1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
5 * Copyright 1990,1991,2001,2007,2008,2009 by the Massachusetts Institute of Technology.
8 * Export of this software from the United States of America may
9 * require a specific license from the United States Government.
10 * It is the responsibility of any person or organization contemplating
11 * export to obtain such a license before exporting.
13 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
14 * distribute this software and its documentation for any purpose and
15 * without fee is hereby granted, provided that the above copyright
16 * notice appear in all copies and that both that copyright notice and
17 * this permission notice appear in supporting documentation, and that
18 * the name of M.I.T. not be used in advertising or publicity pertaining
19 * to distribution of the software without specific, written prior
20 * permission. Furthermore if you modify this software you must label
21 * your software as modified software and not distribute it in such a
22 * fashion that it might be confused with the original M.I.T. software.
23 * M.I.T. makes no representations about the suitability of
24 * this software for any purpose. It is provided "as is" without express
25 * or implied warranty.
28 * KDC Routines to deal with TGS_REQ's
31 * Copyright (c) 2006-2008, Novell, Inc.
32 * All rights reserved.
34 * Redistribution and use in source and binary forms, with or without
35 * modification, are permitted provided that the following conditions are met:
37 * * Redistributions of source code must retain the above copyright notice,
38 * this list of conditions and the following disclaimer.
39 * * Redistributions in binary form must reproduce the above copyright
40 * notice, this list of conditions and the following disclaimer in the
41 * documentation and/or other materials provided with the distribution.
42 * * The copyright holder's name is not used to endorse or promote products
43 * derived from this software without specific prior written permission.
45 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
46 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
49 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
50 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
51 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
52 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
53 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
55 * POSSIBILITY OF SUCH DAMAGE.
61 #ifdef HAVE_NETINET_IN_H
62 #include <sys/types.h>
63 #include <netinet/in.h>
65 #include <arpa/inet.h>
72 #include "adm_proto.h"
75 static krb5_error_code
76 find_alternate_tgs(krb5_kdc_req *,krb5_db_entry **);
78 static krb5_error_code
79 prepare_error_tgs(struct kdc_request_state *, krb5_kdc_req *,krb5_ticket *,int,
80 krb5_principal,krb5_data **,const char *, krb5_data *);
83 prep_reprocess_req(krb5_kdc_req *,krb5_principal *);
87 process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
90 krb5_keyblock * subkey = 0;
91 krb5_keyblock * tgskey = 0;
92 krb5_kdc_req *request = 0;
93 krb5_db_entry *server = NULL;
95 krb5_enc_kdc_rep_part reply_encpart;
96 krb5_ticket ticket_reply, *header_ticket = 0;
98 krb5_enc_tkt_part enc_tkt_reply;
99 krb5_transited enc_tkt_transited;
100 int newtransited = 0;
101 krb5_error_code retval = 0;
102 krb5_keyblock encrypting_key;
103 krb5_timestamp kdc_time, authtime = 0;
104 krb5_keyblock session_key;
105 krb5_timestamp rtime;
106 krb5_keyblock *reply_key = NULL;
107 krb5_key_data *server_key;
108 char *cname = 0, *sname = 0, *altcname = 0;
109 krb5_last_req_entry *nolrarray[2], nolrentry;
110 krb5_enctype useenctype;
111 int errcode, errcode2;
114 const char *status = 0;
115 krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
116 krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
117 krb5_db_entry *client = NULL, *krbtgt = NULL;
118 krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
119 krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
120 unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
121 char *s4u_name = NULL;
122 krb5_boolean is_referral, db_ref_done = FALSE;
123 const char *emsg = NULL;
124 krb5_data *tgs_1 =NULL, *server_1 = NULL;
125 krb5_principal krbtgt_princ;
126 krb5_kvno ticket_kvno = 0;
127 struct kdc_request_state *state = NULL;
128 krb5_pa_data *pa_tgs_req; /*points into request*/
130 krb5_data e_data = empty_data(); /* backend-provided error data */
132 reply.padata = 0; /* For cleanup handler */
133 reply_encpart.enc_padata = 0;
134 enc_tkt_reply.authorization_data = NULL;
137 session_key.contents = NULL;
139 retval = decode_krb5_tgs_req(pkt, &request);
142 if (request->msg_type != KRB5_TGS_REQ) {
143 krb5_free_kdc_req(kdc_context, request);
144 return KRB5_BADMSGTYPE;
148 * setup_server_realm() sets up the global realm-specific data pointer.
