empty content of type 0 because that is was Microsoft
566 * generates in their TGT.
568 if (tr->contents.length == 0)
570 kdc_log(context, config, 0,
571 "Transited type 0 with non empty content");
572 return KRB5KDC_ERR_TRTYPE_NOSUPP;
574 kdc_log(context, config, 0,
575 "Unknown transited type: %u", tr->tr_type);
576 return KRB5KDC_ERR_TRTYPE_NOSUPP;
579 ret = krb5_domain_x500_decode(context,
586 krb5_warn(context, ret,
587 "Decoding transited encoding");
590 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
591 /* not us, so add the previous realm to transited set */
592 if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
596 tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
602 realms[num_realms] = strdup(tgt_realm);
603 if(realms[num_realms] == NULL){
609 if(num_realms == 0) {
610 if(strcmp(client_realm, server_realm))
611 kdc_log(context, config, 0,
612 "cross-realm %s -> %s", client_realm, server_realm);
616 for(i = 0; i < num_realms; i++)
617 l += strlen(realms[i]) + 2;
621 for(i = 0; i < num_realms; i++) {
623 strlcat(rs, ", ", l);
624 strlcat(rs, realms[i], l);
626 kdc_log(context, config, 0,
627 "cross-realm %s -> %s via [%s]",
628 client_realm, server_realm, rs);
633 ret = krb5_check_transited(context, client_realm,
635 realms, num_realms, NULL);
637 krb5_warn(context, ret, "cross-realm %s -> %s",
638 client_realm, server_realm);
641 et->flags.transited_policy_checked = 1;
643 et->transited.tr_type = DOMAIN_X500_COMPRESS;
644 ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
646 krb5_warn(context, ret, "Encoding transited encoding");
648 for(i = 0; i < num_realms; i++)
655 static krb5_error_code
656 tgs_make_reply(krb5_context context,
657 krb5_kdc_configuration *config,
659 krb5_const_principal tgt_name,
660 const EncTicketPart *tgt,
661 const EncryptionKey *serverkey,
662 const krb5_keyblock *sessionkey,
664 AuthorizationData *auth_data,
665 hdb_entry_ex *server,
666 const char *server_name,
667 hdb_entry_ex *client,
668 krb5_principal client_principal,
669 hdb_entry_ex *krbtgt,
670 krb5_enctype krbtgt_etype,
671 KRB5SignedPathPrincipals *spp,
672 const krb5_data *rspac,
679 KDCOptions f = b->kdc_options;
682 memset(&rep, 0, sizeof(rep));
683 memset(&et, 0, sizeof(et));
684 memset(&ek, 0, sizeof(ek));
687 rep.msg_type = krb_tgs_rep;
689 et.authtime = tgt->authtime;
690 _kdc_fix_time(&b->till);
691 et.endtime = min(tgt->endtime, *b->till);
693 *et.starttime = kdc_time;
695 ret = check_tgs_flags(context, config, b, tgt, &et);
699 /* We should check the transited encoding if:
700 1) the request doesn't ask not to be checked
701 2) globally enforcing a check
702 3) principal requires checking
703 4) we allow non-check per-principal, but principal isn't marked as allowing this
704 5) we don't globally allow this
707 #define GLOBAL_FORCE_TRANSITED_CHECK \
708 (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
709 #define GLOBAL_ALLOW_PER_PRINCIPAL \
710 (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
711 #define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
712 (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
714 /* these will consult the database in future release */
715 #define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
716 #define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
718 ret = fix_transited_encoding(context, config,
719 !f.disable_transited_check ||
720 GLOBAL_FORCE_TRANSITED_CHECK ||
721 PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
722 !((GLOBAL_ALLOW_PER_PRINCIPAL &&
723 PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
724 GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
725 &tgt->transited, &et,
726 *krb5_princ_realm(context, client_principal),
727 *krb5_princ_realm(context, server->entry.principal),
728 *krb5_princ_realm(context, krbtgt->entry.principal));
732 copy_Realm(krb5_princ_realm(context, server->entry.principal),
734 _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
735 copy_Realm(&tgt_name->realm, &rep.crealm);
737 if (f.request_anonymous)
738 _kdc_make_anonymous_principalname (&rep.cname);
741 copy_PrincipalName(&tgt_name->name, &rep.cname);
742 rep.ticket.tkt_vno = 5;
746 et.caddr = tgt->caddr;
750 life = et.endtime - *et.starttime;
