/*
* Function: kdb_get_entry
*
* Purpose: Gets an entry from the kerberos database and breaks
* it out into a krb5_db_entry and an osa_princ_ent_t.
*
* Arguments:
*
* handle (r) the server_handle
* principal (r) the principal to get
* kdb (w) krb5_db_entry to fill in
* adb (w) osa_princ_ent_rec to fill in
*
* when the caller is done with kdb and adb, kdb_free_entry must be
* called to release them. The adb record is filled in with the
* contents of the KRB5_TL_KADM_DATA record; if that record doesn't
* exist, an empty but valid adb record is returned.
*/
krb5_error_code
kdb_get_entry(kadm5_server_handle_t handle,
krb5_principal principal, krb5_db_entry *kdb,
osa_princ_ent_rec *adb)
{
krb5_error_code ret;
int nprincs;
krb5_boolean more;
krb5_tl_data tl_data;
XDR xdrs;
ret = krb5_db_get_principal(handle->context, principal, kdb, &nprincs,
&more);
if (ret)
return(ret);
if (more) {
krb5_db_free_principal(handle->context, kdb, nprincs);
return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
} else if (nprincs != 1) {
krb5_db_free_principal(handle->context, kdb, nprincs);
return(KADM5_UNK_PRINC);
}
if (adb) {
memset(adb, 0, sizeof(*adb));
tl_data.tl_data_type = KRB5_TL_KADM_DATA;
/*
* XXX Currently, lookup_tl_data always returns zero; it sets
* tl_data->tl_data_length to zero if the type isn't found.
* This should be fixed...
*/
if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data))
|| (tl_data.tl_data_length == 0)) {
/* there's no admin data. this can happen, if the admin
server is put into production after some principals
are created. In this case, return valid admin
data (which is all zeros with the hist_kvno filled
in), and when the entry is written, the admin
data will get stored correctly. */
adb->admin_history_kvno = hist_kvno;
return(ret);
}
/* Solaris Kerberos */
xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
tl_data.tl_data_length, XDR_DECODE);
if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
xdr_destroy(&xdrs);
krb5_db_free_principal(handle->context, kdb, 1);
return(KADM5_XDR_FAILURE);
}
xdr_destroy(&xdrs);
}
return(0);
}
/* Audit a successful or failed preauth attempt for *entp. Then reload *entp
* (by fetching sample_princ) so we can see the effect. */
static void
sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp)
{
/* Both back ends ignore the request parameter for now. */
krb5_db_audit_as_req(ctx, NULL, *entp, *entp, authtime,
ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED);
krb5_db_free_principal(ctx, *entp);
CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));
}
/*
* Function: kdb_get_entry
*
* Purpose: Gets an entry from the kerberos database and breaks
* it out into a krb5_db_entry and an osa_princ_ent_t.
*
* Arguments:
*
* handle (r) the server_handle
* principal (r) the principal to get
* kdb (w) krb5_db_entry to create
* adb (w) osa_princ_ent_rec to fill in
*
* when the caller is done with kdb and adb, kdb_free_entry must be
* called to release them. The adb record is filled in with the
* contents of the KRB5_TL_KADM_DATA record; if that record doesn't
* exist, an empty but valid adb record is returned.
*/
krb5_error_code
kdb_get_entry(kadm5_server_handle_t handle,
krb5_principal principal, krb5_db_entry **kdb_ptr,
osa_princ_ent_rec *adb)
{
krb5_error_code ret;
krb5_tl_data tl_data;
XDR xdrs;
krb5_db_entry *kdb;
*kdb_ptr = NULL;
ret = krb5_db_get_principal(handle->context, principal,
KRB5_KDB_FLAG_ALIAS_OK, &kdb);
if (ret == KRB5_KDB_NOENTRY)
return(KADM5_UNK_PRINC);
if (ret)
return(ret);
if (adb) {
memset(adb, 0, sizeof(*adb));
tl_data.tl_data_type = KRB5_TL_KADM_DATA;
/*
* XXX Currently, lookup_tl_data always returns zero; it sets
* tl_data->tl_data_length to zero if the type isn't found.
* This should be fixed...
*/
if ((ret = krb5_dbe_lookup_tl_data(handle->context, kdb, &tl_data))
|| (tl_data.tl_data_length == 0)) {
/* there's no admin data. this can happen, if the admin
server is put into production after some principals
are created. In this case, return valid admin
data (which is all zeros with the hist_kvno filled
in), and when the entry is written, the admin
data will get stored correctly. */
adb->admin_history_kvno = INITIAL_HIST_KVNO;
*kdb_ptr = kdb;
return(ret);
}
xdrmem_create(&xdrs, (caddr_t)tl_data.tl_data_contents,
tl_data.tl_data_length, XDR_DECODE);
if (! xdr_osa_princ_ent_rec(&xdrs, adb)) {
xdr_destroy(&xdrs);
krb5_db_free_principal(handle->context, kdb);
return(KADM5_XDR_FAILURE);
}
xdr_destroy(&xdrs);
}
*kdb_ptr = kdb;
return(0);
}
static krb5_error_code
db_get_svc_princ(krb5_context ctx, krb5_principal princ,
krb5_flags flags, krb5_db_entry **server,
const char **status)
{
krb5_error_code ret;
ret = krb5_db_get_principal(ctx, princ, flags, server);
if (ret == KRB5_KDB_CANTLOCK_DB)
ret = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (ret != 0) {
*status = "LOOKING_UP_SERVER";
}
return ret;
}
/*ARGSUSED*/
void
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
krb5_error_code errcode;
krb5_timestamp rtime;
unsigned int s_flags = 0;
krb5_data encoded_req_body;
krb5_enctype useenctype;
struct as_req_state *state;
state = k5alloc(sizeof(*state), &errcode);
if (state == NULL) {
(*respond)(arg, errcode, NULL);
return;
}
state->respond = respond;
state->arg = arg;
state->request = request;
state->req_pkt = req_pkt;
state->from = from;
state->active_realm = kdc_active_realm;
errcode = kdc_make_rstate(kdc_active_realm, &state->rstate);
if (errcode != 0) {
(*respond)(arg, errcode, NULL);
return;
}
if (state->request->msg_type != KRB5_AS_REQ) {
state->status = "msg_type mismatch";
errcode = KRB5_BADMSGTYPE;
goto errout;
}
if (fetch_asn1_field((unsigned char *) req_pkt->data,
1, 4, &encoded_req_body) != 0) {
errcode = ASN1_BAD_ID;
state->status = "Finding req_body";
goto errout;
}
errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
state->rstate, &state->inner_body);
if (errcode) {
state->status = "error decoding FAST";
goto errout;
}
if (state->inner_body == NULL) {
/* Not a FAST request; copy the encoded request body. */
errcode = krb5_copy_data(kdc_context, &encoded_req_body,
&state->inner_body);
if (errcode) {
state->status = "storing req body";
goto errout;
}
}
state->rock.request = state->request;
state->rock.inner_body = state->inner_body;
state->rock.rstate = state->rstate;
state->rock.vctx = vctx;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->client,
&state->cname))) {
state->status = "UNPARSING_CLIENT";
goto errout;
}
limit_string(state->cname);
if (!state->request->server) {
state->status = "NULL_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->server,
&state->sname))) {
state->status = "UNPARSING_SERVER";
goto errout;
}
limit_string(state->sname);
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
* of cross realm TGS entries.
*/
setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
/*
* Note that according to the referrals draft we should
* always canonicalize enterprise principal names.
*/
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
if (include_pac_p(kdc_context, state->request)) {
setflag(state->c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
errcode = krb5_db_get_principal(kdc_context, state->request->client,
state->c_flags, &state->client);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "CLIENT_NOT_FOUND";
if (vague_errors)
errcode = KRB5KRB_ERR_GENERIC;
else
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
} else if (errcode) {
state->status = "LOOKING_UP_CLIENT";
goto errout;
}
state->rock.client = state->client;
/*
* If the backend returned a principal that is not in the local
* realm, then we need to refer the client to that realm.
*/
if (!is_local_principal(kdc_active_realm, state->client->princ)) {
/* Entry is a referral to another realm */
state->status = "REFERRAL";
errcode = KRB5KDC_ERR_WRONG_REALM;
goto errout;
}
s_flags = 0;
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
errcode = krb5_db_get_principal(kdc_context, state->request->server,
s_flags, &state->server);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "SERVER_NOT_FOUND";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
} else if (errcode) {
state->status = "LOOKING_UP_SERVER";
goto errout;
}
if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) {
state->status = "TIMEOFDAY";
goto errout;
}
state->authtime = state->kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(kdc_active_realm,
state->request, *state->client,
*state->server, state->kdc_time,
&state->status, &state->e_data))) {
if (!state->status)
state->status = "UNKNOWN_REASON";
errcode += ERROR_TABLE_BASE_krb5;
goto errout;
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype = select_session_keytype(kdc_active_realm, state->server,
state->request->nktypes,
state->request->ktype)) == 0) {
/* unsupported ktype */
state->status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto errout;
}
if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
&state->session_key))) {
state->status = "RANDOM_KEY_FAILED";
goto errout;
}
/*
* Canonicalization is only effective if we are issuing a TGT
* (the intention is to allow support for Windows "short" realm
* aliases, nothing more).
*/
if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
krb5_is_tgs_principal(state->request->server) &&
krb5_is_tgs_principal(state->server->princ)) {
state->ticket_reply.server = state->server->princ;
} else {
state->ticket_reply.server = state->request->server;
}
state->enc_tkt_reply.flags = 0;
state->enc_tkt_reply.times.authtime = state->authtime;
setflag(state->enc_tkt_reply.flags, TKT_FLG_INITIAL);
setflag(state->enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
* realms may refuse to issue renewable tickets
*/
if (isflagset(state->request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(state->request->kdc_options, KDC_OPT_PROXIABLE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(state->request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
state->enc_tkt_reply.session = &state->session_key;
if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
state->client_princ = *(state->client->princ);
} else {
state->client_princ = *(state->request->client);
/* The realm is always canonicalized */
state->client_princ.realm = state->client->princ->realm;
}
state->enc_tkt_reply.client = &state->client_princ;
state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
state->enc_tkt_reply.transited.tr_contents = empty_string;
if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(state->enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(state->enc_tkt_reply.flags, TKT_FLG_INVALID);
state->enc_tkt_reply.times.starttime = state->request->from;
} else
state->enc_tkt_reply.times.starttime = state->kdc_time;
kdc_get_ticket_endtime(kdc_active_realm,
state->enc_tkt_reply.times.starttime,
kdc_infinity, state->request->till, state->client,
state->server, &state->enc_tkt_reply.times.endtime);
if (isflagset(state->request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
!isflagset(state->client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
(state->enc_tkt_reply.times.endtime < state->request->till)) {
/* we set the RENEWABLE option for later processing */
setflag(state->request->kdc_options, KDC_OPT_RENEWABLE);
state->request->rtime = state->request->till;
}
rtime = (state->request->rtime == 0) ? kdc_infinity :
state->request->rtime;
if (isflagset(state->request->kdc_options, KDC_OPT_RENEWABLE)) {
/*
* XXX Should we squelch the output renew_till to be no
* earlier than the endtime of the ticket?
*/
setflag(state->enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
state->enc_tkt_reply.times.renew_till =
min(rtime, state->enc_tkt_reply.times.starttime +
min(state->client->max_renewable_life,
min(state->server->max_renewable_life,
max_renewable_life_for_realm)));
} else
state->enc_tkt_reply.times.renew_till = 0; /* XXX */
/*
* starttime is optional, and treated as authtime if not present.
