2 * Copyright (c) 1997-2011 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2010 - 2011 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 static krb5_error_code
39 salt_fastuser_crypto(astgs_request_t r
,
40 krb5_const_principal salt_principal
,
42 krb5_crypto fast_crypto
,
43 krb5_crypto
*salted_crypto
)
46 krb5_principal client_princ
= NULL
;
51 *salted_crypto
= NULL
;
53 krb5_data_zero(&salt
);
54 krb5_keyblock_zero(&dkey
);
56 if (salt_principal
== NULL
) {
57 if (r
->req
.req_body
.cname
== NULL
) {
58 ret
= KRB5KRB_ERR_GENERIC
;
62 ret
= _krb5_principalname2krb5_principal(r
->context
, &client_princ
,
63 *(r
->req
.req_body
.cname
),
64 r
->req
.req_body
.realm
);
68 salt_principal
= client_princ
;
71 ret
= krb5_unparse_name(r
->context
, salt_principal
, (char **)&salt
.data
);
75 salt
.length
= strlen(salt
.data
);
77 kdc_log(r
->context
, r
->config
, 10,
78 "salt_fastuser_crypto: salt principal is %s (%d)",
79 (char *)salt
.data
, enctype
);
81 ret
= krb5_enctype_keysize(r
->context
, enctype
, &size
);
85 ret
= krb5_crypto_prfplus(r
->context
, fast_crypto
, &salt
,
86 size
, &dkey
.keyvalue
);
90 dkey
.keytype
= enctype
;
92 ret
= krb5_crypto_init(r
->context
, &dkey
, ENCTYPE_NULL
, salted_crypto
);
97 krb5_free_keyblock_contents(r
->context
, &dkey
);
98 krb5_data_free(&salt
);
99 krb5_free_principal(r
->context
, client_princ
);
104 static krb5_error_code
105 get_fastuser_crypto(astgs_request_t r
,
106 krb5_const_principal ticket_client
,
107 krb5_enctype enctype
,
110 krb5_principal fast_princ
;
112 hdb_entry
*fast_user
= NULL
;
113 Key
*cookie_key
= NULL
;
114 krb5_crypto fast_crypto
= NULL
;
119 ret
= krb5_make_principal(r
->context
, &fast_princ
,
120 KRB5_WELLKNOWN_ORG_H5L_REALM
,
121 KRB5_WELLKNOWN_NAME
, "org.h5l.fast-cookie", NULL
);
125 ret
= _kdc_db_fetch(r
->context
, r
->config
, fast_princ
,
126 HDB_F_GET_FAST_COOKIE
, NULL
, &fast_db
, &fast_user
);
130 if (enctype
== KRB5_ENCTYPE_NULL
)
131 ret
= _kdc_get_preferred_key(r
->context
, r
->config
, fast_user
,
132 "fast-cookie", &enctype
, &cookie_key
);
134 ret
= hdb_enctype2key(r
->context
, fast_user
, NULL
,
135 enctype
, &cookie_key
);
139 ret
= krb5_crypto_init(r
->context
, &cookie_key
->key
,
140 ENCTYPE_NULL
, &fast_crypto
);
144 ret
= salt_fastuser_crypto(r
, ticket_client
,
145 cookie_key
->key
.keytype
,
146 fast_crypto
, crypto
);
152 _kdc_free_ent(r
->context
, fast_db
, fast_user
);
154 krb5_crypto_destroy(r
->context
, fast_crypto
);
155 krb5_free_principal(r
->context
, fast_princ
);
161 static krb5_error_code
162 fast_parse_cookie(astgs_request_t r
,
163 krb5_const_principal ticket_client
,
166 krb5_crypto crypto
= NULL
;
172 ret
= decode_KDCFastCookie(pa
->padata_value
.data
,
173 pa
->padata_value
.length
,
178 if (len
!= pa
->padata_value
.length
|| strcmp("H5L1", data
.version
) != 0) {
179 free_KDCFastCookie(&data
);
180 return KRB5KDC_ERR_POLICY
;
183 ret
= get_fastuser_crypto(r
, ticket_client
, data
.cookie
.etype
, &crypto
