2005-07-11 05:16:55 +04:00
/*
2008-10-27 13:35:07 +03:00
* Copyright ( c ) 1997 - 2007 Kungliga Tekniska Högskolan
* ( Royal Institute of Technology , Stockholm , Sweden ) .
* All rights reserved .
2005-07-11 05:16:55 +04:00
*
2008-10-27 13:35:07 +03:00
* Redistribution and use in source and binary forms , with or without
* modification , are permitted provided that the following conditions
* are met :
2005-07-11 05:16:55 +04:00
*
2008-10-27 13:35:07 +03:00
* 1. Redistributions of source code must retain the above copyright
* notice , this list of conditions and the following disclaimer .
2005-07-11 05:16:55 +04:00
*
2008-10-27 13:35:07 +03:00
* 2. Redistributions in binary form must reproduce the above copyright
* notice , this list of conditions and the following disclaimer in the
* documentation and / or other materials provided with the distribution .
2005-07-11 05:16:55 +04:00
*
2008-10-27 13:35:07 +03:00
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission .
2005-07-11 05:16:55 +04:00
*
2008-10-27 13:35:07 +03:00
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ` ` AS IS ' ' AND
* ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING , BUT NOT LIMITED TO , THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED . IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT , INDIRECT , INCIDENTAL , SPECIAL , EXEMPLARY , OR CONSEQUENTIAL
* DAMAGES ( INCLUDING , BUT NOT LIMITED TO , PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES ; LOSS OF USE , DATA , OR PROFITS ; OR BUSINESS INTERRUPTION )
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY , WHETHER IN CONTRACT , STRICT
* LIABILITY , OR TORT ( INCLUDING NEGLIGENCE OR OTHERWISE ) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE , EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE .
2005-07-11 05:16:55 +04:00
*/
# include "kdc_locl.h"
2008-08-26 21:35:52 +04:00
RCSID ( " $Id$ " ) ;
2005-07-11 05:16:55 +04:00
# define MAX_TIME ((time_t)((1U << 31) - 1))
2006-11-07 09:59:56 +03:00
void
_kdc_fix_time ( time_t * * t )
2005-07-11 05:16:55 +04:00
{
if ( * t = = NULL ) {
ALLOC ( * t ) ;
* * t = MAX_TIME ;
}
if ( * * t = = 0 ) * * t = MAX_TIME ; /* fix for old clients */
}
static int
realloc_method_data ( METHOD_DATA * md )
{
PA_DATA * pa ;
pa = realloc ( md - > val , ( md - > len + 1 ) * sizeof ( * md - > val ) ) ;
if ( pa = = NULL )
return ENOMEM ;
md - > val = pa ;
md - > len + + ;
return 0 ;
}
static void
set_salt_padata ( METHOD_DATA * md , Salt * salt )
{
if ( salt ) {
realloc_method_data ( md ) ;
md - > val [ md - > len - 1 ] . padata_type = salt - > type ;
2006-11-07 09:59:56 +03:00
der_copy_octet_string ( & salt - > salt ,
& md - > val [ md - > len - 1 ] . padata_value ) ;
2005-07-11 05:16:55 +04:00
}
}
2007-06-13 09:44:24 +04:00
const PA_DATA *
_kdc_find_padata ( const KDC_REQ * req , int * start , int type )
2005-07-11 05:16:55 +04:00
{
2007-06-13 09:44:24 +04:00
if ( req - > padata = = NULL )
return NULL ;
2005-07-11 05:16:55 +04:00
while ( * start < req - > padata - > len ) {
( * start ) + + ;
if ( req - > padata - > val [ * start - 1 ] . padata_type = = type )
return & req - > padata - > val [ * start - 1 ] ;
}
return NULL ;
}
2008-08-26 21:35:52 +04:00
/*
* This is a hack to allow predefined weak services , like afs to
* still use weak types
*/
krb5_boolean
2009-06-08 13:06:16 +04:00
_kdc_is_weak_exception ( krb5_principal principal , krb5_enctype etype )
2008-08-26 21:35:52 +04:00
{
if ( principal - > name . name_string . len > 0 & &
strcmp ( principal - > name . name_string . val [ 0 ] , " afs " ) = = 0 & &
( etype = = ETYPE_DES_CBC_CRC
| | etype = = ETYPE_DES_CBC_MD4
| | etype = = ETYPE_DES_CBC_MD5 ) )
return TRUE ;
return FALSE ;
}
2007-08-22 10:46:34 +04:00
/*
* Detect if ` key ' is the using the the precomputed ` default_salt ' .
*/
static krb5_boolean
is_default_salt_p ( const krb5_salt * default_salt , const Key * key )
{
if ( key - > salt = = NULL )
return TRUE ;
if ( default_salt - > salttype ! = key - > salt - > type )
return FALSE ;
if ( krb5_data_cmp ( & default_salt - > saltvalue , & key - > salt - > salt ) )
return FALSE ;
return TRUE ;
}
2005-07-11 05:16:55 +04:00
/*
* return the first appropriate key of ` princ ' in ` ret_key ' . Look for
* all the etypes in ( ` etypes ' , ` len ' ) , stopping as soon as we find
* one , but preferring one that has default salt
*/
2006-11-07 09:59:56 +03:00
krb5_error_code
_kdc_find_etype ( krb5_context context , const hdb_entry_ex * princ ,
2008-10-27 13:35:07 +03:00
krb5_enctype * etypes , unsigned len ,
2006-11-07 09:59:56 +03:00
Key * * ret_key , krb5_enctype * ret_etype )
2005-07-11 05:16:55 +04:00
{
int i ;
krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP ;
2007-08-22 10:46:34 +04:00
krb5_salt def_salt ;
krb5_get_pw_salt ( context , princ - > entry . principal , & def_salt ) ;
2005-07-11 05:16:55 +04:00
for ( i = 0 ; ret ! = 0 & & i < len ; i + + ) {
Key * key = NULL ;
2008-08-26 21:35:52 +04:00
if ( krb5_enctype_valid ( context , etypes [ i ] ) ! = 0 & &
2009-06-08 13:06:16 +04:00
! _kdc_is_weak_exception ( princ - > entry . principal , etypes [ i ] ) )
2005-07-11 05:16:55 +04:00
continue ;
2005-12-15 23:38:24 +03:00
while ( hdb_next_enctype2key ( context , & princ - > entry , etypes [ i ] , & key ) = = 0 ) {
2005-07-11 05:16:55 +04:00
if ( key - > key . keyvalue . length = = 0 ) {
ret = KRB5KDC_ERR_NULL_KEY ;
continue ;
}
* ret_key = key ;
* ret_etype = etypes [ i ] ;
ret = 0 ;
2007-08-22 10:46:34 +04:00
if ( is_default_salt_p ( & def_salt , key ) ) {
krb5_free_salt ( context , def_salt ) ;
2005-07-11 05:16:55 +04:00
return ret ;
2007-08-22 10:46:34 +04:00
}
2005-07-11 05:16:55 +04:00
}
}
2007-08-22 10:46:34 +04:00
krb5_free_salt ( context , def_salt ) ;
2005-07-11 05:16:55 +04:00
return ret ;
}
2006-11-07 09:59:56 +03:00
krb5_error_code
_kdc_make_anonymous_principalname ( PrincipalName * pn )
2005-07-11 05:16:55 +04:00
{
pn - > name_type = KRB5_NT_PRINCIPAL ;
pn - > name_string . len = 1 ;
pn - > name_string . val = malloc ( sizeof ( * pn - > name_string . val ) ) ;
if ( pn - > name_string . val = = NULL )
return ENOMEM ;
pn - > name_string . val [ 0 ] = strdup ( " anonymous " ) ;
if ( pn - > name_string . val [ 0 ] = = NULL ) {
free ( pn - > name_string . val ) ;
pn - > name_string . val = NULL ;
return ENOMEM ;
}
return 0 ;
}
2006-11-07 09:59:56 +03:00
void
2008-10-27 13:35:07 +03:00
_kdc_log_timestamp ( krb5_context context ,
2006-11-07 09:59:56 +03:00
krb5_kdc_configuration * config ,
const char * type ,
2008-10-27 13:35:07 +03:00
KerberosTime authtime , KerberosTime * starttime ,
2006-11-07 09:59:56 +03:00
KerberosTime endtime , KerberosTime * renew_till )
2005-07-11 05:16:55 +04:00
{
2008-10-27 13:35:07 +03:00
char authtime_str [ 100 ] , starttime_str [ 100 ] ,
2005-08-20 10:00:50 +04:00
endtime_str [ 100 ] , renewtime_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , authtime ,
authtime_str , sizeof ( authtime_str ) , TRUE ) ;
2005-07-11 05:16:55 +04:00
if ( starttime )
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * starttime ,
starttime_str , sizeof ( starttime_str ) , TRUE ) ;
2005-07-11 05:16:55 +04:00
else
2005-08-09 07:04:47 +04:00
strlcpy ( starttime_str , " unset " , sizeof ( starttime_str ) ) ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , endtime ,
endtime_str , sizeof ( endtime_str ) , TRUE ) ;
2005-07-11 05:16:55 +04:00
if ( renew_till )
