1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kdc/do_tgs_req.c - KDC Routines to deal with TGS_REQ's */
4 * Copyright 1990,1991,2001,2007,2008,2009 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
27 * Copyright (c) 2006-2008, Novell, Inc.
28 * All rights reserved.
30 * Redistribution and use in source and binary forms, with or without
31 * modification, are permitted provided that the following conditions are met:
33 * * Redistributions of source code must retain the above copyright notice,
34 * this list of conditions and the following disclaimer.
35 * * Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer in the
37 * documentation and/or other materials provided with the distribution.
38 * * The copyright holder's name is not used to endorse or promote products
39 * derived from this software without specific prior written permission.
41 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
42 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
45 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
46 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
47 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
48 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
49 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
51 * POSSIBILITY OF SUCH DAMAGE.
57 #ifdef HAVE_NETINET_IN_H
58 #include <sys/types.h>
59 #include <netinet/in.h>
61 #include <arpa/inet.h>
68 #include "adm_proto.h"
71 static krb5_error_code
72 find_alternate_tgs(krb5_kdc_req *,krb5_db_entry **);
74 static krb5_error_code
75 prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
76 krb5_principal,krb5_data **,const char *, krb5_pa_data **);
79 prep_reprocess_req(krb5_kdc_req *,krb5_principal *);
83 process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
86 krb5_keyblock * subkey = 0;
87 krb5_keyblock * tgskey = 0;
88 krb5_kdc_req *request = 0;
89 krb5_db_entry *server = NULL;
91 krb5_enc_kdc_rep_part reply_encpart;
92 krb5_ticket ticket_reply, *header_ticket = 0;
94 krb5_enc_tkt_part enc_tkt_reply;
95 krb5_transited enc_tkt_transited;
97 krb5_error_code retval = 0;
98 krb5_keyblock encrypting_key;
99 krb5_timestamp kdc_time, authtime = 0;
100 krb5_keyblock session_key;
101 krb5_timestamp rtime;
102 krb5_keyblock *reply_key = NULL;
103 krb5_key_data *server_key;
104 char *cname = 0, *sname = 0, *altcname = 0;
105 krb5_last_req_entry *nolrarray[2], nolrentry;
106 krb5_enctype useenctype;
107 int errcode, errcode2;
110 const char *status = 0;
111 krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
112 krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
113 krb5_db_entry *client = NULL, *krbtgt = NULL;
114 krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
115 krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
116 unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
117 char *s4u_name = NULL;
118 krb5_boolean is_referral, db_ref_done = FALSE;
119 const char *emsg = NULL;
120 krb5_data *tgs_1 =NULL, *server_1 = NULL;
121 krb5_principal krbtgt_princ;
122 krb5_kvno ticket_kvno = 0;
123 struct kdc_request_state *state = NULL;
124 krb5_pa_data *pa_tgs_req; /*points into request*/
126 krb5_pa_data **e_data = NULL;
128 reply.padata = 0; /* For cleanup handler */
129 reply_encpart.enc_padata = 0;
130 enc_tkt_reply.authorization_data = NULL;
132 session_key.contents = NULL;
134 retval = decode_krb5_tgs_req(pkt, &request);
137 if (request->msg_type != KRB5_TGS_REQ) {
138 krb5_free_kdc_req(kdc_context, request);
139 return KRB5_BADMSGTYPE;
143 * setup_server_realm() sets up the global realm-specific data pointer.
145 if ((retval = setup_server_realm(request->server))) {
146 krb5_free_kdc_req(kdc_context, request);
149 errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
150 &krbtgt, &tgskey, &subkey, &pa_tgs_req);
151 if (header_ticket && header_ticket->enc_part2 &&
152 (errcode2 = krb5_unparse_name(kdc_context,
153 header_ticket->enc_part2->client,
155 status = "UNPARSING CLIENT";
162 status = "PROCESS_TGS";
166 if (!header_ticket) {
167 errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
168 status="UNEXPECTED NULL in header_ticket";
171 errcode = kdc_make_rstate(&state);
173 status = "making state";
176 scratch.length = pa_tgs_req->length;
177 scratch.data = (char *) pa_tgs_req->contents;
178 errcode = kdc_find_fast(&request, &scratch, subkey,
179 header_ticket->enc_part2->session, state, NULL);
181 status = "kdc_find_fast";
186 * Pointer to the encrypted part of the header ticket, which may be
187 * replaced to point to the encrypted part of the evidence ticket
188 * if constrained delegation is used. This simplifies the number of
189 * special cases for constrained delegation.
