1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/* kdc/fast_util.c */
3
/*
4
 * Copyright (C) 2009, 2015 by the Massachusetts Institute of Technology.
5
 * All rights reserved.
6
 *
7
 * Export of this software from the United States of America may
8
 *   require a specific license from the United States Government.
9
 *   It is the responsibility of any person or organization contemplating
10
 *   export to obtain such a license before exporting.
11
 *
12
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13
 * distribute this software and its documentation for any purpose and
14
 * without fee is hereby granted, provided that the above copyright
15
 * notice appear in all copies and that both that copyright notice and
16
 * this permission notice appear in supporting documentation, and that
17
 * the name of M.I.T. not be used in advertising or publicity pertaining
18
 * to distribution of the software without specific, written prior
19
 * permission.  Furthermore if you modify this software you must label
20
 * your software as modified software and not distribute it in such a
21
 * fashion that it might be confused with the original M.I.T. software.
22
 * M.I.T. makes no representations about the suitability of
23
 * this software for any purpose.  It is provided "as is" without express
24
 * or implied warranty.
25
 */
26

27
#include <k5-int.h>
28

29
#include "kdc_util.h"
30
#include "extern.h"
31

32
/* Let cookies be valid for ten minutes. */
33
#define COOKIE_LIFETIME 600
34

35
static krb5_error_code armor_ap_request
36
(struct kdc_request_state *state, krb5_fast_armor *armor)
37
{
38
    krb5_error_code retval = 0;
39
    krb5_auth_context authcontext = NULL;
40
    krb5_ticket *ticket = NULL;
41
    krb5_keyblock *subkey = NULL;
42
    kdc_realm_t *realm = state->realm_data;
43
    krb5_context context = realm->realm_context;
44

45
    assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);
46
    krb5_clear_error_message(context);
47
    retval = krb5_auth_con_init(context, &authcontext);
48
    /*disable replay cache*/
49
    if (retval == 0)
50
        retval = krb5_auth_con_setflags(context, authcontext, 0);
51
    if (retval == 0)
52
        retval = krb5_rd_req(context, &authcontext, &armor->armor_value,
53
                             NULL /*server*/, realm->realm_keytab,
54
                             NULL, &ticket);
55
    if (retval != 0) {
56
        const char * errmsg = krb5_get_error_message(context, retval);
57
        k5_setmsg(context, retval, _("%s while handling ap-request armor"),
58
                  errmsg);
59
        krb5_free_error_message(context, errmsg);
60
    }
61
    if (retval == 0) {
62
        if (!krb5_principal_compare_any_realm(context, realm->realm_tgsprinc,
63
                                              ticket->server)) {
64
            k5_setmsg(context, KRB5KDC_ERR_SERVER_NOMATCH,
65
                      _("ap-request armor for something other than the local "
66
                        "TGS"));
67
            retval = KRB5KDC_ERR_SERVER_NOMATCH;
68
        }
69
    }
70
    if (retval == 0) {
71
        retval = krb5_auth_con_getrecvsubkey(context, authcontext, &subkey);
72
        if (retval != 0 || subkey == NULL) {
73
            k5_setmsg(context, KRB5KDC_ERR_POLICY,
74
                      _("ap-request armor without subkey"));
75
            retval = KRB5KDC_ERR_POLICY;
76
        }
77
    }
78
    if (retval == 0)
79
        retval = krb5_c_fx_cf2_simple(context,
80
                                      subkey, "subkeyarmor",
81
                                      ticket->enc_part2->session, "ticketarmor",
82
                                      &state->armor_key);
83
    if (ticket)
84
        krb5_free_ticket(context, ticket);
85
    if (subkey)
86
        krb5_free_keyblock(context, subkey);
87
    if (authcontext)
88
        krb5_auth_con_free(context, authcontext);
89
    return retval;
90
}
91

92
static krb5_error_code
93
encrypt_fast_reply(struct kdc_request_state *state,
94
                   const krb5_fast_response *response,
95
                   krb5_data **fx_fast_reply)
96
{
97
    krb5_context context = state->realm_data->realm_context;
98
    krb5_error_code retval = 0;
99
    krb5_enc_data encrypted_reply;
100
    krb5_data *encoded_response = NULL;
101

