kinit: add --pk-anon-fast-armor option
Add the --pk-anon-fast-armor option, which acquires a temporary anonymous PKINIT TGT to use as a FAST armor key.
This commit is contained in:
		| @@ -78,6 +78,7 @@ int pk_enterprise_flag = 0; | |||||||
| struct hx509_certs_data *ent_user_id = NULL; | struct hx509_certs_data *ent_user_id = NULL; | ||||||
| char *pk_x509_anchors	= NULL; | char *pk_x509_anchors	= NULL; | ||||||
| int pk_use_enckey	= 0; | int pk_use_enckey	= 0; | ||||||
|  | int pk_anon_fast_armor	= 0; | ||||||
| static int canonicalize_flag = 0; | static int canonicalize_flag = 0; | ||||||
| static int enterprise_flag = 0; | static int enterprise_flag = 0; | ||||||
| static int ok_as_delegate_flag = 0; | static int ok_as_delegate_flag = 0; | ||||||
| @@ -183,6 +184,9 @@ static struct getargs args[] = { | |||||||
|  |  | ||||||
|     { "pk-use-enckey",	0,  arg_flag, &pk_use_enckey, |     { "pk-use-enckey",	0,  arg_flag, &pk_use_enckey, | ||||||
|       NP_("Use RSA encrypted reply (instead of DH)", ""), NULL }, |       NP_("Use RSA encrypted reply (instead of DH)", ""), NULL }, | ||||||
|  |  | ||||||
|  |     { "pk-anon-fast-armor",	0,  arg_flag, &pk_anon_fast_armor, | ||||||
|  |       NP_("use unauthenticated anonymous PKINIT as FAST armor", ""), NULL }, | ||||||
| #endif | #endif | ||||||
| #ifndef NO_NTLM | #ifndef NO_NTLM | ||||||
|     { "ntlm-domain",	0,  arg_string, &ntlm_domain, |     { "ntlm-domain",	0,  arg_string, &ntlm_domain, | ||||||
| @@ -620,6 +624,7 @@ get_new_tickets(krb5_context context, | |||||||
|     krb5_init_creds_context ctx = NULL; |     krb5_init_creds_context ctx = NULL; | ||||||
|     krb5_get_init_creds_opt *opt = NULL; |     krb5_get_init_creds_opt *opt = NULL; | ||||||
|     krb5_prompter_fct prompter = krb5_prompter_posix; |     krb5_prompter_fct prompter = krb5_prompter_posix; | ||||||
|  |  | ||||||
| #ifndef NO_NTLM | #ifndef NO_NTLM | ||||||
|     struct ntlm_buf ntlmkey; |     struct ntlm_buf ntlmkey; | ||||||
|     memset(&ntlmkey, 0, sizeof(ntlmkey)); |     memset(&ntlmkey, 0, sizeof(ntlmkey)); | ||||||
| @@ -785,7 +790,12 @@ get_new_tickets(krb5_context context, | |||||||
|     } |     } | ||||||
|  |  | ||||||
|     if (fast_armor_cache_string) { |     if (fast_armor_cache_string) { | ||||||
| 	krb5_ccache fastid; | 	krb5_ccache fastid = NULL; | ||||||
|  |  | ||||||
|  | 	if (pk_anon_fast_armor) | ||||||
|  | 	    krb5_errx(context, 1, | ||||||
|  | 		N_("cannot specify FAST armor cache with FAST " | ||||||
|  | 		     "anonymous PKINIT option", "")); | ||||||
|  |  | ||||||
| 	ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid); | 	ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid); | ||||||
| 	if (ret) { | 	if (ret) { | ||||||
| @@ -798,6 +808,12 @@ get_new_tickets(krb5_context context, | |||||||
| 	    krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache"); | 	    krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache"); | ||||||
| 	    goto out; | 	    goto out; | ||||||
| 	} | 	} | ||||||
|  |     } else if (pk_anon_fast_armor) { | ||||||
|  | 	ret = krb5_init_creds_set_fast_anon_pkinit(context, ctx); | ||||||
|  | 	if (ret) { | ||||||
|  | 	    krb5_warn(context, ret, "krb5_init_creds_set_fast_anon_pkinit"); | ||||||
|  | 	    goto out; | ||||||
|  | 	} | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     if (use_keytab || keytab_str) { |     if (use_keytab || keytab_str) { | ||||||
| @@ -968,7 +984,6 @@ out: | |||||||
| 	krb5_init_creds_free(context, ctx); | 	krb5_init_creds_free(context, ctx); | ||||||
|     if (tempccache) |     if (tempccache) | ||||||
| 	krb5_cc_destroy(context, tempccache); | 	krb5_cc_destroy(context, tempccache); | ||||||
|  |  | ||||||
|     if (enctype) |     if (enctype) | ||||||
| 	free(enctype); | 	free(enctype); | ||||||
|  |  | ||||||
|   | |||||||
| @@ -800,6 +800,60 @@ hx509_cms_verify_signed(hx509_context context, | |||||||
| 			heim_oid *contentType, | 			heim_oid *contentType, | ||||||
| 			heim_octet_string *content, | 			heim_octet_string *content, | ||||||
| 			hx509_certs *signer_certs) | 			hx509_certs *signer_certs) | ||||||
|  | { | ||||||
|  |     unsigned int verify_flags; | ||||||
|  |  | ||||||
|  |     return hx509_cms_verify_signed_ext(context, | ||||||
|  | 				       ctx, | ||||||
|  | 				       flags, | ||||||
|  | 				       data, | ||||||
|  | 				       length, | ||||||
|  | 				       signedContent, | ||||||
|  | 				       pool, | ||||||
|  | 				       contentType, | ||||||
|  | 				       content, | ||||||
|  | 				       signer_certs, | ||||||
