2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * [MS-SFU] Kerberos Protocol Extensions:
38 * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
39 * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
43 * Determine if constrained delegation is allowed from this client to this server
46 static krb5_error_code
47 check_constrained_delegation(krb5_context context
,
48 krb5_kdc_configuration
*config
,
52 krb5_const_principal target
)
54 const HDB_Ext_Constrained_delegation_acl
*acl
;
59 * constrained delegation (S4U2Proxy) only works within
60 * the same realm. We use the already canonicalized version
61 * of the principals here, while "target" is the principal
62 * provided by the client.
64 if (!krb5_realm_compare(context
, client
->principal
, server
->principal
)) {
65 ret
= KRB5KDC_ERR_BADOPTION
;
66 kdc_log(context
, config
, 4,
67 "Bad request for constrained delegation");
71 if (clientdb
->hdb_check_constrained_delegation
) {
72 ret
= clientdb
->hdb_check_constrained_delegation(context
, clientdb
, client
, target
);
76 /* if client delegates to itself, that ok */
77 if (krb5_principal_compare(context
, client
->principal
, server
->principal
) == TRUE
)
80 ret
= hdb_entry_get_ConstrainedDelegACL(client
, &acl
);
82 krb5_clear_error_message(context
);
87 for (i
= 0; i
< acl
->len
; i
++) {
88 if (krb5_principal_compare(context
, target
, &acl
->val
[i
]) == TRUE
)
92 ret
= KRB5KDC_ERR_BADOPTION
;
94 kdc_log(context
, config
, 4,
95 "Bad request for constrained delegation");
100 update_client_names(astgs_request_t r
,
102 krb5_principal
*s4u_client_name
,
104 hdb_entry
**s4u_client
,
105 krb5_principal
*s4u_canon_client_name
,
108 krb5_xfree(r
->cname
);
109 r
->cname
= *s4ucname
;
112 r
->client_princ
= *s4u_client_name
;
113 *s4u_client_name
= NULL
;
115 _kdc_free_ent(r
->context
, r
->clientdb
, r
->client
);
116 r
->client
= *s4u_client
;
118 r
->clientdb
= *s4u_clientdb
;
119 *s4u_clientdb
= NULL
;
121 krb5_free_principal(r
->context
, r
->canon_client_princ
);
122 r
->canon_client_princ
= *s4u_canon_client_name
;
123 *s4u_canon_client_name
= NULL
;
125 krb5_pac_free(r
->context
, r
->pac
);
131 * Validate a protocol transition (S4U2Self) request. If present and
132 * successfully validated then the client in the request structure
133 * will be replaced with the impersonated client.
136 static krb5_error_code
137 validate_protocol_transition(astgs_request_t r
)
140 KDC_REQ_BODY
*b
= &r
->req
.req_body
;
141 EncTicketPart
*ticket
= &r
->ticket
->ticket
;
142 hdb_entry
*s4u_client
= NULL
;
144 int flags
= HDB_F_FOR_TGS_REQ
;
145 krb5_principal s4u_client_name
= NULL
, s4u_canon_client_name
= NULL
;
146 krb5_pac s4u_pac
= NULL
;
147 const PA_DATA
*sdata
;
148 char *s4ucname
= NULL
;
155 if (r
->client
== NULL
)
158 sdata
= _kdc_find_padata(&r
->req
, &i
, KRB5_PADATA_FOR_USER
);
162 memset(&self
, 0, sizeof(self
));
164 if (b
->kdc_options
.canonicalize
)
165 flags
|= HDB_F_CANON
;
167 ret
= decode_PA_S4U2Self(sdata
->padata_value
.data
,
168 sdata
->padata_value
.length
,
171 _kdc_audit_addreason((kdc_request_t
)r
,
172 "Failed to decode PA-S4U2Self");
173 kdc_log(r
->context
, r
->config
, 4, "Failed to decode PA-S4U2Self");
177 if (!krb5_checksum_is_keyed(r
->context
, self
.cksum
.cksumtype
)) {
178 _kdc_audit_addreason((kdc_request_t
)r
,
179 "PA-S4U2Self with unkeyed checksum");
180 kdc_log(r
->context
, r
->config
, 4, "Reject PA-S4U2Self with unkeyed checksum");
181 ret
= KRB5KRB_AP_ERR_INAPP_CKSUM
;
185 ret
= _krb5_s4u2self_to_checksumdata(r
->context
, &self
, &datack
);
189 ret
= krb5_crypto_init(r
->context
, &ticket
->key
, 0, &crypto
);
191 const char *msg
= krb5_get_error_message(r
->context
, ret
