1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6
7 /*
8 * kdc/do_as_req.c
9 *
10 * Copyright 1990,1991 by the Massachusetts Institute of Technology.
11 * All Rights Reserved.
12 *
13 * Export of this software from the United States of America may
14 * require a specific license from the United States Government.
15 * It is the responsibility of any person or organization contemplating
16 * export to obtain such a license before exporting.
17 *
18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19 * distribute this software and its documentation for any purpose and
20 * without fee is hereby granted, provided that the above copyright
21 * notice appear in all copies and that both that copyright notice and
22 * this permission notice appear in supporting documentation, and that
23 * the name of M.I.T. not be used in advertising or publicity pertaining
24 * to distribution of the software without specific, written prior
25 * permission. Furthermore if you modify this software you must label
26 * your software as modified software and not distribute it in such a
27 * fashion that it might be confused with the original M.I.T. software.
28 * M.I.T. makes no representations about the suitability of
29 * this software for any purpose. It is provided "as is" without express
30 * or implied warranty.
31 *
32 *
33 * KDC Routines to deal with AS_REQ's
34 */
35
36 #define NEED_SOCKETS
37 #include "k5-int.h"
38 #include "com_err.h"
39
40 #include <syslog.h>
41 #ifdef HAVE_NETINET_IN_H
42 #include <sys/types.h>
43 #include <netinet/in.h>
44 #ifndef hpux
45 #include <arpa/inet.h>
46 #endif /* hpux */
47 #endif /* HAVE_NETINET_IN_H */
48
49 #include "kdc_util.h"
50 #include "policy.h"
51 #include "adm.h"
52 #include "adm_proto.h"
53 #include "extern.h"
54
55 static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *,
56 krb5_data **, const char *);
57
58 /*ARGSUSED*/
59 krb5_error_code
process_as_req(krb5_kdc_req * request,krb5_data * req_pkt,const krb5_fulladdr * from,krb5_data ** response)60 process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
61 const krb5_fulladdr *from, krb5_data **response)
62 {
63 krb5_db_entry client, server;
64 krb5_kdc_rep reply;
65 krb5_enc_kdc_rep_part reply_encpart;
66 krb5_ticket ticket_reply;
67 krb5_enc_tkt_part enc_tkt_reply;
68 krb5_error_code errcode;
69 int c_nprincs = 0, s_nprincs = 0;
70 krb5_boolean more;
71 krb5_timestamp kdc_time, authtime, etime = 0;
72 krb5_keyblock session_key;
73 krb5_keyblock encrypting_key;
74 const char *status;
75 krb5_key_data *server_key, *client_key;
76 krb5_enctype useenctype;
77 #ifdef KRBCONF_KDC_MODIFIES_KDB
78 krb5_boolean update_client = 0;
79 #endif /* KRBCONF_KDC_MODIFIES_KDB */
80 krb5_data e_data;
81 register int i;
82 krb5_timestamp until, rtime;
83 long long tmp_client_times, tmp_server_times, tmp_realm_times;
84 char *cname = 0, *sname = 0;
85 const char *fromstring = 0;
86 char ktypestr[128];
87 char rep_etypestr[128];
88 char fromstringbuf[70];
89 void *pa_context = NULL;
90 struct in_addr from_in4; /* IPv4 address of sender */
91
92 ticket_reply.enc_part.ciphertext.data = 0;
93 e_data.data = 0;
94 (void) memset(&encrypting_key, 0, sizeof(krb5_keyblock));
95 reply.padata = 0; /* avoid bogus free in error_out */
96 (void) memset(&session_key, 0, sizeof(krb5_keyblock));
97 enc_tkt_reply.authorization_data = NULL;
98
99 ktypes2str(ktypestr, sizeof(ktypestr),
100 request->nktypes, request->ktype);
101
102 (void) memcpy(&from_in4, from->address->contents, /* SUNW */
103 sizeof (struct in_addr));
104
105 fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype),
106 &from_in4,
107 fromstringbuf, sizeof(fromstringbuf));
108 if (!fromstring)
109 fromstring = "<unknown>";
110
111 if (!request->client) {
112 status = "NULL_CLIENT";
113 errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