|  | 				       &verify_flags); | ||||||
|  | } | ||||||
|  |  | ||||||
|  | /** | ||||||
|  |  * Decode SignedData and verify that the signature is correct. | ||||||
|  |  * | ||||||
|  |  * @param context A hx509 context. | ||||||
|  |  * @param ctx a hx509 verify context. | ||||||
|  |  * @param flags to control the behaivor of the function. | ||||||
|  |  *    - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage | ||||||
|  |  *    - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch | ||||||
|  |  *    - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below. | ||||||
|  |  * @param data pointer to CMS SignedData encoded data. | ||||||
|  |  * @param length length of the data that data point to. | ||||||
|  |  * @param signedContent external data used for signature. | ||||||
|  |  * @param pool certificate pool to build certificates paths. | ||||||
|  |  * @param contentType free with der_free_oid(). | ||||||
|  |  * @param content the output of the function, free with | ||||||
|  |  * der_free_octet_string(). | ||||||
|  |  * @param signer_certs list of the cerficates used to sign this | ||||||
|  |  * request, free with hx509_certs_free(). | ||||||
|  |  * @param verify_flags flags indicating whether the certificate | ||||||
|  |  * was verified or not | ||||||
|  |  * | ||||||
|  |  * @return an hx509 error code. | ||||||
|  |  * | ||||||
|  |  * @ingroup hx509_cms | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | HX509_LIB_FUNCTION int HX509_LIB_CALL | ||||||
|  | hx509_cms_verify_signed_ext(hx509_context context, | ||||||
|  | 			    hx509_verify_ctx ctx, | ||||||
|  | 			    unsigned int flags, | ||||||
|  | 			    const void *data, | ||||||
|  | 			    size_t length, | ||||||
|  | 			    const heim_octet_string *signedContent, | ||||||
|  | 			    hx509_certs pool, | ||||||
|  | 			    heim_oid *contentType, | ||||||
|  | 			    heim_octet_string *content, | ||||||
|  | 			    hx509_certs *signer_certs, | ||||||
|  | 			    unsigned int *verify_flags) | ||||||
| { | { | ||||||
|     SignerInfo *signer_info; |     SignerInfo *signer_info; | ||||||
|     hx509_cert cert = NULL; |     hx509_cert cert = NULL; | ||||||
| @@ -810,6 +864,8 @@ hx509_cms_verify_signed(hx509_context context, | |||||||
|     size_t i; |     size_t i; | ||||||
|  |  | ||||||
|     *signer_certs = NULL; |     *signer_certs = NULL; | ||||||
|  |     *verify_flags = 0; | ||||||
|  |  | ||||||
|     content->data = NULL; |     content->data = NULL; | ||||||
|     content->length = 0; |     content->length = 0; | ||||||
|     contentType->length = 0; |     contentType->length = 0; | ||||||
| @@ -1038,21 +1094,18 @@ hx509_cms_verify_signed(hx509_context context, | |||||||
| 	    goto next_sigature; | 	    goto next_sigature; | ||||||
|  |  | ||||||
| 	/** | 	/** | ||||||
| 	 * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the | 	 * If HX509_CMS_VS_NO_VALIDATE flags is set, return the signer | ||||||
| 	 * signing certificates and leave that up to the caller. | 	 * certificate unconditionally but do not set HX509_CMS_VSE_VALIDATED. | ||||||
| 	 */ | 	 */ | ||||||
|  |  | ||||||
| 	if ((flags & HX509_CMS_VS_NO_VALIDATE) == 0) { |  | ||||||
| 	ret = hx509_verify_path(context, ctx, cert, certs); | 	ret = hx509_verify_path(context, ctx, cert, certs); | ||||||
| 	    if (ret) | 	if (ret == 0 || (flags & HX509_CMS_VS_NO_VALIDATE)) { | ||||||
| 		goto next_sigature; | 	    if (ret == 0) | ||||||
| 	} | 		*verify_flags |= HX509_CMS_VSE_VALIDATED; | ||||||
|  |  | ||||||
| 	    ret = hx509_certs_add(context, *signer_certs, cert); | 	    ret = hx509_certs_add(context, *signer_certs, cert); | ||||||
| 	if (ret) | 	    if (ret == 0) | ||||||
| 	    goto next_sigature; |  | ||||||
|  |  | ||||||
| 		found_valid_sig++; | 		found_valid_sig++; | ||||||
|  | 	} | ||||||
|  |  | ||||||
|     next_sigature: |     next_sigature: | ||||||
| 	if (cert) | 	if (cert) | ||||||
|   | |||||||
| @@ -182,6 +182,9 @@ typedef enum { | |||||||
| #define HX509_CMS_VS_ALLOW_ZERO_SIGNER			0x04 | #define HX509_CMS_VS_ALLOW_ZERO_SIGNER			0x04 | ||||||
| #define HX509_CMS_VS_NO_VALIDATE			0x08 | #define HX509_CMS_VS_NO_VALIDATE			0x08 | ||||||
|  |  | ||||||
|  | /* flags from hx509_cms_verify_signed_ext (out verify_flags) */ | ||||||
|  | #define HX509_CMS_VSE_VALIDATED				0x01 | ||||||
|  |  | ||||||
| /* selectors passed to hx509_crypto_select and hx509_crypto_available */ | /* selectors passed to hx509_crypto_select and hx509_crypto_available */ | ||||||
| #define HX509_SELECT_ALL 0 | #define HX509_SELECT_ALL 0 | ||||||
