xref: /freebsd/crypto/heimdal/kdc/kerberos5.c (revision d4eeb02986980bf33dd56c41ceb9fc5f180c0d47)
1 /*
2  * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kdc_locl.h"
35 
36 #define MAX_TIME ((time_t)((1U << 31) - 1))
37 
38 void
39 _kdc_fix_time(time_t **t)
40 {
41     if(*t == NULL){
42 	ALLOC(*t);
43 	**t = MAX_TIME;
44     }
45     if(**t == 0) **t = MAX_TIME; /* fix for old clients */
46 }
47 
48 static int
49 realloc_method_data(METHOD_DATA *md)
50 {
51     PA_DATA *pa;
52     pa = realloc(md->val, (md->len + 1) * sizeof(*md->val));
53     if(pa == NULL)
54 	return ENOMEM;
55     md->val = pa;
56     md->len++;
57     return 0;
58 }
59 
60 static void
61 set_salt_padata(METHOD_DATA *md, Salt *salt)
62 {
63     if (salt) {
64        realloc_method_data(md);
65        md->val[md->len - 1].padata_type = salt->type;
66        der_copy_octet_string(&salt->salt,
67                              &md->val[md->len - 1].padata_value);
68     }
69 }
70 
71 const PA_DATA*
72 _kdc_find_padata(const KDC_REQ *req, int *start, int type)
73 {
74     if (req->padata == NULL)
75 	return NULL;
76 
77     while((size_t)*start < req->padata->len){
78 	(*start)++;
79 	if(req->padata->val[*start - 1].padata_type == (unsigned)type)
80 	    return &req->padata->val[*start - 1];
81     }
82     return NULL;
83 }
84 
85 /*
86  * This is a hack to allow predefined weak services, like afs to
87  * still use weak types
88  */
89 
90 krb5_boolean
91 _kdc_is_weak_exception(krb5_principal principal, krb5_enctype etype)
92 {
93     if (principal->name.name_string.len > 0 &&
94 	strcmp(principal->name.name_string.val[0], "afs") == 0 &&
95 	(etype == ETYPE_DES_CBC_CRC
96 	 || etype == ETYPE_DES_CBC_MD4
97 	 || etype == ETYPE_DES_CBC_MD5))
98 	return TRUE;
99     return FALSE;
100 }
101 
102 
103 /*
104  * Detect if `key' is the using the the precomputed `default_salt'.
105  */
106 
107 static krb5_boolean
108 is_default_salt_p(const krb5_salt *default_salt, const Key *key)
109 {
110     if (key->salt == NULL)
111 	return TRUE;
112     if (default_salt->salttype != key->salt->type)
113 	return FALSE;
114     if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt))
115 	return FALSE;
116     return TRUE;
117 }
118 
119 /*
120  * return the first appropriate key of `princ' in `ret_key'.  Look for
121  * all the etypes in (`etypes', `len'), stopping as soon as we find
122  * one, but preferring one that has default salt
123  */
124 
125 krb5_error_code
126 _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
127 		krb5_boolean is_preauth, hdb_entry_ex *princ,
128 		krb5_enctype *etypes, unsigned len,
129 		krb5_enctype *ret_enctype, Key **ret_key)
130 {
131     krb5_error_code ret;
132     krb5_salt def_salt;
133     krb5_enctype enctype = ETYPE_NULL;
134     Key *key;
135     int i;
136 
137     /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
138     ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
139     if (ret)
140 	return ret;
141 
142     ret = KRB5KDC_ERR_ETYPE_NOSUPP;
143 
144     if (use_strongest_session_key) {
145 	const krb5_enctype *p;
146 	krb5_enctype clientbest = ETYPE_NULL;
147 	int j;
148 
149 	/*
150 	 * Pick the strongest key that the KDC, target service, and
151 	 * client all support, using the local cryptosystem enctype
152 	 * list in strongest-to-weakest order to drive the search.
153 	 *
154 	 * This is not what RFC4120 says to do, but it encourages
155 	 * adoption of stronger enctypes.  This doesn't play well with
156 	 * clients that have multiple Kerberos client implementations
157 	 * available with different supported enctype lists.
158 	 */
159 
160 	/* drive the search with local supported enctypes list */
161 	p = krb5_kerberos_enctypes(context);
162 	for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
163 	    if (krb5_enctype_valid(context, p[i]) != 0)
164 		continue;
165 
166 	    /* check that the client supports it too */
167 	    for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
168 		if (p[i] != etypes[j])
169 		    continue;
170 		/* save best of union of { client, crypto system } */
171 		if (clientbest == ETYPE_NULL)
172 		    clientbest = p[i];
173 		/* check target princ support */
174 		ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
175 		if (ret)
176 		    continue;
177 		if (is_preauth && !is_default_salt_p(&def_salt, key))
178 		    continue;
179 		enctype = p[i];
180 	    }
181 	}
182 	if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
183 	    enctype = clientbest;
184 	else if (enctype == ETYPE_NULL)
185 	    ret = KRB5KDC_ERR_ETYPE_NOSUPP;
186 	if (ret == 0 && ret_enctype != NULL)
187 	    *ret_enctype = enctype;
188 	if (ret == 0 && ret_key != NULL)
189 	    *ret_key = key;
190     } else {
191 	/*
192 	 * Pick the first key from the client's enctype list that is
193 	 * supported by the cryptosystem and by the given principal.
194 	 *
195 	 * RFC4120 says we SHOULD pick the first _strong_ key from the
196 	 * client's list... not the first key...  If the admin disallows
197 	 * weak enctypes in krb5.conf and selects this key selection
198 	 * algorithm, then we get exactly what RFC4120 says.
199 	 */
200 	for(key = NULL, i = 0; ret != 0 && i < len; i++, key = NULL) {
201 
202 	    if (krb5_enctype_valid(context, etypes[i]) != 0 &&
203 		!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
204 		continue;
205 
206 	    while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
207 		if (key->key.keyvalue.length == 0) {
208 		    ret = KRB5KDC_ERR_NULL_KEY;
209 		    continue;
210 		}
211 		if (ret_key != NULL)
212 		    *ret_key = key;
213 		if (ret_enctype != NULL)
214 		    *ret_enctype = etypes[i];
215 		ret = 0;
216 		if (is_preauth && is_default_salt_p(&def_salt, key))
217 		    goto out;
218 	    }
219 	}
220     }
221 
222 out:
223     krb5_free_salt (context, def_salt);
224     return ret;
225 }
226 
227 krb5_error_code
228 _kdc_make_anonymous_principalname (PrincipalName *pn)
229 {
230     pn->name_type = KRB5_NT_PRINCIPAL;
231     pn->name_string.len = 1;
232     pn->name_string.val = malloc(sizeof(*pn->name_string.val));
233     if (pn->name_string.val == NULL)
234 	return ENOMEM;
235     pn->name_string.val[0] = strdup("anonymous");
236     if (pn->name_string.val[0] == NULL) {
237 	free(pn->name_string.val);
238 	pn->name_string.val = NULL;
239 	return ENOMEM;
240     }
241     return 0;
242 }
243 
244 void
245 _kdc_log_timestamp(krb5_context context,
246 		   krb5_kdc_configuration *config,
247 		   const char *type,
248 		   KerberosTime authtime, KerberosTime *starttime,
249 		   KerberosTime endtime, KerberosTime *renew_till)
250 {
251     char authtime_str[100], starttime_str[100],
252 	endtime_str[100], renewtime_str[100];
253 
254     krb5_format_time(context, authtime,
255 		     authtime_str, sizeof(authtime_str), TRUE);
256     if (starttime)
257 	krb5_format_time(context, *starttime,
258 			 starttime_str, sizeof(starttime_str), TRUE);
259     else
260 	strlcpy(starttime_str, "unset", sizeof(starttime_str));
261     krb5_format_time(context, endtime,
262 		     endtime_str, sizeof(endtime_str), TRUE);
263     if (renew_till)
264 	krb5_format_time(context, *renew_till,
265 			 renewtime_str, sizeof(renewtime_str), TRUE);
