search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
windows: Do not make test in kadmin/
[heimdal.git] / kdc / ipc_csr_authorizer.c
blob7d77e7f812a4a0936958d8a252c7190cc77505e9
1 /*
2 * Copyright (c) 2019 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * This plugin authorizes requested certificate SANs and EKUs by calling a
36 * service over IPC (Unix domain sockets on Linux/BSD/Illumos).
37 *
38 * The IPC protocol is request/response, with requests and responses sent as
39 *
40 * <length><string>
41 *
42 * where the <length> is 4 bytes, unsigned binary in network byte order, and
43 * <string> is an array of <length> bytes and does NOT include a NUL
44 * terminator.
45 *
46 * Requests are of the form:
47 *
48 * check <princ> <exttype>=<extvalue> ...
49 *
50 * where <princ> is a URL-escaped principal name, <exttype> is one of:
51 *
52 * - san_pkinit
53 * - san_xmpp
54 * - san_email
55 * - san_ms_upn
56 * - san_dnsname
57 * - eku
58 *
59 * and <extvalue> is a URL-escaped string representation of the SAN or OID.
60 *
61 * OIDs are in the form 1.2.3.4.5.6.
62 *
63 * Only characters other than alphanumeric, '@', '.', '-', '_', and '/' are
64 * URL-encoded.
65 *
66 * Responses are any of:
67 *
68 * - granted
69 * - denied
70 * - error message
71 *
72 * Example:
73 *
74 * C->S: check jane@TEST.H5L.SE san_dnsname=jane.foo.test.h5l.se eku=1.3.6.1.5.5.7.3.1
75 * S->C: granted
76 *
77 * Only digitalSignature and nonRepudiation key usages are allowed. Requested
78 * key usages are not sent to the CSR authorizer IPC server.
79 */
80
81 #define _GNU_SOURCE 1
82
83 #include <sys/types.h>
84 #include <sys/stat.h>
85 #include <ctype.h>
86 #include <errno.h>
87 #include <stdlib.h>
88 #include <stdio.h>
89 #include <string.h>
90 #include <unistd.h>
91
92 #include <roken.h>
93 #include <heim-ipc.h>
94 #include <krb5.h>
95 #include <hx509.h>
96 #include <kdc.h>
97 #include <common_plugin.h>
98 #include <csr_authorizer_plugin.h>
99
100 /*
101 * string_encode_sz() and string_encode() encode principal names and such to be
102 * safe for use in our IPC text messages. They function very much like URL
103 * encoders, but '~' also gets encoded, and '.' and '@' do not.
104 *
105 * An unescaper is not needed here.
106 */
107 static size_t
108 string_encode_sz(const char *in)
109 {
110 size_t sz = strlen(in);
111
112 while (*in) {
113 char c = *(in++);
114
115 switch (c) {
116 case '@':
117 case '.':
118 case '-':
119 case '_':
120 case '/':
121 continue;
122 default:
123 if (isalnum(c))
124 continue;
125 sz += 2;
126 }
127 }
128 return sz;
129 }
130
131 static char *
132 string_encode(const char *in)
133 {
134 size_t len = strlen(in);
135 size_t sz = string_encode_sz(in);
136 size_t i, k;
137 char *s;
138
139 if ((s = malloc(sz + 1)) == NULL)
140 return NULL;
141 s[sz] = '\0';
142
143 for (i = k = 0; i < len; i++) {
144 unsigned char c = ((const unsigned char *)in)[i];
145
146 switch (c) {
147 case '@':
148 case '.':
149 case '-':
150 case '_':
151 case '/':
152 s[k++] = c;
153 break;
154 default:
155 if (isalnum(c)) {
156 s[k++] = c;
157 } else {
158 s[k++] = '%';
159 s[k++] = "0123456789abcdef"[(c&0xff)>>4];
160 s[k++] = "0123456789abcdef"[(c&0x0f)];
161 }
162 }
163 }
164 return s;
165 }
166
167 static int
168 cmd_append(struct rk_strpool **cmd, const char *s0, ...)