| #define HX509_SELECT_DIGEST 1 | #define HX509_SELECT_DIGEST 1 | ||||||
|   | |||||||
| @@ -150,6 +150,7 @@ EXPORTS | |||||||
| 	hx509_cms_unenvelope | 	hx509_cms_unenvelope | ||||||
| 	hx509_cms_unwrap_ContentInfo | 	hx509_cms_unwrap_ContentInfo | ||||||
| 	hx509_cms_verify_signed | 	hx509_cms_verify_signed | ||||||
|  | 	hx509_cms_verify_signed_ext | ||||||
| 	hx509_cms_wrap_ContentInfo | 	hx509_cms_wrap_ContentInfo | ||||||
| 	hx509_context_free | 	hx509_context_free | ||||||
| 	hx509_context_init | 	hx509_context_init | ||||||
|   | |||||||
| @@ -137,6 +137,7 @@ HEIMDAL_X509_1.2 { | |||||||
| 		hx509_cms_unenvelope; | 		hx509_cms_unenvelope; | ||||||
| 		hx509_cms_unwrap_ContentInfo; | 		hx509_cms_unwrap_ContentInfo; | ||||||
| 		hx509_cms_verify_signed; | 		hx509_cms_verify_signed; | ||||||
|  | 		hx509_cms_verify_signed_ext; | ||||||
| 		hx509_cms_wrap_ContentInfo; | 		hx509_cms_wrap_ContentInfo; | ||||||
| 		hx509_context_free; | 		hx509_context_free; | ||||||
| 		hx509_context_init; | 		hx509_context_init; | ||||||
|   | |||||||
| @@ -96,12 +96,16 @@ typedef struct krb5_get_init_creds_ctx { | |||||||
| #define KRB5_FAST_REQUIRED 64 /* fast required by action of caller */ | #define KRB5_FAST_REQUIRED 64 /* fast required by action of caller */ | ||||||
| #define KRB5_FAST_DISABLED 128 | #define KRB5_FAST_DISABLED 128 | ||||||
| #define KRB5_FAST_AP_ARMOR_SERVICE 256 | #define KRB5_FAST_AP_ARMOR_SERVICE 256 | ||||||
|  | #define KRB5_FAST_ANON_PKINIT_ARMOR 512 | ||||||
|  | #define KRB5_FAST_KDC_VERIFIED 1024 | ||||||
| 	krb5_keyblock *reply_key; | 	krb5_keyblock *reply_key; | ||||||
| 	krb5_ccache armor_ccache; | 	krb5_ccache armor_ccache; | ||||||
| 	krb5_principal armor_service; | 	krb5_principal armor_service; | ||||||
| 	krb5_crypto armor_crypto; | 	krb5_crypto armor_crypto; | ||||||
| 	krb5_keyblock armor_key; | 	krb5_keyblock armor_key; | ||||||
| 	krb5_keyblock *strengthen_key; | 	krb5_keyblock *strengthen_key; | ||||||
|  | 	krb5_get_init_creds_opt *anon_pkinit_opt; | ||||||
|  | 	krb5_init_creds_context anon_pkinit_ctx; | ||||||
|     } fast_state; |     } fast_state; | ||||||
| } krb5_get_init_creds_ctx; | } krb5_get_init_creds_ctx; | ||||||
|  |  | ||||||
| @@ -180,7 +184,12 @@ free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx) | |||||||
|     if (ctx->fast_state.strengthen_key) |     if (ctx->fast_state.strengthen_key) | ||||||
| 	krb5_free_keyblock(context, ctx->fast_state.strengthen_key); | 	krb5_free_keyblock(context, ctx->fast_state.strengthen_key); | ||||||
|     krb5_free_keyblock_contents(context, &ctx->fast_state.armor_key); |     krb5_free_keyblock_contents(context, &ctx->fast_state.armor_key); | ||||||
|  |     if (ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) | ||||||
|  | 	krb5_cc_destroy(context, ctx->fast_state.armor_ccache); | ||||||
|  |     if (ctx->fast_state.anon_pkinit_ctx) | ||||||
|  | 	free_init_creds_ctx(context, ctx->fast_state.anon_pkinit_ctx); | ||||||
|  |     if (ctx->fast_state.anon_pkinit_opt) | ||||||
|  | 	krb5_get_init_creds_opt_free(context, ctx->fast_state.anon_pkinit_opt); | ||||||
|     krb5_data_free(&ctx->req_buffer); |     krb5_data_free(&ctx->req_buffer); | ||||||
|     krb5_free_cred_contents(context, &ctx->cred); |     krb5_free_cred_contents(context, &ctx->cred); | ||||||
|     free_METHOD_DATA(&ctx->md); |     free_METHOD_DATA(&ctx->md); | ||||||
| @@ -1692,6 +1701,21 @@ krb5_init_creds_set_fast_ccache(krb5_context context, | |||||||
| { | { | ||||||
|     ctx->fast_state.armor_ccache = fast_ccache; |     ctx->fast_state.armor_ccache = fast_ccache; | ||||||
|     ctx->fast_state.flags |= KRB5_FAST_REQUIRED; |     ctx->fast_state.flags |= KRB5_FAST_REQUIRED; | ||||||
|  |     ctx->fast_state.flags |= KRB5_FAST_KDC_VERIFIED; | ||||||
|  |     ctx->fast_state.flags &= ~(KRB5_FAST_ANON_PKINIT_ARMOR); | ||||||
|  |  | ||||||
|  |     return 0; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL | ||||||
|  | krb5_init_creds_set_fast_anon_pkinit(krb5_context context, | ||||||
|  | 				     krb5_init_creds_context ctx) | ||||||
|  | { | ||||||
|  |     if (ctx->fast_state.armor_ccache) | ||||||
|  | 	return EINVAL; | ||||||
|  |  | ||||||
|  |     ctx->fast_state.flags |= KRB5_FAST_REQUIRED; | ||||||
|  |     ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR; | ||||||
|     return 0; |     return 0; | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -1855,6 +1879,7 @@ fast_unwrap_error(krb5_context context, struct fast_state *state, KRB_ERROR *err | |||||||