751 if(client && client->entry.max_life)
752 life = min(life, *client->entry.max_life);
753 if(server->entry.max_life)
754 life = min(life, *server->entry.max_life);
755 et.endtime = *et.starttime + life;
757 if(f.renewable_ok && tgt->flags.renewable &&
758 et.renew_till == NULL && et.endtime < *b->till){
759 et.flags.renewable = 1;
760 ALLOC(et.renew_till);
761 *et.renew_till = *b->till;
765 renew = *et.renew_till - et.authtime;
766 if(client && client->entry.max_renew)
767 renew = min(renew, *client->entry.max_renew);
768 if(server->entry.max_renew)
769 renew = min(renew, *server->entry.max_renew);
770 *et.renew_till = et.authtime + renew;
774 *et.renew_till = min(*et.renew_till, *tgt->renew_till);
775 *et.starttime = min(*et.starttime, *et.renew_till);
776 et.endtime = min(et.endtime, *et.renew_till);
779 *et.starttime = min(*et.starttime, et.endtime);
781 if(*et.starttime == et.endtime){
782 ret = KRB5KDC_ERR_NEVER_VALID;
785 if(et.renew_till && et.endtime == *et.renew_till){
787 et.renew_till = NULL;
788 et.flags.renewable = 0;
791 et.flags.pre_authent = tgt->flags.pre_authent;
792 et.flags.hw_authent = tgt->flags.hw_authent;
793 et.flags.anonymous = tgt->flags.anonymous;
794 et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
797 /* XXX Check enc-authorization-data */
798 et.authorization_data = calloc(1, sizeof(*et.authorization_data));
799 if (et.authorization_data == NULL) {
803 ret = copy_AuthorizationData(auth_data, et.authorization_data);
807 /* Filter out type KRB5SignedPath */
808 ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
810 if (et.authorization_data->len == 1) {
811 free_AuthorizationData(et.authorization_data);
812 free(et.authorization_data);
813 et.authorization_data = NULL;
815 AuthorizationData *ad = et.authorization_data;
816 free_AuthorizationDataElement(&ad->val[ad->len - 1]);
824 * No not need to filter out the any PAC from the
825 * auth_data since it's signed by the KDC.
827 ret = _kdc_tkt_add_if_relevant_ad(context, &et,
828 KRB5_AUTHDATA_WIN2K_PAC,
834 ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
837 et.crealm = tgt->crealm;
838 et.cname = tgt_name->name;
841 /* MIT must have at least one last_req */
843 ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
844 if (ek.last_req.val == NULL) {
850 ek.authtime = et.authtime;
851 ek.starttime = et.starttime;
852 ek.endtime = et.endtime;
853 ek.renew_till = et.renew_till;
854 ek.srealm = rep.ticket.realm;
855 ek.sname = rep.ticket.sname;
857 _kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
858 et.endtime, et.renew_till);
860 /* Don't sign cross realm tickets, they can't be checked anyway */
862 char *r = get_krbtgt_realm(&ek.sname);
864 if (r == NULL || strcmp(r, ek.srealm) == 0) {
865 ret = _kdc_add_KRB5SignedPath(context,
877 /* It is somewhat unclear where the etype in the following
878 encryption should come from. What we have is a session
879 key in the passed tgt, and a list of preferred etypes
880 *for the new ticket*. Should we pick the best possible
881 etype, given the keytype in the tgt, or should we look
882 at the etype list here as well? What if the tgt
883 session key is DES3 and we want a ticket with a (say)
884 CAST session key. Should the DES3 etype be added to the
885 etype list, even if we don't want a session key with
887 ret = _kdc_encode_reply(context, config,
888 &rep, &et, &ek, et.key.keytype,
890 serverkey, 0, &tgt->key, e_text, reply);
893 free_TransitedEncoding(&et.transited);
898 if(et.authorization_data) {
899 free_AuthorizationData(et.authorization_data);
900 free(et.authorization_data);
902 free_LastReq(&ek.last_req);
903 memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
904 free_EncryptionKey(&et.key);
908 static krb5_error_code
909 tgs_check_authenticator(krb5_context context,
910 krb5_kdc_configuration *config,
911 krb5_auth_context ac,
916 krb5_authenticator auth;
923 krb5_auth_con_getauthenticator(context, ac, &auth);
924 if(auth->cksum == NULL){
925 kdc_log(context, config, 0, "No authenticator in request");
926 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
930 * according to RFC1510 it doesn't need to be keyed,
931 * but according to the latest draft it needs to.