266     else
267 	strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
268 
269     kdc_log(context, config, 5,
270 	    "%s authtime: %s starttime: %s endtime: %s renew till: %s",
271 	    type, authtime_str, starttime_str, endtime_str, renewtime_str);
272 }
273 
274 static void
275 log_patypes(krb5_context context,
276 	    krb5_kdc_configuration *config,
277 	    METHOD_DATA *padata)
278 {
279     struct rk_strpool *p = NULL;
280     char *str;
281     size_t i;
282 
283     for (i = 0; i < padata->len; i++) {
284 	switch(padata->val[i].padata_type) {
285 	case KRB5_PADATA_PK_AS_REQ:
286 	    p = rk_strpoolprintf(p, "PK-INIT(ietf)");
287 	    break;
288 	case KRB5_PADATA_PK_AS_REQ_WIN:
289 	    p = rk_strpoolprintf(p, "PK-INIT(win2k)");
290 	    break;
291 	case KRB5_PADATA_PA_PK_OCSP_RESPONSE:
292 	    p = rk_strpoolprintf(p, "OCSP");
293 	    break;
294 	case KRB5_PADATA_ENC_TIMESTAMP:
295 	    p = rk_strpoolprintf(p, "encrypted-timestamp");
296 	    break;
297 	default:
298 	    p = rk_strpoolprintf(p, "%d", padata->val[i].padata_type);
299 	    break;
300 	}
301 	if (p && i + 1 < padata->len)
302 	    p = rk_strpoolprintf(p, ", ");
303 	if (p == NULL) {
304 	    kdc_log(context, config, 0, "out of memory");
305 	    return;
306 	}
307     }
308     if (p == NULL)
309 	p = rk_strpoolprintf(p, "none");
310 
311     str = rk_strpoolcollect(p);
312     kdc_log(context, config, 0, "Client sent patypes: %s", str);
313     free(str);
314 }
315 
316 /*
317  *
318  */
319 
320 
321 krb5_error_code
322 _kdc_encode_reply(krb5_context context,
323 		  krb5_kdc_configuration *config,
324 		  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
325 		  krb5_enctype etype,
326 		  int skvno, const EncryptionKey *skey,
327 		  int ckvno, const EncryptionKey *reply_key,
328 		  int rk_is_subkey,
329 		  const char **e_text,
330 		  krb5_data *reply)
331 {
332     unsigned char *buf;
333     size_t buf_size;
334     size_t len = 0;
335     krb5_error_code ret;
336     krb5_crypto crypto;
337 
338     ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
339     if(ret) {
340 	const char *msg = krb5_get_error_message(context, ret);
341 	kdc_log(context, config, 0, "Failed to encode ticket: %s", msg);
342 	krb5_free_error_message(context, msg);
343 	return ret;
344     }
345     if(buf_size != len) {
346 	free(buf);
347 	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
348 	*e_text = "KDC internal error";
349 	return KRB5KRB_ERR_GENERIC;
350     }
351 
352     ret = krb5_crypto_init(context, skey, etype, &crypto);
353     if (ret) {
354         const char *msg;
355 	free(buf);
356 	msg = krb5_get_error_message(context, ret);
357 	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
358 	krb5_free_error_message(context, msg);
359 	return ret;
360     }
361 
362     ret = krb5_encrypt_EncryptedData(context,
363 				     crypto,
364 				     KRB5_KU_TICKET,
365 				     buf,
366 				     len,
367 				     skvno,
368 				     &rep->ticket.enc_part);
369     free(buf);
370     krb5_crypto_destroy(context, crypto);
371     if(ret) {
372 	const char *msg = krb5_get_error_message(context, ret);
373 	kdc_log(context, config, 0, "Failed to encrypt data: %s", msg);
374 	krb5_free_error_message(context, msg);
375 	return ret;
376     }
377 
378     if(rep->msg_type == krb_as_rep && !config->encode_as_rep_as_tgs_rep)
379 	ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret);
380     else
381 	ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
382     if(ret) {
383 	const char *msg = krb5_get_error_message(context, ret);
384 	kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
385 	krb5_free_error_message(context, msg);
386 	return ret;
387     }
388     if(buf_size != len) {
389 	free(buf);
390 	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
391 	*e_text = "KDC internal error";
392 	return KRB5KRB_ERR_GENERIC;
393     }
394     ret = krb5_crypto_init(context, reply_key, 0, &crypto);
395     if (ret) {
396 	const char *msg = krb5_get_error_message(context, ret);
397 	free(buf);
398 	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
399 	krb5_free_error_message(context, msg);
400 	return ret;
401     }
402     if(rep->msg_type == krb_as_rep) {
403 	krb5_encrypt_EncryptedData(context,
404 				   crypto,
405 				   KRB5_KU_AS_REP_ENC_PART,
406 				   buf,
407 				   len,
408 				   ckvno,
409 				   &rep->enc_part);
410 	free(buf);
411 	ASN1_MALLOC_ENCODE(AS_REP, buf, buf_size, rep, &len, ret);
412     } else {
413 	krb5_encrypt_EncryptedData(context,
414 				   crypto,
415 				   rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION,
416 				   buf,
417 				   len,
418 				   ckvno,
419 				   &rep->enc_part);
420 	free(buf);
421 	ASN1_MALLOC_ENCODE(TGS_REP, buf, buf_size, rep, &len, ret);
422     }
423     krb5_crypto_destroy(context, crypto);
424     if(ret) {
425 	const char *msg = krb5_get_error_message(context, ret);
426 	kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
427 	krb5_free_error_message(context, msg);
428 	return ret;
429     }
430     if(buf_size != len) {
431 	free(buf);
432 	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
433 	*e_text = "KDC internal error";
434 	return KRB5KRB_ERR_GENERIC;
435     }
436     reply->data = buf;
437     reply->length = buf_size;
438     return 0;
439 }
440 
441 /*
442  * Return 1 if the client have only older enctypes, this is for
443  * determining if the server should send ETYPE_INFO2 or not.
444  */
445 
446 static int
447 older_enctype(krb5_enctype enctype)
448 {
449     switch (enctype) {
450     case ETYPE_DES_CBC_CRC:
451     case ETYPE_DES_CBC_MD4:
452     case ETYPE_DES_CBC_MD5:
453     case ETYPE_DES3_CBC_SHA1:
454     case ETYPE_ARCFOUR_HMAC_MD5:
455     case ETYPE_ARCFOUR_HMAC_MD5_56:
456     /*
457      * The following three is "old" windows enctypes and is needed for
458      * windows 2000 hosts.
459      */
460     case ETYPE_ARCFOUR_MD4:
461     case ETYPE_ARCFOUR_HMAC_OLD:
462     case ETYPE_ARCFOUR_HMAC_OLD_EXP:
463 	return 1;
464     default:
465 	return 0;
466     }
467 }
468 
469 /*
470  *
471  */
472 
473 static krb5_error_code
474 make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
475 {
476     ent->etype = key->key.keytype;
477     if(key->salt){
478 #if 0
479 	ALLOC(ent->salttype);
480 
481 	if(key->salt->type == hdb_pw_salt)
482 	    *ent->salttype = 0; /* or 1? or NULL? */
483 	else if(key->salt->type == hdb_afs3_salt)
484 	    *ent->salttype = 2;
485 	else {
486 	    kdc_log(context, config, 0, "unknown salt-type: %d",
487 		    key->salt->type);
488 	    return KRB5KRB_ERR_GENERIC;
489 	}
490 	/* according to `the specs', we can't send a salt if
491 	   we have AFS3 salted key, but that requires that you
492 	   *know* what cell you are using (e.g by assuming
493 	   that the cell is the same as the realm in lower
494 	   case) */
495 #elif 0
496 	ALLOC(ent->salttype);
497 	*ent->salttype = key->salt->type;
498 #else
499 	/*
500 	 * We shouldn't sent salttype since it is incompatible with the
501 	 * specification and it breaks windows clients.  The afs
502 	 * salting problem is solved by using KRB5-PADATA-AFS3-SALT
503 	 * implemented in Heimdal 0.7 and later.