191 header_enc_tkt = header_ticket->enc_part2;
194 * We've already dealt with the AP_REQ authentication, so we can
195 * use header_ticket freely. The encrypted part (if any) has been
196 * decrypted with the session key.
199 /* XXX make sure server here has the proper realm...taken from AP_REQ
202 setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
203 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
204 setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
205 setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
210 if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
211 status = "UNPARSING SERVER";
216 errcode = krb5_db_get_principal(kdc_context, request->server,
218 if (errcode && errcode != KRB5_KDB_NOENTRY) {
219 status = "LOOKING_UP_SERVER";
223 if (errcode == KRB5_KDB_NOENTRY) {
225 * might be a request for a TGT for some other realm; we
226 * should do our best to find such a TGS in this db
230 if ( krb5_is_tgs_principal(request->server) == TRUE) {
231 /* Principal is a name of krb ticket service */
232 if (krb5_princ_size(kdc_context, request->server) == 2) {
234 server_1 = krb5_princ_component(kdc_context,
236 tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
238 if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
239 errcode = find_alternate_tgs(request, &server);
245 status = "UNKNOWN_SERVER";
246 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
249 } else if ( db_ref_done == FALSE) {
250 retval = prep_reprocess_req(request, &krbtgt_princ);
252 krb5_free_principal(kdc_context, request->server);
253 retval = krb5_copy_principal(kdc_context, krbtgt_princ,
265 status = "UNKNOWN_SERVER";
266 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
270 if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
271 status = "TIME_OF_DAY";
275 if ((retval = validate_tgs_request(request, *server, header_ticket,
276 kdc_time, &status, &e_data))) {
278 status = "UNKNOWN_REASON";
279 errcode = retval + ERROR_TABLE_BASE_krb5;
283 if (!is_local_principal(header_enc_tkt->client))
284 setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
286 is_referral = krb5_is_tgs_principal(server->princ) &&
287 !krb5_principal_compare(kdc_context, tgs_server, server->princ);
289 /* Check for protocol transition */
290 errcode = kdc_process_s4u2self_req(kdc_context,
292 header_enc_tkt->client,
295 header_enc_tkt->session,
302 if (s4u_x509_user != NULL)
303 setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
306 * We pick the session keytype here....
308 * Some special care needs to be taken in the user-to-user
309 * case, since we don't know what keytypes the application server
310 * which is doing user-to-user authentication can support. We
311 * know that it at least must be able to support the encryption
312 * type of the session key in the TGT, since otherwise it won't be
313 * able to decrypt the U2U ticket! So we use that in preference
317 if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
318 KDC_OPT_CNAME_IN_ADDL_TKT)) {
319 krb5_keyblock * st_sealing_key;
320 krb5_kvno st_srv_kvno;
322 krb5_db_entry *st_client;
325 * Get the key for the second ticket, and decrypt it.
327 if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
329 TRUE, /* match_enctype */
333 status = "2ND_TKT_SERVER";
336 errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
337 request->second_ticket[st_idx]);
338 krb5_free_keyblock(kdc_context, st_sealing_key);
340 status = "2ND_TKT_DECRYPT";
341 krb5_db_free_principal(kdc_context, st_client);
345 etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
346 if (!krb5_c_valid_enctype(etype)) {
347 status = "BAD_ETYPE_IN_2ND_TKT";
348 errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
349 krb5_db_free_principal(kdc_context, st_client);
353 for (i = 0; i < request->nktypes; i++) {
354 if (request->ktype[i] == etype) {
360 if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
361 /* Do constrained delegation protocol and authorization checks */
362 errcode = kdc_process_s4u2proxy_req(kdc_context,
364 request->second_ticket[st_idx]->enc_part2,
366 header_ticket->enc_part2->client,
372 setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
374 assert(krb5_is_tgs_principal(header_ticket->server));
376 assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
379 /* "client" is not used for user2user */
380 krb5_db_free_principal(kdc_context, st_client);
385 * Select the keytype for the ticket session key.