102
    assert(state->armor_key);
103
    retval = encode_krb5_fast_response(response, &encoded_response);
104
    if (retval== 0)
105
        retval = krb5_encrypt_helper(context, state->armor_key,
106
                                     KRB5_KEYUSAGE_FAST_REP,
107
                                     encoded_response, &encrypted_reply);
108
    if (encoded_response)
109
        krb5_free_data(context, encoded_response);
110
    encoded_response = NULL;
111
    if (retval == 0) {
112
        retval = encode_krb5_pa_fx_fast_reply(&encrypted_reply,
113
                                              fx_fast_reply);
114
        krb5_free_data_contents(context, &encrypted_reply.ciphertext);
115
    }
116
    return retval;
117
}
118

119

120
/*
121
 * This function will find the FAST padata and, if FAST is successfully
122
 * processed, will free the outer request and update the pointer to point to
123
 * the inner request.  checksummed_data points to the data that is in the
124
 * armored_fast_request checksum; either the pa-tgs-req or the kdc-req-body.
125
 */
126
krb5_error_code
127
kdc_find_fast(krb5_kdc_req **requestptr,
128
              krb5_data *checksummed_data,
129
              krb5_keyblock *tgs_subkey,
130
              krb5_keyblock *tgs_session,
131
              struct kdc_request_state *state,
132
              krb5_data **inner_body_out)
133
{
134
    krb5_context context = state->realm_data->realm_context;
135
    krb5_error_code retval = 0;
136
    krb5_pa_data *fast_padata;
137
    krb5_data scratch, plaintext, *inner_body = NULL;
138
    krb5_fast_req * fast_req = NULL;
139
    krb5_kdc_req *request = *requestptr;
140
    krb5_fast_armored_req *fast_armored_req = NULL;
141
    krb5_checksum *cksum;
142
    krb5_boolean cksum_valid;
143
    krb5_keyblock empty_keyblock;
144

145
    if (inner_body_out != NULL)
146
        *inner_body_out = NULL;
147
    scratch.data = NULL;
148
    krb5_clear_error_message(context);
149
    memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
150
    fast_padata = krb5int_find_pa_data(context, request->padata,
151
                                       KRB5_PADATA_FX_FAST);
152
    if (fast_padata !=  NULL){
153
        scratch.length = fast_padata->length;
154
        scratch.data = (char *) fast_padata->contents;
155
        retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req);
156
        if (retval == 0 &&fast_armored_req->armor) {
157
            switch (fast_armored_req->armor->armor_type) {
158
            case KRB5_FAST_ARMOR_AP_REQUEST:
159
                if (tgs_subkey) {
160
                    retval = KRB5KDC_ERR_PREAUTH_FAILED;
161
                    k5_setmsg(context, retval,
162
                              _("Ap-request armor not permitted with TGS"));
163
                    break;
164
                }
165
                retval = armor_ap_request(state, fast_armored_req->armor);
166
                break;
167
            default:
168
                k5_setmsg(context, KRB5KDC_ERR_PREAUTH_FAILED,
169
                          _("Unknown FAST armor type %d"),
170
                          fast_armored_req->armor->armor_type);
171
                retval = KRB5KDC_ERR_PREAUTH_FAILED;
172
            }
173
        }
174
        if (retval == 0 && !state->armor_key) {
175
            if (tgs_subkey)
176
                retval = krb5_c_fx_cf2_simple(context,
177
                                              tgs_subkey, "subkeyarmor",
178
                                              tgs_session, "ticketarmor",
179
                                              &state->armor_key);
180
            else {
181
                retval = KRB5KDC_ERR_PREAUTH_FAILED;
182
                k5_setmsg(context, retval,
183
                          _("No armor key but FAST armored request present"));
184
            }
185
        }
186
        if (retval == 0) {
187
            plaintext.length = fast_armored_req->enc_part.ciphertext.length;
188
            plaintext.data = k5alloc(plaintext.length, &retval);
189
        }
190
        if (retval == 0) {
191
            retval = krb5_c_decrypt(context, state->armor_key,
192
                                    KRB5_KEYUSAGE_FAST_ENC, NULL,
193
                                    &fast_armored_req->enc_part,
194
                                    &plaintext);
195
            if (retval == 0)
196
                retval = decode_krb5_fast_req(&plaintext, &fast_req);
197
            if (retval == 0 && inner_body_out != NULL) {
198
                retval = fetch_asn1_field((unsigned char *)plaintext.data,
199
                                          1, 2, &scratch);
200
                if (retval == 0) {
201
                    retval = krb5_copy_data(context, &scratch, &inner_body);
202
                }
203
            }
204
            if (plaintext.data)
205
                free(plaintext.data);
206
        }
207
        cksum = &fast_armored_req->req_checksum;
208
        if (retval == 0)
209
            retval = krb5_c_verify_checksum(context, state->armor_key,
210
                                            KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
211
                                            checksummed_data, cksum,
212
                                            &cksum_valid);
213
        if (retval == 0 && !cksum_valid) {
214
            retval = KRB5KRB_AP_ERR_MODIFIED;
215
            k5_setmsg(context, retval,
216
                      _("FAST req_checksum invalid; request modified"));
217
        }
218
        if (retval == 0) {
219
            if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) {
220
                retval = KRB5KDC_ERR_POLICY;
221
                k5_setmsg(context, retval,
222
                          _("Unkeyed checksum used in fast_req"));
223
            }
224
        }
225
        if (retval == 0) {
226
            if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) != 0)
227
                retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
228
        }
229
        if (retval == 0) {
230
            state->fast_options = fast_req->fast_options;
231
            fast_req->req_body->msg_type = request->msg_type;
232
            krb5_free_kdc_req(context, request);
233
            *requestptr = fast_req->req_body;
234
            fast_req->req_body = NULL;
235
        }
236
    }
237
    if (retval == 0 && inner_body_out != NULL) {
238
        *inner_body_out = inner_body;
239
        inner_body = NULL;
240
    }
241
    krb5_free_data(context, inner_body);
242
    if (fast_req)
243
        krb5_free_fast_req(context, fast_req);
244
    if (fast_armored_req)
245
        krb5_free_fast_armored_req(context, fast_armored_req);
246
    return retval;
247
}
248

