Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

krb5tgs.c

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 60.8 KB

Line
1	/*
2	* Copyright (c) 1997-2008 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	*
13	* 2. Redistributions in binary form must reproduce the above copyright
14	* notice, this list of conditions and the following disclaimer in the
15	* documentation and/or other materials provided with the distribution.
16	*
17	* 3. Neither the name of the Institute nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include "kdc_locl.h"
35
36	/*
37	* return the realm of a krbtgt-ticket or NULL
38	*/
39
40	static Realm
41	get_krbtgt_realm(const PrincipalName *p)
42	{
43	if(p->name_string.len == 2
44	&& strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
45	return p->name_string.val[1];
46	else
47	return NULL;
48	}
49
50	/*
51	* The KDC might add a signed path to the ticket authorization data
52	* field. This is to avoid server impersonating clients and the
53	* request constrained delegation.
54	*
55	* This is done by storing a KRB5_AUTHDATA_IF_RELEVANT with a single
56	* entry of type KRB5SignedPath.
57	*/
58
59	static krb5_error_code
60	find_KRB5SignedPath(krb5_context context,
61	const AuthorizationData *ad,
62	krb5_data *data)
63	{
64	AuthorizationData child;
65	krb5_error_code ret;
66	int pos;
67
68	if (ad == NULL \|\| ad->len == 0)
69	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
70
71	pos = ad->len - 1;
72
73	if (ad->val[pos].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
74	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
75
76	ret = decode_AuthorizationData(ad->val[pos].ad_data.data,
77	ad->val[pos].ad_data.length,
78	&child,
79	NULL);
80	if (ret) {
81	krb5_set_error_message(context, ret, "Failed to decode "
82	"IF_RELEVANT with %d", ret);
83	return ret;
84	}
85
86	if (child.len != 1) {
87	free_AuthorizationData(&child);
88	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
89	}
90
91	if (child.val[0].ad_type != KRB5_AUTHDATA_SIGNTICKET) {
92	free_AuthorizationData(&child);
93	return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
94	}
95
96	if (data)
97	ret = der_copy_octet_string(&child.val[0].ad_data, data);
98	free_AuthorizationData(&child);
99	return ret;
100	}
101
102	krb5_error_code
103	_kdc_add_KRB5SignedPath(krb5_context context,
104	krb5_kdc_configuration *config,
105	hdb_entry_ex *krbtgt,
106	krb5_enctype enctype,
107	krb5_principal client,
108	krb5_const_principal server,
109	krb5_principals principals,
110	EncTicketPart *tkt)
111	{
112	krb5_error_code ret;
113	KRB5SignedPath sp;
114	krb5_data data;
115	krb5_crypto crypto = NULL;
116	size_t size;
117
118	if (server && principals) {
119	ret = add_Principals(principals, server);
120	if (ret)
121	return ret;
122	}
123
124	{
125	KRB5SignedPathData spd;
126
127	spd.client = client;
128	spd.authtime = tkt->authtime;
129	spd.delegated = principals;
130	spd.method_data = NULL;
131
132	ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
133	&spd, &size, ret);
134	if (ret)
135	return ret;
136	if (data.length != size)
137	krb5_abortx(context, "internal asn.1 encoder error");
138	}
139
140	{
141	Key *key;
142	ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &key);
143	if (ret == 0)
144	ret = krb5_crypto_init(context, &key->key, 0, &crypto);
145	if (ret) {
146	free(data.data);
147	return ret;
148	}
149	}
150
151	/*
152	* Fill in KRB5SignedPath
153	*/
154
155	sp.etype = enctype;
156	sp.delegated = principals;
157	sp.method_data = NULL;
158
159	ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
160	data.data, data.length, &sp.cksum);
161	krb5_crypto_destroy(context, crypto);
162	free(data.data);
163	if (ret)
164	return ret;
165
166	ASN1_MALLOC_ENCODE(KRB5SignedPath, data.data, data.length, &sp, &size, ret);
167	free_Checksum(&sp.cksum);
168	if (ret)
169	return ret;
170	if (data.length != size)
171	krb5_abortx(context, "internal asn.1 encoder error");
172
173
174	/*
175	* Add IF-RELEVANT(KRB5SignedPath) to the last slot in
176	* authorization data field.
177	*/
178
179	ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
180	KRB5_AUTHDATA_SIGNTICKET, &data);
181	krb5_data_free(&data);
182
183	return ret;
184	}
185
186	static krb5_error_code
187	check_KRB5SignedPath(krb5_context context,
188	krb5_kdc_configuration *config,
189	hdb_entry_ex *krbtgt,
190	krb5_principal cp,
191	EncTicketPart *tkt,
192	krb5_principals *delegated,
193	int *signedpath)
194	{
195	krb5_error_code ret;
196	krb5_data data;
197	krb5_crypto crypto = NULL;
198
199	if (delegated)
200	*delegated = NULL;
201
202	ret = find_KRB5SignedPath(context, tkt->authorization_data, &data);
203	if (ret == 0) {
204	KRB5SignedPathData spd;
205	KRB5SignedPath sp;
206	size_t size;
207
208	ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
209	krb5_data_free(&data);
210	if (ret)
211	return ret;
212
213	spd.client = cp;
214	spd.authtime = tkt->authtime;
215	spd.delegated = sp.delegated;
216	spd.method_data = sp.method_data;
217
218	ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
219	&spd, &size, ret);
220	if (ret) {
221	free_KRB5SignedPath(&sp);
222	return ret;
223	}
224	if (data.length != size)
225	krb5_abortx(context, "internal asn.1 encoder error");
226
227	{
228	Key *key;
229	ret = hdb_enctype2key(context, &krbtgt->entry, sp.etype, &key);
230	if (ret == 0)
231	ret = krb5_crypto_init(context, &key->key, 0, &crypto);
232	if (ret) {
233	free(data.data);
234	free_KRB5SignedPath(&sp);
235	return ret;
236	}
237	}
238	ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
239	data.data, data.length,
240	&sp.cksum);
241	krb5_crypto_destroy(context, crypto);
242	free(data.data);
243	if (ret) {
244	free_KRB5SignedPath(&sp);
245	kdc_log(context, config, 5,
246	"KRB5SignedPath not signed correctly, not marking as signed");
247	return 0;
248	}
249
250	if (delegated && sp.delegated) {
251
252	delegated = malloc(sizeof(sp.delegated));
253	if (*delegated == NULL) {
254	free_KRB5SignedPath(&sp);
255	return ENOMEM;
256	}
257
258	ret = copy_Principals(*delegated, sp.delegated);
259	if (ret) {
260	free_KRB5SignedPath(&sp);
261	free(*delegated);
262	*delegated = NULL;
263	return ret;
264	}
265	}
266	free_KRB5SignedPath(&sp);
267
268	*signedpath = 1;
269	}
270
271	return 0;
272	}
273
274	/*
275	*
276	*/
277
278	static krb5_error_code
279	check_PAC(krb5_context context,
280	krb5_kdc_configuration *config,
281	const krb5_principal client_principal,
282	hdb_entry_ex *client,
283	hdb_entry_ex *server,
284	hdb_entry_ex *krbtgt,
285	const EncryptionKey *server_key,
286	const EncryptionKey *krbtgt_check_key,
287	const EncryptionKey *krbtgt_sign_key,
288	EncTicketPart *tkt,
289	krb5_data *rspac,
290	int *signedpath)
291	{
292	AuthorizationData *ad = tkt->authorization_data;
293	unsigned i, j;
294	krb5_error_code ret;
295
296	if (ad == NULL \|\| ad->len == 0)
297	return 0;
298
299	for (i = 0; i < ad->len; i++) {
300	AuthorizationData child;
301
302	if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
303	continue;
304
305	ret = decode_AuthorizationData(ad->val[i].ad_data.data,
306	ad->val[i].ad_data.length,
307	&child,
308	NULL);
309	if (ret) {
310	krb5_set_error_message(context, ret, "Failed to decode "
311	"IF_RELEVANT with %d", ret);
312	return ret;
313	}
314	for (j = 0; j < child.len; j++) {
315
316	if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
317	int signed_pac = 0;
318	krb5_pac pac;
319
320	/* Found PAC */
321	ret = krb5_pac_parse(context,
322	child.val[j].ad_data.data,
323	child.val[j].ad_data.length,
324	&pac);
325	free_AuthorizationData(&child);
326	if (ret)
327	return ret;
328
329	ret = krb5_pac_verify(context, pac, tkt->authtime,
330	client_principal,
331	krbtgt_check_key, NULL);
332	if (ret) {
333	krb5_pac_free(context, pac);
334	return ret;
335	}
336
337	ret = _kdc_pac_verify(context, client_principal,
338	client, server, krbtgt, &pac, &signed_pac);
339	if (ret) {
340	krb5_pac_free(context, pac);
341	return ret;
342	}
343
344	/*
345	* Only re-sign PAC if we could verify it with the PAC
346	* function. The no-verify case happens when we get in
347	* a PAC from cross realm from a Windows domain and
348	* that there is no PAC verification function.
