search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libtommath: Fix possible integer overflow CVE-2023-36328
[heimdal.git] / kdc / kerberos5.c
blob45a72da0967a0f7be51a7365486f93b2eb12dd7c
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 #ifdef TIME_T_SIGNED
37 #if SIZEOF_TIME_T == 4
38 #define MAX_TIME ((time_t)INT32_MAX)
39 #elif SIZEOF_TIME_T == 8
40 #define MAX_TIME ((time_t)INT64_MAX)
41 #else
42 #error "Unexpected sizeof(time_t)"
43 #endif
44 #else
45
46 #if SIZEOF_TIME_T == 4
47 #define MAX_TIME ((time_t)UINT32_MAX)
48 #else
49 #define MAX_TIME ((time_t)UINT64_MAX)
50 #endif
51 #endif
52
53 #undef __attribute__
54 #define __attribute__(X)
55
56 void
57 _kdc_fix_time(time_t **t)
58 {
59 if(*t == NULL){
60 ALLOC(*t);
61 **t = MAX_TIME;
62 }
63 if(**t == 0) **t = MAX_TIME; /* fix for old clients */
64 }
65
66 static int
67 realloc_method_data(METHOD_DATA *md)
68 {
69 PA_DATA *pa;
70 pa = realloc(md->val, (md->len + 1) * sizeof(*md->val));
71 if(pa == NULL)
72 return ENOMEM;
73 md->val = pa;
74 md->len++;
75 return 0;
76 }
77
78 static krb5_error_code
79 set_salt_padata(METHOD_DATA *md, Salt *salt)
80 {
81 PA_DATA pa; /* do not free */
82
83 if (!salt)
84 return 0;
85 pa.padata_type = salt->type;
86 pa.padata_value = salt->salt;
87 return add_METHOD_DATA(md, &pa);
88 }
89
90 const PA_DATA*
91 _kdc_find_padata(const KDC_REQ *req, int *start, int type)
92 {
93 if (req->padata == NULL)
94 return NULL;
95
96 while((size_t)*start < req->padata->len){
97 (*start)++;
98 if(req->padata->val[*start - 1].padata_type == (unsigned)type)
99 return &req->padata->val[*start - 1];
100 }
101 return NULL;
102 }
103
104 /*
105 * This is a hack to allow predefined weak services, like afs to
106 * still use weak types
107 */
108
109 krb5_boolean
110 _kdc_is_weak_exception(krb5_principal principal, krb5_enctype etype)
111 {
112 if (principal->name.name_string.len > 0 &&
113 strcmp(principal->name.name_string.val[0], "afs") == 0 &&
114 (etype == ETYPE_DES_CBC_CRC
115 || etype == ETYPE_DES_CBC_MD4
116 || etype == ETYPE_DES_CBC_MD5))
117 return TRUE;
118 return FALSE;
119 }
120
121
122 /*
123 * Detect if `key' is the using the the precomputed `default_salt'.
124 */
125
126 static krb5_boolean
127 is_default_salt_p(const krb5_salt *default_salt, const Key *key)
128 {
129 if (key->salt == NULL)
130 return TRUE;
131 if (default_salt->salttype != key->salt->type)
132 return FALSE;
133 if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt) != 0)
134 return FALSE;
135 return TRUE;
136 }
137
138 /*
139 * Detect if `key' is the using the the precomputed `default_salt'
140 * (for des-cbc-crc) or any salt otherwise.
141 *
142 * This is for avoiding Kerberos v4 (yes really) keys in AS-REQ as
143 * that salt is strange, and a buggy client will try to use the
144 * principal as the salt and not the returned value.
145 */
146
147 static krb5_boolean
148 is_good_salt_p(const krb5_salt *default_salt, const Key *key)
149 {
150 if (key->key.keytype == KRB5_ENCTYPE_DES_CBC_CRC)
151 return is_default_salt_p(default_salt, key);
152
153 return TRUE;
154 }
155
156 krb5_boolean
157 _kdc_is_anon_request(const KDC_REQ *req)
158 {
159 const KDC_REQ_BODY *b = &req->req_body;
160
161 /*
162 * Versions of Heimdal from 0.9rc1 through 1.50 use bit 14 instead
163 * of 16 for request_anonymous, as indicated in the anonymous draft
164 * prior to version 11. Bit 14 is assigned to S4U2Proxy, but S4U2Proxy
165 * requests are only sent to the TGS and, in any case, would have an
166 * additional ticket present.
167 */
168 return b->kdc_options.request_anonymous ||
169 (b->kdc_options.cname_in_addl_tkt && !b->additional_tickets);
170 }
171
172 /*
173 * return the first appropriate key of `princ' in `ret_key'. Look for
174 * all the etypes in (`etypes', `len'), stopping as soon as we find
175 * one, but preferring one that has default salt.
176 *
177 * XXX This function does way way too much. Split it up!
178 *
179 * XXX `etypes' and `len' are always `b->etype.val' and `b->etype.len' -- the
180 * etype list from the KDC-REQ-BODY, which is available here as
181 * `r->req->req_body', so we could just stop having it passed in.
182 *
183 * XXX Picking an enctype(s) for PA-ETYPE-INFO* is rather different than
184 * picking an enctype for a ticket's session key. The former is what we do
185 * here when `(flags & KFE_IS_PREAUTH)', the latter otherwise.
186 */
187
188 krb5_error_code
189 _kdc_find_etype(astgs_request_t r, uint32_t flags,
190 krb5_enctype *etypes, unsigned len,
191 krb5_enctype *ret_enctype, Key **ret_key,
192 krb5_boolean *ret_default_salt)
193 {
194 krb5_boolean use_strongest_session_key;
195 krb5_boolean is_preauth = flags & KFE_IS_PREAUTH;
196 krb5_boolean is_tgs = flags & KFE_IS_TGS;
197 hdb_entry *princ;
198 krb5_principal request_princ;
199 krb5_error_code ret;
200 krb5_salt def_salt;
201 krb5_enctype enctype = ETYPE_NULL;
202 const krb5_enctype *p;
203 Key *key = NULL;
204 size_t i, k, m;
205
206 if (is_preauth && (flags & KFE_USE_CLIENT) &&
207 r->client->flags.synthetic)
208 return KRB5KDC_ERR_ETYPE_NOSUPP;
209
210 if ((flags & KFE_USE_CLIENT) && !r->client->flags.synthetic) {
211 princ = r->client;
212 request_princ = r->client_princ;
213 } else {
214 princ = r->server;
215 request_princ = r->server->principal;
216 }
217
218 use_strongest_session_key =
219 is_preauth ? r->config->preauth_use_strongest_session_key
220 : (is_tgs ? r->config->tgt_use_strongest_session_key :
221 r->config->svc_use_strongest_session_key);
222
223 /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
224 ret = krb5_get_pw_salt(r->context, request_princ, &def_salt);
225 if (ret)
226 return ret;
227
228 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
229
230 /*
231 * Pick an enctype that is in the intersection of:
232 *
233 * - permitted_enctypes (local policy)
234 * - requested enctypes (KDC-REQ-BODY's etype list)
235 * - the client's long-term keys' enctypes
236 * OR
237 * the server's configured etype list
238 *
239 * There are two sub-cases:
240 *
241 * - use local enctype preference (local policy)
242 * - use the client's preference list
243 */
244
245 if (use_strongest_session_key) {
246 /*
247 * Pick the strongest key that the KDC, target service, and
248 * client all support, using the local cryptosystem enctype
249 * list in strongest-to-weakest order to drive the search.
250 *
251 * This is not what RFC4120 says to do, but it encourages
252 * adoption of stronger enctypes. This doesn't play well with
253 * clients that have multiple Kerberos client implementations
254 * with different supported enctype lists sharing the same ccache.
255 */
256
257 /* drive the search with local supported enctypes list */
258 p = krb5_kerberos_enctypes(r->context);
259 for (i = 0;
260 p[i] != ETYPE_NULL && enctype == ETYPE_NULL;
261 i++) {
262 if (krb5_enctype_valid(r->context, p[i]) != 0 &&
263 !_kdc_is_weak_exception(princ->principal, p[i]))
264 continue;
265
266 /* check that the client supports it too */
267 for (k = 0; k < len && enctype == ETYPE_NULL; k++) {
268
269 if (p[i] != etypes[k])
270 continue;
271
272 if (!is_preauth && (flags & KFE_USE_CLIENT)) {
273 /*
274 * It suffices that the client says it supports this
275 * enctype in its KDC-REQ-BODY's etype list, which is what
276 * `etypes' is here.
277 */
278 enctype = p[i];
279 ret = 0;
280 break;
281 }
282
283 /* check target princ support */
284 key = NULL;
285 if (!is_preauth && !(flags & KFE_USE_CLIENT) && princ->etypes) {
286 /*
287 * Use the etypes list from the server's HDB entry instead
288 * of deriving it from its long-term keys. This allows an
289 * entry to have just one long-term key but record support
290 * for multiple enctypes.
291 */
292 for (m = 0; m < princ->etypes->len; m++) {
293 if (p[i] == princ->etypes->val[m]) {
294 enctype = p[i];
295 ret = 0;
296 break;
297 }
298 }
299 } else {
300 /*
301 * Use the entry's long-term keys as the source of its
302 * supported enctypes, either because we're making
303 * PA-ETYPE-INFO* or because we're selecting a session key
304 * enctype.
305 */
306 while (hdb_next_enctype2key(r->context, princ, NULL,
307 p[i], &key) == 0) {
308 if (key->key.keyvalue.length == 0) {
309 ret = KRB5KDC_ERR_NULL_KEY;
310 continue;
311 }
312 enctype = p[i];
313 ret = 0;
314 if (is_preauth && ret_key != NULL &&
315 !is_good_salt_p(&def_salt, key))
316 continue;
317 }
318 }
319 }
320 }
321 } else {
322 /*
323 * Pick the first key from the client's enctype list that is
324 * supported by the cryptosystem and by the given principal.
325 *
326 * RFC4120 says we SHOULD pick the first _strong_ key from the
327 * client's list... not the first key... If the admin disallows
328 * weak enctypes in krb5.conf and selects this key selection
329 * algorithm, then we get exactly what RFC4120 says.
330 */
331 for(i = 0; ret != 0 && i < len; i++) {
332
333 if (krb5_enctype_valid(r->context, etypes[i]) != 0 &&
334 !_kdc_is_weak_exception(princ->principal, etypes[i]))
335 continue;
336
337 key = NULL;
338 while (ret != 0 &&
339 hdb_next_enctype2key(r->context, princ, NULL,
340 etypes[i], &key) == 0) {
341 if (key->key.keyvalue.length == 0) {
342 ret = KRB5KDC_ERR_NULL_KEY;
343 continue;
344 }
345 enctype = etypes[i];
346 ret = 0;
347 if (is_preauth && ret_key != NULL &&
348 !is_good_salt_p(&def_salt, key))
349 continue;
350 }
351 }
352 }
353
354 if (ret == 0 && enctype == ETYPE_NULL) {
355 /*
356 * if the service principal is one for which there is a known 1DES
357 * exception and no other enctype matches both the client request and
358 * the service key list, provide a DES-CBC-CRC key.
359 */
360 if (ret_key == NULL &&
361 _kdc_is_weak_exception(princ->principal, ETYPE_DES_CBC_CRC)) {
362 ret = 0;
363 enctype = ETYPE_DES_CBC_CRC;
364 } else {
365 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
366 }
367 }
368
369 if (ret == 0) {
370 if (ret_enctype != NULL)
371 *ret_enctype = enctype;
372 if (ret_key != NULL)
373 *ret_key = key;
374 if (ret_default_salt != NULL)
375 *ret_default_salt = is_default_salt_p(&def_salt, key);
376 }
377
378 krb5_free_salt (r->context, def_salt);
379 return ret;
380 }
381
382 krb5_error_code
383 _kdc_make_anonymous_principalname (PrincipalName *pn)
384 {
385 pn->name_type = KRB5_NT_WELLKNOWN;
386 pn->name_string.len = 2;
387 pn->name_string.val = calloc(2, sizeof(*pn->name_string.val));
388 if (pn->name_string.val == NULL)
389 goto failed;
390
391 pn->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME);
392 if (pn->name_string.val[0] == NULL)
393 goto failed;
394
395 pn->name_string.val[1] = strdup(KRB5_ANON_NAME);
396 if (pn->name_string.val[1] == NULL)
397 goto failed;
398
399 return 0;
400
401 failed:
402 free_PrincipalName(pn);
403
404 pn->name_type = KRB5_NT_UNKNOWN;
405 pn->name_string.len = 0;
406 pn->name_string.val = NULL;
407
408 return ENOMEM;
409 }
410
411 static void
412 _kdc_r_log(astgs_request_t r, int level, const char *fmt, ...)