249

250
krb5_error_code
251
kdc_make_rstate(kdc_realm_t *active_realm, struct kdc_request_state **out)
252
{
253
    struct kdc_request_state *state = malloc( sizeof(struct kdc_request_state));
254
    if (state == NULL)
255
        return ENOMEM;
256
    memset( state, 0, sizeof(struct kdc_request_state));
257
    state->realm_data = active_realm;
258
    *out = state;
259
    return 0;
260
}
261

262
void
263
kdc_free_rstate (struct kdc_request_state *s)
264
{
265
    if (s == NULL)
266
        return;
267
    if (s->armor_key)
268
        krb5_free_keyblock(s->realm_data->realm_context, s->armor_key);
269
    if (s->strengthen_key)
270
        krb5_free_keyblock(s->realm_data->realm_context, s->strengthen_key);
271
    k5_zapfree_pa_data(s->in_cookie_padata);
272
    k5_zapfree_pa_data(s->out_cookie_padata);
273
    free(s);
274
}
275

276
krb5_error_code
277
kdc_fast_response_handle_padata(struct kdc_request_state *state,
278
                                krb5_kdc_req *request,
279
                                krb5_kdc_rep *rep, krb5_enctype enctype)
280
{
281
    krb5_context context = state->realm_data->realm_context;
282
    krb5_error_code retval = 0;
283
    krb5_fast_finished finish;
284
    krb5_fast_response fast_response;
285
    krb5_data *encoded_ticket = NULL;
286
    krb5_data *encrypted_reply = NULL;
287
    krb5_pa_data *pa = NULL, **pa_array = NULL;
288
    krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
289
    krb5_pa_data *empty_padata[] = {NULL};
290
    krb5_keyblock *strengthen_key = NULL;
291

292
    if (!state->armor_key)
293
        return 0;
294
    memset(&finish, 0, sizeof(finish));
295
    retval = krb5_init_keyblock(context, enctype, 0, &strengthen_key);
296
    if (retval == 0)
297
        retval = krb5_c_make_random_key(context, enctype, strengthen_key);
298
    if (retval == 0) {
299
        state->strengthen_key = strengthen_key;
300
        strengthen_key = NULL;
301
    }
302

