libtommath: Fix possible integer overflow CVE-2023-36328
[heimdal.git] / kdc / fast.c
blobe7110db2ffebe22f6f2ca6a71618b20cfc1e7ef6
1 /*
2 * Copyright (c) 1997-2011 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Portions Copyright (c) 2010 - 2011 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
36 #include "kdc_locl.h"
38 static krb5_error_code
39 salt_fastuser_crypto(astgs_request_t r,
40 krb5_const_principal salt_principal,
41 krb5_enctype enctype,
42 krb5_crypto fast_crypto,
43 krb5_crypto *salted_crypto)
45 krb5_error_code ret;
46 krb5_principal client_princ = NULL;
47 krb5_data salt;
48 krb5_keyblock dkey;
49 size_t size;
51 *salted_crypto = NULL;
53 krb5_data_zero(&salt);
54 krb5_keyblock_zero(&dkey);
56 if (salt_principal == NULL) {
57 if (r->req.req_body.cname == NULL) {
58 ret = KRB5KRB_ERR_GENERIC;
59 goto out;
62 ret = _krb5_principalname2krb5_principal(r->context, &client_princ,
63 *(r->req.req_body.cname),
64 r->req.req_body.realm);
65 if (ret)
66 goto out;
68 salt_principal = client_princ;
71 ret = krb5_unparse_name(r->context, salt_principal, (char **)&salt.data);
72 if (ret)
73 goto out;
75 salt.length = strlen(salt.data);
77 kdc_log(r->context, r->config, 10,
78 "salt_fastuser_crypto: salt principal is %s (%d)",
79 (char *)salt.data, enctype);
81 ret = krb5_enctype_keysize(r->context, enctype, &size);
82 if (ret)
83 goto out;
85 ret = krb5_crypto_prfplus(r->context, fast_crypto, &salt,
86 size, &dkey.keyvalue);
87 if (ret)
88 goto out;
90 dkey.keytype = enctype;
92 ret = krb5_crypto_init(r->context, &dkey, ENCTYPE_NULL, salted_crypto);
93 if (ret)
94 goto out;
96 out:
97 krb5_free_keyblock_contents(r->context, &dkey);
98 krb5_data_free(&salt);
99 krb5_free_principal(r->context, client_princ);
101 return ret;
104 static krb5_error_code
105 get_fastuser_crypto(astgs_request_t r,
106 krb5_const_principal ticket_client,
107 krb5_enctype enctype,
108 krb5_crypto *crypto)
110 krb5_principal fast_princ;
111 HDB *fast_db;
112 hdb_entry *fast_user = NULL;
113 Key *cookie_key = NULL;
114 krb5_crypto fast_crypto = NULL;
115 krb5_error_code ret;
117 *crypto = NULL;
119 ret = krb5_make_principal(r->context, &fast_princ,
120 KRB5_WELLKNOWN_ORG_H5L_REALM,
121 KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie", NULL);
122 if (ret)
123 goto out;
125 ret = _kdc_db_fetch(r->context, r->config, fast_princ,
126 HDB_F_GET_FAST_COOKIE, NULL, &fast_db, &fast_user);
127 if (ret)
128 goto out;
130 if (enctype == KRB5_ENCTYPE_NULL)
131 ret = _kdc_get_preferred_key(r->context, r->config, fast_user,
132 "fast-cookie", &enctype, &cookie_key);
133 else
134 ret = hdb_enctype2key(r->context, fast_user, NULL,
135 enctype, &cookie_key);
136 if (ret)
137 goto out;
139 ret = krb5_crypto_init(r->context, &cookie_key->key,
140 ENCTYPE_NULL, &fast_crypto);
141 if (ret)
142 goto out;
144 ret = salt_fastuser_crypto(r, ticket_client,
145 cookie_key->key.keytype,
146 fast_crypto, crypto);
147 if (ret)
148 goto out;
150 out:
151 if (fast_user)
152 _kdc_free_ent(r->context, fast_db, fast_user);
153 if (fast_crypto)
154 krb5_crypto_destroy(r->context, fast_crypto);
155 krb5_free_principal(r->context, fast_princ);
157 return ret;
161 static krb5_error_code
162 fast_parse_cookie(astgs_request_t r,
163 krb5_const_principal ticket_client,
164 const PA_DATA *pa)
166 krb5_crypto crypto = NULL;
167 krb5_error_code ret;
168 KDCFastCookie data;
169 krb5_data d1;
170 size_t len;
172 ret = decode_KDCFastCookie(pa->padata_value.data,
173 pa->padata_value.length,
174 &data, &len);
175 if (ret)
176 return ret;
178 if (len != pa->padata_value.length || strcmp("H5L1", data.version) != 0) {
179 free_KDCFastCookie(&data);
180 return KRB5KDC_ERR_POLICY;
183 ret = get_fastuser_crypto(r, ticket_client, data.cookie.etype, &crypto);
184 if (ret)
185 goto out;
187 ret = krb5_decrypt_EncryptedData(r->context, crypto,
188 KRB5_KU_H5L_COOKIE,
189 &data.cookie, &d1);
190 krb5_crypto_destroy(r->context, crypto);
191 if (ret)
192 goto out;
194 ret = decode_KDCFastState(d1.data, d1.length, &r->fast, &len);
195 krb5_data_free(&d1);
196 if (ret)
197 goto out;
199 if (r->fast.expiration < kdc_time) {
200 kdc_log(r->context, r->config, 2, "FAST cookie expired");
201 ret = KRB5KDC_ERR_POLICY;
202 goto out;
205 out:
206 free_KDCFastCookie(&data);
208 return ret;
211 static krb5_error_code
212 fast_add_cookie(astgs_request_t r,
213 krb5_const_principal ticket_client,
214 METHOD_DATA *method_data)
216 krb5_crypto crypto = NULL;
217 KDCFastCookie shell;
218 krb5_error_code ret;
219 krb5_data data;
220 size_t size;
222 memset(&shell, 0, sizeof(shell));
224 r->fast.expiration = kdc_time + FAST_EXPIRATION_TIME;
226 ASN1_MALLOC_ENCODE(KDCFastState, data.data, data.length,
227 &r->fast, &size, ret);
228 if (ret)
229 return ret;
230 heim_assert(size == data.length, "internal asn.1 encoder error");
232 ret = get_fastuser_crypto(r, ticket_client, KRB5_ENCTYPE_NULL, &crypto);
233 if (ret) {
234 kdc_log(r->context, r->config, 0,
235 "Failed to find FAST principal for cookie encryption: %d", ret);
236 goto out;
239 ret = krb5_encrypt_EncryptedData(r->context, crypto,
240 KRB5_KU_H5L_COOKIE,
241 data.data, data.length, 0,
242 &shell.cookie);
243 krb5_crypto_destroy(r->context, crypto);
244 if (ret)
245 goto out;
247 krb5_data_free(&data);
249 shell.version = "H5L1";
251 ASN1_MALLOC_ENCODE(KDCFastCookie, data.data, data.length,
252 &shell, &size, ret);
253 free_EncryptedData(&shell.cookie);
254 if (ret)
255 goto out;
256 heim_assert(size == data.length, "internal asn.1 encoder error");
258 ret = krb5_padata_add(r->context, method_data,
259 KRB5_PADATA_FX_COOKIE,
260 data.data, data.length);
261 if (ret == 0)
262 krb5_data_zero(&data);
264 out:
265 krb5_data_free(&data);
266 return ret;
269 krb5_error_code
270 _kdc_fast_mk_response(krb5_context context,
271 krb5_crypto armor_crypto,
272 METHOD_DATA *pa_data,
273 krb5_keyblock *strengthen_key,
274 KrbFastFinished *finished,
275 krb5uint32 nonce,