150 if ((retval = setup_server_realm(request->server))) {
151 krb5_free_kdc_req(kdc_context, request);
154 errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
155 &krbtgt, &tgskey, &subkey, &pa_tgs_req);
156 if (header_ticket && header_ticket->enc_part2 &&
157 (errcode2 = krb5_unparse_name(kdc_context,
158 header_ticket->enc_part2->client,
160 status = "UNPARSING CLIENT";
167 status = "PROCESS_TGS";
171 if (!header_ticket) {
172 errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
173 status="UNEXPECTED NULL in header_ticket";
176 errcode = kdc_make_rstate(&state);
178 status = "making state";
181 scratch.length = pa_tgs_req->length;
182 scratch.data = (char *) pa_tgs_req->contents;
183 errcode = kdc_find_fast(&request, &scratch, subkey,
184 header_ticket->enc_part2->session, state);
186 status = "kdc_find_fast";
191 * Pointer to the encrypted part of the header ticket, which may be
192 * replaced to point to the encrypted part of the evidence ticket
193 * if constrained delegation is used. This simplifies the number of
194 * special cases for constrained delegation.
196 header_enc_tkt = header_ticket->enc_part2;
199 * We've already dealt with the AP_REQ authentication, so we can
200 * use header_ticket freely. The encrypted part (if any) has been
201 * decrypted with the session key.
204 /* XXX make sure server here has the proper realm...taken from AP_REQ
207 setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
208 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
209 setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
210 setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
215 if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
216 status = "UNPARSING SERVER";
221 errcode = krb5_db_get_principal(kdc_context, request->server,
223 if (errcode && errcode != KRB5_KDB_NOENTRY) {
224 status = "LOOKING_UP_SERVER";
228 if (errcode == KRB5_KDB_NOENTRY) {
230 * might be a request for a TGT for some other realm; we
231 * should do our best to find such a TGS in this db
235 if ( krb5_is_tgs_principal(request->server) == TRUE) {
236 /* Principal is a name of krb ticket service */
237 if (krb5_princ_size(kdc_context, request->server) == 2) {
239 server_1 = krb5_princ_component(kdc_context,
241 tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
243 if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
244 errcode = find_alternate_tgs(request, &server);
249 status = "UNKNOWN_SERVER";
250 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
253 } else if ( db_ref_done == FALSE) {
254 retval = prep_reprocess_req(request, &krbtgt_princ);
256 krb5_free_principal(kdc_context, request->server);
257 retval = krb5_copy_principal(kdc_context, krbtgt_princ,
269 status = "UNKNOWN_SERVER";
270 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
274 if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
275 status = "TIME_OF_DAY";
279 if ((retval = validate_tgs_request(request, *server, header_ticket,
280 kdc_time, &status, &e_data))) {
282 status = "UNKNOWN_REASON";
283 errcode = retval + ERROR_TABLE_BASE_krb5;
287 if (!is_local_principal(header_enc_tkt->client))
288 setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
290 is_referral = krb5_is_tgs_principal(server->princ) &&
291 !krb5_principal_compare(kdc_context, tgs_server, server->princ);
293 /* Check for protocol transition */
294 errcode = kdc_process_s4u2self_req(kdc_context,
296 header_enc_tkt->client,
299 header_enc_tkt->session,
306 if (s4u_x509_user != NULL)
307 setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
310 * We pick the session keytype here....
312 * Some special care needs to be taken in the user-to-user
313 * case, since we don't know what keytypes the application server
314 * which is doing user-to-user authentication can support. We
315 * know that it at least must be able to support the encryption
316 * type of the session key in the TGT, since otherwise it won't be
317 * able to decrypt the U2U ticket! So we use that in preference
321 if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
322 KDC_OPT_CNAME_IN_ADDL_TKT)) {
323 krb5_keyblock * st_sealing_key;
324 krb5_kvno st_srv_kvno;
326 krb5_db_entry *st_client;
329 * Get the key for the second ticket, and decrypt it.
