Changeset 745 for trunk/server/source4/heimdal/kdc/kerberos5.c

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source4/heimdal/kdc/kerberos5.c (modified) (33 diffs)

trunk/server/source4/heimdal/kdc/kerberos5.c

@@ -34 +34 @@
 #include "kdc_locl.h"
 
-RCSID("$Id$");
-
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -61 +59 @@
 
 static void
-set_salt_padata (METHOD_DATA *md, Salt *salt)
+set_salt_padata(METHOD_DATA *md, Salt *salt)
 {
     if (salt) {
-        realloc_method_data(md);
-        md->val[md->len - 1].padata_type = salt->type;
-        der_copy_octet_string(&salt->salt,
-                              &md->val[md->len - 1].padata_value);
+       realloc_method_data(md);
+       md->val[md->len - 1].padata_type = salt->type;
+       der_copy_octet_string(&salt->salt,
+                             &md->val[md->len - 1].padata_value);
     }
 }
@@ -128 +126 @@
 _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
                 krb5_enctype *etypes, unsigned len,
-                Key **ret_key, krb5_enctype *ret_etype)
+                Key **ret_key)
 {
     int i;
@@ -149 +147 @@
             }
             *ret_key   = key;
-            *ret_etype = etypes[i];
             ret = 0;
             if (is_default_salt_p(&def_salt, key)) {
@@ -262 +259 @@
                   int skvno, const EncryptionKey *skey,
                   int ckvno, const EncryptionKey *reply_key,
+                  int rk_is_subkey,
                   const char **e_text,
                   krb5_data *reply)
@@ -273 +271 @@
     ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
     if(ret) {
-        kdc_log(context, config, 0, "Failed to encode ticket: %s",
-                krb5_get_err_text(context, ret));
+        const char *msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "Failed to encode ticket: %s", msg);
+        krb5_free_error_message(context, msg);
         return ret;
     }
@@ -286 +285 @@
     ret = krb5_crypto_init(context, skey, etype, &crypto);
     if (ret) {
+        const char *msg;
         free(buf);
-        kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
-                krb5_get_err_text(context, ret));
+        msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+        krb5_free_error_message(context, msg);
         return ret;
     }
@@ -302 +303 @@
     krb5_crypto_destroy(context, crypto);
     if(ret) {
-        kdc_log(context, config, 0, "Failed to encrypt data: %s",
-                krb5_get_err_text(context, ret));
+        const char *msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "Failed to encrypt data: %s", msg);
+        krb5_free_error_message(context, msg);
         return ret;
     }
@@ -312 +314 @@
         ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
     if(ret) {
-        kdc_log(context, config, 0, "Failed to encode KDC-REP: %s",
-                krb5_get_err_text(context, ret));
+        const char *msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
+        krb5_free_error_message(context, msg);
         return ret;
     }
@@ -324 +327 @@
     ret = krb5_crypto_init(context, reply_key, 0, &crypto);
     if (ret) {
+        const char *msg = krb5_get_error_message(context, ret);
         free(buf);
-        kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
-                krb5_get_err_text(context, ret));
+        kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+        krb5_free_error_message(context, msg);
         return ret;
     }
@@ -342 +346 @@
         krb5_encrypt_EncryptedData(context,
                                    crypto,
-                                   KRB5_KU_TGS_REP_ENC_PART_SESSION,
+                                   rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION,
                                    buf,
                                    len,
@@ -352 +356 @@
     krb5_crypto_destroy(context, crypto);
     if(ret) {
-        kdc_log(context, config, 0, "Failed to encode KDC-REP: %s",
-                krb5_get_err_text(context, ret));
+        const char *msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
+        krb5_free_error_message(context, msg);
         return ret;
     }
@@ -896 +901 @@
     hdb_entry_ex *client = NULL, *server = NULL;
     HDB *clientdb;
-    krb5_enctype cetype, setype, sessionetype;
+    krb5_enctype setype, sessionetype;
     krb5_data e_data;
     EncTicketPart et;
@@ -906 +911 @@
     krb5_crypto crypto;
     Key *ckey, *skey;
-    EncryptionKey *reply_key;
+    EncryptionKey *reply_key = NULL, session_key;
     int flags = 0;
 #ifdef PKINIT
@@ -913 +918 @@
 
     memset(&rep, 0, sizeof(rep));
+    memset(&session_key, 0, sizeof(session_key));
     krb5_data_zero(&e_data);
+
+    ALLOC(rep.padata);
+    rep.padata->len = 0;
+    rep.padata->val = NULL;
 