276 krb5_data *data)
278 PA_FX_FAST_REPLY fxfastrep;
279 KrbFastResponse fastrep;
280 krb5_error_code ret;
281 krb5_data buf;
282 size_t size;
284 memset(&fxfastrep, 0, sizeof(fxfastrep));
285 memset(&fastrep, 0, sizeof(fastrep));
286 krb5_data_zero(data);
288 if (pa_data) {
289 fastrep.padata.val = pa_data->val;
290 fastrep.padata.len = pa_data->len;
292 fastrep.strengthen_key = strengthen_key;
293 fastrep.finished = finished;
294 fastrep.nonce = nonce;
296 ASN1_MALLOC_ENCODE(KrbFastResponse, buf.data, buf.length,
297 &fastrep, &size, ret);
298 if (ret)
299 return ret;
300 heim_assert(size == buf.length, "internal asn.1 encoder error");
302 fxfastrep.element = choice_PA_FX_FAST_REPLY_armored_data;
304 ret = krb5_encrypt_EncryptedData(context,
305 armor_crypto,
306 KRB5_KU_FAST_REP,
307 buf.data,
308 buf.length,
310 &fxfastrep.u.armored_data.enc_fast_rep);
311 krb5_data_free(&buf);
312 if (ret)
313 return ret;
315 ASN1_MALLOC_ENCODE(PA_FX_FAST_REPLY, data->data, data->length,
316 &fxfastrep, &size, ret);
317 free_PA_FX_FAST_REPLY(&fxfastrep);
318 if (ret)
319 return ret;
320 heim_assert(size == data->length, "internal asn.1 encoder error");
322 return 0;
326 krb5_error_code
327 _kdc_fast_mk_error(astgs_request_t r,
328 METHOD_DATA *error_method,
329 krb5_crypto armor_crypto,
330 const KDC_REQ_BODY *req_body,
331 krb5_error_code outer_error,
332 krb5_principal error_client,
333 krb5_principal error_server,
334 time_t *csec, int *cusec,
335 krb5_data *error_msg)
337 krb5_error_code ret;
338 krb5_data e_data;
339 size_t size;
341 krb5_data_zero(&e_data);
343 heim_assert(r != NULL, "invalid request in _kdc_fast_mk_error");
346 * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
348 if (armor_crypto || r->fast.fast_state.len) {
349 kdc_log(r->context, r->config, 5, "Adding FAST cookie for KRB-ERROR");
350 ret = fast_add_cookie(r, error_client, error_method);
351 if (ret) {
352 kdc_log(r->context, r->config, 1,
353 "Failed to add FAST cookie: %d", ret);
354 free_METHOD_DATA(error_method);
355 return ret;
359 if (armor_crypto) {
360 PA_FX_FAST_REPLY fxfastrep;
361 KrbFastResponse fastrep;
363 memset(&fxfastrep, 0, sizeof(fxfastrep));
364 memset(&fastrep, 0, sizeof(fastrep));
366 kdc_log(r->context, r->config, 5, "Making FAST inner KRB-ERROR");
368 /* first add the KRB-ERROR to the fast errors */
370 ret = krb5_mk_error(r->context,
371 outer_error,
372 r->e_text,
373 NULL,
374 error_client,
375 error_server,
376 csec,
377 cusec,
378 &e_data);
379 if (ret) {
380 kdc_log(r->context, r->config, 1,
381 "Failed to make inner KRB-ERROR: %d", ret);
382 return ret;
385 ret = krb5_padata_add(r->context, error_method,
386 KRB5_PADATA_FX_ERROR,
387 e_data.data, e_data.length);
388 if (ret) {
389 kdc_log(r->context, r->config, 1,
390 "Failed to make add FAST PADATA to inner KRB-ERROR: %d", ret);
391 krb5_data_free(&e_data);
392 return ret;
395 outer_error = KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED;
396 r->e_text = NULL;