387 if ((useenctype == 0) &&
388 (useenctype = select_session_keytype(kdc_context, server,
390 request->ktype)) == 0) {
391 /* unsupported ktype */
392 status = "BAD_ENCRYPTION_TYPE";
393 errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
397 errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
400 /* random key failed */
401 status = "RANDOM_KEY_FAILED";
406 * subject_tkt will refer to the evidence ticket (for constrained
407 * delegation) or the TGT. The distinction from header_enc_tkt is
408 * necessary because the TGS signature only protects some fields:
409 * the others could be forged by a malicious server.
412 if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
413 subject_tkt = request->second_ticket[st_idx]->enc_part2;
415 subject_tkt = header_enc_tkt;
416 authtime = subject_tkt->times.authtime;
419 ticket_reply.server = server->princ;
421 ticket_reply.server = request->server; /* XXX careful for realm... */
423 enc_tkt_reply.flags = 0;
424 enc_tkt_reply.times.starttime = 0;
426 if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
427 setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
430 * Fix header_ticket's starttime; if it's zero, fill in the
433 if (!(header_enc_tkt->times.starttime))
434 header_enc_tkt->times.starttime = authtime;
435 setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
437 /* don't use new addresses unless forwarded, see below */
439 enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
440 /* noaddrarray[0] = 0; */
441 reply_encpart.caddrs = 0;/* optional...don't put it in */
442 reply_encpart.enc_padata = NULL;
445 * It should be noted that local policy may affect the
446 * processing of any of these flags. For example, some
447 * realms may refuse to issue renewable tickets
450 if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
451 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
453 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
455 * If S4U2Self principal is not forwardable, then mark ticket as
456 * unforwardable. This behaviour matches Windows, but it is
457 * different to the MIT AS-REQ path, which returns an error
458 * (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
460 * Consider this block the S4U2Self equivalent to
461 * validate_forwardable().
463 if (client != NULL &&
464 isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
465 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
467 * Forwardable flag is propagated along referral path.
469 else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
470 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
472 * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
473 * S4U2Self in order for forwardable tickets to be returned.
475 else if (!is_referral &&
476 !isflagset(server->attributes,
477 KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
478 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
482 if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
483 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
485 /* include new addresses in ticket & reply */
487 enc_tkt_reply.caddrs = request->addresses;
488 reply_encpart.caddrs = request->addresses;
490 if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED))
491 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
493 if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
494 setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
496 if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
497 setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
499 /* include new addresses in ticket & reply */
501 enc_tkt_reply.caddrs = request->addresses;
502 reply_encpart.caddrs = request->addresses;
505 if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
506 setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
508 if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
509 setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
510 setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
511 enc_tkt_reply.times.starttime = request->from;
513 enc_tkt_reply.times.starttime = kdc_time;
515 if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
516 assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
517 /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
519 ticket_reply = *(header_ticket);
520 enc_tkt_reply = *(header_ticket->enc_part2);
521 enc_tkt_reply.authorization_data = NULL;
522 clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
525 if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
526 krb5_deltat old_life;
528 assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
529 /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
531 ticket_reply = *(header_ticket);
532 enc_tkt_reply = *(header_ticket->enc_part2);
533 enc_tkt_reply.authorization_data = NULL;
535 old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
537 enc_tkt_reply.times.starttime = kdc_time;
538 enc_tkt_reply.times.endtime =
539 min(header_ticket->enc_part2->times.renew_till,
540 kdc_time + old_life);
542 /* not a renew request */
543 enc_tkt_reply.times.starttime = kdc_time;
545 kdc_get_ticket_endtime(kdc_context, enc_tkt_reply.times.starttime,
546 header_enc_tkt->times.endtime, request->till,
547 client, server, &enc_tkt_reply.times.endtime);
549 if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
550 (enc_tkt_reply.times.endtime < request->till) &&
551 isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
552 setflag(request->kdc_options, KDC_OPT_RENEWABLE);
554 min(request->till, header_enc_tkt->times.renew_till);
557 rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
559 if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
560 /* already checked above in policy check to reject request for a
561 renewable ticket using a non-renewable ticket */
562 setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
563 enc_tkt_reply.times.renew_till =
565 min(header_enc_tkt->times.renew_till,
566 enc_tkt_reply.times.starttime +
567 min(server->max_renewable_life,
568 max_renewable_life_for_realm)));
570 enc_tkt_reply.times.renew_till = 0;
572 if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
573 setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
575 * Set authtime to be the same as header or evidence ticket's
577 enc_tkt_reply.times.authtime = authtime;
580 * Propagate the preauthentication flags through to the returned ticket.