303
    fast_response.padata = rep->padata;
304
    if (fast_response.padata == NULL)
305
        fast_response.padata = &empty_padata[0];
306
    fast_response.strengthen_key = state->strengthen_key;
307
    fast_response.nonce = request->nonce;
308
    fast_response.finished = &finish;
309
    finish.client = rep->client;
310
    pa_array = calloc(3, sizeof(*pa_array));
311
    if (pa_array == NULL)
312
        retval = ENOMEM;
313
    pa = calloc(1, sizeof(krb5_pa_data));
314
    if (retval == 0 && pa == NULL)
315
        retval = ENOMEM;
316
    if (retval == 0)
317
        retval = krb5_us_timeofday(context, &finish.timestamp, &finish.usec);
318
    if (retval == 0)
319
        retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
320
    if (retval == 0)
321
        retval = krb5int_c_mandatory_cksumtype(context,
322
                                               state->armor_key->enctype,
323
                                               &cksumtype);
324
    if (retval == 0)
325
        retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
326
                                      KRB5_KEYUSAGE_FAST_FINISHED,
327
                                      encoded_ticket, &finish.ticket_checksum);
328
    if (retval == 0)
329
        retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
330
    if (retval == 0) {
331
        pa[0].pa_type = KRB5_PADATA_FX_FAST;
332
        pa[0].length = encrypted_reply->length;
333
        pa[0].contents = (unsigned char *)  encrypted_reply->data;
334
        pa_array[0] = &pa[0];
335
        krb5_free_pa_data(context, rep->padata);
336
        rep->padata = pa_array;
337
        pa_array = NULL;
338
        free(encrypted_reply);
339
        encrypted_reply = NULL;
340
        pa = NULL;
341
    }
342
    if (pa)
343
        free(pa);
344
    if (pa_array)
345
        free(pa_array);
346
    if (encrypted_reply)
347
        krb5_free_data(context, encrypted_reply);
348
    if (encoded_ticket)
349
        krb5_free_data(context, encoded_ticket);
350
    if (strengthen_key != NULL)
351
        krb5_free_keyblock(context, strengthen_key);
352
    if (finish.ticket_checksum.contents)
353
        krb5_free_checksum_contents(context, &finish.ticket_checksum);
354
    return retval;
355
}
356

357

358
/*
359
 * We assume the caller is responsible for passing us an in_padata
360
 * sufficient to include in a FAST error.  In the FAST case we will
361
 * set *fast_edata_out to the edata to be included in the error; in
362
 * the non-FAST case we will set it to NULL.
363
 */
364
krb5_error_code
365
kdc_fast_handle_error(krb5_context context,
366
                      struct kdc_request_state *state,
367
                      krb5_kdc_req *request,
368
                      krb5_pa_data  **in_padata, krb5_error *err,
369
                      krb5_data **fast_edata_out)
370
{
371
    krb5_error_code retval = 0;
372
    krb5_fast_response resp;
373
    krb5_error fx_error;
374
    krb5_data *encoded_fx_error = NULL, *encrypted_reply = NULL;
375
    krb5_pa_data pa[1];
376
    krb5_pa_data *outer_pa[3];
377
    krb5_pa_data **inner_pa = NULL;
378
    size_t size = 0;
379

380
    *fast_edata_out = NULL;
381
    memset(outer_pa, 0, sizeof(outer_pa));
382
    if (state->armor_key == NULL)
383
        return 0;
384
    fx_error = *err;
385
    fx_error.e_data.data = NULL;
386
    fx_error.e_data.length = 0;
387
    for (size = 0; in_padata&&in_padata[size]; size++);
388
    inner_pa = calloc(size + 2, sizeof(krb5_pa_data *));
389
    if (inner_pa == NULL)
390
        retval = ENOMEM;
391
    if (retval == 0)
392
        for (size=0; in_padata&&in_padata[size]; size++)
393
            inner_pa[size] = in_padata[size];
394
    if (retval == 0)
395
        retval = encode_krb5_error(&fx_error, &encoded_fx_error);
396
    if (retval == 0) {
397
        pa[0].pa_type = KRB5_PADATA_FX_ERROR;
398
        pa[0].length = encoded_fx_error->length;
399
        pa[0].contents = (unsigned char *) encoded_fx_error->data;
400
        inner_pa[size++] = &pa[0];
401
    }
402
    if (retval == 0) {
403
        resp.padata = inner_pa;
404
        resp.nonce = request->nonce;
405
        resp.strengthen_key = NULL;
406
        resp.finished = NULL;
407
    }
408
    if (retval == 0)
409
        retval = encrypt_fast_reply(state, &resp, &encrypted_reply);
410
    if (inner_pa)
411
        free(inner_pa); /*contained storage from caller and our stack*/
412
    if (retval == 0) {
413
        pa[0].pa_type = KRB5_PADATA_FX_FAST;
414
        pa[0].length = encrypted_reply->length;
415
        pa[0].contents = (unsigned char *) encrypted_reply->data;
416
        outer_pa[0] = &pa[0];
417
    }
418
    retval = encode_krb5_padata_sequence(outer_pa, fast_edata_out);
419
    if (encrypted_reply)
420
        krb5_free_data(context, encrypted_reply);
421
    if (encoded_fx_error)
422
        krb5_free_data(context, encoded_fx_error);
423
    return retval;
424
}
425