397 if (r->fast.flags.requested_hidden_names) {
398 error_client = NULL;
399 error_server = NULL;
401 csec = NULL;
402 cusec = NULL;
404 ret = _kdc_fast_mk_response(r->context, armor_crypto,
405 error_method, NULL, NULL,
406 req_body->nonce, &e_data);
407 free_METHOD_DATA(error_method);
408 if (ret) {
409 kdc_log(r->context, r->config, 1,
410 "Failed to make outer KRB-ERROR: %d", ret);
411 return ret;
414 ret = krb5_padata_add(r->context, error_method,
415 KRB5_PADATA_FX_FAST,
416 e_data.data, e_data.length);
417 if (ret) {
418 kdc_log(r->context, r->config, 1,
419 "Failed to make add FAST PADATA to outer KRB-ERROR: %d", ret);
420 return ret;
422 } else
423 kdc_log(r->context, r->config, 5, "Making non-FAST KRB-ERROR");
425 if (error_method && error_method->len) {
426 ASN1_MALLOC_ENCODE(METHOD_DATA, e_data.data, e_data.length,
427 error_method, &size, ret);
428 if (ret) {
429 kdc_log(r->context, r->config, 1,
430 "Failed to make encode METHOD-DATA: %d", ret);
431 return ret;
433 heim_assert(size == e_data.length, "internal asn.1 encoder error");
436 ret = krb5_mk_error(r->context,
437 outer_error,
438 r->e_text,
439 (e_data.length ? &e_data : NULL),
440 error_client,
441 error_server,
442 csec,
443 cusec,
444 error_msg);
445 krb5_data_free(&e_data);
447 if (ret)
448 kdc_log(r->context, r->config, 1,
449 "Failed to make encode KRB-ERROR: %d", ret);
451 return ret;
454 static krb5_error_code
455 fast_unwrap_request(astgs_request_t r,
456 krb5_ticket *tgs_ticket,
457 krb5_auth_context tgs_ac)
459 krb5_principal armor_server_principal = NULL;
460 char *armor_client_principal_name = NULL;
461 char *armor_server_principal_name = NULL;
462 PA_FX_FAST_REQUEST fxreq;
463 krb5_auth_context ac = NULL;
464 krb5_ticket *ticket = NULL;
465 krb5_flags ap_req_options;
466 krb5_keyblock armorkey;
467 krb5_keyblock explicit_armorkey;
468 krb5_error_code ret;
469 krb5_ap_req ap_req;
470 KrbFastReq fastreq;
471 const PA_DATA *pa;
472 krb5_data data;
473 size_t len;
474 int i = 0;
476 memset(&fxreq, 0, sizeof(fxreq));
477 memset(&fastreq, 0, sizeof(fastreq));
479 pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_FAST);
480 if (pa == NULL) {
481 if (tgs_ac && r->fast_asserted) {
482 kdc_log(r->context, r->config, 1,
483 "Client asserted FAST but did not include FX-FAST pa-data");
484 ret = KRB5KRB_AP_ERR_MODIFIED;
485 goto out;
488 kdc_log(r->context, r->config, 10, "Not a FAST request");
489 return 0;
492 ret = decode_PA_FX_FAST_REQUEST(pa->padata_value.data,
493 pa->padata_value.length,
494 &fxreq,
495 &len);
496 if (ret) {
497 kdc_log(r->context, r->config, 4,
498 "Failed to decode PA-FX-FAST-REQUEST: %d", ret);
499 goto out;
502 if (fxreq.element != choice_PA_FX_FAST_REQUEST_armored_data) {
503 kdc_log(r->context, r->config, 4,
504 "PA-FX-FAST-REQUEST contains unknown type: %d",
505 (int)fxreq.element);
506 ret = KRB5KDC_ERR_PREAUTH_FAILED;
507 goto out;
511 * If check for armor data or it's not a TGS-REQ with implicit
512 * armor.