582 if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH))
583 setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
585 if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH))
586 setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
588 /* starttime is optional, and treated as authtime if not present.
589 so we can nuke it if it matches */
590 if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
591 enc_tkt_reply.times.starttime = 0;
593 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
594 errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user,
596 } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
597 errcode = krb5_unparse_name(kdc_context, subject_tkt->client,
603 status = "UNPARSING S4U CLIENT";
607 if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
608 krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
609 encrypting_key = *(t2enc->session);
612 * Find the server key
614 if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
615 -1, /* ignore keytype */
616 -1, /* Ignore salttype */
617 0, /* Get highest kvno */
619 status = "FINDING_SERVER_KEY";
624 * Convert server.key into a real key
625 * (it may be encrypted in the database)
627 if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
628 server_key, &encrypting_key,
630 status = "DECRYPT_SERVER_KEY";
635 if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
637 * Don't allow authorization data to be disabled if constrained
638 * delegation is requested. We don't want to deny the server
639 * the ability to validate that delegation was used.
641 clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
643 if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
645 * If we are not doing protocol transition/constrained delegation
646 * try to lookup the client principal so plugins can add additional
647 * authorization information.
649 * Always validate authorization data for constrained delegation
650 * because we must validate the KDC signatures.
652 if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U)) {
653 /* Generate authorization data so we can include it in ticket */
654 setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
655 /* Map principals from foreign (possibly non-AD) realms */
656 setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
658 assert(client == NULL); /* should not have been set already */
660 errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
665 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
666 !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
667 enc_tkt_reply.client = s4u_x509_user->user_id.user;
669 enc_tkt_reply.client = subject_tkt->client;
671 enc_tkt_reply.session = &session_key;
672 enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
673 enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
675 errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
676 subkey != NULL ? subkey :
677 header_ticket->enc_part2->session,
678 &encrypting_key, /* U2U or server key */
683 s4u_x509_user->user_id.user : NULL,
687 krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
689 status = "HANDLE_AUTHDATA";
695 * Only add the realm of the presented tgt to the transited list if
696 * it is different than the local realm (cross-realm) and it is different
697 * than the realm of the client (since the realm of the client is already
698 * implicitly part of the transited list and should not be explicitly
701 /* realm compare is like strcmp, but knows how to deal with these args */
702 if (realm_compare(header_ticket->server, tgs_server) ||
703 realm_compare(header_ticket->server, enc_tkt_reply.client)) {
704 /* tgt issued by local realm or issued by realm of client */
705 enc_tkt_reply.transited = header_enc_tkt->transited;
707 /* tgt issued by some other realm and not the realm of the client */
708 /* assemble new transited field into allocated storage */
709 if (header_enc_tkt->transited.tr_type !=
710 KRB5_DOMAIN_X500_COMPRESS) {
711 status = "BAD_TRTYPE";
712 errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
715 enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
716 enc_tkt_transited.magic = 0;
717 enc_tkt_transited.tr_contents.magic = 0;