935 !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
938 !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
939 kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
940 auth->cksum->cksumtype);
941 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
945 /* XXX should not re-encode this */
946 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
948 kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
949 krb5_get_err_text(context, ret));
952 if(buf_size != len) {
954 kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
955 *e_text = "KDC internal error";
956 ret = KRB5KRB_ERR_GENERIC;
959 ret = krb5_crypto_init(context, key, 0, &crypto);
962 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
963 krb5_get_err_text(context, ret));
966 ret = krb5_verify_checksum(context,
968 KRB5_KU_TGS_REQ_AUTH_CKSUM,
973 krb5_crypto_destroy(context, crypto);
975 kdc_log(context, config, 0,
976 "Failed to verify authenticator checksum: %s",
977 krb5_get_err_text(context, ret));
980 free_Authenticator(auth);
990 find_rpath(krb5_context context, Realm crealm, Realm srealm)
992 const char *new_realm = krb5_config_get_string(context,
1003 need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
1005 if(server->name.name_type != KRB5_NT_SRV_INST ||
1006 server->name.name_string.len != 2)
1009 return _krb5_get_host_realm_int(context, server->name.name_string.val[1],
1010 FALSE, realms) == 0;
1013 static krb5_error_code
1014 tgs_parse_request(krb5_context context,
1015 krb5_kdc_configuration *config,
1017 const PA_DATA *tgs_req,
1018 hdb_entry_ex **krbtgt,
1019 krb5_enctype *krbtgt_etype,
1020 krb5_ticket **ticket,
1021 const char **e_text,
1023 const struct sockaddr *from_addr,
1026 AuthorizationData **auth_data)
1029 krb5_error_code ret;
1030 krb5_principal princ;
1031 krb5_auth_context ac = NULL;
1032 krb5_flags ap_req_options;
1033 krb5_flags verify_ap_req_flags;
1041 memset(&ap_req, 0, sizeof(ap_req));
1042 ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1044 kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
1045 krb5_get_err_text(context, ret));
1049 if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1050 /* XXX check for ticket.sname == req.sname */
1051 kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1052 ret = KRB5KDC_ERR_POLICY; /* ? */
1056 _krb5_principalname2krb5_principal(context,
1058 ap_req.ticket.sname,
1059 ap_req.ticket.realm);
1061 ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
1065 ret = krb5_unparse_name(context, princ, &p);
1067 p = "<unparse_name failed>";
1068 krb5_free_principal(context, princ);
1069 kdc_log(context, config, 0,
1070 "Ticket-granting ticket not found in database: %s: %s",
1071 p, krb5_get_err_text(context, ret));
1074 ret = KRB5KRB_AP_ERR_NOT_US;
1078 if(ap_req.ticket.enc_part.kvno &&
1079 *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
1082 ret = krb5_unparse_name (context, princ, &p);
1083 krb5_free_principal(context, princ);
1085 p = "<unparse_name failed>";
1086 kdc_log(context, config, 0,
1087 "Ticket kvno = %d, DB kvno = %d (%s)",
1088 *ap_req.ticket.enc_part.kvno,
1089 (*krbtgt)->entry.kvno,
1093 ret = KRB5KRB_AP_ERR_BADKEYVER;
1097 *krbtgt_etype = ap_req.ticket.enc_part.etype;
1099 ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1100 ap_req.ticket.enc_part.etype, &tkey);
1102 char *str = NULL, *p = NULL;
1104 krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1105 krb5_unparse_name(context, princ, &p);