114 goto errout;
115 }
116 if ((errcode = krb5_unparse_name(kdc_context, request->client, &cname))) {
117 status = "UNPARSING_CLIENT";
118 goto errout;
119 }
120 limit_string(cname);
121 if (!request->server) {
122 status = "NULL_SERVER";
123 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
124 goto errout;
125 }
126 if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
127 status = "UNPARSING_SERVER";
128 goto errout;
129 }
130 limit_string(sname);
131
132 c_nprincs = 1;
133 if ((errcode = krb5_db_get_principal(kdc_context, request->client,
134 &client, &c_nprincs, &more))) {
135 status = "LOOKING_UP_CLIENT";
136 c_nprincs = 0;
137 goto errout;
138 }
139 if (more) {
140 status = "NON-UNIQUE_CLIENT";
141 errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
142 goto errout;
143 } else if (c_nprincs != 1) {
144 status = "CLIENT_NOT_FOUND";
145 #ifdef KRBCONF_VAGUE_ERRORS
146 errcode = KRB5KRB_ERR_GENERIC;
147 #else
148 errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
149 #endif
150 goto errout;
151 }
152
153 s_nprincs = 1;
154 if ((errcode = krb5_db_get_principal(kdc_context, request->server, &server,
155 &s_nprincs, &more))) {
156 status = "LOOKING_UP_SERVER";
157 goto errout;
158 }
159 if (more) {
160 status = "NON-UNIQUE_SERVER";
161 errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
162 goto errout;
163 } else if (s_nprincs != 1) {
164 status = "SERVER_NOT_FOUND";
165 errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
166 goto errout;
167 }
168
169 if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
170 status = "TIMEOFDAY";
171 goto errout;
172 }
173
174 if ((errcode = validate_as_request(request, client, server,
175 kdc_time, &status))) {
176 if (!status)
177 status = "UNKNOWN_REASON";
178 errcode += ERROR_TABLE_BASE_krb5;
179 goto errout;
180 }
181
182 /*
183 * Select the keytype for the ticket session key.
184 */
185 if ((useenctype = select_session_keytype(kdc_context, &server,
186 request->nktypes,
187 request->ktype)) == 0) {
188 /* unsupported ktype */
189 status = "BAD_ENCRYPTION_TYPE";
190 errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
191 goto errout;
192 }
193
194 if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
195 &session_key))) {
196 /* random key failed */
197 status = "RANDOM_KEY_FAILED";
198 goto errout;
199 }
200
201 ticket_reply.server = request->server;
202
203 enc_tkt_reply.flags = 0;
204 setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL);
205
206 /* It should be noted that local policy may affect the */
207 /* processing of any of these flags. For example, some */
208 /* realms may refuse to issue renewable tickets */
209
210 if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
211 setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
212
213 if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
214 setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
215
216 if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
217 setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
218
219 enc_tkt_reply.session = &session_key;
220 enc_tkt_reply.client = request->client;
221 enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
222 enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
223
224 enc_tkt_reply.times.authtime = kdc_time;
225
226 if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
227 setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
228 setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
229 enc_tkt_reply.times.starttime = request->from;
230 } else
231 enc_tkt_reply.times.starttime = kdc_time;
232
233 until = (request->till == 0) ? kdc_infinity : request->till;
234 /* These numbers could easily be large
235 * use long long variables to ensure that they don't
236 * result in negative values when added.