718 enc_tkt_transited.tr_contents.data = 0;
719 enc_tkt_transited.tr_contents.length = 0;
720 enc_tkt_reply.transited = enc_tkt_transited;
722 add_to_transited(&header_enc_tkt->transited.tr_contents,
723 &enc_tkt_reply.transited.tr_contents,
724 header_ticket->server,
725 enc_tkt_reply.client,
727 status = "ADD_TR_FAIL";
732 if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
733 errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
736 status = "NON_TRANSITIVE";
740 if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
744 errcode = kdc_check_transited_list (kdc_context,
745 &enc_tkt_reply.transited.tr_contents,
746 krb5_princ_realm (kdc_context, header_enc_tkt->client),
747 krb5_princ_realm (kdc_context, request->server));
748 tlen = enc_tkt_reply.transited.tr_contents.length;
749 tdots = tlen > 125 ? "..." : "";
750 tlen = tlen > 125 ? 125 : tlen;
753 setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
754 } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
755 krb5_klog_syslog(LOG_INFO, _("bad realm transit path from '%s' "
756 "to '%s' via '%.*s%s'"),
757 cname ? cname : "<unknown client>",
758 sname ? sname : "<unknown server>", tlen,
759 enc_tkt_reply.transited.tr_contents.data, tdots);
761 emsg = krb5_get_error_message(kdc_context, errcode);
762 krb5_klog_syslog(LOG_ERR, _("unexpected error checking transit "
763 "from '%s' to '%s' via '%.*s%s': %s"),
764 cname ? cname : "<unknown client>",
765 sname ? sname : "<unknown server>", tlen,
766 enc_tkt_reply.transited.tr_contents.data, tdots,
768 krb5_free_error_message(kdc_context, emsg);
772 krb5_klog_syslog(LOG_INFO, _("not checking transit path"));
773 if (reject_bad_transit
774 && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
775 errcode = KRB5KDC_ERR_POLICY;
776 status = "BAD_TRANSIT";
780 ticket_reply.enc_part2 = &enc_tkt_reply;
783 * If we are doing user-to-user authentication, then make sure
784 * that the client for the second ticket matches the request
785 * server, and then encrypt the ticket using the session key of
788 if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
790 * Make sure the client for the second ticket matches
793 krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
794 krb5_principal client2 = t2enc->client;
795 if (!krb5_principal_compare(kdc_context, request->server, client2)) {
796 if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
798 if (altcname != NULL)
799 limit_string(altcname);
801 errcode = KRB5KDC_ERR_SERVER_NOMATCH;
802 status = "2ND_TKT_MISMATCH";
807 ticket_reply.enc_part.enctype = t2enc->session->enctype;
810 ticket_kvno = server_key->key_data_kvno;
813 errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
815 if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
816 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
818 status = "TKT_ENCRYPT";
821 ticket_reply.enc_part.kvno = ticket_kvno;
822 /* Start assembling the response */
823 reply.msg_type = KRB5_TGS_REP;
824 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
825 find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) {
826 errcode = kdc_make_s4u2self_rep(kdc_context,
828 header_ticket->enc_part2->session,
833 status = "KDC_RETURN_S4U2SELF_PADATA";
838 reply.client = enc_tkt_reply.client;
839 reply.enc_part.kvno = 0;/* We are using the session key */
840 reply.ticket = &ticket_reply;
842 reply_encpart.session = &session_key;
843 reply_encpart.nonce = request->nonce;
845 /* copy the time fields */
846 reply_encpart.times = enc_tkt_reply.times;
848 /* starttime is optional, and treated as authtime if not present.
849 so we can nuke it if it matches */
850 if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
851 enc_tkt_reply.times.starttime = 0;
853 nolrentry.lr_type = KRB5_LRQ_NONE;
855 nolrarray[0] = &nolrentry;
857 reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
858 reply_encpart.key_exp = 0;/* ditto */
859 reply_encpart.flags = enc_tkt_reply.flags;
860 reply_encpart.server = ticket_reply.server;
862 /* use the session key in the ticket, unless there's a subsession key
864 reply.enc_part.enctype = subkey ? subkey->enctype :
865 header_ticket->enc_part2->session->enctype;
866 errcode = kdc_fast_response_handle_padata(state, request, &reply,