331 if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
333 TRUE, /* match_enctype */
337 status = "2ND_TKT_SERVER";
340 errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
341 request->second_ticket[st_idx]);
342 krb5_free_keyblock(kdc_context, st_sealing_key);
344 status = "2ND_TKT_DECRYPT";
345 krb5_db_free_principal(kdc_context, st_client);
349 etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
350 if (!krb5_c_valid_enctype(etype)) {
351 status = "BAD_ETYPE_IN_2ND_TKT";
352 errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
353 krb5_db_free_principal(kdc_context, st_client);
357 for (i = 0; i < request->nktypes; i++) {
358 if (request->ktype[i] == etype) {
364 if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
365 /* Do constrained delegation protocol and authorization checks */
366 errcode = kdc_process_s4u2proxy_req(kdc_context,
368 request->second_ticket[st_idx]->enc_part2,
370 header_ticket->enc_part2->client,
376 setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
378 assert(krb5_is_tgs_principal(header_ticket->server));
380 assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
383 /* "client" is not used for user2user */
384 krb5_db_free_principal(kdc_context, st_client);
389 * Select the keytype for the ticket session key.
391 if ((useenctype == 0) &&
392 (useenctype = select_session_keytype(kdc_context, server,
394 request->ktype)) == 0) {
395 /* unsupported ktype */
396 status = "BAD_ENCRYPTION_TYPE";
397 errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
401 errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
404 /* random key failed */
405 status = "RANDOM_KEY_FAILED";
410 * subject_tkt will refer to the evidence ticket (for constrained
411 * delegation) or the TGT. The distinction from header_enc_tkt is
412 * necessary because the TGS signature only protects some fields:
413 * the others could be forged by a malicious server.
416 if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
417 subject_tkt = request->second_ticket[st_idx]->enc_part2;
419 subject_tkt = header_enc_tkt;
420 authtime = subject_tkt->times.authtime;
423 ticket_reply.server = server->princ;
425 ticket_reply.server = request->server; /* XXX careful for realm... */
427 enc_tkt_reply.flags = 0;
428 enc_tkt_reply.times.starttime = 0;
430 if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
431 setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
434 * Fix header_ticket's starttime; if it's zero, fill in the
437 if (!(header_enc_tkt->times.starttime))
438 header_enc_tkt->times.starttime = authtime;
439 setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
441 /* don't use new addresses unless forwarded, see below */
443 enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
444 /* noaddrarray[0] = 0; */
445 reply_encpart.caddrs = 0;/* optional...don't put it in */
446 reply_encpart.enc_padata = NULL;
449 * It should be noted that local policy may affect the
450 * processing of any of these flags. For example, some
451 * realms may refuse to issue renewable tickets
454 if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
455 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
457 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
459 * If S4U2Self principal is not forwardable, then mark ticket as
460 * unforwardable. This behaviour matches Windows, but it is
461 * different to the MIT AS-REQ path, which returns an error
462 * (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
464 * Consider this block the S4U2Self equivalent to
465 * validate_forwardable().
467 if (client != NULL &&
468 isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
469 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
471 * Forwardable flag is propagated along referral path.
473 else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
474 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
476 * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
477 * S4U2Self in order for forwardable tickets to be returned.
