search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/krb5: gen_priv_key do not leak error string
[heimdal.git] / kdc / ipc_csr_authorizer.c
blobfad3919a2a6bfbaee107c828f841dcb15eafc2c5
1 /*
2 * Copyright (c) 2019 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * This plugin authorizes requested certificate SANs and EKUs by calling a
36 * service over IPC (Unix domain sockets on Linux/BSD/Illumos).
37 *
38 * The IPC protocol is request/response, with requests and responses sent as
39 *
40 * <length><string>
41 *
42 * where the <length> is 4 bytes, unsigned binary in network byte order, and
43 * <string> is an array of <length> bytes and does NOT include a NUL
44 * terminator.
45 *
46 * Requests are of the form:
47 *
48 * check <princ> <exttype>=<extvalue> ...
49 *
50 * where <princ> is a URL-escaped principal name, <exttype> is one of:
51 *
52 * - san_pkinit
53 * - san_xmpp
54 * - san_email
55 * - san_ms_upn
56 * - san_dnsname
57 * - eku
58 *
59 * and <extvalue> is a URL-escaped string representation of the SAN or OID.
60 *
61 * OIDs are in the form 1.2.3.4.5.6.
62 *
63 * Only characters other than alphanumeric, '@', '.', '-', '_', and '/' are
64 * URL-encoded.
65 *
66 * Responses are any of:
67 *
68 * - granted
69 * - denied
70 * - error message
71 *
72 * Example:
73 *
74 * C->S: check jane@TEST.H5L.SE san_dnsname=jane.foo.test.h5l.se eku=1.3.6.1.5.5.7.3.1
75 * S->C: granted
76 *
77 * Only digitalSignature and nonRepudiation key usages are allowed. Requested
78 * key usages are not sent to the CSR authorizer IPC server.
79 */
80
81 #define _GNU_SOURCE 1
82
83 #include <sys/types.h>
84 #include <sys/stat.h>
85 #include <ctype.h>
86 #include <errno.h>
87 #include <stdlib.h>
88 #include <stdio.h>
89 #include <string.h>
90 #include <unistd.h>
91
92 #include <roken.h>
93 #include <heim-ipc.h>
94 #include <krb5.h>
95 #include <hx509.h>
96 #include <kdc.h>
97 #include <common_plugin.h>
98 #include <csr_authorizer_plugin.h>
99
100 /*
101 * string_encode_sz() and string_encode() encode principal names and such to be
102 * safe for use in our IPC text messages. They function very much like URL
103 * encoders, but '~' also gets encoded, and '.' and '@' do not.
104 *
105 * An unescaper is not needed here.
106 */
107 static size_t
108 string_encode_sz(const char *in)
109 {
110 size_t sz = strlen(in);
111
112 while (*in) {
113 char c = *(in++);
114
115 switch (c) {
116 case '@':
117 case '.':
118 case '-':
119 case '_':
120 case '/':
121 continue;
122 default:
123 if (isalnum(c))
124 continue;
125 sz += 2;
126 }
127 }
128 return sz;
129 }
130
131 static char *
132 string_encode(const char *in)
133 {
134 size_t len = strlen(in);
135 size_t sz = string_encode_sz(in);
136 size_t i, k;
137 char *s;
138
139 if ((s = malloc(sz + 1)) == NULL)
140 return NULL;
141 s[sz] = '\0';
142
143 for (i = k = 0; i < len; i++) {
144 unsigned char c = ((const unsigned char *)in)[i];
145
146 switch (c) {
147 case '@':
148 case '.':
149 case '-':
150 case '_':
151 case '/':
152 s[k++] = c;
153 break;
154 default:
155 if (isalnum(c)) {
156 s[k++] = c;
157 } else {
158 s[k++] = '%';
159 s[k++] = "0123456789abcdef"[(c&0xff)>>4];
160 s[k++] = "0123456789abcdef"[(c&0x0f)];
161 }
162 }
163 }
164 return s;
165 }
166
167 static int
168 cmd_append(struct rk_strpool **cmd, const char *s0, ...)
