- num_realms++;
- }
- if(num_realms == 0) {
- if(strcmp(client_realm, server_realm))
- kdc_log(context, config, 0,
- "cross-realm %s -> %s", client_realm, server_realm);
- } else {
- size_t l = 0;
- char *rs;
- for(i = 0; i < num_realms; i++)
- l += strlen(realms[i]) + 2;
- rs = malloc(l);
- if(rs != NULL) {
- *rs = '\0';
- for(i = 0; i < num_realms; i++) {
- if(i > 0)
- strlcat(rs, ", ", l);
- strlcat(rs, realms[i], l);
- }
- kdc_log(context, config, 0,
- "cross-realm %s -> %s via [%s]",
- client_realm, server_realm, rs);
- free(rs);
- }
- }
- if(check_policy) {
- ret = krb5_check_transited(context, client_realm,
- server_realm,
- realms, num_realms, NULL);
- if(ret) {
- krb5_warn(context, ret, "cross-realm %s -> %s",
- client_realm, server_realm);
- goto free_realms;
- }
- et->flags.transited_policy_checked = 1;
- }
- et->transited.tr_type = DOMAIN_X500_COMPRESS;
- ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
- if(ret)
- krb5_warn(context, ret, "Encoding transited encoding");
- free_realms:
- for(i = 0; i < num_realms; i++)
- free(realms[i]);
- free(realms);
- return ret;
-}
-
-
-static krb5_error_code
-tgs_make_reply(krb5_context context,
- krb5_kdc_configuration *config,
- KDC_REQ_BODY *b,
- EncTicketPart *tgt,
- EncTicketPart *adtkt,
- AuthorizationData *auth_data,
- hdb_entry *server,
- hdb_entry *client,
- krb5_principal client_principal,
- hdb_entry *krbtgt,
- EncryptionKey *tgtkey,
- krb5_enctype cetype,
- const char **e_text,
- krb5_data *reply)
-{
- KDC_REP rep;
- EncKDCRepPart ek;
- EncTicketPart et;
- KDCOptions f = b->kdc_options;
- krb5_error_code ret;
- krb5_enctype etype;
- Key *skey;
- EncryptionKey *ekey;
-
- if(adtkt) {
- int i;
- krb5_keytype kt;
- ekey = &adtkt->key;
- for(i = 0; i < b->etype.len; i++){
- ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt);
- if(ret)
- continue;
- if(adtkt->key.keytype == kt)
- break;
- }
- if(i == b->etype.len)
- return KRB5KDC_ERR_ETYPE_NOSUPP;
- etype = b->etype.val[i];
- }else{
- ret = find_keys(context, config,
- NULL, server, NULL, NULL, &skey, &etype,
- b->etype.val, b->etype.len);
- if(ret) {
- kdc_log(context, config, 0, "Server has no support for etypes");
- return ret;
- }
- ekey = &skey->key;
- }
-
- memset(&rep, 0, sizeof(rep));
- memset(&et, 0, sizeof(et));
- memset(&ek, 0, sizeof(ek));
-
- rep.pvno = 5;
- rep.msg_type = krb_tgs_rep;
-
- et.authtime = tgt->authtime;
- fix_time(&b->till);
- et.endtime = min(tgt->endtime, *b->till);
- ALLOC(et.starttime);
- *et.starttime = kdc_time;
-
- ret = check_tgs_flags(context, config, b, tgt, &et);
- if(ret)
- goto out;
-
- /* We should check the transited encoding if:
- 1) the request doesn't ask not to be checked
- 2) globally enforcing a check
- 3) principal requires checking
- 4) we allow non-check per-principal, but principal isn't marked as allowing this
- 5) we don't globally allow this
- */
-
-#define GLOBAL_FORCE_TRANSITED_CHECK \
- (config->trpolicy == TRPOLICY_ALWAYS_CHECK)
-#define GLOBAL_ALLOW_PER_PRINCIPAL \
- (config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
-#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
- (config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
-
-/* these will consult the database in future release */
-#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
-#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
-
- ret = fix_transited_encoding(context, config,
- !f.disable_transited_check ||
- GLOBAL_FORCE_TRANSITED_CHECK ||
- PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
- !((GLOBAL_ALLOW_PER_PRINCIPAL &&
- PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
- GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
- &tgt->transited, &et,
- *krb5_princ_realm(context, client_principal),
- *krb5_princ_realm(context, server->principal),
- *krb5_princ_realm(context, krbtgt->principal));
- if(ret)
- goto out;
-
- copy_Realm(krb5_princ_realm(context, server->principal),
- &rep.ticket.realm);
- _krb5_principal2principalname(&rep.ticket.sname, server->principal);
- copy_Realm(&tgt->crealm, &rep.crealm);
- if (f.request_anonymous)
- make_anonymous_principalname (&tgt->cname);
- else
- copy_PrincipalName(&tgt->cname, &rep.cname);
- rep.ticket.tkt_vno = 5;
-
- ek.caddr = et.caddr;
- if(et.caddr == NULL)
- et.caddr = tgt->caddr;
-
- {
- time_t life;
- life = et.endtime - *et.starttime;
- if(client && client->max_life)
- life = min(life, *client->max_life);
- if(server->max_life)
- life = min(life, *server->max_life);
- et.endtime = *et.starttime + life;
- }
- if(f.renewable_ok && tgt->flags.renewable &&
- et.renew_till == NULL && et.endtime < *b->till){
- et.flags.renewable = 1;
- ALLOC(et.renew_till);
- *et.renew_till = *b->till;
- }
- if(et.renew_till){
- time_t renew;
- renew = *et.renew_till - et.authtime;
- if(client && client->max_renew)
- renew = min(renew, *client->max_renew);
- if(server->max_renew)
- renew = min(renew, *server->max_renew);
- *et.renew_till = et.authtime + renew;
- }
-
- if(et.renew_till){
- *et.renew_till = min(*et.renew_till, *tgt->renew_till);
- *et.starttime = min(*et.starttime, *et.renew_till);
- et.endtime = min(et.endtime, *et.renew_till);
- }
-
- *et.starttime = min(*et.starttime, et.endtime);
-
- if(*et.starttime == et.endtime){
- ret = KRB5KDC_ERR_NEVER_VALID;
- goto out;
- }
- if(et.renew_till && et.endtime == *et.renew_till){
- free(et.renew_till);
- et.renew_till = NULL;
- et.flags.renewable = 0;
- }
-
- et.flags.pre_authent = tgt->flags.pre_authent;
- et.flags.hw_authent = tgt->flags.hw_authent;
- et.flags.anonymous = tgt->flags.anonymous;
- et.flags.ok_as_delegate = server->flags.ok_as_delegate;
-
-#ifdef _SAMBA_BUILD_
-
- {
-
- unsigned char *buf;
- size_t buf_size;
- size_t len;
-
- krb5_data pac;
- AD_IF_RELEVANT *if_relevant;
- ALLOC(if_relevant);
- if_relevant->len = 1;
- if_relevant->val = malloc(sizeof(*if_relevant->val));
- if_relevant->val[0].ad_type = KRB5_AUTHDATA_WIN2K_PAC;
- if_relevant->val[0].ad_data.data = NULL;
- if_relevant->val[0].ad_data.length = 0;
-
- /* Get PAC from Samba */
- ret = samba_get_pac(context, config,
- client->principal,
- tgtkey,
- ekey,
- &pac);
- if (ret) {
- free_AuthorizationData(if_relevant);
- goto out;
- }
-
- /* pac.data will be freed with this */
- if_relevant->val[0].ad_data.data = pac.data;
- if_relevant->val[0].ad_data.length = pac.length;
-
- ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, if_relevant, &len, ret);
-
- auth_data = NULL;
- ALLOC(auth_data);
- auth_data->len = 1;
- auth_data->val = malloc(sizeof(*auth_data->val));
- auth_data->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
- auth_data->val[0].ad_data.length = len;
- auth_data->val[0].ad_data.data = buf;
- if (ret) {
- goto out;
- }
- }
-
-#endif
- /* XXX Check enc-authorization-data */
- et.authorization_data = auth_data;
-
- krb5_generate_random_keyblock(context, etype, &et.key);
- et.crealm = tgt->crealm;
- et.cname = tgt->cname;
-
- ek.key = et.key;
- /* MIT must have at least one last_req */
- ek.last_req.len = 1;
- ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
- ek.nonce = b->nonce;
- ek.flags = et.flags;
- ek.authtime = et.authtime;
- ek.starttime = et.starttime;
- ek.endtime = et.endtime;
- ek.renew_till = et.renew_till;