1106 kdc_log(context, config, 0,
1107 "No server key with enctype %s found for %s",
1108 str ? str : "<unknown enctype>",
1109 p ? p : "<unparse_name failed>");
1112 ret = KRB5KRB_AP_ERR_BADKEYVER;
1116 if (b->kdc_options.validate)
1117 verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1119 verify_ap_req_flags = 0;
1121 ret = krb5_verify_ap_req2(context,
1126 verify_ap_req_flags,
1129 KRB5_KU_TGS_REQ_AUTH);
1131 krb5_free_principal(context, princ);
1133 kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
1134 krb5_get_err_text(context, ret));
1139 krb5_authenticator auth;
1141 ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1143 *csec = malloc(sizeof(**csec));
1144 if (*csec == NULL) {
1145 krb5_free_authenticator(context, &auth);
1146 kdc_log(context, config, 0, "malloc failed");
1149 **csec = auth->ctime;
1150 *cusec = malloc(sizeof(**cusec));
1151 if (*cusec == NULL) {
1152 krb5_free_authenticator(context, &auth);
1153 kdc_log(context, config, 0, "malloc failed");
1156 **cusec = auth->cusec;
1157 krb5_free_authenticator(context, &auth);
1161 ret = tgs_check_authenticator(context, config,
1162 ac, b, e_text, &(*ticket)->ticket.key);
1164 krb5_auth_con_free(context, ac);
1168 if (b->enc_authorization_data) {
1169 unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1170 krb5_keyblock *subkey;
1173 ret = krb5_auth_con_getremotesubkey(context,
1177 krb5_auth_con_free(context, ac);
1178 kdc_log(context, config, 0, "Failed to get remote subkey: %s",
1179 krb5_get_err_text(context, ret));
1183 usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1184 ret = krb5_auth_con_getkey(context, ac, &subkey);
1186 krb5_auth_con_free(context, ac);
1187 kdc_log(context, config, 0, "Failed to get session key: %s",
1188 krb5_get_err_text(context, ret));
1193 krb5_auth_con_free(context, ac);
1194 kdc_log(context, config, 0,
1195 "Failed to get key for enc-authorization-data");
1196 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1199 ret = krb5_crypto_init(context, subkey, 0, &crypto);
1201 krb5_auth_con_free(context, ac);
1202 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1203 krb5_get_err_text(context, ret));
1206 ret = krb5_decrypt_EncryptedData (context,
1209 b->enc_authorization_data,
1211 krb5_crypto_destroy(context, crypto);
1213 krb5_auth_con_free(context, ac);
1214 kdc_log(context, config, 0,
1215 "Failed to decrypt enc-authorization-data");
1216 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1219 krb5_free_keyblock(context, subkey);
1221 if (*auth_data == NULL) {
1222 krb5_auth_con_free(context, ac);
1223 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1226 ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1228 krb5_auth_con_free(context, ac);
1231 kdc_log(context, config, 0, "Failed to decode authorization data");
1232 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1237 krb5_auth_con_free(context, ac);
1240 free_AP_REQ(&ap_req);
1245 static krb5_error_code
1246 tgs_build_reply(krb5_context context,
1247 krb5_kdc_configuration *config,
1250 hdb_entry_ex *krbtgt,
1251 krb5_enctype krbtgt_etype,
1252 krb5_ticket *ticket,
1255 const char **e_text,
1256 AuthorizationData *auth_data,
1257 const struct sockaddr *from_addr,
1260 krb5_error_code ret;
1261 krb5_principal cp = NULL, sp = NULL;
1262 krb5_principal client_principal = NULL;
1263 char *spn = NULL, *cpn = NULL;