349	*/
350	if (signed_pac) {
351	*signedpath = 1;
352	ret = _krb5_pac_sign(context, pac, tkt->authtime,
353	client_principal,
354	server_key, krbtgt_sign_key, rspac);
355	}
356	krb5_pac_free(context, pac);
357
358	return ret;
359	}
360	}
361	free_AuthorizationData(&child);
362	}
363	return 0;
364	}
365
366	/*
367	*
368	*/
369
370	static krb5_error_code
371	check_tgs_flags(krb5_context context,
372	krb5_kdc_configuration *config,
373	KDC_REQ_BODY b, const EncTicketPart tgt, EncTicketPart *et)
374	{
375	KDCOptions f = b->kdc_options;
376
377	if(f.validate){
378	if(!tgt->flags.invalid \|\| tgt->starttime == NULL){
379	kdc_log(context, config, 0,
380	"Bad request to validate ticket");
381	return KRB5KDC_ERR_BADOPTION;
382	}
383	if(*tgt->starttime > kdc_time){
384	kdc_log(context, config, 0,
385	"Early request to validate ticket");
386	return KRB5KRB_AP_ERR_TKT_NYV;
387	}
388	/* XXX tkt = tgt */
389	et->flags.invalid = 0;
390	}else if(tgt->flags.invalid){
391	kdc_log(context, config, 0,
392	"Ticket-granting ticket has INVALID flag set");
393	return KRB5KRB_AP_ERR_TKT_INVALID;
394	}
395
396	if(f.forwardable){
397	if(!tgt->flags.forwardable){
398	kdc_log(context, config, 0,
399	"Bad request for forwardable ticket");
400	return KRB5KDC_ERR_BADOPTION;
401	}
402	et->flags.forwardable = 1;
403	}
404	if(f.forwarded){
405	if(!tgt->flags.forwardable){
406	kdc_log(context, config, 0,
407	"Request to forward non-forwardable ticket");
408	return KRB5KDC_ERR_BADOPTION;
409	}
410	et->flags.forwarded = 1;
411	et->caddr = b->addresses;
412	}
413	if(tgt->flags.forwarded)
414	et->flags.forwarded = 1;
415
416	if(f.proxiable){
417	if(!tgt->flags.proxiable){
418	kdc_log(context, config, 0,
419	"Bad request for proxiable ticket");
420	return KRB5KDC_ERR_BADOPTION;
421	}
422	et->flags.proxiable = 1;
423	}
424	if(f.proxy){
425	if(!tgt->flags.proxiable){
426	kdc_log(context, config, 0,
427	"Request to proxy non-proxiable ticket");
428	return KRB5KDC_ERR_BADOPTION;
429	}
430	et->flags.proxy = 1;
431	et->caddr = b->addresses;
432	}
433	if(tgt->flags.proxy)
434	et->flags.proxy = 1;
435
436	if(f.allow_postdate){
437	if(!tgt->flags.may_postdate){
438	kdc_log(context, config, 0,
439	"Bad request for post-datable ticket");
440	return KRB5KDC_ERR_BADOPTION;
441	}
442	et->flags.may_postdate = 1;
443	}
444	if(f.postdated){
445	if(!tgt->flags.may_postdate){
446	kdc_log(context, config, 0,
447	"Bad request for postdated ticket");
448	return KRB5KDC_ERR_BADOPTION;
449	}
450	if(b->from)
451	et->starttime = b->from;
452	et->flags.postdated = 1;
453	et->flags.invalid = 1;
454	}else if(b->from && *b->from > kdc_time + context->max_skew){
455	kdc_log(context, config, 0, "Ticket cannot be postdated");
456	return KRB5KDC_ERR_CANNOT_POSTDATE;
457	}
458
459	if(f.renewable){
460	if(!tgt->flags.renewable \|\| tgt->renew_till == NULL){
461	kdc_log(context, config, 0,
462	"Bad request for renewable ticket");
463	return KRB5KDC_ERR_BADOPTION;
464	}
465	et->flags.renewable = 1;
466	ALLOC(et->renew_till);
467	_kdc_fix_time(&b->rtime);
468	et->renew_till = b->rtime;
469	}
470	if(f.renew){
471	time_t old_life;
472	if(!tgt->flags.renewable \|\| tgt->renew_till == NULL){
473	kdc_log(context, config, 0,
474	"Request to renew non-renewable ticket");
475	return KRB5KDC_ERR_BADOPTION;
476	}
477	old_life = tgt->endtime;
478	if(tgt->starttime)
479	old_life -= *tgt->starttime;
480	else
481	old_life -= tgt->authtime;
482	et->endtime = *et->starttime + old_life;
483	if (et->renew_till != NULL)
484	et->endtime = min(*et->renew_till, et->endtime);
485	}
486
487	#if 0
488	/* checks for excess flags */
489	if(f.request_anonymous && !config->allow_anonymous){
490	kdc_log(context, config, 0,
491	"Request for anonymous ticket");
492	return KRB5KDC_ERR_BADOPTION;
493	}
494	#endif
495	return 0;
496	}
497
498	/*
499	* Determine if constrained delegation is allowed from this client to this server
500	*/
501
502	static krb5_error_code
503	check_constrained_delegation(krb5_context context,
504	krb5_kdc_configuration *config,
505	HDB *clientdb,
506	hdb_entry_ex *client,
507	krb5_const_principal server)
508	{
509	const HDB_Ext_Constrained_delegation_acl *acl;
510	krb5_error_code ret;
511	int i;
512
513	/* if client delegates to itself, that ok */
514	if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
515	return 0;
516
517	if (clientdb->hdb_check_constrained_delegation) {
518	ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
519	if (ret == 0)
520	return 0;
521	} else {
522	ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
523	if (ret) {
524	krb5_clear_error_message(context);
525	return ret;
526	}
527
528	if (acl) {
529	for (i = 0; i < acl->len; i++) {
530	if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
531	return 0;
532	}
533	}
534	ret = KRB5KDC_ERR_BADOPTION;
535	}
536	kdc_log(context, config, 0,
537	"Bad request for constrained delegation");
538	return ret;
539	}
540
541	/*
542	* Determine if s4u2self is allowed from this client to this server
543	*
544	* For example, regardless of the principal being impersonated, if the
545	* 'client' and 'server' are the same, then it's safe.
546	*/
547
548	static krb5_error_code
549	check_s4u2self(krb5_context context,
550	krb5_kdc_configuration *config,
551	HDB *clientdb,
552	hdb_entry_ex *client,
553	krb5_const_principal server)
554	{
555	krb5_error_code ret;
556
557	/* if client does a s4u2self to itself, that ok */
558	if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
559	return 0;
560
561	if (clientdb->hdb_check_s4u2self) {
562	ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
563	if (ret == 0)
564	return 0;
565	} else {
566	ret = KRB5KDC_ERR_BADOPTION;
567	}
568	return ret;
569	}
570
571	/*
572	*
573	*/
574
575	static krb5_error_code
576	verify_flags (krb5_context context,
577	krb5_kdc_configuration *config,
578	const EncTicketPart *et,
579	const char *pstr)
580	{
581	if(et->endtime < kdc_time){
582	kdc_log(context, config, 0, "Ticket expired (%s)", pstr);
583	return KRB5KRB_AP_ERR_TKT_EXPIRED;
584	}
585	if(et->flags.invalid){
586	kdc_log(context, config, 0, "Ticket not valid (%s)", pstr);
587	return KRB5KRB_AP_ERR_TKT_NYV;
588	}
589	return 0;
590	}
591
592	/*
593	*
594	*/
595
596	static krb5_error_code
597	fix_transited_encoding(krb5_context context,
598	krb5_kdc_configuration *config,
599	krb5_boolean check_policy,
600	const TransitedEncoding *tr,
601	EncTicketPart *et,
602	const char *client_realm,
603	const char *server_realm,
604	const char *tgt_realm)
605	{
606	krb5_error_code ret = 0;
607	char realms, tmp;
608	unsigned int num_realms;
609	int i;
610
611	switch (tr->tr_type) {
612	case DOMAIN_X500_COMPRESS:
613	break;
614	case 0:
615	/*
616	* Allow empty content of type 0 because that is was Microsoft
617	* generates in their TGT.