- ek.srealm = rep.ticket.realm;
- ek.sname = rep.ticket.sname;
-
- log_timestamp(context, config, "TGS-REQ", et.authtime, et.starttime,
- et.endtime, et.renew_till);
-
- /* It is somewhat unclear where the etype in the following
- encryption should come from. What we have is a session
- key in the passed tgt, and a list of preferred etypes
- *for the new ticket*. Should we pick the best possible
- etype, given the keytype in the tgt, or should we look
- at the etype list here as well? What if the tgt
- session key is DES3 and we want a ticket with a (say)
- CAST session key. Should the DES3 etype be added to the
- etype list, even if we don't want a session key with
- DES3? */
- ret = encode_reply(context, config,
- &rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
- 0, &tgt->key, e_text, reply);
- out:
- free_TGS_REP(&rep);
- free_TransitedEncoding(&et.transited);
- if(et.starttime)
- free(et.starttime);
- if(et.renew_till)
- free(et.renew_till);
- free_LastReq(&ek.last_req);
- memset(et.key.keyvalue.data, 0, et.key.keyvalue.length);
- free_EncryptionKey(&et.key);
- return ret;
-}
-
-static krb5_error_code
-tgs_check_authenticator(krb5_context context,
- krb5_kdc_configuration *config,
- krb5_auth_context ac,
- KDC_REQ_BODY *b,
- const char **e_text,
- krb5_keyblock *key)
-{
- krb5_authenticator auth;
- size_t len;
- unsigned char *buf;
- size_t buf_size;
- krb5_error_code ret;
- krb5_crypto crypto;
-
- krb5_auth_con_getauthenticator(context, ac, &auth);
- if(auth->cksum == NULL){
- kdc_log(context, config, 0, "No authenticator in request");
- ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
- goto out;
- }
- /*
- * according to RFC1510 it doesn't need to be keyed,
- * but according to the latest draft it needs to.
- */
- if (
-#if 0
-!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
- ||
-#endif
- !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
- kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
- auth->cksum->cksumtype);
- ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
- goto out;
- }
-
- /* XXX should not re-encode this */
- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
- if(ret){
- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
- if(buf_size != len) {
- free(buf);
- kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
- *e_text = "KDC internal error";
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret) {
- free(buf);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
- ret = krb5_verify_checksum(context,
- crypto,
- KRB5_KU_TGS_REQ_AUTH_CKSUM,
- buf,
- len,
- auth->cksum);
- free(buf);
- krb5_crypto_destroy(context, crypto);
- if(ret){
- kdc_log(context, config, 0,
- "Failed to verify authenticator checksum: %s",
- krb5_get_err_text(context, ret));
- }
-out:
- free_Authenticator(auth);
- free(auth);
- return ret;
-}
-
-/*
- * return the realm of a krbtgt-ticket or NULL
- */
-
-static Realm
-get_krbtgt_realm(const PrincipalName *p)
-{
- if(p->name_string.len == 2
- && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0)
- return p->name_string.val[1];
- else
- return NULL;
-}
-
-static const char *
-find_rpath(krb5_context context, Realm crealm, Realm srealm)
-{
- const char *new_realm = krb5_config_get_string(context,
- NULL,
- "capaths",
- crealm,
- srealm,
- NULL);
- return new_realm;
-}
-
-
-static krb5_boolean
-need_referral(krb5_context context, krb5_principal server, krb5_realm **realms)
-{
- if(server->name.name_type != KRB5_NT_SRV_INST ||
- server->name.name_string.len != 2)
- return FALSE;
-
- return _krb5_get_host_realm_int(context, server->name.name_string.val[1],
