2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <rfc2459_asn1.h>
46 _kdc_try_kx509_request(void *ptr
, size_t len
, struct Kx509Request
*req
, size_t *size
)
50 if (memcmp("\x00\x00\x02\x00", ptr
, 4) != 0)
52 return decode_Kx509Request(((unsigned char *)ptr
) + 4, len
- 4, req
, size
);
59 static const unsigned char version_2_0
[4] = {0 , 0, 2, 0};
61 static krb5_error_code
62 verify_req_hash(krb5_context context
,
63 const Kx509Request
*req
,
66 unsigned char digest
[SHA_DIGEST_LENGTH
];
69 if (req
->pk_hash
.length
!= sizeof(digest
)) {
70 krb5_set_error_message(context
, KRB5KDC_ERR_PREAUTH_FAILED
,
71 "pk-hash have wrong length: %lu",
72 (unsigned long)req
->pk_hash
.length
);
73 return KRB5KDC_ERR_PREAUTH_FAILED
;
78 key
->keyvalue
.data
, key
->keyvalue
.length
,
80 if (sizeof(digest
) != HMAC_size(&ctx
))
81 krb5_abortx(context
, "runtime error, hmac buffer wrong size in kx509");
82 HMAC_Update(&ctx
, version_2_0
, sizeof(version_2_0
));
83 HMAC_Update(&ctx
, req
->pk_key
.data
, req
->pk_key
.length
);
84 HMAC_Final(&ctx
, digest
, 0);
85 HMAC_CTX_cleanup(&ctx
);
87 if (memcmp(req
->pk_hash
.data
, digest
, sizeof(digest
)) != 0) {
88 krb5_set_error_message(context
, KRB5KDC_ERR_PREAUTH_FAILED
,
89 "pk-hash is not correct");
90 return KRB5KDC_ERR_PREAUTH_FAILED
;
95 static krb5_error_code
96 calculate_reply_hash(krb5_context context
,
105 HMAC_Init_ex(&ctx
, key
->keyvalue
.data
, key
->keyvalue
.length
,
107 ret
= krb5_data_alloc(rep
->hash
, HMAC_size(&ctx
));
109 HMAC_CTX_cleanup(&ctx
);
110 krb5_set_error_message(context
, ENOMEM
, "malloc: out of memory");
114 HMAC_Update(&ctx
, version_2_0
, sizeof(version_2_0
));
115 if (rep
->error_code
) {
116 int32_t t
= *rep
->error_code
;
118 unsigned char p
= (t
& 0xff);
119 HMAC_Update(&ctx
, &p
, 1);
123 if (rep
->certificate
)
124 HMAC_Update(&ctx
, rep
->certificate
->data
, rep
->certificate
->length
);
126 HMAC_Update(&ctx
, (unsigned char *)*rep
->e_text
, strlen(*rep
->e_text
));
128 HMAC_Final(&ctx
, rep
->hash
->data
, 0);
129 HMAC_CTX_cleanup(&ctx
);
135 * Build a certifate for `principal´ that will expire at `endtime´.
138 static krb5_error_code
139 build_certificate(krb5_context context
,
140 krb5_kdc_configuration
*config
,
141 const krb5_data
*key
,
143 krb5_principal principal
,
144 krb5_data
*certificate
)
147 const char *kx509_ca
;
148 hx509_ca_tbs tbs
= NULL
;
149 hx509_env env
= NULL
;
150 hx509_cert cert
= NULL
;
151 hx509_cert signer
= NULL
;
152 krb5_boolean def_bool
;
155 ret
= krb5_unparse_name_flags(context
, principal
,
156 KRB5_PRINCIPAL_UNPARSE_NO_REALM
,
161 ret
= hx509_env_add(context
->hx509ctx
, &env
, "principal-name-without-realm",
169 * Include the realm in the principal-name env var; the template
170 * might not use $principal-name-realm after all.