867 subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
869 status = "Preparing FAST padata";
872 errcode =kdc_fast_handle_reply_key(state,
873 subkey?subkey:header_ticket->enc_part2->session, &reply_key);
875 status = "generating reply key";
878 errcode = return_enc_padata(kdc_context, pkt, request,
879 reply_key, server, &reply_encpart,
882 KRB5_KDB_FLAG_CANONICALIZE));
884 status = "KDC_RETURN_ENC_PADATA";
888 errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
893 status = "ENCODE_KDC_REP";
898 memset(ticket_reply.enc_part.ciphertext.data, 0,
899 ticket_reply.enc_part.ciphertext.length);
900 free(ticket_reply.enc_part.ciphertext.data);
901 /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
902 can use them in raw form if needed. But, we don't... */
903 memset(reply.enc_part.ciphertext.data, 0,
904 reply.enc_part.ciphertext.length);
905 free(reply.enc_part.ciphertext.data);
908 assert(status != NULL);
910 krb5_free_keyblock(kdc_context, reply_key);
912 emsg = krb5_get_error_message (kdc_context, errcode);
913 log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
914 c_flags, s4u_name, status, errcode, emsg);
916 krb5_free_error_message (kdc_context, emsg);
923 status = krb5_get_error_message (kdc_context, errcode);
926 errcode -= ERROR_TABLE_BASE_krb5;
927 if (errcode < 0 || errcode > 128)
928 errcode = KRB_ERR_GENERIC;
930 retval = prepare_error_tgs(state, request, header_ticket, errcode,
931 (server != NULL) ? server->princ : NULL,
932 response, status, e_data);
934 krb5_free_error_message (kdc_context, status);
939 if (header_ticket != NULL)
940 krb5_free_ticket(kdc_context, header_ticket);
942 krb5_free_kdc_req(kdc_context, request);
944 kdc_free_rstate(state);
949 krb5_db_free_principal(kdc_context, server);
950 krb5_db_free_principal(kdc_context, krbtgt);
951 krb5_db_free_principal(kdc_context, client);
952 if (session_key.contents != NULL)
953 krb5_free_keyblock_contents(kdc_context, &session_key);
955 free(enc_tkt_reply.transited.tr_contents.data);
956 if (s4u_x509_user != NULL)
957 krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
958 if (kdc_issued_auth_data != NULL)
959 krb5_free_authdata(kdc_context, kdc_issued_auth_data);
960 if (s4u_name != NULL)
963 krb5_free_keyblock(kdc_context, subkey);
965 krb5_free_keyblock(kdc_context, tgskey);
967 krb5_free_pa_data(kdc_context, reply.padata);
968 if (reply_encpart.enc_padata)
969 krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
970 if (enc_tkt_reply.authorization_data != NULL)
971 krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
972 krb5_free_pa_data(kdc_context, e_data);
977 static krb5_error_code
978 prepare_error_tgs (struct kdc_request_state *state,
979 krb5_kdc_req *request, krb5_ticket *ticket, int error,
980 krb5_principal canon_server,
981 krb5_data **response, const char *status,
982 krb5_pa_data **e_data)
985 krb5_error_code retval = 0;
986 krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL;
988 errpkt.ctime = request->nonce;
991 if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
994 errpkt.error = error;
995 errpkt.server = request->server;
996 if (ticket && ticket->enc_part2)
997 errpkt.client = ticket->enc_part2->client;
999 errpkt.client = NULL;
1000 errpkt.text.length = strlen(status);
1001 if (!(errpkt.text.data = strdup(status)))
1004 if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
1005 free(errpkt.text.data);
1009 if (e_data != NULL) {
1010 retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
1013 free(errpkt.text.data);
1016 errpkt.e_data = *e_data_asn1;
1018 errpkt.e_data = empty_data();
1021 retval = kdc_fast_handle_error(kdc_context, state, request, e_data,
1022 &errpkt, &fast_edata);
1026 free(errpkt.text.data);
1027 krb5_free_data(kdc_context, e_data_asn1);
1031 errpkt.e_data = *fast_edata;
1032 retval = krb5_mk_error(kdc_context, &errpkt, scratch);
1033 free(errpkt.text.data);
1034 krb5_free_data(kdc_context, e_data_asn1);
1035 krb5_free_data(kdc_context, fast_edata);
1039 *response = scratch;
1045 * The request seems to be for a ticket-granting service somewhere else,
1046 * but we don't have a ticket for the final TGS. Try to give the requestor
1047 * some intermediate realm.