618	*/
619	if (tr->contents.length == 0)
620	break;
621	kdc_log(context, config, 0,
622	"Transited type 0 with non empty content");
623	return KRB5KDC_ERR_TRTYPE_NOSUPP;
624	default:
625	kdc_log(context, config, 0,
626	"Unknown transited type: %u", tr->tr_type);
627	return KRB5KDC_ERR_TRTYPE_NOSUPP;
628	}
629
630	ret = krb5_domain_x500_decode(context,
631	tr->contents,
632	&realms,
633	&num_realms,
634	client_realm,
635	server_realm);
636	if(ret){
637	krb5_warn(context, ret,
638	"Decoding transited encoding");
639	return ret;
640	}
641	if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
642	/* not us, so add the previous realm to transited set */
643	if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
644	ret = ERANGE;
645	goto free_realms;
646	}
647	tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
648	if(tmp == NULL){
649	ret = ENOMEM;
650	goto free_realms;
651	}
652	realms = tmp;
653	realms[num_realms] = strdup(tgt_realm);
654	if(realms[num_realms] == NULL){
655	ret = ENOMEM;
656	goto free_realms;
657	}
658	num_realms++;
659	}
660	if(num_realms == 0) {
661	if(strcmp(client_realm, server_realm))
662	kdc_log(context, config, 0,
663	"cross-realm %s -> %s", client_realm, server_realm);
664	} else {
665	size_t l = 0;
666	char *rs;
667	for(i = 0; i < num_realms; i++)
668	l += strlen(realms[i]) + 2;
669	rs = malloc(l);
670	if(rs != NULL) {
671	*rs = '\0';
672	for(i = 0; i < num_realms; i++) {
673	if(i > 0)
674	strlcat(rs, ", ", l);
675	strlcat(rs, realms[i], l);
676	}
677	kdc_log(context, config, 0,
678	"cross-realm %s -> %s via [%s]",
679	client_realm, server_realm, rs);
680	free(rs);
681	}
682	}
683	if(check_policy) {
684	ret = krb5_check_transited(context, client_realm,
685	server_realm,
686	realms, num_realms, NULL);
687	if(ret) {
688	krb5_warn(context, ret, "cross-realm %s -> %s",
689	client_realm, server_realm);
690	goto free_realms;
691	}
692	et->flags.transited_policy_checked = 1;
693	}
694	et->transited.tr_type = DOMAIN_X500_COMPRESS;
695	ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
696	if(ret)
697	krb5_warn(context, ret, "Encoding transited encoding");
698	free_realms:
699	for(i = 0; i < num_realms; i++)
700	free(realms[i]);
701	free(realms);
702	return ret;
703	}
704
705
706	static krb5_error_code
707	tgs_make_reply(krb5_context context,
708	krb5_kdc_configuration *config,
709	KDC_REQ_BODY *b,
710	krb5_const_principal tgt_name,
711	const EncTicketPart *tgt,
712	const krb5_keyblock *replykey,
713	int rk_is_subkey,
714	const EncryptionKey *serverkey,
715	const krb5_keyblock *sessionkey,
716	krb5_kvno kvno,
717	AuthorizationData *auth_data,
718	hdb_entry_ex *server,
719	krb5_principal server_principal,
720	const char *server_name,
721	hdb_entry_ex *client,
722	krb5_principal client_principal,
723	hdb_entry_ex *krbtgt,
724	krb5_enctype krbtgt_etype,
725	krb5_principals spp,
726	const krb5_data *rspac,
727	const METHOD_DATA *enc_pa_data,
728	const char **e_text,
729	krb5_data *reply)
730	{
731	KDC_REP rep;
732	EncKDCRepPart ek;
733	EncTicketPart et;
734	KDCOptions f = b->kdc_options;
735	krb5_error_code ret;
736	int is_weak = 0;
737
738	memset(&rep, 0, sizeof(rep));
739	memset(&et, 0, sizeof(et));
740	memset(&ek, 0, sizeof(ek));
741
742	rep.pvno = 5;
743	rep.msg_type = krb_tgs_rep;
744
745	et.authtime = tgt->authtime;
746	_kdc_fix_time(&b->till);
747	et.endtime = min(tgt->endtime, *b->till);
748	ALLOC(et.starttime);
749	*et.starttime = kdc_time;
750
751	ret = check_tgs_flags(context, config, b, tgt, &et);
752	if(ret)
753	goto out;
754
755	/* We should check the transited encoding if:
756	1) the request doesn't ask not to be checked
757	2) globally enforcing a check
758	3) principal requires checking
759	4) we allow non-check per-principal, but principal isn't marked as allowing this
760	5) we don't globally allow this
761	*/
762
763	#define GLOBAL_FORCE_TRANSITED_CHECK \
764	(config->trpolicy == TRPOLICY_ALWAYS_CHECK)
765	#define GLOBAL_ALLOW_PER_PRINCIPAL \
766	(config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
767	#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
768	(config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
769
770	/* these will consult the database in future release */
771	#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
772	#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
773
774	ret = fix_transited_encoding(context, config,
775	!f.disable_transited_check \|\|
776	GLOBAL_FORCE_TRANSITED_CHECK \|\|
777	PRINCIPAL_FORCE_TRANSITED_CHECK(server) \|\|
778	!((GLOBAL_ALLOW_PER_PRINCIPAL &&
779	PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) \|\|
780	GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
781	&tgt->transited, &et,
782	krb5_principal_get_realm(context, client_principal),
783	krb5_principal_get_realm(context, server->entry.principal),
784	krb5_principal_get_realm(context, krbtgt->entry.principal));
785	if(ret)
786	goto out;
787
788	copy_Realm(&server_principal->realm, &rep.ticket.realm);
789	_krb5_principal2principalname(&rep.ticket.sname, server_principal);
790	copy_Realm(&tgt_name->realm, &rep.crealm);
791	/*
792	if (f.request_anonymous)
793	_kdc_make_anonymous_principalname (&rep.cname);
794	else */
795
796	copy_PrincipalName(&tgt_name->name, &rep.cname);
797	rep.ticket.tkt_vno = 5;
798
799	ek.caddr = et.caddr;
800	if(et.caddr == NULL)
801	et.caddr = tgt->caddr;
802
803	{
804	time_t life;
805	life = et.endtime - *et.starttime;
806	if(client && client->entry.max_life)
807	life = min(life, *client->entry.max_life);
808	if(server->entry.max_life)
809	life = min(life, *server->entry.max_life);
810	et.endtime = *et.starttime + life;
811	}
812	if(f.renewable_ok && tgt->flags.renewable &&
813	et.renew_till == NULL && et.endtime < *b->till &&
814	tgt->renew_till != NULL)
815	{
816	et.flags.renewable = 1;
817	ALLOC(et.renew_till);
818	et.renew_till = b->till;
819	}
820	if(et.renew_till){
821	time_t renew;
822	renew = *et.renew_till - et.authtime;
823	if(client && client->entry.max_renew)
824	renew = min(renew, *client->entry.max_renew);
825	if(server->entry.max_renew)
826	renew = min(renew, *server->entry.max_renew);
827	*et.renew_till = et.authtime + renew;
828	}
829
830	if(et.renew_till){
831	et.renew_till = min(et.renew_till, *tgt->renew_till);
832	et.starttime = min(et.starttime, *et.renew_till);
833	et.endtime = min(et.endtime, *et.renew_till);
834	}
835
836	et.starttime = min(et.starttime, et.endtime);
837
838	if(*et.starttime == et.endtime){
839	ret = KRB5KDC_ERR_NEVER_VALID;
840	goto out;
841	}
842	if(et.renew_till && et.endtime == *et.renew_till){
843	free(et.renew_till);
844	et.renew_till = NULL;
845	et.flags.renewable = 0;
846	}
847
848	et.flags.pre_authent = tgt->flags.pre_authent;
849	et.flags.hw_authent = tgt->flags.hw_authent;
850	et.flags.anonymous = tgt->flags.anonymous;
851	et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
852
853	if(rspac->length) {
854	/*
855	* No not need to filter out the any PAC from the
856	* auth_data since it's signed by the KDC.