1264 hdb_entry_ex *server = NULL, *client = NULL;
1265 EncTicketPart *tgt = &ticket->ticket;
1266 KRB5SignedPathPrincipals *spp = NULL;
1267 const EncryptionKey *ekey;
1268 krb5_keyblock sessionkey;
1271 int cross_realm = 0;
1276 EncTicketPart adtkt;
1278 int require_signedpath = 0;
1280 memset(&sessionkey, 0, sizeof(sessionkey));
1281 memset(&adtkt, 0, sizeof(adtkt));
1282 krb5_data_zero(&rspac);
1287 if(b->kdc_options.enc_tkt_in_skey){
1293 if(b->additional_tickets == NULL ||
1294 b->additional_tickets->len == 0){
1295 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1296 kdc_log(context, config, 0,
1297 "No second ticket present in request");
1300 t = &b->additional_tickets->val[0];
1301 if(!get_krbtgt_realm(&t->sname)){
1302 kdc_log(context, config, 0,
1303 "Additional ticket is not a ticket-granting ticket");
1304 ret = KRB5KDC_ERR_POLICY;
1307 _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1308 ret = _kdc_db_fetch(context, config, p,
1309 HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
1311 krb5_free_principal(context, p);
1313 if (ret == HDB_ERR_NOENTRY)
1314 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1317 ret = hdb_enctype2key(context, &uu->entry,
1318 t->enc_part.etype, &uukey);
1320 _kdc_free_ent(context, uu);
1321 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1324 ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1325 _kdc_free_ent(context, uu);
1329 ret = verify_flags(context, config, &adtkt, spn);
1337 _krb5_principalname2krb5_principal(context, &sp, *s, r);
1338 ret = krb5_unparse_name(context, sp, &spn);
1341 _krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1342 ret = krb5_unparse_name(context, cp, &cpn);
1345 unparse_flags (KDCOptions2int(b->kdc_options),
1346 asn1_KDCOptions_units(),
1347 opt_str, sizeof(opt_str));
1349 kdc_log(context, config, 0,
1350 "TGS-REQ %s from %s for %s [%s]",
1351 cpn, from, spn, opt_str);
1353 kdc_log(context, config, 0,
1354 "TGS-REQ %s from %s for %s", cpn, from, spn);
1361 ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server);
1364 const char *new_rlm;
1368 if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1370 new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1372 kdc_log(context, config, 5, "krbtgt for realm %s "
1373 "not found, trying %s",
1375 krb5_free_principal(context, sp);
1377 krb5_make_principal(context, &sp, r,
1378 KRB5_TGS_NAME, new_rlm, NULL);
1379 ret = krb5_unparse_name(context, sp, &spn);
1382 auth_data = NULL; /* ms don't handle AD in referals */
1386 } else if(need_referral(context, sp, &realms)) {
1387 if (strcmp(realms[0], sp->realm) != 0) {
1388 kdc_log(context, config, 5,
1389 "Returning a referral to realm %s for "
1390 "server %s that was not found",
1392 krb5_free_principal(context, sp);
1394 krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1396 ret = krb5_unparse_name(context, sp, &spn);
1399 krb5_free_host_realm(context, realms);
1400 auth_data = NULL; /* ms don't handle AD in referals */
1403 krb5_free_host_realm(context, realms);
1405 kdc_log(context, config, 0,
1406 "Server not found in database: %s: %s", spn,
1407 krb5_get_err_text(context, ret));
1408 if (ret == HDB_ERR_NOENTRY)
1409 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1413 ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
1415 const char *krbtgt_realm;
1418 * If the client belongs to the same realm as our krbtgt, it
1419 * should exist in the local database.