* so we can nuke it if it matches
*/
if (state->enc_tkt_reply.times.starttime ==
state->enc_tkt_reply.times.authtime)
state->enc_tkt_reply.times.starttime = 0;
state->enc_tkt_reply.caddrs = state->request->addresses;
state->enc_tkt_reply.authorization_data = 0;
/* If anonymous requests are being used, adjust the realm of the client
* principal. */
if (isflagset(state->request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
if (!krb5_principal_compare_any_realm(kdc_context,
state->request->client,
krb5_anonymous_principal())) {
errcode = KRB5KDC_ERR_BADOPTION;
state->status = "Anonymous requested but anonymous "
"principal not used.";
goto errout;
}
setflag(state->enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
krb5_free_principal(kdc_context, state->request->client);
state->request->client = NULL;
errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
&state->request->client);
if (errcode) {
state->status = "Copying anonymous principal";
goto errout;
}
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
/*
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
check_padata(kdc_context, &state->rock, state->req_pkt,
state->request, &state->enc_tkt_reply, &state->pa_context,
&state->e_data, &state->typed_e_data, finish_preauth,
state);
} else
finish_preauth(state, 0);
return;
errout:
finish_process_as_req(state, errcode);
}
int
main()
{
krb5_db_entry *ent;
osa_policy_ent_t pol;
krb5_pa_data **e_data;
const char *status;
char *defrealm;
int count;
CHECK(krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx));
/* Currently necessary for krb5_db_open to work. */
CHECK(krb5_get_default_realm(ctx, &defrealm));
/* If we can, revert to requiring all entries match sample_princ in
* iter_princ_handler */
CHECK_COND(krb5_db_inited(ctx) != 0);
CHECK(krb5_db_create(ctx, NULL));
CHECK(krb5_db_inited(ctx));
CHECK(krb5_db_fini(ctx));
CHECK_COND(krb5_db_inited(ctx) != 0);
CHECK_COND(krb5_db_inited(ctx) != 0);
CHECK(krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN));
CHECK(krb5_db_inited(ctx));
/* Manipulate a policy, leaving it in place at the end. */
CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
CHECK(krb5_db_create_policy(ctx, &sample_policy));
CHECK_COND(krb5_db_create_policy(ctx, &sample_policy) != 0);
CHECK(krb5_db_get_policy(ctx, polname, &pol));
check_policy(pol);
pol->pw_min_length--;
CHECK(krb5_db_put_policy(ctx, pol));
krb5_db_free_policy(ctx, pol);
CHECK(krb5_db_get_policy(ctx, polname, &pol));
CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length - 1);
krb5_db_free_policy(ctx, pol);
CHECK(krb5_db_delete_policy(ctx, polname));
CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
CHECK(krb5_db_create_policy(ctx, &sample_policy));
count = 0;
CHECK(krb5_db_iter_policy(ctx, NULL, iter_pol_handler, &count));
CHECK_COND(count == 1);
/* Create a principal. */
CHECK_COND(krb5_db_delete_principal(ctx, &sample_princ) ==
KRB5_KDB_NOENTRY);
CHECK_COND(krb5_db_get_principal(ctx, &xrealm_princ, 0, &ent) ==
KRB5_KDB_NOENTRY);
CHECK(krb5_db_put_principal(ctx, &sample_entry));
/* Putting again will fail with LDAP (due to KADM5_PRINCIPAL in mask)
* but succeed with DB2, so don't check the result. */
(void)krb5_db_put_principal(ctx, &sample_entry);
/* But it should succeed in both back ends with KADM5_LOAD in mask. */
sample_entry.mask |= KADM5_LOAD;
CHECK(krb5_db_put_principal(ctx, &sample_entry));
sample_entry.mask &= ~KADM5_LOAD;
/* Fetch and compare the added principal. */
CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, &ent));
check_entry(ent);
/* We can't set up a successful allowed-to-delegate check through existing
* APIs yet, but we can make a failed check. */
CHECK_COND(krb5_db_check_allowed_to_delegate(ctx, &sample_princ, ent,
&sample_princ) != 0);
/* Exercise lockout code. */
/* Policy params: max_fail 2, failcnt_interval 60, lockout_duration 120 */
/* Initial state: last_success 1, last_failed 5, fail_auth_count 2,
* last admin unlock 6 */
/* Check succeeds due to last admin unlock. */
CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 7, &status, &e_data));
/* Failure count resets to 1 due to last admin unlock. */
sim_preauth(8, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 8);
/* Failure count resets to 1 due to failcnt_interval */
sim_preauth(70, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 70);
/* Failure count resets to 0 due to successful preauth. */
sim_preauth(75, TRUE, &ent);
CHECK_COND(ent->fail_auth_count == 0 && ent->last_success == 75);
/* Failure count increments to 2 and stops incrementing. */
sim_preauth(80, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 80);
sim_preauth(100, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
sim_preauth(110, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
/* Check fails due to reaching maximum failure count. */
CHECK_COND(krb5_db_check_policy_as(ctx, NULL, ent, ent, 170, &status,
&e_data) == KRB5KDC_ERR_CLIENT_REVOKED);
/* Check succeeds after lockout_duration has passed. */
CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 230, &status, &e_data));
/* Failure count resets to 1 on next failure. */
sim_preauth(240, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 240);
/* Exercise LDAP code to clear a policy reference and to set the key
* data on an existing principal. */
CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));
ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA;
CHECK(krb5_db_put_principal(ctx, ent));
CHECK(krb5_db_delete_policy(ctx, polname));
/* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as
* from a load operation. */
ent->mask = (sample_entry.mask & ~KADM5_POLICY) | KADM5_LOAD;
CHECK(krb5_db_put_principal(ctx, ent));
/* Exercise LDAP code to create a new principal at a DN from
* KDB_TL_USER_INFO tl-data. */
CHECK(krb5_db_delete_principal(ctx, &sample_princ));
CHECK(krb5_db_put_principal(ctx, ent));
krb5_db_free_principal(ctx, ent);
/* Exercise principal iteration code. */
count = 0;
CHECK(krb5_db_iterate(ctx, "xy*", iter_princ_handler, &count));
CHECK_COND(count == 1);
CHECK(krb5_db_fini(ctx));
CHECK_COND(krb5_db_inited(ctx) != 0);
/* It might be nice to exercise krb5_db_destroy here, but the LDAP module
* doesn't support it. */
krb5_free_default_realm(ctx, defrealm);
krb5_free_context(ctx);
return 0;
}
/*ARGSUSED*/
krb5_error_code
process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
krb5_data **response)
{
krb5_keyblock * subkey;
krb5_kdc_req *request = 0;
krb5_db_entry server;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int st_idx = 0;
krb5_enc_tkt_part enc_tkt_reply;
krb5_transited enc_tkt_transited;
int newtransited = 0;
krb5_error_code retval = 0;
int nprincs = 0;
krb5_boolean more;
krb5_timestamp kdc_time, authtime=0;
krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *tmp = 0;
const char *fromstring = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
/* krb5_address *noaddrarray[1]; */
krb5_enctype useenctype;
int errcode, errcode2;
register int i;
int firstpass = 1;
const char *status = 0;
char ktypestr[128];
char rep_etypestr[128];
char fromstringbuf[70];
long long tmp_server_times, tmp_realm_times;
(void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
(void) memset(&session_key, 0, sizeof(krb5_keyblock));
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
ktypes2str(ktypestr, sizeof(ktypestr),
request->nktypes, request->ktype);
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
if ((retval = setup_server_realm(request->server)))
return retval;
fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
from->address->contents,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
status = "UNPARSING SERVER";
goto cleanup;
}
limit_string(sname);
/* errcode = kdc_process_tgs_req(request, from, pkt, &req_authdat); */
errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, &subkey);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
&cname))) {
status = "UNPARSING CLIENT";
errcode = errcode2;
goto cleanup;
}
limit_string(cname);
if (errcode) {
status = "PROCESS_TGS";
goto cleanup;
}
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
/*
* We've already dealt with the AP_REQ authentication, so we can
* use header_ticket freely. The encrypted part (if any) has been
* decrypted with the session key.
*/
authtime = header_ticket->enc_part2->times.authtime;
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
nprincs = 1;
if ((errcode = krb5_db_get_principal(kdc_context, request->server, &server,
&nprincs, &more))) {
status = "LOOKING_UP_SERVER";
nprincs = 0;
goto cleanup;
}
tgt_again:
if (more) {
status = "NON_UNIQUE_PRINCIPAL";
errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
goto cleanup;
} else if (nprincs != 1) {
/*
* might be a request for a TGT for some other realm; we
* should do our best to find such a TGS in this db
*/
if (firstpass && krb5_is_tgs_principal(request->server) == TRUE) {
if (krb5_princ_size(kdc_context, request->server) == 2) {
krb5_data *server_1 =
krb5_princ_component(kdc_context, request->server, 1);
krb5_data *tgs_1 =
krb5_princ_component(kdc_context, tgs_server, 1);
if (!tgs_1 || server_1->length != tgs_1->length ||
memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
krb5_db_free_principal(kdc_context, &server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs,
from, cname);
firstpass = 0;
goto tgt_again;
}
}
}
krb5_db_free_principal(kdc_context, &server, nprincs);
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
}
if ((retval = validate_tgs_request(request, server, header_ticket,
kdc_time, &status))) {
if (!status)
status = "UNKNOWN_REASON";
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
/*
* We pick the session keytype here....
*
* Some special care needs to be taken in the user-to-user
* case, since we don't know what keytypes the application server
* which is doing user-to-user authentication can support. We
* know that it at least must be able to support the encryption
* type of the session key in the TGT, since otherwise it won't be
* able to decrypt the U2U ticket! So we use that in preference
* to anything else.
*/
useenctype = 0;
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
krb5_keyblock * st_sealing_key;
krb5_kvno st_srv_kvno;
krb5_enctype etype;
/*
* Get the key for the second ticket, and decrypt it.
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
&st_sealing_key,
&st_srv_kvno))) {
status = "2ND_TKT_SERVER";
goto cleanup;
}
errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
request->second_ticket[st_idx]);
krb5_free_keyblock(kdc_context, st_sealing_key);
if (errcode) {
status = "2ND_TKT_DECRYPT";
goto cleanup;
}
etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
if (!krb5_c_valid_enctype(etype)) {
status = "BAD_ETYPE_IN_2ND_TKT";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto cleanup;
}
for (i = 0; i < request->nktypes; i++) {
if (request->ktype[i] == etype) {
useenctype = etype;
break;
}
}
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype == 0) &&
(useenctype = select_session_keytype(kdc_context, &server,
request->nktypes,
request->ktype)) == 0) {
/* unsupported ktype */
status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto cleanup;
}
errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
if (errcode) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
goto cleanup;
}
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
/*
* Fix header_ticket's starttime; if it's zero, fill in the
* authtime's value.
*/
if (!(header_ticket->enc_part2->times.starttime))
header_ticket->enc_part2->times.starttime =
header_ticket->enc_part2->times.authtime;
/* don't use new addresses unless forwarded, see below */
enc_tkt_reply.caddrs = header_ticket->enc_part2->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0; /* optional...don't put it in */
/* It should be noted that local policy may affect the */
/* processing of any of these flags. For example, some */
/* realms may refuse to issue renewable tickets */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_FORWARDED))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_deltat old_life;
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
min(header_ticket->enc_part2->times.renew_till,
kdc_time + old_life);
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
until = (request->till == 0) ? kdc_infinity : request->till;
/* SUNW */
tmp_server_times = (long long) enc_tkt_reply.times.starttime
+ server.max_life;
tmp_realm_times = (long long) enc_tkt_reply.times.starttime
+ max_life_for_realm;
enc_tkt_reply.times.endtime =
min(until,
min(tmp_server_times,
min(tmp_realm_times,
min(header_ticket->enc_part2->times.endtime,
KRB5_KDB_EXPIRATION)))); /* SUNW */
/*
enc_tkt_reply.times.endtime =
min(until, min(enc_tkt_reply.times.starttime + server.max_life,
min(enc_tkt_reply.times.starttime + max_life_for_realm,
min(header_ticket->enc_part2->times.endtime)));
*/
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
isflagset(header_ticket->enc_part2->flags,
TKT_FLG_RENEWABLE)) {
setflag(request->kdc_options, KDC_OPT_RENEWABLE);
request->rtime =
min(request->till,
min(KRB5_KDB_EXPIRATION,
header_ticket->enc_part2->times.renew_till));
}
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
/* already checked above in policy check to reject request for a
renewable ticket using a non-renewable ticket */
setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
tmp_realm_times = (long long) enc_tkt_reply.times.starttime +
min(server.max_renewable_life,max_renewable_life_for_realm);
enc_tkt_reply.times.renew_till =
min(rtime,
min(header_ticket->enc_part2->times.renew_till,
min (tmp_realm_times, KRB5_KDB_EXPIRATION)));
} else {
enc_tkt_reply.times.renew_till = 0;
}
/*
* Set authtime to be the same as header_ticket's
*/
enc_tkt_reply.times.authtime = header_ticket->enc_part2->times.authtime;
/*
* Propagate the preauthentication flags through to the returned ticket.