479 else if (!is_referral &&
480 !isflagset(server->attributes,
481 KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
482 clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
486 if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
487 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
489 /* include new addresses in ticket & reply */
491 enc_tkt_reply.caddrs = request->addresses;
492 reply_encpart.caddrs = request->addresses;
494 if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED))
495 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
497 if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
498 setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
500 if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
501 setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
503 /* include new addresses in ticket & reply */
505 enc_tkt_reply.caddrs = request->addresses;
506 reply_encpart.caddrs = request->addresses;
509 if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
510 setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
512 if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
513 setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
514 setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
515 enc_tkt_reply.times.starttime = request->from;
517 enc_tkt_reply.times.starttime = kdc_time;
519 if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
520 assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
521 /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
523 ticket_reply = *(header_ticket);
524 enc_tkt_reply = *(header_ticket->enc_part2);
525 enc_tkt_reply.authorization_data = NULL;
526 clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
529 if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
530 krb5_deltat old_life;
532 assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
533 /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
535 ticket_reply = *(header_ticket);
536 enc_tkt_reply = *(header_ticket->enc_part2);
537 enc_tkt_reply.authorization_data = NULL;
539 old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
541 enc_tkt_reply.times.starttime = kdc_time;
542 enc_tkt_reply.times.endtime =
543 min(header_ticket->enc_part2->times.renew_till,
544 kdc_time + old_life);
546 /* not a renew request */
547 enc_tkt_reply.times.starttime = kdc_time;
549 kdc_get_ticket_endtime(kdc_context, enc_tkt_reply.times.starttime,
550 header_enc_tkt->times.endtime, request->till,
551 client, server, &enc_tkt_reply.times.endtime);
553 if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
554 (enc_tkt_reply.times.endtime < request->till) &&
555 isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
556 setflag(request->kdc_options, KDC_OPT_RENEWABLE);
558 min(request->till, header_enc_tkt->times.renew_till);
561 rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
563 if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
564 /* already checked above in policy check to reject request for a
565 renewable ticket using a non-renewable ticket */
566 setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
567 enc_tkt_reply.times.renew_till =
569 min(header_enc_tkt->times.renew_till,
570 enc_tkt_reply.times.starttime +
571 min(server->max_renewable_life,
572 max_renewable_life_for_realm)));
574 enc_tkt_reply.times.renew_till = 0;
576 if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
577 setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
579 * Set authtime to be the same as header or evidence ticket's
581 enc_tkt_reply.times.authtime = authtime;
584 * Propagate the preauthentication flags through to the returned ticket.
586 if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH))
587 setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
589 if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH))
590 setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
592 /* starttime is optional, and treated as authtime if not present.
593 so we can nuke it if it matches */
594 if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
595 enc_tkt_reply.times.starttime = 0;
597 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
598 errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user,
600 } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
601 errcode = krb5_unparse_name(kdc_context, subject_tkt->client,
607 status = "UNPARSING S4U CLIENT";
611 if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
612 krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
613 encrypting_key = *(t2enc->session);
616 * Find the server key
618 if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
619 -1, /* ignore keytype */
620 -1, /* Ignore salttype */
621 0, /* Get highest kvno */
623 status = "FINDING_SERVER_KEY";
628 * Convert server.key into a real key
629 * (it may be encrypted in the database)
631 if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
632 server_key, &encrypting_key,
634 status = "DECRYPT_SERVER_KEY";
639 if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
641 * Don't allow authorization data to be disabled if constrained
642 * delegation is requested. We don't want to deny the server
643 * the ability to validate that delegation was used.
645 clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
647 if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
649 * If we are not doing protocol transition/constrained delegation
650 * try to lookup the client principal so plugins can add additional
651 * authorization information.
653 * Always validate authorization data for constrained delegation
654 * because we must validate the KDC signatures.
656 if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U)) {