1424 krb5_principal_get_comp_string(context,
1425 krbtgt->entry.principal, 1);
1427 if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1428 if (ret == HDB_ERR_NOENTRY)
1429 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1430 kdc_log(context, config, 1, "Client no longer in database: %s",
1435 kdc_log(context, config, 1, "Client not found in database: %s: %s",
1436 cpn, krb5_get_err_text(context, ret));
1442 * Check that service is in the same realm as the krbtgt. If it's
1443 * not the same, it's someone that is using a uni-directional trust
1447 if (strcmp(krb5_principal_get_realm(context, sp),
1448 krb5_principal_get_comp_string(context,
1449 krbtgt->entry.principal,
1452 ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1453 kdc_log(context, config, 0,
1454 "Request with wrong krbtgt: %s",
1455 (ret == 0) ? tpn : "<unknown>");
1458 ret = KRB5KRB_AP_ERR_NOT_US;
1466 client_principal = cp;
1469 const PA_DATA *sdata;
1472 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_S4U2SELF);
1477 char *selfcpn = NULL;
1480 ret = decode_PA_S4U2Self(sdata->padata_value.data,
1481 sdata->padata_value.length,
1484 kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1488 ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1492 ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1494 free_PA_S4U2Self(&self);
1495 krb5_data_free(&datack);
1496 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1497 krb5_get_err_text(context, ret));
1501 ret = krb5_verify_checksum(context,
1503 KRB5_KU_OTHER_CKSUM,
1507 krb5_data_free(&datack);
1508 krb5_crypto_destroy(context, crypto);
1510 free_PA_S4U2Self(&self);
1511 kdc_log(context, config, 0,
1512 "krb5_verify_checksum failed for S4U2Self: %s",
1513 krb5_get_err_text(context, ret));
1517 ret = _krb5_principalname2krb5_principal(context,
1521 free_PA_S4U2Self(&self);
1525 ret = krb5_unparse_name(context, client_principal, &selfcpn);
1530 * Check that service doing the impersonating is
1531 * requesting a ticket to it-self.
1533 if (krb5_principal_compare(context, cp, sp) != TRUE) {
1534 kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1535 "to impersonate some other user "
1536 "(tried for user %s to service %s)",
1539 ret = KRB5KDC_ERR_BADOPTION; /* ? */
1544 * If the service isn't trusted for authentication to
1545 * delegation, remove the forward flag.
1548 if (client->entry.flags.trusted_for_delegation) {
1549 str = "[forwardable]";
1551 b->kdc_options.forwardable = 0;
1554 kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1555 "service %s %s", cpn, selfcpn, spn, str);
1561 * Constrained delegation
1565 && b->additional_tickets != NULL
1566 && b->additional_tickets->len != 0
1567 && b->kdc_options.enc_tkt_in_skey == 0)
1573 t = &b->additional_tickets->val[0];
1575 ret = hdb_enctype2key(context, &client->entry,
1576 t->enc_part.etype, &clientkey);
1578 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1582 ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
1584 kdc_log(context, config, 0,
1585 "failed to decrypt ticket for "
1586 "constrained delegation from %s to %s ", spn, cpn);
1590 /* check that ticket is valid */
1592 if (adtkt.flags.forwardable == 0) {
1593 kdc_log(context, config, 0,
1594 "Missing forwardable flag on ticket for "
1595 "constrained delegation from %s to %s ", spn, cpn);
1596 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1600 ret = check_constrained_delegation(context, config, client, sp);
1602 kdc_log(context, config, 0,
1603 "constrained delegation from %s to %s not allowed",
1608 ret = _krb5_principalname2krb5_principal(context,
1615 ret = krb5_unparse_name(context, client_principal, &str);
1619 ret = verify_flags(context, config, &adtkt, str);
1626 * Check KRB5SignedPath in authorization data and add new entry to
1627 * make sure servers can't fake a ticket to us.
1630 ret = check_KRB5SignedPath(context,
1637 kdc_log(context, config, 0,
1638 "KRB5SignedPath check from service %s failed "
1639 "for delegation to %s for client %s "
1640 "from %s failed with %s",
1641 spn, str, cpn, from, krb5_get_err_text(context, ret));
1646 kdc_log(context, config, 0, "constrained delegation for %s "
1647 "from %s to %s", str, cpn, spn);
1651 * Also require that the KDC have issue the service's krbtgt
1652 * used to do the request.