413 __attribute__ ((__format__ (__printf__, 3, 4)))
414 {
415 va_list ap;
416 char *s;
417 va_start(ap, fmt);
418 s = kdc_log_msg_va(r->context, r->config, level, fmt, ap);
419 if(s) free(s);
420 va_end(ap);
421 }
422
423 void
424 _kdc_set_const_e_text(astgs_request_t r, const char *e_text)
425 {
426 /* We should never see this */
427 if (r->e_text) {
428 kdc_log(r->context, r->config, 1,
429 "trying to replace e-text \"%s\" with \"%s\"\n",
430 r->e_text, e_text);
431 return;
432 }
433
434 r->e_text = e_text;
435 kdc_log(r->context, r->config, 4, "%s", e_text);
436 }
437
438 void
439 _kdc_set_e_text(astgs_request_t r, const char *fmt, ...)
440 __attribute__ ((__format__ (__printf__, 2, 3)))
441 {
442 va_list ap;
443 char *e_text = NULL;
444 int vasprintf_ret;
445
446 va_start(ap, fmt);
447 vasprintf_ret = vasprintf(&e_text, fmt, ap);
448 va_end(ap);
449
450 if (vasprintf_ret < 0 || !e_text) {
451 /* not much else to do... */
452 kdc_log(r->context, r->config, 1,
453 "Could not set e_text: %s (out of memory)", fmt);
454 return;
455 }
456
457 /* We should never see this */
458 if (r->e_text) {
459 kdc_log(r->context, r->config, 1, "trying to replace e-text: %s\n",
460 e_text);
461 free(e_text);
462 return;
463 }
464
465 r->e_text = e_text;
466 r->e_text_buf = e_text;
467 kdc_log(r->context, r->config, 4, "%s", e_text);
468 }
469
470 void
471 _kdc_log_timestamp(astgs_request_t r, const char *type,
472 KerberosTime authtime, KerberosTime *starttime,
473 KerberosTime endtime, KerberosTime *renew_till)
474 {
475 krb5_kdc_configuration *config = r->config;
476 char authtime_str[100], starttime_str[100],
477 endtime_str[100], renewtime_str[100];
478
479 if (authtime)
480 kdc_audit_setkv_number((kdc_request_t)r, "auth", authtime);
481 if (starttime && *starttime)
482 kdc_audit_setkv_number((kdc_request_t)r, "start", *starttime);
483 if (endtime)
484 kdc_audit_setkv_number((kdc_request_t)r, "end", endtime);
485 if (renew_till && *renew_till)
486 kdc_audit_setkv_number((kdc_request_t)r, "renew", *renew_till);
487
488 krb5_format_time(r->context, authtime,
489 authtime_str, sizeof(authtime_str), TRUE);
490 if (starttime)
491 krb5_format_time(r->context, *starttime,
492 starttime_str, sizeof(starttime_str), TRUE);
493 else
494 strlcpy(starttime_str, "unset", sizeof(starttime_str));
495 krb5_format_time(r->context, endtime,
496 endtime_str, sizeof(endtime_str), TRUE);
497 if (renew_till)
498 krb5_format_time(r->context, *renew_till,
499 renewtime_str, sizeof(renewtime_str), TRUE);
500 else
501 strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
502
503 kdc_log(r->context, config, 4,
504 "%s authtime: %s starttime: %s endtime: %s renew till: %s",
505 type, authtime_str, starttime_str, endtime_str, renewtime_str);
506 }
507
508 /*
509 *
510 */
511
512 #ifdef PKINIT
513
514 static krb5_error_code
515 pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
516 {
517 pk_client_params *pkp = NULL;
518 char *client_cert = NULL;
519 krb5_error_code ret;
520
521 ret = _kdc_pk_rd_padata(r, pa, &pkp);
522 if (ret || pkp == NULL) {
523 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
524 _kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s",
525 r->cname);
526 goto out;
527 }
528
529 ret = _kdc_pk_check_client(r, pkp, &client_cert);
530 if (client_cert)
531 kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT,
532 "%s", client_cert);
533 if (ret) {
534 _kdc_set_e_text(r, "PKINIT certificate not allowed to "
535 "impersonate principal");
536 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
537 KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
538 goto out;
539 }
540
541 r->pa_endtime = _kdc_pk_endtime(pkp);
542 if (!r->client->flags.synthetic)
543 r->pa_max_life = _kdc_pk_max_life(pkp);
544
545 _kdc_r_log(r, 4, "PKINIT pre-authentication succeeded -- %s using %s",
546 r->cname, client_cert);
547
548 ret = _kdc_pk_mk_pa_reply(r, pkp);
549 if (ret) {
550 _kdc_set_e_text(r, "Failed to build PK-INIT reply");
551 goto out;
552 }
553 ret = _kdc_add_initial_verified_cas(r->context, r->config,
554 pkp, &r->et);
555
556 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
557 KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
558
559 out:
560 if (pkp)
561 _kdc_pk_free_client_param(r->context, pkp);
562 free(client_cert);
563
564 return ret;
565 }
566
567 #endif /* PKINIT */
568
569 static krb5_error_code
570 pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
571 {
572 gss_client_params *gcp = NULL;
573 char *client_name = NULL;
574 krb5_error_code ret;
575 int open = 0;
576
577 ret = _kdc_gss_rd_padata(r, pa, &gcp, &open);
578 if (ret && gcp == NULL)
579 return ret;
580
581 if (open) {
582 ret = _kdc_gss_check_client(r, gcp, &client_name);
583 if (client_name)
584 kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_GSS_INITIATOR,
585 "%s", client_name);
586 if (ret) {
587 _kdc_set_e_text(r, "GSS-API client not allowed to "
588 "impersonate principal");
589 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
590 KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
591 goto out;
592 }
593
594 r->pa_endtime = _kdc_gss_endtime(r, gcp);
595
596 _kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
597 r->cname, client_name);
598 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
599 KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
600
601 ret = _kdc_gss_mk_composite_name_ad(r, gcp);
602 if (ret) {
603 _kdc_set_e_text(r, "Failed to build GSS authorization data");
604 goto out;
605 }
606 }
607
608 ret = _kdc_gss_mk_pa_reply(r, gcp);
609 if (ret) {
610 if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
611 _kdc_set_e_text(r, "Failed to build GSS pre-authentication reply");
612 goto out;
613 }
614
615 ret = kdc_request_set_attribute((kdc_request_t)r,
616 HSTR("org.h5l.pa-gss-client-params"), gcp);
617 if (ret)
618 goto out;
619
620 out:
621 kdc_object_release(gcp);
622 free(client_name);
623
624 return ret;
625 }
626
627 static krb5_error_code
628 pa_gss_finalize_pac(astgs_request_t r)
629 {
630 gss_client_params *gcp;
631
632 gcp = kdc_request_get_attribute((kdc_request_t)r, HSTR("org.h5l.pa-gss-client-params"));
633
634 heim_assert(gcp != NULL, "invalid GSS-API client params");
635
636 return _kdc_gss_finalize_pac(r, gcp);
637 }
638
639 static krb5_error_code
640 pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
641 {
642 krb5_data pepper1, pepper2;
643 int invalidPassword = 0;
644 EncryptedData enc_data;
645 krb5_enctype aenctype;
646 krb5_error_code ret;
647 struct Key *k;
648 size_t size;
649 int i;
650
651 heim_assert(r->armor_crypto != NULL, "ENC-CHAL called for non FAST");
652
653 if (_kdc_is_anon_request(&r->req)) {
654 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
655 kdc_log(r->context, r->config, 4, "ENC-CHALL doesn't support anon");
656 return ret;
657 }
658
659 if (r->client->flags.locked_out) {
660 ret = KRB5KDC_ERR_CLIENT_REVOKED;
661 kdc_log(r->context, r->config, 0,
662 "Client (%s) is locked out", r->cname);
663 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
664 KDC_AUTH_EVENT_CLIENT_LOCKED_OUT);
665 return ret;
666 }
667
668 ret = decode_EncryptedData(pa->padata_value.data,
669 pa->padata_value.length,
670 &enc_data,
671 &size);
672 if (ret) {
673 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
674 _kdc_r_log(r, 4, "Failed to decode PA-DATA -- %s",
675 r->cname);
676 return ret;
677 }
678
679 pepper1.data = "clientchallengearmor";
680 pepper1.length = strlen(pepper1.data);
681 pepper2.data = "challengelongterm";
682 pepper2.length = strlen(pepper2.data);
683
684 krb5_crypto_getenctype(r->context, r->armor_crypto, &aenctype);
685
686 kdc_log(r->context, r->config, 5, "FAST armor enctype is: %d", (int)aenctype);
687
688 for (i = 0; i < r->client->keys.len; i++) {
689 krb5_crypto challengecrypto, longtermcrypto;
690 krb5_keyblock challengekey;
691
692 k = &r->client->keys.val[i];
693
694 ret = krb5_crypto_init(r->context, &k->key, 0, &longtermcrypto);
695 if (ret)
696 continue;
697
698 ret = krb5_crypto_fx_cf2(r->context, r->armor_crypto, longtermcrypto,
699 &pepper1, &pepper2, aenctype,
700 &challengekey);
701 if (ret) {
702 krb5_crypto_destroy(r->context, longtermcrypto);
703 continue;
704 }
705
706 ret = krb5_crypto_init(r->context, &challengekey, 0,
707 &challengecrypto);
708 krb5_free_keyblock_contents(r->context, &challengekey);
709 if (ret) {
710 krb5_crypto_destroy(r->context, longtermcrypto);
711 continue;
712 }
713
714 ret = _krb5_validate_pa_enc_challenge(r->context,
715 challengecrypto,
716 KRB5_KU_ENC_CHALLENGE_CLIENT,
717 &enc_data,
718 r->cname);
719 krb5_crypto_destroy(r->context, challengecrypto);
720 if (ret) {
721 const char *msg;
722 krb5_error_code ret2;
723 char *str = NULL;
724
725 krb5_crypto_destroy(r->context, longtermcrypto);
726
727 invalidPassword = (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY);
728 if (!invalidPassword) {
729 goto out;
730 }
731
732 ret2 = krb5_enctype_to_string(r->context, k->key.keytype, &str);
733 if (ret2)
734 str = NULL;
735 msg = krb5_get_error_message(r->context, ret);
736 _kdc_r_log(r, 2, "Failed to decrypt ENC-CHAL -- %s "
737 "(enctype %s) error %s",
738 r->cname, str ? str : "unknown enctype", msg);
739 krb5_free_error_message(r->context, msg);
740 free(str);
741
742 continue;
743 }
744
745 /*
746 * Found a key that the client used, lets pick that as the reply key
747 */
748
749 krb5_free_keyblock_contents(r->context, &r->reply_key);
750 ret = krb5_copy_keyblock_contents(r->context, &k->key, &r->reply_key);
751 if (ret) {
752 krb5_crypto_destroy(r->context, longtermcrypto);
753 goto out;
754 }
755
756 krb5_free_keyblock_contents(r->context, &challengekey);
757
758 /*
759 * Provide KDC authentication to the client, uses a different
760 * challenge key (different pepper).