| krb5_error_code | krb5_error_code | ||||||
| _krb5_make_fast_ap_fxarmor(krb5_context context, | _krb5_make_fast_ap_fxarmor(krb5_context context, | ||||||
| 			   krb5_ccache armor_ccache, | 			   krb5_ccache armor_ccache, | ||||||
|  | 			   krb5_const_realm realm, | ||||||
| 			   krb5_data *armor_value, | 			   krb5_data *armor_value, | ||||||
| 			   krb5_keyblock *armor_key, | 			   krb5_keyblock *armor_key, | ||||||
| 			   krb5_crypto *armor_crypto) | 			   krb5_crypto *armor_crypto) | ||||||
| @@ -1863,6 +1888,7 @@ _krb5_make_fast_ap_fxarmor(krb5_context context, | |||||||
|     krb5_creds cred, *credp = NULL; |     krb5_creds cred, *credp = NULL; | ||||||
|     krb5_error_code ret; |     krb5_error_code ret; | ||||||
|     krb5_data empty; |     krb5_data empty; | ||||||
|  |     krb5_const_realm tgs_realm; | ||||||
|  |  | ||||||
|     krb5_data_zero(&empty); |     krb5_data_zero(&empty); | ||||||
|  |  | ||||||
| @@ -1876,10 +1902,18 @@ _krb5_make_fast_ap_fxarmor(krb5_context context, | |||||||
|     if (ret) |     if (ret) | ||||||
| 	goto out; | 	goto out; | ||||||
|  |  | ||||||
|  |     /* | ||||||
|  |      * Make sure we don't ask for a krbtgt/WELLKNOWN:ANONYMOUS | ||||||
|  |      */ | ||||||
|  |     if (strcmp(cred.client->realm, KRB5_ANON_REALM) == 0) | ||||||
|  | 	tgs_realm = realm; | ||||||
|  |     else | ||||||
|  | 	tgs_realm = cred.client->realm; | ||||||
|  |  | ||||||
|     ret = krb5_make_principal(context, &cred.server, |     ret = krb5_make_principal(context, &cred.server, | ||||||
| 			      cred.client->realm, | 			      tgs_realm, | ||||||
| 			      KRB5_TGS_NAME, | 			      KRB5_TGS_NAME, | ||||||
| 			      cred.client->realm, | 			      tgs_realm, | ||||||
| 			      NULL); | 			      NULL); | ||||||
|     if (ret) { |     if (ret) { | ||||||
| 	krb5_free_principal(context, cred.client); | 	krb5_free_principal(context, cred.client); | ||||||
| @@ -2162,29 +2196,8 @@ fast_wrap_req(krb5_context context, struct fast_state *state, KDC_REQ *req) | |||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
| /** | static krb5_error_code | ||||||
|  * The core loop if krb5_get_init_creds() function family. Create the | init_creds_step(krb5_context context, | ||||||
|  * packets and have the caller send them off to the KDC. |  | ||||||
|  * |  | ||||||
|  * If the caller want all work been done for them, use |  | ||||||
|  * krb5_init_creds_get() instead. |  | ||||||
|  * |  | ||||||
|  * @param context a Kerberos 5 context. |  | ||||||
|  * @param ctx ctx krb5_init_creds_context context. |  | ||||||
|  * @param in input data from KDC, first round it should be reset by krb5_data_zer(). |  | ||||||
|  * @param out reply to KDC. |  | ||||||
|  * @param hostinfo KDC address info, first round it can be NULL. |  | ||||||
|  * @param flags status of the round, if |  | ||||||
|  *        KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round. |  | ||||||
|  * |  | ||||||
|  * @return 0 for success, or an Kerberos 5 error code, see |  | ||||||
|  *     krb5_get_error_message(). |  | ||||||
|  * |  | ||||||
|  * @ingroup krb5_credential |  | ||||||
|  */ |  | ||||||
|  |  | ||||||
| KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL |  | ||||||
| krb5_init_creds_step(krb5_context context, |  | ||||||
| 		krb5_init_creds_context ctx, | 		krb5_init_creds_context ctx, | ||||||
| 		krb5_data *in, | 		krb5_data *in, | ||||||
| 		krb5_data *out, | 		krb5_data *out, | ||||||
| @@ -2201,11 +2214,9 @@ krb5_init_creds_step(krb5_context context, | |||||||
|     if (ctx->as_req.req_body.cname == NULL) { |     if (ctx->as_req.req_body.cname == NULL) { | ||||||
| 	ret = init_as_req(context, ctx->flags, &ctx->cred, | 	ret = init_as_req(context, ctx->flags, &ctx->cred, | ||||||
| 			  ctx->addrs, ctx->etypes, &ctx->as_req); | 			  ctx->addrs, ctx->etypes, &ctx->as_req); | ||||||
| 	if (ret) { | 	if (ret) | ||||||
| 	    free_init_creds_ctx(context, ctx); |  | ||||||
| 	    return ret; | 	    return ret; | ||||||
|     } |     } | ||||||
|     } |  | ||||||
|  |  | ||||||
| #define MAX_PA_COUNTER 10 | #define MAX_PA_COUNTER 10 | ||||||
|     if (ctx->pa_counter > MAX_PA_COUNTER) { |     if (ctx->pa_counter > MAX_PA_COUNTER) { | ||||||
| @@ -2468,11 +2479,9 @@ krb5_init_creds_step(krb5_context context, | |||||||
|     if (ctx->as_req.req_body.cname == NULL) { |     if (ctx->as_req.req_body.cname == NULL) { | ||||||
| 	ret = init_as_req(context, ctx->flags, &ctx->cred, | 	ret = init_as_req(context, ctx->flags, &ctx->cred, | ||||||