1654 require_signedpath = 1;
1661 ret = _kdc_check_flags(context, config,
1668 if((b->kdc_options.validate || b->kdc_options.renew) &&
1669 !krb5_principal_compare(context,
1670 krbtgt->entry.principal,
1671 server->entry.principal)){
1672 kdc_log(context, config, 0, "Inconsistent request.");
1673 ret = KRB5KDC_ERR_SERVER_NOMATCH;
1677 /* check for valid set of addresses */
1678 if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
1679 ret = KRB5KRB_AP_ERR_BADADDR;
1680 kdc_log(context, config, 0, "Request from wrong address");
1685 * Select enctype, return key and kvno.
1691 if(b->kdc_options.enc_tkt_in_skey) {
1694 for(i = 0; i < b->etype.len; i++)
1695 if (b->etype.val[i] == adtkt.key.keytype)
1697 if(i == b->etype.len) {
1698 krb5_clear_error_string(context);
1699 return KRB5KDC_ERR_ETYPE_NOSUPP;
1701 etype = b->etype.val[i];
1706 ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
1709 kdc_log(context, config, 0,
1710 "Server (%s) has no support for etypes", spp);
1714 kvno = server->entry.kvno;
1717 ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1722 /* check PAC if not cross realm and if there is one */
1726 ret = hdb_enctype2key(context, &krbtgt->entry,
1727 krbtgt_etype, &tkey);
1729 kdc_log(context, config, 0,
1730 "Failed to find key for krbtgt PAC check");
1734 ret = check_PAC(context, config, client_principal,
1735 client, server, ekey, &tkey->key,
1736 tgt, &rspac, &require_signedpath);
1738 kdc_log(context, config, 0,
1739 "Verify PAC failed for %s (%s) from %s with %s",
1740 spn, cpn, from, krb5_get_err_text(context, ret));
1745 /* also check the krbtgt for signature */
1746 ret = check_KRB5SignedPath(context,
1751 require_signedpath);
1753 kdc_log(context, config, 0,
1754 "KRB5SignedPath check failed for %s (%s) from %s with %s",
1755 spn, cpn, from, krb5_get_err_text(context, ret));
1763 ret = tgs_make_reply(context,
1787 krb5_data_free(&rspac);
1788 krb5_free_keyblock_contents(context, &sessionkey);
1790 _kdc_free_ent(context, server);
1792 _kdc_free_ent(context, client);
1794 if (client_principal && client_principal != cp)
1795 krb5_free_principal(context, client_principal);
1797 krb5_free_principal(context, cp);
1799 krb5_free_principal(context, sp);
1801 free_EncTicketPart(&adtkt);
1811 _kdc_tgs_rep(krb5_context context,
1812 krb5_kdc_configuration *config,
1816 struct sockaddr *from_addr,
1819 AuthorizationData *auth_data = NULL;
1820 krb5_error_code ret;
1822 const PA_DATA *tgs_req;
1824 hdb_entry_ex *krbtgt = NULL;
1825 krb5_ticket *ticket = NULL;
1826 const char *e_text = NULL;
1827 krb5_enctype krbtgt_etype = ETYPE_NULL;
1829 time_t *csec = NULL;
1832 if(req->padata == NULL){
1833 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
1834 kdc_log(context, config, 0,
1835 "TGS-REQ from %s without PA-DATA", from);
1839 tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
1841 if(tgs_req == NULL){
1842 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
1844 kdc_log(context, config, 0,
1845 "TGS-REQ from %s without PA-TGS-REQ", from);
1848 ret = tgs_parse_request(context, config,
1849 &req->req_body, tgs_req,
1858 kdc_log(context, config, 0,
1859 "Failed parsing TGS-REQ from %s", from);
1863 ret = tgs_build_reply(context,
1877 kdc_log(context, config, 0,
1878 "Failed building TGS-REP to %s", from);
1883 if (datagram_reply && data->length > config->max_datagram_reply_length) {
1884 krb5_data_free(data);
1885 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
1886 e_text = "Reply packet too large";
1890 if(ret && data->data == NULL){
1891 krb5_mk_error(context,
1904 krb5_free_ticket(context, ticket);
1906 _kdc_free_ent(context, krbtgt);
1909 free_AuthorizationData(auth_data);
projects / FreeBSD / releng / 9.2.git / blob