*/
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_PRE_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_HW_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
/* assemble any authorization data */
if (request->authorization_data.ciphertext.data) {
krb5_data scratch;
scratch.length = request->authorization_data.ciphertext.length;
if (!(scratch.data =
malloc(request->authorization_data.ciphertext.length))) {
status = "AUTH_NOMEM";
errcode = ENOMEM;
goto cleanup;
}
if ((errcode = krb5_c_decrypt(kdc_context,
header_ticket->enc_part2->session,
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
0, &request->authorization_data,
&scratch))) {
status = "AUTH_ENCRYPT_FAIL";
free(scratch.data);
goto cleanup;
}
/* scratch now has the authorization data, so we decode it */
errcode = decode_krb5_authdata(&scratch, &(request->unenc_authdata));
free(scratch.data);
if (errcode) {
status = "AUTH_DECODE";
goto cleanup;
}
if ((errcode =
concat_authorization_data(request->unenc_authdata,
header_ticket->enc_part2->authorization_data,
&enc_tkt_reply.authorization_data))) {
status = "CONCAT_AUTH";
goto cleanup;
}
} else
enc_tkt_reply.authorization_data =
header_ticket->enc_part2->authorization_data;
enc_tkt_reply.session = &session_key;
enc_tkt_reply.client = header_ticket->enc_part2->client;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
* than the realm of the client (since the realm of the client is already
* implicitly part of the transited list and should not be explicitly
* listed).
*/
/* realm compare is like strcmp, but knows how to deal with these args */
if (realm_compare(header_ticket->server, tgs_server) ||
realm_compare(header_ticket->server, enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_ticket->enc_part2->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
if (header_ticket->enc_part2->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "BAD_TRTYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
goto cleanup;
}
enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_transited.tr_contents.data = 0;
enc_tkt_transited.tr_contents.length = 0;
enc_tkt_reply.transited = enc_tkt_transited;
if ((errcode =
add_to_transited(&header_ticket->enc_part2->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
request->server))) {
status = "ADD_TR_FAIL";
goto cleanup;
}
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
unsigned int tlen;
char *tdots;
errcode = krb5_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
"bad realm transit path from '%s' to '%s' "
"via '%.*s%s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tlen,
enc_tkt_reply.transited.tr_contents.data,
tdots);
else
krb5_klog_syslog (LOG_ERR,
"unexpected error checking transit from "
"'%s' to '%s' via '%.*s%s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tlen,
enc_tkt_reply.transited.tr_contents.data,
tdots, error_message (errcode));
} else
krb5_klog_syslog (LOG_INFO, "not checking transit path");
if (reject_bad_transit
&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
goto cleanup;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
* If we are doing user-to-user authentication, then make sure
* that the client for the second ticket matches the request
* server, and then encrypt the ticket using the session key of
* the second ticket.
*/
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
/*
* Make sure the client for the second ticket matches
* requested server.
*/
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
if (tmp != NULL)
limit_string(tmp);
audit_krb5kdc_tgs_req_2ndtktmm(
(struct in_addr *)from->address->contents,
(in_port_t)from->port,
0, cname, sname);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ %s: 2ND_TKT_MISMATCH: "
"authtime %d, %s for %s, 2nd tkt client %s",
fromstring, authtime,
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tmp ? tmp : "<unknown>");
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
goto cleanup;
}
ticket_reply.enc_part.kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
&ticket_reply))) {
status = "2ND_TKT_ENCRYPT";
goto cleanup;
}
st_idx++;
} else {
/*
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
}
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
&master_keyblock,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode) {
status = "TKT_ENCRYPT";
goto cleanup;
}
ticket_reply.enc_part.kvno = server_key->key_data_kvno;
}
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
reply.padata = 0; /* always */
reply.client = header_ticket->enc_part2->client;
reply.enc_part.kvno = 0; /* We are using the session key */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields EXCEPT for authtime; its location
is used for ktime */
reply_encpart.times = enc_tkt_reply.times;
reply_encpart.times.authtime = header_ticket->enc_part2->times.authtime;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrarray[0] = &nolrentry;
nolrarray[1] = 0;
reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
reply_encpart.key_exp = 0; /* ditto */
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
subkey ? subkey :
header_ticket->enc_part2->session,
&reply, response);
if (errcode) {
status = "ENCODE_KDC_REP";
} else {
status = "ISSUE";
}
if (ticket_reply.enc_part.ciphertext.data) {
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
ticket_reply.enc_part.ciphertext.data = NULL;
}
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
if (reply.enc_part.ciphertext.data) {
memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
reply.enc_part.ciphertext.data = NULL;
}
cleanup:
if (status) {
audit_krb5kdc_tgs_req((struct in_addr *)from->address->contents,
(in_port_t)from->port, 0,
cname ? cname : "<unknown client>",
sname ? sname : "<unknown client>",
errcode);
if (!errcode)
rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ (%s) %s: %s: authtime %d, "
"%s%s %s for %s%s%s",
ktypestr,
fromstring, status, authtime,
!errcode ? rep_etypestr : "",
!errcode ? "," : "",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
errcode ? ", " : "",
errcode ? error_message(errcode) : "");
}
if (errcode) {
if (status == 0)
status = error_message (errcode);
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(request, header_ticket, errcode,
fromstring, response, status);
}
if (header_ticket)
krb5_free_ticket(kdc_context, header_ticket);
if (request)
krb5_free_kdc_req(kdc_context, request);
if (cname)
free(cname);
if (sname)
free(sname);
if (nprincs)
krb5_db_free_principal(kdc_context, &server, 1);
if (session_key.contents)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
return retval;
}
/*
* The request seems to be for a ticket-granting service somewhere else,
* but we don't have a ticket for the final TGS. Try to give the requestor
* some intermediate realm.
*/
static krb5_error_code
find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr)
{
krb5_error_code retval;
krb5_principal *plist = NULL, *pl2, tmpprinc;
krb5_data tmp;
krb5_db_entry *server = NULL;
*server_ptr = NULL;
/*
* Call to krb5_princ_component is normally not safe but is so
* here only because find_alternate_tgs() is only called from
* somewhere that has already checked the number of components in
* the principal.
*/
if ((retval = krb5_walk_realm_tree(kdc_context,
krb5_princ_realm(kdc_context, request->server),
krb5_princ_component(kdc_context, request->server, 1),
&plist, KRB5_REALM_BRANCH_CHAR)))
return retval;
/* move to the end */
for (pl2 = plist; *pl2; pl2++);
/* the first entry in this array is for krbtgt/local@local, so we
ignore it */
while (--pl2 > plist) {
tmp = *krb5_princ_realm(kdc_context, *pl2);
krb5_princ_set_realm(kdc_context, *pl2,
krb5_princ_realm(kdc_context, tgs_server));
retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server);
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
if (retval == KRB5_KDB_NOENTRY)
continue;
else if (retval)
goto cleanup;
/* Found it. */
tmp = *krb5_princ_realm(kdc_context, *pl2);
krb5_princ_set_realm(kdc_context, *pl2,
krb5_princ_realm(kdc_context, tgs_server));
retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc);
if (retval)
goto cleanup;
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
krb5_free_principal(kdc_context, request->server);
request->server = tmpprinc;
log_tgs_alt_tgt(request->server);
*server_ptr = server;
server = NULL;
goto cleanup;
}
retval = KRB5_KDB_NOENTRY;
cleanup:
krb5_free_realm_tree(kdc_context, plist);
krb5_db_free_principal(kdc_context, server);
return retval;
}
void
kdb5_use_mkey(int argc, char *argv[])
{
krb5_error_code retval;
char *mkey_fullname = NULL;
krb5_kvno use_kvno;
krb5_timestamp now, start_time;
krb5_actkvno_node *actkvno_list = NULL, *new_actkvno = NULL,
*prev_actkvno, *cur_actkvno;
krb5_db_entry *master_entry;
krb5_keylist_node *keylist_node;
krb5_boolean inserted = FALSE;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
memset(&master_princ, 0, sizeof(master_princ));
if (argc < 2 || argc > 3) {
/* usage calls exit */
usage();
}
use_kvno = atoi(argv[1]);
if (use_kvno == 0) {
com_err(progname, EINVAL, _("0 is an invalid KVNO value"));
exit_status++;
return;
} else {
/* verify use_kvno is valid */
for (keylist_node = master_keylist; keylist_node != NULL;
keylist_node = keylist_node->next) {
if (use_kvno == keylist_node->kvno)
break;
}
if (!keylist_node) {
com_err(progname, EINVAL, _("%d is an invalid KVNO value"),
use_kvno);
exit_status++;
return;
}
}
if ((retval = krb5_timeofday(util_context, &now))) {
com_err(progname, retval, _("while getting current time"));
exit_status++;
return;
}
if (argc == 3) {
time_t t = get_date(argv[2]);
if (t == -1) {
com_err(progname, 0, _("could not parse date-time string '%s'"),
argv[2]);
exit_status++;
return;
} else
start_time = (krb5_timestamp) t;
} else {
start_time = now;
}
/*
* Need to:
*
* 1. get mkey princ
* 2. get krb5_actkvno_node list
* 3. add use_kvno to actkvno list (sorted in right spot)
* 4. update mkey princ's tl data
* 5. put mkey princ.
*/
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
com_err(progname, retval, _("while setting up master key name"));
exit_status++;
goto cleanup_return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval,
_("while looking up active version of master key"));
exit_status++;
goto cleanup_return;
}
/*
* If an entry already exists with the same kvno either delete it or if it's
* the only entry, just set its active time.
*/
for (prev_actkvno = NULL, cur_actkvno = actkvno_list;
cur_actkvno != NULL;
prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
if (cur_actkvno->act_kvno == use_kvno) {
/* delete it */
if (prev_actkvno) {
prev_actkvno->next = cur_actkvno->next;
cur_actkvno->next = NULL;
krb5_dbe_free_actkvno_list(util_context, cur_actkvno);
} else {
if (cur_actkvno->next) {
/* delete it from front of list */
actkvno_list = cur_actkvno->next;
cur_actkvno->next = NULL;
krb5_dbe_free_actkvno_list(util_context, cur_actkvno);
} else {
/* There's only one entry, go ahead and change the time */
cur_actkvno->act_time = start_time;
inserted = TRUE;
}
}
break;
}
}
if (!inserted) {
/* alloc enough space to hold new and existing key_data */
new_actkvno = (krb5_actkvno_node *) malloc(sizeof(krb5_actkvno_node));
if (new_actkvno == NULL) {
com_err(progname, ENOMEM, _("while adding new master key"));
exit_status++;
goto cleanup_return;
}
memset(new_actkvno, 0, sizeof(krb5_actkvno_node));
new_actkvno->act_kvno = use_kvno;
new_actkvno->act_time = start_time;
/* insert new act kvno node */
if (actkvno_list == NULL) {
/* new actkvno is the list */
actkvno_list = new_actkvno;
} else {
for (prev_actkvno = NULL, cur_actkvno = actkvno_list;
cur_actkvno != NULL;
prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {
if (new_actkvno->act_time < cur_actkvno->act_time) {
if (prev_actkvno) {
prev_actkvno->next = new_actkvno;
new_actkvno->next = cur_actkvno;
} else {
new_actkvno->next = actkvno_list;
actkvno_list = new_actkvno;
}
break;
} else if (cur_actkvno->next == NULL) {
/* end of line, just add new node to end of list */
cur_actkvno->next = new_actkvno;
break;
}
}
}
}
if (actkvno_list->act_time > now) {
com_err(progname, EINVAL,
_("there must be one master key currently active"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_dbe_update_actkvno(util_context, master_entry,
actkvno_list))) {
com_err(progname, retval,
_("while updating actkvno data for master principal entry"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
now, master_princ))) {
com_err(progname, retval, _("while updating the master key principal "
"modification time"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_db_put_principal(util_context, master_entry))) {
(void) krb5_db_fini(util_context);
com_err(progname, retval,
_("while adding master key entry to the database"));
exit_status++;
goto cleanup_return;
}
cleanup_return:
/* clean up */
(void) krb5_db_fini(util_context);
krb5_free_unparsed_name(util_context, mkey_fullname);
krb5_free_principal(util_context, master_princ);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
return;
}
void
kdb5_add_mkey(int argc, char *argv[])
{
int optchar;
krb5_error_code retval;
char *mkey_fullname;
char *pw_str = 0;
unsigned int pw_size = 0;
int do_stash = 0;
krb5_data pwd;
krb5_kvno new_mkey_kvno;
krb5_keyblock new_mkeyblock;
krb5_enctype new_master_enctype = ENCTYPE_UNKNOWN;
char *new_mkey_password;
krb5_db_entry *master_entry;
krb5_timestamp now;
/*
* The command table entry for this command causes open_db_and_mkey() to be
* called first to open the KDB and get the current mkey.