857	*/
858	ret = _kdc_tkt_add_if_relevant_ad(context, &et,
859	KRB5_AUTHDATA_WIN2K_PAC, rspac);
860	if (ret)
861	goto out;
862	}
863
864	if (auth_data) {
865	unsigned int i = 0;
866
867	/* XXX check authdata */
868
869	if (et.authorization_data == NULL) {
870	et.authorization_data = calloc(1, sizeof(*et.authorization_data));
871	if (et.authorization_data == NULL) {
872	ret = ENOMEM;
873	krb5_set_error_message(context, ret, "malloc: out of memory");
874	goto out;
875	}
876	}
877	for(i = 0; i < auth_data->len ; i++) {
878	ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
879	if (ret) {
880	krb5_set_error_message(context, ret, "malloc: out of memory");
881	goto out;
882	}
883	}
884
885	/* Filter out type KRB5SignedPath */
886	ret = find_KRB5SignedPath(context, et.authorization_data, NULL);
887	if (ret == 0) {
888	if (et.authorization_data->len == 1) {
889	free_AuthorizationData(et.authorization_data);
890	free(et.authorization_data);
891	et.authorization_data = NULL;
892	} else {
893	AuthorizationData *ad = et.authorization_data;
894	free_AuthorizationDataElement(&ad->val[ad->len - 1]);
895	ad->len--;
896	}
897	}
898	}
899
900	ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
901	if (ret)
902	goto out;
903	et.crealm = tgt->crealm;
904	et.cname = tgt_name->name;
905
906	ek.key = et.key;
907	/* MIT must have at least one last_req */
908	ek.last_req.len = 1;
909	ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
910	if (ek.last_req.val == NULL) {
911	ret = ENOMEM;
912	goto out;
913	}
914	ek.nonce = b->nonce;
915	ek.flags = et.flags;
916	ek.authtime = et.authtime;
917	ek.starttime = et.starttime;
918	ek.endtime = et.endtime;
919	ek.renew_till = et.renew_till;
920	ek.srealm = rep.ticket.realm;
921	ek.sname = rep.ticket.sname;
922
923	_kdc_log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
924	et.endtime, et.renew_till);
925
926	/* Don't sign cross realm tickets, they can't be checked anyway */
927	{
928	char *r = get_krbtgt_realm(&ek.sname);
929
930	if (r == NULL \|\| strcmp(r, ek.srealm) == 0) {
931	ret = _kdc_add_KRB5SignedPath(context,
932	config,
933	krbtgt,
934	krbtgt_etype,
935	client_principal,
936	NULL,
937	spp,
938	&et);
939	if (ret)
940	goto out;
941	}
942	}
943
944	if (enc_pa_data->len) {
945	rep.padata = calloc(1, sizeof(*rep.padata));
946	if (rep.padata == NULL) {
947	ret = ENOMEM;
948	goto out;
949	}
950	ret = copy_METHOD_DATA(enc_pa_data, rep.padata);
951	if (ret)
952	goto out;
953	}
954
955	if (krb5_enctype_valid(context, et.key.keytype) != 0
956	&& _kdc_is_weak_exception(server->entry.principal, et.key.keytype))
957	{
958	krb5_enctype_enable(context, et.key.keytype);
959	is_weak = 1;
960	}
961
962
963	/* It is somewhat unclear where the etype in the following
964	encryption should come from. What we have is a session
965	key in the passed tgt, and a list of preferred etypes
966	for the new ticket. Should we pick the best possible
967	etype, given the keytype in the tgt, or should we look
968	at the etype list here as well? What if the tgt
969	session key is DES3 and we want a ticket with a (say)
970	CAST session key. Should the DES3 etype be added to the
971	etype list, even if we don't want a session key with
972	DES3? */
973	ret = _kdc_encode_reply(context, config,
974	&rep, &et, &ek, et.key.keytype,
975	kvno,
976	serverkey, 0, replykey, rk_is_subkey,
977	e_text, reply);
978	if (is_weak)
979	krb5_enctype_disable(context, et.key.keytype);
980
981	out:
982	free_TGS_REP(&rep);
983	free_TransitedEncoding(&et.transited);
984	if(et.starttime)
985	free(et.starttime);
986	if(et.renew_till)
987	free(et.renew_till);
988	if(et.authorization_data) {
989	free_AuthorizationData(et.authorization_data);
990	free(et.authorization_data);
991	}
992	free_LastReq(&ek.last_req);
993	memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
994	free_EncryptionKey(&et.key);
995	return ret;
996	}
997
998	static krb5_error_code
999	tgs_check_authenticator(krb5_context context,
1000	krb5_kdc_configuration *config,
1001	krb5_auth_context ac,
1002	KDC_REQ_BODY *b,
1003	const char **e_text,
1004	krb5_keyblock *key)
1005	{
1006	krb5_authenticator auth;
1007	size_t len;
1008	unsigned char *buf;
1009	size_t buf_size;
1010	krb5_error_code ret;
1011	krb5_crypto crypto;
1012
1013	krb5_auth_con_getauthenticator(context, ac, &auth);
1014	if(auth->cksum == NULL){
1015	kdc_log(context, config, 0, "No authenticator in request");
1016	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1017	goto out;
1018	}
1019	/*
1020	* according to RFC1510 it doesn't need to be keyed,
1021	* but according to the latest draft it needs to.
1022	*/
1023	if (
1024	#if 0
1025	!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
1026	\|\|
1027	#endif
1028	!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
1029	kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
1030	auth->cksum->cksumtype);
1031	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
1032	goto out;
1033	}
1034
1035	/* XXX should not re-encode this */
1036	ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
1037	if(ret){
1038	const char *msg = krb5_get_error_message(context, ret);
1039	kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
1040	krb5_free_error_message(context, msg);
1041	goto out;
1042	}
1043	if(buf_size != len) {
1044	free(buf);
1045	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
1046	*e_text = "KDC internal error";
1047	ret = KRB5KRB_ERR_GENERIC;
1048	goto out;
1049	}
1050	ret = krb5_crypto_init(context, key, 0, &crypto);
1051	if (ret) {
1052	const char *msg = krb5_get_error_message(context, ret);
1053	free(buf);
1054	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1055	krb5_free_error_message(context, msg);
1056	goto out;
1057	}
1058	ret = krb5_verify_checksum(context,
1059	crypto,
1060	KRB5_KU_TGS_REQ_AUTH_CKSUM,
1061	buf,
1062	len,
1063	auth->cksum);
1064	free(buf);
1065	krb5_crypto_destroy(context, crypto);
1066	if(ret){
1067	const char *msg = krb5_get_error_message(context, ret);
1068	kdc_log(context, config, 0,
1069	"Failed to verify authenticator checksum: %s", msg);
1070	krb5_free_error_message(context, msg);
1071	}
1072	out:
1073	free_Authenticator(auth);
1074	free(auth);
1075	return ret;
1076	}
1077
1078	/*
1079	*
1080	*/
1081
1082	static const char *
1083	find_rpath(krb5_context context, Realm crealm, Realm srealm)
1084	{
1085	const char *new_realm = krb5_config_get_string(context,
1086	NULL,
1087	"capaths",
1088	crealm,
1089	srealm,
1090	NULL);
1091	return new_realm;
1092	}
1093
1094
1095	static krb5_boolean
1096	need_referral(krb5_context context, krb5_kdc_configuration *config,
1097	const KDCOptions * const options, krb5_principal server,
1098	krb5_realm **realms)
1099	{
1100	const char *name;
1101
1102	if(!options->canonicalize && server->name.name_type != KRB5_NT_SRV_INST)
1103	return FALSE;
1104
1105	if (server->name.name_string.len == 1)
1106	name = server->name.name_string.val[0];
1107	else if (server->name.name_string.len > 1)
1108	name = server->name.name_string.val[1];
1109	else
1110	return FALSE;
1111
1112	kdc_log(context, config, 0, "Searching referral for %s", name);
1113
1114	return _krb5_get_host_realm_int(context, name, FALSE, realms) == 0;
1115	}
1116
1117	static krb5_error_code
1118	tgs_parse_request(krb5_context context,
1119	krb5_kdc_configuration *config,
1120	KDC_REQ_BODY *b,
1121	const PA_DATA *tgs_req,
1122	hdb_entry_ex **krbtgt,
1123	krb5_enctype *krbtgt_etype,
1124	krb5_ticket **ticket,
1125	const char **e_text,
1126	const char *from,
1127	const struct sockaddr *from_addr,
1128	time_t **csec,
1129	int **cusec,
1130	AuthorizationData **auth_data,
1131	krb5_keyblock **replykey,
1132	int *rk_is_subkey)
1133	{
1134	krb5_ap_req ap_req;
1135	krb5_error_code ret;