657 /* Generate authorization data so we can include it in ticket */
658 setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
659 /* Map principals from foreign (possibly non-AD) realms */
660 setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
662 assert(client == NULL); /* should not have been set already */
664 errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
669 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
670 !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
671 enc_tkt_reply.client = s4u_x509_user->user_id.user;
673 enc_tkt_reply.client = subject_tkt->client;
675 enc_tkt_reply.session = &session_key;
676 enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
677 enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
679 errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
680 subkey != NULL ? subkey :
681 header_ticket->enc_part2->session,
682 &encrypting_key, /* U2U or server key */
687 s4u_x509_user->user_id.user : NULL,
691 krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode);
692 status = "HANDLE_AUTHDATA";
698 * Only add the realm of the presented tgt to the transited list if
699 * it is different than the local realm (cross-realm) and it is different
700 * than the realm of the client (since the realm of the client is already
701 * implicitly part of the transited list and should not be explicitly
704 /* realm compare is like strcmp, but knows how to deal with these args */
705 if (realm_compare(header_ticket->server, tgs_server) ||
706 realm_compare(header_ticket->server, enc_tkt_reply.client)) {
707 /* tgt issued by local realm or issued by realm of client */
708 enc_tkt_reply.transited = header_enc_tkt->transited;
710 /* tgt issued by some other realm and not the realm of the client */
711 /* assemble new transited field into allocated storage */
712 if (header_enc_tkt->transited.tr_type !=
713 KRB5_DOMAIN_X500_COMPRESS) {
714 status = "BAD_TRTYPE";
715 errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
718 enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
719 enc_tkt_transited.magic = 0;
720 enc_tkt_transited.tr_contents.magic = 0;
721 enc_tkt_transited.tr_contents.data = 0;
722 enc_tkt_transited.tr_contents.length = 0;
723 enc_tkt_reply.transited = enc_tkt_transited;
725 add_to_transited(&header_enc_tkt->transited.tr_contents,
726 &enc_tkt_reply.transited.tr_contents,
727 header_ticket->server,
728 enc_tkt_reply.client,
730 status = "ADD_TR_FAIL";
735 if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
736 errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
739 status = "NON_TRANSITIVE";
743 if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
747 errcode = kdc_check_transited_list (kdc_context,
748 &enc_tkt_reply.transited.tr_contents,
749 krb5_princ_realm (kdc_context, header_enc_tkt->client),
750 krb5_princ_realm (kdc_context, request->server));
751 tlen = enc_tkt_reply.transited.tr_contents.length;
752 tdots = tlen > 125 ? "..." : "";
753 tlen = tlen > 125 ? 125 : tlen;
756 setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
757 } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
758 krb5_klog_syslog (LOG_INFO,
759 "bad realm transit path from '%s' to '%s' "
761 cname ? cname : "<unknown client>",
762 sname ? sname : "<unknown server>",
764 enc_tkt_reply.transited.tr_contents.data,
767 emsg = krb5_get_error_message(kdc_context, errcode);
768 krb5_klog_syslog (LOG_ERR,
769 "unexpected error checking transit from "
770 "'%s' to '%s' via '%.*s%s': %s",
771 cname ? cname : "<unknown client>",
772 sname ? sname : "<unknown server>",
774 enc_tkt_reply.transited.tr_contents.data,
776 krb5_free_error_message(kdc_context, emsg);
780 krb5_klog_syslog (LOG_INFO, "not checking transit path");
781 if (reject_bad_transit
782 && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
783 errcode = KRB5KDC_ERR_POLICY;
784 status = "BAD_TRANSIT";
788 ticket_reply.enc_part2 = &enc_tkt_reply;
791 * If we are doing user-to-user authentication, then make sure
792 * that the client for the second ticket matches the request
793 * server, and then encrypt the ticket using the session key of
796 if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
798 * Make sure the client for the second ticket matches
801 krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
802 krb5_principal client2 = t2enc->client;
803 if (!krb5_principal_compare(kdc_context, request->server, client2)) {
804 if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
806 if (altcname != NULL)
807 limit_string(altcname);
809 errcode = KRB5KDC_ERR_SERVER_NOMATCH;
810 status = "2ND_TKT_MISMATCH";
815 ticket_reply.enc_part.enctype = t2enc->session->enctype;
818 ticket_kvno = server_key->key_data_kvno;
821 errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
823 if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
824 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
826 status = "TKT_ENCRYPT";
829 ticket_reply.enc_part.kvno = ticket_kvno;
830 /* Start assembling the response */
831 reply.msg_type = KRB5_TGS_REP;
832 if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
833 find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) {
834 errcode = kdc_make_s4u2self_rep(kdc_context,
836 header_ticket->enc_part2->session,
841 status = "KDC_RETURN_S4U2SELF_PADATA";
846 reply.client = enc_tkt_reply.client;
847 reply.enc_part.kvno = 0;/* We are using the session key */
848 reply.ticket = &ticket_reply;
850 reply_encpart.session = &session_key;
851 reply_encpart.nonce = request->nonce;
853 /* copy the time fields */
854 reply_encpart.times = enc_tkt_reply.times;
856 /* starttime is optional, and treated as authtime if not present.