*/
memset(&new_mkeyblock, 0, sizeof(new_mkeyblock));
memset(&master_princ, 0, sizeof(master_princ));
master_salt.data = NULL;
while ((optchar = getopt(argc, argv, "e:s")) != -1) {
switch(optchar) {
case 'e':
if (krb5_string_to_enctype(optarg, &new_master_enctype)) {
com_err(progname, EINVAL, _("%s is an invalid enctype"),
optarg);
exit_status++;
return;
}
break;
case 's':
do_stash++;
break;
case '?':
default:
usage();
return;
}
}
if (new_master_enctype == ENCTYPE_UNKNOWN)
new_master_enctype = global_params.enctype;
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
com_err(progname, retval, _("while setting up master key name"));
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
printf(_("Creating new master key for master key principal '%s'\n"),
mkey_fullname);
printf(_("You will be prompted for a new database Master Password.\n"));
printf(_("It is important that you NOT FORGET this password.\n"));
fflush(stdout);
pw_size = 1024;
pw_str = malloc(pw_size);
if (pw_str == NULL) {
com_err(progname, ENOMEM, _("while creating new master key"));
exit_status++;
goto cleanup_return;
}
retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
pw_str, &pw_size);
if (retval) {
com_err(progname, retval,
_("while reading new master key from keyboard"));
exit_status++;
goto cleanup_return;
}
new_mkey_password = pw_str;
pwd.data = new_mkey_password;
pwd.length = strlen(new_mkey_password);
retval = krb5_principal2salt(util_context, master_princ, &master_salt);
if (retval) {
com_err(progname, retval, _("while calculating master key salt"));
exit_status++;
goto cleanup_return;
}
retval = krb5_c_string_to_key(util_context, new_master_enctype,
&pwd, &master_salt, &new_mkeyblock);
if (retval) {
com_err(progname, retval,
_("while transforming master key from password"));
exit_status++;
goto cleanup_return;
}
new_mkey_kvno = get_next_kvno(util_context, master_entry);
retval = add_new_mkey(util_context, master_entry, &new_mkeyblock,
new_mkey_kvno);
if (retval) {
com_err(progname, retval,
_("adding new master key to master principal"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_timeofday(util_context, &now))) {
com_err(progname, retval, _("while getting current time"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
now, master_princ))) {
com_err(progname, retval, _("while updating the master key principal "
"modification time"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_db_put_principal(util_context, master_entry))) {
(void) krb5_db_fini(util_context);
com_err(progname, retval, _("while adding master key entry to the "
"database"));
exit_status++;
goto cleanup_return;
}
if (do_stash) {
retval = krb5_db_store_master_key(util_context,
global_params.stash_file,
master_princ,
new_mkey_kvno,
&new_mkeyblock,
mkey_password);
if (retval) {
com_err(progname, errno, _("while storing key"));
printf(_("Warning: couldn't stash master key.\n"));
}
}
cleanup_return:
/* clean up */
(void) krb5_db_fini(util_context);
zap((char *)master_keyblock.contents, master_keyblock.length);
free(master_keyblock.contents);
zap((char *)new_mkeyblock.contents, new_mkeyblock.length);
free(new_mkeyblock.contents);
if (pw_str) {
zap(pw_str, pw_size);
free(pw_str);
}
free(master_salt.data);
krb5_free_unparsed_name(util_context, mkey_fullname);
return;
}
void
kdb5_purge_mkeys(int argc, char *argv[])
{
int optchar;
krb5_error_code retval;
char *mkey_fullname = NULL;
krb5_timestamp now;
krb5_db_entry *master_entry;
krb5_boolean force = FALSE, dry_run = FALSE, verbose = FALSE;
struct purge_args args;
char buf[5];
unsigned int i, j, k, num_kvnos_inuse, num_kvnos_purged;
unsigned int old_key_data_count;
krb5_actkvno_node *actkvno_list = NULL, *actkvno_entry, *prev_actkvno_entry;
krb5_mkey_aux_node *mkey_aux_list = NULL, *mkey_aux_entry, *prev_mkey_aux_entry;
krb5_key_data *old_key_data;
/*
* Verify that the master key list has been initialized before doing
* anything else.
*/
if (krb5_db_mkey_list_alias(util_context) == NULL) {
com_err(progname, KRB5_KDB_DBNOTINITED,
_("master keylist not initialized"));
exit_status++;
return;
}
memset(&master_princ, 0, sizeof(master_princ));
memset(&args, 0, sizeof(args));
optind = 1;
while ((optchar = getopt(argc, argv, "fnv")) != -1) {
switch(optchar) {
case 'f':
force = TRUE;
break;
case 'n':
dry_run = TRUE; /* mkey princ will not be modified */
force = TRUE; /* implied */
break;
case 'v':
verbose = TRUE;
break;
case '?':
default:
usage();
return;
}
}
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
com_err(progname, retval, _("while setting up master key name"));
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
if (!force) {
printf(_("Will purge all unused master keys stored in the '%s' "
"principal, are you sure?\n"), mkey_fullname);
printf(_("(type 'yes' to confirm)? "));
if (fgets(buf, sizeof(buf), stdin) == NULL) {
exit_status++;
goto cleanup_return;
}
if (strcmp(buf, "yes\n")) {
exit_status++;
goto cleanup_return;
}
printf(_("OK, purging unused master keys from '%s'...\n"),
mkey_fullname);
}
/* save the old keydata */
old_key_data_count = master_entry->n_key_data;
if (old_key_data_count == 1) {
if (verbose)
printf(_("There is only one master key which can not be "
"purged.\n"));
goto cleanup_return;
}
old_key_data = master_entry->key_data;
args.kvnos = (struct kvnos_in_use *) malloc(sizeof(struct kvnos_in_use) * old_key_data_count);
if (args.kvnos == NULL) {
retval = ENOMEM;
com_err(progname, ENOMEM, _("while allocating args.kvnos"));
exit_status++;
goto cleanup_return;
}
memset(args.kvnos, 0, sizeof(struct kvnos_in_use) * old_key_data_count);
args.num_kvnos = old_key_data_count;
args.kcontext = util_context;
/* populate the kvnos array with all the current mkvnos */
for (i = 0; i < old_key_data_count; i++)
args.kvnos[i].kvno = master_entry->key_data[i].key_data_kvno;
if ((retval = krb5_db_iterate(util_context,
NULL,
find_mkvnos_in_use,
(krb5_pointer) &args))) {
com_err(progname, retval, _("while finding master keys in use"));
exit_status++;
goto cleanup_return;
}
/*
* args.kvnos has been marked with the mkvno's that are currently protecting
* princ entries
*/
if (dry_run) {
printf(_("Would purge the following master key(s) from %s:\n"),
mkey_fullname);
} else {
printf(_("Purging the following master key(s) from %s:\n"),
mkey_fullname);
}
/* find # of keys still in use or print out verbose info */
for (i = num_kvnos_inuse = num_kvnos_purged = 0; i < args.num_kvnos; i++) {
if (args.kvnos[i].use_count > 0) {
num_kvnos_inuse++;
} else {
/* this key would be deleted */
if (args.kvnos[i].kvno == master_kvno) {
com_err(progname, KRB5_KDB_STORED_MKEY_NOTCURRENT,
_("master key stash file needs updating, command "
"aborting"));
exit_status++;
goto cleanup_return;
}
num_kvnos_purged++;
printf(_("KVNO: %d\n"), args.kvnos[i].kvno);
}
}
/* didn't find any keys to purge */
if (num_kvnos_inuse == args.num_kvnos) {
printf(_("All keys in use, nothing purged.\n"));
goto cleanup_return;
}
if (dry_run) {
/* bail before doing anything else */
printf(_("%d key(s) would be purged.\n"), num_kvnos_purged);
goto cleanup_return;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_lookup_mkey_aux(util_context, master_entry, &mkey_aux_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up mkey aux data list"));
exit_status++;
goto cleanup_return;
}
master_entry->key_data = (krb5_key_data *) malloc(sizeof(krb5_key_data) * num_kvnos_inuse);
if (master_entry->key_data == NULL) {
retval = ENOMEM;
com_err(progname, ENOMEM, _("while allocating key_data"));
exit_status++;
goto cleanup_return;
}
memset(master_entry->key_data, 0, sizeof(krb5_key_data) * num_kvnos_inuse);
master_entry->n_key_data = num_kvnos_inuse; /* there's only 1 mkey per kvno */
/*
* Assuming that the latest mkey will not be purged because it will always
* be "in use" so this code will not bother with encrypting keys again.
*/
for (i = k = 0; i < old_key_data_count; i++) {
for (j = 0; j < args.num_kvnos; j++) {
if (args.kvnos[j].kvno == (krb5_kvno) old_key_data[i].key_data_kvno) {
if (args.kvnos[j].use_count != 0) {
master_entry->key_data[k++] = old_key_data[i];
break;
} else {
/* remove unused mkey */
/* adjust the actkno data */
for (prev_actkvno_entry = actkvno_entry = actkvno_list;
actkvno_entry != NULL;
actkvno_entry = actkvno_entry->next) {
if (actkvno_entry->act_kvno == args.kvnos[j].kvno) {
if (actkvno_entry == actkvno_list) {
/* remove from head */
actkvno_list = actkvno_entry->next;
prev_actkvno_entry = actkvno_list;
} else if (actkvno_entry->next == NULL) {
/* remove from tail */
prev_actkvno_entry->next = NULL;
} else {
/* remove in between */
prev_actkvno_entry->next = actkvno_entry->next;
}
actkvno_entry->next = NULL;
krb5_dbe_free_actkvno_list(util_context, actkvno_entry);
break; /* deleted entry, no need to loop further */
} else {
prev_actkvno_entry = actkvno_entry;
}
}
/* adjust the mkey aux data */
for (prev_mkey_aux_entry = mkey_aux_entry = mkey_aux_list;
mkey_aux_entry != NULL;
mkey_aux_entry = mkey_aux_entry->next) {
if (mkey_aux_entry->mkey_kvno == args.kvnos[j].kvno) {
if (mkey_aux_entry == mkey_aux_list) {
mkey_aux_list = mkey_aux_entry->next;
prev_mkey_aux_entry = mkey_aux_list;
} else if (mkey_aux_entry->next == NULL) {
prev_mkey_aux_entry->next = NULL;
} else {
prev_mkey_aux_entry->next = mkey_aux_entry->next;
}
mkey_aux_entry->next = NULL;
krb5_dbe_free_mkey_aux_list(util_context, mkey_aux_entry);
break; /* deleted entry, no need to loop further */
} else {
prev_mkey_aux_entry = mkey_aux_entry;
}
}
}
}
}
}
assert(k == num_kvnos_inuse);
if ((retval = krb5_dbe_update_actkvno(util_context, master_entry,
actkvno_list))) {
com_err(progname, retval,
_("while updating actkvno data for master principal entry"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_dbe_update_mkey_aux(util_context, master_entry,
mkey_aux_list))) {
com_err(progname, retval,
_("while updating mkey_aux data for master principal entry"));
exit_status++;
return;
}
if ((retval = krb5_timeofday(util_context, &now))) {
com_err(progname, retval, _("while getting current time"));
exit_status++;
goto cleanup_return;
}
if ((retval = krb5_dbe_update_mod_princ_data(util_context, master_entry,
now, master_princ))) {
com_err(progname, retval, _("while updating the master key principal "
"modification time"));
exit_status++;
goto cleanup_return;
}
master_entry->mask |= KADM5_KEY_DATA;
if ((retval = krb5_db_put_principal(util_context, master_entry))) {
(void) krb5_db_fini(util_context);
com_err(progname, retval,
_("while adding master key entry to the database"));
exit_status++;
goto cleanup_return;
}
printf(_("%d key(s) purged.\n"), num_kvnos_purged);
cleanup_return:
/* clean up */
(void) krb5_db_fini(util_context);
krb5_free_principal(util_context, master_princ);
free(args.kvnos);
krb5_free_unparsed_name(util_context, mkey_fullname);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
krb5_dbe_free_mkey_aux_list(util_context, mkey_aux_list);
return;
}
void
kdb5_list_mkeys(int argc, char *argv[])
{
krb5_error_code retval;
char *output_str = NULL, enctype[BUFSIZ];
krb5_kvno act_kvno;
krb5_timestamp act_time;
krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
krb5_db_entry *master_entry = NULL;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
if (master_keylist == NULL) {
com_err(progname, 0, _("master keylist not initialized"));
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
&act_mkey);
if (retval != 0) {
com_err(progname, retval, _("while looking up active master key"));
exit_status++;
goto cleanup_return;
}
printf("Master keys for Principal: %s\n", mkey_fullname);
for (cur_kb_node = master_keylist; cur_kb_node != NULL;
cur_kb_node = cur_kb_node->next) {
if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype,
FALSE, enctype, sizeof(enctype)))) {
com_err(progname, retval, _("while getting enctype description"));
exit_status++;
goto cleanup_return;
}
act_time = -1; /* assume actkvno entry not found */
for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
cur_actkvno = cur_actkvno->next) {
if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
act_time = cur_actkvno->act_time;
break;
}
}
if (cur_kb_node->kvno == act_kvno) {
/* * indicates kvno is currently active */
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s *\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
if (act_time != -1) {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, No activate time "
"set\n"), cur_kb_node->kvno, enctype);
}
}
if (retval == -1) {
com_err(progname, ENOMEM, _("asprintf could not allocate enough "
"memory to hold output"));
exit_status++;
goto cleanup_return;
}
printf("%s", output_str);
free(output_str);
output_str = NULL;
}
cleanup_return:
/* clean up */
krb5_db_free_principal(util_context, master_entry);
free(output_str);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
return;
}
/*
* The request seems to be for a ticket-granting service somewhere else,
* but we don't have a ticket for the final TGS. Try to give the requestor
* some intermediate realm.