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * renew_till ,
renewtime_str , sizeof ( renewtime_str ) , TRUE ) ;
2005-07-11 05:16:55 +04:00
else
2005-08-09 07:04:47 +04:00
strlcpy ( renewtime_str , " unset " , sizeof ( renewtime_str ) ) ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
kdc_log ( context , config , 5 ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
" %s authtime: %s starttime: %s endtime: %s renew till: %s " ,
2005-08-09 07:04:47 +04:00
type , authtime_str , starttime_str , endtime_str , renewtime_str ) ;
2005-07-11 05:16:55 +04:00
}
2006-04-24 13:36:24 +04:00
static void
2008-10-27 13:35:07 +03:00
log_patypes ( krb5_context context ,
2006-04-24 13:36:24 +04:00
krb5_kdc_configuration * config ,
METHOD_DATA * padata )
{
struct rk_strpool * p = NULL ;
char * str ;
int i ;
2008-10-27 13:35:07 +03:00
2006-04-24 13:36:24 +04:00
for ( i = 0 ; i < padata - > len ; i + + ) {
switch ( padata - > val [ i ] . padata_type ) {
case KRB5_PADATA_PK_AS_REQ :
p = rk_strpoolprintf ( p , " PK-INIT(ietf) " ) ;
break ;
case KRB5_PADATA_PK_AS_REQ_WIN :
p = rk_strpoolprintf ( p , " PK-INIT(win2k) " ) ;
break ;
case KRB5_PADATA_PA_PK_OCSP_RESPONSE :
p = rk_strpoolprintf ( p , " OCSP " ) ;
break ;
case KRB5_PADATA_ENC_TIMESTAMP :
p = rk_strpoolprintf ( p , " encrypted-timestamp " ) ;
break ;
default :
p = rk_strpoolprintf ( p , " %d " , padata - > val [ i ] . padata_type ) ;
break ;
}
if ( p & & i + 1 < padata - > len )
p = rk_strpoolprintf ( p , " , " ) ;
if ( p = = NULL ) {
kdc_log ( context , config , 0 , " out of memory " ) ;
return ;
}
}
2006-05-07 08:51:30 +04:00
if ( p = = NULL )
p = rk_strpoolprintf ( p , " none " ) ;
2006-04-24 13:36:24 +04:00
str = rk_strpoolcollect ( p ) ;
kdc_log ( context , config , 0 , " Client sent patypes: %s " , str ) ;
free ( str ) ;
}
/*
*
*/
2006-11-07 09:59:56 +03:00
krb5_error_code
_kdc_encode_reply ( krb5_context context ,
krb5_kdc_configuration * config ,
2008-10-27 13:35:07 +03:00
KDC_REP * rep , const EncTicketPart * et , EncKDCRepPart * ek ,
krb5_enctype etype ,
2006-11-07 09:59:56 +03:00
int skvno , const EncryptionKey * skey ,
2009-06-08 13:06:16 +04:00
int ckvno , const EncryptionKey * reply_key ,
2006-11-07 09:59:56 +03:00
const char * * e_text ,
krb5_data * reply )
2005-07-11 05:16:55 +04:00
{
unsigned char * buf ;
size_t buf_size ;
size_t len ;
krb5_error_code ret ;
krb5_crypto crypto ;
ASN1_MALLOC_ENCODE ( EncTicketPart , buf , buf_size , et , & len , ret ) ;
if ( ret ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " Failed to encode ticket: %s " ,
2005-07-11 05:16:55 +04:00
krb5_get_err_text ( context , ret ) ) ;
return ret ;
}
if ( buf_size ! = len ) {
free ( buf ) ;
kdc_log ( context , config , 0 , " Internal error in ASN.1 encoder " ) ;
* e_text = " KDC internal error " ;
return KRB5KRB_ERR_GENERIC ;
}
ret = krb5_crypto_init ( context , skey , etype , & crypto ) ;
if ( ret ) {
free ( buf ) ;
kdc_log ( context , config , 0 , " krb5_crypto_init failed: %s " ,
krb5_get_err_text ( context , ret ) ) ;
return ret ;
}
2008-10-27 13:35:07 +03:00
ret = krb5_encrypt_EncryptedData ( context ,
2005-07-11 05:16:55 +04:00
crypto ,
KRB5_KU_TICKET ,
buf ,
len ,
skvno ,
& rep - > ticket . enc_part ) ;
free ( buf ) ;
krb5_crypto_destroy ( context , crypto ) ;
if ( ret ) {
kdc_log ( context , config , 0 , " Failed to encrypt data: %s " ,
krb5_get_err_text ( context , ret ) ) ;
return ret ;
}
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
if ( rep - > msg_type = = krb_as_rep & & ! config - > encode_as_rep_as_tgs_rep )
ASN1_MALLOC_ENCODE ( EncASRepPart , buf , buf_size , ek , & len , ret ) ;
else
ASN1_MALLOC_ENCODE ( EncTGSRepPart , buf , buf_size , ek , & len , ret ) ;
if ( ret ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " Failed to encode KDC-REP: %s " ,
2005-07-11 05:16:55 +04:00
krb5_get_err_text ( context , ret ) ) ;
return ret ;
}
if ( buf_size ! = len ) {
free ( buf ) ;
kdc_log ( context , config , 0 , " Internal error in ASN.1 encoder " ) ;
* e_text = " KDC internal error " ;
return KRB5KRB_ERR_GENERIC ;
}
2009-06-08 13:06:16 +04:00
ret = krb5_crypto_init ( context , reply_key , 0 , & crypto ) ;
2005-07-11 05:16:55 +04:00
if ( ret ) {
free ( buf ) ;
kdc_log ( context , config , 0 , " krb5_crypto_init failed: %s " ,
krb5_get_err_text ( context , ret ) ) ;
return ret ;
}
if ( rep - > msg_type = = krb_as_rep ) {
krb5_encrypt_EncryptedData ( context ,
crypto ,
KRB5_KU_AS_REP_ENC_PART ,
buf ,
len ,
ckvno ,
& rep - > enc_part ) ;
free ( buf ) ;
ASN1_MALLOC_ENCODE ( AS_REP , buf , buf_size , rep , & len , ret ) ;
} else {
krb5_encrypt_EncryptedData ( context ,
crypto ,
KRB5_KU_TGS_REP_ENC_PART_SESSION ,
buf ,
len ,
ckvno ,
& rep - > enc_part ) ;
free ( buf ) ;
ASN1_MALLOC_ENCODE ( TGS_REP , buf , buf_size , rep , & len , ret ) ;
}
krb5_crypto_destroy ( context , crypto ) ;
if ( ret ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " Failed to encode KDC-REP: %s " ,
2005-07-11 05:16:55 +04:00
krb5_get_err_text ( context , ret ) ) ;
return ret ;
}
if ( buf_size ! = len ) {
free ( buf ) ;
kdc_log ( context , config , 0 , " Internal error in ASN.1 encoder " ) ;
* e_text = " KDC internal error " ;
return KRB5KRB_ERR_GENERIC ;
}
reply - > data = buf ;
reply - > length = buf_size ;
return 0 ;
}
2007-08-22 10:46:34 +04:00
/*
* Return 1 if the client have only older enctypes , this is for
* determining if the server should send ETYPE_INFO2 or not .
*/
static int
older_enctype ( krb5_enctype enctype )
{
switch ( enctype ) {
case ETYPE_DES_CBC_CRC :
case ETYPE_DES_CBC_MD4 :
case ETYPE_DES_CBC_MD5 :
case ETYPE_DES3_CBC_SHA1 :
case ETYPE_ARCFOUR_HMAC_MD5 :
case ETYPE_ARCFOUR_HMAC_MD5_56 :
2008-10-27 13:35:07 +03:00
/*
2008-03-19 02:17:42 +03:00
* The following three is " old " windows enctypes and is needed for
* windows 2000 hosts .
*/
case ETYPE_ARCFOUR_MD4 :
case ETYPE_ARCFOUR_HMAC_OLD :
case ETYPE_ARCFOUR_HMAC_OLD_EXP :
2007-08-22 10:46:34 +04:00
return 1 ;
default :
return 0 ;
}
}
/*
*
*/
2005-07-11 05:16:55 +04:00
static krb5_error_code
make_etype_info_entry ( krb5_context context , ETYPE_INFO_ENTRY * ent , Key * key )
{
ent - > etype = key - > key . keytype ;
if ( key - > salt ) {
#if 0
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
ALLOC ( ent - > salttype ) ;
2005-07-11 05:16:55 +04:00
if ( key - > salt - > type = = hdb_pw_salt )
* ent - > salttype = 0 ; /* or 1? or NULL? */
else if ( key - > salt - > type = = hdb_afs3_salt )
* ent - > salttype = 2 ;
else {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " unknown salt-type: %d " ,
2005-07-11 05:16:55 +04:00
key - > salt - > type ) ;
return KRB5KRB_ERR_GENERIC ;
}
/* according to `the specs', we can't send a salt if
we have AFS3 salted key , but that requires that you
* know * what cell you are using ( e . g by assuming
that the cell is the same as the realm in lower
case ) */
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
# elif 0
ALLOC ( ent - > salttype ) ;
2005-07-11 05:16:55 +04:00
* ent - > salttype = key - > salt - > type ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
# else
2008-10-27 13:35:07 +03:00
/*
2008-03-19 02:17:42 +03:00
* We shouldn ' t sent salttype since it is incompatible with the
* specification and it breaks windows clients . The afs
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
* salting problem is solved by using KRB5 - PADATA - AFS3 - SALT
* implemented in Heimdal 0.7 and later .