426
krb5_error_code
427
kdc_fast_handle_reply_key(struct kdc_request_state *state,
428
                          krb5_keyblock *existing_key,
429
                          krb5_keyblock **out_key)
430
{
431
    krb5_context context = state->realm_data->realm_context;
432
    krb5_error_code retval = 0;
433

434
    if (state->armor_key)
435
        retval = krb5_c_fx_cf2_simple(context,
436
                                      state->strengthen_key, "strengthenkey",
437
                                      existing_key, "replykey", out_key);
438
    else
439
        retval = krb5_copy_keyblock(context, existing_key, out_key);
440
    return retval;
441
}
442

443
krb5_boolean
444
kdc_fast_hide_client(struct kdc_request_state *state)
445
{
446
    return (state->fast_options & KRB5_FAST_OPTION_HIDE_CLIENT_NAMES) != 0;
447
}
448

449
/* Create a pa-data entry with the specified type and contents. */
450
static krb5_error_code
451
make_padata(krb5_preauthtype pa_type, const void *contents, size_t len,
452
            krb5_pa_data **out)
453
{
454
    if (k5_alloc_pa_data(pa_type, len, out) != 0)
455
        return ENOMEM;
456
    memcpy((*out)->contents, contents, len);
457
    return 0;
458
}
459

460
/*
461
 * Derive the secure cookie encryption key from tgt_key and client_princ.  The
462
 * cookie key is derived with PRF+ using the concatenation of "COOKIE" and the
463
 * unparsed client principal name as input.
464
 */
465
static krb5_error_code
466
derive_cookie_key(krb5_context context, krb5_keyblock *tgt_key,
467
                  krb5_const_principal client_princ, krb5_keyblock **key_out)
468
{
469
    krb5_error_code ret;
470
    krb5_data d;
471
    char *princstr = NULL, *derive_input = NULL;
472

473
    *key_out = NULL;
474

475
    /* Construct the input string and derive the cookie key. */
476
    ret = krb5_unparse_name(context, client_princ, &princstr);
477
    if (ret)
478
        goto cleanup;
479
    if (asprintf(&derive_input, "COOKIE%s", princstr) < 0) {
480
        ret = ENOMEM;
481
        goto cleanup;
482
    }
483
    d = string2data(derive_input);
484
    ret = krb5_c_derive_prfplus(context, tgt_key, &d, ENCTYPE_NULL, key_out);
485

486
cleanup:
487
    krb5_free_unparsed_name(context, princstr);
488
    free(derive_input);
489
    return ret;
490
}
491

492
/* Derive the cookie key for the specified kvno in tgt.  tgt_key must be the
493
 * decrypted first key data entry in tgt. */
494
static krb5_error_code
495
get_cookie_key(krb5_context context, krb5_db_entry *tgt,
496
               krb5_keyblock *tgt_key, krb5_kvno kvno,
497
               krb5_const_principal client_princ, krb5_keyblock **key_out)
498
{
499
    krb5_error_code ret;
500
    krb5_keyblock storage, *key;
501
    krb5_key_data *kd;
502

503
    *key_out = NULL;
504
    memset(&storage, 0, sizeof(storage));
505

506
    if (kvno == current_kvno(tgt)) {
507
        /* Use the already-decrypted first key. */
508
        key = tgt_key;
509
    } else {
510
        /* The cookie used an older TGT key; find and decrypt it. */
511
        ret = krb5_dbe_find_enctype(context, tgt, -1, -1, kvno, &kd);
512
        if (ret)
513
            return ret;
514
        ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &storage, NULL);
515
        if (ret)
516
            return ret;
517
        key = &storage;
518
    }
519

