2 * Copyright (c) 2011 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
39 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
40 _krb5_fast_cf2(krb5_context context,
45 krb5_keyblock *armorkey,
46 krb5_crypto *armor_crypto)
48 krb5_crypto crypto1, crypto2;
52 ret = krb5_crypto_init(context, key1, 0, &crypto1);
56 ret = krb5_crypto_init(context, key2, 0, &crypto2);
58 krb5_crypto_destroy(context, crypto1);
62 pa1.data = rk_UNCONST(pepper1);
63 pa1.length = strlen(pepper1);
64 pa2.data = rk_UNCONST(pepper2);
65 pa2.length = strlen(pepper2);
67 ret = krb5_crypto_fx_cf2(context, crypto1, crypto2, &pa1, &pa2,
68 key1->keytype, armorkey);
69 krb5_crypto_destroy(context, crypto1);
70 krb5_crypto_destroy(context, crypto2);
75 ret = krb5_crypto_init(context, armorkey, 0, armor_crypto);
77 krb5_free_keyblock_contents(context, armorkey);
83 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
84 _krb5_fast_armor_key(krb5_context context,
85 krb5_keyblock *subkey,
86 krb5_keyblock *sessionkey,
87 krb5_keyblock *armorkey,
88 krb5_crypto *armor_crypto)
90 return _krb5_fast_cf2(context,
99 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
100 _krb5_fast_explicit_armor_key(krb5_context context,
101 krb5_keyblock *armorkey,
102 krb5_keyblock *subkey,
103 krb5_keyblock *explicit_armorkey,
104 krb5_crypto *explicit_armor_crypto)
106 return _krb5_fast_cf2(context,
112 explicit_armor_crypto);
115 static krb5_error_code
116 check_fast(krb5_context context, struct krb5_fast_state *state)
118 if (state && (state->flags & KRB5_FAST_EXPECTED)) {
119 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
120 "Expected FAST, but no FAST "
121 "was in the response from the KDC");
122 return KRB5KRB_AP_ERR_MODIFIED;
127 static krb5_error_code
128 make_local_fast_ap_fxarmor(krb5_context context,
129 krb5_ccache armor_ccache,
130 krb5_const_realm realm,
131 krb5_data *armor_value,
132 krb5_keyblock *armor_key,
133 krb5_crypto *armor_crypto)
135 krb5_auth_context auth_context = NULL;
136 krb5_creds cred, *credp = NULL;
139 krb5_const_realm tgs_realm;
141 krb5_data_zero(&empty);
142 memset(&cred, 0, sizeof(cred));
144 ret = krb5_auth_con_init (context, &auth_context);
148 ret = krb5_cc_get_principal(context, armor_ccache, &cred.client);
153 * Make sure we don't ask for a krbtgt/WELLKNOWN:ANONYMOUS
155 if (krb5_principal_is_anonymous(context, cred.client,
156 KRB5_ANON_MATCH_UNAUTHENTICATED))
159 tgs_realm = cred.client->realm;
161 ret = krb5_make_principal(context, &cred.server,
169 ret = krb5_get_credentials(context, 0, armor_ccache, &cred, &credp);
173 ret = krb5_auth_con_add_AuthorizationData(context, auth_context,
174 KRB5_AUTHDATA_FX_FAST_ARMOR,
179 ret = krb5_mk_req_extended(context,
188 ret = _krb5_fast_armor_key(context,
189 auth_context->local_subkey,
190 auth_context->keyblock,
198 krb5_auth_con_free(context, auth_context);
200 krb5_free_creds(context, credp);
201 krb5_free_principal(context, cred.server);
202 krb5_free_principal(context, cred.client);
208 static heim_base_once_t armor_service_once = HEIM_BASE_ONCE_INIT;
209 static heim_ipc armor_service = NULL;
212 fast_armor_init_ipc(void *ctx)
215 heim_ipc_init_context("ANY:org.h5l.armor-service", ipc);
219 static krb5_error_code
220 make_fast_ap_fxarmor(krb5_context context,
221 struct krb5_fast_state *state,
222 krb5_const_realm realm,
223 KrbFastArmor **armor)
225 KrbFastArmor *fxarmor = NULL;
229 if (fxarmor == NULL) {
234 if (state->flags & KRB5_FAST_AP_ARMOR_SERVICE) {
236 krb5_set_error_message(context, ENOTSUP, "Fast armor IPC service not supportted yet on Windows");
240 KERB_ARMOR_SERVICE_REPLY msg;
241 krb5_data request, reply;
243 heim_base_once_f(&armor_service_once, &armor_service, fast_armor_init_ipc);
244 if (armor_service == NULL) {
245 krb5_set_error_message(context, ENOENT, "Failed to open fast armor service");
250 krb5_data_zero(&reply);
252 request.data = rk_UNCONST(realm);
253 request.length = strlen(realm);
255 ret = heim_ipc_call(armor_service, &request, &reply, NULL);
257 krb5_set_error_message(context, ret, "Failed to get armor service credential");
261 ret = decode_KERB_ARMOR_SERVICE_REPLY(reply.data, reply.length, &msg, NULL);
262 krb5_data_free(&reply);
266 ret = copy_KrbFastArmor(fxarmor, &msg.armor);
268 free_KERB_ARMOR_SERVICE_REPLY(&msg);
272 ret = krb5_copy_keyblock_contents(context, &msg.armor_key, &state->armor_key);
273 free_KERB_ARMOR_SERVICE_REPLY(&msg);
277 ret = krb5_crypto_init(context, &state->armor_key, 0, &state->armor_crypto);
282 fxarmor->armor_type = 1;
284 ret = make_local_fast_ap_fxarmor(context,
287 &fxarmor->armor_value,
289 &state->armor_crypto);
300 free_KrbFastArmor(fxarmor);
306 static krb5_error_code
307 unwrap_fast_rep(krb5_context context,
308 struct krb5_fast_state *state,
310 KrbFastResponse *fastrep)
312 PA_FX_FAST_REPLY fxfastrep;
315 memset(&fxfastrep, 0, sizeof(fxfastrep));
317 ret = decode_PA_FX_FAST_REPLY(pa->padata_value.data,
318 pa->padata_value.length,
323 if (fxfastrep.element == choice_PA_FX_FAST_REPLY_armored_data) {
326 ret = krb5_decrypt_EncryptedData(context,
329 &fxfastrep.u.armored_data.enc_fast_rep,
334 ret = decode_KrbFastResponse(data.data, data.length, fastrep, NULL);
335 krb5_data_free(&data);
340 ret = KRB5KDC_ERR_PREAUTH_FAILED;
345 free_PA_FX_FAST_REPLY(&fxfastrep);
350 static krb5_error_code
351 set_anon_principal(krb5_context context, PrincipalName **p)
358 (*p)->name_type = KRB5_NT_PRINCIPAL;
360 ALLOC_SEQ(&(*p)->name_string, 2);
361 if ((*p)->name_string.val == NULL)
364 (*p)->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME);
365 if ((*p)->name_string.val[0] == NULL)
368 (*p)->name_string.val[1] = strdup(KRB5_ANON_NAME);
369 if ((*p)->name_string.val[1] == NULL)
375 if ((*p)->name_string.val) {
376 free((*p)->name_string.val[0]);
377 free((*p)->name_string.val[1]);
378 free((*p)->name_string.val);
383 return krb5_enomem(context);
387 _krb5_fast_create_armor(krb5_context context,
388 struct krb5_fast_state *state,
393 if (state->armor_crypto == NULL) {
394 if (state->armor_ccache || state->armor_ac || (state->flags & KRB5_FAST_AP_ARMOR_SERVICE)) {
396 * Instead of keeping state in FX_COOKIE in the KDC, we
397 * rebuild a new armor key for every request, because this
398 * is what the MIT KDC expect and RFC6113 is vage about
399 * what the behavior should be.
401 state->type = choice_PA_FX_FAST_REQUEST_armored_data;
403 return check_fast(context, state);
407 if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
408 if (state->armor_crypto)
409 krb5_crypto_destroy(context, state->armor_crypto);
410 krb5_free_keyblock_contents(context, &state->armor_key);
413 * If we have a armor auth context, its because the caller
414 * wants us to do an implicit FAST armor (TGS-REQ).
416 if (state->armor_ac) {
417 heim_assert((state->flags & KRB5_FAST_AS_REQ) == 0, "FAST AS with AC");
419 ret = _krb5_fast_armor_key(context,
420 state->armor_ac->local_subkey,
421 state->armor_ac->keyblock,
423 &state->armor_crypto);
427 heim_assert((state->flags & KRB5_FAST_AS_REQ) != 0, "FAST TGS without AC");
429 if (state->armor_data) {
430 free_KrbFastArmor(state->armor_data);
431 free(state->armor_data);
433 ret = make_fast_ap_fxarmor(context, state, realm,
439 heim_abort("unknown state type: %d", (int)state->type);
447 _krb5_fast_wrap_req(krb5_context context,
448 struct krb5_fast_state *state,
449 krb5_data *checksum_data,
452 PA_FX_FAST_REQUEST fxreq;
455 krb5_data data, aschecksum_data;
458 if (state->flags & KRB5_FAST_DISABLED) {
459 _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
463 memset(&fxreq, 0, sizeof(fxreq));
464 memset(&fastreq, 0, sizeof(fastreq));
465 krb5_data_zero(&data);
466 krb5_data_zero(&aschecksum_data);
468 if (state->armor_crypto == NULL)
469 return check_fast(context, state);
471 state->flags |= KRB5_FAST_EXPECTED;
473 fastreq.fast_options.hide_client_names = 1;
475 ret = copy_KDC_REQ_BODY(&req->req_body, &fastreq.req_body);
480 * In the case of a AS-REQ, remove all account names. Want to this
481 * for TGS-REQ too, but due to layering this is tricky.
483 * 1. TGS-REQ need checksum of REQ-BODY
484 * 2. FAST needs checksum of TGS-REQ, so, FAST needs to happen after TGS-REQ
485 * 3. FAST privacy mangaling needs to happen before TGS-REQ does the checksum in 1.
487 * So lets not modify the bits for now for TGS-REQ
489 if (state->flags & KRB5_FAST_AS_REQ) {
490 free_KDC_REQ_BODY(&req->req_body);
492 req->req_body.realm = strdup(KRB5_ANON_REALM);
493 if (req->req_body.realm == NULL) {
494 ret = krb5_enomem(context);
498 ret = set_anon_principal(context, &req->req_body.cname);
502 ALLOC(req->req_body.till, 1);
503 *req->req_body.till = 0;
505 heim_assert(checksum_data == NULL, "checksum data not NULL");
507 ASN1_MALLOC_ENCODE(KDC_REQ_BODY,
508 aschecksum_data.data,
509 aschecksum_data.length,
514 heim_assert(aschecksum_data.length == size, "ASN.1 internal error");
516 checksum_data = &aschecksum_data;
520 ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
521 free_METHOD_DATA(req->padata);
525 ALLOC(req->padata, 1);
526 if (req->padata == NULL) {
527 ret = krb5_enomem(context);
532 ASN1_MALLOC_ENCODE(KrbFastReq, data.data, data.length, &fastreq, &size, ret);
535 heim_assert(data.length == size, "ASN.1 internal error");
537 fxreq.element = state->type;
539 if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
540 fxreq.u.armored_data.armor = state->armor_data;
541 state->armor_data = NULL;
545 heim_assert(state->armor_crypto != NULL,
546 "FAST armor key missing when FAST started");
548 ret = krb5_create_checksum(context, state->armor_crypto,
549 KRB5_KU_FAST_REQ_CHKSUM, 0,
551 checksum_data->length,
552 &fxreq.u.armored_data.req_checksum);
556 ret = krb5_encrypt_EncryptedData(context, state->armor_crypto,
561 &fxreq.u.armored_data.enc_fast_req);
562 krb5_data_free(&data);
567 krb5_data_free(&data);
568 heim_assert(false, "unknown FAST type, internal error");
571 ASN1_MALLOC_ENCODE(PA_FX_FAST_REQUEST, data.data, data.length, &fxreq, &size, ret);
574 heim_assert(data.length == size, "ASN.1 internal error");
577 ret = krb5_padata_add(context, req->padata, KRB5_PADATA_FX_FAST, data.data, data.length);
580 krb5_data_zero(&data);
583 free_KrbFastReq(&fastreq);
584 free_PA_FX_FAST_REQUEST(&fxreq);
585 krb5_data_free(&data);
586 krb5_data_free(&aschecksum_data);
592 _krb5_fast_unwrap_error(krb5_context context,
594 struct krb5_fast_state *state,
598 KrbFastResponse fastrep;
603 if (state->armor_crypto == NULL)
604 return check_fast(context, state);
606 memset(&fastrep, 0, sizeof(fastrep));
609 pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, &idx);
611 ret = KRB5_KDCREP_MODIFIED;
612 krb5_set_error_message(context, ret,
613 N_("FAST fast response is missing FX-FAST", ""));
617 ret = unwrap_fast_rep(context, state, pa, &fastrep);
621 if (fastrep.strengthen_key || nonce != (int32_t)fastrep.nonce) {
622 ret = KRB5KDC_ERR_PREAUTH_FAILED;
627 pa = krb5_find_padata(fastrep.padata.val, fastrep.padata.len, KRB5_PADATA_FX_ERROR, &idx);
629 ret = KRB5_KDCREP_MODIFIED;
630 krb5_set_error_message(context, ret, N_("No wrapped error", ""));
634 free_KRB_ERROR(error);
636 ret = krb5_rd_error(context, &pa->padata_value, error);
641 _krb5_debug(context, 10, "FAST wrapped KBB_ERROR contained e_data: %d",
642 (int)error->e_data->length);
644 free_METHOD_DATA(md);
645 md->val = fastrep.padata.val;
646 md->len = fastrep.padata.len;
648 fastrep.padata.val = NULL;
649 fastrep.padata.len = 0;
652 free_KrbFastResponse(&fastrep);
657 _krb5_fast_unwrap_kdc_rep(krb5_context context, int32_t nonce,
658 krb5_data *chksumdata,
659 struct krb5_fast_state *state, AS_REP *rep)
661 KrbFastResponse fastrep;
666 if (state == NULL || state->armor_crypto == NULL || rep->padata == NULL)
667 return check_fast(context, state);
669 /* find PA_FX_FAST_REPLY */
671 pa = krb5_find_padata(rep->padata->val, rep->padata->len,
672 KRB5_PADATA_FX_FAST, &idx);
674 return check_fast(context, state);
676 memset(&fastrep, 0, sizeof(fastrep));
678 ret = unwrap_fast_rep(context, state, pa, &fastrep);
682 free_METHOD_DATA(rep->padata);
683 ret = copy_METHOD_DATA(&fastrep.padata, rep->padata);
687 if (fastrep.strengthen_key) {
688 if (state->strengthen_key)
689 krb5_free_keyblock(context, state->strengthen_key);
691 ret = krb5_copy_keyblock(context, fastrep.strengthen_key, &state->strengthen_key);
696 if (nonce != (int32_t)fastrep.nonce) {
697 ret = KRB5KDC_ERR_PREAUTH_FAILED;
700 if (fastrep.finished) {
702 krb5_realm crealm = NULL;
704 if (chksumdata == NULL) {
705 ret = KRB5KDC_ERR_PREAUTH_FAILED;
709 ret = krb5_verify_checksum(context, state->armor_crypto,
710 KRB5_KU_FAST_FINISHED,
711 chksumdata->data, chksumdata->length,
712 &fastrep.finished->ticket_checksum);
717 ret = copy_Realm(&fastrep.finished->crealm, &crealm);
720 free_Realm(&rep->crealm);
721 rep->crealm = crealm;
723 ret = copy_PrincipalName(&fastrep.finished->cname, &cname);
726 free_PrincipalName(&rep->cname);
728 } else if (chksumdata) {
729 /* expected fastrep.finish but didn't get it */
730 ret = KRB5KDC_ERR_PREAUTH_FAILED;
734 free_KrbFastResponse(&fastrep);
739 _krb5_fast_free(krb5_context context, struct krb5_fast_state *state)
741 if (state->armor_ccache) {
742 if (state->flags & KRB5_FAST_ANON_PKINIT_ARMOR)
743 krb5_cc_destroy(context, state->armor_ccache);
745 krb5_cc_close(context, state->armor_ccache);
747 if (state->armor_service)
748 krb5_free_principal(context, state->armor_service);
749 if (state->armor_crypto)
750 krb5_crypto_destroy(context, state->armor_crypto);
751 if (state->strengthen_key)
752 krb5_free_keyblock(context, state->strengthen_key);
753 krb5_free_keyblock_contents(context, &state->armor_key);
754 if (state->armor_data) {
755 free_KrbFastArmor(state->armor_data);
756 free(state->armor_data);
759 if (state->anon_pkinit_ctx)
760 krb5_init_creds_free(context, state->anon_pkinit_ctx);
761 if (state->anon_pkinit_opt)
762 krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
764 memset(state, 0, sizeof(*state));
768 _krb5_fast_anon_pkinit_step(krb5_context context,
769 krb5_init_creds_context ctx,
770 struct krb5_fast_state *state,
773 krb5_krbhst_info *hostinfo,
777 krb5_const_realm realm = _krb5_init_creds_get_cred_client(context, ctx)->realm;
778 krb5_init_creds_context anon_pk_ctx;
779 krb5_principal principal = NULL, anon_pk_client;
780 krb5_ccache ccache = NULL;
782 krb5_data data = { 3, rk_UNCONST("yes") };
784 memset(&cred, 0, sizeof(cred));
786 if (state->anon_pkinit_opt == NULL) {
787 ret = krb5_get_init_creds_opt_alloc(context, &state->anon_pkinit_opt);
791 krb5_get_init_creds_opt_set_tkt_life(state->anon_pkinit_opt, 60);
792 krb5_get_init_creds_opt_set_anonymous(state->anon_pkinit_opt, TRUE);
794 ret = krb5_make_principal(context, &principal, realm,
795 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL);
799 ret = krb5_get_init_creds_opt_set_pkinit(context,
800 state->anon_pkinit_opt,
802 NULL, NULL, NULL, NULL,
803 KRB5_GIC_OPT_PKINIT_ANONYMOUS |
804 KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR,
809 ret = krb5_init_creds_init(context, principal, NULL, NULL,
810 _krb5_init_creds_get_cred_starttime(context, ctx),
811 state->anon_pkinit_opt,
812 &state->anon_pkinit_ctx);
817 anon_pk_ctx = state->anon_pkinit_ctx;
819 ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, hostinfo, flags);
821 (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
824 ret = krb5_process_last_request(context, state->anon_pkinit_opt, anon_pk_ctx);
828 ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache);
832 ret = krb5_init_creds_get_creds(context, anon_pk_ctx, &cred);
836 if (!cred.flags.b.enc_pa_rep) {
837 ret = KRB5KDC_ERR_BADOPTION; /* KDC does not support FAST */
841 anon_pk_client = _krb5_init_creds_get_cred_client(context, anon_pk_ctx);
843 ret = krb5_cc_initialize(context, ccache, anon_pk_client);
847 ret = krb5_cc_store_cred(context, ccache, &cred);
851 ret = krb5_cc_set_config(context, ccache, cred.server,
852 "fast_avail", &data);
856 if (_krb5_pk_is_kdc_verified(context, state->anon_pkinit_opt))
857 state->flags |= KRB5_FAST_KDC_VERIFIED;
859 state->flags &= ~(KRB5_FAST_KDC_VERIFIED);
861 state->armor_ccache = ccache;
864 krb5_init_creds_free(context, state->anon_pkinit_ctx);
865 state->anon_pkinit_ctx = NULL;
867 krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
868 state->anon_pkinit_opt = NULL;
870 *flags |= KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
873 krb5_free_principal(context, principal);
874 krb5_free_cred_contents(context, &cred);
876 krb5_cc_destroy(context, ccache);