| 			  ctx->addrs, ctx->etypes, &ctx->as_req); | 			  ctx->addrs, ctx->etypes, &ctx->as_req); | ||||||
| 	if (ret) { | 	if (ret) | ||||||
| 	    free_init_creds_ctx(context, ctx); |  | ||||||
| 	    return ret; | 	    return ret; | ||||||
|     } |     } | ||||||
|     } |  | ||||||
|  |  | ||||||
|     if (ctx->as_req.padata) { |     if (ctx->as_req.padata) { | ||||||
| 	free_METHOD_DATA(ctx->as_req.padata); | 	free_METHOD_DATA(ctx->as_req.padata); | ||||||
| @@ -2522,6 +2531,165 @@ krb5_init_creds_step(krb5_context context, | |||||||
|     return ret; |     return ret; | ||||||
| } | } | ||||||
|  |  | ||||||
|  | static krb5_error_code | ||||||
|  | fast_anon_pkinit_step(krb5_context context, | ||||||
|  | 		      krb5_init_creds_context ctx, | ||||||
|  | 		      krb5_data *in, | ||||||
|  | 		      krb5_data *out, | ||||||
|  | 		      krb5_krbhst_info *hostinfo, | ||||||
|  | 		      unsigned int *flags) | ||||||
|  | { | ||||||
|  |     krb5_error_code ret; | ||||||
|  |     krb5_const_realm realm = ctx->cred.client->realm; | ||||||
|  |     struct fast_state *state = &ctx->fast_state; | ||||||
|  |     krb5_init_creds_context anon_pk_ctx; | ||||||
|  |     krb5_principal principal = NULL; | ||||||
|  |     krb5_ccache ccache = NULL; | ||||||
|  |     krb5_creds cred; | ||||||
|  |  | ||||||
|  |     memset(&cred, 0, sizeof(cred)); | ||||||
|  |  | ||||||
|  |     if (state->anon_pkinit_opt == NULL) { | ||||||
|  | 	ret = krb5_get_init_creds_opt_alloc(context, &state->anon_pkinit_opt); | ||||||
|  | 	if (ret) | ||||||
|  | 	    goto out; | ||||||
|  |  | ||||||
|  | 	/* ticket lifetime matches FAST_EXPIRATION_TIME in kdc_locl.h */ | ||||||
|  | 	krb5_get_init_creds_opt_set_tkt_life(state->anon_pkinit_opt, 3 * 60); | ||||||
|  | 	krb5_get_init_creds_opt_set_anonymous(state->anon_pkinit_opt, TRUE); | ||||||
|  |  | ||||||
|  | 	ret = krb5_make_principal(context, &principal, realm, | ||||||
|  | 				  KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL); | ||||||
|  | 	if (ret) | ||||||
|  | 	    return ret; | ||||||
|  |  | ||||||
|  | 	ret = krb5_get_init_creds_opt_set_pkinit(context, | ||||||
|  | 						 state->anon_pkinit_opt, | ||||||
|  | 						 principal, | ||||||
|  | 						 NULL, NULL, NULL, NULL, | ||||||
|  | 						 KRB5_GIC_OPT_PKINIT_ANONYMOUS | | ||||||
|  | 						 KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR, | ||||||
|  | 						 NULL, NULL, NULL); | ||||||
|  | 	if (ret) | ||||||
|  | 	    goto out; | ||||||
|  |  | ||||||
|  | 	ret = krb5_init_creds_init(context, principal, NULL, NULL, | ||||||
|  | 				   ctx->cred.times.starttime, | ||||||
|  | 				   state->anon_pkinit_opt, | ||||||
|  | 				   &state->anon_pkinit_ctx); | ||||||
|  | 	if (ret) | ||||||
|  | 	    goto out; | ||||||
|  |  | ||||||
|  | 	heim_assert((state->anon_pkinit_ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) == 0, | ||||||
|  | 		    "Invalid recursive PKINIT armor state"); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     anon_pk_ctx = state->anon_pkinit_ctx; | ||||||
|  |  | ||||||
|  |     ret = init_creds_step(context, anon_pk_ctx, in, out, hostinfo, flags); | ||||||
|  |     if (ret || | ||||||
|  | 	(*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|  |     ret = krb5_process_last_request(context, state->anon_pkinit_opt, anon_pk_ctx); | ||||||
|  |     if (ret) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|  |     ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache); | ||||||
|  |     if (ret) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|  |     ret = krb5_init_creds_get_creds(context, anon_pk_ctx, &cred); | ||||||
|  |     if (ret) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|  |     if (!cred.flags.b.enc_pa_rep) { | ||||||
|  | 	ret = KRB5KDC_ERR_BADOPTION; /* KDC does not support FAST */ | ||||||
|  | 	goto out; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     ret = krb5_cc_initialize(context, ccache, anon_pk_ctx->cred.client); | ||||||
|  |     if (ret) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|  |     ret = krb5_cc_store_cred(context, ccache, &cred); | ||||||
|  |     if (ret) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|  |     if (_krb5_pk_is_kdc_verified(context, state->anon_pkinit_opt)) | ||||||
|  | 	state->flags |= KRB5_FAST_KDC_VERIFIED; | ||||||
|  |     else | ||||||
|  | 	state->flags &= ~(KRB5_FAST_KDC_VERIFIED); | ||||||
|  |  | ||||||
|  |     state->armor_ccache = ccache; | ||||||
|  |     ccache = NULL; | ||||||
|  |  | ||||||
|  |     free_init_creds_ctx(context, state->anon_pkinit_ctx); | ||||||