     if (f.canonicalize)
@@ -979 +989 @@
 
     ret = _kdc_db_fetch(context, config, client_princ,
-                        HDB_F_GET_CLIENT | flags, &clientdb, &client);
-    if(ret){
-        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
-                krb5_get_err_text(context, ret));
+                        HDB_F_GET_CLIENT | flags, NULL,
+                        &clientdb, &client);
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+        kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
+        goto out;
+    } else if(ret){
+        const char *msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
+        krb5_free_error_message(context, msg);
         ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
         goto out;
     }
-
     ret = _kdc_db_fetch(context, config, server_princ,
-                        HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
-                        NULL, &server);
-    if(ret){
-        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
-                krb5_get_err_text(context, ret));
+                        HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
+                        NULL, NULL, &server);
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+        kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);
+        goto out;
+    } else if(ret){
+        const char *msg = krb5_get_error_message(context, ret);
+        kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
+        krb5_free_error_message(context, msg);
         ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         goto out;
@@ -1001 +1019 @@
 
     /*
-     * Find the client key for reply encryption and pa-type salt, Pick
-     * the client key upfront before the other keys because that is
-     * going to affect what enctypes we are going to use in
-     * ETYPE-INFO{,2}.
+     * Select a session enctype from the list of the crypto systems
+     * supported enctype, is supported by the client and is one of the
+     * enctype of the enctype of the krbtgt.
+     *
+     * The later is used as a hint what enctype all KDC are supporting
+     * to make sure a newer version of KDC wont generate a session
+     * enctype that and older version of a KDC in the same realm can't
+     * decrypt.
+     *
+     * But if the KDC admin is paranoid and doesn't want to have "no
+     * the best" enctypes on the krbtgt, lets save the best pick from
+     * the client list and hope that that will work for any other
+     * KDCs.
      */
-
-    ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
-                          &ckey, &cetype);
-    if (ret) {
-        kdc_log(context, config, 0,
-                "Client (%s) has no support for etypes", client_name);
-        goto out;
+    {
+        const krb5_enctype *p;
+        krb5_enctype clientbest = ETYPE_NULL;
+        int i, j;
+
+        p = krb5_kerberos_enctypes(context);
+
+        sessionetype = ETYPE_NULL;
+
+        for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
+            if (krb5_enctype_valid(context, p[i]) != 0)
+                continue;
+
+            for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
+                Key *dummy;
+                /* check with client */
+                if (p[i] != b->etype.val[j])
+                    continue;
+                /* save best of union of { client, crypto system } */
+                if (clientbest == ETYPE_NULL)
+                    clientbest = p[i];
+                /* check with krbtgt */
+                ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
+                if (ret)
+                    continue;
+                sessionetype = p[i];
+            }
+        }
+        /* if krbtgt had no shared keys with client, pick clients best */
+        if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
+            sessionetype = clientbest;
+        } else if (sessionetype == ETYPE_NULL) {
+            kdc_log(context, config, 0,
+                    "Client (%s) from %s has no common enctypes with KDC"
+                    "to use for the session key",
+                    client_name, from);
+            goto out;
+        }
     }
 
@@ -1136 +1194 @@
             ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
             if (ret) {
-                kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
-                        krb5_get_err_text(context, ret));
+                const char *msg = krb5_get_error_message(context, ret);
+                kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+                krb5_free_error_message(context, msg);
                 free_EncryptedData(&enc_data);
                 continue;
@@ -1155 +1214 @@
             if(ret){
                 krb5_error_code ret2;
+                const char *msg = krb5_get_error_message(context, ret);
+
                 ret2 = krb5_enctype_to_string(context,
                                               pa_key->key.keytype, &str);
@@ -1162 +1223 @@
                         "Failed to decrypt PA-DATA -- %s "
                         "(enctype %s) error %s",
-                        client_name,
-                        str ? str : "unknown enctype",
-                        krb5_get_err_text(context, ret));
+                        client_name, str ? str : "unknown enctype", msg);
+                krb5_free_error_message(context, msg);
                 free(str);
 
@@ -1220 +1280 @@
             et.flags.pre_authent = 1;
 
-            ret = krb5_enctype_to_string(context,pa_key->key.keytype, &str);
+            set_salt_padata(rep.padata, pa_key->salt);
+
+            reply_key = &pa_key->key;
+
+            ret = krb5_enctype_to_string(context, pa_key->key.keytype, &str);
             if (ret)
                 str = NULL;
@@ -1290 +1354 @@
          * If there is a client key, send ETYPE_INFO{,2}
          */
-        if (ckey) {
+        ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
+                              &ckey);
+        if (ret == 0) {
 