*/
ent - > salttype = NULL ;
2005-07-11 05:16:55 +04:00
# endif
krb5_copy_data ( context , & key - > salt - > salt ,
& ent - > salt ) ;
} else {
/* we return no salt type at all, as that should indicate
* the default salt type and make everybody happy . some
* systems ( like w2k ) dislike being told the salt type
* here . */
ent - > salttype = NULL ;
ent - > salt = NULL ;
}
return 0 ;
}
static krb5_error_code
2008-10-27 13:35:07 +03:00
get_pa_etype_info ( krb5_context context ,
2005-07-11 05:16:55 +04:00
krb5_kdc_configuration * config ,
2009-06-08 13:06:16 +04:00
METHOD_DATA * md , Key * ckey )
2005-07-11 05:16:55 +04:00
{
krb5_error_code ret = 0 ;
ETYPE_INFO pa ;
unsigned char * buf ;
size_t len ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
2009-06-08 13:06:16 +04:00
pa . len = 1 ;
pa . val = calloc ( 1 , sizeof ( pa . val [ 0 ] ) ) ;
2005-07-11 05:16:55 +04:00
if ( pa . val = = NULL )
return ENOMEM ;
2008-10-27 13:35:07 +03:00
2009-06-08 13:06:16 +04:00
ret = make_etype_info_entry ( context , & pa . val [ 0 ] , ckey ) ;
if ( ret ) {
free_ETYPE_INFO ( & pa ) ;
return ret ;
2005-07-11 05:16:55 +04:00
}
ASN1_MALLOC_ENCODE ( ETYPE_INFO , buf , len , & pa , & len , ret ) ;
free_ETYPE_INFO ( & pa ) ;
if ( ret )
return ret ;
ret = realloc_method_data ( md ) ;
if ( ret ) {
free ( buf ) ;
return ret ;
}
md - > val [ md - > len - 1 ] . padata_type = KRB5_PADATA_ETYPE_INFO ;
md - > val [ md - > len - 1 ] . padata_value . length = len ;
md - > val [ md - > len - 1 ] . padata_value . data = buf ;
return 0 ;
}
/*
*
*/
extern int _krb5_AES_string_to_default_iterator ;
static krb5_error_code
make_etype_info2_entry ( ETYPE_INFO2_ENTRY * ent , Key * key )
{
ent - > etype = key - > key . keytype ;
if ( key - > salt ) {
ALLOC ( ent - > salt ) ;
if ( ent - > salt = = NULL )
return ENOMEM ;
* ent - > salt = malloc ( key - > salt - > salt . length + 1 ) ;
if ( * ent - > salt = = NULL ) {
free ( ent - > salt ) ;
ent - > salt = NULL ;
return ENOMEM ;
}
memcpy ( * ent - > salt , key - > salt - > salt . data , key - > salt - > salt . length ) ;
( * ent - > salt ) [ key - > salt - > salt . length ] = ' \0 ' ;
} else
ent - > salt = NULL ;
ent - > s2kparams = NULL ;
switch ( key - > key . keytype ) {
2005-09-21 16:24:41 +04:00
case ETYPE_AES128_CTS_HMAC_SHA1_96 :
case ETYPE_AES256_CTS_HMAC_SHA1_96 :
2005-07-11 05:16:55 +04:00
ALLOC ( ent - > s2kparams ) ;
if ( ent - > s2kparams = = NULL )
return ENOMEM ;
ent - > s2kparams - > length = 4 ;
ent - > s2kparams - > data = malloc ( ent - > s2kparams - > length ) ;
if ( ent - > s2kparams - > data = = NULL ) {
free ( ent - > s2kparams ) ;
ent - > s2kparams = NULL ;
return ENOMEM ;
}
2008-10-27 13:35:07 +03:00
_krb5_put_int ( ent - > s2kparams - > data ,
_krb5_AES_string_to_default_iterator ,
2005-07-11 05:16:55 +04:00
ent - > s2kparams - > length ) ;
break ;
2005-09-21 16:24:41 +04:00
case ETYPE_DES_CBC_CRC :
case ETYPE_DES_CBC_MD4 :
case ETYPE_DES_CBC_MD5 :
/* Check if this was a AFS3 salted key */
if ( key - > salt & & key - > salt - > type = = hdb_afs3_salt ) {
ALLOC ( ent - > s2kparams ) ;
if ( ent - > s2kparams = = NULL )
return ENOMEM ;
ent - > s2kparams - > length = 1 ;
ent - > s2kparams - > data = malloc ( ent - > s2kparams - > length ) ;
if ( ent - > s2kparams - > data = = NULL ) {
free ( ent - > s2kparams ) ;
ent - > s2kparams = NULL ;
return ENOMEM ;
}
2008-10-27 13:35:07 +03:00
_krb5_put_int ( ent - > s2kparams - > data ,
2005-09-21 16:24:41 +04:00
1 ,
ent - > s2kparams - > length ) ;
}
break ;
2005-07-11 05:16:55 +04:00
default :
break ;
}
return 0 ;
}
/*
2007-08-22 10:46:34 +04:00
* Return an ETYPE - INFO2 . Enctypes are storted the same way as in the
* database ( client supported enctypes first , then the unsupported
* enctypes ) .
2005-07-11 05:16:55 +04:00
*/
static krb5_error_code
2008-10-27 13:35:07 +03:00
get_pa_etype_info2 ( krb5_context context ,
2005-07-11 05:16:55 +04:00
krb5_kdc_configuration * config ,
2009-06-08 13:06:16 +04:00
METHOD_DATA * md , Key * ckey )
2005-07-11 05:16:55 +04:00
{
krb5_error_code ret = 0 ;
ETYPE_INFO2 pa ;
unsigned char * buf ;
size_t len ;
2009-06-08 13:06:16 +04:00
pa . len = 1 ;
pa . val = calloc ( 1 , sizeof ( pa . val [ 0 ] ) ) ;
2005-07-11 05:16:55 +04:00
if ( pa . val = = NULL )
return ENOMEM ;
2008-10-27 13:35:07 +03:00
2009-06-08 13:06:16 +04:00
ret = make_etype_info2_entry ( & pa . val [ 0 ] , ckey ) ;
if ( ret ) {
free_ETYPE_INFO2 ( & pa ) ;
return ret ;
2005-07-11 05:16:55 +04:00
}
ASN1_MALLOC_ENCODE ( ETYPE_INFO2 , buf , len , & pa , & len , ret ) ;
free_ETYPE_INFO2 ( & pa ) ;
if ( ret )
return ret ;
ret = realloc_method_data ( md ) ;
if ( ret ) {
free ( buf ) ;
return ret ;
}
md - > val [ md - > len - 1 ] . padata_type = KRB5_PADATA_ETYPE_INFO2 ;
md - > val [ md - > len - 1 ] . padata_value . length = len ;
md - > val [ md - > len - 1 ] . padata_value . data = buf ;
return 0 ;
}
2007-01-10 04:57:32 +03:00
/*
*
*/
static void
log_as_req ( krb5_context context ,
krb5_kdc_configuration * config ,
krb5_enctype cetype ,
krb5_enctype setype ,
const KDC_REQ_BODY * b )
{
krb5_error_code ret ;
2009-06-08 13:06:16 +04:00
struct rk_strpool * p ;
2007-01-10 04:57:32 +03:00
char * str ;
int i ;
2008-10-27 13:35:07 +03:00
2009-06-08 13:06:16 +04:00
p = rk_strpoolprintf ( NULL , " %s " , " Client supported enctypes: " ) ;
2007-01-10 04:57:32 +03:00
for ( i = 0 ; i < b - > etype . len ; i + + ) {
ret = krb5_enctype_to_string ( context , b - > etype . val [ i ] , & str ) ;
if ( ret = = 0 ) {
p = rk_strpoolprintf ( p , " %s " , str ) ;
free ( str ) ;
} else
p = rk_strpoolprintf ( p , " %d " , b - > etype . val [ i ] ) ;
if ( p & & i + 1 < b - > etype . len )
p = rk_strpoolprintf ( p , " , " ) ;
if ( p = = NULL ) {
kdc_log ( context , config , 0 , " out of memory " ) ;
return ;
}
}
if ( p = = NULL )
p = rk_strpoolprintf ( p , " no encryption types " ) ;
2008-10-27 13:35:07 +03:00
2007-01-10 04:57:32 +03:00
{
char * cet ;
char * set ;
ret = krb5_enctype_to_string ( context , cetype , & cet ) ;
if ( ret = = 0 ) {
ret = krb5_enctype_to_string ( context , setype , & set ) ;
if ( ret = = 0 ) {
2009-06-08 13:06:16 +04:00
p = rk_strpoolprintf ( p , " , using %s/%s " , cet , set ) ;
2007-01-10 04:57:32 +03:00
free ( set ) ;
}
free ( cet ) ;
}
if ( ret ! = 0 )
2009-06-08 13:06:16 +04:00
p = rk_strpoolprintf ( p , " , using enctypes %d/%d " ,
cetype , setype ) ;
2007-01-10 04:57:32 +03:00
}
2008-10-27 13:35:07 +03:00
2009-06-08 13:06:16 +04:00
str = rk_strpoolcollect ( p ) ;
kdc_log ( context , config , 0 , " %s " , str ) ;
free ( str ) ;
2007-01-10 04:57:32 +03:00
{
2007-06-13 09:44:24 +04:00
char fixedstr [ 128 ] ;
2008-10-27 13:35:07 +03:00
unparse_flags ( KDCOptions2int ( b - > kdc_options ) , asn1_KDCOptions_units ( ) ,
2007-06-13 09:44:24 +04:00
fixedstr , sizeof ( fixedstr ) ) ;
if ( * fixedstr )
2009-06-08 13:06:16 +04:00
kdc_log ( context , config , 0 , " Requested flags: %s " , fixedstr ) ;
2007-01-10 04:57:32 +03:00
}
}
2005-07-11 05:16:55 +04:00
/*
* verify the flags on ` client ' and ` server ' , returning 0
* if they are OK and generating an error messages and returning
* and error code otherwise .
