search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/kadm5: find_db_spec do not leak 'info'
[heimdal.git] / kdc / mssfu.c
blob877b11d0580fc890931ce8e2380f9423a4599234
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 /*
37 * [MS-SFU] Kerberos Protocol Extensions:
38 * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
39 * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
40 */
41
42 /*
43 * Determine if constrained delegation is allowed from this client to this server
44 */
45
46 static krb5_error_code
47 check_constrained_delegation(krb5_context context,
48 krb5_kdc_configuration *config,
49 HDB *clientdb,
50 hdb_entry *client,
51 hdb_entry *server,
52 krb5_const_principal target)
53 {
54 const HDB_Ext_Constrained_delegation_acl *acl;
55 krb5_error_code ret;
56 size_t i;
57
58 /*
59 * constrained delegation (S4U2Proxy) only works within
60 * the same realm. We use the already canonicalized version
61 * of the principals here, while "target" is the principal
62 * provided by the client.
63 */
64 if (!krb5_realm_compare(context, client->principal, server->principal)) {
65 ret = KRB5KDC_ERR_BADOPTION;
66 kdc_log(context, config, 4,
67 "Bad request for constrained delegation");
68 return ret;
69 }
70
71 if (clientdb->hdb_check_constrained_delegation) {
72 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
73 if (ret == 0)
74 return 0;
75 } else {
76 /* if client delegates to itself, that ok */
77 if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
78 return 0;
79
80 ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
81 if (ret) {
82 krb5_clear_error_message(context);
83 return ret;
84 }
85
86 if (acl) {
87 for (i = 0; i < acl->len; i++) {
88 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
89 return 0;
90 }
91 }
92 ret = KRB5KDC_ERR_BADOPTION;
93 }
94 kdc_log(context, config, 4,
95 "Bad request for constrained delegation");
96 return ret;
97 }
98
99 static void
100 update_client_names(astgs_request_t r,
101 char **s4ucname,
102 krb5_principal *s4u_client_name,
103 HDB **s4u_clientdb,
104 hdb_entry **s4u_client,
105 krb5_principal *s4u_canon_client_name,
106 krb5_pac *s4u_pac)
107 {
108 krb5_xfree(r->cname);
109 r->cname = *s4ucname;
110 *s4ucname = NULL;
111
112 r->client_princ = *s4u_client_name;
113 *s4u_client_name = NULL;
114
115 _kdc_free_ent(r->context, r->clientdb, r->client);
116 r->client = *s4u_client;
117 *s4u_client = NULL;
118 r->clientdb = *s4u_clientdb;
119 *s4u_clientdb = NULL;
120
121 krb5_free_principal(r->context, r->canon_client_princ);
122 r->canon_client_princ = *s4u_canon_client_name;
123 *s4u_canon_client_name = NULL;
124
125 krb5_pac_free(r->context, r->pac);
126 r->pac = *s4u_pac;
127 *s4u_pac = NULL;
128 }
129
130 /*
131 * Validate a protocol transition (S4U2Self) request. If present and
132 * successfully validated then the client in the request structure
133 * will be replaced with the impersonated client.