1136	krb5_principal princ;
1137	krb5_auth_context ac = NULL;
1138	krb5_flags ap_req_options;
1139	krb5_flags verify_ap_req_flags;
1140	krb5_crypto crypto;
1141	Key *tkey;
1142	krb5_keyblock *subkey = NULL;
1143	unsigned usage;
1144
1145	*auth_data = NULL;
1146	*csec = NULL;
1147	*cusec = NULL;
1148	*replykey = NULL;
1149
1150	memset(&ap_req, 0, sizeof(ap_req));
1151	ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
1152	if(ret){
1153	const char *msg = krb5_get_error_message(context, ret);
1154	kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
1155	krb5_free_error_message(context, msg);
1156	goto out;
1157	}
1158
1159	if(!get_krbtgt_realm(&ap_req.ticket.sname)){
1160	/* XXX check for ticket.sname == req.sname */
1161	kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
1162	ret = KRB5KDC_ERR_POLICY; /* ? */
1163	goto out;
1164	}
1165
1166	_krb5_principalname2krb5_principal(context,
1167	&princ,
1168	ap_req.ticket.sname,
1169	ap_req.ticket.realm);
1170
1171	ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1172
1173	if(ret == HDB_ERR_NOT_FOUND_HERE) {
1174	char *p;
1175	ret = krb5_unparse_name(context, princ, &p);
1176	if (ret != 0)
1177	p = "<unparse_name failed>";
1178	krb5_free_principal(context, princ);
1179	kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1180	if (ret == 0)
1181	free(p);
1182	ret = HDB_ERR_NOT_FOUND_HERE;
1183	goto out;
1184	} else if(ret){
1185	const char *msg = krb5_get_error_message(context, ret);
1186	char *p;
1187	ret = krb5_unparse_name(context, princ, &p);
1188	if (ret != 0)
1189	p = "<unparse_name failed>";
1190	krb5_free_principal(context, princ);
1191	kdc_log(context, config, 0,
1192	"Ticket-granting ticket not found in database: %s", msg);
1193	krb5_free_error_message(context, msg);
1194	if (ret == 0)
1195	free(p);
1196	ret = KRB5KRB_AP_ERR_NOT_US;
1197	goto out;
1198	}
1199
1200	if(ap_req.ticket.enc_part.kvno &&
1201	ap_req.ticket.enc_part.kvno != (krbtgt)->entry.kvno){
1202	char *p;
1203
1204	ret = krb5_unparse_name (context, princ, &p);
1205	krb5_free_principal(context, princ);
1206	if (ret != 0)
1207	p = "<unparse_name failed>";
1208	kdc_log(context, config, 0,
1209	"Ticket kvno = %d, DB kvno = %d (%s)",
1210	*ap_req.ticket.enc_part.kvno,
1211	(*krbtgt)->entry.kvno,
1212	p);
1213	if (ret == 0)
1214	free (p);
1215	ret = KRB5KRB_AP_ERR_BADKEYVER;
1216	goto out;
1217	}
1218
1219	*krbtgt_etype = ap_req.ticket.enc_part.etype;
1220
1221	ret = hdb_enctype2key(context, &(*krbtgt)->entry,
1222	ap_req.ticket.enc_part.etype, &tkey);
1223	if(ret){
1224	char str = NULL, p = NULL;
1225
1226	krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
1227	krb5_unparse_name(context, princ, &p);
1228	kdc_log(context, config, 0,
1229	"No server key with enctype %s found for %s",
1230	str ? str : "<unknown enctype>",
1231	p ? p : "<unparse_name failed>");
1232	free(str);
1233	free(p);
1234	ret = KRB5KRB_AP_ERR_BADKEYVER;
1235	goto out;
1236	}
1237
1238	if (b->kdc_options.validate)
1239	verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
1240	else
1241	verify_ap_req_flags = 0;
1242
1243	ret = krb5_verify_ap_req2(context,
1244	&ac,
1245	&ap_req,
1246	princ,
1247	&tkey->key,
1248	verify_ap_req_flags,
1249	&ap_req_options,
1250	ticket,
1251	KRB5_KU_TGS_REQ_AUTH);
1252
1253	krb5_free_principal(context, princ);
1254	if(ret) {
1255	const char *msg = krb5_get_error_message(context, ret);
1256	kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
1257	krb5_free_error_message(context, msg);
1258	goto out;
1259	}
1260
1261	{
1262	krb5_authenticator auth;
1263
1264	ret = krb5_auth_con_getauthenticator(context, ac, &auth);
1265	if (ret == 0) {
1266	csec = malloc(sizeof(*csec));
1267	if (*csec == NULL) {
1268	krb5_free_authenticator(context, &auth);
1269	kdc_log(context, config, 0, "malloc failed");
1270	goto out;
1271	}
1272	**csec = auth->ctime;
1273	cusec = malloc(sizeof(*cusec));
1274	if (*cusec == NULL) {
1275	krb5_free_authenticator(context, &auth);
1276	kdc_log(context, config, 0, "malloc failed");
1277	goto out;
1278	}
1279	**cusec = auth->cusec;
1280	krb5_free_authenticator(context, &auth);
1281	}
1282	}
1283
1284	ret = tgs_check_authenticator(context, config,
1285	ac, b, e_text, &(*ticket)->ticket.key);
1286	if (ret) {
1287	krb5_auth_con_free(context, ac);
1288	goto out;
1289	}
1290
1291	usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1292	*rk_is_subkey = 1;
1293
1294	ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1295	if(ret){
1296	const char *msg = krb5_get_error_message(context, ret);
1297	krb5_auth_con_free(context, ac);
1298	kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1299	krb5_free_error_message(context, msg);
1300	goto out;
1301	}
1302	if(subkey == NULL){
1303	usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1304	*rk_is_subkey = 0;
1305
1306	ret = krb5_auth_con_getkey(context, ac, &subkey);
1307	if(ret) {
1308	const char *msg = krb5_get_error_message(context, ret);
1309	krb5_auth_con_free(context, ac);
1310	kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1311	krb5_free_error_message(context, msg);
1312	goto out;
1313	}
1314	}
1315	if(subkey == NULL){
1316	krb5_auth_con_free(context, ac);
1317	kdc_log(context, config, 0,
1318	"Failed to get key for enc-authorization-data");
1319	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1320	goto out;
1321	}
1322
1323	*replykey = subkey;
1324
1325	if (b->enc_authorization_data) {
1326	krb5_data ad;
1327
1328	ret = krb5_crypto_init(context, subkey, 0, &crypto);
1329	if (ret) {
1330	const char *msg = krb5_get_error_message(context, ret);
1331	krb5_auth_con_free(context, ac);
1332	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1333	krb5_free_error_message(context, msg);
1334	goto out;
1335	}
1336	ret = krb5_decrypt_EncryptedData (context,
1337	crypto,
1338	usage,
1339	b->enc_authorization_data,
1340	&ad);
1341	krb5_crypto_destroy(context, crypto);
1342	if(ret){
1343	krb5_auth_con_free(context, ac);
1344	kdc_log(context, config, 0,
1345	"Failed to decrypt enc-authorization-data");
1346	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1347	goto out;
1348	}
1349	ALLOC(*auth_data);
1350	if (*auth_data == NULL) {
1351	krb5_auth_con_free(context, ac);
1352	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1353	goto out;
1354	}
1355	ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
1356	if(ret){
1357	krb5_auth_con_free(context, ac);
1358	free(*auth_data);
1359	*auth_data = NULL;
1360	kdc_log(context, config, 0, "Failed to decode authorization data");
1361	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1362	goto out;
1363	}
1364	}
1365
1366	krb5_auth_con_free(context, ac);
1367
1368	out:
1369	free_AP_REQ(&ap_req);
1370
1371	return ret;
1372	}
1373
1374	static krb5_error_code
1375	build_server_referral(krb5_context context,
1376	krb5_kdc_configuration *config,
1377	krb5_crypto session,
1378	krb5_const_realm referred_realm,
1379	const PrincipalName *true_principal_name,
1380	const PrincipalName *requested_principal,
1381	krb5_data *outdata)
1382	{
1383	PA_ServerReferralData ref;
1384	krb5_error_code ret;
1385	EncryptedData ed;
1386	krb5_data data;
1387	size_t size;
1388
1389	memset(&ref, 0, sizeof(ref));
1390
1391	if (referred_realm) {
1392	ALLOC(ref.referred_realm);
1393	if (ref.referred_realm == NULL)
1394	goto eout;
1395	*ref.referred_realm = strdup(referred_realm);
1396	if (*ref.referred_realm == NULL)
1397	goto eout;
1398	}
1399	if (true_principal_name) {
1400	ALLOC(ref.true_principal_name);
1401	if (ref.true_principal_name == NULL)
1402	goto eout;
1403	ret = copy_PrincipalName(true_principal_name, ref.true_principal_name);
1404	if (ret)
1405	goto eout;
1406	}
1407	if (requested_principal) {
1408	ALLOC(ref.requested_principal_name);