*/
static void
find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
krb5_boolean *more, int *nprincs,
const krb5_fulladdr *from, char *cname)
{
krb5_error_code retval;
krb5_principal *plist, *pl2;
krb5_data tmp;
*nprincs = 0;
*more = FALSE;
/*
* Call to krb5_princ_component is normally not safe but is so
* here only because find_alternate_tgs() is only called from
* somewhere that has already checked the number of components in
* the principal.
*/
if ((retval = krb5_walk_realm_tree(kdc_context,
krb5_princ_realm(kdc_context, request->server),
krb5_princ_component(kdc_context, request->server, 1),
&plist, KRB5_REALM_BRANCH_CHAR)))
return;
/* move to the end */
for (pl2 = plist; *pl2; pl2++);
/* the first entry in this array is for krbtgt/local@local, so we
ignore it */
while (--pl2 > plist) {
*nprincs = 1;
tmp = *krb5_princ_realm(kdc_context, *pl2);
krb5_princ_set_realm(kdc_context, *pl2,
krb5_princ_realm(kdc_context, tgs_server));
retval = krb5_db_get_principal(kdc_context, *pl2, server, nprincs, more);
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
if (retval) {
*nprincs = 0;
*more = FALSE;
krb5_free_realm_tree(kdc_context, plist);
return;
}
if (*more) {
krb5_db_free_principal(kdc_context, server, *nprincs);
continue;
} else if (*nprincs == 1) {
/* Found it! */
krb5_principal tmpprinc;
char *sname;
tmp = *krb5_princ_realm(kdc_context, *pl2);
krb5_princ_set_realm(kdc_context, *pl2,
krb5_princ_realm(kdc_context, tgs_server));
if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) {
krb5_db_free_principal(kdc_context, server, *nprincs);
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
continue;
}
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
krb5_free_principal(kdc_context, request->server);
request->server = tmpprinc;
if (krb5_unparse_name(kdc_context, request->server, &sname)) {
audit_krb5kdc_tgs_req_alt_tgt(
(struct in_addr *)from->address->contents,
(in_port_t)from->port,
0, cname, "<unparseable>", 0);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing alternate <un-unparseable> TGT");
} else {
limit_string(sname);
audit_krb5kdc_tgs_req_alt_tgt(
(struct in_addr *)from->address->contents,
(in_port_t)from->port,
0, cname, sname, 0);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ: issuing TGT %s", sname);
free(sname);
}
return;
}
krb5_db_free_principal(kdc_context, server, *nprincs);
continue;
}
*nprincs = 0;
*more = FALSE;
krb5_free_realm_tree(kdc_context, plist);
return;
}
/*ARGSUSED*/
krb5_error_code
process_tgs_req(struct server_handle *handle, krb5_data *pkt,
const krb5_fulladdr *from, krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_keyblock *header_key = NULL;
krb5_kdc_req *request = 0;
krb5_db_entry *server = NULL;
krb5_db_entry *stkt_server = NULL;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int st_idx = 0;
krb5_enc_tkt_part enc_tkt_reply;
int newtransited = 0;
krb5_error_code retval = 0;
krb5_keyblock encrypting_key;
krb5_timestamp kdc_time, authtime = 0;
krb5_keyblock session_key;
krb5_keyblock *reply_key = NULL;
krb5_key_data *server_key;
krb5_principal cprinc = NULL, sprinc = NULL, altcprinc = NULL;
krb5_last_req_entry *nolrarray[2], nolrentry;
int errcode;
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
krb5_db_entry *client = NULL, *header_server = NULL;
krb5_db_entry *local_tgt, *local_tgt_storage = NULL;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
krb5_boolean is_referral;
const char *emsg = NULL;
krb5_kvno ticket_kvno = 0;
struct kdc_request_state *state = NULL;
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
krb5_pa_data **e_data = NULL;
kdc_realm_t *kdc_active_realm = NULL;
krb5_audit_state *au_state = NULL;
krb5_data **auth_indicators = NULL;
memset(&reply, 0, sizeof(reply));
memset(&reply_encpart, 0, sizeof(reply_encpart));
memset(&ticket_reply, 0, sizeof(ticket_reply));
memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
/* Save pointer to client-requested service principal, in case of
* errors before a successful call to search_sprinc(). */
sprinc = request->server;
if (request->msg_type != KRB5_TGS_REQ) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return KRB5_BADMSGTYPE;
}
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
kdc_active_realm = setup_server_realm(handle, request->server);
if (kdc_active_realm == NULL) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return KRB5KDC_ERR_WRONG_REALM;
}
errcode = kdc_make_rstate(kdc_active_realm, &state);
if (errcode !=0) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return errcode;
}
/* Initialize audit state. */
errcode = kau_init_kdc_req(kdc_context, request, from, &au_state);
if (errcode) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return errcode;
}
/* Seed the audit trail with the request ID and basic information. */
kau_tgs_req(kdc_context, TRUE, au_state);
errcode = kdc_process_tgs_req(kdc_active_realm,
request, from, pkt, &header_ticket,
&header_server, &header_key, &subkey,
&pa_tgs_req);
if (header_ticket && header_ticket->enc_part2)
cprinc = header_ticket->enc_part2->client;
if (errcode) {
status = "PROCESS_TGS";
goto cleanup;
}
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
errcode = kau_make_tkt_id(kdc_context, header_ticket,
&au_state->tkt_in_id);
if (errcode) {
status = "GENERATE_TICKET_ID";
goto cleanup;
}
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
errcode = kdc_find_fast(&request, &scratch, subkey,
header_ticket->enc_part2->session, state, NULL);
/* Reset sprinc because kdc_find_fast() can replace request. */
sprinc = request->server;
if (errcode !=0) {
status = "FIND_FAST";
goto cleanup;
}
errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage);
if (errcode) {
status = "GET_LOCAL_TGT";
goto cleanup;
}
/* Ignore (for now) the request modification due to FAST processing. */
au_state->request = request;
/*
* Pointer to the encrypted part of the header ticket, which may be
* replaced to point to the encrypted part of the evidence ticket
* if constrained delegation is used. This simplifies the number of
* special cases for constrained delegation.
*/
header_enc_tkt = header_ticket->enc_part2;
/*
* We've already dealt with the AP_REQ authentication, so we can
* use header_ticket freely. The encrypted part (if any) has been
* decrypted with the session key.
*/
au_state->stage = SRVC_PRINC;
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
errcode = search_sprinc(kdc_active_realm, request, s_flags, &server,
&status);
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
/* If we got a cross-realm TGS which is not the requested server, we are
* issuing a referral (or alternate TGT, which we treat similarly). */
is_referral = is_cross_tgs_principal(server->princ) &&
!krb5_principal_compare(kdc_context, request->server, server->princ);
au_state->stage = VALIDATE_POL;
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
}
if ((retval = validate_tgs_request(kdc_active_realm,
request, *server, header_ticket,
kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
if (!is_local_principal(kdc_active_realm, header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_active_realm,
request,
header_enc_tkt->client,
server,
subkey,
header_enc_tkt->session,
kdc_time,
&s4u_x509_user,
&client,
&status);
if (s4u_x509_user != NULL || errcode != 0) {
if (s4u_x509_user != NULL)
au_state->s4u2self_user = s4u_x509_user->user_id.user;
if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
au_state->status = status;
kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
au_state->s4u2self_user = NULL;
}
if (errcode)
goto cleanup;
if (s4u_x509_user != NULL) {
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
if (is_referral) {
/* The requesting server appears to no longer exist, and we found
* a referral instead. Treat this as a server lookup failure. */
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
status = "LOOKING_UP_SERVER";
goto cleanup;
}
}
/* Deal with user-to-user and constrained delegation */
errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,
&stkt_server, &status);
if (errcode)
goto cleanup;
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
/* Do constrained delegation protocol and authorization checks */
errcode = kdc_process_s4u2proxy_req(kdc_active_realm,
request,
request->second_ticket[st_idx]->enc_part2,
stkt_server,
header_ticket->enc_part2->client,
request->server,
&status);
if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
else if (errcode)
au_state->violation = LOCAL_POLICY;
au_state->status = status;
retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx],
&au_state->evid_tkt_id);
if (retval) {
status = "GENERATE_TICKET_ID";
errcode = retval;
goto cleanup;
}
kau_s4u2proxy(kdc_context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
assert(krb5_is_tgs_principal(header_ticket->server));
assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
client = stkt_server;
stkt_server = NULL;
} else if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
krb5_db_free_principal(kdc_context, stkt_server);
stkt_server = NULL;
} else
assert(stkt_server == NULL);
au_state->stage = ISSUE_TKT;
errcode = gen_session_key(kdc_active_realm, request, server, &session_key,
&status);
if (errcode)
goto cleanup;
/*
* subject_tkt will refer to the evidence ticket (for constrained
* delegation) or the TGT. The distinction from header_enc_tkt is
* necessary because the TGS signature only protects some fields:
* the others could be forged by a malicious server.
*/
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
subject_tkt = request->second_ticket[st_idx]->enc_part2;
else
subject_tkt = header_enc_tkt;
authtime = subject_tkt->times.authtime;
/* Extract auth indicators from the subject ticket, except for S4U2Proxy
* requests (where the client didn't authenticate). */
if (s4u_x509_user == NULL) {
errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
&auth_indicators);
if (errcode) {
status = "GET_AUTH_INDICATORS";
goto cleanup;
}
}
errcode = check_indicators(kdc_context, server, auth_indicators);
if (errcode) {
status = "HIGHER_AUTHENTICATION_REQUIRED";
goto cleanup;
}
if (is_referral)
ticket_reply.server = server->princ;
else
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = OPTS2FLAGS(request->kdc_options);
enc_tkt_reply.flags |= COPY_TKT_FLAGS(header_enc_tkt->flags);
enc_tkt_reply.times.starttime = 0;
if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
/* Indicate support for encrypted padata (RFC 6806). */
setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
/* don't use new addresses unless forwarded, see below */
enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0;/* optional...don't put it in */
reply_encpart.enc_padata = NULL;
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
* realms may refuse to issue renewable tickets
*/
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
/*
* If S4U2Self principal is not forwardable, then mark ticket as
* unforwardable. This behaviour matches Windows, but it is
* different to the MIT AS-REQ path, which returns an error
* (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
*
* Consider this block the S4U2Self equivalent to
* validate_forwardable().