134 */
135
136 static krb5_error_code
137 validate_protocol_transition(astgs_request_t r)
138 {
139 krb5_error_code ret;
140 KDC_REQ_BODY *b = &r->req.req_body;
141 EncTicketPart *ticket = &r->ticket->ticket;
142 hdb_entry *s4u_client = NULL;
143 HDB *s4u_clientdb;
144 int flags = HDB_F_FOR_TGS_REQ;
145 krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
146 krb5_pac s4u_pac = NULL;
147 const PA_DATA *sdata;
148 char *s4ucname = NULL;
149 int i = 0;
150 krb5_crypto crypto;
151 krb5_data datack;
152 PA_S4U2Self self;
153 const char *str;
154
155 if (r->client == NULL)
156 return 0;
157
158 sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
159 if (sdata == NULL)
160 return 0;
161
162 memset(&self, 0, sizeof(self));
163
164 if (b->kdc_options.canonicalize)
165 flags |= HDB_F_CANON;
166
167 ret = decode_PA_S4U2Self(sdata->padata_value.data,
168 sdata->padata_value.length,
169 &self, NULL);
170 if (ret) {
171 _kdc_audit_addreason((kdc_request_t)r,
172 "Failed to decode PA-S4U2Self");
173 kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
174 goto out;
175 }
176
177 if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
178 _kdc_audit_addreason((kdc_request_t)r,
179 "PA-S4U2Self with unkeyed checksum");
180 kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
181 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
182 goto out;
183 }
184
185 ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
186 if (ret)
187 goto out;
188
189 ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
190 if (ret) {
191 const char *msg = krb5_get_error_message(r->context, ret);
192 krb5_data_free(&datack);
193 kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
194 krb5_free_error_message(r->context, msg);
195 goto out;
196 }
197
198 /* Allow HMAC_MD5 checksum with any key type */
199 if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
200 struct krb5_crypto_iov iov;
201 unsigned char csdata[16];
202 Checksum cs;
203
204 cs.checksum.length = sizeof(csdata);
205 cs.checksum.data = &csdata;
206
207 iov.data.data = datack.data;
208 iov.data.length = datack.length;
209 iov.flags = KRB5_CRYPTO_TYPE_DATA;
210
211 ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
212 KRB5_KU_OTHER_CKSUM, &iov, 1,
213 &cs);
214 if (ret == 0 &&
215 krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
216 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
217 } else {
218 ret = _kdc_verify_checksum(r->context,
219 crypto,
220 KRB5_KU_OTHER_CKSUM,
221 &datack,
222 &self.cksum);
223 }
224 krb5_data_free(&datack);
225 krb5_crypto_destroy(r->context, crypto);
226 if (ret) {
227 const char *msg = krb5_get_error_message(r->context, ret);
228 _kdc_audit_addreason((kdc_request_t)r,
229 "S4U2Self checksum failed");
230 kdc_log(r->context, r->config, 4,
231 "krb5_verify_checksum failed for S4U2Self: %s", msg);
232 krb5_free_error_message(r->context, msg);
233 goto out;
234 }
235
236 ret = _krb5_principalname2krb5_principal(r->context,
237 &s4u_client_name,
238 self.name,
239 self.realm);
240 if (ret)
241 goto out;
242
243 ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
244 if (ret)
245 goto out;
246
247 /*
248 * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
249 * is probably not desirable!
250 */
251 ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
252 HDB_F_GET_CLIENT | flags, NULL,
253 &s4u_clientdb, &s4u_client);
254 if (ret) {
255 const char *msg;
256
257 /*
258 * If the client belongs to the same realm as our krbtgt, it
259 * should exist in the local database.
260 *
261 */
262 if (ret == HDB_ERR_NOENTRY)
263 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
264 msg = krb5_get_error_message(r->context, ret);
265 _kdc_audit_addreason((kdc_request_t)r,
266 "S4U2Self principal to impersonate not found");
267 kdc_log(r->context, r->config, 2,
268 "S4U2Self principal to impersonate %s not found in database: %s",
269 s4ucname, msg);
270 krb5_free_error_message(r->context, msg);
271 goto out;
272 }
273
274 /*
275 * Ignore require_pwchange and pw_end attributes (as Windows does),
276 * since S4U2Self is not password authentication.
277 */
278 s4u_client->flags.require_pwchange = FALSE;
279 free(s4u_client->pw_end);
280 s4u_client->pw_end = NULL;
281
282 ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
283 if (ret)
284 goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
285
286 ret = _kdc_pac_generate(r->context,
287 r->config,
288 s4u_client,
289 r->server,
290 NULL,
291 KRB5_PAC_WAS_GIVEN_IMPLICITLY,
292 &s4u_pac);
293 if (ret) {
294 kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
295 goto out;
296 }
297
298 /*
299 * Check that service doing the impersonating is
300 * requesting a ticket to it-self.
301 */
302 ret = _kdc_check_client_matches_target_service(r->context,
303 r->config,
304 r->clientdb,
305 r->client,
306 r->server,
307 r->server_princ);
308 if (ret) {
309 kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
310 "to impersonate to service "
311 "(tried for user %s to service %s)",
312 r->cname, s4ucname, r->sname);
313 goto out;
314 }
315
316 ret = krb5_copy_principal(r->context, s4u_client->principal,
317 &s4u_canon_client_name);
318 if (ret)
319 goto out;
320
321 /*
322 * If the service isn't trusted for authentication to
323 * delegation or if the impersonate client is disallowed
324 * forwardable, remove the forwardable flag.