504 	 */
505 	ent->salttype = NULL;
506 #endif
507 	krb5_copy_data(context, &key->salt->salt,
508 		       &ent->salt);
509     } else {
510 	/* we return no salt type at all, as that should indicate
511 	 * the default salt type and make everybody happy.  some
512 	 * systems (like w2k) dislike being told the salt type
513 	 * here. */
514 
515 	ent->salttype = NULL;
516 	ent->salt = NULL;
517     }
518     return 0;
519 }
520 
521 static krb5_error_code
522 get_pa_etype_info(krb5_context context,
523 		  krb5_kdc_configuration *config,
524 		  METHOD_DATA *md, Key *ckey)
525 {
526     krb5_error_code ret = 0;
527     ETYPE_INFO pa;
528     unsigned char *buf;
529     size_t len;
530 
531 
532     pa.len = 1;
533     pa.val = calloc(1, sizeof(pa.val[0]));
534     if(pa.val == NULL)
535 	return ENOMEM;
536 
537     ret = make_etype_info_entry(context, &pa.val[0], ckey);
538     if (ret) {
539 	free_ETYPE_INFO(&pa);
540 	return ret;
541     }
542 
543     ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret);
544     free_ETYPE_INFO(&pa);
545     if(ret)
546 	return ret;
547     ret = realloc_method_data(md);
548     if(ret) {
549 	free(buf);
550 	return ret;
551     }
552     md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO;
553     md->val[md->len - 1].padata_value.length = len;
554     md->val[md->len - 1].padata_value.data = buf;
555     return 0;
556 }
557 
558 /*
559  *
560  */
561 
562 extern int _krb5_AES_string_to_default_iterator;
563 
564 static krb5_error_code
565 make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
566 {
567     ent->etype = key->key.keytype;
568     if(key->salt) {
569 	ALLOC(ent->salt);
570 	if (ent->salt == NULL)
571 	    return ENOMEM;
572 	*ent->salt = malloc(key->salt->salt.length + 1);
573 	if (*ent->salt == NULL) {
574 	    free(ent->salt);
575 	    ent->salt = NULL;
576 	    return ENOMEM;
577 	}
578 	memcpy(*ent->salt, key->salt->salt.data, key->salt->salt.length);
579 	(*ent->salt)[key->salt->salt.length] = '\0';
580     } else
581 	ent->salt = NULL;
582 
583     ent->s2kparams = NULL;
584 
585     switch (key->key.keytype) {
586     case ETYPE_AES128_CTS_HMAC_SHA1_96:
587     case ETYPE_AES256_CTS_HMAC_SHA1_96:
588 	ALLOC(ent->s2kparams);
589 	if (ent->s2kparams == NULL)
590 	    return ENOMEM;
591 	ent->s2kparams->length = 4;
592 	ent->s2kparams->data = malloc(ent->s2kparams->length);
593 	if (ent->s2kparams->data == NULL) {
594 	    free(ent->s2kparams);
595 	    ent->s2kparams = NULL;
596 	    return ENOMEM;
597 	}
598 	_krb5_put_int(ent->s2kparams->data,
599 		      _krb5_AES_string_to_default_iterator,
600 		      ent->s2kparams->length);
601 	break;
602     case ETYPE_DES_CBC_CRC:
603     case ETYPE_DES_CBC_MD4:
604     case ETYPE_DES_CBC_MD5:
605 	/* Check if this was a AFS3 salted key */
606 	if(key->salt && key->salt->type == hdb_afs3_salt){
607 	    ALLOC(ent->s2kparams);
608 	    if (ent->s2kparams == NULL)
609 		return ENOMEM;
610 	    ent->s2kparams->length = 1;
611 	    ent->s2kparams->data = malloc(ent->s2kparams->length);
612 	    if (ent->s2kparams->data == NULL) {
613 		free(ent->s2kparams);
614 		ent->s2kparams = NULL;
615 		return ENOMEM;
616 	    }
617 	    _krb5_put_int(ent->s2kparams->data,
618 			  1,
619 			  ent->s2kparams->length);
620 	}
621 	break;
622     default:
623 	break;
624     }
625     return 0;
626 }
627 
628 /*
629  * Return an ETYPE-INFO2. Enctypes are storted the same way as in the
630  * database (client supported enctypes first, then the unsupported
631  * enctypes).
632  */
633 
634 static krb5_error_code
635 get_pa_etype_info2(krb5_context context,
636 		   krb5_kdc_configuration *config,
637 		   METHOD_DATA *md, Key *ckey)
638 {
639     krb5_error_code ret = 0;
640     ETYPE_INFO2 pa;
641     unsigned char *buf;
642     size_t len;
643 
644     pa.len = 1;
645     pa.val = calloc(1, sizeof(pa.val[0]));
646     if(pa.val == NULL)
647 	return ENOMEM;
648 
649     ret = make_etype_info2_entry(&pa.val[0], ckey);
650     if (ret) {
651 	free_ETYPE_INFO2(&pa);
652 	return ret;
653     }
654 
655     ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret);
656     free_ETYPE_INFO2(&pa);
657     if(ret)
658 	return ret;
659     ret = realloc_method_data(md);
660     if(ret) {
661 	free(buf);
662 	return ret;
663     }
664     md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO2;
665     md->val[md->len - 1].padata_value.length = len;
666     md->val[md->len - 1].padata_value.data = buf;
667     return 0;
668 }
669 
670 /*
671  *
672  */
673 
674 static void
675 log_as_req(krb5_context context,
676 	   krb5_kdc_configuration *config,
677 	   krb5_enctype cetype,
678 	   krb5_enctype setype,
679 	   const KDC_REQ_BODY *b)
680 {
681     krb5_error_code ret;
682     struct rk_strpool *p;
683     char *str;
684     size_t i;
685 
686     p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
687 
688     for (i = 0; i < b->etype.len; i++) {
689 	ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
690 	if (ret == 0) {
691 	    p = rk_strpoolprintf(p, "%s", str);
692 	    free(str);
693 	} else
694 	    p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
695 	if (p && i + 1 < b->etype.len)
696 	    p = rk_strpoolprintf(p, ", ");
697 	if (p == NULL) {
698 	    kdc_log(context, config, 0, "out of memory");
699 	    return;
700 	}
701     }
702     if (p == NULL)
703 	p = rk_strpoolprintf(p, "no encryption types");
704 
705     {
706 	char *cet;
707 	char *set;
708 
709 	ret = krb5_enctype_to_string(context, cetype, &cet);
710 	if(ret == 0) {
711 	    ret = krb5_enctype_to_string(context, setype, &set);
712 	    if (ret == 0) {
713 		p = rk_strpoolprintf(p, ", using %s/%s", cet, set);
714 		free(set);
715 	    }
716 	    free(cet);
717 	}
718 	if (ret != 0)
719 	    p = rk_strpoolprintf(p, ", using enctypes %d/%d",
720 				 cetype, setype);
721     }
722 
723     str = rk_strpoolcollect(p);
724     kdc_log(context, config, 0, "%s", str);
725     free(str);
726 
727     {
728 	char fixedstr[128];
729 	unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(),
730 		      fixedstr, sizeof(fixedstr));
731 	if(*fixedstr)
732 	    kdc_log(context, config, 0, "Requested flags: %s", fixedstr);
733     }
734 }
735 
736 /*
737  * verify the flags on `client' and `server', returning 0
738  * if they are OK and generating an error messages and returning
739  * and error code otherwise.