761 */
762
763 pepper1.data = "kdcchallengearmor";
764 pepper1.length = strlen(pepper1.data);
765
766 ret = krb5_crypto_fx_cf2(r->context, r->armor_crypto, longtermcrypto,
767 &pepper1, &pepper2, aenctype,
768 &challengekey);
769 krb5_crypto_destroy(r->context, longtermcrypto);
770 if (ret)
771 goto out;
772
773 ret = krb5_crypto_init(r->context, &challengekey, 0, &challengecrypto);
774 krb5_free_keyblock_contents(r->context, &challengekey);
775 if (ret)
776 goto out;
777
778 ret = _krb5_make_pa_enc_challenge(r->context, challengecrypto,
779 KRB5_KU_ENC_CHALLENGE_KDC,
780 r->rep.padata);
781 krb5_crypto_destroy(r->context, challengecrypto);
782 if (ret)
783 goto out;
784
785 if (ret == 0)
786 ret = set_salt_padata(r->rep.padata, k->salt);
787
788 /*
789 * Success
790 */
791 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
792 KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
793 goto out;
794 }
795
796 if (invalidPassword) {
797 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
798 KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
799 ret = KRB5KDC_ERR_PREAUTH_FAILED;
800 } else {
801 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
802 }
803 out:
804 free_EncryptedData(&enc_data);
805
806 return ret;
807 }
808
809 static krb5_error_code
810 pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
811 {
812 EncryptedData enc_data;
813 krb5_error_code ret;
814 krb5_crypto crypto;
815 krb5_data ts_data;
816 PA_ENC_TS_ENC p;
817 size_t len;
818 Key *pa_key;
819 char *str;
820
821 if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp) {
822 ret = KRB5KDC_ERR_POLICY;
823 kdc_log(r->context, r->config, 0,
824 "Armored encrypted timestamp pre-authentication is disabled");
825 return ret;
826 } else if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp) {
827 ret = KRB5KDC_ERR_POLICY;
828 kdc_log(r->context, r->config, 0,
829 "Unarmored encrypted timestamp pre-authentication is disabled");
830 return ret;
831 }
832
833 if (r->client->flags.locked_out) {
834 ret = KRB5KDC_ERR_CLIENT_REVOKED;
835 kdc_log(r->context, r->config, 0,
836 "Client (%s) is locked out", r->cname);
837 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
838 KDC_AUTH_EVENT_CLIENT_LOCKED_OUT);
839 return ret;
840 }
841
842 ret = decode_EncryptedData(pa->padata_value.data,
843 pa->padata_value.length,
844 &enc_data,
845 &len);
846 if (ret) {
847 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
848 _kdc_r_log(r, 4, "Failed to decode PA-DATA -- %s",
849 r->cname);
850 goto out;
851 }
852
853 ret = hdb_enctype2key(r->context, r->client, NULL,
854 enc_data.etype, &pa_key);
855 if(ret){
856 char *estr;
857 _kdc_set_e_text(r, "No key matching enctype");
858 ret = KRB5KDC_ERR_ETYPE_NOSUPP;
859 if(krb5_enctype_to_string(r->context, enc_data.etype, &estr))
860 estr = NULL;
861 if(estr == NULL)
862 _kdc_r_log(r, 4,
863 "No client key matching pa-data (%d) -- %s",
864 enc_data.etype, r->cname);
865 else
866 _kdc_r_log(r, 4,
867 "No client key matching pa-data (%s) -- %s",
868 estr, r->cname);
869 free(estr);
870 free_EncryptedData(&enc_data);
871 goto out;
872 }
873
874 try_next_key:
875 ret = krb5_crypto_init(r->context, &pa_key->key, 0, &crypto);
876 if (ret) {
877 const char *msg = krb5_get_error_message(r->context, ret);
878 _kdc_r_log(r, 4, "krb5_crypto_init failed: %s", msg);
879 krb5_free_error_message(r->context, msg);
880 free_EncryptedData(&enc_data);
881 goto out;
882 }
883
884 ret = krb5_decrypt_EncryptedData (r->context,
885 crypto,
886 KRB5_KU_PA_ENC_TIMESTAMP,
887 &enc_data,
888 &ts_data);
889 krb5_crypto_destroy(r->context, crypto);
890 /*
891 * Since the user might have several keys with the same
892 * enctype but with different salting, we need to try all
893 * the keys with the same enctype.
894 */
895 if(ret){
896 krb5_error_code ret2;
897 const char *msg = krb5_get_error_message(r->context, ret);
898
899 ret2 = krb5_enctype_to_string(r->context,
900 pa_key->key.keytype, &str);
901 if (ret2)
902 str = NULL;
903 _kdc_r_log(r, 2, "Failed to decrypt PA-DATA -- %s "
904 "(enctype %s) error %s",
905 r->cname, str ? str : "unknown enctype", msg);
906 krb5_xfree(str);
907 krb5_free_error_message(r->context, msg);
908 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE,
909 pa_key->key.keytype);
910 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
911 KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
912 if(hdb_next_enctype2key(r->context, r->client, NULL,
913 enc_data.etype, &pa_key) == 0)
914 goto try_next_key;
915
916 free_EncryptedData(&enc_data);
917
918 ret = KRB5KDC_ERR_PREAUTH_FAILED;
919 goto out;
920 }
921 free_EncryptedData(&enc_data);
922 ret = decode_PA_ENC_TS_ENC(ts_data.data,
923 ts_data.length,
924 &p,
925 &len);
926 krb5_data_free(&ts_data);
927 if(ret){
928 ret = KRB5KDC_ERR_PREAUTH_FAILED;
929 _kdc_r_log(r, 4, "Failed to decode PA-ENC-TS-ENC -- %s",
930 r->cname);
931 goto out;
932 }
933 if (labs(kdc_time - p.patimestamp) > r->context->max_skew) {
934 char client_time[100];
935
936 krb5_format_time(r->context, p.patimestamp,
937 client_time, sizeof(client_time), TRUE);
938
939 ret = KRB5KRB_AP_ERR_SKEW;
940 _kdc_r_log(r, 4, "Too large time skew, "
941 "client time %s is out by %u > %u seconds -- %s",
942 client_time,
943 (unsigned)labs(kdc_time - p.patimestamp),
944 r->context->max_skew,
945 r->cname);
946 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
947 KDC_AUTH_EVENT_CLIENT_TIME_SKEW);
948
949 /*
950 * The following is needed to make windows clients to
951 * retry using the timestamp in the error message, if
952 * there is a e_text, they become unhappy.
953 */
954 r->e_text = NULL;
955 free_PA_ENC_TS_ENC(&p);
956 goto out;
957 }
958 free_PA_ENC_TS_ENC(&p);
959
960 ret = set_salt_padata(r->rep.padata, pa_key->salt);
961 if (ret == 0)
962 ret = krb5_copy_keyblock_contents(r->context, &pa_key->key, &r->reply_key);
963 if (ret)
964 return ret;
965
966 ret = krb5_enctype_to_string(r->context, pa_key->key.keytype, &str);
967 if (ret)
968 str = NULL;
969 _kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
970 r->cname, str ? str : "unknown enctype");
971 krb5_xfree(str);
972 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_PA_ETYPE,
973 pa_key->key.keytype);
974 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
975 KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
976
977 ret = 0;
978
979 out:
980
981 return ret;
982 }
983
984 struct kdc_patypes {
985 int type;
986 const char *name;
987 unsigned int flags;
988 #define PA_ANNOUNCE 1
989 #define PA_REQ_FAST 2 /* only use inside fast */
990 #define PA_SYNTHETIC_OK 4
991 #define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */
992 #define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */
993 #define PA_HARDWARE_AUTH 32 /* PA mech uses hardware authentication */
994 krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa);
995 krb5_error_code (*finalize_pac)(astgs_request_t r);
996 void (*cleanup)(astgs_request_t r);
997 };
998
999 static const struct kdc_patypes pat[] = {
1000 #ifdef PKINIT
1001 {
1002 KRB5_PADATA_PK_AS_REQ, "PK-INIT(ietf)",
1003 PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY | PA_HARDWARE_AUTH,
1004 pa_pkinit_validate, NULL, NULL
1005 },
1006 {
1007 KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE | PA_REPLACE_REPLY_KEY | PA_HARDWARE_AUTH,
1008 pa_pkinit_validate, NULL, NULL
1009 },
1010 {
1011 KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", PA_ANNOUNCE,
1012 NULL, NULL, NULL
1013 },
1014 #else
1015 { KRB5_PADATA_PK_AS_REQ, "PK-INIT(ietf)", 0, NULL , NULL, NULL },
1016 { KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", 0, NULL, NULL, NULL },
1017 { KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", 0, NULL, NULL, NULL },
1018 #endif
1019 { KRB5_PADATA_PA_PK_OCSP_RESPONSE , "OCSP", 0, NULL, NULL, NULL },
1020 {
1021 KRB5_PADATA_ENC_TIMESTAMP , "ENC-TS",
1022 PA_ANNOUNCE | PA_USES_LONG_TERM_KEY,
1023 pa_enc_ts_validate, NULL, NULL
1024 },
1025 {
1026 KRB5_PADATA_ENCRYPTED_CHALLENGE , "ENC-CHAL",
1027 PA_ANNOUNCE | PA_USES_LONG_TERM_KEY | PA_REQ_FAST,
1028 pa_enc_chal_validate, NULL, NULL
1029 },
1030 { KRB5_PADATA_REQ_ENC_PA_REP , "REQ-ENC-PA-REP", 0, NULL, NULL, NULL },
1031 { KRB5_PADATA_FX_FAST, "FX-FAST", PA_ANNOUNCE, NULL, NULL, NULL },
1032 { KRB5_PADATA_FX_ERROR, "FX-ERROR", 0, NULL, NULL, NULL },
1033 { KRB5_PADATA_FX_COOKIE, "FX-COOKIE", 0, NULL, NULL, NULL },
1034 {
1035 KRB5_PADATA_GSS , "GSS",
1036 PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY,
1037 pa_gss_validate, pa_gss_finalize_pac, NULL
1038 },
1039 };
1040
1041 static void
1042 log_patypes(astgs_request_t r, METHOD_DATA *padata)
1043 {
1044 krb5_kdc_configuration *config = r->config;
1045 struct rk_strpool *p = NULL;
1046 char *str;
1047 size_t n, m;
1048
1049 for (n = 0; n < padata->len; n++) {
1050 for (m = 0; m < sizeof(pat) / sizeof(pat[0]); m++) {
1051 if (padata->val[n].padata_type == pat[m].type) {
1052 p = rk_strpoolprintf(p, "%s", pat[m].name);
1053 break;
1054 }
1055 }
1056 if (m == sizeof(pat) / sizeof(pat[0]))
1057 p = rk_strpoolprintf(p, "%d", padata->val[n].padata_type);
1058 if (p && n + 1 < padata->len)
1059 p = rk_strpoolprintf(p, ", ");
1060 if (p == NULL) {
1061 kdc_log(r->context, config, 1, "out of memory");
1062 return;
1063 }
1064 }
1065 if (p == NULL)
1066 p = rk_strpoolprintf(p, "none");
1067
1068 str = rk_strpoolcollect(p);
1069 kdc_log(r->context, config, 4, "Client sent patypes: %s", str);
1070 kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
1071 "client-pa", "%s", str);
1072 free(str);
1073 }
1074
1075 static krb5_boolean
1076 pa_used_flag_isset(astgs_request_t r, unsigned int flag)
1077 {
1078 if (r->pa_used == NULL)
1079 return FALSE;
1080
1081 return (r->pa_used->flags & flag) == flag;
1082 }
1083
1084 /*
1085 *
1086 */
1087
1088 krb5_error_code
1089 _kdc_encode_reply(krb5_context context,
1090 krb5_kdc_configuration *config,
1091 astgs_request_t r, uint32_t nonce,
1092 krb5_enctype etype,
1093 int skvno, const EncryptionKey *skey,
1094 int ckvno,
1095 int rk_is_subkey,
1096 krb5_data *reply)
1097 {
1098 unsigned char *buf;
1099 size_t buf_size;
1100 size_t len = 0;
1101 krb5_error_code ret;
1102 krb5_crypto crypto;
1103 KDC_REP *rep = &r->rep;
1104 EncTicketPart *et = &r->et;