);
192 krb5_data_free(&datack
);
193 kdc_log(r
->context
, r
->config
, 4, "krb5_crypto_init failed: %s", msg
);
194 krb5_free_error_message(r
->context
, msg
);
198 /* Allow HMAC_MD5 checksum with any key type */
199 if (self
.cksum
.cksumtype
== CKSUMTYPE_HMAC_MD5
) {
200 struct krb5_crypto_iov iov
;
201 unsigned char csdata
[16];
204 cs
.checksum
.length
= sizeof(csdata
);
205 cs
.checksum
.data
= &csdata
;
207 iov
.data
.data
= datack
.data
;
208 iov
.data
.length
= datack
.length
;
209 iov
.flags
= KRB5_CRYPTO_TYPE_DATA
;
211 ret
= _krb5_HMAC_MD5_checksum(r
->context
, NULL
, &crypto
->key
,
212 KRB5_KU_OTHER_CKSUM
, &iov
, 1,
215 krb5_data_ct_cmp(&cs
.checksum
, &self
.cksum
.checksum
) != 0)
216 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
;
218 ret
= _kdc_verify_checksum(r
->context
,
224 krb5_data_free(&datack
);
225 krb5_crypto_destroy(r
->context
, crypto
);
227 const char *msg
= krb5_get_error_message(r
->context
, ret
);
228 _kdc_audit_addreason((kdc_request_t
)r
,
229 "S4U2Self checksum failed");
230 kdc_log(r
->context
, r
->config
, 4,
231 "krb5_verify_checksum failed for S4U2Self: %s", msg
);
232 krb5_free_error_message(r
->context
, msg
);
236 ret
= _krb5_principalname2krb5_principal(r
->context
,
243 ret
= krb5_unparse_name(r
->context
, s4u_client_name
, &s4ucname
);
248 * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
249 * is probably not desirable!
251 ret
= _kdc_db_fetch(r
->context
, r
->config
, s4u_client_name
,
252 HDB_F_GET_CLIENT
| flags
, NULL
,
253 &s4u_clientdb
, &s4u_client
);
258 * If the client belongs to the same realm as our krbtgt, it
259 * should exist in the local database.
262 if (ret
== HDB_ERR_NOENTRY
)
263 ret
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
264 msg
= krb5_get_error_message(r
->context
, ret
);
265 _kdc_audit_addreason((kdc_request_t
)r
,
266 "S4U2Self principal to impersonate not found");
267 kdc_log(r
->context
, r
->config
, 2,
268 "S4U2Self principal to impersonate %s not found in database: %s",
270 krb5_free_error_message(r
->context
, msg
);
275 * Ignore require_pwchange and pw_end attributes (as Windows does),
276 * since S4U2Self is not password authentication.
278 s4u_client
->flags
.require_pwchange
= FALSE
;
279 free(s4u_client
->pw_end
);
280 s4u_client
->pw_end
= NULL
;
282 ret
= kdc_check_flags(r
, FALSE
, s4u_client
, r
->server
);
284 goto out
; /* kdc_check_flags() calls _kdc_audit_addreason() */
286 ret
= _kdc_pac_generate(r
->context
,
291 KRB5_PAC_WAS_GIVEN_IMPLICITLY
,
294 kdc_log(r
->context
, r
->config
, 4, "PAC generation failed for -- %s", s4ucname
);
299 * Check that service doing the impersonating is
300 * requesting a ticket to it-self.
302 ret
= _kdc_check_client_matches_target_service(r
->context
,
309 kdc_log(r
->context
, r
->config
, 4, "S4U2Self: %s is not allowed "
310 "to impersonate to service "
311 "(tried for user %s to service %s)",
312 r
->cname
, s4ucname
, r
->sname
);
316 ret
= krb5_copy_principal(r
->context
, s4u_client
->principal
,
317 &s4u_canon_client_name
);
322 * If the service isn't trusted for authentication to
323 * delegation or if the impersonate client is disallowed
324 * forwardable, remove the forwardable flag.
326 if (r
->client
->flags
.trusted_for_delegation
&&
327 s4u_client
->flags
.forwardable
) {
328 str
= "[forwardable]";
330 b
->kdc_options
.forwardable
= 0;
333 kdc_log(r
->context
, r
->config
, 4, "s4u2self %s impersonating %s to "
334 "service %s %s", r
->cname
, s4ucname
, r
->sname
, str
);
337 * Replace all client information in the request with the
338 * impersonated client. (The audit entry containing the original
339 * client name will have been created before this point.)