*/
if (client != NULL &&
isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* Forwardable flag is propagated along referral path.
*/
else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
!isflagset(server->attributes,
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
}
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED) ||
isflagset(request->kdc_options, KDC_OPT_PROXY)) {
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
/* We don't currently handle issuing anonymous tickets based on
* non-anonymous ones, so just ignore the option. */
if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS) &&
!isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
clear(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_timestamp old_starttime;
krb5_deltat old_life;
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
old_starttime = enc_tkt_reply.times.starttime ?
enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
old_life = enc_tkt_reply.times.endtime - old_starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
min(header_ticket->enc_part2->times.renew_till,
kdc_time + old_life);
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
kdc_get_ticket_endtime(kdc_active_realm, enc_tkt_reply.times.starttime,
header_enc_tkt->times.endtime, request->till,
client, server, &enc_tkt_reply.times.endtime);
}
kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client,
server, &enc_tkt_reply);
/*
* Set authtime to be the same as header or evidence ticket's
*/
enc_tkt_reply.times.authtime = authtime;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
altcprinc = s4u_x509_user->user_id.user;
} else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
altcprinc = subject_tkt->client;
} else {
altcprinc = NULL;
}
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
encrypting_key = *(t2enc->session);
} else {
/*
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
}
/*
* Convert server.key into a real key
* (it may be encrypted in the database)
*/
if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
/*
* Don't allow authorization data to be disabled if constrained
* delegation is requested. We don't want to deny the server
* the ability to validate that delegation was used.
*/
clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
}
if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
/*
* If we are not doing protocol transition/constrained delegation
* try to lookup the client principal so plugins can add additional
* authorization information.
*
* Always validate authorization data for constrained delegation
* because we must validate the KDC signatures.
*/
if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U)) {
/* Generate authorization data so we can include it in ticket */
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
/* Map principals from foreign (possibly non-AD) realms */
setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
assert(client == NULL); /* should not have been set already */
errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
c_flags, &client);
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = subject_tkt->client;
enc_tkt_reply.session = &session_key;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
* than the realm of the client (since the realm of the client is already
* implicitly part of the transited list and should not be explicitly
* listed).
*/
/* realm compare is like strcmp, but knows how to deal with these args */
if (krb5_realm_compare(kdc_context, header_ticket->server, tgs_server) ||
krb5_realm_compare(kdc_context, header_ticket->server,
enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_enc_tkt->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
if (header_enc_tkt->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "VALIDATE_TRANSIT_TYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
goto cleanup;
}
memset(&enc_tkt_reply.transited, 0, sizeof(enc_tkt_reply.transited));
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
if ((errcode =
add_to_transited(&header_enc_tkt->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
request->server))) {
status = "ADD_TO_TRANSITED_LIST";
goto cleanup;
}
newtransited = 1;
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
server, header_server);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
}
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
errcode = kdc_check_transited_list (kdc_active_realm,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_enc_tkt->client),
krb5_princ_realm (kdc_context, request->server));
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else {
log_tgs_badtrans(kdc_context, cprinc, sprinc,
&enc_tkt_reply.transited.tr_contents, errcode);
}
} else
krb5_klog_syslog(LOG_INFO, _("not checking transit path"));
if (kdc_active_realm->realm_reject_bad_transit &&
!isflagset(enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
au_state->violation = LOCAL_POLICY;
goto cleanup;
}
errcode = handle_authdata(kdc_context, c_flags, client, server,
header_server, local_tgt,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
header_key,
pkt,
request,
s4u_x509_user ?
s4u_x509_user->user_id.user : NULL,
subject_tkt,
auth_indicators,
&enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
errcode);
status = "HANDLE_AUTHDATA";
goto cleanup;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
* If we are doing user-to-user authentication, then make sure
* that the client for the second ticket matches the request
* server, and then encrypt the ticket using the session key of
* the second ticket.
*/
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
/*
* Make sure the client for the second ticket matches
* requested server.
*/
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
altcprinc = client2;
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
status = "2ND_TKT_MISMATCH";
au_state->status = status;
kau_u2u(kdc_context, FALSE, au_state);
goto cleanup;
}
ticket_kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
kau_u2u(kdc_context, TRUE, au_state);
st_idx++;
} else {
ticket_kvno = server_key->key_data_kvno;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode) {
status = "ENCRYPT_TICKET";
goto cleanup;
}
ticket_reply.enc_part.kvno = ticket_kvno;
/* Start assembling the response */
au_state->stage = ENCR_REP;
reply.msg_type = KRB5_TGS_REP;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
krb5int_find_pa_data(kdc_context, request->padata,
KRB5_PADATA_S4U_X509_USER) != NULL) {
errcode = kdc_make_s4u2self_rep(kdc_context,
subkey,
header_ticket->enc_part2->session,
s4u_x509_user,
&reply,
&reply_encpart);
if (errcode) {
status = "MAKE_S4U2SELF_PADATA";
au_state->status = status;
}
kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
}
reply.client = enc_tkt_reply.client;
reply.enc_part.kvno = 0;/* We are using the session key */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields */
reply_encpart.times = enc_tkt_reply.times;
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrentry.magic = 0;
nolrarray[0] = &nolrentry;
nolrarray[1] = 0;
reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
reply_encpart.key_exp = 0;/* ditto */
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
if (errcode !=0 ) {
status = "MAKE_FAST_RESPONSE";
goto cleanup;
}
errcode =kdc_fast_handle_reply_key(state,
subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode) {
status = "MAKE_FAST_REPLY_KEY";
goto cleanup;
}
errcode = return_enc_padata(kdc_context, pkt, request,
reply_key, server, &reply_encpart,
is_referral &&
isflagset(s_flags,
KRB5_KDB_FLAG_CANONICALIZE));
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
}
errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id);
if (errcode) {
status = "GENERATE_TICKET_ID";
goto cleanup;
}
if (kdc_fast_hide_client(state))
reply.client = (krb5_principal)krb5_anonymous_principal();
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
reply_key,
&reply, response);
if (errcode) {
status = "ENCODE_KDC_REP";
} else {
status = "ISSUE";
}
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
cleanup:
assert(status != NULL);
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
emsg = krb5_get_error_message (kdc_context, errcode);
au_state->status = status;
if (!errcode)
au_state->reply = &reply;
kau_tgs_req(kdc_context, errcode ? FALSE : TRUE, au_state);
kau_free_kdc_req(au_state);
log_tgs_req(kdc_context, from, request, &reply, cprinc,
sprinc, altcprinc, authtime,
c_flags, status, errcode, emsg);
if (errcode) {
krb5_free_error_message (kdc_context, emsg);
emsg = NULL;
}
if (errcode) {
int got_err = 0;
if (status == 0) {
status = krb5_get_error_message (kdc_context, errcode);
got_err = 1;
}
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > KRB_ERR_MAX)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(state, request, header_ticket, errcode,
(server != NULL) ? server->princ : NULL,
response, status, e_data);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
}
}
if (header_ticket != NULL)
krb5_free_ticket(kdc_context, header_ticket);
if (request != NULL)
krb5_free_kdc_req(kdc_context, request);
if (state)
kdc_free_rstate(state);
krb5_db_free_principal(kdc_context, server);
krb5_db_free_principal(kdc_context, header_server);
krb5_db_free_principal(kdc_context, client);
krb5_db_free_principal(kdc_context, local_tgt_storage);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
if (s4u_x509_user != NULL)
krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
if (header_key != NULL)
krb5_free_keyblock(kdc_context, header_key);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
krb5_free_pa_data(kdc_context, e_data);
k5_free_data_ptr_list(auth_indicators);
return retval;
}
void
kdb5_list_mkeys(int argc, char *argv[])
{
krb5_error_code retval;
char *mkey_fullname = NULL, *output_str = NULL, enctype[BUFSIZ];
krb5_kvno act_kvno;
krb5_timestamp act_time;
krb5_actkvno_node *actkvno_list = NULL, *cur_actkvno;
krb5_db_entry *master_entry;
krb5_keylist_node *cur_kb_node;
krb5_keyblock *act_mkey;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
if (master_keylist == NULL) {
com_err(progname, 0, _("master keylist not initialized"));
exit_status++;
return;
}
/* assemble & parse the master key name */
if ((retval = krb5_db_setup_mkey_name(util_context,
global_params.mkey_name,
global_params.realm,
&mkey_fullname, &master_princ))) {
com_err(progname, retval, _("while setting up master key name"));
exit_status++;
return;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup_return;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup_return;
}
if (actkvno_list == NULL) {
act_kvno = master_entry->key_data[0].key_data_kvno;
} else {
retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &act_kvno,
&act_mkey);
if (retval == KRB5_KDB_NOACTMASTERKEY) {
/* Maybe we went through a time warp, and the only keys
with activation dates have them set in the future? */
com_err(progname, retval, "");
/* Keep going. */
act_kvno = -1;
} else if (retval != 0) {
com_err(progname, retval, _("while looking up active master key"));
exit_status++;
goto cleanup_return;
}
}
printf("Master keys for Principal: %s\n", mkey_fullname);
for (cur_kb_node = master_keylist; cur_kb_node != NULL;
cur_kb_node = cur_kb_node->next) {
if ((retval = krb5_enctype_to_name(cur_kb_node->keyblock.enctype,
FALSE, enctype, sizeof(enctype)))) {
com_err(progname, retval, _("while getting enctype description"));
exit_status++;
goto cleanup_return;
}
if (actkvno_list != NULL) {
act_time = -1; /* assume actkvno entry not found */
for (cur_actkvno = actkvno_list; cur_actkvno != NULL;
cur_actkvno = cur_actkvno->next) {
if (cur_actkvno->act_kvno == cur_kb_node->kvno) {
act_time = cur_actkvno->act_time;
break;
}
}
} else {
/*
* mkey princ doesn't have an active knvo list so assume the current
* key is active now
*/
if ((retval = krb5_timeofday(util_context, &act_time))) {
com_err(progname, retval, _("while getting current time"));
exit_status++;
goto cleanup_return;
}
}
if (cur_kb_node->kvno == act_kvno) {
/* * indicates kvno is currently active */
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s *\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
if (act_time != -1) {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, Active on: %s\n"),
cur_kb_node->kvno, enctype, strdate(act_time));
} else {
retval = asprintf(&output_str,
_("KVNO: %d, Enctype: %s, No activate time "
"set\n"), cur_kb_node->kvno, enctype);
}
}
if (retval == -1) {
com_err(progname, ENOMEM, _("asprintf could not allocate enough "
"memory to hold output"));
exit_status++;
goto cleanup_return;
}
printf("%s", output_str);
free(output_str);
output_str = NULL;
}
cleanup_return:
/* clean up */
(void) krb5_db_fini(util_context);
krb5_free_unparsed_name(util_context, mkey_fullname);
free(output_str);
krb5_free_principal(util_context, master_princ);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
return;
}
krb5_error_code
sam_get_db_entry(krb5_context context, krb5_principal client,
int *sam_type, struct _krb5_db_entry_new **db_entry)
{
struct _krb5_db_entry_new *assoc = NULL;
krb5_principal newp = NULL;
int probeslot;
void *ptr = NULL;
krb5_error_code retval;
if (db_entry)
*db_entry = NULL;
retval = krb5_copy_principal(context, client, &newp);
if (retval) {
com_err("krb5kdc", retval, "copying client name for preauth probe");
return retval;
}
probeslot = krb5_princ_size(context, newp)++;
ptr = realloc(krb5_princ_name(context, newp),
krb5_princ_size(context, newp) * sizeof(krb5_data));
if (ptr == NULL) {