237 */
238
239 tmp_client_times = (long long) enc_tkt_reply.times.starttime + client.max_life;
240
241 tmp_server_times = (long long) enc_tkt_reply.times.starttime + server.max_life;
242
243 tmp_realm_times = (long long) enc_tkt_reply.times.starttime + max_life_for_realm;
244
245 enc_tkt_reply.times.endtime =
246 min(until,
247 min(tmp_client_times,
248 min(tmp_server_times,
249 min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
250
251 if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
252 !isflagset(client.attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
253 (enc_tkt_reply.times.endtime < request->till)) {
254
255 /* we set the RENEWABLE option for later processing */
256
257 setflag(request->kdc_options, KDC_OPT_RENEWABLE);
258 request->rtime = request->till;
259 }
260 rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
261
262 if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
263 /*
264 * XXX Should we squelch the output renew_till to be no
265 * earlier than the endtime of the ticket?
266 */
267 setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
268 tmp_client_times = (double) enc_tkt_reply.times.starttime + client.max_renewable_life;
269
270 tmp_server_times = (double) enc_tkt_reply.times.starttime + server.max_renewable_life;
271
272 tmp_realm_times = (double) enc_tkt_reply.times.starttime + max_renewable_life_for_realm;
273
274 enc_tkt_reply.times.renew_till =
275 min(rtime, min(tmp_client_times,
276 min(tmp_server_times,
277 min(tmp_realm_times,KRB5_KDB_EXPIRATION))));
278 } else
279 enc_tkt_reply.times.renew_till = 0; /* XXX */
280
281 /* starttime is optional, and treated as authtime if not present.
282 so we can nuke it if it matches */
283 if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
284 enc_tkt_reply.times.starttime = 0;
285
286 enc_tkt_reply.caddrs = request->addresses;
287 enc_tkt_reply.authorization_data = 0;
288
289 /*
290 * Check the preauthentication if it is there.
291 */
292 if (request->padata) {
293 errcode = check_padata(kdc_context, &client, req_pkt, request,
294 &enc_tkt_reply, &pa_context, &e_data);
295 if (errcode) {
296 #ifdef KRBCONF_KDC_MODIFIES_KDB
297 /*
298 * Note: this doesn't work if you're using slave servers!!!
299 * It also causes the database to be modified (and thus
300 * need to be locked) frequently.
301 */
302 if (client.fail_auth_count < KRB5_MAX_FAIL_COUNT) {
303 client.fail_auth_count = client.fail_auth_count + 1;
304 if (client.fail_auth_count == KRB5_MAX_FAIL_COUNT) {
305 client.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
306 }
307 }
308 client.last_failed = kdc_time;
309 update_client = 1;
310 #endif
311 status = "PREAUTH_FAILED";
312 #ifdef KRBCONF_VAGUE_ERRORS
313 errcode = KRB5KRB_ERR_GENERIC;
314 #endif
315 goto errout;
316 }
317 }
318
319 /*
320 * Final check before handing out ticket: If the client requires
321 * preauthentication, verify that the proper kind of
322 * preauthentication was carried out.
323 */
324 status = missing_required_preauth(&client, &server, &enc_tkt_reply);
325 if (status) {
326 errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
327 get_preauth_hint_list(request, &client, &server, &e_data);
328 goto errout;
329 }
330
331 ticket_reply.enc_part2 = &enc_tkt_reply;
332
333 /*
334 * Find the server key
335 */
336 if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
337 -1, /* ignore keytype */
338 -1, /* Ignore salttype */
339 0, /* Get highest kvno */
340 &server_key))) {
341 status = "FINDING_SERVER_KEY";
342 goto errout;
343 }
344
345 /* convert server.key into a real key (it may be encrypted
346 in the database) */
347 if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, &master_keyblock,
348 server_key, &encrypting_key,
349 NULL))) {
350 status = "DECRYPT_SERVER_KEY";
351 goto errout;
352 }
353
354 errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
355 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
356 encrypting_key.contents = 0;
357 if (errcode) {
358 status = "ENCRYPTING_TICKET";
359 goto errout;
360 }
361 ticket_reply.enc_part.kvno = server_key->key_data_kvno;
362
363 /*
364 * Find the appropriate client key. We search in the order specified
365 * by request keytype list.