740  */
741 
742 krb5_error_code
743 kdc_check_flags(krb5_context context,
744 		krb5_kdc_configuration *config,
745 		hdb_entry_ex *client_ex, const char *client_name,
746 		hdb_entry_ex *server_ex, const char *server_name,
747 		krb5_boolean is_as_req)
748 {
749     if(client_ex != NULL) {
750 	hdb_entry *client = &client_ex->entry;
751 
752 	/* check client */
753 	if (client->flags.locked_out) {
754 	    kdc_log(context, config, 0,
755 		    "Client (%s) is locked out", client_name);
756 	    return KRB5KDC_ERR_POLICY;
757 	}
758 
759 	if (client->flags.invalid) {
760 	    kdc_log(context, config, 0,
761 		    "Client (%s) has invalid bit set", client_name);
762 	    return KRB5KDC_ERR_POLICY;
763 	}
764 
765 	if(!client->flags.client){
766 	    kdc_log(context, config, 0,
767 		    "Principal may not act as client -- %s", client_name);
768 	    return KRB5KDC_ERR_POLICY;
769 	}
770 
771 	if (client->valid_start && *client->valid_start > kdc_time) {
772 	    char starttime_str[100];
773 	    krb5_format_time(context, *client->valid_start,
774 			     starttime_str, sizeof(starttime_str), TRUE);
775 	    kdc_log(context, config, 0,
776 		    "Client not yet valid until %s -- %s",
777 		    starttime_str, client_name);
778 	    return KRB5KDC_ERR_CLIENT_NOTYET;
779 	}
780 
781 	if (client->valid_end && *client->valid_end < kdc_time) {
782 	    char endtime_str[100];
783 	    krb5_format_time(context, *client->valid_end,
784 			     endtime_str, sizeof(endtime_str), TRUE);
785 	    kdc_log(context, config, 0,
786 		    "Client expired at %s -- %s",
787 		    endtime_str, client_name);
788 	    return KRB5KDC_ERR_NAME_EXP;
789 	}
790 
791 	if (client->pw_end && *client->pw_end < kdc_time
792 	    && (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
793 	    char pwend_str[100];
794 	    krb5_format_time(context, *client->pw_end,
795 			     pwend_str, sizeof(pwend_str), TRUE);
796 	    kdc_log(context, config, 0,
797 		    "Client's key has expired at %s -- %s",
798 		    pwend_str, client_name);
799 	    return KRB5KDC_ERR_KEY_EXPIRED;
800 	}
801     }
802 
803     /* check server */
804 
805     if (server_ex != NULL) {
806 	hdb_entry *server = &server_ex->entry;
807 
808 	if (server->flags.locked_out) {
809 	    kdc_log(context, config, 0,
810 		    "Client server locked out -- %s", server_name);
811 	    return KRB5KDC_ERR_POLICY;
812 	}
813 	if (server->flags.invalid) {
814 	    kdc_log(context, config, 0,
815 		    "Server has invalid flag set -- %s", server_name);
816 	    return KRB5KDC_ERR_POLICY;
817 	}
818 
819 	if(!server->flags.server){
820 	    kdc_log(context, config, 0,
821 		    "Principal may not act as server -- %s", server_name);
822 	    return KRB5KDC_ERR_POLICY;
823 	}
824 
825 	if(!is_as_req && server->flags.initial) {
826 	    kdc_log(context, config, 0,
827 		    "AS-REQ is required for server -- %s", server_name);
828 	    return KRB5KDC_ERR_POLICY;
829 	}
830 
831 	if (server->valid_start && *server->valid_start > kdc_time) {
832 	    char starttime_str[100];
833 	    krb5_format_time(context, *server->valid_start,
834 			     starttime_str, sizeof(starttime_str), TRUE);
835 	    kdc_log(context, config, 0,
836 		    "Server not yet valid until %s -- %s",
837 		    starttime_str, server_name);
838 	    return KRB5KDC_ERR_SERVICE_NOTYET;
839 	}
840 
841 	if (server->valid_end && *server->valid_end < kdc_time) {
842 	    char endtime_str[100];
843 	    krb5_format_time(context, *server->valid_end,
844 			     endtime_str, sizeof(endtime_str), TRUE);
845 	    kdc_log(context, config, 0,
846 		    "Server expired at %s -- %s",
847 		    endtime_str, server_name);
848 	    return KRB5KDC_ERR_SERVICE_EXP;
849 	}
850 
851 	if (server->pw_end && *server->pw_end < kdc_time) {
852 	    char pwend_str[100];
853 	    krb5_format_time(context, *server->pw_end,
854 			     pwend_str, sizeof(pwend_str), TRUE);
855 	    kdc_log(context, config, 0,
856 		    "Server's key has expired at -- %s",
857 		    pwend_str, server_name);
858 	    return KRB5KDC_ERR_KEY_EXPIRED;
859 	}
860     }
861     return 0;
862 }
863 
864 /*
865  * Return TRUE if `from' is part of `addresses' taking into consideration
866  * the configuration variables that tells us how strict we should be about
867  * these checks
868  */
869 
870 krb5_boolean
871 _kdc_check_addresses(krb5_context context,
872 		     krb5_kdc_configuration *config,
873 		     HostAddresses *addresses, const struct sockaddr *from)
874 {
875     krb5_error_code ret;
876     krb5_address addr;
877     krb5_boolean result;
878     krb5_boolean only_netbios = TRUE;
879     size_t i;
880 
881     if(config->check_ticket_addresses == 0)
882 	return TRUE;
883 
884     if(addresses == NULL)
885 	return config->allow_null_ticket_addresses;
886 
887     for (i = 0; i < addresses->len; ++i) {
888 	if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
889 	    only_netbios = FALSE;
890 	}
891     }
892 
893     /* Windows sends it's netbios name, which I can only assume is
894      * used for the 'allowed workstations' check.  This is painful,
895      * but we still want to check IP addresses if they happen to be
896      * present.
897      */
898 
899     if(only_netbios)
900 	return config->allow_null_ticket_addresses;
901 
902     ret = krb5_sockaddr2address (context, from, &addr);
903     if(ret)
904 	return FALSE;
905 
906     result = krb5_address_search(context, &addr, addresses);
907     krb5_free_address (context, &addr);
908     return result;
909 }
910 
911 /*
912  *
913  */
914 
915 static krb5_boolean
916 send_pac_p(krb5_context context, KDC_REQ *req)
917 {
918     krb5_error_code ret;
919     PA_PAC_REQUEST pacreq;
920     const PA_DATA *pa;
921     int i = 0;
922 
923     pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
924     if (pa == NULL)
925 	return TRUE;
926 
927     ret = decode_PA_PAC_REQUEST(pa->padata_value.data,
928 				pa->padata_value.length,
929 				&pacreq,
930 				NULL);
931     if (ret)
932 	return TRUE;
933     i = pacreq.include_pac;
934     free_PA_PAC_REQUEST(&pacreq);
935     if (i == 0)
936 	return FALSE;
937     return TRUE;
938 }
939 
940 krb5_boolean
941 _kdc_is_anonymous(krb5_context context, krb5_principal principal)
942 {
943     if (principal->name.name_type != KRB5_NT_WELLKNOWN ||
944 	principal->name.name_string.len != 2 ||
945 	strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
946 	strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
947 	return 0;
948     return 1;
949 }
950 
951 /*
952  *
953  */
954 
955 krb5_error_code
956 _kdc_as_rep(krb5_context context,
957 	    krb5_kdc_configuration *config,
958 	    KDC_REQ *req,
959 	    const krb5_data *req_buffer,
960 	    krb5_data *reply,
961 	    const char *from,
962 	    struct sockaddr *from_addr,
963 	    int datagram_reply)
964 {
965     KDC_REQ_BODY *b = &req->req_body;
966     AS_REP rep;
967     KDCOptions f = b->kdc_options;
968     hdb_entry_ex *client = NULL, *server = NULL;
969     HDB *clientdb;
970     krb5_enctype setype, sessionetype;
971     krb5_data e_data;
972     EncTicketPart et;
973     EncKDCRepPart ek;
974     krb5_principal client_princ = NULL, server_princ = NULL;
975     char *client_name = NULL, *server_name = NULL;
976     krb5_error_code ret = 0;
977     const char *e_text = NULL;
978     krb5_crypto crypto;
979     Key *ckey, *skey;
980     EncryptionKey *reply_key = NULL, session_key;
981     int flags = HDB_F_FOR_AS_REQ;
982 #ifdef PKINIT
983     pk_client_params *pkp = NULL;
984 #endif
985 
986     memset(&rep, 0, sizeof(rep));
987     memset(&session_key, 0, sizeof(session_key));
988     krb5_data_zero(&e_data);
989 
990     ALLOC(rep.padata);
991     rep.padata->len = 0;
992     rep.padata->val = NULL;
993 
994     if (f.canonicalize)
995 	flags |= HDB_F_CANON;
996 
997     if(b->sname == NULL){
998 	ret = KRB5KRB_ERR_GENERIC;
999 	e_text = "No server in request";
1000     } else{
1001 	ret = _krb5_principalname2krb5_principal (context,
1002 						  &server_princ,
1003 						  *(b->sname),
1004 						  b->realm);
1005 	if (ret == 0)