1409	if (ref.requested_principal_name == NULL)
1410	goto eout;
1411	ret = copy_PrincipalName(requested_principal,
1412	ref.requested_principal_name);
1413	if (ret)
1414	goto eout;
1415	}
1416
1417	ASN1_MALLOC_ENCODE(PA_ServerReferralData,
1418	data.data, data.length,
1419	&ref, &size, ret);
1420	free_PA_ServerReferralData(&ref);
1421	if (ret)
1422	return ret;
1423	if (data.length != size)
1424	krb5_abortx(context, "internal asn.1 encoder error");
1425
1426	ret = krb5_encrypt_EncryptedData(context, session,
1427	KRB5_KU_PA_SERVER_REFERRAL,
1428	data.data, data.length,
1429	0 /* kvno */, &ed);
1430	free(data.data);
1431	if (ret)
1432	return ret;
1433
1434	ASN1_MALLOC_ENCODE(EncryptedData,
1435	outdata->data, outdata->length,
1436	&ed, &size, ret);
1437	free_EncryptedData(&ed);
1438	if (ret)
1439	return ret;
1440	if (outdata->length != size)
1441	krb5_abortx(context, "internal asn.1 encoder error");
1442
1443	return 0;
1444	eout:
1445	free_PA_ServerReferralData(&ref);
1446	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
1447	return ENOMEM;
1448	}
1449
1450	static krb5_error_code
1451	tgs_build_reply(krb5_context context,
1452	krb5_kdc_configuration *config,
1453	KDC_REQ *req,
1454	KDC_REQ_BODY *b,
1455	hdb_entry_ex *krbtgt,
1456	krb5_enctype krbtgt_etype,
1457	const krb5_keyblock *replykey,
1458	int rk_is_subkey,
1459	krb5_ticket *ticket,
1460	krb5_data *reply,
1461	const char *from,
1462	const char **e_text,
1463	AuthorizationData **auth_data,
1464	const struct sockaddr *from_addr)
1465	{
1466	krb5_error_code ret;
1467	krb5_principal cp = NULL, sp = NULL;
1468	krb5_principal client_principal = NULL;
1469	krb5_principal krbtgt_principal = NULL;
1470	char spn = NULL, cpn = NULL;
1471	hdb_entry_ex server = NULL, client = NULL, *s4u2self_impersonated_client = NULL;
1472	HDB clientdb, s4u2self_impersonated_clientdb;
1473	krb5_realm ref_realm = NULL;
1474	EncTicketPart *tgt = &ticket->ticket;
1475	krb5_principals spp = NULL;
1476	const EncryptionKey *ekey;
1477	krb5_keyblock sessionkey;
1478	krb5_kvno kvno;
1479	krb5_data rspac;
1480
1481	hdb_entry_ex *krbtgt_out = NULL;
1482
1483	METHOD_DATA enc_pa_data;
1484
1485	PrincipalName *s;
1486	Realm r;
1487	int nloop = 0;
1488	EncTicketPart adtkt;
1489	char opt_str[128];
1490	int signedpath = 0;
1491
1492	Key *tkey_check;
1493	Key *tkey_sign;
1494
1495	memset(&sessionkey, 0, sizeof(sessionkey));
1496	memset(&adtkt, 0, sizeof(adtkt));
1497	krb5_data_zero(&rspac);
1498	memset(&enc_pa_data, 0, sizeof(enc_pa_data));
1499
1500	s = b->sname;
1501	r = b->realm;
1502
1503	if(b->kdc_options.enc_tkt_in_skey){
1504	Ticket *t;
1505	hdb_entry_ex *uu;
1506	krb5_principal p;
1507	Key *uukey;
1508
1509	if(b->additional_tickets == NULL \|\|
1510	b->additional_tickets->len == 0){
1511	ret = KRB5KDC_ERR_BADOPTION; /* ? */
1512	kdc_log(context, config, 0,
1513	"No second ticket present in request");
1514	goto out;
1515	}
1516	t = &b->additional_tickets->val[0];
1517	if(!get_krbtgt_realm(&t->sname)){
1518	kdc_log(context, config, 0,
1519	"Additional ticket is not a ticket-granting ticket");
1520	ret = KRB5KDC_ERR_POLICY;
1521	goto out;
1522	}
1523	_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
1524	ret = _kdc_db_fetch(context, config, p,
1525	HDB_F_GET_KRBTGT, t->enc_part.kvno,
1526	NULL, &uu);
1527	krb5_free_principal(context, p);
1528	if(ret){
1529	if (ret == HDB_ERR_NOENTRY)
1530	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1531	goto out;
1532	}
1533	ret = hdb_enctype2key(context, &uu->entry,
1534	t->enc_part.etype, &uukey);
1535	if(ret){
1536	_kdc_free_ent(context, uu);
1537	ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1538	goto out;
1539	}
1540	ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
1541	_kdc_free_ent(context, uu);
1542	if(ret)
1543	goto out;
1544
1545	ret = verify_flags(context, config, &adtkt, spn);
1546	if (ret)
1547	goto out;
1548
1549	s = &adtkt.cname;
1550	r = adtkt.crealm;
1551	}
1552
1553	_krb5_principalname2krb5_principal(context, &sp, *s, r);
1554	ret = krb5_unparse_name(context, sp, &spn);
1555	if (ret)
1556	goto out;
1557	_krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
1558	ret = krb5_unparse_name(context, cp, &cpn);
1559	if (ret)
1560	goto out;
1561	unparse_flags (KDCOptions2int(b->kdc_options),
1562	asn1_KDCOptions_units(),
1563	opt_str, sizeof(opt_str));
1564	if(*opt_str)
1565	kdc_log(context, config, 0,
1566	"TGS-REQ %s from %s for %s [%s]",
1567	cpn, from, spn, opt_str);
1568	else
1569	kdc_log(context, config, 0,
1570	"TGS-REQ %s from %s for %s", cpn, from, spn);
1571
1572	/*
1573	* Fetch server
1574	*/
1575
1576	server_lookup:
1577	ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER \| HDB_F_CANON,
1578	NULL, NULL, &server);
1579
1580	if(ret == HDB_ERR_NOT_FOUND_HERE) {
1581	kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", sp);
1582	goto out;
1583	} else if(ret){
1584	const char new_rlm, msg;
1585	Realm req_rlm;
1586	krb5_realm *realms;
1587
1588	if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
1589	if(nloop++ < 2) {
1590	new_rlm = find_rpath(context, tgt->crealm, req_rlm);
1591	if(new_rlm) {
1592	kdc_log(context, config, 5, "krbtgt for realm %s "
1593	"not found, trying %s",
1594	req_rlm, new_rlm);
1595	krb5_free_principal(context, sp);
1596	free(spn);
1597	krb5_make_principal(context, &sp, r,
1598	KRB5_TGS_NAME, new_rlm, NULL);
1599	ret = krb5_unparse_name(context, sp, &spn);
1600	if (ret)
1601	goto out;
1602
1603	if (ref_realm)
1604	free(ref_realm);
1605	ref_realm = strdup(new_rlm);
1606	goto server_lookup;
1607	}
1608	}
1609	} else if(need_referral(context, config, &b->kdc_options, sp, &realms)) {
1610	if (strcmp(realms[0], sp->realm) != 0) {
1611	kdc_log(context, config, 5,
1612	"Returning a referral to realm %s for "
1613	"server %s that was not found",
1614	realms[0], spn);
1615	krb5_free_principal(context, sp);
1616	free(spn);
1617	krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
1618	realms[0], NULL);
1619	ret = krb5_unparse_name(context, sp, &spn);
1620	if (ret)
1621	goto out;
1622
1623	if (ref_realm)
1624	free(ref_realm);
1625	ref_realm = strdup(realms[0]);
1626
1627	krb5_free_host_realm(context, realms);
1628	goto server_lookup;
1629	}
1630	krb5_free_host_realm(context, realms);
1631	}
1632	msg = krb5_get_error_message(context, ret);
1633	kdc_log(context, config, 0,
1634	"Server not found in database: %s: %s", spn, msg);
1635	krb5_free_error_message(context, msg);
1636	if (ret == HDB_ERR_NOENTRY)
1637	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1638	goto out;
1639	}
1640
1641	/*
1642	* Select enctype, return key and kvno.
1643	*/
1644
1645	{
1646	krb5_enctype etype;
1647
1648	if(b->kdc_options.enc_tkt_in_skey) {
1649	int i;
1650	ekey = &adtkt.key;
1651	for(i = 0; i < b->etype.len; i++)
1652	if (b->etype.val[i] == adtkt.key.keytype)
1653	break;
1654	if(i == b->etype.len) {
1655	kdc_log(context, config, 0,
1656	"Addition ticket have not matching etypes");
1657	krb5_clear_error_message(context);
1658	ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1659	goto out;
1660	}
1661	etype = b->etype.val[i];
1662	kvno = 0;
1663	} else {
1664	Key *skey;
1665
1666	ret = _kdc_find_etype(context, server,
1667	b->etype.val, b->etype.len, &skey);
1668	if(ret) {
1669	kdc_log(context, config, 0,
1670	"Server (%s) has no support for etypes", spn);
1671	goto out;
1672	}
1673	ekey = &skey->key;
1674	etype = skey->key.keytype;
1675	kvno = server->entry.kvno;
1676	}
1677
1678	ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
1679	if (ret)
1680	goto out;
1681	}
1682
1683	/*
1684	* Check that service is in the same realm as the krbtgt. If it's
1685	* not the same, it's someone that is using a uni-directional trust
1686	* backward.