             /*
@@ -1361 +1427 @@
         goto out;
 
-    /*
-     * Select a session enctype from the list of the crypto systems
-     * supported enctype, is supported by the client and is one of the
-     * enctype of the enctype of the krbtgt.
-     *
-     * The later is used as a hint what enctype all KDC are supporting
-     * to make sure a newer version of KDC wont generate a session
-     * enctype that and older version of a KDC in the same realm can't
-     * decrypt.
-     *
-     * But if the KDC admin is paranoid and doesn't want to have "no
-     * the best" enctypes on the krbtgt, lets save the best pick from
-     * the client list and hope that that will work for any other
-     * KDCs.
-     */
-    {
-        const krb5_enctype *p;
-        krb5_enctype clientbest = ETYPE_NULL;
-        int i, j;
-
-        p = krb5_kerberos_enctypes(context);
-
-        sessionetype = ETYPE_NULL;
-
-        for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
-            if (krb5_enctype_valid(context, p[i]) != 0)
-                continue;
-
-            for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
-                Key *dummy;
-                /* check with client */
-                if (p[i] != b->etype.val[j])
-                    continue;
-                /* save best of union of { client, crypto system } */
-                if (clientbest == ETYPE_NULL)
-                    clientbest = p[i];
-                /* check with krbtgt */
-                ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
-                if (ret)
-                    continue;
-                sessionetype = p[i];
-            }
-        }
-        /* if krbtgt had no shared keys with client, pick clients best */
-        if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
-            sessionetype = clientbest;
-        } else if (sessionetype == ETYPE_NULL) {
-            kdc_log(context, config, 0,
-                    "Client (%s) from %s has no common enctypes with KDC"
-                    "to use for the session key",
-                    client_name, from);
-            goto out;
-        }
-    }
-
-    log_as_req(context, config, cetype, setype, b);
-
     if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
        || (f.request_anonymous && !config->allow_anonymous)) {
         ret = KRB5KDC_ERR_BADOPTION;
+        e_text = "Bad KDC options";
         kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
         goto out;
@@ -1450 +1460 @@
         et.flags.forwardable = f.forwardable;
     else if (f.forwardable) {
+        e_text = "Ticket may not be forwardable";
         ret = KRB5KDC_ERR_POLICY;
         kdc_log(context, config, 0,
@@ -1458 +1469 @@
         et.flags.proxiable = f.proxiable;
     else if (f.proxiable) {
+        e_text = "Ticket may not be proxiable";
         ret = KRB5KDC_ERR_POLICY;
         kdc_log(context, config, 0,
@@ -1466 +1478 @@
         et.flags.may_postdate = f.allow_postdate;
     else if (f.allow_postdate){
+        e_text = "Ticket may not be postdate";
         ret = KRB5KDC_ERR_POLICY;
         kdc_log(context, config, 0,
@@ -1474 +1487 @@
     /* check for valid set of addresses */
     if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
+        e_text = "Bad address list in requested";
         ret = KRB5KRB_AP_ERR_BADADDR;
         kdc_log(context, config, 0,
@@ -1612 +1626 @@
     }
 
-    ALLOC(rep.padata);
-    rep.padata->len = 0;
-    rep.padata->val = NULL;
-
 #if PKINIT
     if (pkp) {
@@ -1630 +1640 @@
         if (ret)
             goto out;
+
     } else
 #endif
-    if (ckey) {
-        reply_key = &ckey->key;
+    {
         ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
         if (ret)
             goto out;
-    } else {
+    }
+
+    if (reply_key == NULL) {
         e_text = "Client have no reply key";
         ret = KRB5KDC_ERR_CLIENT_NOTYET;
@@ -1646 +1658 @@
     if (ret)
         goto out;
-
-    if (ckey)
-        set_salt_padata (rep.padata, ckey->salt);
 
     /* Add signing of alias referral */
@@ -1748 +1757 @@
                                   server,
                                   setype,
+                                  client->entry.principal,
                                   NULL,
                                   NULL,
@@ -1754 +1764 @@
         goto out;
 
+    log_as_req(context, config, reply_key->keytype, setype, b);
+
     ret = _kdc_encode_reply(context, config,
                             &rep, &et, &ek, setype, server->entry.kvno,
                             &skey->key, client->entry.kvno,
-                            reply_key, &e_text, reply);
+                            reply_key, 0, &e_text, reply);
     free_EncTicketPart(&et);
     free_EncKDCRepPart(&ek);
@@ -1772 +1784 @@
 out:
     free_AS_REP(&rep);
-    if(ret){
+    if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){
         krb5_mk_error(context,
                       ret,