From 46f285bcc93ec99b389397eaeb98ebf3ead85290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Sun, 24 Jul 2011 21:16:42 -0700 Subject: [PATCH] encode fast state in the fast cookie --- kadmin/init.c | 8 ++ kdc/fast.c | 218 ++++++++++++++++++++++++++++++++---------------- kdc/kerberos5.c | 2 +- kdc/krb5tgs.c | 2 +- 4 files changed, 155 insertions(+), 75 deletions(-) diff --git a/kadmin/init.c b/kadmin/init.c index 19f7328fc..f9f4703df 100644 --- a/kadmin/init.c +++ b/kadmin/init.c @@ -232,6 +232,14 @@ init(struct init_options *opt, int argc, char **argv) krb5_free_principal(context, princ); + /* Create `WELLKNONW/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L' for FAST cookie */ + krb5_make_principal(context, &princ, "WELLKNOWN:ORG.H5L", + KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie", NULL); + create_random_entry(princ, 60*60, 60*60, + KRB5_KDB_REQUIRES_PRE_AUTH| + KRB5_KDB_DISALLOW_TGT_BASED); + krb5_free_principal(context, princ); + /* Create `default' */ { kadm5_principal_ent_rec ent; diff --git a/kdc/fast.c b/kdc/fast.c index 9ecba519c..8f663b0fe 100644 --- a/kdc/fast.c +++ b/kdc/fast.c @@ -35,6 +35,140 @@ #include "kdc_locl.h" +static krb5_error_code +get_fastuser_crypto(kdc_request_t r, krb5_enctype enctype, krb5_crypto *crypto) +{ + krb5_principal fast_princ; + hdb_entry_ex *fast_user = NULL; + Key *cookie_key = NULL; + krb5_error_code ret; + + *crypto = NULL; + + ret = krb5_make_principal(r->context, &fast_princ, + "WELLKNOWN:ORG.H5L", + "WELLKNOWN", "org.h5l.fast-cookie", NULL); + if (ret) + goto out; + + ret = _kdc_db_fetch(r->context, r->config, fast_princ, + HDB_F_GET_CLIENT, NULL, NULL, &fast_user); + krb5_free_principal(r->context, fast_princ); + if (ret) + goto out; + + if (enctype == KRB5_ENCTYPE_NULL) + ret = _kdc_get_preferred_key(r->context, r->config, fast_user, + "fast-cookie", &enctype, &cookie_key); + else + ret = hdb_enctype2key(r->context, &fast_user->entry, + enctype, &cookie_key); + if (ret) + goto out; + + ret = krb5_crypto_init(r->context, &cookie_key->key, 0, crypto); + if (ret) + goto out; + + out: + if (fast_user) + _kdc_free_ent(r->context, fast_user); + + return ret; +} + + +static krb5_error_code +fast_parse_cookie(kdc_request_t r, const PA_DATA *pa) +{ + krb5_crypto crypto = NULL; + krb5_error_code ret; + KDCFastCookie data; + krb5_data d1; + size_t len; + + ret = decode_KDCFastCookie(pa->padata_value.data, + pa->padata_value.length, + &data, &len); + if (ret) + return ret; + + if (len != pa->padata_value.length || strcmp("H5L1", data.version) != 0) { + free_KDCFastCookie(&data); + return KRB5KDC_ERR_POLICY; + } + + ret = get_fastuser_crypto(r, data.cookie.etype, &crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(r->context, crypto, + KRB5_KU_H5L_COOKIE, + &data.cookie, &d1); + krb5_crypto_destroy(r->context, crypto); + if (ret) + goto out; + + ret = decode_KDCFastState(d1.data, d1.length, &r->fast, &len); + krb5_data_free(&d1); + if (ret) + goto out; + + out: + free_KDCFastCookie(&data); + + return ret; +} + +static krb5_error_code +fast_add_cookie(kdc_request_t r, METHOD_DATA *method_data) +{ + krb5_crypto crypto = NULL; + KDCFastCookie shell; + krb5_error_code ret; + krb5_data data; + size_t size; + + memset(&shell, 0, sizeof(shell)); + + ASN1_MALLOC_ENCODE(KDCFastState, data.data, data.length, + &r->fast, &size, ret); + if (ret) + return ret; + heim_assert(size == data.length, "internal asn1 encoder error"); + + ret = get_fastuser_crypto(r, KRB5_ENCTYPE_NULL, &crypto); + if (ret) + goto out; + + ret = krb5_encrypt_EncryptedData(r->context, crypto, + KRB5_KU_H5L_COOKIE, + data.data, data.length, 0, + &shell.cookie); + krb5_crypto_destroy(r->context, crypto); + if (ret) + goto out; + + free(data.data); + + shell.version = "H5L1"; + + ASN1_MALLOC_ENCODE(KDCFastCookie, data.data, data.length, + &shell, &size, ret); + free_EncryptedData(&shell.cookie); + if (ret) + return ret; + heim_assert(size == data.length, "internal asn1 encoder error"); + + ret = krb5_padata_add(r->context, method_data, + KRB5_PADATA_FX_COOKIE, + data.data, data.length); + out: + if (ret) + free(data.data); + return ret; +} + krb5_error_code _kdc_fast_mk_response(krb5_context context, krb5_crypto armor_crypto, @@ -96,6 +230,7 @@ _kdc_fast_mk_response(krb5_context context, krb5_error_code _kdc_fast_mk_error(krb5_context context, + kdc_request_t r, METHOD_DATA *error_method, krb5_crypto armor_crypto, const KDC_REQ_BODY *req_body, @@ -147,11 +282,17 @@ _kdc_fast_mk_error(krb5_context context, e_text = NULL; } - ret = krb5_padata_add(context, error_method, - KRB5_PADATA_FX_COOKIE, - NULL, 0); - if (ret) + if (r) + ret = fast_add_cookie(r, error_method); + else + ret = krb5_padata_add(context, error_method, + KRB5_PADATA_FX_COOKIE, + NULL, 0); + if (ret) { + kdc_log(r->context, r->config, 0, "failed to add fast cookie with: %d", ret); + free_METHOD_DATA(error_method); return ret; + } ret = _kdc_fast_mk_response(context, armor_crypto, error_method, NULL, NULL, @@ -165,9 +306,6 @@ _kdc_fast_mk_error(krb5_context context, e_data.data, e_data.length); if (ret) return ret; - - if (ret) - return ret; } if (error_method && error_method->len) { @@ -193,72 +331,6 @@ _kdc_fast_mk_error(krb5_context context, return ret; } -static krb5_error_code -fast_parse_cookie(kdc_request_t r, const PA_DATA *pa) -{ - krb5_principal fast_princ; - hdb_entry_ex *fast_user = NULL; - krb5_crypto crypto = NULL; - Key *cookie_key = NULL; - krb5_error_code ret; - KDCFastCookie data; - krb5_data d1; - size_t len; - - ret = decode_KDCFastCookie(pa->padata_value.data, - pa->padata_value.length, - &data, &len); - if (ret) - return ret; - - if (len != pa->padata_value.length || strcmp("H5L1", data.version) != 0) { - free_KDCFastCookie(&data); - return KRB5KDC_ERR_POLICY; - } - - ret = krb5_make_principal(r->context, &fast_princ, - "WELLKNOWN:ORG.H5L", - "WELLKNOWN", "org.h5l.fast-cookie", NULL); - if (ret) - goto out; - - ret = _kdc_db_fetch(r->context, r->config, fast_princ, - HDB_F_GET_CLIENT, NULL, NULL, &fast_user); - krb5_free_principal(r->context, fast_princ); - if (ret) - goto out; - - ret = hdb_enctype2key(r->context, &fast_user->entry, - data.cookie.etype, &cookie_key); - if (ret) - goto out; - - ret = krb5_crypto_init(r->context, &cookie_key->key, 0, &crypto); - if (ret) - goto out; - - ret = krb5_decrypt_EncryptedData(r->context, crypto, - KRB5_KU_H5L_COOKIE, - &data.cookie, &d1); - krb5_crypto_destroy(r->context, crypto); - if (ret) - goto out; - - ret = decode_KDCFastState(d1.data, d1.length, &r->fast, &len); - krb5_data_free(&d1); - if (ret) - goto out; - - out: - free_KDCFastCookie(&data); - if (fast_user) - _kdc_free_ent(r->context, fast_user); - - return ret; -} - - - krb5_error_code _kdc_fast_unwrap_request(kdc_request_t r) { diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 1372831a9..d56bfdde0 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -2158,7 +2158,7 @@ out: * In case of a non proxy error, build an error message. */ if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE) { - ret = _kdc_fast_mk_error(context, + ret = _kdc_fast_mk_error(context, r, &error_method, r->armor_crypto, &req->req_body, diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 1ad13e777..6bb903c00 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -2362,7 +2362,7 @@ out: kdc_log(context, config, 10, "tgs-req: sending error: %d to client", ret); - ret = _kdc_fast_mk_error(context, + ret = _kdc_fast_mk_error(context, NULL, &error_method, NULL, NULL,