);
187 ret
= krb5_decrypt_EncryptedData(r
->context
, crypto
,
190 krb5_crypto_destroy(r
->context
, crypto
);
194 ret
= decode_KDCFastState(d1
.data
, d1
.length
, &r
->fast
, &len
);
199 if (r
->fast
.expiration
< kdc_time
) {
200 kdc_log(r
->context
, r
->config
, 2, "FAST cookie expired");
201 ret
= KRB5KDC_ERR_POLICY
;
206 free_KDCFastCookie(&data
);
211 static krb5_error_code
212 fast_add_cookie(astgs_request_t r
,
213 krb5_const_principal ticket_client
,
214 METHOD_DATA
*method_data
)
216 krb5_crypto crypto
= NULL
;
222 memset(&shell
, 0, sizeof(shell
));
224 r
->fast
.expiration
= kdc_time
+ FAST_EXPIRATION_TIME
;
226 ASN1_MALLOC_ENCODE(KDCFastState
, data
.data
, data
.length
,
227 &r
->fast
, &size
, ret
);
230 heim_assert(size
== data
.length
, "internal asn.1 encoder error");
232 ret
= get_fastuser_crypto(r
, ticket_client
, KRB5_ENCTYPE_NULL
, &crypto
);
234 kdc_log(r
->context
, r
->config
, 0,
235 "Failed to find FAST principal for cookie encryption: %d", ret
);
239 ret
= krb5_encrypt_EncryptedData(r
->context
, crypto
,
241 data
.data
, data
.length
, 0,
243 krb5_crypto_destroy(r
->context
, crypto
);
247 krb5_data_free(&data
);
249 shell
.version
= "H5L1";
251 ASN1_MALLOC_ENCODE(KDCFastCookie
, data
.data
, data
.length
,
253 free_EncryptedData(&shell
.cookie
);
256 heim_assert(size
== data
.length
, "internal asn.1 encoder error");
258 ret
= krb5_padata_add(r
->context
, method_data
,
259 KRB5_PADATA_FX_COOKIE
,
260 data
.data
, data
.length
);
262 krb5_data_zero(&data
);
265 krb5_data_free(&data
);
270 _kdc_fast_mk_response(krb5_context context
,
271 krb5_crypto armor_crypto
,
272 METHOD_DATA
*pa_data
,
273 krb5_keyblock
*strengthen_key
,
274 KrbFastFinished
*finished
,
278 PA_FX_FAST_REPLY fxfastrep
;
279 KrbFastResponse fastrep
;
284 memset(&fxfastrep
, 0, sizeof(fxfastrep
));
285 memset(&fastrep
, 0, sizeof(fastrep
));
286 krb5_data_zero(data
);
289 fastrep
.padata
.val
= pa_data
->val
;
290 fastrep
.padata
.len
= pa_data
->len
;
292 fastrep
.strengthen_key
= strengthen_key
;
293 fastrep
.finished
= finished
;
294 fastrep
.nonce
= nonce
;
296 ASN1_MALLOC_ENCODE(KrbFastResponse
, buf
.data
, buf
.length
,
297 &fastrep
, &size
, ret
);
300 heim_assert(size
== buf
.length
, "internal asn.1 encoder error");
302 fxfastrep
.element
= choice_PA_FX_FAST_REPLY_armored_data
;
304 ret
= krb5_encrypt_EncryptedData(context
,
310 &fxfastrep
.u
.armored_data
.enc_fast_rep
);
311 krb5_data_free(&buf
);
315 ASN1_MALLOC_ENCODE(PA_FX_FAST_REPLY
, data
->data
, data
->length
,
316 &fxfastrep
, &size
, ret
);
317 free_PA_FX_FAST_REPLY(&fxfastrep
);
320 heim_assert(size
== data
->length
, "internal asn.1 encoder error");
327 _kdc_fast_mk_error(astgs_request_t r
,
328 METHOD_DATA
*error_method
,
329 krb5_crypto armor_crypto
,
330 const KDC_REQ_BODY
*req_body
,
331 krb5_error_code outer_error
,
332 krb5_principal error_client
,
333 krb5_principal error_server
,
334 time_t *csec
, int *cusec
,
335 krb5_data
*error_msg
)
341 krb5_data_zero(&e_data