514 if (fxreq.u.armored_data.armor == NULL && tgs_ac == NULL) {
515 kdc_log(r->context, r->config, 4,
516 "AS-REQ armor missing");
517 ret = KRB5KDC_ERR_PREAUTH_FAILED;
518 goto out;
521 r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
526 if (fxreq.u.armored_data.armor != NULL) {
527 krb5uint32 kvno;
528 krb5uint32 *kvno_ptr = NULL;
530 if (fxreq.u.armored_data.armor->armor_type != 1) {
531 kdc_log(r->context, r->config, 4,
532 "Incorrect AS-REQ armor type");
533 ret = KRB5KDC_ERR_PREAUTH_FAILED;
534 goto out;
537 ret = krb5_decode_ap_req(r->context,
538 &fxreq.u.armored_data.armor->armor_value,
539 &ap_req);
540 if(ret) {
541 kdc_log(r->context, r->config, 4, "Failed to decode AP-REQ");
542 goto out;
545 /* Save that principal that was in the request */
546 ret = _krb5_principalname2krb5_principal(r->context,
547 &armor_server_principal,
548 ap_req.ticket.sname,
549 ap_req.ticket.realm);
550 if (ret) {
551 free_AP_REQ(&ap_req);
552 goto out;
555 if (ap_req.ticket.enc_part.kvno != NULL) {
556 kvno = *ap_req.ticket.enc_part.kvno;
557 kvno_ptr = &kvno;
560 ret = _kdc_db_fetch(r->context, r->config, armor_server_principal,
561 HDB_F_GET_KRBTGT | HDB_F_DELAY_NEW_KEYS,
562 kvno_ptr,
563 &r->armor_serverdb, &r->armor_server);
564 if(ret == HDB_ERR_NOT_FOUND_HERE) {
565 free_AP_REQ(&ap_req);
566 kdc_log(r->context, r->config, 5,
567 "Armor key does not have secrets at this KDC, "
568 "need to proxy");
569 goto out;
570 } else if (ret) {
571 free_AP_REQ(&ap_req);
572 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
573 goto out;
576 ret = hdb_enctype2key(r->context, r->armor_server, NULL,
577 ap_req.ticket.enc_part.etype,
578 &r->armor_key);
579 if (ret) {
580 free_AP_REQ(&ap_req);
581 goto out;
584 ret = krb5_verify_ap_req2(r->context, &ac,
585 &ap_req,
586 armor_server_principal,
587 &r->armor_key->key,
589 &ap_req_options,
590 &r->armor_ticket,
591 KRB5_KU_AP_REQ_AUTH);
592 free_AP_REQ(&ap_req);
593 if (ret)
594 goto out;
596 ret = krb5_unparse_name(r->context, armor_server_principal,
597 &armor_server_principal_name);
598 if (ret)
599 goto out;
601 /* FIXME krb5_verify_ap_req2() also checks this */
602 ret = _kdc_verify_flags(r->context, r->config,
603 &r->armor_ticket->ticket,
604 armor_server_principal_name);
605 if (ret) {
606 kdc_audit_addreason((kdc_request_t)r,
607 "Armor TGT expired or invalid");
608 goto out;
610 ticket = r->armor_ticket;
611 } else {
612 heim_assert(tgs_ticket != NULL, "TGS authentication context without ticket");
613 ac = tgs_ac;
614 ticket = tgs_ticket;
617 (void) krb5_unparse_name(r->context, ticket->client, &armor_client_principal_name);
618 kdc_audit_addkv((kdc_request_t)r, 0, "armor_client_name", "%s",
619 armor_client_principal_name ?
620 armor_client_principal_name :
621 "<out of memory>");
623 if (ac->remote_subkey == NULL) {
624 krb5_auth_con_free(r->context, ac);
625 kdc_log(r->context, r->config, 2,
626 "FAST AP-REQ remote subkey missing");
627 ret = KRB5KDC_ERR_PREAUTH_FAILED;
628 goto out;
631 r->fast.flags.kdc_verified =
632 !_kdc_is_anonymous_pkinit(r->context, ticket->client);
634 ret = _krb5_fast_armor_key(r->context,
635 ac->remote_subkey,
636 &ticket->ticket.key,
637 &armorkey,
638 r->explicit_armor_present ? NULL : &r->armor_crypto);
639 if (ret)
640 goto out;
642 if (r->explicit_armor_present) {
643 ret = _krb5_fast_explicit_armor_key(r->context,
644 &armorkey,
645 tgs_ac->remote_subkey,
646 &explicit_armorkey,
647 &r->armor_crypto);
648 if (ret)
649 goto out;
651 krb5_free_keyblock_contents(r->context, &explicit_armorkey);
654 krb5_free_keyblock_contents(r->context, &armorkey);
656 ret = krb5_decrypt_EncryptedData(r->context, r->armor_crypto,
657 KRB5_KU_FAST_ENC,
658 &fxreq.u.armored_data.enc_fast_req,
659 &data);
660 if (ret) {
661 kdc_log(r->context, r->config, 2,
662 "Failed to decrypt FAST request");
663 goto out;
666 ret = decode_KrbFastReq(data.data, data.length, &fastreq, NULL);
667 krb5_data_free(&data);
668 if (ret)
669 goto out;
672 * verify req-checksum of the outer body
674 if (tgs_ac) {
676 * -- For TGS, contains the checksum performed over the type
677 * -- AP-REQ in the PA-TGS-REQ padata.