1049 static krb5_error_code
1050 find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr)
1052 krb5_error_code retval;
1053 krb5_principal *plist = NULL, *pl2, tmpprinc;
1055 krb5_db_entry *server = NULL;
1060 * Call to krb5_princ_component is normally not safe but is so
1061 * here only because find_alternate_tgs() is only called from
1062 * somewhere that has already checked the number of components in
1065 if ((retval = krb5_walk_realm_tree(kdc_context,
1066 krb5_princ_realm(kdc_context, request->server),
1067 krb5_princ_component(kdc_context, request->server, 1),
1068 &plist, KRB5_REALM_BRANCH_CHAR)))
1071 /* move to the end */
1072 for (pl2 = plist; *pl2; pl2++);
1074 /* the first entry in this array is for krbtgt/local@local, so we
1076 while (--pl2 > plist) {
1077 tmp = *krb5_princ_realm(kdc_context, *pl2);
1078 krb5_princ_set_realm(kdc_context, *pl2,
1079 krb5_princ_realm(kdc_context, tgs_server));
1080 retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server);
1081 krb5_princ_set_realm(kdc_context, *pl2, &tmp);
1082 if (retval == KRB5_KDB_NOENTRY)
1088 tmp = *krb5_princ_realm(kdc_context, *pl2);
1089 krb5_princ_set_realm(kdc_context, *pl2,
1090 krb5_princ_realm(kdc_context, tgs_server));
1091 retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc);
1094 krb5_princ_set_realm(kdc_context, *pl2, &tmp);
1096 krb5_free_principal(kdc_context, request->server);
1097 request->server = tmpprinc;
1098 log_tgs_alt_tgt(request->server);
1099 *server_ptr = server;
1103 retval = KRB5_KDB_NOENTRY;
1106 krb5_free_realm_tree(kdc_context, plist);
1107 krb5_db_free_principal(kdc_context, server);
1112 prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
1114 krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH;
1115 char **realms, **cpp, *temp_buf=NULL;
1116 krb5_data *comp1 = NULL, *comp2 = NULL;
1117 char *comp1_str = NULL;
1119 /* By now we know that server principal name is unknown.
1120 * If CANONICALIZE flag is set in the request
1121 * If req is not U2U authn. req
1122 * the requested server princ. has exactly two components
1124 * the name type is NT-SRV-HST
1125 * or name type is NT-UNKNOWN and
1126 * the 1st component is listed in conf file under host_based_services
1127 * the 1st component is not in a list in conf under "no_host_referral"
1128 * the 2d component looks like fully-qualified domain name (FQDN)
1129 * If all of these conditions are satisfied - try mapping the FQDN and
1130 * re-process the request as if client had asked for cross-realm TGT.
1132 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) &&
1133 !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
1134 krb5_princ_size(kdc_context, request->server) == 2) {
1136 comp1 = krb5_princ_component(kdc_context, request->server, 0);
1137 comp2 = krb5_princ_component(kdc_context, request->server, 1);
1139 comp1_str = calloc(1,comp1->length+1);
1144 strlcpy(comp1_str,comp1->data,comp1->length+1);
1146 if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
1147 krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
1148 (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
1149 kdc_active_realm->realm_host_based_services != NULL &&
1150 (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
1151 comp1_str) == TRUE ||
1152 krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
1153 KRB5_CONF_ASTERISK) == TRUE))) &&
1154 (kdc_active_realm->realm_no_host_referral == NULL ||
1155 (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
1156 KRB5_CONF_ASTERISK) == FALSE &&
1157 krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
1158 comp1_str) == FALSE))) {
1160 if (memchr(comp2->data, '.', comp2->length) == NULL)
1162 temp_buf = calloc(1, comp2->length+1);
1167 strlcpy(temp_buf, comp2->data,comp2->length+1);
1168 retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
1171 /* no match found */
1172 kdc_err(kdc_context, retval, "unable to find realm of host");
1176 retval = KRB5KRB_AP_ERR_BADMATCH;
1179 if (realms[0] == 0) {
1181 retval = KRB5KRB_AP_ERR_BADMATCH;
1185 * Construct cross-realm tgt : krbtgt/REMOTE_REALM@LOCAL_REALM
1186 * and use it as a principal in this req.
1188 retval = krb5_build_principal(kdc_context, krbtgt_princ,
1189 (*request->server).realm.length,
1190 (*request->server).realm.data,
1191 "krbtgt", realms[0], (char *)0);
1192 for (cpp = realms; *cpp; cpp++)