*/
krb5_error_code
2009-06-18 05:08:46 +04:00
kdc_check_flags ( krb5_context context ,
krb5_kdc_configuration * config ,
hdb_entry_ex * client_ex , const char * client_name ,
hdb_entry_ex * server_ex , const char * server_name ,
krb5_boolean is_as_req )
2005-07-11 05:16:55 +04:00
{
2006-04-24 13:36:24 +04:00
if ( client_ex ! = NULL ) {
hdb_entry * client = & client_ex - > entry ;
2005-07-11 05:16:55 +04:00
/* check client */
2009-07-16 03:53:14 +04:00
if ( client - > flags . locked_out ) {
kdc_log ( context , config , 0 ,
" Client (%s) is locked out " , client_name ) ;
return KRB5KDC_ERR_POLICY ;
}
2005-07-11 05:16:55 +04:00
if ( client - > flags . invalid ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 ,
2005-07-11 05:16:55 +04:00
" Client (%s) has invalid bit set " , client_name ) ;
return KRB5KDC_ERR_POLICY ;
}
if ( ! client - > flags . client ) {
kdc_log ( context , config , 0 ,
2005-08-09 07:04:47 +04:00
" Principal may not act as client -- %s " , client_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_POLICY ;
}
if ( client - > valid_start & & * client - > valid_start > kdc_time ) {
2005-11-08 04:17:41 +03:00
char starttime_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * client - > valid_start ,
starttime_str , sizeof ( starttime_str ) , TRUE ) ;
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
2008-10-27 13:35:07 +03:00
" Client not yet valid until %s -- %s " ,
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
starttime_str , client_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_CLIENT_NOTYET ;
}
if ( client - > valid_end & & * client - > valid_end < kdc_time ) {
2005-11-08 04:17:41 +03:00
char endtime_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * client - > valid_end ,
endtime_str , sizeof ( endtime_str ) , TRUE ) ;
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
" Client expired at %s -- %s " ,
endtime_str , client_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_NAME_EXP ;
}
2008-10-27 13:35:07 +03:00
if ( client - > pw_end & & * client - > pw_end < kdc_time
2006-04-24 13:36:24 +04:00
& & ( server_ex = = NULL | | ! server_ex - > entry . flags . change_pw ) ) {
2005-11-08 04:17:41 +03:00
char pwend_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * client - > pw_end ,
pwend_str , sizeof ( pwend_str ) , TRUE ) ;
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
2008-10-27 13:35:07 +03:00
" Client's key has expired at %s -- %s " ,
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
pwend_str , client_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_KEY_EXPIRED ;
}
}
/* check server */
2008-10-27 13:35:07 +03:00
2006-04-24 13:36:24 +04:00
if ( server_ex ! = NULL ) {
hdb_entry * server = & server_ex - > entry ;
2009-07-16 03:53:14 +04:00
if ( server - > flags . locked_out ) {
kdc_log ( context , config , 0 ,
" Client server locked out -- %s " , server_name ) ;
return KRB5KDC_ERR_POLICY ;
}
2005-07-11 05:16:55 +04:00
if ( server - > flags . invalid ) {
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
" Server has invalid flag set -- %s " , server_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_POLICY ;
}
if ( ! server - > flags . server ) {
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
" Principal may not act as server -- %s " , server_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_POLICY ;
}
if ( ! is_as_req & & server - > flags . initial ) {
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
" AS-REQ is required for server -- %s " , server_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_POLICY ;
}
if ( server - > valid_start & & * server - > valid_start > kdc_time ) {
2005-11-08 04:17:41 +03:00
char starttime_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * server - > valid_start ,
starttime_str , sizeof ( starttime_str ) , TRUE ) ;
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2005-12-01 08:20:39 +03:00
" Server not yet valid until %s -- %s " ,
starttime_str , server_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_SERVICE_NOTYET ;
}
if ( server - > valid_end & & * server - > valid_end < kdc_time ) {
2005-11-08 04:17:41 +03:00
char endtime_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * server - > valid_end ,
endtime_str , sizeof ( endtime_str ) , TRUE ) ;
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
2008-10-27 13:35:07 +03:00
" Server expired at %s -- %s " ,
2005-11-08 04:17:41 +03:00
endtime_str , server_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_SERVICE_EXP ;
}
if ( server - > pw_end & & * server - > pw_end < kdc_time ) {
2005-11-08 04:17:41 +03:00
char pwend_str [ 100 ] ;
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , * server - > pw_end ,
pwend_str , sizeof ( pwend_str ) , TRUE ) ;
2005-08-09 07:04:47 +04:00
kdc_log ( context , config , 0 ,
2008-10-27 13:35:07 +03:00
" Server's key has expired at -- %s " ,
2005-11-08 04:17:41 +03:00
pwend_str , server_name ) ;
2005-07-11 05:16:55 +04:00
return KRB5KDC_ERR_KEY_EXPIRED ;
}
}
return 0 ;
}
/*
* Return TRUE if ` from ' is part of ` addresses ' taking into consideration
* the configuration variables that tells us how strict we should be about
* these checks
*/
2006-11-07 09:59:56 +03:00
krb5_boolean
2008-10-27 13:35:07 +03:00
_kdc_check_addresses ( krb5_context context ,
2006-11-07 09:59:56 +03:00
krb5_kdc_configuration * config ,
HostAddresses * addresses , const struct sockaddr * from )
2005-07-11 05:16:55 +04:00
{
krb5_error_code ret ;
krb5_address addr ;
krb5_boolean result ;
2005-11-27 05:02:44 +03:00
krb5_boolean only_netbios = TRUE ;
int i ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
if ( config - > check_ticket_addresses = = 0 )
return TRUE ;
2006-04-24 13:36:24 +04:00
if ( addresses = = NULL )
2005-11-27 05:02:44 +03:00
return config - > allow_null_ticket_addresses ;
2008-10-27 13:35:07 +03:00
2005-11-27 05:02:44 +03:00
for ( i = 0 ; i < addresses - > len ; + + i ) {
2006-04-24 13:36:24 +04:00
if ( addresses - > val [ i ] . addr_type ! = KRB5_ADDRESS_NETBIOS ) {
only_netbios = FALSE ;
}
2005-11-27 05:02:44 +03:00
}
/* Windows sends it's netbios name, which I can only assume is
2006-04-24 13:36:24 +04:00
* used for the ' allowed workstations ' check . This is painful ,
* but we still want to check IP addresses if they happen to be
* present .
*/
2005-11-27 05:02:44 +03:00
if ( only_netbios )
2005-07-11 05:16:55 +04:00
return config - > allow_null_ticket_addresses ;
2006-04-24 13:36:24 +04:00
2005-07-11 05:16:55 +04:00
ret = krb5_sockaddr2address ( context , from , & addr ) ;
if ( ret )
return FALSE ;
result = krb5_address_search ( context , & addr , addresses ) ;
krb5_free_address ( context , & addr ) ;
return result ;
}
2007-01-10 04:57:32 +03:00
/*
*
*/
static krb5_boolean
send_pac_p ( krb5_context context , KDC_REQ * req )
{
krb5_error_code ret ;
PA_PAC_REQUEST pacreq ;
2007-06-13 09:44:24 +04:00
const PA_DATA * pa ;
2007-01-10 04:57:32 +03:00
int i = 0 ;
2008-10-27 13:35:07 +03:00
2007-01-10 04:57:32 +03:00
pa = _kdc_find_padata ( req , & i , KRB5_PADATA_PA_PAC_REQUEST ) ;
if ( pa = = NULL )
return TRUE ;
ret = decode_PA_PAC_REQUEST ( pa - > padata_value . data ,
pa - > padata_value . length ,
& pacreq ,
NULL ) ;
if ( ret )
return TRUE ;
i = pacreq . include_pac ;
free_PA_PAC_REQUEST ( & pacreq ) ;
if ( i = = 0 )
return FALSE ;
return TRUE ;
}
2009-06-08 13:06:16 +04:00
krb5_boolean
_kdc_is_anonymous ( krb5_context context , krb5_principal principal )
{
if ( principal - > name . name_type ! = KRB5_NT_WELLKNOWN | |
principal - > name . name_string . len ! = 2 | |
strcmp ( principal - > name . name_string . val [ 0 ] , KRB5_WELLKNOWN_NAME ) ! = 0 | |
strcmp ( principal - > name . name_string . val [ 1 ] , KRB5_ANON_NAME ) ! = 0 )
return 0 ;
return 1 ;
}
2007-01-10 04:57:32 +03:00
/*
*
*/
2005-07-11 05:16:55 +04:00
krb5_error_code
2008-10-27 13:35:07 +03:00
_kdc_as_rep ( krb5_context context ,
2005-07-11 05:16:55 +04:00
krb5_kdc_configuration * config ,
2008-10-27 13:35:07 +03:00
KDC_REQ * req ,
const krb5_data * req_buffer ,
2005-07-11 05:16:55 +04:00
krb5_data * reply ,
const char * from ,
2006-11-07 09:59:56 +03:00
struct sockaddr * from_addr ,
int datagram_reply )
2005-07-11 05:16:55 +04:00
{
KDC_REQ_BODY * b = & req - > req_body ;
AS_REP rep ;
KDCOptions f = b - > kdc_options ;
2006-03-11 07:03:12 +03:00
hdb_entry_ex * client = NULL , * server = NULL ;
2009-07-16 03:53:14 +04:00
HDB * clientdb ;
2006-11-07 09:59:56 +03:00
krb5_enctype cetype , setype , sessionetype ;
2007-06-13 09:44:24 +04:00
krb5_data e_data ;
2005-07-11 05:16:55 +04:00
EncTicketPart et ;
EncKDCRepPart ek ;
krb5_principal client_princ = NULL , server_princ = NULL ;
char * client_name = NULL , * server_name = NULL ;
krb5_error_code ret = 0 ;
const char * e_text = NULL ;
krb5_crypto crypto ;
Key * ckey , * skey ;
EncryptionKey * reply_key ;
2007-06-13 09:44:24 +04:00
int flags = 0 ;
2005-07-11 05:16:55 +04:00
# ifdef PKINIT
pk_client_params * pkp = NULL ;
# endif
memset ( & rep , 0 , sizeof ( rep ) ) ;
2007-06-13 09:44:24 +04:00
krb5_data_zero ( & e_data ) ;
if ( f . canonicalize )
flags | = HDB_F_CANON ;
2005-07-11 05:16:55 +04:00
if ( b - > sname = = NULL ) {
ret = KRB5KRB_ERR_GENERIC ;
e_text = " No server in request " ;
} else {
2007-06-13 09:44:24 +04:00
ret = _krb5_principalname2krb5_principal ( context ,
& server_princ ,
* ( b - > sname ) ,
b - > realm ) ;
if ( ret = = 0 )
ret = krb5_unparse_name ( context , server_princ , & server_name ) ;
2005-07-11 05:16:55 +04:00
}
if ( ret ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 ,
2006-11-07 09:59:56 +03:00
" AS-REQ malformed server name from %s " , from ) ;
2005-07-11 05:16:55 +04:00
goto out ;
}
if ( b - > cname = = NULL ) {
ret = KRB5KRB_ERR_GENERIC ;
e_text = " No client in request " ;
} else {
2009-06-30 06:11:14 +04:00
ret = _krb5_principalname2krb5_principal ( context ,
& client_princ ,
* ( b - > cname ) ,
b - > realm ) ;
if ( ret )
goto out ;
2009-06-08 13:06:16 +04:00
2005-07-11 05:16:55 +04:00
ret = krb5_unparse_name ( context , client_princ , & client_name ) ;
}
if ( ret ) {
2006-11-07 09:59:56 +03:00
kdc_log ( context , config , 0 ,
" AS-REQ malformed client name from %s " , from ) ;
2005-07-11 05:16:55 +04:00
goto out ;
}
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " AS-REQ %s from %s for %s " ,
2005-07-11 05:16:55 +04:00
client_name , from , server_name ) ;
2009-06-08 13:06:16 +04:00
/*
*
*/
if ( _kdc_is_anonymous ( context , client_princ ) ) {
if ( ! b - > kdc_options . request_anonymous ) {
kdc_log ( context , config , 0 , " Anonymous ticket w/o anonymous flag " ) ;
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;
goto out ;
}
} else if ( b - > kdc_options . request_anonymous ) {
kdc_log ( context , config , 0 ,
" Request for a anonymous ticket with non "
" anonymous client name: %s " , client_name ) ;
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;
goto out ;
}
/*
*
*/
2008-10-27 13:35:07 +03:00
ret = _kdc_db_fetch ( context , config , client_princ ,
2009-07-16 03:53:14 +04:00
HDB_F_GET_CLIENT | flags , & clientdb , & client ) ;
2005-07-11 05:16:55 +04:00
if ( ret ) {
kdc_log ( context , config , 0 , " UNKNOWN -- %s: %s " , client_name ,
krb5_get_err_text ( context , ret ) ) ;
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;
goto out ;
}
2006-05-07 08:51:30 +04:00
ret = _kdc_db_fetch ( context , config , server_princ ,
2006-11-07 09:59:56 +03:00
HDB_F_GET_SERVER | HDB_F_GET_KRBTGT ,
NULL , & server ) ;
2005-07-11 05:16:55 +04:00
if ( ret ) {
kdc_log ( context , config , 0 , " UNKNOWN -- %s: %s " , server_name ,
krb5_get_err_text ( context , ret ) ) ;
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ;
goto out ;
}
2009-06-08 13:06:16 +04:00
memset ( & et , 0 , sizeof ( et ) ) ;
memset ( & ek , 0 , sizeof ( ek ) ) ;
2007-01-10 04:57:32 +03:00
2009-06-08 13:06:16 +04:00
/*
* Find the client key for reply encryption and pa - type salt , Pick
* the client key upfront before the other keys because that is
* going to affect what enctypes we are going to use in
* ETYPE - INFO { , 2 } .
