From 34b374b5e4c9097fdb94e8c34fb973352e687faa Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 7 Sep 2021 14:31:12 +1000
Subject: [PATCH] krb5: zero nonce before encoding for GSS preauth

Zero nonce before encoding KDC-REQ-BODY to be used as channel binding application data in GSS-API pre-authentication. This is because the nonce may change between AS-REQs and the channel binding data should be invariant between calls to GSS_Init_sec_context().
---
 kdc/gss_preauth.c | 6 +++++-
 lib/krb5/init_creds_pw.c | 11 ++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index bc066b353..8335d137b 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -191,6 +191,7 @@ _kdc_gss_rd_padata(astgs_request_t r,
 {
     krb5_error_code ret;
     size_t size;
+    KDC_REQ_BODY kdc_req_body;
     OM_uint32 minor;
     gss_client_params *gcp = NULL;
 
@@ -231,8 +232,11 @@ _kdc_gss_rd_padata(astgs_request_t r,
 
     _krb5_gss_data_to_buffer(&pa->padata_value, &input_token);
 
+    kdc_req_body = r->req.req_body;
+    kdc_req_body.nonce = 0;
+
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, cb.application_data.value,
-                       cb.application_data.length, &r->req.req_body,
+                       cb.application_data.length, &kdc_req_body,
                        &size, ret);
     heim_assert(ret || size == cb.application_data.length,
                 "internal asn1 encoder error");
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 515bbbd21..d67104a3f 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -1211,6 +1211,7 @@ gss_pa_step(krb5_context context,
     krb5_data req_body;
     PA_DATA *pa;
     krb5_data *input_token;
+    KDC_REQ_BODY kdc_req_body;
 
     krb5_data_zero(&req_body);
     krb5_data_zero(output_token);
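Review bot: `kdc_req_body = r->req.req_body;` in the second gss_preauth.c hunk is a shallow struct copy whose pointer members still alias `r->req.req_body`, and unlike the client-side hunk it carries no comment saying so or why the nonce is cleared; a later maintainer adding `free_KDC_REQ_BODY(&kdc_req_body)` on an error path would double-free. Suggest a comment above the assignment: `/* Shallow copy, members alias r->req.req_body: never free it. Nonce is zeroed so the channel binding data is invariant across AS-REQs; must match the client encoding in gss_pa_step(). */`. Zeroing the nonce also means the channel binding no longer covers it, so any protection against the same GSS token being replayed with a different nonce has to come from elsewhere in the KDC; presumably it does, but the comment should state that assumption so the two encodings and the threat model stay in sync. The rest of _kdc_gss_rd_padata lies outside the hunk.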
@@ -1238,8 +1239,16 @@ gss_pa_step(krb5_context context,
             goto out;
     }
 
+    /*
+     * Zero the nonce before encoding, as the nonce may change between
+     * AS-REQs and we don't know which step the GSS mechanism will
+     * honor the channel binding data.
+     */
+    kdc_req_body = ctx->as_req.req_body;
+    kdc_req_body.nonce = 0;
+
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, req_body.data, req_body.length,
-                       &ctx->as_req.req_body, &len, ret);
+                       &kdc_req_body, &len, ret);
     if (ret)
         goto out;
     heim_assert(req_body.length == len, "ASN.1 internal error");
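Review bot: `kdc_req_body = ctx->as_req.req_body;` is a shallow copy, so its pointer members alias the live request body and the local must never be handed to `free_KDC_REQ_BODY`; the new comment block should say so, e.g. add the line ` * Shallow copy: do not free kdc_req_body.` before the closing ` */`. The comment's second sentence is hard to parse; `we don't know which step the GSS mechanism will honor the channel binding data` reads better as `we do not know at which step the GSS mechanism will honor the channel bindings`. The encoding is only invariant if no field of `ctx->as_req.req_body` other than the nonce changes between calls; if the AS-REQ body is rebuilt after a KDC error (not visible in this hunk), the KDC-side encoding in `_kdc_gss_rd_padata` would no longer match, so the comment should state that assumption explicitly. gss_pa_step begins and ends outside the hunk.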