679 i = 0;
680 pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_TGS_REQ);
681 if (pa == NULL) {
682 kdc_log(r->context, r->config, 4,
683 "FAST TGS request missing TGS-REQ padata");
684 ret = KRB5KRB_ERR_GENERIC;
685 goto out;
688 ret = _kdc_verify_checksum(r->context, r->armor_crypto,
689 KRB5_KU_FAST_REQ_CHKSUM,
690 &pa->padata_value,
691 &fxreq.u.armored_data.req_checksum);
692 if (ret) {
693 kdc_log(r->context, r->config, 2,
694 "Bad checksum in FAST TGS request");
695 goto out;
697 } else {
699 * -- For AS, contains the checksum performed over the type
700 * -- KDC-REQ-BODY for the req-body field of the KDC-REQ
701 * -- structure;
703 ret = _kdc_verify_checksum(r->context, r->armor_crypto,
704 KRB5_KU_FAST_REQ_CHKSUM,
705 &r->req.req_body._save,
706 &fxreq.u.armored_data.req_checksum);
707 if (ret) {
708 kdc_log(r->context, r->config, 2,
709 "Bad checksum in FAST AS request");
710 goto out;
715 * check for unsupported mandatory options
717 if (FastOptions2int(fastreq.fast_options) & 0xfffc) {
718 kdc_log(r->context, r->config, 2,
719 "FAST unsupported mandatory option set");
720 ret = KRB5_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS;
721 goto out;
724 r->fast.flags.requested_hidden_names = fastreq.fast_options.hide_client_names;
726 /* KDC MUST ignore outer pa data preauth-14 - 6.5.5 */
727 if (r->req.padata)
728 free_METHOD_DATA(r->req.padata);
729 else
730 ALLOC(r->req.padata);
732 ret = copy_METHOD_DATA(&fastreq.padata, r->req.padata);
733 if (ret)
734 goto out;
736 free_KDC_REQ_BODY(&r->req.req_body);
737 ret = copy_KDC_REQ_BODY(&fastreq.req_body, &r->req.req_body);
738 if (ret)
739 goto out;
741 kdc_log(r->context, r->config, 5, "Client selected FAST");
743 out:
744 if (ac && ac != tgs_ac)
745 krb5_auth_con_free(r->context, ac);
747 krb5_free_principal(r->context, armor_server_principal);
748 krb5_xfree(armor_client_principal_name);
749 krb5_xfree(armor_server_principal_name);
751 free_KrbFastReq(&fastreq);
752 free_PA_FX_FAST_REQUEST(&fxreq);
754 return ret;
760 krb5_error_code
761 _kdc_fast_unwrap_request(astgs_request_t r,
762 krb5_ticket *tgs_ticket,
763 krb5_auth_context tgs_ac)
765 krb5_error_code ret;
766 const PA_DATA *pa;
767 int i = 0;
769 if (!r->config->enable_fast)
770 return 0;
772 ret = fast_unwrap_request(r, tgs_ticket, tgs_ac);
773 if (ret)
774 return ret;
777 * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
779 pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_COOKIE);
780 if (pa) {
781 krb5_const_principal ticket_client = NULL;
783 if (tgs_ticket)
784 ticket_client = tgs_ticket->client;
786 ret = fast_parse_cookie(r, ticket_client, pa);
789 return ret;
793 * Strengthen reply key by mixing with a random key that is
794 * protected by FAST.