169 {
170 va_list ap;
171 const char *arg;
172
173 if ((*cmd = rk_strpoolprintf(*cmd, "%s", s0)) == NULL)
174 return ENOMEM;
175
176 va_start(ap, s0);
177 while ((arg = va_arg(ap, const char *))) {
178 char *s;
179
180 if ((s = string_encode(arg)) == NULL)
181 return rk_strpoolfree(*cmd), *cmd = NULL, ENOMEM;
182 *cmd = rk_strpoolprintf(*cmd, "%s", s);
183 free(s);
184 if (*cmd == NULL)
185 return ENOMEM;
186 }
187 return 0;
188 }
189
190 static int
191 call_svc(krb5_context context, heim_ipc ipc, const char *cmd)
192 {
193 heim_octet_string req, resp;
194 int ret;
195
196 req.data = (void *)(uintptr_t)cmd;
197 req.length = strlen(cmd);
198 resp.length = 0;
199 resp.data = NULL;
200 if ((ret = heim_ipc_call(ipc, &req, &resp, NULL))) {
201 if (resp.length && resp.length < INT_MAX) {
202 krb5_set_error_message(context, ret, "CSR denied: %.*s",
203 (int)resp.length, (const char *)resp.data);
204 ret = EACCES;
205 } else {
206 krb5_set_error_message(context, EACCES, "CSR denied because could "
207 "not reach CSR authorizer IPC service");
208 ret = EACCES;
209 }
210 return ret;
211 }
212 if (resp.data == NULL || resp.length == 0) {
213 free(resp.data);
214 krb5_set_error_message(context, ret, "CSR authorizer IPC service "
215 "failed silently");
216 return EACCES;
217 }
218 if (resp.length == sizeof("denied") - 1 &&
219 strncasecmp(resp.data, "denied", sizeof("denied") - 1) == 0) {
220 free(resp.data);
221 krb5_set_error_message(context, ret, "CSR authorizer rejected %s",
222 cmd);
223 return EACCES;
224 }
225 if (resp.length == sizeof("granted") - 1 &&
226 strncasecmp(resp.data, "granted", sizeof("granted") - 1) == 0) {
227 free(resp.data);
228 return 0;
229 }
230 krb5_set_error_message(context, ret, "CSR authorizer failed %s: %.*s",
231 cmd, resp.length < INT_MAX ? (int)resp.length : 0,
232 resp.data);
233 return EACCES;
234 }
235
236 static void
237 frees(char **s)
238 {
239 free(*s);
240 *s = NULL;
241 }
242
243 static krb5_error_code
244 mark_authorized(hx509_request csr)
245 {
246 size_t i;
247 char *s;
248 int ret = 0;
249
250 for (i = 0; ret == 0; i++) {
251 ret = hx509_request_get_eku(csr, i, &s);
252 if (ret == 0)
253 hx509_request_authorize_eku(csr, i);
254 frees(&s);
255 }
256 if (ret == HX509_NO_ITEM)
257 ret = 0;
258
259 for (i = 0; ret == 0; i++) {
260 hx509_san_type san_type;
261 ret = hx509_request_get_san(csr, i, &san_type, &s);
262 if (ret == 0)
263 hx509_request_authorize_san(csr, i);
264 frees(&s);
265 }
266 return ret == HX509_NO_ITEM ? 0 : ret;
267 }
268
269 static KRB5_LIB_CALL krb5_error_code
270 authorize(void *ctx,
271 krb5_context context,
272 const char *app,
273 hx509_request csr,
274 krb5_const_principal client,
275 krb5_boolean *result)
276 {
277 struct rk_strpool *cmd = NULL;
278 krb5_error_code ret;
279 hx509_context hx509ctx = NULL;
280 heim_ipc ipc = NULL;
281 const char *svc;
282 KeyUsage ku;
283 size_t i;
284 char *princ = NULL;
285 char *s = NULL;
286 int do_check = 0;
287
288 if ((svc = krb5_config_get_string(context, NULL, app ? app : "kdc",
289 "ipc_csr_authorizer", "service", NULL))
290 == NULL)
291 return KRB5_PLUGIN_NO_HANDLE;
292
293 if ((ret = heim_ipc_init_context(svc, &ipc))) {
294 krb5_set_error_message(context, ret, "Could not set up IPC client "
295 "end-point for service %s", svc);
296 return ret;
297 }
298
299 if ((ret = hx509_context_init(&hx509ctx)))
300 goto out;
301