|  |     state->anon_pkinit_ctx = NULL; | ||||||
|  |  | ||||||
|  |     krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt); | ||||||
|  |     state->anon_pkinit_opt = NULL; | ||||||
|  |  | ||||||
|  |     *flags |= KRB5_INIT_CREDS_STEP_FLAG_CONTINUE; | ||||||
|  |  | ||||||
|  | out: | ||||||
|  |     krb5_free_principal(context, principal); | ||||||
|  |     krb5_free_cred_contents(context, &cred); | ||||||
|  |     if (ccache) | ||||||
|  | 	krb5_cc_destroy(context, ccache); | ||||||
|  |  | ||||||
|  |     return ret; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | /** | ||||||
|  |  * The core loop if krb5_get_init_creds() function family. Create the | ||||||
|  |  * packets and have the caller send them off to the KDC. | ||||||
|  |  * | ||||||
|  |  * If the caller want all work been done for them, use | ||||||
|  |  * krb5_init_creds_get() instead. | ||||||
|  |  * | ||||||
|  |  * @param context a Kerberos 5 context. | ||||||
|  |  * @param ctx ctx krb5_init_creds_context context. | ||||||
|  |  * @param in input data from KDC, first round it should be reset by krb5_data_zer(). | ||||||
|  |  * @param out reply to KDC. | ||||||
|  |  * @param hostinfo KDC address info, first round it can be NULL. | ||||||
|  |  * @param flags status of the round, if | ||||||
|  |  *        KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round. | ||||||
|  |  * | ||||||
|  |  * @return 0 for success, or an Kerberos 5 error code, see | ||||||
|  |  *     krb5_get_error_message(). | ||||||
|  |  * | ||||||
|  |  * @ingroup krb5_credential | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL | ||||||
|  | krb5_init_creds_step(krb5_context context, | ||||||
|  | 		     krb5_init_creds_context ctx, | ||||||
|  | 		     krb5_data *in, | ||||||
|  | 		     krb5_data *out, | ||||||
|  | 		     krb5_krbhst_info *hostinfo, | ||||||
|  | 		     unsigned int *flags) | ||||||
|  | { | ||||||
|  |     krb5_error_code ret; | ||||||
|  |     krb5_data empty; | ||||||
|  |  | ||||||
|  |     krb5_data_zero(&empty); | ||||||
|  |  | ||||||
|  |     if ((ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) && | ||||||
|  | 	ctx->fast_state.armor_ccache == NULL) { | ||||||
|  | 	ret = fast_anon_pkinit_step(context, ctx, in, out, | ||||||
|  | 				    hostinfo, flags); | ||||||
|  | 	if (ret || | ||||||
|  | 	    ((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) || | ||||||
|  | 	    out->length) | ||||||
|  | 	    return ret; | ||||||
|  |  | ||||||
|  | 	in = ∅ | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     return init_creds_step(context, ctx, in, out, hostinfo, flags); | ||||||
|  | } | ||||||
|  |  | ||||||
| /** | /** | ||||||
|  * Extract the newly acquired credentials from krb5_init_creds_context |  * Extract the newly acquired credentials from krb5_init_creds_context | ||||||
|  * context. |  * context. | ||||||
|   | |||||||
| @@ -354,6 +354,7 @@ struct krb5_pk_identity { | |||||||
|     hx509_revoke_ctx revokectx; |     hx509_revoke_ctx revokectx; | ||||||
|     int flags; |     int flags; | ||||||
| #define PKINIT_BTMM 1 | #define PKINIT_BTMM 1 | ||||||
|  | #define PKINIT_NO_KDC_ANCHOR 2 | ||||||
| }; | }; | ||||||
|  |  | ||||||
| enum krb5_pk_type { | enum krb5_pk_type { | ||||||
| @@ -380,6 +381,7 @@ struct krb5_pk_init_ctx_data { | |||||||
|     unsigned int require_hostname_match:1; |     unsigned int require_hostname_match:1; | ||||||
|     unsigned int trustedCertifiers:1; |     unsigned int trustedCertifiers:1; | ||||||
|     unsigned int anonymous:1; |     unsigned int anonymous:1; | ||||||
|  |     unsigned int kdc_verified:1; | ||||||
| }; | }; | ||||||
|  |  | ||||||
| #endif /* PKINIT */ | #endif /* PKINIT */ | ||||||
|   | |||||||
| @@ -828,6 +828,7 @@ EXPORTS | |||||||
| 	krb5_init_creds_get_creds | 	krb5_init_creds_get_creds | ||||||
| 	krb5_init_creds_get_error | 	krb5_init_creds_get_error | ||||||
| 	krb5_init_creds_init | 	krb5_init_creds_init | ||||||
|  | 	krb5_init_creds_set_fast_anon_pkinit | ||||||
| 	krb5_init_creds_set_fast_ccache | 	krb5_init_creds_set_fast_ccache | ||||||
| 	krb5_init_creds_set_keytab | 	krb5_init_creds_set_keytab | ||||||
| 	krb5_init_creds_set_password | 	krb5_init_creds_set_password | ||||||
|   | |||||||
| @@ -787,7 +787,7 @@ _krb5_pk_mk_padata(krb5_context context, | |||||||
| 				     NULL); | 				     NULL); | ||||||
|     if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK) |     if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK) | ||||||
| 	ctx->require_eku = 0; | 	ctx->require_eku = 0; | ||||||