1006 	    ret = krb5_unparse_name(context, server_princ, &server_name);
1007     }
1008     if (ret) {
1009 	kdc_log(context, config, 0,
1010 		"AS-REQ malformed server name from %s", from);
1011 	goto out;
1012     }
1013     if(b->cname == NULL){
1014 	ret = KRB5KRB_ERR_GENERIC;
1015 	e_text = "No client in request";
1016     } else {
1017 	ret = _krb5_principalname2krb5_principal (context,
1018 						  &client_princ,
1019 						  *(b->cname),
1020 						  b->realm);
1021 	if (ret)
1022 	    goto out;
1023 
1024 	ret = krb5_unparse_name(context, client_princ, &client_name);
1025     }
1026     if (ret) {
1027 	kdc_log(context, config, 0,
1028 		"AS-REQ malformed client name from %s", from);
1029 	goto out;
1030     }
1031 
1032     kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
1033 	    client_name, from, server_name);
1034 
1035     /*
1036      *
1037      */
1038 
1039     if (_kdc_is_anonymous(context, client_princ)) {
1040 	if (!b->kdc_options.request_anonymous) {
1041 	    kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
1042 	    ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1043 	    goto out;
1044 	}
1045     } else if (b->kdc_options.request_anonymous) {
1046 	kdc_log(context, config, 0,
1047 		"Request for a anonymous ticket with non "
1048 		"anonymous client name: %s", client_name);
1049 	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1050 	goto out;
1051     }
1052 
1053     /*
1054      *
1055      */
1056 
1057     ret = _kdc_db_fetch(context, config, client_princ,
1058 			HDB_F_GET_CLIENT | flags, NULL,
1059 			&clientdb, &client);
1060     if(ret == HDB_ERR_NOT_FOUND_HERE) {
1061 	kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
1062 	goto out;
1063     } else if(ret){
1064 	const char *msg = krb5_get_error_message(context, ret);
1065 	kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
1066 	krb5_free_error_message(context, msg);
1067 	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1068 	goto out;
1069     }
1070     ret = _kdc_db_fetch(context, config, server_princ,
1071 			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
1072 			NULL, NULL, &server);
1073     if(ret == HDB_ERR_NOT_FOUND_HERE) {
1074 	kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);
1075 	goto out;
1076     } else if(ret){
1077 	const char *msg = krb5_get_error_message(context, ret);
1078 	kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
1079 	krb5_free_error_message(context, msg);
1080 	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1081 	goto out;
1082     }
1083 
1084     memset(&et, 0, sizeof(et));
1085     memset(&ek, 0, sizeof(ek));
1086 
1087     /*
1088      * Select a session enctype from the list of the crypto system
1089      * supported enctypes that is supported by the client and is one of
1090      * the enctype of the enctype of the service (likely krbtgt).
1091      *
1092      * The latter is used as a hint of what enctypes all KDC support,
1093      * to make sure a newer version of KDC won't generate a session
1094      * enctype that an older version of a KDC in the same realm can't
1095      * decrypt.
1096      */
1097     ret = _kdc_find_etype(context,
1098 			  krb5_principal_is_krbtgt(context, server_princ) ?
1099 			  config->tgt_use_strongest_session_key :
1100 			  config->svc_use_strongest_session_key, FALSE,
1101 			  client, b->etype.val, b->etype.len, &sessionetype,
1102 			  NULL);
1103     if (ret) {
1104 	kdc_log(context, config, 0,
1105 		"Client (%s) from %s has no common enctypes with KDC "
1106 		"to use for the session key",
1107 		client_name, from);
1108 	goto out;
1109     }
1110     /*
1111      * But if the KDC admin is paranoid and doesn't want to have "not
1112      * the best" enctypes on the krbtgt, lets save the best pick from
1113      * the client list and hope that that will work for any other
1114      * KDCs.
1115      */
1116 
1117     /*
1118      * Pre-auth processing
1119      */
1120 
1121     if(req->padata){
1122 	int i;
1123 	const PA_DATA *pa;
1124 	int found_pa = 0;
1125 
1126 	log_patypes(context, config, req->padata);
1127 
1128 #ifdef PKINIT
1129 	kdc_log(context, config, 5,
1130 		"Looking for PKINIT pa-data -- %s", client_name);
1131 
1132 	e_text = "No PKINIT PA found";
1133 
1134 	i = 0;
1135 	pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ);
1136 	if (pa == NULL) {
1137 	    i = 0;
1138 	    pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN);
1139 	}
1140 	if (pa) {
1141 	    char *client_cert = NULL;
1142 
1143 	    ret = _kdc_pk_rd_padata(context, config, req, pa, client, &pkp);
1144 	    if (ret) {
1145 		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
1146 		kdc_log(context, config, 5,
1147 			"Failed to decode PKINIT PA-DATA -- %s",
1148 			client_name);
1149 		goto ts_enc;
1150 	    }
1151 	    if (ret == 0 && pkp == NULL)
1152 		goto ts_enc;
1153 
1154 	    ret = _kdc_pk_check_client(context,
1155 				       config,
1156 				       clientdb,
1157 				       client,
1158 				       pkp,
1159 				       &client_cert);
1160 	    if (ret) {
1161 		e_text = "PKINIT certificate not allowed to "
1162 		    "impersonate principal";
1163 		_kdc_pk_free_client_param(context, pkp);
1164 
1165 		kdc_log(context, config, 0, "%s", e_text);
1166 		pkp = NULL;
1167 		goto out;
1168 	    }
1169 
1170 	    found_pa = 1;
1171 	    et.flags.pre_authent = 1;
1172 	    kdc_log(context, config, 0,
1173 		    "PKINIT pre-authentication succeeded -- %s using %s",
1174 		    client_name, client_cert);
1175 	    free(client_cert);
1176 	    if (pkp)
1177 		goto preauth_done;
1178 	}
1179     ts_enc:
1180 #endif
1181 	kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s",
1182 		client_name);
1183 
1184 	i = 0;
1185 	e_text = "No ENC-TS found";
1186 	while((pa = _kdc_find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
1187 	    krb5_data ts_data;
1188 	    PA_ENC_TS_ENC p;
1189 	    size_t len;
1190 	    EncryptedData enc_data;
1191 	    Key *pa_key;
1192 	    char *str;
1193 
1194 	    found_pa = 1;
1195 
1196 	    if (b->kdc_options.request_anonymous) {
1197 		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
1198 		kdc_log(context, config, 0, "ENC-TS doesn't support anon");
1199 		goto out;
1200 	    }
1201 
1202 	    ret = decode_EncryptedData(pa->padata_value.data,
1203 				       pa->padata_value.length,
1204 				       &enc_data,
1205 				       &len);
1206 	    if (ret) {
1207 		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
1208 		kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s",
1209 			client_name);
1210 		goto out;
1211 	    }
1212 
1213 	    ret = hdb_enctype2key(context, &client->entry,
1214 				  enc_data.etype, &pa_key);
1215 	    if(ret){
1216 		char *estr;
1217 		e_text = "No key matches pa-data";
1218 		ret = KRB5KDC_ERR_ETYPE_NOSUPP;
1219 		if(krb5_enctype_to_string(context, enc_data.etype, &estr))
1220 		    estr = NULL;
1221 		if(estr == NULL)
1222 		    kdc_log(context, config, 5,
1223 			    "No client key matching pa-data (%d) -- %s",
1224 			    enc_data.etype, client_name);
1225 		else
1226 		    kdc_log(context, config, 5,
1227 			    "No client key matching pa-data (%s) -- %s",
1228 			    estr, client_name);
1229 		free(estr);
1230 		free_EncryptedData(&enc_data);
1231 
1232 		continue;
1233 	    }
1234 
1235 	try_next_key:
1236 	    ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
1237 	    if (ret) {
1238 		const char *msg = krb5_get_error_message(context, ret);
1239 		kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1240 		krb5_free_error_message(context, msg);
1241 		free_EncryptedData(&enc_data);
1242 		continue;
1243 	    }
1244 
1245 	    ret = krb5_decrypt_EncryptedData (context,
1246 					      crypto,
1247 					      KRB5_KU_PA_ENC_TIMESTAMP,
1248 					      &enc_data,
1249 					      &ts_data);
1250 	    krb5_crypto_destroy(context, crypto);
1251 	    /*
1252 	     * Since the user might have several keys with the same
1253 	     * enctype but with diffrent salting, we need to try all
1254 	     * the keys with the same enctype.