857 so we can nuke it if it matches */
858 if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
859 enc_tkt_reply.times.starttime = 0;
861 nolrentry.lr_type = KRB5_LRQ_NONE;
863 nolrarray[0] = &nolrentry;
865 reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
866 reply_encpart.key_exp = 0;/* ditto */
867 reply_encpart.flags = enc_tkt_reply.flags;
868 reply_encpart.server = ticket_reply.server;
870 /* use the session key in the ticket, unless there's a subsession key
872 reply.enc_part.enctype = subkey ? subkey->enctype :
873 header_ticket->enc_part2->session->enctype;
874 errcode = kdc_fast_response_handle_padata(state, request, &reply,
875 subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
877 status = "Preparing FAST padata";
880 errcode =kdc_fast_handle_reply_key(state,
881 subkey?subkey:header_ticket->enc_part2->session, &reply_key);
883 status = "generating reply key";
886 errcode = return_enc_padata(kdc_context, pkt, request,
887 reply_key, server, &reply_encpart,
890 KRB5_KDB_FLAG_CANONICALIZE));
892 status = "KDC_RETURN_ENC_PADATA";
896 errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
901 status = "ENCODE_KDC_REP";
906 memset(ticket_reply.enc_part.ciphertext.data, 0,
907 ticket_reply.enc_part.ciphertext.length);
908 free(ticket_reply.enc_part.ciphertext.data);
909 /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
910 can use them in raw form if needed. But, we don't... */
911 memset(reply.enc_part.ciphertext.data, 0,
912 reply.enc_part.ciphertext.length);
913 free(reply.enc_part.ciphertext.data);
916 assert(status != NULL);
918 krb5_free_keyblock(kdc_context, reply_key);
920 emsg = krb5_get_error_message (kdc_context, errcode);
921 log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
922 c_flags, s4u_name, status, errcode, emsg);
924 krb5_free_error_message (kdc_context, emsg);
931 status = krb5_get_error_message (kdc_context, errcode);
934 errcode -= ERROR_TABLE_BASE_krb5;
935 if (errcode < 0 || errcode > 128)
936 errcode = KRB_ERR_GENERIC;
938 retval = prepare_error_tgs(state, request, header_ticket, errcode,
939 (server != NULL) ? server->princ : NULL,
940 response, status, &e_data);
942 krb5_free_error_message (kdc_context, status);
947 if (header_ticket != NULL)
948 krb5_free_ticket(kdc_context, header_ticket);
950 krb5_free_kdc_req(kdc_context, request);
952 kdc_free_rstate(state);
957 krb5_db_free_principal(kdc_context, server);
958 krb5_db_free_principal(kdc_context, krbtgt);
959 krb5_db_free_principal(kdc_context, client);
960 if (session_key.contents != NULL)
961 krb5_free_keyblock_contents(kdc_context, &session_key);
963 free(enc_tkt_reply.transited.tr_contents.data);
964 if (s4u_x509_user != NULL)
965 krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
966 if (kdc_issued_auth_data != NULL)
967 krb5_free_authdata(kdc_context, kdc_issued_auth_data);
968 if (s4u_name != NULL)
971 krb5_free_keyblock(kdc_context, subkey);
973 krb5_free_keyblock(kdc_context, tgskey);
975 krb5_free_pa_data(kdc_context, reply.padata);
976 if (reply_encpart.enc_padata)
977 krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
978 if (enc_tkt_reply.authorization_data != NULL)
979 krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
980 krb5_free_data_contents(kdc_context, &e_data);
985 static krb5_error_code
986 prepare_error_tgs (struct kdc_request_state *state,
987 krb5_kdc_req *request, krb5_ticket *ticket, int error,
988 krb5_principal canon_server,
989 krb5_data **response, const char *status,
993 krb5_error_code retval = 0;
994 krb5_data *scratch, *fast_edata = NULL;
996 errpkt.ctime = request->nonce;
999 if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
1002 errpkt.error = error;
1003 errpkt.server = request->server;
1004 if (ticket && ticket->enc_part2)
1005 errpkt.client = ticket->enc_part2->client;
1007 errpkt.client = NULL;
1008 errpkt.text.length = strlen(status);
1009 if (!(errpkt.text.data = strdup(status)))
1012 if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
1013 free(errpkt.text.data);
1016 errpkt.e_data = *e_data;
1018 retval = kdc_fast_handle_error(kdc_context, state, request, NULL,
1019 &errpkt, &fast_edata);
1023 free(errpkt.text.data);
1027 errpkt.e_data = *fast_edata;
1028 retval = krb5_mk_error(kdc_context, &errpkt, scratch);
1029 free(errpkt.text.data);
1030 krb5_free_data(kdc_context, fast_edata);
1034 *response = scratch;
1040 * The request seems to be for a ticket-granting service somewhere else,
1041 * but we don't have a ticket for the final TGS. Try to give the requestor
1042 * some intermediate realm.