1687	*/
1688
1689	/*
1690	* Validate authoriation data
1691	*/
1692
1693	ret = hdb_enctype2key(context, &krbtgt->entry,
1694	krbtgt_etype, &tkey_check);
1695	if(ret) {
1696	kdc_log(context, config, 0,
1697	"Failed to find key for krbtgt PAC check");
1698	goto out;
1699	}
1700
1701	/* Now refetch the primary krbtgt, and get the current kvno (the
1702	* sign check may have been on an old kvno, and the server may
1703	* have been an incoming trust) */
1704	ret = krb5_make_principal(context, &krbtgt_principal,
1705	krb5_principal_get_comp_string(context,
1706	krbtgt->entry.principal,
1707	1),
1708	KRB5_TGS_NAME,
1709	krb5_principal_get_comp_string(context,
1710	krbtgt->entry.principal,
1711	1), NULL);
1712	if(ret) {
1713	kdc_log(context, config, 0,
1714	"Failed to generate krbtgt principal");
1715	goto out;
1716	}
1717
1718	ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1719	krb5_free_principal(context, krbtgt_principal);
1720	if (ret) {
1721	krb5_error_code ret2;
1722	char tpn, tpn2;
1723	ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1724	ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
1725	kdc_log(context, config, 0,
1726	"Request with wrong krbtgt: %s, %s not found in our database",
1727	(ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
1728	if(ret == 0)
1729	free(tpn);
1730	if(ret2 == 0)
1731	free(tpn2);
1732	ret = KRB5KRB_AP_ERR_NOT_US;
1733	goto out;
1734	}
1735
1736	/* The first realm is the realm of the service, the second is
1737	* krbtgt/<this>/@REALM component of the krbtgt DN the request was
1738	* encrypted to. The redirection via the krbtgt_out entry allows
1739	* the DB to possibly correct the case of the realm (Samba4 does
1740	* this) before the strcmp() */
1741	if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1742	krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1743	char *tpn;
1744	ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
1745	kdc_log(context, config, 0,
1746	"Request with wrong krbtgt: %s",
1747	(ret == 0) ? tpn : "<unknown>");
1748	if(ret == 0)
1749	free(tpn);
1750	ret = KRB5KRB_AP_ERR_NOT_US;
1751	}
1752
1753	ret = hdb_enctype2key(context, &krbtgt_out->entry,
1754	krbtgt_etype, &tkey_sign);
1755	if(ret) {
1756	kdc_log(context, config, 0,
1757	"Failed to find key for krbtgt PAC signature");
1758	goto out;
1759	}
1760
1761	ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT \| HDB_F_CANON,
1762	NULL, &clientdb, &client);
1763	if(ret == HDB_ERR_NOT_FOUND_HERE) {
1764	/* This is OK, we are just trying to find out if they have
1765	* been disabled or deleted in the meantime, missing secrets
1766	* is OK */
1767	} else if(ret){
1768	const char krbtgt_realm, msg;
1769
1770	/*
1771	* If the client belongs to the same realm as our krbtgt, it
1772	* should exist in the local database.
1773	*
1774	*/
1775
1776	krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1777
1778	if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1779	if (ret == HDB_ERR_NOENTRY)
1780	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1781	kdc_log(context, config, 1, "Client no longer in database: %s",
1782	cpn);
1783	goto out;
1784	}
1785
1786	msg = krb5_get_error_message(context, ret);
1787	kdc_log(context, config, 1, "Client not found in database: %s", msg);
1788	krb5_free_error_message(context, msg);
1789	}
1790
1791	ret = check_PAC(context, config, cp,
1792	client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
1793	tgt, &rspac, &signedpath);
1794	if (ret) {
1795	const char *msg = krb5_get_error_message(context, ret);
1796	kdc_log(context, config, 0,
1797	"Verify PAC failed for %s (%s) from %s with %s",
1798	spn, cpn, from, msg);
1799	krb5_free_error_message(context, msg);
1800	goto out;
1801	}
1802
1803	/* also check the krbtgt for signature */
1804	ret = check_KRB5SignedPath(context,
1805	config,
1806	krbtgt,
1807	cp,
1808	tgt,
1809	&spp,
1810	&signedpath);
1811	if (ret) {
1812	const char *msg = krb5_get_error_message(context, ret);
1813	kdc_log(context, config, 0,
1814	"KRB5SignedPath check failed for %s (%s) from %s with %s",
1815	spn, cpn, from, msg);
1816	krb5_free_error_message(context, msg);
1817	goto out;
1818	}
1819
1820	/*
1821	* Process request
1822	*/
1823
1824	client_principal = cp;
1825
1826	if (client) {
1827	const PA_DATA *sdata;
1828	int i = 0;
1829
1830	sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
1831	if (sdata) {
1832	krb5_crypto crypto;
1833	krb5_data datack;
1834	PA_S4U2Self self;
1835	char *selfcpn = NULL;
1836	const char *str;
1837
1838	ret = decode_PA_S4U2Self(sdata->padata_value.data,
1839	sdata->padata_value.length,
1840	&self, NULL);
1841	if (ret) {
1842	kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
1843	goto out;
1844	}
1845
1846	ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
1847	if (ret)
1848	goto out;
1849
1850	ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
1851	if (ret) {
1852	const char *msg = krb5_get_error_message(context, ret);
1853	free_PA_S4U2Self(&self);
1854	krb5_data_free(&datack);
1855	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1856	krb5_free_error_message(context, msg);
1857	goto out;
1858	}
1859
1860	ret = krb5_verify_checksum(context,
1861	crypto,
1862	KRB5_KU_OTHER_CKSUM,
1863	datack.data,
1864	datack.length,
1865	&self.cksum);
1866	krb5_data_free(&datack);
1867	krb5_crypto_destroy(context, crypto);
1868	if (ret) {
1869	const char *msg = krb5_get_error_message(context, ret);
1870	free_PA_S4U2Self(&self);
1871	kdc_log(context, config, 0,
1872	"krb5_verify_checksum failed for S4U2Self: %s", msg);
1873	krb5_free_error_message(context, msg);
1874	goto out;
1875	}
1876
1877	ret = _krb5_principalname2krb5_principal(context,
1878	&client_principal,
1879	self.name,
1880	self.realm);
1881	free_PA_S4U2Self(&self);
1882	if (ret)
1883	goto out;
1884
1885	ret = krb5_unparse_name(context, client_principal, &selfcpn);
1886	if (ret)
1887	goto out;
1888
1889	/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1890	if(rspac.data) {
1891	krb5_pac p = NULL;
1892	krb5_data_free(&rspac);
1893	ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT \| HDB_F_CANON,
1894	NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1895	if (ret) {
1896	const char *msg;
1897
1898	/*
1899	* If the client belongs to the same realm as our krbtgt, it
1900	* should exist in the local database.
1901	*
1902	*/
1903
1904	if (ret == HDB_ERR_NOENTRY)
1905	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1906	msg = krb5_get_error_message(context, ret);
1907	kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg);
1908	krb5_free_error_message(context, msg);
1909	goto out;
1910	}
1911	ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1912	if (ret) {
1913	kdc_log(context, config, 0, "PAC generation failed for -- %s",
1914	selfcpn);
1915	goto out;
1916	}
1917	if (p != NULL) {
1918	ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1919	s4u2self_impersonated_client->entry.principal,
1920	ekey, &tkey_sign->key,
1921	&rspac);
1922	krb5_pac_free(context, p);
1923	if (ret) {
1924	kdc_log(context, config, 0, "PAC signing failed for -- %s",
1925	selfcpn);
1926	goto out;
1927	}
1928	}
1929	}
1930
1931	/*
1932	* Check that service doing the impersonating is
1933	* requesting a ticket to it-self.
1934	*/
1935	ret = check_s4u2self(context, config, clientdb, client, sp);
1936	if (ret) {
1937	kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1938	"to impersonate to service "
1939	"(tried for user %s to service %s)",
1940	cpn, selfcpn, spn);
1941	free(selfcpn);
1942	goto out;
1943	}
1944
1945	/*
1946	* If the service isn't trusted for authentication to
1947	* delegation, remove the forward flag.
1948	*/
1949
1950	if (client->entry.flags.trusted_for_delegation) {
1951	str = "[forwardable]";
1952	} else {
1953	b->kdc_options.forwardable = 0;
1954	str = "";
1955	}
1956	kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
1957	"service %s %s", cpn, selfcpn, spn, str);
1958	free(selfcpn);
1959	}
1960	}
1961
1962	/*
1963	* Constrained delegation
1964	*/
1965
1966	if (client != NULL
1967	&& b->additional_tickets != NULL
1968	&& b->additional_tickets->len != 0
1969	&& b->kdc_options.enc_tkt_in_skey == 0)
1970	{
1971	int ad_signedpath = 0;
1972	Key *clientkey;
1973	Ticket *t;
1974	char *str;
1975
1976	/*
1977	* Require that the KDC have issued the service's krbtgt (not
1978	* self-issued ticket with kimpersonate(1).
1979	*/
1980	if (!signedpath) {
1981	ret = KRB5KDC_ERR_BADOPTION;
1982	kdc_log(context, config, 0,
1983	"Constrained delegation done on service ticket %s/%s",
1984	cpn, spn);
1985	goto out;
1986	}
1987
1988	t = &b->additional_tickets->val[0];
1989
1990	ret = hdb_enctype2key(context, &client->entry,
1991	t->enc_part.etype, &clientkey);
1992	if(ret){
1993	ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
1994	goto out;
1995	}
1996
1997	ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
1998	if (ret) {
1999	kdc_log(context, config, 0,
2000	"failed to decrypt ticket for "
2001	"constrained delegation from %s to %s ", cpn, spn);
2002	goto out;
2003	}
2004
2005	/* check that ticket is valid */
2006	if (adtkt.flags.forwardable == 0) {
2007	kdc_log(context, config, 0,
2008	"Missing forwardable flag on ticket for "
2009	"constrained delegation from %s to %s ", cpn, spn);
2010	ret = KRB5KDC_ERR_BADOPTION;
2011	goto out;
2012	}
2013
2014	ret = check_constrained_delegation(context, config, clientdb,
2015	client, sp);
2016	if (ret) {
2017	kdc_log(context, config, 0,
2018	"constrained delegation from %s to %s not allowed",
2019	cpn, spn);
2020	goto out;
2021	}
2022
2023	ret = _krb5_principalname2krb5_principal(context,
2024	&client_principal,
2025	adtkt.cname,
2026	adtkt.crealm);
2027	if (ret)
2028	goto out;
2029
2030	ret = krb5_unparse_name(context, client_principal, &str);
2031	if (ret)
2032	goto out;
2033
2034	ret = verify_flags(context, config, &adtkt, str);
2035	if (ret) {
2036	free(str);
2037	goto out;
2038	}
2039
2040	/*
2041	* Check that the KDC issued the user's ticket.