366 */
367 client_key = (krb5_key_data *) NULL;
368 for (i = 0; i < request->nktypes; i++) {
369 useenctype = request->ktype[i];
370 if (!krb5_c_valid_enctype(useenctype))
371 continue;
372
373 if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1,
374 0, &client_key))
375 break;
376 }
377 if (!(client_key)) {
378 /* Cannot find an appropriate key */
379 status = "CANT_FIND_CLIENT_KEY";
380 errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
381 goto errout;
382 }
383
384 /* convert client.key_data into a real key */
385 if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, &master_keyblock,
386 client_key, &encrypting_key,
387 NULL))) {
388 status = "DECRYPT_CLIENT_KEY";
389 goto errout;
390 }
391 encrypting_key.enctype = useenctype;
392
393 /* Start assembling the response */
394 reply.msg_type = KRB5_AS_REP;
395 reply.client = request->client;
396 reply.ticket = &ticket_reply;
397 reply_encpart.session = &session_key;
398 if ((errcode = fetch_last_req_info(&client, &reply_encpart.last_req))) {
399 status = "FETCH_LAST_REQ";
400 goto errout;
401 }
402 reply_encpart.nonce = request->nonce;
403
404 /*
405 * Take the minimum of expiration or pw_expiration if not zero.
406 */
407 if (client.expiration != 0 && client.pw_expiration != 0)
408 etime = min(client.expiration, client.pw_expiration);
409 else
410 etime = client.expiration ? client.expiration : client.pw_expiration;
411
412 reply_encpart.key_exp = etime;
413 reply_encpart.flags = enc_tkt_reply.flags;
414 reply_encpart.server = ticket_reply.server;
415
416 /* copy the time fields EXCEPT for authtime; it's location
417 is used for ktime */
418 reply_encpart.times = enc_tkt_reply.times;
419 reply_encpart.times.authtime = authtime = kdc_time;
420
421 reply_encpart.caddrs = enc_tkt_reply.caddrs;
422
423 /* Fetch the padata info to be returned */
424 errcode = return_padata(kdc_context, &client, req_pkt, request,
425 &reply, client_key, &encrypting_key, &pa_context);
426 if (errcode) {
427 status = "KDC_RETURN_PADATA";
428 goto errout;
429 }
430
431 /* now encode/encrypt the response */
432
433 reply.enc_part.enctype = encrypting_key.enctype;
434
435 errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &reply_encpart,
436 0, &encrypting_key, &reply, response);
437 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
438 encrypting_key.contents = 0;
439 reply.enc_part.kvno = client_key->key_data_kvno;
440
441 if (errcode) {
442 status = "ENCODE_KDC_REP";
443 goto errout;
444 }
445
446 /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
447 can use them in raw form if needed. But, we don't... */
448 memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
449 free(reply.enc_part.ciphertext.data);
450
451 /* SUNW14resync:
452 * The third argument to audit_krb5kdc_as_req() is zero as the local
453 * portnumber is no longer passed to process_as_req().
454 */
455 audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port, 0,
456 cname, sname, 0);
457 rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
458 krb5_klog_syslog(LOG_INFO,
459 "AS_REQ (%s) %s: ISSUE: authtime %d, "
460 "%s, %s for %s",
461 ktypestr,
462 fromstring, authtime,
463 rep_etypestr,
464 cname, sname);
465
466 #ifdef KRBCONF_KDC_MODIFIES_KDB
467 /*
468 * If we get this far, we successfully did the AS_REQ.