172 ret
= krb5_unparse_name(context
, principal
, &name
);
176 ret
= hx509_env_add(context
->hx509ctx
, &env
, "principal-name",
181 ret
= hx509_env_add(context
->hx509ctx
, &env
, "principal-name-realm",
182 krb5_principal_get_realm(context
, principal
));
186 /* Pick an issuer based on the crealm if we can */
187 kx509_ca
= krb5_config_get_string(context
, NULL
, "kdc",
188 krb5_principal_get_realm(context
,
191 if (kx509_ca
== NULL
)
192 kx509_ca
= config
->kx509_ca
;
198 ret
= hx509_certs_init(context
->hx509ctx
, config
->kx509_ca
, 0,
201 kdc_log(context
, config
, 0, "Failed to load CA %s",
205 ret
= hx509_query_alloc(context
->hx509ctx
, &q
);
207 hx509_certs_free(&certs
);
211 hx509_query_match_option(q
, HX509_QUERY_OPTION_PRIVATE_KEY
);
212 hx509_query_match_option(q
, HX509_QUERY_OPTION_KU_KEYCERTSIGN
);
214 ret
= hx509_certs_find(context
->hx509ctx
, certs
, q
, &signer
);
215 hx509_query_free(context
->hx509ctx
, q
);
216 hx509_certs_free(&certs
);
218 kdc_log(context
, config
, 0, "Failed to find a CA in %s",
224 ret
= hx509_ca_tbs_init(context
->hx509ctx
, &tbs
);
229 SubjectPublicKeyInfo spki
;
232 memset(&spki
, 0, sizeof(spki
));
234 spki
.subjectPublicKey
.data
= key
->data
;
235 spki
.subjectPublicKey
.length
= key
->length
* 8;
237 ret
= der_copy_oid(&asn1_oid_id_pkcs1_rsaEncryption
,
238 &spki
.algorithm
.algorithm
);
240 any
.data
= "\x05\x00";
242 spki
.algorithm
.parameters
= &any
;
244 ret
= hx509_ca_tbs_set_spki(context
->hx509ctx
, tbs
, &spki
);
245 der_free_oid(&spki
.algorithm
.algorithm
);
254 ret
= hx509_certs_init(context
->hx509ctx
, config
->kx509_template
, 0,
257 kdc_log(context
, config
, 0, "Failed to load template %s",
258 config
->kx509_template
);
261 ret
= hx509_get_one_cert(context
->hx509ctx
, certs
, &template);
262 hx509_certs_free(&certs
);
264 kdc_log(context
, config
, 0, "Failed to find template in %s",
265 config
->kx509_template
);
268 ret
= hx509_ca_tbs_set_template(context
->hx509ctx
, tbs
,
269 HX509_CA_TEMPLATE_SUBJECT
|
270 HX509_CA_TEMPLATE_KU
|
271 HX509_CA_TEMPLATE_EKU
,
273 hx509_cert_free(template);
278 def_bool
= krb5_config_get_bool_default(context
, NULL
, TRUE
, "kdc",
279 "kx509_include_pkinit_san",
281 if (krb5_config_get_bool_default(context
, NULL
, def_bool
, "kdc",
282 krb5_principal_get_realm(context
,
284 "kx509_include_pkinit_san",
286 ret
= hx509_ca_tbs_add_san_pkinit(context
->hx509ctx
, tbs
, name
);
291 hx509_ca_tbs_set_notAfter(context
->hx509ctx
, tbs
, endtime
);
293 hx509_ca_tbs_subject_expand(context
->hx509ctx
, tbs
, env
);
294 hx509_env_free(&env
);
296 ret
= hx509_ca_sign(context
->hx509ctx
, tbs
, signer
, &cert
);
297 hx509_cert_free(signer
);
301 hx509_ca_tbs_free(&tbs
);
303 ret
= hx509_cert_binary(context
->hx509ctx
, cert
, certificate
);
304 hx509_cert_free(cert
);
308 /* cleanup on success */
316 hx509_env_free(&env
);
318 hx509_ca_tbs_free(&tbs
);
320 hx509_cert_free(signer
);
321 krb5_set_error_message(context
, ret
, "cert creation failed");
326 kdc_kx509_verify_service_principal(krb5_context context
,
328 krb5_principal sprincipal
)
330 krb5_error_code ret
, aret
;
332 krb5_principal principal
= NULL
;
333 char *expected
= NULL
;
334 char localhost
[MAXHOSTNAMELEN
];
336 ret
= gethostname(localhost
, sizeof(localhost
) - 1);
339 krb5_set_error_message(context
, ret
,
340 N_("Failed to get local hostname", ""));
343 localhost
[sizeof(localhost
) - 1] = '\0';
345 ret
= krb5_make_principal(context
, &principal
, "", "kca_service",
350 bret
= krb5_principal_compare_any_realm(context
, sprincipal
, principal
);
352 goto out
; /* found a match */
354 ret