302 if ((ret = krb5_unparse_name(context, client, &princ)))
303 goto out;
304
305 if ((ret = cmd_append(&cmd, "check ", princ, NULL)))
306 goto enomem;
307 frees(&princ);
308
309 for (i = 0; ret == 0; i++) {
310 hx509_san_type san_type;
311
312 ret = hx509_request_get_san(csr, i, &san_type, &s);
313 if (ret)
314 break;
315 switch (san_type) {
316 case HX509_SAN_TYPE_EMAIL:
317 if ((ret = cmd_append(&cmd, " san_email=", s, NULL)))
318 goto enomem;
319 do_check = 1;
320 break;
321 case HX509_SAN_TYPE_DNSNAME:
322 if ((ret = cmd_append(&cmd, " san_dnsname=", s, NULL)))
323 goto enomem;
324 do_check = 1;
325 break;
326 case HX509_SAN_TYPE_XMPP:
327 if ((ret = cmd_append(&cmd, " san_xmpp=", s, NULL)))
328 goto enomem;
329 do_check = 1;
330 break;
331 case HX509_SAN_TYPE_PKINIT:
332 if ((ret = cmd_append(&cmd, " san_pkinit=", s, NULL)))
333 goto enomem;
334 do_check = 1;
335 break;
336 case HX509_SAN_TYPE_MS_UPN:
337 if ((ret = cmd_append(&cmd, " san_ms_upn=", s, NULL)))
338 goto enomem;
339 do_check = 1;
340 break;
341 default:
342 if ((ret = hx509_request_reject_san(csr, i)))
343 goto out;
344 break;
345 }
346 frees(&s);
347 }
348 if (ret == HX509_NO_ITEM)
349 ret = 0;
350 if (ret)
351 goto out;
352
353 for (i = 0; ret == 0; i++) {
354 ret = hx509_request_get_eku(csr, i, &s);
355 if (ret)
356 break;
357 if ((ret = cmd_append(&cmd, " eku=", s, NULL)))
358 goto enomem;
359 do_check = 1;
360 frees(&s);
361 }
362 if (ret == HX509_NO_ITEM)
363 ret = 0;
364 if (ret)
365 goto out;
366
367 ku = int2KeyUsage(0);
368 ku.digitalSignature = 1;
369 ku.nonRepudiation = 1;
370 hx509_request_authorize_ku(csr, ku);
371
372 if (do_check) {
373 if ((s = rk_strpoolcollect(cmd)) == NULL)
374 goto enomem;
375 cmd = NULL;
376 if ((ret = call_svc(context, ipc, s)))
377 goto out;
378 } /* else -> permit */
379
380 if ((ret = mark_authorized(csr)))
381 goto out;
382
383 *result = TRUE;
384 ret = 0;
385 goto out;
386
387 enomem:
388 ret = krb5_enomem(context);
389 goto out;
390
391 out:
392 heim_ipc_free_context(ipc);
393 hx509_context_free(&hx509ctx);
394 if (cmd)
395 rk_strpoolfree(cmd);
396 free(princ);
397 free(s);
398 return ret;
399 }
400
401 static KRB5_LIB_CALL krb5_error_code
402 ipc_csr_authorizer_init(krb5_context context, void **c)
403 {
404 *c = NULL;
405 return 0;
406 }
407
408 static KRB5_LIB_CALL void
409 ipc_csr_authorizer_fini(void *c)
410 {
411 }
412
413 static krb5plugin_csr_authorizer_ftable plug_desc =
414 { 1, ipc_csr_authorizer_init, ipc_csr_authorizer_fini, authorize };
415
416 static krb5plugin_csr_authorizer_ftable *plugs[] = { &plug_desc };
417
418 static uintptr_t
419 ipc_csr_authorizer_get_instance(const char *libname)
420 {
421 if (strcmp(libname, "krb5") == 0)
422 return krb5_get_instance(libname);
423 if (strcmp(libname, "kdc") == 0)
424 return kdc_get_instance(libname);
425 if (strcmp(libname, "hx509") == 0)
426 return hx509_get_instance(libname);
427 return 0;
428 }
429
430 krb5_plugin_load_ft kdc_csr_authorizer_plugin_load;
431
432 krb5_error_code KRB5_CALLCONV
433 kdc_csr_authorizer_plugin_load(heim_pcontext context,
434 krb5_get_instance_func_t *get_instance,
435 size_t *num_plugins,
436 krb5_plugin_common_ftable_cp **plugins)
437 {
438 *get_instance = ipc_csr_authorizer_get_instance;
439 *num_plugins = sizeof(plugs) / sizeof(plugs[0]);
440 *plugins = (krb5_plugin_common_ftable_cp *)plugs;
441 return 0;
442 }
Heimdal