469 */
470 client.last_success = kdc_time;
471 client.fail_auth_count = 0;
472 update_client = 1;
473 #endif /* KRBCONF_KDC_MODIFIES_KDB */
474
475 errout:
476 if (pa_context)
477 free_padata_context(kdc_context, &pa_context);
478
479 if (status) {
480 const char *emsg = NULL;
481 if (errcode)
482 emsg = krb5_get_error_message (kdc_context, errcode);
483
484 audit_krb5kdc_as_req(&from_in4, (in_port_t)from->port,
485 0, cname, sname, errcode);
486 krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s: %s: %s for %s%s%s",
487 ktypestr,
488 fromstring, status,
489 cname ? cname : "<unknown client>",
490 sname ? sname : "<unknown server>",
491 errcode ? ", " : "",
492 errcode ? emsg : "");
493 if (errcode)
494 krb5_free_error_message (kdc_context, emsg);
495 }
496 if (errcode) {
497 int got_err = 0;
498 if (status == 0) {
499 status = krb5_get_error_message (kdc_context, errcode);
500 got_err = 1;
501 }
502 errcode -= ERROR_TABLE_BASE_krb5;
503 if (errcode < 0 || errcode > 128)
504 errcode = KRB_ERR_GENERIC;
505
506 errcode = prepare_error_as(request, errcode, &e_data, response,
507 status);
508 if (got_err) {
509 krb5_free_error_message (kdc_context, status);
510 status = 0;
511 }
512 }
513
514 if (enc_tkt_reply.authorization_data != NULL)
515 krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
516 if (encrypting_key.contents)
517 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
518 if (reply.padata)
519 krb5_free_pa_data(kdc_context, reply.padata);
520
521 if (cname)
522 free(cname);
523 if (sname)
524 free(sname);
525 if (c_nprincs) {
526 #ifdef KRBCONF_KDC_MODIFIES_KDB
527 if (update_client) {
528 krb5_db_put_principal(kdc_context, &client, &c_nprincs);
529 /*
530 * ptooey. We want krb5_db_sync() or something like that.
531 */
532 krb5_db_fini(kdc_context);
533 if (kdc_active_realm->realm_dbname)
534 krb5_db_set_name(kdc_active_realm->realm_context,
535 kdc_active_realm->realm_dbname);
536 krb5_db_init(kdc_context);
537 /* Reset master key */
538 krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_mkey);
539 }
540 #endif /* KRBCONF_KDC_MODIFIES_KDB */
541 krb5_db_free_principal(kdc_context, &client, c_nprincs);
542 }
543 if (s_nprincs)
544 krb5_db_free_principal(kdc_context, &server, s_nprincs);
545 if (session_key.contents)
546 krb5_free_keyblock_contents(kdc_context, &session_key);
547 if (ticket_reply.enc_part.ciphertext.data) {
548 memset(ticket_reply.enc_part.ciphertext.data , 0,
549 ticket_reply.enc_part.ciphertext.length);
550 free(ticket_reply.enc_part.ciphertext.data);
551 }
552
553 krb5_free_data_contents(kdc_context, &e_data);
554
555 return errcode;
556 }
557
558 static krb5_error_code
prepare_error_as(krb5_kdc_req * request,int error,krb5_data * e_data,krb5_data ** response,const char * status)559 prepare_error_as (krb5_kdc_req *request, int error, krb5_data *e_data,
560 krb5_data **response, const char *status)
561 {
562 krb5_error errpkt;
563 krb5_error_code retval;
564 krb5_data *scratch;
565
566 errpkt.ctime = request->nonce;
567 errpkt.cusec = 0;
568
569 if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
570 &errpkt.susec)))
571 return(retval);
572 errpkt.error = error;
573 errpkt.server = request->server;
574 errpkt.client = request->client;
575 errpkt.text.length = strlen(status)+1;
576 if (!(errpkt.text.data = malloc(errpkt.text.length)))
577 return ENOMEM;
578 (void) strcpy(errpkt.text.data, status);
579
580 if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
581 free(errpkt.text.data);
582 return ENOMEM;
583 }
584 if (e_data && e_data->data) {
585 errpkt.e_data = *e_data;
586 } else {
587 errpkt.e_data.length = 0;
588 errpkt.e_data.data = 0;
589 }
590
591 retval = krb5_mk_error(kdc_context, &errpkt, scratch);
592 free(errpkt.text.data);
593 if (retval)
594 free(scratch);
595 else
596 *response = scratch;
597
598 return retval;
599 }
600