= KRB5KDC_ERR_SERVER_NOMATCH
;
356 aret
= krb5_unparse_name(context
, sprincipal
, &expected
);
360 krb5_set_error_message(context
, ret
,
361 "User %s used wrong Kx509 service "
362 "principal, expected: %s",
366 krb5_xfree(expected
);
367 krb5_free_principal(context
, principal
);
377 _kdc_do_kx509(krb5_context context
,
378 krb5_kdc_configuration
*config
,
379 const struct Kx509Request
*req
, krb5_data
*reply
,
380 const char *from
, struct sockaddr
*addr
)
383 krb5_ticket
*ticket
= NULL
;
384 krb5_flags ap_req_options
;
385 krb5_auth_context ac
= NULL
;
386 krb5_keytab id
= NULL
;
387 krb5_principal sprincipal
= NULL
, cprincipal
= NULL
;
391 krb5_keyblock
*key
= NULL
;
392 krb5_boolean def_bool
;
394 krb5_data_zero(reply
);
395 memset(&rep
, 0, sizeof(rep
));
397 if(!config
->enable_kx509
) {
398 kdc_log(context
, config
, 0,
399 "Rejected kx509 request (disabled) from %s", from
);
400 return KRB5KDC_ERR_POLICY
;
403 kdc_log(context
, config
, 0, "Kx509 request from %s", from
);
405 ret
= krb5_kt_resolve(context
, "HDBGET:", &id
);
407 kdc_log(context
, config
, 0, "Can't open database for digest");
411 ret
= krb5_rd_req(context
,
421 ret
= krb5_ticket_get_client(context
, ticket
, &cprincipal
);
425 def_bool
= krb5_config_get_bool_default(context
, NULL
, TRUE
, "kdc",
426 "require_initial_kca_tickets",
428 if (!ticket
->ticket
.flags
.initial
&&
429 krb5_config_get_bool_default(context
, NULL
, def_bool
, "kdc",
430 krb5_principal_get_realm(context
,
432 "require_initial_kca_tickets", NULL
)) {
433 ret
= KRB5KDC_ERR_POLICY
;
437 ret
= krb5_unparse_name(context
, cprincipal
, &cname
);
441 ret
= krb5_ticket_get_server(context
, ticket
, &sprincipal
);
445 ret
= kdc_kx509_verify_service_principal(context
, cname
, sprincipal
);
449 ret
= krb5_auth_con_getkey(context
, ac
, &key
);
450 if (ret
== 0 && key
== NULL
)
451 ret
= KRB5KDC_ERR_NULL_KEY
;
453 krb5_set_error_message(context
, ret
, "Kx509 can't get session key");
457 ret
= verify_req_hash(context
, req
, key
);
461 /* Verify that the key is encoded RSA key */
463 RSAPublicKey rsapkey
;
466 ret
= decode_RSAPublicKey(req
->pk_key
.data
, req
->pk_key
.length
,
467 &rsapkey
, &rsapkeysize
);
470 free_RSAPublicKey(&rsapkey
);
471 if (rsapkeysize
!= req
->pk_key
.length
) {
472 ret
= ASN1_EXTRA_DATA
;
477 ALLOC(rep
.certificate
);
478 if (rep
.certificate
== NULL
)
480 krb5_data_zero(rep
.certificate
);
482 if (rep
.hash
== NULL
)
484 krb5_data_zero(rep
.hash
);
486 ret
= build_certificate(context
, config
, &req
->pk_key
,
487 krb5_ticket_get_endtime(context
, ticket
),
488 cprincipal
, rep
.certificate
);
492 ret
= calculate_reply_hash(context
, key
, &rep
);
497 * Encode reply, [ version | Kx509Response ]
503 ASN1_MALLOC_ENCODE(Kx509Response
, data
.data
, data
.length
, &rep
,
506 krb5_set_error_message(context
, ret
, "Failed to encode kx509 reply");
509 if (size
!= data
.length
)
510 krb5_abortx(context
, "ASN1 internal error");
512 ret
= krb5_data_alloc(reply
, data
.length
+ sizeof(version_2_0
));
517 memcpy(reply
->data
, version_2_0
, sizeof(version_2_0
));
518 memcpy(((unsigned char *)reply
->data
) + sizeof(version_2_0
),
519 data
.data
, data
.length
);
523 kdc_log(context
, config
, 0, "Successful Kx509 request for %s", cname
);
527 krb5_auth_con_free(context
, ac
);
529 krb5_warn(context
, ret
, "Kx509 request from %s failed", from
);
531 krb5_free_ticket(context
, ticket
);
533 krb5_kt_close(context
, id
);
535 krb5_free_principal(context
, sprincipal
);
537 krb5_free_principal(context
, cprincipal
);
539 krb5_free_keyblock (context
, key
);
542 free_Kx509Response(&rep
);