1255 	     */
1256 	    if(ret){
1257 		krb5_error_code ret2;
1258 		const char *msg = krb5_get_error_message(context, ret);
1259 
1260 		ret2 = krb5_enctype_to_string(context,
1261 					      pa_key->key.keytype, &str);
1262 		if (ret2)
1263 		    str = NULL;
1264 		kdc_log(context, config, 5,
1265 			"Failed to decrypt PA-DATA -- %s "
1266 			"(enctype %s) error %s",
1267 			client_name, str ? str : "unknown enctype", msg);
1268 		krb5_free_error_message(context, msg);
1269 		free(str);
1270 
1271 		if(hdb_next_enctype2key(context, &client->entry,
1272 					enc_data.etype, &pa_key) == 0)
1273 		    goto try_next_key;
1274 		e_text = "Failed to decrypt PA-DATA";
1275 
1276 		free_EncryptedData(&enc_data);
1277 
1278 		if (clientdb->hdb_auth_status)
1279 		    (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD);
1280 
1281 		ret = KRB5KDC_ERR_PREAUTH_FAILED;
1282 		continue;
1283 	    }
1284 	    free_EncryptedData(&enc_data);
1285 	    ret = decode_PA_ENC_TS_ENC(ts_data.data,
1286 				       ts_data.length,
1287 				       &p,
1288 				       &len);
1289 	    krb5_data_free(&ts_data);
1290 	    if(ret){
1291 		e_text = "Failed to decode PA-ENC-TS-ENC";
1292 		ret = KRB5KDC_ERR_PREAUTH_FAILED;
1293 		kdc_log(context, config,
1294 			5, "Failed to decode PA-ENC-TS_ENC -- %s",
1295 			client_name);
1296 		continue;
1297 	    }
1298 	    free_PA_ENC_TS_ENC(&p);
1299 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
1300 		char client_time[100];
1301 
1302 		krb5_format_time(context, p.patimestamp,
1303 				 client_time, sizeof(client_time), TRUE);
1304 
1305  		ret = KRB5KRB_AP_ERR_SKEW;
1306  		kdc_log(context, config, 0,
1307 			"Too large time skew, "
1308 			"client time %s is out by %u > %u seconds -- %s",
1309 			client_time,
1310 			(unsigned)abs(kdc_time - p.patimestamp),
1311 			context->max_skew,
1312 			client_name);
1313 
1314 		/*
1315 		 * The following is needed to make windows clients to
1316 		 * retry using the timestamp in the error message, if
1317 		 * there is a e_text, they become unhappy.
1318 		 */
1319 		e_text = NULL;
1320 		goto out;
1321 	    }
1322 	    et.flags.pre_authent = 1;
1323 
1324 	    set_salt_padata(rep.padata, pa_key->salt);
1325 
1326 	    reply_key = &pa_key->key;
1327 
1328 	    ret = krb5_enctype_to_string(context, pa_key->key.keytype, &str);
1329 	    if (ret)
1330 		str = NULL;
1331 
1332 	    kdc_log(context, config, 2,
1333 		    "ENC-TS Pre-authentication succeeded -- %s using %s",
1334 		    client_name, str ? str : "unknown enctype");
1335 	    free(str);
1336 	    break;
1337 	}
1338 #ifdef PKINIT
1339     preauth_done:
1340 #endif
1341 	if(found_pa == 0 && config->require_preauth)
1342 	    goto use_pa;
1343 	/* We come here if we found a pa-enc-timestamp, but if there
1344            was some problem with it, other than too large skew */
1345 	if(found_pa && et.flags.pre_authent == 0){
1346 	    kdc_log(context, config, 0, "%s -- %s", e_text, client_name);
1347 	    e_text = NULL;
1348 	    goto out;
1349 	}
1350     }else if (config->require_preauth
1351 	      || b->kdc_options.request_anonymous /* hack to force anon */
1352 	      || client->entry.flags.require_preauth
1353 	      || server->entry.flags.require_preauth) {
1354 	METHOD_DATA method_data;
1355 	PA_DATA *pa;
1356 	unsigned char *buf;
1357 	size_t len;
1358 
1359     use_pa:
1360 	method_data.len = 0;
1361 	method_data.val = NULL;
1362 
1363 	ret = realloc_method_data(&method_data);
1364 	if (ret) {
1365 	    free_METHOD_DATA(&method_data);
1366 	    goto out;
1367 	}
1368 	pa = &method_data.val[method_data.len-1];
1369 	pa->padata_type		= KRB5_PADATA_ENC_TIMESTAMP;
1370 	pa->padata_value.length	= 0;
1371 	pa->padata_value.data	= NULL;
1372 
1373 #ifdef PKINIT
1374 	ret = realloc_method_data(&method_data);
1375 	if (ret) {
1376 	    free_METHOD_DATA(&method_data);
1377 	    goto out;
1378 	}
1379 	pa = &method_data.val[method_data.len-1];
1380 	pa->padata_type		= KRB5_PADATA_PK_AS_REQ;
1381 	pa->padata_value.length	= 0;
1382 	pa->padata_value.data	= NULL;
1383 
1384 	ret = realloc_method_data(&method_data);
1385 	if (ret) {
1386 	    free_METHOD_DATA(&method_data);
1387 	    goto out;
1388 	}
1389 	pa = &method_data.val[method_data.len-1];
1390 	pa->padata_type		= KRB5_PADATA_PK_AS_REQ_WIN;
1391 	pa->padata_value.length	= 0;
1392 	pa->padata_value.data	= NULL;
1393 #endif
1394 
1395 	/*
1396 	 * If there is a client key, send ETYPE_INFO{,2}
1397 	 */
1398 	ret = _kdc_find_etype(context,
1399 			      config->preauth_use_strongest_session_key, TRUE,
1400 			      client, b->etype.val, b->etype.len, NULL, &ckey);
1401 	if (ret == 0) {
1402 
1403 	    /*
1404 	     * RFC4120 requires:
1405 	     * - If the client only knows about old enctypes, then send
1406 	     *   both info replies (we send 'info' first in the list).
1407 	     * - If the client is 'modern', because it knows about 'new'
1408 	     *   enctype types, then only send the 'info2' reply.
1409 	     *
1410 	     * Before we send the full list of etype-info data, we pick
1411 	     * the client key we would have used anyway below, just pick
1412 	     * that instead.
1413 	     */
1414 
1415 	    if (older_enctype(ckey->key.keytype)) {
1416 		ret = get_pa_etype_info(context, config,
1417 					&method_data, ckey);
1418 		if (ret) {
1419 		    free_METHOD_DATA(&method_data);
1420 		    goto out;
1421 		}
1422 	    }
1423 	    ret = get_pa_etype_info2(context, config,
1424 				     &method_data, ckey);
1425 	    if (ret) {
1426 		free_METHOD_DATA(&method_data);
1427 		goto out;
1428 	    }
1429 	}
1430 
1431 	ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
1432 	free_METHOD_DATA(&method_data);
1433 
1434 	e_data.data   = buf;
1435 	e_data.length = len;
1436 	e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
1437 
1438 	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
1439 
1440 	kdc_log(context, config, 0,
1441 		"No preauth found, returning PREAUTH-REQUIRED -- %s",
1442 		client_name);
1443 	goto out;
1444     }
1445 
1446     if (clientdb->hdb_auth_status)
1447 	(clientdb->hdb_auth_status)(context, clientdb, client,
1448 				    HDB_AUTH_SUCCESS);
1449 
1450     /*
1451      * Verify flags after the user been required to prove its identity
1452      * with in a preauth mech.
1453      */
1454 
1455     ret = _kdc_check_access(context, config, client, client_name,
1456 			    server, server_name,
1457 			    req, &e_data);
1458     if(ret)
1459 	goto out;
1460 
1461     /*
1462      * Selelct the best encryption type for the KDC with out regard to
1463      * the client since the client never needs to read that data.