520
    ret = derive_cookie_key(context, key, client_princ, key_out);
521
    krb5_free_keyblock_contents(context, &storage);
522
    return ret;
523
}
524

525
/* Return true if there is any overlap between padata types in cpadata
526
 * (from the cookie) and rpadata (from the request). */
527
static krb5_boolean
528
is_relevant(krb5_pa_data *const *cpadata, krb5_pa_data *const *rpadata)
529
{
530
    krb5_pa_data *const *p;
531

532
    for (p = cpadata; p != NULL && *p != NULL; p++) {
533
        if (krb5int_find_pa_data(NULL, rpadata, (*p)->pa_type) != NULL)
534
            return TRUE;
535
    }
536
    return FALSE;
537
}
538

539
/*
540
 * Locate and decode the FAST cookie in req, storing its contents in state for
541
 * later access by preauth modules.  If the cookie is expired, return
542
 * KRB5KDC_ERR_PREAUTH_EXPIRED if its contents are relevant to req, and ignore
543
 * it if they aren't.
544
 */
545
krb5_error_code
546
kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
547
                     krb5_kdc_req *req, krb5_db_entry *local_tgt,
548
                     krb5_keyblock *local_tgt_key)
549
{
550
    krb5_error_code ret;
551
    krb5_secure_cookie *cookie = NULL;
552
    krb5_timestamp now;
553
    krb5_keyblock *key = NULL;
554
    krb5_enc_data enc;
555
    krb5_pa_data *pa;
556
    krb5_kvno kvno;
557
    krb5_data plain = empty_data();
558

559
    pa = krb5int_find_pa_data(context, req->padata, KRB5_PADATA_FX_COOKIE);
560
    if (pa == NULL)
561
        return 0;
562

563
    /* If it's not an MIT version 1 cookie, ignore it.  It may be an empty
564
     * "MIT" cookie or a cookie generated by a different KDC implementation. */
565
    if (pa->length <= 8 || memcmp(pa->contents, "MIT1", 4) != 0)
566
        return 0;
567

568
    /* Extract the kvno and generate the corresponding cookie key. */
569
    kvno = load_32_be(pa->contents + 4);
570
    ret = get_cookie_key(context, local_tgt, local_tgt_key, kvno, req->client,
571
                         &key);
572
    if (ret)
573
        goto cleanup;
574

575
    /* Decrypt and decode the cookie. */
576
    memset(&enc, 0, sizeof(enc));
577
    enc.enctype = key->enctype;
578
    enc.ciphertext = make_data(pa->contents + 8, pa->length - 8);
579
    ret = alloc_data(&plain, pa->length - 8);
580
    if (ret)
581
        goto cleanup;
582
    ret = krb5_c_decrypt(context, key, KRB5_KEYUSAGE_PA_FX_COOKIE, NULL, &enc,
583
                         &plain);
584
    if (ret)
585
        goto cleanup;
586
    ret = decode_krb5_secure_cookie(&plain, &cookie);
587
    if (ret)
588
        goto cleanup;
589

590
    /* Check if the cookie is expired. */
591
    ret = krb5_timeofday(context, &now);
592
    if (ret)
593
        goto cleanup;
594
    if (ts2tt(now) > cookie->time + COOKIE_LIFETIME) {
595
        /* Don't accept the cookie contents.  Only return an error if the
596
         * cookie is relevant to the request. */
597
        if (is_relevant(cookie->data, req->padata))
598
            ret = KRB5KDC_ERR_PREAUTH_EXPIRED;
599
        goto cleanup;
600
    }
601

602
    /* Steal the pa-data list pointer from the cookie and store it in state. */
603
    state->in_cookie_padata = cookie->data;
604
    cookie->data = NULL;
605

606
cleanup:
607
    zapfree(plain.data, plain.length);
608
    krb5_free_keyblock(context, key);
609
    k5_free_secure_cookie(context, cookie);
610
    return 0;
611
}
612

613
/* If state contains a cookie value for pa_type, set *out to the corresponding
614
 * data and return true.  Otherwise set *out to empty and return false. */
615
krb5_boolean
616
kdc_fast_search_cookie(struct kdc_request_state *state,
617
                       krb5_preauthtype pa_type, krb5_data *out)
618
{
619
    krb5_pa_data *pa;
620