*/
ret = _kdc_find_etype ( context , client , b - > etype . val , b - > etype . len ,
& ckey , & cetype ) ;
if ( ret ) {
kdc_log ( context , config , 0 ,
" Client (%s) has no support for etypes " , client_name ) ;
2005-07-11 05:16:55 +04:00
goto out ;
2009-06-08 13:06:16 +04:00
}
2005-07-11 05:16:55 +04:00
2009-06-08 13:06:16 +04:00
/*
* Pre - auth processing
*/
2005-07-11 05:16:55 +04:00
if ( req - > padata ) {
2006-04-24 13:36:24 +04:00
int i ;
2007-06-13 09:44:24 +04:00
const PA_DATA * pa ;
2005-07-11 05:16:55 +04:00
int found_pa = 0 ;
2006-04-24 13:36:24 +04:00
log_patypes ( context , config , req - > padata ) ;
2005-07-11 05:16:55 +04:00
# ifdef PKINIT
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 5 ,
2005-07-11 05:16:55 +04:00
" Looking for PKINIT pa-data -- %s " , client_name ) ;
e_text = " No PKINIT PA found " ;
i = 0 ;
2009-06-08 13:06:16 +04:00
pa = _kdc_find_padata ( req , & i , KRB5_PADATA_PK_AS_REQ ) ;
2005-07-11 05:16:55 +04:00
if ( pa = = NULL ) {
i = 0 ;
2009-06-08 13:06:16 +04:00
pa = _kdc_find_padata ( req , & i , KRB5_PADATA_PK_AS_REQ_WIN ) ;
2005-07-11 05:16:55 +04:00
}
if ( pa ) {
char * client_cert = NULL ;
2009-06-08 13:06:16 +04:00
ret = _kdc_pk_rd_padata ( context , config , req , pa , client , & pkp ) ;
2005-07-11 05:16:55 +04:00
if ( ret ) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY ;
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 5 ,
" Failed to decode PKINIT PA-DATA -- %s " ,
2005-07-11 05:16:55 +04:00
client_name ) ;
goto ts_enc ;
}
if ( ret = = 0 & & pkp = = NULL )
goto ts_enc ;
ret = _kdc_pk_check_client ( context ,
config ,
2009-07-28 08:05:19 +04:00
clientdb ,
2005-12-15 23:38:24 +03:00
client ,
2005-07-11 05:16:55 +04:00
pkp ,
& client_cert ) ;
if ( ret ) {
e_text = " PKINIT certificate not allowed to "
" impersonate principal " ;
_kdc_pk_free_client_param ( context , pkp ) ;
2009-06-08 13:06:16 +04:00
2005-10-25 17:43:37 +04:00
kdc_log ( context , config , 0 , " %s " , e_text ) ;
2005-07-11 05:16:55 +04:00
pkp = NULL ;
2007-06-13 09:44:24 +04:00
goto out ;
2005-07-11 05:16:55 +04:00
}
2009-06-08 13:06:16 +04:00
2005-07-11 05:16:55 +04:00
found_pa = 1 ;
et . flags . pre_authent = 1 ;
2005-10-25 17:43:37 +04:00
kdc_log ( context , config , 0 ,
2008-10-27 13:35:07 +03:00
" PKINIT pre-authentication succeeded -- %s using %s " ,
2005-07-11 05:16:55 +04:00
client_name , client_cert ) ;
free ( client_cert ) ;
if ( pkp )
goto preauth_done ;
}
ts_enc :
# endif
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 5 , " Looking for ENC-TS pa-data -- %s " ,
2005-07-11 05:16:55 +04:00
client_name ) ;
i = 0 ;
e_text = " No ENC-TS found " ;
2006-11-07 09:59:56 +03:00
while ( ( pa = _kdc_find_padata ( req , & i , KRB5_PADATA_ENC_TIMESTAMP ) ) ) {
2005-07-11 05:16:55 +04:00
krb5_data ts_data ;
PA_ENC_TS_ENC p ;
size_t len ;
EncryptedData enc_data ;
Key * pa_key ;
2005-08-09 07:04:47 +04:00
char * str ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
found_pa = 1 ;
2008-10-27 13:35:07 +03:00
2009-06-08 13:06:16 +04:00
if ( b - > kdc_options . request_anonymous ) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY ;
kdc_log ( context , config , 0 , " ENC-TS doesn't support anon " ) ;
goto out ;
}
2005-07-11 05:16:55 +04:00
ret = decode_EncryptedData ( pa - > padata_value . data ,
pa - > padata_value . length ,
& enc_data ,
& len ) ;
if ( ret ) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY ;
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 5 , " Failed to decode PA-DATA -- %s " ,
2005-07-11 05:16:55 +04:00
client_name ) ;
goto out ;
}
2008-10-27 13:35:07 +03:00
ret = hdb_enctype2key ( context , & client - > entry ,
2005-12-15 23:38:24 +03:00
enc_data . etype , & pa_key ) ;
2005-07-11 05:16:55 +04:00
if ( ret ) {
char * estr ;
e_text = " No key matches pa-data " ;
2007-02-19 16:45:03 +03:00
ret = KRB5KDC_ERR_ETYPE_NOSUPP ;
2005-07-11 05:16:55 +04:00
if ( krb5_enctype_to_string ( context , enc_data . etype , & estr ) )
estr = NULL ;
if ( estr = = NULL )
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 5 ,
" No client key matching pa-data (%d) -- %s " ,
2005-07-11 05:16:55 +04:00
enc_data . etype , client_name ) ;
else
kdc_log ( context , config , 5 ,
2008-10-27 13:35:07 +03:00
" No client key matching pa-data (%s) -- %s " ,
2005-07-11 05:16:55 +04:00
estr , client_name ) ;
free ( estr ) ;
free_EncryptedData ( & enc_data ) ;
2009-07-16 03:53:14 +04:00
2005-07-11 05:16:55 +04:00
continue ;
}
try_next_key :
ret = krb5_crypto_init ( context , & pa_key - > key , 0 , & crypto ) ;
if ( ret ) {
kdc_log ( context , config , 0 , " krb5_crypto_init failed: %s " ,
krb5_get_err_text ( context , ret ) ) ;
free_EncryptedData ( & enc_data ) ;
continue ;
}
ret = krb5_decrypt_EncryptedData ( context ,
crypto ,
KRB5_KU_PA_ENC_TIMESTAMP ,
& enc_data ,
& ts_data ) ;
krb5_crypto_destroy ( context , crypto ) ;
2009-06-08 13:06:16 +04:00
/*
* Since the user might have several keys with the same
* enctype but with diffrent salting , we need to try all
* the keys with the same enctype .
*/
2005-07-11 05:16:55 +04:00
if ( ret ) {
2005-08-09 07:04:47 +04:00
krb5_error_code ret2 ;
2008-10-27 13:35:07 +03:00
ret2 = krb5_enctype_to_string ( context ,
2006-11-07 09:59:56 +03:00
pa_key - > key . keytype , & str ) ;
2005-08-09 07:04:47 +04:00
if ( ret2 )
str = NULL ;
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 5 ,
2005-08-09 07:04:47 +04:00
" Failed to decrypt PA-DATA -- %s "
" (enctype %s) error %s " ,
2005-08-20 10:00:50 +04:00
client_name ,
2008-10-27 13:35:07 +03:00
str ? str : " unknown enctype " ,
2005-08-09 07:04:47 +04:00
krb5_get_err_text ( context , ret ) ) ;
free ( str ) ;
2008-10-27 13:35:07 +03:00
if ( hdb_next_enctype2key ( context , & client - > entry ,
2005-07-11 05:16:55 +04:00
enc_data . etype , & pa_key ) = = 0 )
goto try_next_key ;
e_text = " Failed to decrypt PA-DATA " ;
2005-08-09 07:04:47 +04:00
free_EncryptedData ( & enc_data ) ;
2009-07-16 03:53:14 +04:00
if ( clientdb - > hdb_auth_status )
( clientdb - > hdb_auth_status ) ( context , clientdb , client , HDB_AUTH_WRONG_PASSWORD ) ;
2007-02-19 16:45:03 +03:00
ret = KRB5KDC_ERR_PREAUTH_FAILED ;
2005-07-11 05:16:55 +04:00
continue ;
}
free_EncryptedData ( & enc_data ) ;
ret = decode_PA_ENC_TS_ENC ( ts_data . data ,
ts_data . length ,
& p ,
& len ) ;
krb5_data_free ( & ts_data ) ;
if ( ret ) {
e_text = " Failed to decode PA-ENC-TS-ENC " ;
2007-02-19 16:45:03 +03:00
ret = KRB5KDC_ERR_PREAUTH_FAILED ;
2008-10-27 13:35:07 +03:00
kdc_log ( context , config ,
2005-07-11 05:16:55 +04:00
5 , " Failed to decode PA-ENC-TS_ENC -- %s " ,
client_name ) ;
continue ;
}
free_PA_ENC_TS_ENC ( & p ) ;
if ( abs ( kdc_time - p . patimestamp ) > context - > max_skew ) {
2006-11-07 09:59:56 +03:00
char client_time [ 100 ] ;
2006-11-08 04:48:35 +03:00
2008-10-27 13:35:07 +03:00
krb5_format_time ( context , p . patimestamp ,
client_time , sizeof ( client_time ) , TRUE ) ;
2006-11-07 09:59:56 +03:00
2006-11-08 04:48:35 +03:00
ret = KRB5KRB_AP_ERR_SKEW ;
kdc_log ( context , config , 0 ,
" Too large time skew, "
2008-10-27 13:35:07 +03:00
" client time %s is out by %u > %u seconds -- %s " ,
client_time ,
( unsigned ) abs ( kdc_time - p . patimestamp ) ,
2006-11-07 09:59:56 +03:00
context - > max_skew ,
client_name ) ;
2007-06-13 09:44:24 +04:00
# if 1
/* This code is from samba, needs testing */
2008-10-27 13:35:07 +03:00
/*
2006-03-25 13:34:51 +03:00
* the following is needed to make windows clients
* to retry using the timestamp in the error message
*
* this is maybe a bug in windows to not trying when e_text
* is present . . .