retval = ENOMEM;
goto cleanup;
}
krb5_princ_name(context, newp) = ptr;
for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) {
if (*sam_type && *sam_type != sam_ptr->sam_type)
continue;
krb5_princ_component(context,newp,probeslot)->data = sam_ptr->name;
krb5_princ_component(context,newp,probeslot)->length =
strlen(sam_ptr->name);
retval = krb5_db_get_principal(context, newp, 0, &assoc);
if (!retval)
break;
}
cleanup:
if (ptr) {
krb5_princ_component(context,newp,probeslot)->data = 0;
krb5_princ_component(context,newp,probeslot)->length = 0;
krb5_free_principal(context, newp);
}
if (probeslot)
krb5_princ_size(context, newp)--;
if (retval)
return retval;
if (sam_ptr->sam_type) {
/* Found entry of type sam_ptr->sam_type */
if (sam_type)
*sam_type = sam_ptr->sam_type;
if (db_entry)
*db_entry = assoc;
else
krb5_db_free_principal(context, assoc);
return 0;
} else {
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
}
void
kdb5_update_princ_encryption(int argc, char *argv[])
{
struct update_enc_mkvno data = { 0 };
char *name_pattern = NULL;
int force = 0;
int optchar;
krb5_error_code retval;
krb5_actkvno_node *actkvno_list = 0;
krb5_db_entry *master_entry;
char *mkey_fullname = 0;
#ifdef BSD_REGEXPS
char *msg;
#endif
char *regexp = NULL;
krb5_keyblock *act_mkey;
krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
while ((optchar = getopt(argc, argv, "fnv")) != -1) {
switch (optchar) {
case 'f':
force = 1;
break;
case 'n':
data.dry_run = 1;
break;
case 'v':
data.verbose = 1;
break;
case '?':
case ':':
default:
usage();
}
}
if (argv[optind] != NULL) {
name_pattern = argv[optind];
if (argv[optind+1] != NULL)
usage();
}
retval = krb5_unparse_name(util_context, master_princ, &mkey_fullname);
if (retval) {
com_err(progname, retval, _("while formatting master principal name"));
exit_status++;
goto cleanup;
}
if (master_keylist == NULL) {
com_err(progname, retval, _("master keylist not initialized"));
exit_status++;
goto cleanup;
}
/* The glob_to_regexp code only cares if the "realm" parameter is
NULL or not; the string data is irrelevant. */
if (name_pattern == NULL)
name_pattern = "*";
if (glob_to_regexp(name_pattern, "hi", ®exp) != 0) {
com_err(progname, ENOMEM,
_("converting glob pattern '%s' to regular expression"),
name_pattern);
exit_status++;
goto cleanup;
}
if (
#ifdef SOLARIS_REGEXPS
((data.expbuf = compile(regexp, NULL, NULL)) == NULL)
#endif
#ifdef POSIX_REGEXPS
((regcomp(&data.preg, regexp, REG_NOSUB)) != 0)
#endif
#ifdef BSD_REGEXPS
((msg = (char *) re_comp(regexp)) != NULL)
#endif
) {
/* XXX syslog msg or regerr(regerrno) */
com_err(progname, 0, _("error compiling converted regexp '%s'"),
regexp);
exit_status++;
goto cleanup;
}
retval = krb5_db_get_principal(util_context, master_princ, 0,
&master_entry);
if (retval != 0) {
com_err(progname, retval, _("while getting master key principal %s"),
mkey_fullname);
exit_status++;
goto cleanup;
}
retval = krb5_dbe_lookup_actkvno(util_context, master_entry, &actkvno_list);
if (retval != 0) {
com_err(progname, retval, _("while looking up active kvno list"));
exit_status++;
goto cleanup;
}
retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno,
&act_mkey);
if (retval) {
com_err(progname, retval, _("while looking up active master key"));
exit_status++;
goto cleanup;
}
new_master_keyblock = *act_mkey;
if (!force &&
!data.dry_run &&
!are_you_sure(_("Re-encrypt all keys not using master key vno %u?"),
new_mkvno)) {
printf(_("OK, doing nothing.\n"));
exit_status++;
goto cleanup;
}
if (data.verbose) {
if (data.dry_run) {
printf(_("Principals whose keys WOULD BE re-encrypted to master "
"key vno %u:\n"), new_mkvno);
} else {
printf(_("Principals whose keys are being re-encrypted to master "
"key vno %u if necessary:\n"), new_mkvno);
}
}
if (!data.dry_run) {
/* Grab a write lock so we don't have to upgrade to a write lock and
* reopen the DB while iterating. */
retval = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_EXCLUSIVE);
if (retval != 0 && retval != KRB5_PLUGIN_OP_NOTSUPP) {
com_err(progname, retval, _("trying to lock database"));
exit_status++;
}
}
retval = krb5_db_iterate(util_context, name_pattern,
update_princ_encryption_1, &data);
/* If exit_status is set, then update_princ_encryption_1 already
printed a message. */
if (retval != 0 && exit_status == 0) {
com_err(progname, retval, _("trying to process principal database"));
exit_status++;
}
if (!data.dry_run)
(void)krb5_db_unlock(util_context);
(void) krb5_db_fini(util_context);
if (data.dry_run) {
printf(_("%u principals processed: %u would be updated, %u already "
"current\n"),
data.re_match_count, data.updated, data.already_current);
} else {
printf(_("%u principals processed: %u updated, %u already current\n"),
data.re_match_count, data.updated, data.already_current);
}
cleanup:
free(regexp);
memset(&new_master_keyblock, 0, sizeof(new_master_keyblock));
krb5_free_unparsed_name(util_context, mkey_fullname);
krb5_dbe_free_actkvno_list(util_context, actkvno_list);
}
/*ARGSUSED*/
krb5_error_code
process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_keyblock * tgskey = 0;
krb5_kdc_req *request = 0;
krb5_db_entry *server = NULL;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int st_idx = 0;
krb5_enc_tkt_part enc_tkt_reply;
krb5_transited enc_tkt_transited;
int newtransited = 0;
krb5_error_code retval = 0;
krb5_keyblock encrypting_key;
krb5_timestamp kdc_time, authtime = 0;
krb5_keyblock session_key;
krb5_timestamp rtime;
krb5_keyblock *reply_key = NULL;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
krb5_enctype useenctype;
int errcode, errcode2;
register int i;
int firstpass = 1;
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
krb5_db_entry *client = NULL, *krbtgt = NULL;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
char *s4u_name = NULL;
krb5_boolean is_referral, db_ref_done = FALSE;
const char *emsg = NULL;
krb5_data *tgs_1 =NULL, *server_1 = NULL;
krb5_principal krbtgt_princ;
krb5_kvno ticket_kvno = 0;
struct kdc_request_state *state = NULL;
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
krb5_pa_data **e_data = NULL;
reply.padata = 0; /* For cleanup handler */
reply_encpart.enc_padata = 0;
enc_tkt_reply.authorization_data = NULL;
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
if (request->msg_type != KRB5_TGS_REQ) {
krb5_free_kdc_req(kdc_context, request);
return KRB5_BADMSGTYPE;
}
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
if ((retval = setup_server_realm(request->server))) {
krb5_free_kdc_req(kdc_context, request);
return retval;
}
errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
&krbtgt, &tgskey, &subkey, &pa_tgs_req);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
&cname))) {
status = "UNPARSING CLIENT";
errcode = errcode2;
goto cleanup;
}
limit_string(cname);
if (errcode) {
status = "PROCESS_TGS";
goto cleanup;
}
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
errcode = kdc_make_rstate(&state);
if (errcode !=0) {
status = "making state";
goto cleanup;
}
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
errcode = kdc_find_fast(&request, &scratch, subkey,
header_ticket->enc_part2->session, state, NULL);
if (errcode !=0) {
status = "kdc_find_fast";
goto cleanup;
}
/*
* Pointer to the encrypted part of the header ticket, which may be
* replaced to point to the encrypted part of the evidence ticket
* if constrained delegation is used. This simplifies the number of
* special cases for constrained delegation.
*/
header_enc_tkt = header_ticket->enc_part2;
/*
* We've already dealt with the AP_REQ authentication, so we can
* use header_ticket freely. The encrypted part (if any) has been
* decrypted with the session key.
*/
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
db_ref_done = FALSE;
ref_tgt_again:
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
status = "UNPARSING SERVER";
goto cleanup;
}
limit_string(sname);
errcode = krb5_db_get_principal(kdc_context, request->server,
s_flags, &server);
if (errcode && errcode != KRB5_KDB_NOENTRY) {
status = "LOOKING_UP_SERVER";
goto cleanup;
}
tgt_again:
if (errcode == KRB5_KDB_NOENTRY) {
/*
* might be a request for a TGT for some other realm; we
* should do our best to find such a TGS in this db
*/
if (firstpass ) {
if ( krb5_is_tgs_principal(request->server) == TRUE) {
/* Principal is a name of krb ticket service */
if (krb5_princ_size(kdc_context, request->server) == 2) {
server_1 = krb5_princ_component(kdc_context,
request->server, 1);
tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
if (errcode == 0)
goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
} else if ( db_ref_done == FALSE) {
retval = prep_reprocess_req(request, &krbtgt_princ);
if (!retval) {
krb5_free_principal(kdc_context, request->server);
retval = krb5_copy_principal(kdc_context, krbtgt_princ,
&(request->server));
if (!retval) {
db_ref_done = TRUE;
if (sname != NULL)
free(sname);
goto ref_tgt_again;
}
}
}
}
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
}
if ((retval = validate_tgs_request(request, *server, header_ticket,
kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
if (!is_local_principal(header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
is_referral = krb5_is_tgs_principal(server->princ) &&
!krb5_principal_compare(kdc_context, tgs_server, server->princ);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_context,
request,
header_enc_tkt->client,
server,
subkey,
header_enc_tkt->session,
kdc_time,
&s4u_x509_user,
&client,
&status);
if (errcode)
goto cleanup;
if (s4u_x509_user != NULL)
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
/*
* We pick the session keytype here....
*
* Some special care needs to be taken in the user-to-user
* case, since we don't know what keytypes the application server
* which is doing user-to-user authentication can support. We
* know that it at least must be able to support the encryption
* type of the session key in the TGT, since otherwise it won't be
* able to decrypt the U2U ticket! So we use that in preference
* to anything else.
*/
useenctype = 0;
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
KDC_OPT_CNAME_IN_ADDL_TKT)) {
krb5_keyblock * st_sealing_key;
krb5_kvno st_srv_kvno;
krb5_enctype etype;
krb5_db_entry *st_client;
/*
* Get the key for the second ticket, and decrypt it.
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
c_flags,
TRUE, /* match_enctype */
&st_client,
&st_sealing_key,
&st_srv_kvno))) {
status = "2ND_TKT_SERVER";
goto cleanup;
}
errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
request->second_ticket[st_idx]);
krb5_free_keyblock(kdc_context, st_sealing_key);
if (errcode) {
status = "2ND_TKT_DECRYPT";
krb5_db_free_principal(kdc_context, st_client);
goto cleanup;
}
etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
if (!krb5_c_valid_enctype(etype)) {
status = "BAD_ETYPE_IN_2ND_TKT";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
krb5_db_free_principal(kdc_context, st_client);
goto cleanup;
}
for (i = 0; i < request->nktypes; i++) {
if (request->ktype[i] == etype) {
useenctype = etype;
break;
}
}
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
/* Do constrained delegation protocol and authorization checks */
errcode = kdc_process_s4u2proxy_req(kdc_context,
request,
request->second_ticket[st_idx]->enc_part2,
st_client,
header_ticket->enc_part2->client,
request->server,
&status);
if (errcode)
goto cleanup;
setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
assert(krb5_is_tgs_principal(header_ticket->server));
assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
client = st_client;
} else {
/* "client" is not used for user2user */
krb5_db_free_principal(kdc_context, st_client);
}
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype == 0) &&
(useenctype = select_session_keytype(kdc_context, server,
request->nktypes,
request->ktype)) == 0) {
/* unsupported ktype */
status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto cleanup;
}
errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
if (errcode) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
goto cleanup;
}
/*
* subject_tkt will refer to the evidence ticket (for constrained
* delegation) or the TGT. The distinction from header_enc_tkt is
* necessary because the TGS signature only protects some fields:
* the others could be forged by a malicious server.
*/
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
subject_tkt = request->second_ticket[st_idx]->enc_part2;
else
subject_tkt = header_enc_tkt;
authtime = subject_tkt->times.authtime;
if (is_referral)
ticket_reply.server = server->princ;
else
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
/*
* Fix header_ticket's starttime; if it's zero, fill in the
* authtime's value.
*/
if (!(header_enc_tkt->times.starttime))
header_enc_tkt->times.starttime = authtime;
setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
/* don't use new addresses unless forwarded, see below */
enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0;/* optional...don't put it in */
reply_encpart.enc_padata = NULL;
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
* realms may refuse to issue renewable tickets
*/
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
/*
* If S4U2Self principal is not forwardable, then mark ticket as
* unforwardable. This behaviour matches Windows, but it is
* different to the MIT AS-REQ path, which returns an error
* (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
*
* Consider this block the S4U2Self equivalent to
* validate_forwardable().