621
    pa = krb5int_find_pa_data(NULL, state->in_cookie_padata, pa_type);
622
    if (pa == NULL) {
623
        *out = empty_data();
624
        return FALSE;
625
    } else {
626
        *out = make_data(pa->contents, pa->length);
627
        return TRUE;
628
    }
629
}
630

631
/* Set a cookie value in state for data, to be included in the outgoing
632
 * cookie.  Duplicate values are ignored. */
633
krb5_error_code
634
kdc_fast_set_cookie(struct kdc_request_state *state, krb5_preauthtype pa_type,
635
                    const krb5_data *data)
636
{
637
    krb5_pa_data **list = state->out_cookie_padata;
638
    size_t count;
639

640
    for (count = 0; list != NULL && list[count] != NULL; count++) {
641
        if (list[count]->pa_type == pa_type)
642
            return 0;
643
    }
644

645
    list = realloc(list, (count + 2) * sizeof(*list));
646
    if (list == NULL)
647
        return ENOMEM;
648
    state->out_cookie_padata = list;
649
    list[count] = list[count + 1] = NULL;
650
    return make_padata(pa_type, data->data, data->length, &list[count]);
651
}
652

653
/* Construct a cookie pa-data item using the cookie values from state, or a
654
 * trivial "MIT" cookie if no values are set. */
655
krb5_error_code
656
kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,
657
                     krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key,
658
                     krb5_const_principal client_princ,
659
                     krb5_pa_data **cookie_out)
660
{
661
    krb5_error_code ret;
662
    krb5_secure_cookie cookie;
663
    krb5_pa_data **contents = state->out_cookie_padata, *pa;
664
    krb5_keyblock *key = NULL;
665
    krb5_timestamp now;
666
    krb5_enc_data enc;
667
    krb5_data *der_cookie = NULL;
668
    size_t ctlen;
669

670
    *cookie_out = NULL;
671
    memset(&enc, 0, sizeof(enc));
672

673
    /* Make a trivial cookie if there are no contents to marshal or we don't
674
     * have a TGT entry to encrypt them. */
675
    if (contents == NULL || *contents == NULL || local_tgt_key == NULL)
676
        return make_padata(KRB5_PADATA_FX_COOKIE, "MIT", 3, cookie_out);
677

678
    ret = derive_cookie_key(context, local_tgt_key, client_princ, &key);
679
    if (ret)
680
        goto cleanup;
681

682
    /* Encode the cookie. */
683
    ret = krb5_timeofday(context, &now);
684
    if (ret)
685
        goto cleanup;
686
    cookie.time = ts2tt(now);
687
    cookie.data = contents;
688
    ret = encode_krb5_secure_cookie(&cookie, &der_cookie);
689
    if (ret)
690
        goto cleanup;
691

692
    /* Encrypt the cookie in key. */
693
    ret = krb5_c_encrypt_length(context, key->enctype, der_cookie->length,
694
                                &ctlen);
695
    if (ret)
696
        goto cleanup;
697
    ret = alloc_data(&enc.ciphertext, ctlen);
698
    if (ret)
699
        goto cleanup;
700
    ret = krb5_c_encrypt(context, key, KRB5_KEYUSAGE_PA_FX_COOKIE, NULL,
701
                         der_cookie, &enc);
702
    if (ret)
703
        goto cleanup;
704

705
    /* Construct the cookie pa-data entry. */
706
    ret = k5_alloc_pa_data(KRB5_PADATA_FX_COOKIE, 8 + enc.ciphertext.length,
707
                           &pa);
708
    memcpy(pa->contents, "MIT1", 4);
709
    store_32_be(current_kvno(local_tgt), pa->contents + 4);
710
    memcpy(pa->contents + 8, enc.ciphertext.data, enc.ciphertext.length);
711
    *cookie_out = pa;
712

713
cleanup:
714
    krb5_free_keyblock(context, key);
715
    if (der_cookie != NULL) {
716
        zapfree(der_cookie->data, der_cookie->length);
717
        free(der_cookie);
718
    }
719
    krb5_free_data_contents(context, &enc.ciphertext);
720
    return ret;
721
}
722

723