1044 static krb5_error_code
1045 find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr)
1047 krb5_error_code retval;
1048 krb5_principal *plist = NULL, *pl2, tmpprinc;
1050 krb5_db_entry *server = NULL;
1055 * Call to krb5_princ_component is normally not safe but is so
1056 * here only because find_alternate_tgs() is only called from
1057 * somewhere that has already checked the number of components in
1060 if ((retval = krb5_walk_realm_tree(kdc_context,
1061 krb5_princ_realm(kdc_context, request->server),
1062 krb5_princ_component(kdc_context, request->server, 1),
1063 &plist, KRB5_REALM_BRANCH_CHAR)))
1066 /* move to the end */
1067 for (pl2 = plist; *pl2; pl2++);
1069 /* the first entry in this array is for krbtgt/local@local, so we
1071 while (--pl2 > plist) {
1072 tmp = *krb5_princ_realm(kdc_context, *pl2);
1073 krb5_princ_set_realm(kdc_context, *pl2,
1074 krb5_princ_realm(kdc_context, tgs_server));
1075 retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server);
1076 krb5_princ_set_realm(kdc_context, *pl2, &tmp);
1077 if (retval == KRB5_KDB_NOENTRY)
1083 tmp = *krb5_princ_realm(kdc_context, *pl2);
1084 krb5_princ_set_realm(kdc_context, *pl2,
1085 krb5_princ_realm(kdc_context, tgs_server));
1086 retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc);
1089 krb5_princ_set_realm(kdc_context, *pl2, &tmp);
1091 krb5_free_principal(kdc_context, request->server);
1092 request->server = tmpprinc;
1093 log_tgs_alt_tgt(request->server);
1094 *server_ptr = server;
1098 retval = KRB5_KDB_NOENTRY;
1101 krb5_free_realm_tree(kdc_context, plist);
1102 krb5_db_free_principal(kdc_context, server);
1107 prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
1109 krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH;
1110 char **realms, **cpp, *temp_buf=NULL;
1111 krb5_data *comp1 = NULL, *comp2 = NULL;
1112 char *comp1_str = NULL;
1114 /* By now we know that server principal name is unknown.
1115 * If CANONICALIZE flag is set in the request
1116 * If req is not U2U authn. req
1117 * the requested server princ. has exactly two components
1119 * the name type is NT-SRV-HST
1120 * or name type is NT-UNKNOWN and
1121 * the 1st component is listed in conf file under host_based_services
1122 * the 1st component is not in a list in conf under "no_host_referral"
1123 * the 2d component looks like fully-qualified domain name (FQDN)
1124 * If all of these conditions are satisfied - try mapping the FQDN and
1125 * re-process the request as if client had asked for cross-realm TGT.
1127 if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) &&
1128 !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
1129 krb5_princ_size(kdc_context, request->server) == 2) {
1131 comp1 = krb5_princ_component(kdc_context, request->server, 0);
1132 comp2 = krb5_princ_component(kdc_context, request->server, 1);
1134 comp1_str = calloc(1,comp1->length+1);
1139 strlcpy(comp1_str,comp1->data,comp1->length+1);
1141 if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
1142 krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
1143 (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
1144 kdc_active_realm->realm_host_based_services != NULL &&
1145 (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
1146 comp1_str) == TRUE ||
1147 krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
1148 KRB5_CONF_ASTERISK) == TRUE))) &&
1149 (kdc_active_realm->realm_no_host_referral == NULL ||
1150 (krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
1151 KRB5_CONF_ASTERISK) == FALSE &&
1152 krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral,
1153 comp1_str) == FALSE))) {
1155 if (memchr(comp2->data, '.', comp2->length) == NULL)
1157 temp_buf = calloc(1, comp2->length+1);
1162 strlcpy(temp_buf, comp2->data,comp2->length+1);
1163 retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
1166 /* no match found */
1167 kdc_err(kdc_context, retval, "unable to find realm of host");
1171 retval = KRB5KRB_AP_ERR_BADMATCH;
1174 if (realms[0] == 0) {
1176 retval = KRB5KRB_AP_ERR_BADMATCH;
1180 * Construct cross-realm tgt : krbtgt/REMOTE_REALM@LOCAL_REALM
1181 * and use it as a principal in this req.
1183 retval = krb5_build_principal(kdc_context, krbtgt_princ,
1184 (*request->server).realm.length,
1185 (*request->server).realm.data,
1186 "krbtgt", realms[0], (char *)0);
1187 for (cpp = realms; *cpp; cpp++)