);
343 heim_assert(r
!= NULL
, "invalid request in _kdc_fast_mk_error");
346 * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
348 if (armor_crypto
|| r
->fast
.fast_state
.len
) {
349 kdc_log(r
->context
, r
->config
, 5, "Adding FAST cookie for KRB-ERROR");
350 ret
= fast_add_cookie(r
, error_client
, error_method
);
352 kdc_log(r
->context
, r
->config
, 1,
353 "Failed to add FAST cookie: %d", ret
);
354 free_METHOD_DATA(error_method
);
360 PA_FX_FAST_REPLY fxfastrep
;
361 KrbFastResponse fastrep
;
363 memset(&fxfastrep
, 0, sizeof(fxfastrep
));
364 memset(&fastrep
, 0, sizeof(fastrep
));
366 kdc_log(r
->context
, r
->config
, 5, "Making FAST inner KRB-ERROR");
368 /* first add the KRB-ERROR to the fast errors */
370 ret
= krb5_mk_error(r
->context
,
380 kdc_log(r
->context
, r
->config
, 1,
381 "Failed to make inner KRB-ERROR: %d", ret
);
385 ret
= krb5_padata_add(r
->context
, error_method
,
386 KRB5_PADATA_FX_ERROR
,
387 e_data
.data
, e_data
.length
);
389 kdc_log(r
->context
, r
->config
, 1,
390 "Failed to make add FAST PADATA to inner KRB-ERROR: %d", ret
);
391 krb5_data_free(&e_data
);
395 outer_error
= KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
;
397 if (r
->fast
.flags
.requested_hidden_names
) {
404 ret
= _kdc_fast_mk_response(r
->context
, armor_crypto
,
405 error_method
, NULL
, NULL
,
406 req_body
->nonce
, &e_data
);
407 free_METHOD_DATA(error_method
);
409 kdc_log(r
->context
, r
->config
, 1,
410 "Failed to make outer KRB-ERROR: %d", ret
);
414 ret
= krb5_padata_add(r
->context
, error_method
,
416 e_data
.data
, e_data
.length
);
418 kdc_log(r
->context
, r
->config
, 1,
419 "Failed to make add FAST PADATA to outer KRB-ERROR: %d", ret
);
423 kdc_log(r
->context
, r
->config
, 5, "Making non-FAST KRB-ERROR");
425 if (error_method
&& error_method
->len
) {
426 ASN1_MALLOC_ENCODE(METHOD_DATA
, e_data
.data
, e_data
.length
,
427 error_method
, &size
, ret
);
429 kdc_log(r
->context
, r
->config
, 1,
430 "Failed to make encode METHOD-DATA: %d", ret
);
433 heim_assert(size
== e_data
.length
, "internal asn.1 encoder error");
436 ret
= krb5_mk_error(r
->context
,
439 (e_data
.length
? &e_data
: NULL
),
445 krb5_data_free(&e_data
);
448 kdc_log(r
->context
, r
->config
, 1,
449 "Failed to make encode KRB-ERROR: %d", ret
);
454 static krb5_error_code
455 fast_unwrap_request(astgs_request_t r
,
456 krb5_ticket
*tgs_ticket
,
457 krb5_auth_context tgs_ac
)
459 krb5_principal armor_server_principal
= NULL
;
460 char *armor_client_principal_name
= NULL
;
461 char *armor_server_principal_name
= NULL
;
462 PA_FX_FAST_REQUEST fxreq
;
463 krb5_auth_context ac
= NULL
;
464 krb5_ticket
*ticket
= NULL
;
465 krb5_flags ap_req_options
;
466 krb5_keyblock armorkey
;
467 krb5_keyblock explicit_armorkey
;
476 memset(&fxreq
, 0, sizeof(fxreq
));
477 memset(&fastreq
, 0, sizeof(fastreq
));
479 pa
= _kdc_find_padata(&r
->req
, &i
, KRB5_PADATA_FX_FAST
);
481 if (tgs_ac
&& r
->fast_asserted
) {
482 kdc_log(r
->context