|     if (ctx->id->flags & PKINIT_BTMM) |     if (ctx->id->flags & (PKINIT_BTMM | PKINIT_NO_KDC_ANCHOR)) | ||||||
| 	ctx->require_eku = 0; | 	ctx->require_eku = 0; | ||||||
|  |  | ||||||
|     ctx->require_krbtgt_otherName = |     ctx->require_krbtgt_otherName = | ||||||
| @@ -829,18 +829,20 @@ pk_verify_sign(krb5_context context, | |||||||
| 	       struct krb5_pk_cert **signer) | 	       struct krb5_pk_cert **signer) | ||||||
| { | { | ||||||
|     hx509_certs signer_certs; |     hx509_certs signer_certs; | ||||||
|     int ret, flags = 0; |     int ret; | ||||||
|  |     unsigned flags = 0, verify_flags = 0; | ||||||
|  |  | ||||||
|  |     *signer = NULL; | ||||||
|  |  | ||||||
|     /* BTMM is broken in Leo and SnowLeo */ |  | ||||||
|     if (id->flags & PKINIT_BTMM) { |     if (id->flags & PKINIT_BTMM) { | ||||||
| 	flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; | 	flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; | ||||||
| 	flags |= HX509_CMS_VS_NO_KU_CHECK; | 	flags |= HX509_CMS_VS_NO_KU_CHECK; | ||||||
| 	flags |= HX509_CMS_VS_NO_VALIDATE; | 	flags |= HX509_CMS_VS_NO_VALIDATE; | ||||||
|     } |     } | ||||||
|  |     if (id->flags & PKINIT_NO_KDC_ANCHOR) | ||||||
|  | 	flags |= HX509_CMS_VS_NO_VALIDATE; | ||||||
|  |  | ||||||
|     *signer = NULL; |     ret = hx509_cms_verify_signed_ext(context->hx509ctx, | ||||||
|  |  | ||||||
|     ret = hx509_cms_verify_signed(context->hx509ctx, |  | ||||||
| 				      id->verify_ctx, | 				      id->verify_ctx, | ||||||
| 				      flags, | 				      flags, | ||||||
| 				      data, | 				      data, | ||||||
| @@ -849,13 +851,17 @@ pk_verify_sign(krb5_context context, | |||||||
| 				      id->certpool, | 				      id->certpool, | ||||||
| 				      contentType, | 				      contentType, | ||||||
| 				      content, | 				      content, | ||||||
| 				  &signer_certs); | 				      &signer_certs, | ||||||
|  | 				      &verify_flags); | ||||||
|     if (ret) { |     if (ret) { | ||||||
| 	pk_copy_error(context, context->hx509ctx, ret, | 	pk_copy_error(context, context->hx509ctx, ret, | ||||||
| 		      "CMS verify signed failed"); | 		      "CMS verify signed failed"); | ||||||
| 	return ret; | 	return ret; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0) | ||||||
|  | 	goto out; | ||||||
|  |  | ||||||
|     *signer = calloc(1, sizeof(**signer)); |     *signer = calloc(1, sizeof(**signer)); | ||||||
|     if (*signer == NULL) { |     if (*signer == NULL) { | ||||||
| 	krb5_clear_error_message(context); | 	krb5_clear_error_message(context); | ||||||
| @@ -1061,7 +1067,9 @@ pk_verify_host(krb5_context context, | |||||||
| 	    free_KRB5PrincipalName(&r); | 	    free_KRB5PrincipalName(&r); | ||||||
| 	} | 	} | ||||||
| 	hx509_free_octet_string_list(&list); | 	hx509_free_octet_string_list(&list); | ||||||
| 	if (matched == 0) { |  | ||||||
|  | 	if (matched == 0 && | ||||||
|  | 	    (ctx->id->flags & PKINIT_NO_KDC_ANCHOR) == 0) { | ||||||
| 	    ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; | 	    ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; | ||||||
| 	    /* XXX: Lost in translation... */ | 	    /* XXX: Lost in translation... */ | ||||||
| 	    krb5_set_error_message(context, ret, | 	    krb5_set_error_message(context, ret, | ||||||
| @@ -1192,10 +1200,16 @@ pk_rd_pa_reply_enckey(krb5_context context, | |||||||
|     ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length); |     ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length); | ||||||
|     der_free_octet_string(&unwrapped); |     der_free_octet_string(&unwrapped); | ||||||
|  |  | ||||||
|  |     heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR), | ||||||
|  | 		"KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set"); | ||||||
|  |  | ||||||
|  |     if (host) { | ||||||
| 	/* make sure that it is the kdc's certificate */ | 	/* make sure that it is the kdc's certificate */ | ||||||
| 	ret = pk_verify_host(context, realm, hi, ctx, host); | 	ret = pk_verify_host(context, realm, hi, ctx, host); | ||||||
|     if (ret) { | 	if (ret) | ||||||
| 	    goto out; | 	    goto out; | ||||||
|  |  | ||||||
|  | 	ctx->kdc_verified = 1; | ||||||
|     } |     } | ||||||
|  |  | ||||||
| #if 0 | #if 0 | ||||||
| @@ -1374,11 +1388,18 @@ pk_rd_pa_reply_dh(krb5_context context, | |||||||
|     if (ret) |     if (ret) | ||||||
| 	goto out; | 	goto out; | ||||||
|  |  | ||||||
|  |     heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR), | ||||||