- FALSE, realms) == 0;
-}
-
-static krb5_error_code
-tgs_rep2(krb5_context context,
- krb5_kdc_configuration *config,
- KDC_REQ_BODY *b,
- PA_DATA *tgs_req,
- krb5_data *reply,
- const char *from,
- const struct sockaddr *from_addr,
- time_t **csec,
- int **cusec)
-{
- krb5_ap_req ap_req;
- krb5_error_code ret;
- krb5_principal princ;
- krb5_auth_context ac = NULL;
- krb5_ticket *ticket = NULL;
- krb5_flags ap_req_options;
- krb5_flags verify_ap_req_flags;
- const char *e_text = NULL;
- krb5_crypto crypto;
-
- hdb_entry *krbtgt = NULL;
- EncTicketPart *tgt;
- Key *tkey;
- krb5_enctype cetype;
- krb5_principal cp = NULL;
- krb5_principal sp = NULL;
- AuthorizationData *auth_data = NULL;
-
- *csec = NULL;
- *cusec = NULL;
-
- memset(&ap_req, 0, sizeof(ap_req));
- ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
- if(ret){
- kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
- krb5_get_err_text(context, ret));
- goto out2;
- }
-
- if(!get_krbtgt_realm(&ap_req.ticket.sname)){
- /* XXX check for ticket.sname == req.sname */
- kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket");
- ret = KRB5KDC_ERR_POLICY; /* ? */
- goto out2;
- }
-
- _krb5_principalname2krb5_principal(&princ,
- ap_req.ticket.sname,
- ap_req.ticket.realm);
-
- ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_SERVER, &krbtgt);
-
- if(ret) {
- char *p;
- ret = krb5_unparse_name(context, princ, &p);
- if (ret != 0)
- p = "<unparse_name failed>";
- krb5_free_principal(context, princ);
- kdc_log(context, config, 0,
- "Ticket-granting ticket not found in database: %s: %s",
- p, krb5_get_err_text(context, ret));
- if (ret == 0)
- free(p);
- ret = KRB5KRB_AP_ERR_NOT_US;
- goto out2;
- }
-
- if(ap_req.ticket.enc_part.kvno &&
- *ap_req.ticket.enc_part.kvno != krbtgt->kvno){
- char *p;
-
- ret = krb5_unparse_name (context, princ, &p);
- krb5_free_principal(context, princ);
- if (ret != 0)
- p = "<unparse_name failed>";
- kdc_log(context, config, 0,
- "Ticket kvno = %d, DB kvno = %d (%s)",
- *ap_req.ticket.enc_part.kvno,
- krbtgt->kvno,
- p);
- if (ret == 0)
- free (p);
- ret = KRB5KRB_AP_ERR_BADKEYVER;
- goto out2;
- }
-
- ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey);
- if(ret){
- char *str;
- krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
- kdc_log(context, config, 0,
- "No server key found for %s", str);
- free(str);
- ret = KRB5KRB_AP_ERR_BADKEYVER;
- goto out2;
- }
-
- if (b->kdc_options.validate)
- verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
- else
- verify_ap_req_flags = 0;
-
- ret = krb5_verify_ap_req2(context,
- &ac,
- &ap_req,
- princ,
- &tkey->key,
- verify_ap_req_flags,
- &ap_req_options,
- &ticket,
- KRB5_KU_TGS_REQ_AUTH);
-
- krb5_free_principal(context, princ);
- if(ret) {
- kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
- krb5_get_err_text(context, ret));
- goto out2;
- }
-
- {
- krb5_authenticator auth;
-
- ret = krb5_auth_con_getauthenticator(context, ac, &auth);
- if (ret == 0) {
- *csec = malloc(sizeof(**csec));
- if (*csec == NULL) {
- krb5_free_authenticator(context, &auth);
- kdc_log(context, config, 0, "malloc failed");
- goto out2;
- }
- **csec = auth->ctime;
- *cusec = malloc(sizeof(**cusec));
- if (*cusec == NULL) {
- krb5_free_authenticator(context, &auth);
- kdc_log(context, config, 0, "malloc failed");
- goto out2;
- }
- **csec = auth->cusec;
- krb5_free_authenticator(context, &auth);
- }
- }
-
- cetype = ap_req.authenticator.etype;
-
- tgt = &ticket->ticket;
-
- ret = tgs_check_authenticator(context, config,
- ac, b, &e_text, &tgt->key);
- if (ret) {
- krb5_auth_con_free(context, ac);
- goto out2;