return ret;
}
+static krb5_error_code
+fast_add_dummy_cookie(astgs_request_t r,
+ METHOD_DATA *method_data)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ const krb5_data *dummy_fast_cookie = &r->config->dummy_fast_cookie;
+
+ if (dummy_fast_cookie->data == NULL)
+ return 0;
+
+ ret = krb5_data_copy(&data,
+ dummy_fast_cookie->data,
+ dummy_fast_cookie->length);
+ if (ret)
+ return ret;
+
+ ret = krb5_padata_add(r->context, method_data,
+ KRB5_PADATA_FX_COOKIE,
+ data.data, data.length);
+ if (ret) {
+ krb5_data_free(&data);
+ }
+
+ return ret;
+}
+
krb5_error_code
_kdc_fast_mk_response(krb5_context context,
krb5_crypto armor_crypto,
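Review bot: fast_add_dummy_cookie carries no header comment, and its ownership rule is easy to misread: the copied `data` is freed only on the failure path, which presumably relies on krb5_padata_add taking ownership of the buffer once it succeeds, the same pattern the existing fast_add_cookie follows. I would put a comment above the definition such as `/* Append the configured dummy_fast_cookie as PA-FX-COOKIE to method_data; a no-op returning 0 when none is configured. On success the copied buffer belongs to method_data. */`. It is also worth stating in that comment that the early `return 0` means the caller cannot tell whether anything was actually added.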
* FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
*/
if (armor_crypto || r->fast.fast_state.len) {
- kdc_log(r->context, r->config, 5, "Adding FAST cookie for KRB-ERROR");
- ret = fast_add_cookie(r, error_client, error_method);
- if (ret) {
- kdc_log(r->context, r->config, 1,
- "Failed to add FAST cookie: %d", ret);
- free_METHOD_DATA(error_method);
- return ret;
+ if (r->config->enable_fast_cookie) {
+ kdc_log(r->context, r->config, 5, "Adding FAST cookie for KRB-ERROR");
+ ret = fast_add_cookie(r, error_client, error_method);
+ if (ret) {
+ kdc_log(r->context, r->config, 1,
+ "Failed to add FAST cookie: %d", ret);
+ free_METHOD_DATA(error_method);
+ return ret;
+ }
+ } else {
+ kdc_log(r->context, r->config, 5, "Adding dummy FAST cookie for KRB-ERROR");
+ ret = fast_add_dummy_cookie(r, error_method);
+ if (ret) {
+ kdc_log(r->context, r->config, 1,
+ "Failed to add dummy FAST cookie: %d", ret);
+ free_METHOD_DATA(error_method);
+ return ret;
+ }
}
}
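Review bot: The log at the top of the new else branch reports "Adding dummy FAST cookie for KRB-ERROR" even when `r->config->dummy_fast_cookie.data` is NULL and fast_add_dummy_cookie returns 0 without appending anything, which will mislead anyone reading level-5 KDC logs. Either gate the message on the same NULL check, `if (r->config->dummy_fast_cookie.data != NULL) kdc_log(r->context, r->config, 5, "Adding dummy FAST cookie for KRB-ERROR");`, or move the log into the helper so it fires only when a cookie is really added. This branch is also reached when `r->fast.fast_state.len` is non-zero, so with cookies disabled any accumulated FAST state is presumably dropped rather than persisted; a one-line comment saying that is intentional would save the next reader the question. _kdc_fast_mk_response continues outside the hunk.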
if (ret)
return ret;
- /*
- * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
- */
- pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_COOKIE);
- if (pa) {
- krb5_const_principal ticket_client = NULL;
+ if (r->config->enable_fast_cookie) {
+ /*
+ * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS.
+ */
+ pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_COOKIE);
+ if (pa) {
+ krb5_const_principal ticket_client = NULL;
- if (tgs_ticket)
- ticket_client = tgs_ticket->client;
+ if (tgs_ticket)
+ ticket_client = tgs_ticket->client;
- ret = fast_parse_cookie(r, ticket_client, pa);
+ ret = fast_parse_cookie(r, ticket_client, pa);
+ }
}
return ret;
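Review bot: With enable_fast_cookie off, an FX-COOKIE the client sends, including the dummy one the KDC itself emitted, is now skipped without any trace, so an operator cannot distinguish "cookies disabled" from "no cookie sent" when a multi-step mechanism stalls. A level-5 log on the disabled path would make that visible, e.g. `} else { kdc_log(r->context, r->config, 5, "FX-COOKIE processing disabled (enable_fast_cookie)"); }` after the new block. The enclosing function both starts and ends outside the hunk, so I cannot see whether `ret` is guaranteed initialised when the disabled path falls through to the final return.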
#define PA_SYNTHETIC_OK 4
#define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */
#define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */
+#define PA_USES_FAST_COOKIE 32 /* Multi-step PA mech maintains state in PA-FX-COOKIE */
krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa);
krb5_error_code (*finalize_pac)(astgs_request_t r);
void (*cleanup)(astgs_request_t r);
{ KRB5_PADATA_FX_COOKIE, "FX-COOKIE", 0, NULL, NULL, NULL },
{
KRB5_PADATA_GSS , "GSS",
- PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY,
+ PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY | PA_USES_FAST_COOKIE,
pa_gss_validate, pa_gss_finalize_pac, NULL
},
};
continue;
if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST))
continue;
+ if (!r->config->enable_fast_cookie && (pat[n].flags & PA_USES_FAST_COOKIE))
+ continue;
kdc_log(r->context, config, 5,
"Looking for %s pa-data -- %s", pat[n].name, r->cname);
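Review bot: The guard added before the "Looking for %s pa-data" log is repeated verbatim in the later hunk before krb5_padata_add, and neither site says why mechanisms flagged PA_USES_FAST_COOKIE must be hidden from both the lookup and the announcement loops. A short comment at each site, `/* multi-step mechs keep state in PA-FX-COOKIE; without cookies they can never complete, so neither look for nor announce them */`, would record the reasoning, and the condition could live in one `static inline` predicate next to the existing PA_REQ_FAST check so the two loops cannot drift apart. Both enclosing functions begin and end outside these hunks.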
continue;
if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth)
continue;
+ if (!r->config->enable_fast_cookie && (pat[n].flags & PA_USES_FAST_COOKIE))
+ continue;
ret = krb5_padata_add(r->context, r->rep.padata,
pat[n].type, NULL, 0);