|  | 		"KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set"); | ||||||
|  |  | ||||||
|  |     if (host) { | ||||||
| 	/* make sure that it is the kdc's certificate */ | 	/* make sure that it is the kdc's certificate */ | ||||||
| 	ret = pk_verify_host(context, realm, hi, ctx, host); | 	ret = pk_verify_host(context, realm, hi, ctx, host); | ||||||
| 	if (ret) | 	if (ret) | ||||||
| 	    goto out; | 	    goto out; | ||||||
|  |  | ||||||
|  | 	ctx->kdc_verified = 1; | ||||||
|  |     } | ||||||
|  |  | ||||||
|     if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) { |     if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) { | ||||||
| 	ret = KRB5KRB_AP_ERR_MSG_TYPE; | 	ret = KRB5KRB_AP_ERR_MSG_TYPE; | ||||||
| 	krb5_set_error_message(context, ret, | 	krb5_set_error_message(context, ret, | ||||||
| @@ -1836,12 +1857,6 @@ _krb5_pk_load_id(krb5_context context, | |||||||
|  |  | ||||||
|     *ret_id = NULL; |     *ret_id = NULL; | ||||||
|  |  | ||||||
|     if (anchor_id == NULL) { |  | ||||||
| 	krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA, |  | ||||||
| 			       N_("PKINIT: No anchor given", "")); |  | ||||||
| 	return HEIM_PKINIT_NO_VALID_CA; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     /* load cert */ |     /* load cert */ | ||||||
|  |  | ||||||
|     id = calloc(1, sizeof(*id)); |     id = calloc(1, sizeof(*id)); | ||||||
| @@ -2383,6 +2398,13 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, | |||||||
|     if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS) |     if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS) | ||||||
| 	opt->opt_private->pk_init_ctx->anonymous = 1; | 	opt->opt_private->pk_init_ctx->anonymous = 1; | ||||||
|  |  | ||||||
|  |     if ((flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) == 0 && | ||||||
|  | 	x509_anchors == NULL) { | ||||||
|  | 	krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA, | ||||||
|  | 			       N_("PKINIT: No anchor given", "")); | ||||||
|  | 	return HEIM_PKINIT_NO_VALID_CA; | ||||||
|  |     } | ||||||
|  |  | ||||||
|     ret = _krb5_pk_load_id(context, |     ret = _krb5_pk_load_id(context, | ||||||
| 			   &opt->opt_private->pk_init_ctx->id, | 			   &opt->opt_private->pk_init_ctx->id, | ||||||
| 			   user_id, | 			   user_id, | ||||||
| @@ -2402,9 +2424,10 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, | |||||||
|     } |     } | ||||||
|     if (flags & KRB5_GIC_OPT_PKINIT_BTMM) |     if (flags & KRB5_GIC_OPT_PKINIT_BTMM) | ||||||
| 	opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; | 	opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; | ||||||
|  |  | ||||||
|     if (principal && krb5_principal_is_lkdc(context, principal)) |     if (principal && krb5_principal_is_lkdc(context, principal)) | ||||||
| 	opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; | 	opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; | ||||||
|  |     if (flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) | ||||||
|  | 	opt->opt_private->pk_init_ctx->id->flags |= PKINIT_NO_KDC_ANCHOR; | ||||||
|  |  | ||||||
|     if (opt->opt_private->pk_init_ctx->id->certs) { |     if (opt->opt_private->pk_init_ctx->id->certs) { | ||||||
|         ret = _krb5_pk_set_user_id(context, |         ret = _krb5_pk_set_user_id(context, | ||||||
| @@ -2624,3 +2647,15 @@ krb5_pk_enterprise_cert(krb5_context context, | |||||||
|     return EINVAL; |     return EINVAL; | ||||||
| #endif | #endif | ||||||
| } | } | ||||||
|  |  | ||||||
|  | KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL | ||||||
|  | _krb5_pk_is_kdc_verified(krb5_context context, | ||||||
|  | 			 krb5_get_init_creds_opt *opt) | ||||||
|  | { | ||||||
|  |     if (opt == NULL || | ||||||
|  | 	opt->opt_private == NULL || | ||||||
|  | 	opt->opt_private->pk_init_ctx == NULL) | ||||||
|  | 	return FALSE; | ||||||
|  |  | ||||||
|  |     return opt->opt_private->pk_init_ctx->kdc_verified; | ||||||
|  | } | ||||||
|   | |||||||
| @@ -814,6 +814,7 @@ HEIMDAL_KRB5_2.0 { | |||||||
| 		krb5_process_last_request; | 		krb5_process_last_request; | ||||||
| 		krb5_init_creds_init; | 		krb5_init_creds_init; | ||||||
| 		krb5_init_creds_set_service; | 		krb5_init_creds_set_service; | ||||||
|  | 		krb5_init_creds_set_fast_anon_pkinit; | ||||||
| 		krb5_init_creds_set_fast_ccache; | 		krb5_init_creds_set_fast_ccache; | ||||||
| 		krb5_init_creds_set_keytab; | 		krb5_init_creds_set_keytab; | ||||||
| 		krb5_init_creds_get; | 		krb5_init_creds_get; | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Luke Howard
					Luke Howard