1105 EncKDCRepPart *ek = &r->ek;
1106
1107 heim_assert(rep->padata != NULL, "reply padata uninitialized");
1108
1109 ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
1110 if(ret) {
1111 const char *msg = krb5_get_error_message(context, ret);
1112 kdc_log(context, config, 4, "Failed to encode ticket: %s", msg);
1113 krb5_free_error_message(context, msg);
1114 return ret;
1115 }
1116 if(buf_size != len)
1117 krb5_abortx(context, "Internal error in ASN.1 encoder");
1118
1119 ret = krb5_crypto_init(context, skey, etype, &crypto);
1120 if (ret) {
1121 const char *msg = krb5_get_error_message(context, ret);
1122 kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
1123 krb5_free_error_message(context, msg);
1124 free(buf);
1125 return ret;
1126 }
1127
1128 ret = krb5_encrypt_EncryptedData(context,
1129 crypto,
1130 KRB5_KU_TICKET,
1131 buf,
1132 len,
1133 skvno,
1134 &rep->ticket.enc_part);
1135 free(buf);
1136 krb5_crypto_destroy(context, crypto);
1137 if(ret) {
1138 const char *msg = krb5_get_error_message(context, ret);
1139 kdc_log(context, config, 4, "Failed to encrypt data: %s", msg);
1140 krb5_free_error_message(context, msg);
1141 return ret;
1142 }
1143
1144 if (r && r->armor_crypto) {
1145 KrbFastFinished finished;
1146 krb5_data data;
1147
1148 kdc_log(context, config, 4, "FAST armor protection");
1149
1150 memset(&finished, 0, sizeof(finished));
1151 krb5_data_zero(&data);
1152
1153 finished.timestamp = kdc_time;
1154 finished.usec = 0;
1155 finished.crealm = et->crealm;
1156 finished.cname = et->cname;
1157
1158 ASN1_MALLOC_ENCODE(Ticket, data.data, data.length,
1159 &rep->ticket, &len, ret);
1160 if (ret)
1161 return ret;
1162 if (data.length != len)
1163 krb5_abortx(context, "internal asn.1 error");
1164
1165 ret = krb5_create_checksum(context, r->armor_crypto,
1166 KRB5_KU_FAST_FINISHED, 0,
1167 data.data, data.length,
1168 &finished.ticket_checksum);
1169 krb5_data_free(&data);
1170 if (ret)
1171 return ret;
1172
1173 ret = _kdc_fast_mk_response(context, r->armor_crypto,
1174 rep->padata, &r->strengthen_key, &finished,
1175 nonce, &data);
1176 free_Checksum(&finished.ticket_checksum);
1177 if (ret)
1178 return ret;
1179
1180 free_METHOD_DATA(r->rep.padata);
1181
1182 ret = krb5_padata_add(context, rep->padata,
1183 KRB5_PADATA_FX_FAST,
1184 data.data, data.length);
1185 if (ret)
1186 return ret;
1187
1188 /*
1189 * Hide client name for privacy reasons
1190 */
1191 if (r->fast.flags.requested_hidden_names) {
1192 Realm anon_realm = KRB5_ANON_REALM;
1193
1194 free_Realm(&rep->crealm);
1195 ret = copy_Realm(&anon_realm, &rep->crealm);
1196 if (ret == 0) {
1197 free_PrincipalName(&rep->cname);
1198 ret = _kdc_make_anonymous_principalname(&rep->cname);
1199 }
1200 if (ret)
1201 return ret;
1202 }
1203 }
1204
1205 if (rep->padata->len == 0) {
1206 free_METHOD_DATA(rep->padata);
1207 free(rep->padata);
1208 rep->padata = NULL;
1209 }
1210
1211 if(rep->msg_type == krb_as_rep && !config->encode_as_rep_as_tgs_rep)
1212 ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret);
1213 else
1214 ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
1215 if(ret) {
1216 const char *msg = krb5_get_error_message(context, ret);
1217 kdc_log(context, config, 4, "Failed to encode KDC-REP: %s", msg);
1218 krb5_free_error_message(context, msg);
1219 return ret;
1220 }
1221 if(buf_size != len) {
1222 free(buf);
1223 kdc_log(context, config, 4, "Internal error in ASN.1 encoder");
1224 _kdc_set_e_text(r, "KDC internal error");
1225 return KRB5KRB_ERR_GENERIC;
1226 }
1227 ret = krb5_crypto_init(context, &r->reply_key, 0, &crypto);
1228 if (ret) {
1229 const char *msg = krb5_get_error_message(context, ret);
1230 free(buf);
1231 kdc_log(context, config, 4, "krb5_crypto_init failed: %s", msg);
1232 krb5_free_error_message(context, msg);
1233 return ret;
1234 }
1235 if(rep->msg_type == krb_as_rep) {
1236 ret = krb5_encrypt_EncryptedData(context,
1237 crypto,
1238 KRB5_KU_AS_REP_ENC_PART,
1239 buf,
1240 len,
1241 ckvno,
1242 &rep->enc_part);
1243 free(buf);
1244 if (ret == 0)
1245 ASN1_MALLOC_ENCODE(AS_REP, buf, buf_size, rep, &len, ret);
1246 } else {
1247 ret = krb5_encrypt_EncryptedData(context,
1248 crypto,
1249 rk_is_subkey ?
1250 KRB5_KU_TGS_REP_ENC_PART_SUB_KEY :
1251 KRB5_KU_TGS_REP_ENC_PART_SESSION,
1252 buf,
1253 len,
1254 ckvno,
1255 &rep->enc_part);
1256 free(buf);
1257 if (ret == 0)
1258 ASN1_MALLOC_ENCODE(TGS_REP, buf, buf_size, rep, &len, ret);
1259 }
1260 krb5_crypto_destroy(context, crypto);
1261 if(ret) {
1262 const char *msg = krb5_get_error_message(context, ret);
1263 kdc_log(context, config, 4, "Failed to encode KDC-REP: %s", msg);
1264 krb5_free_error_message(context, msg);
1265 return ret;
1266 }
1267 if(buf_size != len) {
1268 free(buf);
1269 kdc_log(context, config, 4, "Internal error in ASN.1 encoder");
1270 _kdc_set_e_text(r, "KDC internal error");
1271 return KRB5KRB_ERR_GENERIC;
1272 }
1273 reply->data = buf;
1274 reply->length = buf_size;
1275 return 0;
1276 }
1277
1278 /*
1279 *
1280 */
1281
1282 static krb5_error_code
1283 get_pa_etype_info(krb5_context context,
1284 krb5_kdc_configuration *config,
1285 METHOD_DATA *md, Key *ckey,
1286 krb5_boolean include_salt)
1287 {
1288 krb5_error_code ret = 0;
1289 ETYPE_INFO_ENTRY eie; /* do not free this one */
1290 ETYPE_INFO ei;
1291 PA_DATA pa;
1292 size_t len;
1293
1294 /*
1295 * Code moved here from what used to be make_etype_info_entry() because
1296 * using the ASN.1 compiler-generated SEQUENCE OF add functions makes that
1297 * old function's body and this one's small and clean.
1298 *
1299 * The following comment blocks were there:
1300 *
1301 * According to `the specs', we can't send a salt if we have AFS3 salted
1302 * key, but that requires that you *know* what cell you are using (e.g by
1303 * assuming that the cell is the same as the realm in lower case)
1304 *
1305 * We shouldn't sent salttype since it is incompatible with the
1306 * specification and it breaks windows clients. The afs salting problem
1307 * is solved by using KRB5-PADATA-AFS3-SALT implemented in Heimdal 0.7 and
1308 * later.
1309 *
1310 * We return no salt type at all, as that should indicate the default salt
1311 * type and make everybody happy. some systems (like w2k) dislike being
1312 * told the salt type here.
1313 */
1314
1315 pa.padata_type = KRB5_PADATA_ETYPE_INFO;
1316 pa.padata_value.data = NULL;
1317 pa.padata_value.length = 0;
1318 ei.len = 0;
1319 ei.val = NULL;
1320 eie.etype = ckey->key.keytype;
1321 eie.salttype = NULL;
1322 eie.salt = NULL;
1323 if (include_salt && ckey->salt)
1324 eie.salt = &ckey->salt->salt;
1325 ret = add_ETYPE_INFO(&ei, &eie);
1326 if (ret == 0)
1327 ASN1_MALLOC_ENCODE(ETYPE_INFO, pa.padata_value.data, pa.padata_value.length,
1328 &ei, &len, ret);
1329 if (ret == 0)
1330 add_METHOD_DATA(md, &pa);
1331 free_ETYPE_INFO(&ei);
1332 free_PA_DATA(&pa);
1333 return ret;
1334 }
1335
1336 /*
1337 *
1338 */
1339
1340 extern const int _krb5_AES_SHA1_string_to_default_iterator;
1341 extern const int _krb5_AES_SHA2_string_to_default_iterator;
1342
1343 static krb5_error_code
1344 make_s2kparams(int value, size_t len, krb5_data **ps2kparams)
1345 {
1346 krb5_data *s2kparams;
1347 krb5_error_code ret;
1348
1349 ALLOC(s2kparams);
1350 if (s2kparams == NULL)
1351 return ENOMEM;
1352 ret = krb5_data_alloc(s2kparams, len);
1353 if (ret) {
1354 free(s2kparams);
1355 return ret;
1356 }
1357 _krb5_put_int(s2kparams->data, value, len);
1358 *ps2kparams = s2kparams;
1359 return 0;
1360 }
1361
1362 static krb5_error_code
1363 make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent,
1364 Key *key,
1365 krb5_boolean include_salt)
1366 {
1367 krb5_error_code ret;
1368
1369 ent->etype = key->key.keytype;
1370 if (key->salt && include_salt) {
1371 ALLOC(ent->salt);
1372 if (ent->salt == NULL)
1373 return ENOMEM;
1374 *ent->salt = malloc(key->salt->salt.length + 1);
1375 if (*ent->salt == NULL) {
1376 free(ent->salt);
1377 ent->salt = NULL;
1378 return ENOMEM;
1379 }
1380 memcpy(*ent->salt, key->salt->salt.data, key->salt->salt.length);
1381 (*ent->salt)[key->salt->salt.length] = '\0';
1382 } else
1383 ent->salt = NULL;
1384
1385 ent->s2kparams = NULL;
1386
1387 switch (key->key.keytype) {
1388 case ETYPE_AES128_CTS_HMAC_SHA1_96:
1389 case ETYPE_AES256_CTS_HMAC_SHA1_96:
1390 ret = make_s2kparams(_krb5_AES_SHA1_string_to_default_iterator,
1391 4, &ent->s2kparams);
1392 break;
1393 case KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128:
1394 case KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192:
1395 ret = make_s2kparams(_krb5_AES_SHA2_string_to_default_iterator,
1396 4, &ent->s2kparams);
1397 break;
1398 case ETYPE_DES_CBC_CRC:
1399 case ETYPE_DES_CBC_MD4:
1400 case ETYPE_DES_CBC_MD5:
1401 /* Check if this was a AFS3 salted key */
1402 if(key->salt && key->salt->type == hdb_afs3_salt)
1403 ret = make_s2kparams(1, 1, &ent->s2kparams);
1404 else
1405 ret = 0;
1406 break;
1407 default:
1408 ret = 0;
1409 break;
1410 }
1411 return ret;
1412 }
1413
1414 /*
1415 * Return an ETYPE-INFO2. Enctypes are storted the same way as in the
1416 * database (client supported enctypes first, then the unsupported
1417 * enctypes).
1418 */
1419
1420 static krb5_error_code
1421 get_pa_etype_info2(krb5_context context,
1422 krb5_kdc_configuration *config,
1423 METHOD_DATA *md, Key *ckey,
1424 krb5_boolean include_salt)
1425 {
1426 krb5_error_code ret = 0;
1427 ETYPE_INFO2 pa;
1428 unsigned char *buf;
1429 size_t len;
1430
1431 pa.len = 1;
1432 pa.val = calloc(1, sizeof(pa.val[0]));
1433 if(pa.val == NULL)
1434 return ENOMEM;
1435
1436 ret = make_etype_info2_entry(&pa.val[0], ckey, include_salt);
1437 if (ret) {
1438 free_ETYPE_INFO2(&pa);
1439 return ret;
1440 }
1441
1442 ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret);
1443 free_ETYPE_INFO2(&pa);
1444 if(ret)
1445 return ret;
1446 ret = realloc_method_data(md);
1447 if(ret) {
1448 free(buf);
1449 return ret;
1450 }
1451 md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO2;
1452 md->val[md->len - 1].padata_value.length = len;
1453 md->val[md->len - 1].padata_value.data = buf;
1454 return 0;
1455 }
1456
1457 /*
1458 * Return 0 if the client has only older enctypes, this is for
1459 * determining if the server should send ETYPE_INFO2 or not.