, r
->config
, 1,
483 "Client asserted FAST but did not include FX-FAST pa-data");
484 ret
= KRB5KRB_AP_ERR_MODIFIED
;
488 kdc_log(r
->context
, r
->config
, 10, "Not a FAST request");
492 ret
= decode_PA_FX_FAST_REQUEST(pa
->padata_value
.data
,
493 pa
->padata_value
.length
,
497 kdc_log(r
->context
, r
->config
, 4,
498 "Failed to decode PA-FX-FAST-REQUEST: %d", ret
);
502 if (fxreq
.element
!= choice_PA_FX_FAST_REQUEST_armored_data
) {
503 kdc_log(r
->context
, r
->config
, 4,
504 "PA-FX-FAST-REQUEST contains unknown type: %d",
506 ret
= KRB5KDC_ERR_PREAUTH_FAILED
;
511 * If check for armor data or it's not a TGS-REQ with implicit
514 if (fxreq
.u
.armored_data
.armor
== NULL
&& tgs_ac
== NULL
) {
515 kdc_log(r
->context
, r
->config
, 4,
516 "AS-REQ armor missing");
517 ret
= KRB5KDC_ERR_PREAUTH_FAILED
;
521 r
->explicit_armor_present
= fxreq
.u
.armored_data
.armor
!= NULL
&& tgs_ac
!= NULL
;
526 if (fxreq
.u
.armored_data
.armor
!= NULL
) {
528 krb5uint32
*kvno_ptr
= NULL
;
530 if (fxreq
.u
.armored_data
.armor
->armor_type
!= 1) {
531 kdc_log(r
->context
, r
->config
, 4,
532 "Incorrect AS-REQ armor type");
533 ret
= KRB5KDC_ERR_PREAUTH_FAILED
;
537 ret
= krb5_decode_ap_req(r
->context
,
538 &fxreq
.u
.armored_data
.armor
->armor_value
,
541 kdc_log(r
->context
, r
->config
, 4, "Failed to decode AP-REQ");
545 /* Save that principal that was in the request */
546 ret
= _krb5_principalname2krb5_principal(r
->context
,
547 &armor_server_principal
,
549 ap_req
.ticket
.realm
);
551 free_AP_REQ(&ap_req
);
555 if (ap_req
.ticket
.enc_part
.kvno
!= NULL
) {
556 kvno
= *ap_req
.ticket
.enc_part
.kvno
;
560 ret
= _kdc_db_fetch(r
->context
, r
->config
, armor_server_principal
,
561 HDB_F_GET_KRBTGT
| HDB_F_DELAY_NEW_KEYS
,
563 &r
->armor_serverdb
, &r
->armor_server
);
564 if(ret
== HDB_ERR_NOT_FOUND_HERE
) {
565 free_AP_REQ(&ap_req
);
566 kdc_log(r
->context
, r
->config
, 5,
567 "Armor key does not have secrets at this KDC, "
571 free_AP_REQ(&ap_req
);
572 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
576 ret
= hdb_enctype2key(r
->context
, r
->armor_server
, NULL
,
577 ap_req
.ticket
.enc_part
.etype
,
580 free_AP_REQ(&ap_req
);
584 ret
= krb5_verify_ap_req2(r
->context
, &ac
,
586 armor_server_principal
,
591 KRB5_KU_AP_REQ_AUTH
);
592 free_AP_REQ(&ap_req
);
596 ret
= krb5_unparse_name(r
->context
, armor_server_principal
,
597 &armor_server_principal_name
);
601 /* FIXME krb5_verify_ap_req2() also checks this */
602 ret
= _kdc_verify_flags(r
->context
, r
->config
,
603 &r
->armor_ticket
->ticket
,
604 armor_server_principal_name
);
606 kdc_audit_addreason((kdc_request_t
)r
,
607 "Armor TGT expired or invalid");
610 ticket
= r
->armor_ticket
;
612 heim_assert(tgs_ticket
!= NULL
, "TGS authentication context without ticket");
617 (void) krb5_unparse_name(r
->context
, ticket
->client
, &armor_client_principal_name
);
618 kdc_audit_addkv((kdc_request_t
)r
, 0, "armor_client_name", "%s",
619 armor_client_principal_name
?
620 armor_client_principal_name
:
623 if (ac
->remote_subkey
== NULL
) {
624 krb5_auth_con_free(r
->context
, ac
);
625 kdc_log(r
->context
, r
->config
, 2,
626 "FAST AP-REQ remote subkey missing");
627 ret
= KRB5KDC_ERR_PREAUTH_FAILED
;
631 r
->fast
.flags
.kdc_verified
=
632 !_kdc_is_anonymous_pkinit(r
->context
, ticket
->client
);
634 ret
= _krb5_fast_armor_key(r
->context
,
638 r
->explicit_armor_present
? NULL
: &r
->armor_crypto
);
642 if (r
->explicit_armor_present
) {
643 ret
= _krb5_fast_explicit_armor_key(r
->context
,
645 tgs_ac
->remote_subkey
,
651 krb5_free_keyblock_contents(r
->context
, &explicit_armorkey
);
654 krb5_free_keyblock_contents(r
->context
, &armorkey
);
656 ret
= krb5_decrypt_EncryptedData(r
->context
, r
->armor_crypto
,
658 &fxreq
.u
.armored_data
.enc_fast_req
,
661 kdc_log(r
->context
, r
->config
, 2,
662 "Failed to decrypt FAST request");
666 ret
= decode_KrbFastReq(data
.data
, data
.length
, &fastreq
, NULL
);
667 krb5_data_free(&data
);
672 * verify req-checksum of the outer body
676 * -- For TGS, contains the checksum performed over the type
677 * -- AP-REQ in the PA-TGS-REQ padata.
680 pa
= _kdc_find_padata(&r
->req
, &i
, KRB5_PADATA_TGS_REQ
);
682 kdc_log(r
->context
, r
->config
, 4,
683 "FAST TGS request missing TGS-REQ padata");
684 ret
= KRB5KRB_ERR_GENERIC
;
688 ret
= _kdc_verify_checksum(r
->context
, r
->armor_crypto
,
689 KRB5_KU_FAST_REQ_CHKSUM
,
691 &fxreq
.u
.armored_data
.req_checksum
);
693 kdc_log(r
->context
, r
->config
, 2,
694 "Bad checksum in FAST TGS request");
699 * -- For AS, contains the checksum performed over the type
700 * -- KDC-REQ-BODY for the req-body field of the KDC-REQ
703 ret
= _kdc_verify_checksum(r
->context
, r
->armor_crypto
,
704 KRB5_KU_FAST_REQ_CHKSUM
,
705 &r
->req
.req_body
._save
,
706 &fxreq
.u
.armored_data
.req_checksum
);
708 kdc_log(r
->context
, r
->config
, 2,
709 "Bad checksum in FAST AS request");
715 * check for unsupported mandatory options
717 if (FastOptions2int(fastreq
.fast_options
) & 0xfffc) {
718 kdc_log(r
->context
, r
->config
, 2,
719 "FAST unsupported mandatory option set");
720 ret
= KRB5_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS
;
724 r
->fast
.flags
.requested_hidden_names
= fastreq
.fast_options
.hide_client_names
;
726 /* KDC MUST ignore outer pa data preauth-14 - 6.5.5 */
728 free_METHOD_DATA(r
->req
.padata
);
730 ALLOC(r
->req
.padata
);
732 ret
= copy_METHOD_DATA(&fastreq
.padata
, r
->req
.padata
);
736 free_KDC_REQ_BODY(&r
->req
.req_body
);
737 ret
= copy_KDC_REQ_BODY(&fastreq
.req_body
, &r
->req
.req_body
);
741 kdc_log(r
->context
, r
->config
, 5, "Client selected FAST");
744 if (ac
&& ac
!= tgs_ac
)
745 krb5_auth_con_free(r
->context
, ac
);
747 krb5_free_principal(r
->context
, armor_server_principal
);
748 krb5_xfree(armor_client_principal_name
);
749 krb5_xfree(armor_server_principal_name
);
751 free_KrbFastReq(&fastreq
);
752 free_PA_FX_FAST_REQUEST(&fxreq
);
761 _kdc_fast_unwrap_request(astgs_request_t r
,
762 krb5_ticket
*tgs_ticket
,
763 krb5_auth_context tgs_ac
)
769 if (!r
->config
->enable_fast
)
772 ret
= fast_unwrap_request(r
, tgs_ticket
, tgs_ac
);
777 * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
779 pa
= _kdc_find_padata(&r
->req
, &i
, KRB5_PADATA_FX_COOKIE
);
781 krb5_const_principal ticket_client
= NULL
;
784 ticket_client
= tgs_ticket
->client
;
786 ret
= fast_parse_cookie(r
, ticket_client
, pa
);
793 * Strengthen reply key by mixing with a random key that is
797 _kdc_fast_strengthen_reply_key(astgs_request_t r
)
799 if (r
->armor_crypto
) {
800 krb5_keyblock new_reply_key
;
803 kdc_log(r
->context
, r
->config
, 5,
804 "FAST strengthen reply key with strengthen-key");
806 heim_assert(r
->reply_key
.keytype
!= KRB5_ENCTYPE_NULL
, "NULL reply key enctype");
808 ret
= krb5_generate_random_keyblock(r
->context
, r
->reply_key
.keytype
,
811 kdc_log(r
->context
, r
->config
, 0, "failed to prepare random keyblock");
815 ret
= _krb5_fast_cf2(r
->context
,
816 &r
->strengthen_key
, "strengthenkey",
817 &r
->reply_key
, "replykey",
818 &new_reply_key
, NULL
);
822 krb5_free_keyblock_contents(r
->context
, &r
->reply_key
);
823 r
->reply_key
= new_reply_key
;
830 * Zero and free KDCFastState
833 _kdc_free_fast_state(KDCFastState
*state
)
837 for (i
= 0; i
< state
->fast_state
.len
; i
++) {
838 PA_DATA
*pa
= &state
->fast_state
.val
[i
];
840 if (pa
->padata_value
.data
)
841 memset_s(pa
->padata_value
.data
, 0,
842 pa
->padata_value
.length
, pa
->padata_value
.length
);
844 free_KDCFastState(state
);
848 _kdc_fast_check_armor_pac(astgs_request_t r
, int flags
)
851 krb5_boolean ad_kdc_issued
= FALSE
;
852 krb5_pac mspac
= NULL
;
853 krb5_principal armor_client_principal
= NULL
;
855 hdb_entry
*armor_client
= NULL
;
856 char *armor_client_principal_name
= NULL
;
858 flags
|= HDB_F_ARMOR_PRINCIPAL
;
859 if (_kdc_synthetic_princ_used_p(r
->context
, r
->armor_ticket
))
860 flags
|= HDB_F_SYNTHETIC_OK
;
861 if (r
->req
.req_body
.kdc_options
.canonicalize
)
862 flags
|= HDB_F_CANON
;
864 ret
= _krb5_principalname2krb5_principal(r
->context
,
865 &armor_client_principal
,
866 r
->armor_ticket
->ticket
.cname
,
867 r
->armor_ticket
->ticket
.crealm
);
871 ret
= krb5_unparse_name(r
->context
, armor_client_principal
,
872 &armor_client_principal_name
);
876 ret
= _kdc_db_fetch_client(r
->context
, r
->config
, flags
,
877 armor_client_principal
, armor_client_principal_name
,
878 r
->req
.req_body
.realm
, &armor_db
, &armor_client
);
882 ret
= kdc_check_flags(r
, FALSE
, armor_client
, NULL
);
886 ret
= _kdc_check_pac(r
, armor_client_principal
, NULL
,
887 armor_client
, r
->armor_server
,
888 r
->armor_server
, r
->armor_server
,
889 &r
->armor_key
->key
, &r
->armor_key
->key
,
890 &r
->armor_ticket
->ticket
, &ad_kdc_issued
, &mspac
, NULL
, NULL
);
892 const char *msg
= krb5_get_error_message(r
->context
, ret
);
894 kdc_log(r
->context
, r
->config
, 4,
895 "Verify armor PAC (%s) failed for %s (%s) from %s with %s (%s)",
896 armor_client_principal_name
, r
->cname
, r
->sname
,
897 r
->from
, msg
, mspac
? "Ticket unsigned" : "No PAC");
899 krb5_free_error_message(r
->context
, msg
);
904 if (r
->explicit_armor_present
) {
905 r
->explicit_armor_clientdb
= armor_db
;
908 r
->explicit_armor_client
= armor_client
;
911 r
->explicit_armor_pac
= mspac
;
916 krb5_xfree(armor_client_principal_name
);
918 _kdc_free_ent(r
->context
, armor_db
, armor_client
);
919 krb5_free_principal(r
->context
, armor_client_principal
);
920 krb5_pac_free(r
->context
, mspac
);