1464      */
1465 
1466     ret = _kdc_get_preferred_key(context, config,
1467 				 server, server_name,
1468 				 &setype, &skey);
1469     if(ret)
1470 	goto out;
1471 
1472     if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
1473        || (f.request_anonymous && !config->allow_anonymous)) {
1474 	ret = KRB5KDC_ERR_BADOPTION;
1475 	e_text = "Bad KDC options";
1476 	kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
1477 	goto out;
1478     }
1479 
1480     rep.pvno = 5;
1481     rep.msg_type = krb_as_rep;
1482 
1483     ret = copy_Realm(&client->entry.principal->realm, &rep.crealm);
1484     if (ret)
1485 	goto out;
1486     ret = _krb5_principal2principalname(&rep.cname, client->entry.principal);
1487     if (ret)
1488 	goto out;
1489 
1490     rep.ticket.tkt_vno = 5;
1491     copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
1492     _krb5_principal2principalname(&rep.ticket.sname,
1493 				  server->entry.principal);
1494     /* java 1.6 expects the name to be the same type, lets allow that
1495      * uncomplicated name-types. */
1496 #define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
1497     if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
1498 	rep.ticket.sname.name_type = b->sname->name_type;
1499 #undef CNT
1500 
1501     et.flags.initial = 1;
1502     if(client->entry.flags.forwardable && server->entry.flags.forwardable)
1503 	et.flags.forwardable = f.forwardable;
1504     else if (f.forwardable) {
1505 	e_text = "Ticket may not be forwardable";
1506 	ret = KRB5KDC_ERR_POLICY;
1507 	kdc_log(context, config, 0,
1508 		"Ticket may not be forwardable -- %s", client_name);
1509 	goto out;
1510     }
1511     if(client->entry.flags.proxiable && server->entry.flags.proxiable)
1512 	et.flags.proxiable = f.proxiable;
1513     else if (f.proxiable) {
1514 	e_text = "Ticket may not be proxiable";
1515 	ret = KRB5KDC_ERR_POLICY;
1516 	kdc_log(context, config, 0,
1517 		"Ticket may not be proxiable -- %s", client_name);
1518 	goto out;
1519     }
1520     if(client->entry.flags.postdate && server->entry.flags.postdate)
1521 	et.flags.may_postdate = f.allow_postdate;
1522     else if (f.allow_postdate){
1523 	e_text = "Ticket may not be postdate";
1524 	ret = KRB5KDC_ERR_POLICY;
1525 	kdc_log(context, config, 0,
1526 		"Ticket may not be postdatable -- %s", client_name);
1527 	goto out;
1528     }
1529 
1530     /* check for valid set of addresses */
1531     if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
1532 	e_text = "Bad address list in requested";
1533 	ret = KRB5KRB_AP_ERR_BADADDR;
1534 	kdc_log(context, config, 0,
1535 		"Bad address list requested -- %s", client_name);
1536 	goto out;
1537     }
1538 
1539     ret = copy_PrincipalName(&rep.cname, &et.cname);
1540     if (ret)
1541 	goto out;
1542     ret = copy_Realm(&rep.crealm, &et.crealm);
1543     if (ret)
1544 	goto out;
1545 
1546     {
1547 	time_t start;
1548 	time_t t;
1549 
1550 	start = et.authtime = kdc_time;
1551 
1552 	if(f.postdated && req->req_body.from){
1553 	    ALLOC(et.starttime);
1554 	    start = *et.starttime = *req->req_body.from;
1555 	    et.flags.invalid = 1;
1556 	    et.flags.postdated = 1; /* XXX ??? */
1557 	}
1558 	_kdc_fix_time(&b->till);
1559 	t = *b->till;
1560 
1561 	/* be careful not overflowing */
1562 
1563 	if(client->entry.max_life)
1564 	    t = start + min(t - start, *client->entry.max_life);
1565 	if(server->entry.max_life)
1566 	    t = start + min(t - start, *server->entry.max_life);
1567 #if 0
1568 	t = min(t, start + realm->max_life);
1569 #endif
1570 	et.endtime = t;
1571 	if(f.renewable_ok && et.endtime < *b->till){
1572 	    f.renewable = 1;
1573 	    if(b->rtime == NULL){
1574 		ALLOC(b->rtime);
1575 		*b->rtime = 0;
1576 	    }
1577 	    if(*b->rtime < *b->till)
1578 		*b->rtime = *b->till;
1579 	}
1580 	if(f.renewable && b->rtime){
1581 	    t = *b->rtime;
1582 	    if(t == 0)
1583 		t = MAX_TIME;
1584 	    if(client->entry.max_renew)
1585 		t = start + min(t - start, *client->entry.max_renew);
1586 	    if(server->entry.max_renew)
1587 		t = start + min(t - start, *server->entry.max_renew);
1588 #if 0
1589 	    t = min(t, start + realm->max_renew);
1590 #endif
1591 	    ALLOC(et.renew_till);
1592 	    *et.renew_till = t;
1593 	    et.flags.renewable = 1;
1594 	}
1595     }
1596 
1597     if (f.request_anonymous)
1598 	et.flags.anonymous = 1;
1599 
1600     if(b->addresses){
1601 	ALLOC(et.caddr);
1602 	copy_HostAddresses(b->addresses, et.caddr);
1603     }
1604 
1605     et.transited.tr_type = DOMAIN_X500_COMPRESS;
1606     krb5_data_zero(&et.transited.contents);
1607 
1608     /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
1609      * as 0 and as 0x80 (meaning indefinite length) apart, and is thus
1610      * incapable of correctly decoding SEQUENCE OF's of zero length.
1611      *
1612      * To fix this, always send at least one no-op last_req
1613      *
1614      * If there's a pw_end or valid_end we will use that,
1615      * otherwise just a dummy lr.