1460 */
1461
1462 static int
1463 newer_enctype_present(krb5_context context,
1464 struct KDC_REQ_BODY_etype *etype_list)
1465 {
1466 size_t i;
1467
1468 for (i = 0; i < etype_list->len; i++) {
1469 if (!krb5_is_enctype_old(context, etype_list->val[i]))
1470 return 1;
1471 }
1472 return 0;
1473 }
1474
1475 static krb5_error_code
1476 get_pa_etype_info_both(krb5_context context,
1477 krb5_kdc_configuration *config,
1478 struct KDC_REQ_BODY_etype *etype_list,
1479 METHOD_DATA *md, Key *ckey,
1480 krb5_boolean include_salt)
1481 {
1482 krb5_error_code ret;
1483
1484 /*
1485 * Windows 2019 (and earlier versions) always sends the salt
1486 * and Samba has testsuites that check this behaviour, so a
1487 * Samba AD DC will set this flag to match the AS-REP packet
1488 * more closely.
1489 */
1490 if (config->force_include_pa_etype_salt)
1491 include_salt = TRUE;
1492
1493 /*
1494 * RFC4120 requires:
1495 * When the AS server is to include pre-authentication data in a
1496 * KRB-ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not
1497 * PA-ETYPE-INFO, if the etype field of the client's AS-REQ lists
1498 * at least one "newer" encryption type. Otherwise (when the etype
1499 * field of the client's AS-REQ does not list any "newer" encryption
1500 * types), it MUST send both PA-ETYPE-INFO2 and PA-ETYPE-INFO (both
1501 * with an entry for each enctype). A "newer" enctype is any enctype
1502 * first officially specified concurrently with or subsequent to the
1503 * issue of this RFC. The enctypes DES, 3DES, or RC4 and any defined
1504 * in [RFC1510] are not "newer" enctypes.
1505 *
1506 * It goes on to state:
1507 * The preferred ordering of the "hint" pre-authentication data that
1508 * affect client key selection is: ETYPE-INFO2, followed by ETYPE-INFO,
1509 * followed by PW-SALT. As noted in Section 3.1.3, a KDC MUST NOT send
1510 * ETYPE-INFO or PW-SALT when the client's AS-REQ includes at least one
1511 * "newer" etype.
1512 */
1513
1514 ret = get_pa_etype_info2(context, config, md, ckey, include_salt);
1515 if (ret)
1516 return ret;
1517
1518 if (!newer_enctype_present(context, etype_list))
1519 ret = get_pa_etype_info(context, config, md, ckey, include_salt);
1520
1521 return ret;
1522 }
1523
1524 /*
1525 *
1526 */
1527
1528 void
1529 _log_astgs_req(astgs_request_t r, krb5_enctype setype)
1530 {
1531 const KDC_REQ_BODY *b = &r->req.req_body;
1532 krb5_enctype cetype = r->reply_key.keytype;
1533 krb5_error_code ret;
1534 struct rk_strpool *p;
1535 struct rk_strpool *s = NULL;
1536 char *str;
1537 char *cet;
1538 char *set;
1539 size_t i;
1540
1541 /*
1542 * we are collecting ``p'' and ``s''. The former is a textual
1543 * representation of the enctypes as strings which will be used
1544 * for debugging. The latter is a terse comma separated list of
1545 * the %d's of the enctypes to emit into our audit trail to
1546 * conserve space in the logs.
1547 */
1548
1549 p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
1550
1551 for (i = 0; i < b->etype.len; i++) {
1552 ret = krb5_enctype_to_string(r->context, b->etype.val[i], &str);
1553 if (ret == 0) {
1554 p = rk_strpoolprintf(p, "%s", str);
1555 free(str);
1556 } else
1557 p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
1558 if (p == NULL) {
1559 rk_strpoolfree(s);
1560 _kdc_r_log(r, 4, "out of memory");
1561 return;
1562 }
1563 s = rk_strpoolprintf(s, "%d", b->etype.val[i]);
1564 if (i + 1 < b->etype.len) {
1565 p = rk_strpoolprintf(p, ", ");
1566 s = rk_strpoolprintf(s, ",");
1567 }
1568 }
1569 if (p == NULL)
1570 p = rk_strpoolprintf(p, "no encryption types");
1571
1572 str = rk_strpoolcollect(s);
1573 if (str)
1574 kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE, "etypes", "%s",
1575 str);
1576 free(str);
1577
1578 ret = krb5_enctype_to_string(r->context, cetype, &cet);
1579 if(ret == 0) {
1580 ret = krb5_enctype_to_string(r->context, setype, &set);
1581 if (ret == 0) {
1582 p = rk_strpoolprintf(p, ", using %s/%s", cet, set);
1583 free(set);
1584 }
1585 free(cet);
1586 }
1587 if (ret != 0)
1588 p = rk_strpoolprintf(p, ", using enctypes %d/%d",
1589 cetype, setype);
1590
1591 str = rk_strpoolcollect(p);
1592 if (str)
1593 _kdc_r_log(r, 4, "%s", str);
1594 free(str);
1595
1596 kdc_audit_addkv((kdc_request_t)r, 0, "etype", "%d/%d", cetype, setype);
1597
1598 {
1599 char fixedstr[128];
1600 int result;
1601
1602 result = unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(),
1603 fixedstr, sizeof(fixedstr));
1604 if (result > 0) {
1605 _kdc_r_log(r, 4, "Requested flags: %s", fixedstr);
1606 kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_EATWHITE,
1607 "flags", "%s", fixedstr);
1608 }
1609 }
1610 }
1611
1612 /*
1613 * verify the flags on `client' and `server', returning 0
1614 * if they are OK and generating an error messages and returning
1615 * and error code otherwise.
1616 */
1617
1618 KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
1619 kdc_check_flags(astgs_request_t r,
1620 krb5_boolean is_as_req,
1621 hdb_entry *client,
1622 hdb_entry *server)
1623 {
1624 if (client != NULL) {
1625 /* check client */
1626 if (client->flags.locked_out) {
1627 kdc_audit_addreason((kdc_request_t)r, "Client is locked out");
1628 return KRB5KDC_ERR_CLIENT_REVOKED;
1629 }
1630
1631 if (client->flags.invalid) {
1632 kdc_audit_addreason((kdc_request_t)r,
1633 "Client has invalid bit set");
1634 return KRB5KDC_ERR_POLICY;
1635 }
1636
1637 if (!client->flags.client) {
1638 kdc_audit_addreason((kdc_request_t)r,
1639 "Principal may not act as client");
1640 return KRB5KDC_ERR_POLICY;
1641 }
1642
1643 if (client->valid_start && *client->valid_start > kdc_time) {
1644 char starttime_str[100];
1645 krb5_format_time(r->context, *client->valid_start,
1646 starttime_str, sizeof(starttime_str), TRUE);
1647 kdc_audit_addreason((kdc_request_t)r, "Client not yet valid "
1648 "until %s", starttime_str);
1649 return KRB5KDC_ERR_CLIENT_NOTYET;
1650 }
1651
1652 if (client->valid_end && *client->valid_end < kdc_time) {
1653 char endtime_str[100];
1654 krb5_format_time(r->context, *client->valid_end,
1655 endtime_str, sizeof(endtime_str), TRUE);
1656 kdc_audit_addreason((kdc_request_t)r, "Client expired at %s",
1657 endtime_str);
1658 return KRB5KDC_ERR_NAME_EXP;
1659 }
1660
1661 if (client->flags.require_pwchange &&
1662 (server == NULL || !server->flags.change_pw))
1663 return KRB5KDC_ERR_KEY_EXPIRED;
1664
1665 if (client->pw_end && *client->pw_end < kdc_time
1666 && (server == NULL || !server->flags.change_pw)) {
1667 char pwend_str[100];
1668 krb5_format_time(r->context, *client->pw_end,
1669 pwend_str, sizeof(pwend_str), TRUE);
1670 kdc_audit_addreason((kdc_request_t)r, "Client's key has expired "
1671 "at %s", pwend_str);
1672 return KRB5KDC_ERR_KEY_EXPIRED;
1673 }
1674 }
1675
1676 /* check server */
1677
1678 if (server != NULL) {
1679 if (server->flags.locked_out) {
1680 kdc_audit_addreason((kdc_request_t)r, "Server locked out");
1681 return KRB5KDC_ERR_SERVICE_REVOKED;
1682 }
1683 if (server->flags.invalid) {
1684 kdc_audit_addreason((kdc_request_t)r,
1685 "Server has invalid flag set");
1686 return KRB5KDC_ERR_POLICY;
1687 }
1688 if (!server->flags.server) {
1689 kdc_audit_addreason((kdc_request_t)r,
1690 "Principal may not act as server");
1691 return KRB5KDC_ERR_POLICY;
1692 }
1693
1694 if (!is_as_req && server->flags.initial) {
1695 kdc_audit_addreason((kdc_request_t)r,
1696 "AS-REQ is required for server");
1697 return KRB5KDC_ERR_POLICY;
1698 }
1699
1700 if (server->valid_start && *server->valid_start > kdc_time) {
1701 char starttime_str[100];
1702 krb5_format_time(r->context, *server->valid_start,
1703 starttime_str, sizeof(starttime_str), TRUE);
1704 kdc_audit_addreason((kdc_request_t)r, "Server not yet valid "
1705 "until %s", starttime_str);
1706 return KRB5KDC_ERR_SERVICE_NOTYET;
1707 }
1708
1709 if (server->valid_end && *server->valid_end < kdc_time) {
1710 char endtime_str[100];
1711 krb5_format_time(r->context, *server->valid_end,
1712 endtime_str, sizeof(endtime_str), TRUE);
1713 kdc_audit_addreason((kdc_request_t)r, "Server expired at %s",
1714 endtime_str);
1715 return KRB5KDC_ERR_SERVICE_EXP;
1716 }
1717
1718 if (server->pw_end && *server->pw_end < kdc_time) {
1719 char pwend_str[100];
1720 krb5_format_time(r->context, *server->pw_end,
1721 pwend_str, sizeof(pwend_str), TRUE);
1722 kdc_audit_addreason((kdc_request_t)r, "Server's key has expired "
1723 "at %s", pwend_str);
1724 return KRB5KDC_ERR_KEY_EXPIRED;
1725 }
1726 }
1727 return 0;
1728 }
1729
1730 /*
1731 * Return TRUE if `from' is part of `addresses' taking into consideration
1732 * the configuration variables that tells us how strict we should be about
1733 * these checks
1734 */
1735
1736 krb5_boolean
1737 _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
1738 const struct sockaddr *from)
1739 {
1740 krb5_kdc_configuration *config = r->config;
1741 krb5_error_code ret;
1742 krb5_address addr;
1743 krb5_boolean result;
1744 krb5_boolean only_netbios = TRUE;
1745 size_t i;
1746
1747 if (!config->check_ticket_addresses && !config->warn_ticket_addresses)
1748 return TRUE;
1749
1750 /*
1751 * Fields of HostAddresses type are always OPTIONAL and should be non-
1752 * empty, but we check for empty just in case as our compiler doesn't
1753 * support size constraints on SEQUENCE OF.
1754 */
1755 if (addresses == NULL || addresses->len == 0)
1756 return config->allow_null_ticket_addresses;
1757
1758 for (i = 0; i < addresses->len; ++i) {
1759 if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
1760 only_netbios = FALSE;
1761 }
1762 }
1763
1764 /* Windows sends it's netbios name, which I can only assume is
1765 * used for the 'allowed workstations' check. This is painful,
1766 * but we still want to check IP addresses if they happen to be
1767 * present.
1768 */
1769
1770 if(only_netbios)
1771 return config->allow_null_ticket_addresses;
1772
1773 ret = krb5_sockaddr2address (r->context, from, &addr);
1774 if(ret)
1775 return FALSE;
1776
1777 result = krb5_address_search(r->context, &addr, addresses);
1778 krb5_free_address (r->context, &addr);
1779 return result;
1780 }
1781
1782 /*
1783 *
1784 */
1785 krb5_error_code
1786 _kdc_check_anon_policy(astgs_request_t r)
1787 {
1788 if (!r->config->allow_anonymous) {
1789 kdc_audit_addreason((kdc_request_t)r,
1790 "Anonymous tickets denied by local policy");
1791 return KRB5KDC_ERR_POLICY;
1792 }
1793
1794 return 0;
1795 }
1796
1797 /*
1798 * Determine whether the client requested a PAC be included
1799 * or excluded explictly, or whether it doesn't care.