*/
if (client != NULL &&
isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* Forwardable flag is propagated along referral path.
*/
else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
!isflagset(server->attributes,
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
}
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_deltat old_life;
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
min(header_ticket->enc_part2->times.renew_till,
kdc_time + old_life);
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
kdc_get_ticket_endtime(kdc_context, enc_tkt_reply.times.starttime,
header_enc_tkt->times.endtime, request->till,
client, server, &enc_tkt_reply.times.endtime);
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
setflag(request->kdc_options, KDC_OPT_RENEWABLE);
request->rtime =
min(request->till, header_enc_tkt->times.renew_till);
}
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
/* already checked above in policy check to reject request for a
renewable ticket using a non-renewable ticket */
setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
enc_tkt_reply.times.renew_till =
min(rtime,
min(header_enc_tkt->times.renew_till,
enc_tkt_reply.times.starttime +
min(server->max_renewable_life,
max_renewable_life_for_realm)));
} else {
enc_tkt_reply.times.renew_till = 0;
}
if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
/*
* Set authtime to be the same as header or evidence ticket's
*/
enc_tkt_reply.times.authtime = authtime;
/*
* Propagate the preauthentication flags through to the returned ticket.
*/
if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user,
&s4u_name);
} else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
errcode = krb5_unparse_name(kdc_context, subject_tkt->client,
&s4u_name);
} else {
errcode = 0;
}
if (errcode) {
status = "UNPARSING S4U CLIENT";
goto cleanup;
}
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
encrypting_key = *(t2enc->session);
} else {
/*
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
}
/*
* Convert server.key into a real key
* (it may be encrypted in the database)
*/
if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
/*
* Don't allow authorization data to be disabled if constrained
* delegation is requested. We don't want to deny the server
* the ability to validate that delegation was used.
*/
clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
}
if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
/*
* If we are not doing protocol transition/constrained delegation
* try to lookup the client principal so plugins can add additional
* authorization information.
*
* Always validate authorization data for constrained delegation
* because we must validate the KDC signatures.
*/
if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U)) {
/* Generate authorization data so we can include it in ticket */
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
/* Map principals from foreign (possibly non-AD) realms */
setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
assert(client == NULL); /* should not have been set already */
errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
c_flags, &client);
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = subject_tkt->client;
enc_tkt_reply.session = &session_key;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
tgskey,
pkt,
request,
s4u_x509_user ?
s4u_x509_user->user_id.user : NULL,
subject_tkt,
&enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
errcode);
status = "HANDLE_AUTHDATA";
goto cleanup;
}
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
* than the realm of the client (since the realm of the client is already
* implicitly part of the transited list and should not be explicitly
* listed).
*/
/* realm compare is like strcmp, but knows how to deal with these args */
if (realm_compare(header_ticket->server, tgs_server) ||
realm_compare(header_ticket->server, enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_enc_tkt->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
if (header_enc_tkt->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "BAD_TRTYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
goto cleanup;
}
enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_transited.magic = 0;
enc_tkt_transited.tr_contents.magic = 0;
enc_tkt_transited.tr_contents.data = 0;
enc_tkt_transited.tr_contents.length = 0;
enc_tkt_reply.transited = enc_tkt_transited;
if ((errcode =
add_to_transited(&header_enc_tkt->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
request->server))) {
status = "ADD_TR_FAIL";
goto cleanup;
}
newtransited = 1;
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
server, krbtgt);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
}
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
unsigned int tlen;
char *tdots;
errcode = kdc_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_enc_tkt->client),
krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog(LOG_INFO, _("bad realm transit path from '%s' "
"to '%s' via '%.*s%s'"),
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>", tlen,
enc_tkt_reply.transited.tr_contents.data, tdots);
else {
emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog(LOG_ERR, _("unexpected error checking transit "
"from '%s' to '%s' via '%.*s%s': %s"),
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>", tlen,
enc_tkt_reply.transited.tr_contents.data, tdots,
emsg);
krb5_free_error_message(kdc_context, emsg);
emsg = NULL;
}
} else
krb5_klog_syslog(LOG_INFO, _("not checking transit path"));
if (reject_bad_transit
&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
goto cleanup;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
* If we are doing user-to-user authentication, then make sure
* that the client for the second ticket matches the request
* server, and then encrypt the ticket using the session key of
* the second ticket.
*/
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
/*
* Make sure the client for the second ticket matches
* requested server.
*/
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
altcname = 0;
if (altcname != NULL)
limit_string(altcname);
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
status = "2ND_TKT_MISMATCH";
goto cleanup;
}
ticket_kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
st_idx++;
} else {
ticket_kvno = server_key->key_data_kvno;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode) {
status = "TKT_ENCRYPT";
goto cleanup;
}
ticket_reply.enc_part.kvno = ticket_kvno;
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) {
errcode = kdc_make_s4u2self_rep(kdc_context,
subkey,
header_ticket->enc_part2->session,
s4u_x509_user,
&reply,
&reply_encpart);
if (errcode) {
status = "KDC_RETURN_S4U2SELF_PADATA";
goto cleanup;
}
}
reply.client = enc_tkt_reply.client;
reply.enc_part.kvno = 0;/* We are using the session key */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields */
reply_encpart.times = enc_tkt_reply.times;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrarray[0] = &nolrentry;
nolrarray[1] = 0;
reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
reply_encpart.key_exp = 0;/* ditto */
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
if (errcode !=0 ) {
status = "Preparing FAST padata";
goto cleanup;
}
errcode =kdc_fast_handle_reply_key(state,
subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode) {
status = "generating reply key";
goto cleanup;
}
errcode = return_enc_padata(kdc_context, pkt, request,
reply_key, server, &reply_encpart,
is_referral &&
isflagset(s_flags,
KRB5_KDB_FLAG_CANONICALIZE));
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
}
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
reply_key,
&reply, response);
if (errcode) {
status = "ENCODE_KDC_REP";
} else {
status = "ISSUE";
}
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
cleanup:
assert(status != NULL);
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
emsg = krb5_get_error_message (kdc_context, errcode);
log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
c_flags, s4u_name, status, errcode, emsg);
if (errcode) {
krb5_free_error_message (kdc_context, emsg);
emsg = NULL;
}
if (errcode) {
int got_err = 0;
if (status == 0) {
status = krb5_get_error_message (kdc_context, errcode);
got_err = 1;
}
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(state, request, header_ticket, errcode,
(server != NULL) ? server->princ : NULL,
response, status, e_data);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
}
}
if (header_ticket != NULL)
krb5_free_ticket(kdc_context, header_ticket);
if (request != NULL)
krb5_free_kdc_req(kdc_context, request);
if (state)
kdc_free_rstate(state);
if (cname != NULL)
free(cname);
if (sname != NULL)
free(sname);
krb5_db_free_principal(kdc_context, server);
krb5_db_free_principal(kdc_context, krbtgt);
krb5_db_free_principal(kdc_context, client);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
if (s4u_x509_user != NULL)
krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (s4u_name != NULL)
free(s4u_name);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
if (tgskey != NULL)
krb5_free_keyblock(kdc_context, tgskey);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
krb5_free_pa_data(kdc_context, e_data);
return retval;
}
/*
* Previously this code returned either a v4 key or a v5 key and you
* could tell from the enctype of the v5 key whether the v4 key was
* useful. Now we return both keys so the code can try both des3 and
* des decryption. We fail if the ticket doesn't have a v4 key.
* Also, note as a side effect, the v5 key is basically useless in
* the client case. It is still returned so the caller can free it.
*/
static int
kerb_get_principal(char *name, char *inst, /* could have wild cards */
Principal *principal,
int *more, /* more tuples than room for */
krb5_keyblock *k5key, krb5_kvno kvno,
int issrv, /* true if retrieving a service key */
krb5_deltat *k5life)
{
/* Note that this structure should not be passed to the
krb5_free* functions, because the pointers within it point
to data with other references. */
krb5_principal search;
krb5_db_entry entries; /* filled in by krb5_db_get_principal() */
int nprinc; /* how many found */
krb5_boolean more5; /* are there more? */
C_Block k;
short toggle = 0;
unsigned long *date;
char* text;
struct tm *tp;
krb5_key_data *pkey;
krb5_error_code retval;
*more = 0;
/* begin setting up the principal structure
* with the first info we have:
*/
memcpy( principal->name, name, 1 + strlen( name));
memcpy( principal->instance, inst, 1 + strlen( inst));
/* the principal-name format changed between v4 & v5:
* v4: name.instance@realm
* v5: realm/name/instance
* in v5, null instance means the null-component doesn't exist.
*/
if ((retval = krb5_425_conv_principal(kdc_context, name, inst,
local_realm, &search)))
return(0);
if ((retval = krb5_db_get_principal(kdc_context, search, &entries,
&nprinc, &more5))) {
krb5_free_principal(kdc_context, search);
return(0);
}
principal->key_low = principal->key_high = 0;
krb5_free_principal(kdc_context, search);
if (nprinc < 1) {
*more = (int)more5 || (nprinc > 1);
return(nprinc);
}
if (!issrv) {
if (krb5_dbe_find_enctype(kdc_context,
&entries,
ENCTYPE_DES_CBC_CRC,
KRB5_KDB_SALTTYPE_V4,
kvno,
&pkey) &&
krb5_dbe_find_enctype(kdc_context,
&entries,
ENCTYPE_DES_CBC_CRC,
-1,
kvno,
&pkey)) {
lt = klog(L_KRB_PERR,
"KDC V4: principal %s.%s isn't V4 compatible",
name, inst);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
} else {
if ( krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
-1, kvno, &pkey)) {
lt = klog(L_KRB_PERR,
"KDC V4: failed to find key for %s.%s #%d",
name, inst, kvno);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
}
if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
memcpy( &principal->key_low, k, LONGLEN);
memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
}
memset(k, 0, sizeof k);
if (issrv) {
krb5_free_keyblock_contents (kdc_context, k5key);
if (krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_RAW,
-1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_SHA1,
-1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
-1, kvno, &pkey)) {
lt = klog(L_KRB_PERR,
"KDC V4: failed to find key for %s.%s #%d (after having found it once)",
name, inst, kvno);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
compat_decrypt_key(pkey, k, k5key, issrv);
memset (k, 0, sizeof k);
}
/*
* Convert v5's entries struct to v4's Principal struct:
* v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes,
* and gets weirder above (128 * 300) seconds.
*/
principal->max_life = krb_time_to_life(0, entries.max_life);
if (k5life != NULL)
*k5life = entries.max_life;
/*
* This is weird, but the intent is that the expiration is the minimum
* of the principal expiration and key expiration
*/
principal->exp_date = (unsigned long)
entries.expiration && entries.pw_expiration ?
min(entries.expiration, entries.pw_expiration) :
(entries.pw_expiration ? entries.pw_expiration :
entries.expiration);
/* principal->mod_date = (unsigned long) entries.mod_date; */
/* Set the master key version to 1. It's not really useful because all keys
* will be encrypted in the same master key version, and digging out the
* actual key version will be harder than it's worth --proven */
/* principal->kdc_key_ver = entries.mkvno; */
principal->kdc_key_ver = 1;
principal->key_version = pkey->key_data_kvno;
/* We overload the attributes with the relevant v5 ones */
principal->attributes = 0;
if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_HW_AUTH) ||
isflagset(entries.attributes, KRB5_KDB_REQUIRES_PRE_AUTH)) {
principal->attributes |= V4_KDB_REQUIRES_PREAUTH;
}
if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
}
if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
principal->attributes |= V4_KDB_DISALLOW_SVR;
}
if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
}
/* set up v4 format of each date's text: */
for ( date = &principal->exp_date, text = principal->exp_date_txt;
toggle ^= 1;
date = &principal->mod_date, text = principal->mod_date_txt) {
tp = localtime( (time_t *) date);
sprintf( text, "%4d-%02d-%02d",
tp->tm_year > 1900 ? tp->tm_year : tp->tm_year + 1900,
tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */
}
/*
* free the storage held by the v5 entry struct,
* which was allocated by krb5_db_get_principal().
* this routine clears the keyblock's contents for us.
*/
krb5_db_free_principal(kdc_context, &entries, nprinc);
*more = (int) more5 || (nprinc > 1);
return( nprinc);
}