325 */
326 if (r->client->flags.trusted_for_delegation &&
327 s4u_client->flags.forwardable) {
328 str = "[forwardable]";
329 } else {
330 b->kdc_options.forwardable = 0;
331 str = "";
332 }
333 kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
334 "service %s %s", r->cname, s4ucname, r->sname, str);
335
336 /*
337 * Replace all client information in the request with the
338 * impersonated client. (The audit entry containing the original
339 * client name will have been created before this point.)
340 */
341 update_client_names(r, &s4ucname, &s4u_client_name,
342 &s4u_clientdb, &s4u_client,
343 &s4u_canon_client_name, &s4u_pac);
344
345 out:
346 if (s4u_client)
347 _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
348 krb5_free_principal(r->context, s4u_client_name);
349 krb5_xfree(s4ucname);
350 krb5_free_principal(r->context, s4u_canon_client_name);
351 krb5_pac_free(r->context, s4u_pac);
352
353 free_PA_S4U2Self(&self);
354
355 return ret;
356 }
357
358 /*
359 * Validate a constrained delegation (S4U2Proxy) request. If present
360 * and successfully validated then the client in the request structure
361 * will be replaced with the client from the evidence ticket.
362 */
363
364 static krb5_error_code
365 validate_constrained_delegation(astgs_request_t r)
366 {
367 krb5_error_code ret;
368 KDC_REQ_BODY *b = &r->req.req_body;
369 int flags = HDB_F_FOR_TGS_REQ;
370 krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
371 krb5_principal s4u_canon_client_name = NULL;
372 krb5_pac s4u_pac = NULL;
373 uint64_t s4u_pac_attributes;
374 char *s4ucname = NULL, *s4usname = NULL;
375 EncTicketPart evidence_tkt;
376 HDB *s4u_clientdb;
377 hdb_entry *s4u_client = NULL;
378 krb5_boolean ad_kdc_issued = FALSE;
379 Key *clientkey;
380 Ticket *t;
381 krb5_const_realm local_realm;
382
383 if (r->client == NULL
384 || b->additional_tickets == NULL
385 || b->additional_tickets->len == 0
386 || b->kdc_options.cname_in_addl_tkt == 0
387 || b->kdc_options.enc_tkt_in_skey)
388 return 0;
389
390 memset(&evidence_tkt, 0, sizeof(evidence_tkt));
391 local_realm =
392 krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
393
394 /*
395 * We require that the service's TGT has a PAC; this will have been
396 * validated prior to this function being called.
397 */
398 if (r->pac == NULL) {
399 ret = KRB5KDC_ERR_BADOPTION;
400 _kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
401 kdc_log(r->context, r->config, 4,
402 "Constrained delegation without PAC, %s/%s",
403 r->cname, r->sname);
404 goto out;
405 }
406
407 t = &b->additional_tickets->val[0];
408
409 ret = hdb_enctype2key(r->context, r->client,
410 hdb_kvno2keys(r->context, r->client,
411 t->enc_part.kvno ? * t->enc_part.kvno : 0),
412 t->enc_part.etype, &clientkey);
413 if (ret) {
414 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
415 goto out;
416 }
417
418 ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
419 if (ret) {
420 _kdc_audit_addreason((kdc_request_t)r,
421 "Failed to decrypt constrained delegation ticket");
422 kdc_log(r->context, r->config, 4,
423 "failed to decrypt ticket for "
424 "constrained delegation from %s to %s ", r->cname, r->sname);
425 goto out;
426 }
427
428 ret = _krb5_principalname2krb5_principal(r->context,
429 &s4u_client_name,
430 evidence_tkt.cname,
431 evidence_tkt.crealm);
432 if (ret)
433 goto out;
434
435 ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
436 if (ret)
437 goto out;
438
439 _kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
440
441 ret = _krb5_principalname2krb5_principal(r->context,
442 &s4u_server_name,
443 t->sname,
444 t->realm);
445 if (ret)
446 goto out;
447
448 ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
449 if (ret)
450 goto out;
451
452 /* check that ticket is valid */
453 if (evidence_tkt.flags.forwardable == 0) {
454 _kdc_audit_addreason((kdc_request_t)r,
455 "Missing forwardable flag on ticket for constrained delegation");
456 kdc_log(r->context, r->config, 4,
457 "Missing forwardable flag on ticket for "
458 "constrained delegation from %s (%s) as %s to %s ",
459 r->cname, s4usname, s4ucname, r->sname);
460 ret = KRB5KDC_ERR_BADOPTION;
461 goto out;
462 }
463
464 ret = check_constrained_delegation(r->context, r->config, r->clientdb,
465 r->client, r->server, r->server_princ);
466 if (ret) {
467 _kdc_audit_addreason((kdc_request_t)r,
468 "Constrained delegation not allowed");
469 kdc_log(r->context, r->config, 4,
470 "constrained delegation from %s (%s) as %s to %s not allowed",
471 r->cname, s4usname, s4ucname, r->sname);
472 goto out;
473 }
474
475 ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
476 if (ret) {
477 _kdc_audit_addreason((kdc_request_t)r,
478 "Constrained delegation ticket expired or invalid");
479 goto out;
480 }
481
482 /* Try lookup the delegated client in DB */
483 ret = _kdc_db_fetch_client(r->context, r->config, flags,
484 s4u_client_name, s4ucname, local_realm,
485 &s4u_clientdb, &s4u_client);
486 if (ret)
487 goto out;
488
489 if (s4u_client != NULL) {
490 ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
491 if (ret)
492 goto out;
493 }
494
495 /*
496 * TODO: pass in t->sname and t->realm and build
497 * a S4U_DELEGATION_INFO blob to the PAC.