1800 */
1801
1802 static uint64_t
1803 get_pac_attributes(krb5_context context, KDC_REQ *req)
1804 {
1805 krb5_error_code ret;
1806 PA_PAC_REQUEST pacreq;
1807 const PA_DATA *pa;
1808 int i = 0;
1809 uint32_t pac_attributes;
1810
1811 pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
1812 if (pa == NULL)
1813 return KRB5_PAC_WAS_GIVEN_IMPLICITLY;
1814
1815 ret = decode_PA_PAC_REQUEST(pa->padata_value.data,
1816 pa->padata_value.length,
1817 &pacreq,
1818 NULL);
1819 if (ret)
1820 return KRB5_PAC_WAS_GIVEN_IMPLICITLY;
1821
1822 pac_attributes = pacreq.include_pac ? KRB5_PAC_WAS_REQUESTED : 0;
1823 free_PA_PAC_REQUEST(&pacreq);
1824 return pac_attributes;
1825 }
1826
1827 /*
1828 *
1829 */
1830
1831 static krb5_error_code
1832 generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
1833 krb5_boolean is_tgs)
1834 {
1835 krb5_error_code ret;
1836 krb5_data data;
1837 uint16_t rodc_id;
1838 krb5_principal client;
1839 krb5_const_principal canon_princ = NULL;
1840
1841 r->pac_attributes = get_pac_attributes(r->context, &r->req);
1842 kdc_audit_setkv_number((kdc_request_t)r, "pac_attributes",
1843 r->pac_attributes);
1844
1845 if (!_kdc_include_pac_p(r))
1846 return 0;
1847
1848 /*
1849 * When a PA mech does not use the client's long-term key, the PAC
1850 * may include the client's long-term key (encrypted in the reply key)
1851 * for use by other shared secret authentication protocols, e.g. NTLM.
1852 * Validate a PA mech was actually used before doing this.
1853 */
1854
1855 ret = _kdc_pac_generate(r,
1856 r->client,
1857 r->server,
1858 r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
1859 ? &r->reply_key : NULL,
1860 r->pac_attributes,
1861 &r->pac);
1862 if (ret) {
1863 _kdc_r_log(r, 4, "PAC generation failed for -- %s",
1864 r->cname);
1865 return ret;
1866 }
1867 if (r->pac == NULL)
1868 return 0;
1869
1870 rodc_id = r->server->kvno >> 16;
1871
1872 /* libkrb5 expects ticket and PAC client names to match */
1873 ret = _krb5_principalname2krb5_principal(r->context, &client,
1874 r->et.cname, r->et.crealm);
1875 if (ret)
1876 return ret;
1877
1878 /*
1879 * Include the canonical name of the principal in the authorization
1880 * data, if the realms match (if they don't, then the KDC could
1881 * impersonate any realm. Windows always canonicalizes the realm,
1882 * but Heimdal permits aliases between realms.)
1883 */
1884 if (krb5_realm_compare(r->context, client, r->canon_client_princ)) {
1885 char *cpn = NULL;
1886
1887 canon_princ = r->canon_client_princ;
1888
1889 (void) krb5_unparse_name(r->context, canon_princ, &cpn);
1890 kdc_audit_addkv((kdc_request_t)r, 0, "canon_client_name", "%s",
1891 cpn ? cpn : "<unknown>");
1892 krb5_xfree(cpn);
1893 }
1894
1895 if (r->pa_used && r->pa_used->finalize_pac) {
1896 ret = r->pa_used->finalize_pac(r);
1897 if (ret)
1898 return ret;
1899 }
1900
1901 ret = _krb5_pac_sign(r->context,
1902 r->pac,
1903 r->et.authtime,
1904 client,
1905 &skey->key, /* Server key */
1906 &tkey->key, /* TGS key */
1907 rodc_id,
1908 NULL, /* UPN */
1909 canon_princ,
1910 is_tgs ? &r->pac_attributes : NULL,
1911 &data);
1912 krb5_free_principal(r->context, client);
1913 krb5_pac_free(r->context, r->pac);
1914 r->pac = NULL;
1915 if (ret) {
1916 _kdc_r_log(r, 4, "PAC signing failed for -- %s",
1917 r->cname);
1918 return ret;
1919 }
1920
1921 ret = _kdc_tkt_insert_pac(r->context, &r->et, &data);
1922 krb5_data_free(&data);
1923
1924 return ret;
1925 }
1926
1927 /*
1928 *
1929 */
1930
1931 krb5_boolean
1932 _kdc_is_anonymous(krb5_context context, krb5_const_principal principal)
1933 {
1934 return krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY);
1935 }
1936
1937 /*
1938 * Returns TRUE if principal is the unauthenticated anonymous identity,
1939 * i.e. WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. Unfortunately due to
1940 * backwards compatibility logic in krb5_principal_is_anonymous() we
1941 * have to use our own implementation.
1942 */
1943
1944 krb5_boolean
1945 _kdc_is_anonymous_pkinit(krb5_context context, krb5_const_principal principal)
1946 {
1947 return _kdc_is_anonymous(context, principal) &&
1948 strcmp(principal->realm, KRB5_ANON_REALM) == 0;
1949 }
1950
1951 static int
1952 require_preauth_p(astgs_request_t r)
1953 {
1954 return r->config->require_preauth
1955 || r->client->flags.require_preauth
1956 || r->server->flags.require_preauth;
1957 }
1958
1959
1960 /*
1961 *
1962 */
1963
1964 static krb5_error_code
1965 add_enc_pa_rep(astgs_request_t r)
1966 {
1967 krb5_error_code ret;
1968 krb5_crypto crypto;
1969 Checksum checksum;
1970 krb5_data cdata;
1971 size_t len;
1972
1973 ret = krb5_crypto_init(r->context, &r->reply_key, 0, &crypto);
1974 if (ret)
1975 return ret;
1976
1977 ret = krb5_create_checksum(r->context, crypto,
1978 KRB5_KU_AS_REQ, 0,
1979 r->request.data, r->request.length,
1980 &checksum);
1981 krb5_crypto_destroy(r->context, crypto);
1982 if (ret)
1983 return ret;
1984
1985 ASN1_MALLOC_ENCODE(Checksum, cdata.data, cdata.length,
1986 &checksum, &len, ret);
1987 free_Checksum(&checksum);
1988 if (ret)
1989 return ret;
1990 heim_assert(cdata.length == len, "ASN.1 internal error");
1991
1992 if (r->ek.encrypted_pa_data == NULL) {
1993 ALLOC(r->ek.encrypted_pa_data);
1994 if (r->ek.encrypted_pa_data == NULL)
1995 return ENOMEM;
1996 }
1997 ret = krb5_padata_add(r->context, r->ek.encrypted_pa_data,
1998 KRB5_PADATA_REQ_ENC_PA_REP, cdata.data, cdata.length);
1999 if (ret)
2000 return ret;
2001
2002 if (!r->config->enable_fast)
2003 return 0;
2004
2005 return krb5_padata_add(r->context, r->ek.encrypted_pa_data,
2006 KRB5_PADATA_FX_FAST, NULL, 0);
2007 }
2008
2009 /*
2010 * Add an authorization data element indicating that a synthetic
2011 * principal was used, so that the TGS does not accidentally
2012 * synthesize a non-synthetic principal that has since been deleted.
2013 */
2014 static krb5_error_code
2015 add_synthetic_princ_ad(astgs_request_t r)
2016 {
2017 krb5_data data;
2018
2019 krb5_data_zero(&data);
2020
2021 return _kdc_tkt_add_if_relevant_ad(r->context, &r->et,
2022 KRB5_AUTHDATA_SYNTHETIC_PRINC_USED,
2023 &data);
2024 }
2025
2026 static krb5_error_code
2027 get_local_tgs(krb5_context context,
2028 krb5_kdc_configuration *config,
2029 krb5_const_realm realm,
2030 HDB **krbtgtdb,
2031 hdb_entry **krbtgt)
2032 {
2033 krb5_error_code ret;
2034 krb5_principal tgs_name;
2035
2036 *krbtgtdb = NULL;
2037 *krbtgt = NULL;
2038
2039 ret = krb5_make_principal(context,
2040 &tgs_name,
2041 realm,
2042 KRB5_TGS_NAME,
2043 realm,
2044 NULL);
2045 if (ret == 0)
2046 ret = _kdc_db_fetch(context, config, tgs_name,
2047 HDB_F_GET_KRBTGT, NULL, krbtgtdb, krbtgt);
2048
2049 krb5_free_principal(context, tgs_name);
2050 return ret;
2051 }
2052
2053 /*
2054 *
2055 */
2056
2057 krb5_error_code
2058 _kdc_as_rep(astgs_request_t r)
2059 {
2060 krb5_kdc_configuration *config = r->config;
2061 KDC_REQ *req = &r->req;
2062 const char *from = r->from;
2063 KDC_REQ_BODY *b = NULL;
2064 KDC_REP *rep = &r->rep;
2065 KDCOptions f;
2066 krb5_enctype setype;
2067 krb5_error_code ret = 0;
2068 Key *skey;
2069 int found_pa = 0;
2070 int i, flags = HDB_F_FOR_AS_REQ;
2071 const PA_DATA *pa;
2072 krb5_boolean is_tgs;
2073 const char *msg;
2074 Key *krbtgt_key;
2075
2076 memset(rep, 0, sizeof(*rep));
2077
2078 ALLOC(rep->padata);
2079 if (rep->padata == NULL) {
2080 ret = ENOMEM;
2081 krb5_set_error_message(r->context, ret, N_("malloc: out of memory", ""));
2082 goto out;
2083 }
2084
2085 /*
2086 * Look for FAST armor and unwrap
2087 */
2088 ret = _kdc_fast_unwrap_request(r, NULL, NULL);
2089 if (ret) {
2090 _kdc_r_log(r, 1, "FAST unwrap request from %s failed: %d", from, ret);
2091 goto out;
2092 }
2093
2094 b = &req->req_body;
2095 f = b->kdc_options;
2096
2097 if (f.canonicalize)
2098 flags |= HDB_F_CANON;
2099
2100 if (b->sname == NULL) {
2101 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
2102 _kdc_set_e_text(r, "No server in request");
2103 goto out;
2104 }
2105
2106 ret = _krb5_principalname2krb5_principal(r->context, &r->server_princ,
2107 *(b->sname), b->realm);
2108 if (!ret)
2109 ret = krb5_unparse_name(r->context, r->server_princ, &r->sname);
2110 if (ret) {
2111 kdc_log(r->context, config, 2,
2112 "AS_REQ malformed server name from %s", from);
2113 goto out;
2114 }
2115
2116 if (b->cname == NULL) {
2117 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2118 _kdc_set_e_text(r, "No client in request");
2119 goto out;
2120 }
2121
2122 ret = _krb5_principalname2krb5_principal(r->context, &r->client_princ,
2123 *(b->cname), b->realm);
2124 if (!ret)
2125 ret = krb5_unparse_name(r->context, r->client_princ, &r->cname);
2126 if (ret) {
2127 kdc_log(r->context, config, 2,
2128 "AS-REQ malformed client name from %s", from);
2129 goto out;
2130 }
2131
2132 kdc_log(r->context, config, 4, "AS-REQ %s from %s for %s",
2133 r->cname, r->from, r->sname);
2134
2135 is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
2136
2137 if (_kdc_is_anonymous(r->context, r->client_princ) &&
2138 !_kdc_is_anon_request(req)) {
2139 kdc_log(r->context, config, 2, "Anonymous client w/o anonymous flag");
2140 ret = KRB5KDC_ERR_BADOPTION;
2141 goto out;
2142 }
2143
2144 ret = _kdc_db_fetch(r->context, config, r->client_princ,
2145 HDB_F_GET_CLIENT | HDB_F_SYNTHETIC_OK | flags, NULL,
2146 &r->clientdb, &r->client);
2147 switch (ret) {
2148 case 0: /* Success */
2149 break;
2150 case HDB_ERR_NOT_FOUND_HERE:
2151 kdc_log(r->context, config, 5, "client %s does not have secrets at this KDC, need to proxy",
2152 r->cname);
2153 goto out;
2154 case HDB_ERR_WRONG_REALM: {
2155 char *fixed_client_name = NULL;
2156
2157 ret = krb5_unparse_name(r->context, r->client->principal,
2158 &fixed_client_name);
2159 if (ret) {
2160 goto out;
2161 }
2162
2163 kdc_log(r->context, config, 4, "WRONG_REALM - %s -> %s",
2164 r->cname, fixed_client_name);
2165 free(fixed_client_name);
2166
2167 r->e_text = NULL;
2168 ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto,
2169 &req->req_body,
2170 r->error_code = KRB5_KDC_ERR_WRONG_REALM,
2171 r->client->principal, r->server_princ,
2172 NULL, NULL, r->reply);
2173 goto out;
2174 }
2175 default:
2176 {
2177 msg = krb5_get_error_message(r->context, ret);
2178 kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->cname, msg);
2179 krb5_free_error_message(r->context, msg);
2180 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2181 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
2182 KDC_AUTH_EVENT_CLIENT_UNKNOWN);
2183 goto out;
2184 }
2185 }
2186 ret = _kdc_db_fetch(r->context, config, r->server_princ,
2187 HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS |
2188 flags | (is_tgs ? HDB_F_GET_KRBTGT : 0),
2189 NULL, &r->serverdb, &r->server);
2190 switch (ret) {
2191 case 0: /* Success */
2192 break;
2193 case HDB_ERR_NOT_FOUND_HERE:
2194 kdc_log(r->context, config, 5, "target %s does not have secrets at this KDC, need to proxy",
2195 r->sname);
2196 goto out;
2197 default:
2198 msg = krb5_get_error_message(r->context, ret);
2199 kdc_log(r->context, config, 4, "UNKNOWN -- %s: %s", r->sname, msg);
2200 krb5_free_error_message(r->context, msg);
2201 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
2202 goto out;
2203 }
2204
2205 /*
2206 * Select an enctype for the to-be-issued ticket's session key using the
2207 * intersection of the client's requested enctypes and the server's (like a
2208 * root krbtgt, but not necessarily) etypes from its HDB entry.