2042	*/
2043	ret = check_KRB5SignedPath(context,
2044	config,
2045	krbtgt,
2046	cp,
2047	&adtkt,
2048	NULL,
2049	&ad_signedpath);
2050	if (ret == 0 && !ad_signedpath)
2051	ret = KRB5KDC_ERR_BADOPTION;
2052	if (ret) {
2053	const char *msg = krb5_get_error_message(context, ret);
2054	kdc_log(context, config, 0,
2055	"KRB5SignedPath check from service %s failed "
2056	"for delegation to %s for client %s "
2057	"from %s failed with %s",
2058	spn, str, cpn, from, msg);
2059	krb5_free_error_message(context, msg);
2060	free(str);
2061	goto out;
2062	}
2063
2064	kdc_log(context, config, 0, "constrained delegation for %s "
2065	"from %s to %s", str, cpn, spn);
2066	free(str);
2067	}
2068
2069	/*
2070	* Check flags
2071	*/
2072
2073	ret = kdc_check_flags(context, config,
2074	client, cpn,
2075	server, spn,
2076	FALSE);
2077	if(ret)
2078	goto out;
2079
2080	if((b->kdc_options.validate \|\| b->kdc_options.renew) &&
2081	!krb5_principal_compare(context,
2082	krbtgt->entry.principal,
2083	server->entry.principal)){
2084	kdc_log(context, config, 0, "Inconsistent request.");
2085	ret = KRB5KDC_ERR_SERVER_NOMATCH;
2086	goto out;
2087	}
2088
2089	/* check for valid set of addresses */
2090	if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
2091	ret = KRB5KRB_AP_ERR_BADADDR;
2092	kdc_log(context, config, 0, "Request from wrong address");
2093	goto out;
2094	}
2095
2096	/*
2097	* If this is an referral, add server referral data to the
2098	* auth_data reply .
2099	*/
2100	if (ref_realm) {
2101	PA_DATA pa;
2102	krb5_crypto crypto;
2103
2104	kdc_log(context, config, 0,
2105	"Adding server referral to %s", ref_realm);
2106
2107	ret = krb5_crypto_init(context, &sessionkey, 0, &crypto);
2108	if (ret)
2109	goto out;
2110
2111	ret = build_server_referral(context, config, crypto, ref_realm,
2112	NULL, s, &pa.padata_value);
2113	krb5_crypto_destroy(context, crypto);
2114	if (ret) {
2115	kdc_log(context, config, 0,
2116	"Failed building server referral");
2117	goto out;
2118	}
2119	pa.padata_type = KRB5_PADATA_SERVER_REFERRAL;
2120
2121	ret = add_METHOD_DATA(&enc_pa_data, &pa);
2122	krb5_data_free(&pa.padata_value);
2123	if (ret) {
2124	kdc_log(context, config, 0,
2125	"Add server referral METHOD-DATA failed");
2126	goto out;
2127	}
2128	}
2129
2130	/*
2131	*
2132	*/
2133
2134	ret = tgs_make_reply(context,
2135	config,
2136	b,
2137	client_principal,
2138	tgt,
2139	replykey,
2140	rk_is_subkey,
2141	ekey,
2142	&sessionkey,
2143	kvno,
2144	*auth_data,
2145	server,
2146	server->entry.principal,
2147	spn,
2148	client,
2149	cp,
2150	krbtgt_out,
2151	krbtgt_etype,
2152	spp,
2153	&rspac,
2154	&enc_pa_data,
2155	e_text,
2156	reply);
2157
2158	out:
2159	free(spn);
2160	free(cpn);
2161
2162	krb5_data_free(&rspac);
2163	krb5_free_keyblock_contents(context, &sessionkey);
2164	if(krbtgt_out)
2165	_kdc_free_ent(context, krbtgt_out);
2166	if(server)
2167	_kdc_free_ent(context, server);
2168	if(client)
2169	_kdc_free_ent(context, client);
2170	if(s4u2self_impersonated_client)
2171	_kdc_free_ent(context, s4u2self_impersonated_client);
2172
2173	if (client_principal && client_principal != cp)
2174	krb5_free_principal(context, client_principal);
2175	if (cp)
2176	krb5_free_principal(context, cp);
2177	if (sp)
2178	krb5_free_principal(context, sp);
2179	if (ref_realm)
2180	free(ref_realm);
2181	free_METHOD_DATA(&enc_pa_data);
2182
2183	free_EncTicketPart(&adtkt);
2184
2185	return ret;
2186	}
2187
2188	/*
2189	*
2190	*/
2191
2192	krb5_error_code
2193	_kdc_tgs_rep(krb5_context context,
2194	krb5_kdc_configuration *config,
2195	KDC_REQ *req,
2196	krb5_data *data,
2197	const char *from,
2198	struct sockaddr *from_addr,
2199	int datagram_reply)
2200	{
2201	AuthorizationData *auth_data = NULL;
2202	krb5_error_code ret;
2203	int i = 0;
2204	const PA_DATA *tgs_req;
2205
2206	hdb_entry_ex *krbtgt = NULL;
2207	krb5_ticket *ticket = NULL;
2208	const char *e_text = NULL;
2209	krb5_enctype krbtgt_etype = ETYPE_NULL;
2210
2211	krb5_keyblock *replykey = NULL;
2212	int rk_is_subkey = 0;
2213	time_t *csec = NULL;
2214	int *cusec = NULL;
2215
2216	if(req->padata == NULL){
2217	ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
2218	kdc_log(context, config, 0,
2219	"TGS-REQ from %s without PA-DATA", from);
2220	goto out;
2221	}
2222
2223	tgs_req = _kdc_find_padata(req, &i, KRB5_PADATA_TGS_REQ);
2224
2225	if(tgs_req == NULL){
2226	ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
2227
2228	kdc_log(context, config, 0,
2229	"TGS-REQ from %s without PA-TGS-REQ", from);
2230	goto out;
2231	}
2232	ret = tgs_parse_request(context, config,
2233	&req->req_body, tgs_req,
2234	&krbtgt,
2235	&krbtgt_etype,
2236	&ticket,
2237	&e_text,
2238	from, from_addr,
2239	&csec, &cusec,
2240	&auth_data,
2241	&replykey,
2242	&rk_is_subkey);
2243	if (ret == HDB_ERR_NOT_FOUND_HERE) {
2244	/* kdc_log() is called in tgs_parse_request() */
2245	goto out;
2246	}
2247	if (ret) {
2248	kdc_log(context, config, 0,
2249	"Failed parsing TGS-REQ from %s", from);
2250	goto out;
2251	}
2252
2253	ret = tgs_build_reply(context,
2254	config,
2255	req,
2256	&req->req_body,
2257	krbtgt,
2258	krbtgt_etype,
2259	replykey,
2260	rk_is_subkey,
2261	ticket,
2262	data,
2263	from,
2264	&e_text,
2265	&auth_data,
2266	from_addr);
2267	if (ret) {
2268	kdc_log(context, config, 0,
2269	"Failed building TGS-REP to %s", from);
2270	goto out;
2271	}
2272
2273	/* */
2274	if (datagram_reply && data->length > config->max_datagram_reply_length) {
2275	krb5_data_free(data);
2276	ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2277	e_text = "Reply packet too large";
2278	}
2279
2280	out:
2281	if (replykey)
2282	krb5_free_keyblock(context, replykey);
2283	if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
2284	krb5_mk_error(context,
2285	ret,
2286	NULL,
2287	NULL,
2288	NULL,
2289	NULL,
2290	csec,
2291	cusec,
2292	data);
2293	ret = 0;
2294	}
2295	free(csec);
2296	free(cusec);
2297	if (ticket)
2298	krb5_free_ticket(context, ticket);
2299	if(krbtgt)
2300	_kdc_free_ent(context, krbtgt);
2301
2302	if (auth_data) {
2303	free_AuthorizationData(auth_data);
2304	free(auth_data);
2305	}
2306
2307	return ret;
2308	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source4/heimdal/kdc/krb5tgs.c

Download in other formats: