search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fill in more bits
[heimdal.git] / kdc / fast.c
blobc0b2c4d3c9856c2709ad597955062bca3a7c20b9
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kdc_locl.h"
37
38 krb5_error_code
39 _kdc_fast_mk_response(krb5_context context,
40 krb5_crypto armor_crypto,
41 METHOD_DATA *pa_data,
42 krb5_keyblock *strengthen_key,
43 KrbFastFinished *finished,
44 krb5uint32 nonce,
45 krb5_data *data)
46 {
47 PA_FX_FAST_REPLY fxfastrep;
48 KrbFastResponse fastrep;
49 krb5_error_code ret;
50 krb5_data buf;
51 size_t size;
52
53 memset(&fxfastrep, 0, sizeof(fxfastrep));
54 memset(&fastrep, 0, sizeof(fastrep));
55 krb5_data_zero(data);
56
57 if (pa_data) {
58 fastrep.padata.val = pa_data->val;
59 fastrep.padata.len = pa_data->len;
60 }
61 fastrep.strengthen_key = strengthen_key;
62 fastrep.finished = finished;
63 fastrep.nonce = nonce;
64
65 ASN1_MALLOC_ENCODE(KrbFastResponse, buf.data, buf.length,
66 &fastrep, &size, ret);
67 if (ret)
68 return ret;
69 if (buf.length != size)
70 krb5_abortx(context, "internal asn.1 error");
71
72 fxfastrep.element = choice_PA_FX_FAST_REPLY_armored_data;
73
74 ret = krb5_encrypt_EncryptedData(context,
75 armor_crypto,
76 KRB5_KU_FAST_REP,
77 buf.data,
78 buf.length,
79 0,
80 &fxfastrep.u.armored_data.enc_fast_rep);
81 krb5_data_free(&buf);
82 if (ret)
83 return ret;
84
85 ASN1_MALLOC_ENCODE(PA_FX_FAST_REPLY, data->data, data->length,
86 &fxfastrep, &size, ret);
87 free_PA_FX_FAST_REPLY(&fxfastrep);
88 if (ret)
89 return ret;
90 if (data->length != size)
91 krb5_abortx(context, "internal asn.1 error");
92
93 return 0;
94 }
95
96
97 krb5_error_code
98 _kdc_fast_mk_error(krb5_context context,
99 METHOD_DATA *error_method,
100 krb5_crypto armor_crypto,
101 const KDC_REQ_BODY *req_body,
102 krb5_error_code outer_error,
103 const char *e_text,
104 krb5_principal error_client,
105 krb5_principal error_server,
106 time_t *csec, int *cusec,
107 krb5_data *error_msg)
108 {
109 krb5_error_code ret;
110 krb5_data e_data;
111 size_t size;
112
113 krb5_data_zero(&e_data);
114
115 if (armor_crypto) {
116 PA_FX_FAST_REPLY fxfastrep;
117 KrbFastResponse fastrep;
118
119 memset(&fxfastrep, 0, sizeof(fxfastrep));
120 memset(&fastrep, 0, sizeof(fastrep));
121
122 /* first add the KRB-ERROR to the fast errors */
123
124 ret = krb5_mk_error(context,
125 outer_error,
126 e_text,
127 NULL,
128 error_client,
129 error_server,
130 NULL,
131 NULL,
132 &e_data);
133 if (ret)
134 return ret;
135
136 ret = krb5_padata_add(context, error_method,
137 KRB5_PADATA_FX_ERROR,
138 e_data.data, e_data.length);
139 if (ret) {
140 krb5_data_free(&e_data);
141 return ret;
142 }
143
144 if (/* hide_principal */ 0) {
145 error_client = NULL;
146 error_server = NULL;
147 e_text = NULL;
148 }
149
150 ret = krb5_padata_add(context, error_method,
151 KRB5_PADATA_FX_COOKIE,
152 NULL, 0);
153 if (ret)
154 return ret;
155
156 ret = _kdc_fast_mk_response(context, armor_crypto,
157 error_method, NULL, NULL,
158 req_body->nonce, &e_data);
159 free_METHOD_DATA(error_method);
160 if (ret)
161 return ret;
162
163 ret = krb5_padata_add(context, error_method,
164 KRB5_PADATA_FX_FAST,
165 e_data.data, e_data.length);
166 if (ret)
167 return ret;
168
169 if (ret)
170 return ret;
171 }
172
173 if (error_method && error_method->len) {
174 ASN1_MALLOC_ENCODE(METHOD_DATA, e_data.data, e_data.length,
175 error_method, &size, ret);
176 if (ret)
177 return ret;
178 if (e_data.length != size)
179 krb5_abortx(context, "internal asn.1 error");
180 }
181
182 ret = krb5_mk_error(context,
183 outer_error,
184 e_text,
185 (e_data.length ? &e_data : NULL),
186 error_client,
187 error_server,
188 csec,
189 cusec,
190 error_msg);
191 krb5_data_free(&e_data);
192
193 return ret;
194 }
195
196
197 krb5_error_code
198 _kdc_fast_unwrap_request(kdc_request_t r)
199 {
200 krb5_principal armor_server = NULL;
201 hdb_entry_ex *armor_user = NULL;
202 PA_FX_FAST_REQUEST fxreq;
203 krb5_auth_context ac = NULL;
204 krb5_ticket *ticket = NULL;
205 krb5_flags ap_req_options;
206 Key *armor_key = NULL;
207 krb5_keyblock armorkey;
208 krb5_error_code ret;
209 krb5_ap_req ap_req;
210 unsigned char *buf;
211 KrbFastReq fastreq;
212 size_t len, size;
213 krb5_data data;
214 const PA_DATA *pa;
215 int i = 0;
216
217 pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_FAST);
218 if (pa == NULL)
219 return 0;
220
221 ret = decode_PA_FX_FAST_REQUEST(pa->padata_value.data,
222 pa->padata_value.length,
223 &fxreq,
224 &len);
225 if (ret)
226 goto out;
227 if (len != pa->padata_value.length) {
228 ret = KRB5KDC_ERR_PREAUTH_FAILED;
229 goto out;
230 }
231
232 if (fxreq.element != choice_PA_FX_FAST_REQUEST_armored_data) {
233 kdc_log(r->context, r->config, 0,
234 "AS-REQ FAST contain unknown type: %d", (int)fxreq.element);
235 ret = KRB5KDC_ERR_PREAUTH_FAILED;
236 goto out;
237 }
238
239 /* pull out armor key */
240 if (fxreq.u.armored_data.armor == NULL) {
241 kdc_log(r->context, r->config, 0,
242 "AS-REQ armor missing");
243 ret = KRB5KDC_ERR_PREAUTH_FAILED;
244 goto out;
245 }
246
247 if (fxreq.u.armored_data.armor->armor_type != 1) {
248 kdc_log(r->context, r->config, 0,
249 "AS-REQ armor type not ap-req");
250 ret = KRB5KDC_ERR_PREAUTH_FAILED;
251 goto out;
252 }
253
254 ret = krb5_decode_ap_req(r->context,
255 &fxreq.u.armored_data.armor->armor_value,
256 &ap_req);
257 if(ret) {
258 kdc_log(r->context, r->config, 0, "AP-REQ decode failed");
259 goto out;
260 }
261
262 /* Save that principal that was in the request */
263 ret = _krb5_principalname2krb5_principal(r->context,
264 &armor_server,
265 ap_req.ticket.sname,
266 ap_req.ticket.realm);
267 if (ret) {
268 free_AP_REQ(&ap_req);
269 goto out;
270 }
271
272 ret = _kdc_db_fetch(r->context, r->config, armor_server,
273 HDB_F_GET_SERVER, NULL, NULL, &armor_user);
274 if(ret == HDB_ERR_NOT_FOUND_HERE) {
275 kdc_log(r->context, r->config, 5,
276 "armor key does not have secrets at this KDC, "
277 "need to proxy");
278 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
279 goto out;
280 } if(ret){
281 free_AP_REQ(&ap_req);
282 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
283 goto out;
284 }
285
286 ret = hdb_enctype2key(r->context, &armor_user->entry,
287 ap_req.ticket.enc_part.etype,
288 &armor_key);
289 if (ret) {
290 free_AP_REQ(&ap_req);
291 goto out;
292 }
293
294 ret = krb5_verify_ap_req2(r->context, &ac,
295 &ap_req,
296 armor_server,
297 &armor_key->key,
298 0,
299 &ap_req_options,
300 &ticket,
301 KRB5_KU_AP_REQ_AUTH);
302 free_AP_REQ(&ap_req);
303 if (ret)
304 goto out;
305
306 if (ac->remote_subkey == NULL) {
307 krb5_auth_con_free(r->context, ac);
308 kdc_log(r->context, r->config, 0,
309 "FAST AP-REQ remote subkey missing");
310 ret = KRB5KDC_ERR_PREAUTH_FAILED;
311 goto out;
312 }
313
314 ret = _krb5_fast_armor_key(r->context,
315 ac->remote_subkey,
316 &ticket->ticket.key,
317 &armorkey,
318 &r->armor_crypto);
319 krb5_auth_con_free(r->context, ac);
320 krb5_free_ticket(r->context, ticket);
321 if (ret)
322 goto out;
323
324 krb5_free_keyblock_contents(r->context, &armorkey);
325
326 /* verify req-checksum of the outer body */
327
328 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, len, &r->req.req_body, &size, ret);
329 if (ret)
330 goto out;
331 if (size != len) {
332 ret = KRB5KDC_ERR_PREAUTH_FAILED;
333 goto out;
334 }
335
336 ret = krb5_verify_checksum(r->context, r->armor_crypto,
337 KRB5_KU_FAST_REQ_CHKSUM,
338 buf, len,
339 &fxreq.u.armored_data.req_checksum);
340 free(buf);
341 if (ret) {
342 kdc_log(r->context, r->config, 0,
343 "FAST request have a bad checksum");
344 goto out;
345 }
346
347 ret = krb5_decrypt_EncryptedData(r->context, r->armor_crypto,
348 KRB5_KU_FAST_ENC,
349 &fxreq.u.armored_data.enc_fast_req,
350 &data);
351 if (ret) {
352 kdc_log(r->context, r->config, 0,
353 "Failed to decrypt FAST request");
354 goto out;
355 }
356
357 ret = decode_KrbFastReq(data.data, data.length, &fastreq, &size);
358 if (ret) {
359 krb5_data_free(&data);
360 goto out;
361 }
362 if (data.length != size) {
363 krb5_data_free(&data);
364 ret = KRB5KDC_ERR_PREAUTH_FAILED;
365 goto out;
366 }
367 krb5_data_free(&data);
368
369 free_KDC_REQ_BODY(&r->req.req_body);
370 ret = copy_KDC_REQ_BODY(&fastreq.req_body, &r->req.req_body);
371 if (ret)
372 goto out;
373
374 /* check for unsupported mandatory options */
375 if (FastOptions2int(fastreq.fast_options) & 0xfffc) {
376 kdc_log(r->context, r->config, 0,
377 "FAST unsupported mandatory option set");
378 ret = KRB5KDC_ERR_PREAUTH_FAILED;
379 goto out;
380 }
381
382 /* KDC MUST ignore outer pa data preauth-14 - 6.5.5 */
383 if (r->req.padata)
384 free_METHOD_DATA(r->req.padata);
385 else
386 ALLOC(r->req.padata);
387
388 ret = copy_METHOD_DATA(&fastreq.padata, r->req.padata);
389 if (ret)
390 goto out;
391
392 free_KrbFastReq(&fastreq);
393 free_PA_FX_FAST_REQUEST(&fxreq);
394
395 out:
396 if (armor_server)
397 krb5_free_principal(r->context, armor_server);
398 if(armor_user)
399 _kdc_free_ent(r->context, armor_user);
400
401 return ret;
402 }
Heimdal