2209 */
2210 ret = _kdc_find_etype(r, (is_tgs ? KFE_IS_TGS:0) | KFE_USE_CLIENT,
2211 b->etype.val, b->etype.len,
2212 &r->sessionetype, NULL, NULL);
2213 if (ret) {
2214 kdc_log(r->context, config, 4,
2215 "Client (%s) from %s has no common enctypes with KDC "
2216 "to use for the session key",
2217 r->cname, from);
2218 goto out;
2219 }
2220
2221 /*
2222 * Pre-auth processing
2223 */
2224
2225 if(req->padata){
2226 unsigned int n;
2227
2228 log_patypes(r, req->padata);
2229
2230 /* Check if preauth matching */
2231
2232 for (n = 0; !found_pa && n < sizeof(pat) / sizeof(pat[0]); n++) {
2233 if (pat[n].validate == NULL)
2234 continue;
2235 if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST))
2236 continue;
2237
2238 kdc_log(r->context, config, 5,
2239 "Looking for %s pa-data -- %s", pat[n].name, r->cname);
2240 i = 0;
2241 pa = _kdc_find_padata(req, &i, pat[n].type);
2242 if (pa) {
2243 if (r->client->flags.synthetic &&
2244 !(pat[n].flags & PA_SYNTHETIC_OK)) {
2245 kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
2246 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2247 goto out;
2248 }
2249 if (r->client->flags.require_hwauth &&
2250 !(pat[n].flags & PA_HARDWARE_AUTH)) {
2251 kdc_log(r->context, config, 4, "Hardware authentication required for %s", r->cname);
2252
2253 ret = KRB5KDC_ERR_POLICY;
2254 goto out;
2255 }
2256 kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s",
2257 pat[n].name);
2258 ret = pat[n].validate(r, pa);
2259 if (ret != 0) {
2260 krb5_error_code ret2;
2261 Key *ckey = NULL;
2262 krb5_boolean default_salt;
2263
2264 if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED &&
2265 !kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT))
2266 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
2267 KDC_AUTH_EVENT_PREAUTH_FAILED);
2268
2269 /*
2270 * If there is a client key, send ETYPE_INFO{,2}
2271 */
2272 ret2 = _kdc_find_etype(r, KFE_IS_PREAUTH|KFE_USE_CLIENT,
2273 b->etype.val, b->etype.len,
2274 NULL, &ckey, &default_salt);
2275 if (ret2 == 0) {
2276 ret2 = get_pa_etype_info_both(r->context, config, &b->etype,
2277 r->rep.padata, ckey, !default_salt);
2278 if (ret2 != 0)
2279 ret = ret2;
2280 }
2281 goto out;
2282 }
2283 if (!kdc_audit_getkv((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT))
2284 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
2285 KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
2286 kdc_log(r->context, config, 4,
2287 "%s pre-authentication succeeded -- %s",
2288 pat[n].name, r->cname);
2289 found_pa = 1;
2290 r->pa_used = &pat[n];
2291 r->et.flags.pre_authent = 1;
2292 }
2293 }
2294 }
2295
2296 if (found_pa == 0) {
2297 Key *ckey = NULL;
2298 size_t n;
2299 krb5_boolean default_salt;
2300
2301 if (r->client->flags.synthetic) {
2302 kdc_log(r->context, config, 4, "UNKNOWN -- %s", r->cname);
2303 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2304 goto out;
2305 }
2306
2307 for (n = 0; n < sizeof(pat) / sizeof(pat[0]); n++) {
2308 if ((pat[n].flags & PA_ANNOUNCE) == 0)
2309 continue;
2310
2311 if (!r->armor_crypto && (pat[n].flags & PA_REQ_FAST))
2312 continue;
2313 if (pat[n].type == KRB5_PADATA_PKINIT_KX && !r->config->allow_anonymous)
2314 continue;
2315 if (pat[n].type == KRB5_PADATA_ENC_TIMESTAMP) {
2316 if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp)
2317 continue;
2318 if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp)
2319 continue;
2320 }
2321 if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast)
2322 continue;
2323 if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth)
2324 continue;
2325
2326 ret = krb5_padata_add(r->context, r->rep.padata,
2327 pat[n].type, NULL, 0);
2328 if (ret)
2329 goto out;
2330 }
2331
2332 /*
2333 * If there is a client key, send ETYPE_INFO{,2}
2334 */
2335 ret = _kdc_find_etype(r, KFE_IS_PREAUTH|KFE_USE_CLIENT,
2336 b->etype.val, b->etype.len,
2337 NULL, &ckey, &default_salt);
2338 if (ret == 0) {
2339 ret = get_pa_etype_info_both(r->context, config, &b->etype,
2340 r->rep.padata, ckey, !default_salt);
2341 if (ret)
2342 goto out;
2343 }
2344
2345 /*
2346 * send requre preauth is its required or anon is requested,
2347 * anon is today only allowed via preauth mechanisms.
2348 */
2349 if (require_preauth_p(r) || _kdc_is_anon_request(&r->req)) {
2350 ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
2351 _kdc_set_e_text(r, "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ");
2352 goto out;
2353 }
2354
2355 if (ckey == NULL) {
2356 ret = KRB5KDC_ERR_CLIENT_NOTYET;
2357 _kdc_set_e_text(r, "Doesn't have a client key available");
2358 goto out;
2359 }
2360 krb5_free_keyblock_contents(r->context, &r->reply_key);
2361 ret = krb5_copy_keyblock_contents(r->context, &ckey->key, &r->reply_key);
2362 if (ret)
2363 goto out;
2364 }
2365
2366 r->canon_client_princ = r->client->principal;
2367
2368 /*
2369 * Verify flags after the user been required to prove its identity
2370 * with in a preauth mech.
2371 */
2372
2373 ret = _kdc_check_access(r);
2374 if(ret)
2375 goto out;
2376
2377 if (_kdc_is_anon_request(&r->req)) {
2378 ret = _kdc_check_anon_policy(r);
2379 if (ret) {
2380 _kdc_set_e_text(r, "Anonymous ticket requests are disabled");
2381 goto out;
2382 }
2383
2384 r->et.flags.anonymous = 1;
2385 }
2386
2387 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
2388 KDC_AUTH_EVENT_CLIENT_AUTHORIZED);
2389
2390 /*
2391 * Select the best encryption type for the KDC without regard to
2392 * the client since the client never needs to read that data.
2393 */
2394
2395 ret = _kdc_get_preferred_key(r->context, config,
2396 r->server, r->sname,
2397 &setype, &skey);
2398 if(ret)
2399 goto out;
2400
2401 /* If server is not krbtgt, fetch local krbtgt key for signing authdata */
2402 if (is_tgs) {
2403 krbtgt_key = skey;
2404 } else {
2405 ret = get_local_tgs(r->context, config, r->server_princ->realm,
2406 &r->krbtgtdb, &r->krbtgt);
2407 if (ret)
2408 goto out;
2409
2410 ret = _kdc_get_preferred_key(r->context, config, r->krbtgt,
2411 r->server_princ->realm,
2412 NULL, &krbtgt_key);
2413 if (ret)
2414 goto out;
2415 }
2416
2417 if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey) {
2418 ret = KRB5KDC_ERR_BADOPTION;
2419 _kdc_set_e_text(r, "Bad KDC options");
2420 goto out;
2421 }
2422
2423 /*
2424 * Build reply
2425 */
2426 rep->pvno = 5;
2427 rep->msg_type = krb_as_rep;
2428
2429 if (!config->historical_anon_realm &&
2430 _kdc_is_anonymous(r->context, r->client_princ)) {
2431 Realm anon_realm = KRB5_ANON_REALM;
2432 ret = copy_Realm(&anon_realm, &rep->crealm);
2433 } else if (f.canonicalize || r->client->flags.force_canonicalize)
2434 ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
2435 else
2436 ret = copy_Realm(&r->client_princ->realm, &rep->crealm);
2437 if (ret)
2438 goto out;
2439 if (r->et.flags.anonymous)
2440 ret = _kdc_make_anonymous_principalname(&rep->cname);
2441 else if (f.canonicalize || r->client->flags.force_canonicalize)
2442 ret = _krb5_principal2principalname(&rep->cname, r->canon_client_princ);
2443 else
2444 ret = _krb5_principal2principalname(&rep->cname, r->client_princ);
2445 if (ret)
2446 goto out;
2447
2448 rep->ticket.tkt_vno = 5;
2449 if (f.canonicalize || r->server->flags.force_canonicalize)
2450 ret = copy_Realm(&r->server->principal->realm, &rep->ticket.realm);
2451 else
2452 ret = copy_Realm(&r->server_princ->realm, &rep->ticket.realm);
2453 if (ret)
2454 goto out;
2455 if (f.canonicalize || r->server->flags.force_canonicalize)
2456 _krb5_principal2principalname(&rep->ticket.sname,
2457 r->server->principal);
2458 else
2459 _krb5_principal2principalname(&rep->ticket.sname,
2460 r->server_princ);
2461 /* java 1.6 expects the name to be the same type, lets allow that
2462 * uncomplicated name-types. */
2463 #define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
2464 if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
2465 rep->ticket.sname.name_type = b->sname->name_type;
2466 #undef CNT
2467
2468 r->et.flags.initial = 1;
2469 if(r->client->flags.forwardable && r->server->flags.forwardable)
2470 r->et.flags.forwardable = f.forwardable;
2471 if(r->client->flags.proxiable && r->server->flags.proxiable)
2472 r->et.flags.proxiable = f.proxiable;
2473 else if (f.proxiable) {
2474 _kdc_set_e_text(r, "Ticket may not be proxiable");
2475 ret = KRB5KDC_ERR_POLICY;
2476 goto out;
2477 }
2478 if(r->client->flags.postdate && r->server->flags.postdate)
2479 r->et.flags.may_postdate = f.allow_postdate;
2480 else if (f.allow_postdate){
2481 _kdc_set_e_text(r, "Ticket may not be postdateable");
2482 ret = KRB5KDC_ERR_POLICY;
2483 goto out;
2484 }
2485
2486 if (b->addresses)
2487 kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
2488
2489 /* check for valid set of addresses */
2490 if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
2491 if (r->config->warn_ticket_addresses) {
2492 kdc_audit_setkv_bool((kdc_request_t)r, "wrongaddr", TRUE);
2493 } else {
2494 _kdc_set_e_text(r, "Request from wrong address");
2495 ret = KRB5KRB_AP_ERR_BADADDR;
2496 goto out;
2497 }
2498 }
2499
2500 ret = copy_PrincipalName(&rep->cname, &r->et.cname);
2501 if (ret)
2502 goto out;
2503 ret = copy_Realm(&rep->crealm, &r->et.crealm);
2504 if (ret)
2505 goto out;
2506
2507 {
2508 time_t start;
2509 time_t t;
2510
2511 start = r->et.authtime = kdc_time;
2512
2513 if(f.postdated && req->req_body.from){
2514 ALLOC(r->et.starttime);
2515 start = *r->et.starttime = *req->req_body.from;
2516 r->et.flags.invalid = 1;
2517 r->et.flags.postdated = 1; /* XXX ??? */
2518 }
2519 _kdc_fix_time(&b->till);
2520 t = *b->till;
2521
2522 /* be careful not to overflow */
2523
2524 /*
2525 * Pre-auth can override r->client->max_life if configured.
2526 *
2527 * See pre-auth methods, specifically PKINIT, which can get or derive
2528 * this from the client's certificate.
2529 */
2530 if (r->pa_max_life > 0)
2531 t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_max_life));
2532 else if (r->client->max_life && *r->client->max_life)
2533 t = rk_time_add(start, min(rk_time_sub(t, start),
2534 *r->client->max_life));
2535
2536 if (r->server->max_life && *r->server->max_life)
2537 t = rk_time_add(start, min(rk_time_sub(t, start),
2538 *r->server->max_life));
2539
2540 /* Pre-auth can bound endtime as well */
2541 if (r->pa_endtime > 0)
2542 t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_endtime));
2543 #if 0
2544 t = min(t, rk_time_add(start, realm->max_life));
2545 #endif
2546 r->et.endtime = t;
2547
2548 if (start > r->et.endtime) {
2549 _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
2550 ret = KRB5KDC_ERR_NEVER_VALID;
2551 goto out;
2552 }
2553
2554 if(f.renewable_ok && r->et.endtime < *b->till){
2555 f.renewable = 1;
2556 if(b->rtime == NULL){
2557 ALLOC(b->rtime);
2558 *b->rtime = 0;
2559 }
2560 if(*b->rtime < *b->till)
2561 *b->rtime = *b->till;
2562 }
2563 if(f.renewable && b->rtime){
2564 t = *b->rtime;
2565 if(t == 0)
2566 t = MAX_TIME;
2567 if(r->client->max_renew && *r->client->max_renew)
2568 t = rk_time_add(start, min(rk_time_sub(t, start),
2569 *r->client->max_renew));
2570 if(r->server->max_renew && *r->server->max_renew)
2571 t = rk_time_add(start, min(rk_time_sub(t, start),
2572 *r->server->max_renew));
2573 #if 0
2574 t = min(t, rk_time_add(start, realm->max_renew));
2575 #endif
2576 ALLOC(r->et.renew_till);
2577 *r->et.renew_till = t;
2578 r->et.flags.renewable = 1;
2579 }
2580 }
2581
2582 if(b->addresses){
2583 ALLOC(r->et.caddr);
2584 copy_HostAddresses(b->addresses, r->et.caddr);
2585 }
2586
2587 r->et.transited.tr_type = domain_X500_Compress;
2588 krb5_data_zero(&r->et.transited.contents);
2589
2590 /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
2591 * as 0 and as 0x80 (meaning indefinite length) apart, and is thus
2592 * incapable of correctly decoding SEQUENCE OF's of zero length.
2593 *
2594 * To fix this, always send at least one no-op last_req
2595 *
2596 * If there's a pw_end or valid_end we will use that,
2597 * otherwise just a dummy lr.
2598 */
2599 r->ek.last_req.val = malloc(2 * sizeof(*r->ek.last_req.val));
2600 if (r->ek.last_req.val == NULL) {
2601 ret = ENOMEM;
2602 goto out;
2603 }
2604 r->ek.last_req.len = 0;
2605 if (r->client->pw_end
2606 && (config->kdc_warn_pwexpire == 0
2607 || kdc_time + config->kdc_warn_pwexpire >= *r->client->pw_end)) {
2608 r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_PW_EXPTIME;
2609 r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->pw_end;
2610 ++r->ek.last_req.len;
2611 }
2612 if (r->client->valid_end) {
2613 r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
2614 r->ek.last_req.val[r->ek.last_req.len].lr_value = *r->client->valid_end;
2615 ++r->ek.last_req.len;
2616 }
2617 if (r->ek.last_req.len == 0) {
2618 r->ek.last_req.val[r->ek.last_req.len].lr_type = LR_NONE;
2619 r->ek.last_req.val[r->ek.last_req.len].lr_value = 0;
2620 ++r->ek.last_req.len;
2621 }
2622 r->ek.nonce = b->nonce;
2623 if (r->client->valid_end || r->client->pw_end) {
2624 ALLOC(r->ek.key_expiration);
2625 if (r->client->valid_end) {
2626 if (r->client->pw_end)
2627 *r->ek.key_expiration = min(*r->client->valid_end,
2628 *r->client->pw_end);
2629 else
2630 *r->ek.key_expiration = *r->client->valid_end;
2631 } else
2632 *r->ek.key_expiration = *r->client->pw_end;
2633 } else
2634 r->ek.key_expiration = NULL;
2635 r->ek.flags = r->et.flags;
2636 r->ek.authtime = r->et.authtime;
2637 if (r->et.starttime) {
2638 ALLOC(r->ek.starttime);
2639 *r->ek.starttime = *r->et.starttime;
2640 }
2641 r->ek.endtime = r->et.endtime;
2642 if (r->et.renew_till) {
2643 ALLOC(r->ek.renew_till);
2644 *r->ek.renew_till = *r->et.renew_till;
2645 }
2646 ret = copy_Realm(&rep->ticket.realm, &r->ek.srealm);
2647 if (ret)
2648 goto out;
2649 ret = copy_PrincipalName(&rep->ticket.sname, &r->ek.sname);
2650 if (ret)
2651 goto out;
2652 if(r->et.caddr){
2653 ALLOC(r->ek.caddr);
2654 copy_HostAddresses(r->et.caddr, r->ek.caddr);
2655 }
2656
2657 /*
2658 * Check session and reply keys
2659 */
2660
2661 if (r->session_key.keytype == ETYPE_NULL) {
2662 ret = krb5_generate_random_keyblock(r->context, r->sessionetype, &r->session_key);
2663 if (ret)
2664 goto out;
2665 }
2666
2667 if (r->reply_key.keytype == ETYPE_NULL) {
2668 _kdc_set_e_text(r, "Client has no reply key");
2669 ret = KRB5KDC_ERR_CLIENT_NOTYET;
2670 goto out;
2671 }
2672
2673 ret = copy_EncryptionKey(&r->session_key, &r->et.key);
2674 if (ret)
2675 goto out;
2676
2677 ret = copy_EncryptionKey(&r->session_key, &r->ek.key);
2678 if (ret)
2679 goto out;
2680
2681 /* Add the PAC */
2682 if (!r->et.flags.anonymous) {
2683 ret = generate_pac(r, skey, krbtgt_key, is_tgs);
2684 if (ret)
2685 goto out;
2686 }
2687
2688 if (r->client->flags.synthetic) {
2689 ret = add_synthetic_princ_ad(r);
2690 if (ret)
2691 goto out;
2692 }
2693
2694 _kdc_log_timestamp(r, "AS-REQ", r->et.authtime,
2695 r->et.starttime, r->et.endtime,
2696 r->et.renew_till);
2697
2698 _log_astgs_req(r, setype);
2699
2700 /*
2701 * We always say we support FAST/enc-pa-rep
2702 */
2703
2704 r->et.flags.enc_pa_rep = r->ek.flags.enc_pa_rep = 1;
2705
2706 /*
2707 * update reply-key with strengthen-key
2708 */
2709
2710 ret = _kdc_fast_strengthen_reply_key(r);
2711 if (ret)
2712 goto out;
2713
2714 /*
2715 * Add REQ_ENC_PA_REP if client supports it
2716 */
2717
2718 i = 0;
2719 pa = _kdc_find_padata(req, &i, KRB5_PADATA_REQ_ENC_PA_REP);
2720 if (pa) {
2721
2722 ret = add_enc_pa_rep(r);
2723 if (ret) {
2724 msg = krb5_get_error_message(r->context, ret);
2725 _kdc_r_log(r, 4, "add_enc_pa_rep failed: %s: %d", msg, ret);
2726 krb5_free_error_message(r->context, msg);
2727 goto out;
2728 }
2729 }
2730
2731 /*
2732 * Last chance for plugins to update reply
2733 */
2734 ret = _kdc_finalize_reply(r);
2735 if (ret)
2736 goto out;
2737
2738 /*
2739 * Don't send kvno from client entry if the pre-authentication
2740 * mechanism replaced the reply key.
2741 */
2742
2743 ret = _kdc_encode_reply(r->context, config,
2744 r, req->req_body.nonce, setype,
2745 r->server->kvno, &skey->key,
2746 pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? 0 : r->client->kvno,
2747 0, r->reply);
2748 if (ret)
2749 goto out;
2750
2751 /*
2752 * Check if message is too large
2753 */
2754 if (r->datagram_reply && r->reply->length > config->max_datagram_reply_length) {
2755 krb5_data_free(r->reply);
2756 ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
2757 _kdc_set_e_text(r, "Reply packet too large");
2758 }
2759
2760 out:
2761 if (ret) {
2762 /* Overwrite ‘error_code’ only if we have an actual error. */
2763 r->error_code = ret;
2764 }
2765 {
2766 krb5_error_code ret2 = _kdc_audit_request(r);
2767 if (ret2) {
2768 krb5_data_free(r->reply);
2769 ret = ret2;
2770 }
2771 }
2772
2773 /*
2774 * In case of a non proxy error, build an error message.
2775 */
2776 if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0)
2777 ret = _kdc_fast_mk_error(r,
2778 r->rep.padata,
2779 r->armor_crypto,
2780 &req->req_body,
2781 r->error_code ? r->error_code : ret,
2782 r->client_princ,
2783 r->server_princ,
2784 NULL, NULL,
2785 r->reply);
2786
2787 if (r->pa_used && r->pa_used->cleanup)
2788 r->pa_used->cleanup(r);
2789
2790 free_AS_REP(&r->rep);
2791 free_EncTicketPart(&r->et);
2792 free_EncKDCRepPart(&r->ek);
2793 _kdc_free_fast_state(&r->fast);
2794
2795 if (r->client_princ) {
2796 krb5_free_principal(r->context, r->client_princ);
2797 r->client_princ = NULL;
2798 }
2799 if (r->server_princ){
2800 krb5_free_principal(r->context, r->server_princ);
2801 r->server_princ = NULL;
2802 }
2803 if (r->client)
2804 _kdc_free_ent(r->context, r->clientdb, r->client);
2805 if (r->server)
2806 _kdc_free_ent(r->context, r->serverdb, r->server);
2807 if (r->krbtgt)
2808 _kdc_free_ent(r->context, r->krbtgtdb, r->krbtgt);
2809 if (r->armor_crypto) {
2810 krb5_crypto_destroy(r->context, r->armor_crypto);
2811 r->armor_crypto = NULL;
2812 }
2813 if (r->armor_ticket)
2814 krb5_free_ticket(r->context, r->armor_ticket);
2815 if (r->armor_server)
2816 _kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
2817 krb5_free_keyblock_contents(r->context, &r->reply_key);
2818 krb5_free_keyblock_contents(r->context, &r->session_key);
2819 krb5_free_keyblock_contents(r->context, &r->strengthen_key);
2820 krb5_pac_free(r->context, r->pac);
2821
2822 return ret;
2823 }
Heimdal