341 update_client_names(r
, &s4ucname
, &s4u_client_name
,
342 &s4u_clientdb
, &s4u_client
,
343 &s4u_canon_client_name
, &s4u_pac
);
347 _kdc_free_ent(r
->context
, s4u_clientdb
, s4u_client
);
348 krb5_free_principal(r
->context
, s4u_client_name
);
349 krb5_xfree(s4ucname
);
350 krb5_free_principal(r
->context
, s4u_canon_client_name
);
351 krb5_pac_free(r
->context
, s4u_pac
);
353 free_PA_S4U2Self(&self
);
359 * Validate a constrained delegation (S4U2Proxy) request. If present
360 * and successfully validated then the client in the request structure
361 * will be replaced with the client from the evidence ticket.
364 static krb5_error_code
365 validate_constrained_delegation(astgs_request_t r
)
368 KDC_REQ_BODY
*b
= &r
->req
.req_body
;
369 int flags
= HDB_F_FOR_TGS_REQ
;
370 krb5_principal s4u_client_name
= NULL
, s4u_server_name
= NULL
;
371 krb5_principal s4u_canon_client_name
= NULL
;
372 krb5_pac s4u_pac
= NULL
;
373 uint64_t s4u_pac_attributes
;
374 char *s4ucname
= NULL
, *s4usname
= NULL
;
375 EncTicketPart evidence_tkt
;
377 hdb_entry
*s4u_client
= NULL
;
378 krb5_boolean ad_kdc_issued
= FALSE
;
381 krb5_const_realm local_realm
;
383 if (r
->client
== NULL
384 || b
->additional_tickets
== NULL
385 || b
->additional_tickets
->len
== 0
386 || b
->kdc_options
.cname_in_addl_tkt
== 0
387 || b
->kdc_options
.enc_tkt_in_skey
)
390 memset(&evidence_tkt
, 0, sizeof(evidence_tkt
));
392 krb5_principal_get_comp_string(r
->context
, r
->krbtgt
->principal
, 1);
395 * We require that the service's TGT has a PAC; this will have been
396 * validated prior to this function being called.
398 if (r
->pac
== NULL
) {
399 ret
= KRB5KDC_ERR_BADOPTION
;
400 _kdc_audit_addreason((kdc_request_t
)r
, "Missing PAC");
401 kdc_log(r
->context
, r
->config
, 4,
402 "Constrained delegation without PAC, %s/%s",
407 t
= &b
->additional_tickets
->val
[0];
409 ret
= hdb_enctype2key(r
->context
, r
->client
,
410 hdb_kvno2keys(r
->context
, r
->client
,
411 t
->enc_part
.kvno
? * t
->enc_part
.kvno
: 0),
412 t
->enc_part
.etype
, &clientkey
);
414 ret
= KRB5KDC_ERR_ETYPE_NOSUPP
; /* XXX */
418 ret
= krb5_decrypt_ticket(r
->context
, t
, &clientkey
->key
, &evidence_tkt
, 0);
420 _kdc_audit_addreason((kdc_request_t
)r
,
421 "Failed to decrypt constrained delegation ticket");
422 kdc_log(r
->context
, r
->config
, 4,
423 "failed to decrypt ticket for "
424 "constrained delegation from %s to %s ", r
->cname
, r
->sname
);
428 ret
= _krb5_principalname2krb5_principal(r
->context
,
431 evidence_tkt
.crealm
);
435 ret
= krb5_unparse_name(r
->context
, s4u_client_name
, &s4ucname
);
439 _kdc_audit_addkv((kdc_request_t
)r
, 0, "impersonatee", "%s", s4ucname
);
441 ret
= _krb5_principalname2krb5_principal(r
->context
,
448 ret
= krb5_unparse_name(r
->context
, s4u_server_name
, &s4usname
);
452 /* check that ticket is valid */
453 if (evidence_tkt
.flags
.forwardable
== 0) {
454 _kdc_audit_addreason((kdc_request_t
)r
,
455 "Missing forwardable flag on ticket for constrained delegation");
456 kdc_log(r
->context
, r
->config
, 4,
457 "Missing forwardable flag on ticket for "
458 "constrained delegation from %s (%s) as %s to %s ",
459 r
->cname
, s4usname
, s4ucname
, r
->sname
);
460 ret
= KRB5KDC_ERR_BADOPTION
;
464 ret
= check_constrained_delegation(r
->context
, r
->config
, r
->clientdb
,
465 r
->client
, r
->server
, r
->server_princ
);
467 _kdc_audit_addreason((kdc_request_t
)r
,
468 "Constrained delegation not allowed");
469 kdc_log(r
->context
, r
->config
, 4,
470 "constrained delegation from %s (%s) as %s to %s not allowed",
471 r
->cname
, s4usname
, s4ucname
, r
->sname
);
475 ret
= _kdc_verify_flags(r
->context
, r
->config
, &evidence_tkt
, s4ucname
);
477 _kdc_audit_addreason((kdc_request_t
)r
,
478 "Constrained delegation ticket expired or invalid");
482 /* Try lookup the delegated client in DB */
483 ret
= _kdc_db_fetch_client(r
->context
, r
->config
, flags
,
484 s4u_client_name
, s4ucname
, local_realm
,
485 &s4u_clientdb
, &s4u_client
);
489 if (s4u_client
!= NULL
) {
490 ret
= kdc_check_flags(r
, FALSE
, s4u_client
, r
->server
);
496 * TODO: pass in t->sname and t->realm and build
497 * a S4U_DELEGATION_INFO blob to the PAC.