1616      */
1617     ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
1618     if (ek.last_req.val == NULL) {
1619 	ret = ENOMEM;
1620 	goto out;
1621     }
1622     ek.last_req.len = 0;
1623     if (client->entry.pw_end
1624 	&& (config->kdc_warn_pwexpire == 0
1625 	    || kdc_time + config->kdc_warn_pwexpire >= *client->entry.pw_end)) {
1626 	ek.last_req.val[ek.last_req.len].lr_type  = LR_PW_EXPTIME;
1627 	ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
1628 	++ek.last_req.len;
1629     }
1630     if (client->entry.valid_end) {
1631 	ek.last_req.val[ek.last_req.len].lr_type  = LR_ACCT_EXPTIME;
1632 	ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
1633 	++ek.last_req.len;
1634     }
1635     if (ek.last_req.len == 0) {
1636 	ek.last_req.val[ek.last_req.len].lr_type  = LR_NONE;
1637 	ek.last_req.val[ek.last_req.len].lr_value = 0;
1638 	++ek.last_req.len;
1639     }
1640     ek.nonce = b->nonce;
1641     if (client->entry.valid_end || client->entry.pw_end) {
1642 	ALLOC(ek.key_expiration);
1643 	if (client->entry.valid_end) {
1644 	    if (client->entry.pw_end)
1645 		*ek.key_expiration = min(*client->entry.valid_end,
1646 					 *client->entry.pw_end);
1647 	    else
1648 		*ek.key_expiration = *client->entry.valid_end;
1649 	} else
1650 	    *ek.key_expiration = *client->entry.pw_end;
1651     } else
1652 	ek.key_expiration = NULL;
1653     ek.flags = et.flags;
1654     ek.authtime = et.authtime;
1655     if (et.starttime) {
1656 	ALLOC(ek.starttime);
1657 	*ek.starttime = *et.starttime;
1658     }
1659     ek.endtime = et.endtime;
1660     if (et.renew_till) {
1661 	ALLOC(ek.renew_till);
1662 	*ek.renew_till = *et.renew_till;
1663     }
1664     copy_Realm(&rep.ticket.realm, &ek.srealm);
1665     copy_PrincipalName(&rep.ticket.sname, &ek.sname);
1666     if(et.caddr){
1667 	ALLOC(ek.caddr);
1668 	copy_HostAddresses(et.caddr, ek.caddr);
1669     }
1670 
1671 #if PKINIT
1672     if (pkp) {
1673         e_text = "Failed to build PK-INIT reply";
1674 	ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
1675 				  sessionetype, req, req_buffer,
1676 				  &reply_key, &et.key, rep.padata);
1677 	if (ret)
1678 	    goto out;
1679 	ret = _kdc_add_inital_verified_cas(context,
1680 					   config,
1681 					   pkp,
1682 					   &et);
1683 	if (ret)
1684 	    goto out;
1685 
1686     } else
1687 #endif
1688     {
1689 	ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
1690 	if (ret)
1691 	    goto out;
1692     }
1693 
1694     if (reply_key == NULL) {
1695 	e_text = "Client have no reply key";
1696 	ret = KRB5KDC_ERR_CLIENT_NOTYET;
1697 	goto out;
1698     }
1699 
1700     ret = copy_EncryptionKey(&et.key, &ek.key);
1701     if (ret)
1702 	goto out;
1703 
1704     /* Add signing of alias referral */
1705     if (f.canonicalize) {
1706 	PA_ClientCanonicalized canon;
1707 	krb5_data data;
1708 	PA_DATA pa;
1709 	krb5_crypto cryptox;
1710 	size_t len = 0;
1711 
1712 	memset(&canon, 0, sizeof(canon));
1713 
1714 	canon.names.requested_name = *b->cname;
1715 	canon.names.mapped_name = client->entry.principal->name;
1716 
1717 	ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
1718 			   &canon.names, &len, ret);
1719 	if (ret)
1720 	    goto out;
1721 	if (data.length != len)
1722 	    krb5_abortx(context, "internal asn.1 error");
1723 
1724 	/* sign using "returned session key" */
1725 	ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
1726 	if (ret) {
1727 	    free(data.data);
1728 	    goto out;
1729 	}
1730 
1731 	ret = krb5_create_checksum(context, cryptox,
1732 				   KRB5_KU_CANONICALIZED_NAMES, 0,
1733 				   data.data, data.length,
1734 				   &canon.canon_checksum);
1735 	free(data.data);
1736 	krb5_crypto_destroy(context, cryptox);
1737 	if (ret)
1738 	    goto out;
1739 
1740 	ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
1741 			   &canon, &len, ret);
1742 	free_Checksum(&canon.canon_checksum);
1743 	if (ret)
1744 	    goto out;
1745 	if (data.length != len)
1746 	    krb5_abortx(context, "internal asn.1 error");
1747 
1748 	pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
1749 	pa.padata_value = data;
1750 	ret = add_METHOD_DATA(rep.padata, &pa);
1751 	free(data.data);
1752 	if (ret)
1753 	    goto out;
1754     }
1755 
1756     if (rep.padata->len == 0) {
1757 	free(rep.padata);
1758 	rep.padata = NULL;
1759     }
1760 
1761     /* Add the PAC */
1762     if (send_pac_p(context, req)) {
1763 	krb5_pac p = NULL;
1764 	krb5_data data;
1765 
1766 	ret = _kdc_pac_generate(context, client, &p);
1767 	if (ret) {
1768 	    kdc_log(context, config, 0, "PAC generation failed for -- %s",
1769 		    client_name);
1770 	    goto out;
1771 	}
1772 	if (p != NULL) {
1773 	    ret = _krb5_pac_sign(context, p, et.authtime,
1774 				 client->entry.principal,
1775 				 &skey->key, /* Server key */
1776 				 &skey->key, /* FIXME: should be krbtgt key */
1777 				 &data);
1778 	    krb5_pac_free(context, p);
1779 	    if (ret) {
1780 		kdc_log(context, config, 0, "PAC signing failed for -- %s",
1781 			client_name);
1782 		goto out;
1783 	    }
1784 
1785 	    ret = _kdc_tkt_add_if_relevant_ad(context, &et,
1786 					      KRB5_AUTHDATA_WIN2K_PAC,
1787 					      &data);
1788 	    krb5_data_free(&data);
1789 	    if (ret)
1790 		goto out;
1791 	}
1792     }
1793 
1794     _kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime,
1795 		       et.endtime, et.renew_till);
1796 
1797     /* do this as the last thing since this signs the EncTicketPart */
1798     ret = _kdc_add_KRB5SignedPath(context,
1799 				  config,
1800 				  server,
1801 				  setype,
1802 				  client->entry.principal,
1803 				  NULL,
1804 				  NULL,
1805 				  &et);
1806     if (ret)
1807 	goto out;
1808 
1809     log_as_req(context, config, reply_key->keytype, setype, b);
1810 
1811     ret = _kdc_encode_reply(context, config,
1812 			    &rep, &et, &ek, setype, server->entry.kvno,
1813 			    &skey->key, client->entry.kvno,
1814 			    reply_key, 0, &e_text, reply);
1815     free_EncTicketPart(&et);
1816     free_EncKDCRepPart(&ek);
1817     if (ret)
1818 	goto out;
1819 
1820     /* */
1821     if (datagram_reply && reply->length > config->max_datagram_reply_length) {
1822 	krb5_data_free(reply);
1823 	ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
1824 	e_text = "Reply packet too large";
1825     }
1826 
1827 out:
1828     free_AS_REP(&rep);
1829     if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE){
1830 	krb5_mk_error(context,
1831 		      ret,
1832 		      e_text,
1833 		      (e_data.data ? &e_data : NULL),
1834 		      client_princ,
1835 		      server_princ,
1836 		      NULL,
1837 		      NULL,
1838 		      reply);
1839 	ret = 0;
1840     }
1841 #ifdef PKINIT
1842     if (pkp)
1843 	_kdc_pk_free_client_param(context, pkp);
1844 #endif
1845     if (e_data.data)
1846         free(e_data.data);
1847     if (client_princ)
1848 	krb5_free_principal(context, client_princ);
1849     free(client_name);
1850     if (server_princ)
1851 	krb5_free_principal(context, server_princ);
1852     free(server_name);
1853     if(client)
1854 	_kdc_free_ent(context, client);
1855     if(server)
1856 	_kdc_free_ent(context, server);
1857     return ret;
1858 }
1859 
1860 /*
1861  * Add the AuthorizationData `data´ of `type´ to the last element in
1862  * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT
1863  */
1864 
1865 krb5_error_code
1866 _kdc_tkt_add_if_relevant_ad(krb5_context context,
1867 			    EncTicketPart *tkt,
1868 			    int type,
1869 			    const krb5_data *data)
1870 {
1871     krb5_error_code ret;
1872     size_t size = 0;
1873 
1874     if (tkt->authorization_data == NULL) {
1875 	tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
1876 	if (tkt->authorization_data == NULL) {
1877 	    krb5_set_error_message(context, ENOMEM, "out of memory");
1878 	    return ENOMEM;
1879 	}
1880     }
1881 
1882     /* add the entry to the last element */
1883     {
1884 	AuthorizationData ad = { 0, NULL };
1885 	AuthorizationDataElement ade;
1886 
1887 	ade.ad_type = type;
1888 	ade.ad_data = *data;
1889 
1890 	ret = add_AuthorizationData(&ad, &ade);
1891 	if (ret) {
1892 	    krb5_set_error_message(context, ret, "add AuthorizationData failed");
1893 	    return ret;
1894 	}
1895 
1896 	ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
1897 
1898 	ASN1_MALLOC_ENCODE(AuthorizationData,
1899 			   ade.ad_data.data, ade.ad_data.length,
1900 			   &ad, &size, ret);
1901 	free_AuthorizationData(&ad);
1902 	if (ret) {
1903 	    krb5_set_error_message(context, ret, "ASN.1 encode of "
1904 				   "AuthorizationData failed");
1905 	    return ret;
1906 	}
1907 	if (ade.ad_data.length != size)
1908 	    krb5_abortx(context, "internal asn.1 encoder error");
1909 
1910 	ret = add_AuthorizationData(tkt->authorization_data, &ade);
1911 	der_free_octet_string(&ade.ad_data);
1912 	if (ret) {
1913 	    krb5_set_error_message(context, ret, "add AuthorizationData failed");
1914 	    return ret;
1915 	}
1916     }
1917 
1918     return 0;
1919 }
1920