796 krb5_error_code
797 _kdc_fast_strengthen_reply_key(astgs_request_t r)
799 if (r->armor_crypto) {
800 krb5_keyblock new_reply_key;
801 krb5_error_code ret;
803 kdc_log(r->context, r->config, 5,
804 "FAST strengthen reply key with strengthen-key");
806 heim_assert(r->reply_key.keytype != KRB5_ENCTYPE_NULL, "NULL reply key enctype");
808 ret = krb5_generate_random_keyblock(r->context, r->reply_key.keytype,
809 &r->strengthen_key);
810 if (ret) {
811 kdc_log(r->context, r->config, 0, "failed to prepare random keyblock");
812 return ret;
815 ret = _krb5_fast_cf2(r->context,
816 &r->strengthen_key, "strengthenkey",
817 &r->reply_key, "replykey",
818 &new_reply_key, NULL);
819 if (ret)
820 return ret;
822 krb5_free_keyblock_contents(r->context, &r->reply_key);
823 r->reply_key = new_reply_key;
826 return 0;
830 * Zero and free KDCFastState
832 void
833 _kdc_free_fast_state(KDCFastState *state)
835 size_t i;
837 for (i = 0; i < state->fast_state.len; i++) {
838 PA_DATA *pa = &state->fast_state.val[i];
840 if (pa->padata_value.data)
841 memset_s(pa->padata_value.data, 0,
842 pa->padata_value.length, pa->padata_value.length);
844 free_KDCFastState(state);
847 krb5_error_code
848 _kdc_fast_check_armor_pac(astgs_request_t r, int flags)
850 krb5_error_code ret;
851 krb5_boolean ad_kdc_issued = FALSE;
852 krb5_pac mspac = NULL;
853 krb5_principal armor_client_principal = NULL;
854 HDB *armor_db;
855 hdb_entry *armor_client = NULL;
856 char *armor_client_principal_name = NULL;
858 flags |= HDB_F_ARMOR_PRINCIPAL;
859 if (_kdc_synthetic_princ_used_p(r->context, r->armor_ticket))
860 flags |= HDB_F_SYNTHETIC_OK;
861 if (r->req.req_body.kdc_options.canonicalize)
862 flags |= HDB_F_CANON;
864 ret = _krb5_principalname2krb5_principal(r->context,
865 &armor_client_principal,
866 r->armor_ticket->ticket.cname,
867 r->armor_ticket->ticket.crealm);
868 if (ret)
869 goto out;
871 ret = krb5_unparse_name(r->context, armor_client_principal,
872 &armor_client_principal_name);
873 if (ret)
874 goto out;
876 ret = _kdc_db_fetch_client(r->context, r->config, flags,
877 armor_client_principal, armor_client_principal_name,
878 r->req.req_body.realm, &armor_db, &armor_client);
879 if (ret)
880 goto out;
882 ret = kdc_check_flags(r, FALSE, armor_client, NULL);
883 if (ret)
884 goto out;
886 ret = _kdc_check_pac(r, armor_client_principal, NULL,
887 armor_client, r->armor_server,
888 r->armor_server, r->armor_server,
889 &r->armor_key->key, &r->armor_key->key,
890 &r->armor_ticket->ticket, &ad_kdc_issued, &mspac, NULL, NULL);
891 if (ret) {
892 const char *msg = krb5_get_error_message(r->context, ret);
894 kdc_log(r->context, r->config, 4,
895 "Verify armor PAC (%s) failed for %s (%s) from %s with %s (%s)",
896 armor_client_principal_name, r->cname, r->sname,
897 r->from, msg, mspac ? "Ticket unsigned" : "No PAC");
899 krb5_free_error_message(r->context, msg);
901 goto out;
904 if (r->explicit_armor_present) {
905 r->explicit_armor_clientdb = armor_db;
906 armor_db = NULL;
908 r->explicit_armor_client = armor_client;
909 armor_client = NULL;
911 r->explicit_armor_pac = mspac;
912 mspac = NULL;
915 out:
916 krb5_xfree(armor_client_principal_name);
917 if (armor_client)
918 _kdc_free_ent(r->context, armor_db, armor_client);
919 krb5_free_principal(r->context, armor_client_principal);
920 krb5_pac_free(r->context, mspac);
922 return ret;