499 ret
= _kdc_check_pac(r
->context
, r
->config
, s4u_client_name
, s4u_server_name
,
500 s4u_client
, r
->server
, r
->krbtgt
, r
->client
,
501 &clientkey
->key
, &r
->ticket_key
->key
, &evidence_tkt
,
502 &ad_kdc_issued
, &s4u_pac
,
503 &s4u_canon_client_name
, &s4u_pac_attributes
);
505 const char *msg
= krb5_get_error_message(r
->context
, ret
);
506 _kdc_audit_addreason((kdc_request_t
)r
,
507 "Constrained delegation ticket PAC check failed");
508 kdc_log(r
->context
, r
->config
, 4,
509 "Verify delegated PAC failed to %s for client"
510 "%s (%s) as %s from %s with %s",
511 r
->sname
, r
->cname
, s4usname
, s4ucname
, r
->from
, msg
);
512 krb5_free_error_message(r
->context
, msg
);
516 if (s4u_pac
== NULL
|| !ad_kdc_issued
) {
517 ret
= KRB5KDC_ERR_BADOPTION
;
518 kdc_log(r
->context
, r
->config
, 4,
519 "Ticket not signed with PAC; service %s failed for "
520 "for delegation to %s for client %s (%s) from %s; (%s).",
521 r
->sname
, s4ucname
, s4usname
, r
->cname
, r
->from
,
522 s4u_pac
? "Ticket unsigned" : "No PAC");
523 _kdc_audit_addreason((kdc_request_t
)r
,
524 "Constrained delegation ticket not signed");
529 * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
530 * the canonical client name, but the user is local to our KDC, we
531 * can insert the canonical client name ourselves.
533 if (s4u_canon_client_name
== NULL
&& s4u_client
!= NULL
) {
534 ret
= krb5_copy_principal(r
->context
, s4u_client
->principal
,
535 &s4u_canon_client_name
);
540 kdc_log(r
->context
, r
->config
, 4, "constrained delegation for %s "
541 "from %s (%s) to %s", s4ucname
, r
->cname
, s4usname
, r
->sname
);
544 * Replace all client information in the request with the
545 * impersonated client. (The audit entry containing the original
546 * client name will have been created before this point.)
548 update_client_names(r
, &s4ucname
, &s4u_client_name
,
549 &s4u_clientdb
, &s4u_client
,
550 &s4u_canon_client_name
, &s4u_pac
);
551 r
->pac_attributes
= s4u_pac_attributes
;
555 _kdc_free_ent(r
->context
, s4u_clientdb
, s4u_client
);
556 krb5_free_principal(r
->context
, s4u_client_name
);
557 krb5_xfree(s4ucname
);
558 krb5_free_principal(r
->context
, s4u_server_name
);
559 krb5_xfree(s4usname
);
560 krb5_free_principal(r
->context
, s4u_canon_client_name
);
561 krb5_pac_free(r
->context
, s4u_pac
);
563 free_EncTicketPart(&evidence_tkt
);
573 _kdc_validate_services_for_user(astgs_request_t r
)
577 ret
= validate_protocol_transition(r
);
579 ret
= validate_constrained_delegation(r
);