498 */
499 ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
500 s4u_client, r->server, r->krbtgt, r->client,
501 &clientkey->key, &r->ticket_key->key, &evidence_tkt,
502 &ad_kdc_issued, &s4u_pac,
503 &s4u_canon_client_name, &s4u_pac_attributes);
504 if (ret) {
505 const char *msg = krb5_get_error_message(r->context, ret);
506 _kdc_audit_addreason((kdc_request_t)r,
507 "Constrained delegation ticket PAC check failed");
508 kdc_log(r->context, r->config, 4,
509 "Verify delegated PAC failed to %s for client"
510 "%s (%s) as %s from %s with %s",
511 r->sname, r->cname, s4usname, s4ucname, r->from, msg);
512 krb5_free_error_message(r->context, msg);
513 goto out;
514 }
515
516 if (s4u_pac == NULL || !ad_kdc_issued) {
517 ret = KRB5KDC_ERR_BADOPTION;
518 kdc_log(r->context, r->config, 4,
519 "Ticket not signed with PAC; service %s failed for "
520 "for delegation to %s for client %s (%s) from %s; (%s).",
521 r->sname, s4ucname, s4usname, r->cname, r->from,
522 s4u_pac ? "Ticket unsigned" : "No PAC");
523 _kdc_audit_addreason((kdc_request_t)r,
524 "Constrained delegation ticket not signed");
525 goto out;
526 }
527
528 /*
529 * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
530 * the canonical client name, but the user is local to our KDC, we
531 * can insert the canonical client name ourselves.
532 */
533 if (s4u_canon_client_name == NULL && s4u_client != NULL) {
534 ret = krb5_copy_principal(r->context, s4u_client->principal,
535 &s4u_canon_client_name);
536 if (ret)
537 goto out;
538 }
539
540 kdc_log(r->context, r->config, 4, "constrained delegation for %s "
541 "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
542
543 /*
544 * Replace all client information in the request with the
545 * impersonated client. (The audit entry containing the original
546 * client name will have been created before this point.)
547 */
548 update_client_names(r, &s4ucname, &s4u_client_name,
549 &s4u_clientdb, &s4u_client,
550 &s4u_canon_client_name, &s4u_pac);
551 r->pac_attributes = s4u_pac_attributes;
552
553 out:
554 if (s4u_client)
555 _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
556 krb5_free_principal(r->context, s4u_client_name);
557 krb5_xfree(s4ucname);
558 krb5_free_principal(r->context, s4u_server_name);
559 krb5_xfree(s4usname);
560 krb5_free_principal(r->context, s4u_canon_client_name);
561 krb5_pac_free(r->context, s4u_pac);
562
563 free_EncTicketPart(&evidence_tkt);
564
565 return ret;
566 }
567
568 /*
569 *
570 */
571
572 krb5_error_code
573 _kdc_validate_services_for_user(astgs_request_t r)
574 {
575 krb5_error_code ret;
576
577 ret = validate_protocol_transition(r);
578 if (ret == 0)
579 ret = validate_constrained_delegation(r);
580
581 return ret;
582 }
Heimdal