*/
e_text = NULL ;
2007-06-13 09:44:24 +04:00
# else
e_text = " Too large time skew " ;
# endif
2005-07-11 05:16:55 +04:00
goto out ;
}
et . flags . pre_authent = 1 ;
2005-08-09 07:04:47 +04:00
ret = krb5_enctype_to_string ( context , pa_key - > key . keytype , & str ) ;
if ( ret )
str = NULL ;
2005-07-11 05:16:55 +04:00
kdc_log ( context , config , 2 ,
2008-10-27 13:35:07 +03:00
" ENC-TS Pre-authentication succeeded -- %s using %s " ,
2005-08-09 07:04:47 +04:00
client_name , str ? str : " unknown enctype " ) ;
free ( str ) ;
2005-07-11 05:16:55 +04:00
break ;
}
# ifdef PKINIT
preauth_done :
# endif
if ( found_pa = = 0 & & config - > require_preauth )
goto use_pa ;
/* We come here if we found a pa-enc-timestamp, but if there
was some problem with it , other than too large skew */
if ( found_pa & & et . flags . pre_authent = = 0 ) {
kdc_log ( context , config , 0 , " %s -- %s " , e_text , client_name ) ;
e_text = NULL ;
goto out ;
}
} else if ( config - > require_preauth
2009-06-08 13:06:16 +04:00
| | b - > kdc_options . request_anonymous /* hack to force anon */
2005-11-06 17:15:34 +03:00
| | client - > entry . flags . require_preauth
2005-12-15 23:38:24 +03:00
| | server - > entry . flags . require_preauth ) {
2005-07-11 05:16:55 +04:00
METHOD_DATA method_data ;
PA_DATA * pa ;
unsigned char * buf ;
size_t len ;
2008-10-27 13:35:07 +03:00
use_pa :
2005-07-11 05:16:55 +04:00
method_data . len = 0 ;
method_data . val = NULL ;
ret = realloc_method_data ( & method_data ) ;
2009-06-08 13:06:16 +04:00
if ( ret ) {
free_METHOD_DATA ( & method_data ) ;
goto out ;
}
2005-07-11 05:16:55 +04:00
pa = & method_data . val [ method_data . len - 1 ] ;
pa - > padata_type = KRB5_PADATA_ENC_TIMESTAMP ;
pa - > padata_value . length = 0 ;
pa - > padata_value . data = NULL ;
# ifdef PKINIT
ret = realloc_method_data ( & method_data ) ;
2009-06-08 13:06:16 +04:00
if ( ret ) {
free_METHOD_DATA ( & method_data ) ;
goto out ;
}
2005-07-11 05:16:55 +04:00
pa = & method_data . val [ method_data . len - 1 ] ;
pa - > padata_type = KRB5_PADATA_PK_AS_REQ ;
pa - > padata_value . length = 0 ;
pa - > padata_value . data = NULL ;
2007-06-13 09:44:24 +04:00
ret = realloc_method_data ( & method_data ) ;
2009-06-08 13:06:16 +04:00
if ( ret ) {
free_METHOD_DATA ( & method_data ) ;
goto out ;
}
2007-06-13 09:44:24 +04:00
pa = & method_data . val [ method_data . len - 1 ] ;
pa - > padata_type = KRB5_PADATA_PK_AS_REQ_WIN ;
pa - > padata_value . length = 0 ;
pa - > padata_value . data = NULL ;
2005-07-11 05:16:55 +04:00
# endif
2008-10-27 13:35:07 +03:00
/*
2009-06-08 13:06:16 +04:00
* If there is a client key , send ETYPE_INFO { , 2 }
2006-11-07 09:59:56 +03:00
*/
2009-06-08 13:06:16 +04:00
if ( ckey ) {
/*
* RFC4120 requires :
* - If the client only knows about old enctypes , then send
* both info replies ( we send ' info ' first in the list ) .
* - If the client is ' modern ' , because it knows about ' new '
* enctype types , then only send the ' info2 ' reply .
*
* Before we send the full list of etype - info data , we pick
* the client key we would have used anyway below , just pick
* that instead .
*/
if ( older_enctype ( ckey - > key . keytype ) ) {
ret = get_pa_etype_info ( context , config ,
& method_data , ckey ) ;
if ( ret ) {
free_METHOD_DATA ( & method_data ) ;
goto out ;
}
}
ret = get_pa_etype_info2 ( context , config ,
& method_data , ckey ) ;
if ( ret ) {
free_METHOD_DATA ( & method_data ) ;
goto out ;
}
}
2005-07-11 05:16:55 +04:00
ASN1_MALLOC_ENCODE ( METHOD_DATA , buf , len , & method_data , & len , ret ) ;
free_METHOD_DATA ( & method_data ) ;
2007-02-19 16:38:11 +03:00
e_data . data = buf ;
e_data . length = len ;
e_text = " Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ " ,
2007-06-13 09:44:24 +04:00
2005-07-11 05:16:55 +04:00
ret = KRB5KDC_ERR_PREAUTH_REQUIRED ;
2007-02-19 16:38:11 +03:00
2005-07-11 05:16:55 +04:00
kdc_log ( context , config , 0 ,
" No preauth found, returning PREAUTH-REQUIRED -- %s " ,
client_name ) ;
2007-02-19 16:38:11 +03:00
goto out ;
2005-07-11 05:16:55 +04:00
}
2008-10-27 13:35:07 +03:00
2009-07-16 03:53:14 +04:00
if ( clientdb - > hdb_auth_status )
( clientdb - > hdb_auth_status ) ( context , clientdb , client ,
HDB_AUTH_SUCCESS ) ;
2006-11-07 09:59:56 +03:00
/*
2009-06-08 13:06:16 +04:00
* Verify flags after the user been required to prove its identity
* with in a preauth mech .
2006-11-07 09:59:56 +03:00
*/
2009-06-18 05:08:46 +04:00
ret = _kdc_check_access ( context , config , client , client_name ,
server , server_name ,
req , & e_data ) ;
2009-06-08 13:06:16 +04:00
if ( ret )
goto out ;
/*
* Selelct the best encryption type for the KDC with out regard to
* the client since the client never needs to read that data .
*/
2006-11-07 09:59:56 +03:00
ret = _kdc_get_preferred_key ( context , config ,
server , server_name ,
& setype , & skey ) ;
if ( ret )
goto out ;
2008-10-27 13:35:07 +03:00
/*
2007-06-13 09:44:24 +04:00
* Select a session enctype from the list of the crypto systems
* supported enctype , is supported by the client and is one of the
* enctype of the enctype of the krbtgt .
*
* The later is used as a hint what enctype all KDC are supporting
* to make sure a newer version of KDC wont generate a session
* enctype that and older version of a KDC in the same realm can ' t
* decrypt .
*
* But if the KDC admin is paranoid and doesn ' t want to have " no
* the best " enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs .
*/
2006-11-07 09:59:56 +03:00
{
const krb5_enctype * p ;
2007-06-13 09:44:24 +04:00
krb5_enctype clientbest = ETYPE_NULL ;
int i , j ;
2006-11-07 09:59:56 +03:00
p = krb5_kerberos_enctypes ( context ) ;
sessionetype = ETYPE_NULL ;
for ( i = 0 ; p [ i ] ! = ETYPE_NULL & & sessionetype = = ETYPE_NULL ; i + + ) {
if ( krb5_enctype_valid ( context , p [ i ] ) ! = 0 )
continue ;
2007-02-19 02:27:42 +03:00
for ( j = 0 ; j < b - > etype . len & & sessionetype = = ETYPE_NULL ; j + + ) {
2007-06-13 09:44:24 +04:00
Key * dummy ;
/* check with client */
if ( p [ i ] ! = b - > etype . val [ j ] )
2008-10-27 13:35:07 +03:00
continue ;
2007-06-13 09:44:24 +04:00
/* save best of union of { client, crypto system } */
if ( clientbest = = ETYPE_NULL )
clientbest = p [ i ] ;
/* check with krbtgt */
ret = hdb_enctype2key ( context , & server - > entry , p [ i ] , & dummy ) ;
2008-10-27 13:35:07 +03:00
if ( ret )
2007-06-13 09:44:24 +04:00
continue ;
sessionetype = p [ i ] ;
2006-11-07 09:59:56 +03:00
}
}
2007-06-13 09:44:24 +04:00
/* if krbtgt had no shared keys with client, pick clients best */
if ( clientbest ! = ETYPE_NULL & & sessionetype = = ETYPE_NULL ) {
sessionetype = clientbest ;
} else if ( sessionetype = = ETYPE_NULL ) {
kdc_log ( context , config , 0 ,
2006-11-07 09:59:56 +03:00
" Client (%s) from %s has no common enctypes with KDC "
2008-10-27 13:35:07 +03:00
" to use for the session key " ,
client_name , from ) ;
2006-11-07 09:59:56 +03:00
goto out ;
}
}
2007-01-10 04:57:32 +03:00
log_as_req ( context , config , cetype , setype , b ) ;
2005-07-11 05:16:55 +04:00
if ( f . renew | | f . validate | | f . proxy | | f . forwarded | | f . enc_tkt_in_skey
| | ( f . request_anonymous & & ! config - > allow_anonymous ) ) {
ret = KRB5KDC_ERR_BADOPTION ;
kdc_log ( context , config , 0 , " Bad KDC options -- %s " , client_name ) ;
goto out ;
}
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
rep . pvno = 5 ;
rep . msg_type = krb_as_rep ;
2009-06-08 13:06:16 +04:00
ret = copy_Realm ( & client - > entry . principal - > realm , & rep . crealm ) ;
if ( ret )
goto out ;
ret = _krb5_principal2principalname ( & rep . cname , client - > entry . principal ) ;
if ( ret )
goto out ;
2005-07-11 05:16:55 +04:00
rep . ticket . tkt_vno = 5 ;
2005-12-15 23:38:24 +03:00
copy_Realm ( & server - > entry . principal - > realm , & rep . ticket . realm ) ;
2008-10-27 13:35:07 +03:00
_krb5_principal2principalname ( & rep . ticket . sname ,
2005-12-15 23:38:24 +03:00
server - > entry . principal ) ;
2007-08-22 10:46:34 +04:00
/* java 1.6 expects the name to be the same type, lets allow that
* uncomplicated name - types . */
# define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
if ( CNT ( b , UNKNOWN ) | | CNT ( b , PRINCIPAL ) | | CNT ( b , SRV_INST ) | | CNT ( b , SRV_HST ) | | CNT ( b , SRV_XHST ) )
rep . ticket . sname . name_type = b - > sname - > name_type ;
# undef CNT
2005-07-11 05:16:55 +04:00
et . flags . initial = 1 ;
2005-12-15 23:38:24 +03:00
if ( client - > entry . flags . forwardable & & server - > entry . flags . forwardable )
2005-07-11 05:16:55 +04:00
et . flags . forwardable = f . forwardable ;
else if ( f . forwardable ) {
ret = KRB5KDC_ERR_POLICY ;
kdc_log ( context , config , 0 ,
" Ticket may not be forwardable -- %s " , client_name ) ;
goto out ;
}
2005-12-15 23:38:24 +03:00
if ( client - > entry . flags . proxiable & & server - > entry . flags . proxiable )
2005-07-11 05:16:55 +04:00
et . flags . proxiable = f . proxiable ;
else if ( f . proxiable ) {
ret = KRB5KDC_ERR_POLICY ;
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 ,
2005-07-11 05:16:55 +04:00
" Ticket may not be proxiable -- %s " , client_name ) ;
goto out ;
}
2005-12-15 23:38:24 +03:00
if ( client - > entry . flags . postdate & & server - > entry . flags . postdate )
2005-07-11 05:16:55 +04:00
et . flags . may_postdate = f . allow_postdate ;
else if ( f . allow_postdate ) {
ret = KRB5KDC_ERR_POLICY ;
kdc_log ( context , config , 0 ,
" Ticket may not be postdatable -- %s " , client_name ) ;
goto out ;
}
/* check for valid set of addresses */
2006-11-07 09:59:56 +03:00
if ( ! _kdc_check_addresses ( context , config , b - > addresses , from_addr ) ) {
2005-07-11 05:16:55 +04:00
ret = KRB5KRB_AP_ERR_BADADDR ;
kdc_log ( context , config , 0 ,
" Bad address list requested -- %s " , client_name ) ;
goto out ;
}
2009-06-08 13:06:16 +04:00
ret = copy_PrincipalName ( & rep . cname , & et . cname ) ;
if ( ret )
goto out ;
ret = copy_Realm ( & rep . crealm , & et . crealm ) ;
2007-01-10 04:57:32 +03:00
if ( ret )
goto out ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
{
time_t start ;
time_t t ;
start = et . authtime = kdc_time ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
if ( f . postdated & & req - > req_body . from ) {
ALLOC ( et . starttime ) ;
start = * et . starttime = * req - > req_body . from ;
et . flags . invalid = 1 ;
et . flags . postdated = 1 ; /* XXX ??? */
}
2006-11-07 09:59:56 +03:00
_kdc_fix_time ( & b - > till ) ;
2005-07-11 05:16:55 +04:00
t = * b - > till ;
/* be careful not overflowing */
2005-11-06 17:15:34 +03:00
if ( client - > entry . max_life )
t = start + min ( t - start , * client - > entry . max_life ) ;
2005-12-15 23:38:24 +03:00
if ( server - > entry . max_life )
t = start + min ( t - start , * server - > entry . max_life ) ;
2005-07-11 05:16:55 +04:00
#if 0
t = min ( t , start + realm - > max_life ) ;
# endif
et . endtime = t ;
if ( f . renewable_ok & & et . endtime < * b - > till ) {
f . renewable = 1 ;
if ( b - > rtime = = NULL ) {
ALLOC ( b - > rtime ) ;
* b - > rtime = 0 ;
}
if ( * b - > rtime < * b - > till )
* b - > rtime = * b - > till ;
}
if ( f . renewable & & b - > rtime ) {
t = * b - > rtime ;
if ( t = = 0 )
t = MAX_TIME ;
2005-11-06 17:15:34 +03:00
if ( client - > entry . max_renew )
t = start + min ( t - start , * client - > entry . max_renew ) ;
2005-12-15 23:38:24 +03:00
if ( server - > entry . max_renew )
t = start + min ( t - start , * server - > entry . max_renew ) ;
2005-07-11 05:16:55 +04:00
#if 0
t = min ( t , start + realm - > max_renew ) ;
# endif
ALLOC ( et . renew_till ) ;
* et . renew_till = t ;
et . flags . renewable = 1 ;
}
}
if ( f . request_anonymous )
et . flags . anonymous = 1 ;
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
if ( b - > addresses ) {
ALLOC ( et . caddr ) ;
copy_HostAddresses ( b - > addresses , et . caddr ) ;
}
2008-10-27 13:35:07 +03:00
2005-07-11 05:16:55 +04:00
et . transited . tr_type = DOMAIN_X500_COMPRESS ;
2008-10-27 13:35:07 +03:00
krb5_data_zero ( & et . transited . contents ) ;
2005-07-11 05:16:55 +04:00
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
* as 0 and as 0x80 ( meaning indefinite length ) apart , and is thus
* incapable of correctly decoding SEQUENCE OF ' s of zero length .
*
* To fix this , always send at least one no - op last_req
*
* If there ' s a pw_end or valid_end we will use that ,
* otherwise just a dummy lr .
*/
ek . last_req . val = malloc ( 2 * sizeof ( * ek . last_req . val ) ) ;
2008-03-19 02:17:42 +03:00
if ( ek . last_req . val = = NULL ) {
ret = ENOMEM ;
goto out ;
}
2005-07-11 05:16:55 +04:00
ek . last_req . len = 0 ;
2005-11-06 17:15:34 +03:00
if ( client - > entry . pw_end
2005-07-11 05:16:55 +04:00
& & ( config - > kdc_warn_pwexpire = = 0
2006-11-07 09:59:56 +03:00
| | kdc_time + config - > kdc_warn_pwexpire > = * client - > entry . pw_end ) ) {
2005-07-11 05:16:55 +04:00
ek . last_req . val [ ek . last_req . len ] . lr_type = LR_PW_EXPTIME ;
2005-11-06 17:15:34 +03:00
ek . last_req . val [ ek . last_req . len ] . lr_value = * client - > entry . pw_end ;
2005-07-11 05:16:55 +04:00
+ + ek . last_req . len ;
}
2005-11-06 17:15:34 +03:00
if ( client - > entry . valid_end ) {
2005-07-11 05:16:55 +04:00
ek . last_req . val [ ek . last_req . len ] . lr_type = LR_ACCT_EXPTIME ;
2005-11-06 17:15:34 +03:00
ek . last_req . val [ ek . last_req . len ] . lr_value = * client - > entry . valid_end ;
2005-07-11 05:16:55 +04:00
+ + ek . last_req . len ;
}
if ( ek . last_req . len = = 0 ) {
ek . last_req . val [ ek . last_req . len ] . lr_type = LR_NONE ;
ek . last_req . val [ ek . last_req . len ] . lr_value = 0 ;
+ + ek . last_req . len ;
}
ek . nonce = b - > nonce ;
2005-11-06 17:15:34 +03:00
if ( client - > entry . valid_end | | client - > entry . pw_end ) {
2005-07-11 05:16:55 +04:00
ALLOC ( ek . key_expiration ) ;
2005-11-06 17:15:34 +03:00
if ( client - > entry . valid_end ) {
if ( client - > entry . pw_end )
2008-10-27 13:35:07 +03:00
* ek . key_expiration = min ( * client - > entry . valid_end ,
2005-12-15 23:38:24 +03:00
* client - > entry . pw_end ) ;
2005-07-11 05:16:55 +04:00
else
2005-11-06 17:15:34 +03:00
* ek . key_expiration = * client - > entry . valid_end ;
2005-07-11 05:16:55 +04:00
} else
2005-11-06 17:15:34 +03:00
* ek . key_expiration = * client - > entry . pw_end ;
2005-07-11 05:16:55 +04:00
} else
ek . key_expiration = NULL ;
ek . flags = et . flags ;
ek . authtime = et . authtime ;
if ( et . starttime ) {
ALLOC ( ek . starttime ) ;
* ek . starttime = * et . starttime ;
}
ek . endtime = et . endtime ;
if ( et . renew_till ) {
ALLOC ( ek . renew_till ) ;
* ek . renew_till = * et . renew_till ;
}
copy_Realm ( & rep . ticket . realm , & ek . srealm ) ;
copy_PrincipalName ( & rep . ticket . sname , & ek . sname ) ;
if ( et . caddr ) {
ALLOC ( ek . caddr ) ;
copy_HostAddresses ( et . caddr , ek . caddr ) ;
}
ALLOC ( rep . padata ) ;
rep . padata - > len = 0 ;
rep . padata - > val = NULL ;
# if PKINIT
if ( pkp ) {
2009-06-08 13:06:16 +04:00
e_text = " Failed to build PK-INIT reply " ;
2008-10-27 13:35:07 +03:00
ret = _kdc_pk_mk_pa_reply ( context , config , pkp , client ,
2009-06-08 13:06:16 +04:00
sessionetype , req , req_buffer ,
& reply_key , & et . key , rep . padata ) ;
2005-07-11 05:16:55 +04:00
if ( ret )
goto out ;
2007-01-10 04:57:32 +03:00
ret = _kdc_add_inital_verified_cas ( context ,
config ,
pkp ,
& et ) ;
if ( ret )
goto out ;
2009-06-08 13:06:16 +04:00
} else
2005-07-11 05:16:55 +04:00
# endif
2009-06-08 13:06:16 +04:00
if ( ckey ) {
reply_key = & ckey - > key ;
ret = krb5_generate_random_keyblock ( context , sessionetype , & et . key ) ;
if ( ret )
goto out ;
} else {
e_text = " Client have no reply key " ;
ret = KRB5KDC_ERR_CLIENT_NOTYET ;
goto out ;
}
ret = copy_EncryptionKey ( & et . key , & ek . key ) ;
if ( ret )
goto out ;
2005-07-11 05:16:55 +04:00
2009-06-08 13:06:16 +04:00
if ( ckey )
set_salt_padata ( rep . padata , ckey - > salt ) ;
2005-07-11 05:16:55 +04:00
2007-06-13 09:44:24 +04:00
/* Add signing of alias referral */
if ( f . canonicalize ) {
PA_ClientCanonicalized canon ;
krb5_data data ;
PA_DATA pa ;
krb5_crypto crypto ;
size_t len ;
memset ( & canon , 0 , sizeof ( canon ) ) ;
canon . names . requested_name = * b - > cname ;
2008-08-01 09:08:51 +04:00
canon . names . mapped_name = client - > entry . principal - > name ;
2007-06-13 09:44:24 +04:00
ASN1_MALLOC_ENCODE ( PA_ClientCanonicalizedNames , data . data , data . length ,
& canon . names , & len , ret ) ;
2008-10-27 13:35:07 +03:00
if ( ret )
2007-06-13 09:44:24 +04:00
goto out ;
if ( data . length ! = len )
krb5_abortx ( context , " internal asn.1 error " ) ;
/* sign using "returned session key" */
ret = krb5_crypto_init ( context , & et . key , 0 , & crypto ) ;
if ( ret ) {
free ( data . data ) ;
goto out ;
}
2008-10-27 13:35:07 +03:00
ret = krb5_create_checksum ( context , crypto ,
2007-06-13 09:44:24 +04:00
KRB5_KU_CANONICALIZED_NAMES , 0 ,
data . data , data . length ,
& canon . canon_checksum ) ;
free ( data . data ) ;
krb5_crypto_destroy ( context , crypto ) ;
if ( ret )
goto out ;
2008-10-27 13:35:07 +03:00
2007-06-13 09:44:24 +04:00
ASN1_MALLOC_ENCODE ( PA_ClientCanonicalized , data . data , data . length ,
& canon , & len , ret ) ;
free_Checksum ( & canon . canon_checksum ) ;
2008-10-27 13:35:07 +03:00
if ( ret )
2007-06-13 09:44:24 +04:00
goto out ;
if ( data . length ! = len )
krb5_abortx ( context , " internal asn.1 error " ) ;
pa . padata_type = KRB5_PADATA_CLIENT_CANONICALIZED ;
pa . padata_value = data ;
ret = add_METHOD_DATA ( rep . padata , & pa ) ;
free ( data . data ) ;
if ( ret )
goto out ;
}
2005-07-11 05:16:55 +04:00
if ( rep . padata - > len = = 0 ) {
free ( rep . padata ) ;
rep . padata = NULL ;
}
2007-01-10 04:57:32 +03:00
/* Add the PAC */
if ( send_pac_p ( context , req ) ) {
krb5_pac p = NULL ;
krb5_data data ;
ret = _kdc_pac_generate ( context , client , & p ) ;
if ( ret ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " PAC generation failed for -- %s " ,
2007-01-10 04:57:32 +03:00
client_name ) ;
goto out ;
}
if ( p ! = NULL ) {
ret = _krb5_pac_sign ( context , p , et . authtime ,
client - > entry . principal ,
2008-10-27 13:35:07 +03:00
& skey - > key , /* Server key */
2007-01-10 04:57:32 +03:00
& skey - > key , /* FIXME: should be krbtgt key */
& data ) ;
krb5_pac_free ( context , p ) ;
if ( ret ) {
2008-10-27 13:35:07 +03:00
kdc_log ( context , config , 0 , " PAC signing failed for -- %s " ,
2007-01-10 04:57:32 +03:00
client_name ) ;
goto out ;
}
ret = _kdc_tkt_add_if_relevant_ad ( context , & et ,
KRB5_AUTHDATA_WIN2K_PAC ,
& data ) ;
krb5_data_free ( & data ) ;
if ( ret )
goto out ;
}
2005-11-07 05:29:37 +03:00
}
2008-10-27 13:35:07 +03:00
_kdc_log_timestamp ( context , config , " AS-REQ " , et . authtime , et . starttime ,
2006-11-07 09:59:56 +03:00
et . endtime , et . renew_till ) ;
/* do this as the last thing since this signs the EncTicketPart */
ret = _kdc_add_KRB5SignedPath ( context ,
config ,
server ,
setype ,
NULL ,
NULL ,
& et ) ;
if ( ret )
goto out ;
2005-07-11 05:16:55 +04:00
2008-10-27 13:35:07 +03:00
ret = _kdc_encode_reply ( context , config ,
& rep , & et , & ek , setype , server - > entry . kvno ,
& skey - > key , client - > entry . kvno ,
2006-11-07 09:59:56 +03:00
reply_key , & e_text , reply ) ;
2005-07-11 05:16:55 +04:00
free_EncTicketPart ( & et ) ;
free_EncKDCRepPart ( & ek ) ;
2006-11-07 09:59:56 +03:00
if ( ret )
goto out ;
/* */
if ( datagram_reply & & reply - > length > config - > max_datagram_reply_length ) {
krb5_data_free ( reply ) ;
ret = KRB5KRB_ERR_RESPONSE_TOO_BIG ;
e_text = " Reply packet too large " ;
}
out :
2005-07-11 05:16:55 +04:00
free_AS_REP ( & rep ) ;
if ( ret ) {
krb5_mk_error ( context ,
ret ,
e_text ,
2007-02-19 16:38:11 +03:00
( e_data . data ? & e_data : NULL ) ,
2005-07-11 05:16:55 +04:00
client_princ ,
server_princ ,
NULL ,
NULL ,
reply ) ;
ret = 0 ;
}
# ifdef PKINIT
if ( pkp )
_kdc_pk_free_client_param ( context , pkp ) ;
# endif
2007-02-19 16:38:11 +03:00
if ( e_data . data )
free ( e_data . data ) ;
2005-07-11 05:16:55 +04:00
if ( client_princ )
krb5_free_principal ( context , client_princ ) ;
free ( client_name ) ;
if ( server_princ )
krb5_free_principal ( context , server_princ ) ;
free ( server_name ) ;
if ( client )
2005-12-15 23:38:24 +03:00
_kdc_free_ent ( context , client ) ;
2005-07-11 05:16:55 +04:00
if ( server )
_kdc_free_ent ( context , server ) ;
return ret ;
}
2007-01-10 04:57:32 +03:00
/*
2008-10-27 13:35:07 +03:00
* Add the AuthorizationData ` data ´ of ` type ´ to the last element in
* the sequence of authorization_data in ` tkt ´ wrapped in an IF_RELEVANT
2007-01-10 04:57:32 +03:00
*/
krb5_error_code
_kdc_tkt_add_if_relevant_ad ( krb5_context context ,
EncTicketPart * tkt ,
int type ,
const krb5_data * data )
{
krb5_error_code ret ;
size_t size ;
if ( tkt - > authorization_data = = NULL ) {
tkt - > authorization_data = calloc ( 1 , sizeof ( * tkt - > authorization_data ) ) ;
if ( tkt - > authorization_data = = NULL ) {
2008-08-01 09:08:51 +04:00
krb5_set_error_message ( context , ENOMEM , " out of memory " ) ;
2007-01-10 04:57:32 +03:00
return ENOMEM ;
}
}
/* add the entry to the last element */
{
AuthorizationData ad = { 0 , NULL } ;
AuthorizationDataElement ade ;
ade . ad_type = type ;
ade . ad_data = * data ;
ret = add_AuthorizationData ( & ad , & ade ) ;
if ( ret ) {
2008-08-01 09:08:51 +04:00
krb5_set_error_message ( context , ret , " add AuthorizationData failed " ) ;
2007-01-10 04:57:32 +03:00
return ret ;
}
ade . ad_type = KRB5_AUTHDATA_IF_RELEVANT ;
2008-10-27 13:35:07 +03:00
ASN1_MALLOC_ENCODE ( AuthorizationData ,
ade . ad_data . data , ade . ad_data . length ,
2007-01-10 04:57:32 +03:00
& ad , & size , ret ) ;
free_AuthorizationData ( & ad ) ;
if ( ret ) {
2008-08-01 09:08:51 +04:00
krb5_set_error_message ( context , ret , " ASN.1 encode of "
" AuthorizationData failed " ) ;
2007-01-10 04:57:32 +03:00
return ret ;
}
if ( ade . ad_data . length ! = size )
krb5_abortx ( context , " internal asn.1 encoder error " ) ;
ret = add_AuthorizationData ( tkt - > authorization_data , & ade ) ;
der_free_octet_string ( & ade . ad_data ) ;
if ( ret ) {
2008-08-01 09:08:51 +04:00
krb5_set_error_message ( context , ret , " add AuthorizationData failed " ) ;
2007-01-10 04:57:32 +03:00
return ret ;
}
}
return 0 ;
}