169 {
170 va_list ap;
171 const char *arg;
172 int ret = 0;
173
174 if ((*cmd = rk_strpoolprintf(*cmd, "%s", s0)) == NULL)
175 return ENOMEM;
176
177 va_start(ap, s0);
178 while ((arg = va_arg(ap, const char *))) {
179 char *s;
180
181 if ((s = string_encode(arg)) == NULL) {
182 rk_strpoolfree(*cmd);
183 *cmd = NULL;
184 ret = ENOMEM;
185 goto out;
186 }
187 *cmd = rk_strpoolprintf(*cmd, "%s", s);
188 free(s);
189 if (*cmd == NULL) {
190 ret = ENOMEM;
191 goto out;
192 }
193 }
194
195 out:
196 va_end(ap);
197 return ret;
198 }
199
200 static int
201 call_svc(krb5_context context, heim_ipc ipc, const char *cmd)
202 {
203 heim_octet_string req, resp;
204 int ret;
205
206 req.data = (void *)(uintptr_t)cmd;
207 req.length = strlen(cmd);
208 resp.length = 0;
209 resp.data = NULL;
210 if ((ret = heim_ipc_call(ipc, &req, &resp, NULL))) {
211 if (resp.length && resp.length < INT_MAX) {
212 krb5_set_error_message(context, ret, "CSR denied: %.*s",
213 (int)resp.length, (const char *)resp.data);
214 ret = EACCES;
215 } else {
216 krb5_set_error_message(context, EACCES, "CSR denied because could "
217 "not reach CSR authorizer IPC service");
218 ret = EACCES;
219 }
220 return ret;
221 }
222 if (resp.data == NULL || resp.length == 0) {
223 free(resp.data);
224 krb5_set_error_message(context, ret, "CSR authorizer IPC service "
225 "failed silently");
226 return EACCES;
227 }
228 if (resp.length == sizeof("denied") - 1 &&
229 strncasecmp(resp.data, "denied", sizeof("denied") - 1) == 0) {
230 free(resp.data);
231 krb5_set_error_message(context, ret, "CSR authorizer rejected %s",
232 cmd);
233 return EACCES;
234 }
235 if (resp.length == sizeof("granted") - 1 &&
236 strncasecmp(resp.data, "granted", sizeof("granted") - 1) == 0) {
237 free(resp.data);
238 return 0;
239 }
240 krb5_set_error_message(context, ret, "CSR authorizer failed %s: %.*s",
241 cmd, resp.length < INT_MAX ? (int)resp.length : 0,
242 resp.data);
243 return EACCES;
244 }
245
246 static void
247 frees(char **s)
248 {
249 free(*s);
250 *s = NULL;
251 }
252
253 static krb5_error_code
254 mark_authorized(hx509_request csr)
255 {
256 size_t i;
257 char *s;
258 int ret = 0;
259
260 for (i = 0; ret == 0; i++) {
261 ret = hx509_request_get_eku(csr, i, &s);
262 if (ret == 0)
263 hx509_request_authorize_eku(csr, i);
264 frees(&s);
265 }
266 if (ret == HX509_NO_ITEM)
267 ret = 0;
268
269 for (i = 0; ret == 0; i++) {
270 hx509_san_type san_type;
271 ret = hx509_request_get_san(csr, i, &san_type, &s);
272 if (ret == 0)
273 hx509_request_authorize_san(csr, i);
274 frees(&s);
275 }
276 return ret == HX509_NO_ITEM ? 0 : ret;
277 }
278
279 static KRB5_LIB_CALL krb5_error_code
280 authorize(void *ctx,
281 krb5_context context,
282 const char *app,
283 hx509_request csr,
284 krb5_const_principal client,
285 krb5_boolean *result)
286 {
287 struct rk_strpool *cmd = NULL;
288 krb5_error_code ret;
289 hx509_context hx509ctx = NULL;
290 heim_ipc ipc = NULL;
291 const char *svc;
292 KeyUsage ku;
293 size_t i;
294 char *princ = NULL;
295 char *s = NULL;
296 int do_check = 0;
297
298 if ((svc = krb5_config_get_string(context, NULL, app ? app : "kdc",
299 "ipc_csr_authorizer", "service", NULL))
300 == NULL)
301 return KRB5_PLUGIN_NO_HANDLE;
302
303 if ((ret = heim_ipc_init_context(svc, &ipc))) {
304 krb5_set_error_message(context, ret, "Could not set up IPC client "
305 "end-point for service %s", svc);
306 return ret;
307 }
308
309 if ((ret = hx509_context_init(&hx509ctx)))
310 goto out;
311
312 if ((ret = krb5_unparse_name(context, client, &princ)))
313 goto out;
314
315 if ((ret = cmd_append(&cmd, "check ", princ, NULL)))
316 goto enomem;
317 frees(&princ);
318
319 for (i = 0; ret == 0; i++) {
320 hx509_san_type san_type;
321
322 ret = hx509_request_get_san(csr, i, &san_type, &s);
323 if (ret)
324 break;
325 switch (san_type) {
326 case HX509_SAN_TYPE_EMAIL:
327 if ((ret = cmd_append(&cmd, " san_email=", s, NULL)))
328 goto enomem;
329 do_check = 1;
330 break;
331 case HX509_SAN_TYPE_DNSNAME:
332 if ((ret = cmd_append(&cmd, " san_dnsname=", s, NULL)))
333 goto enomem;
334 do_check = 1;
335 break;
336 case HX509_SAN_TYPE_XMPP:
337 if ((ret = cmd_append(&cmd, " san_xmpp=", s, NULL)))
338 goto enomem;
339 do_check = 1;
340 break;
341 case HX509_SAN_TYPE_PKINIT:
342 if ((ret = cmd_append(&cmd, " san_pkinit=", s, NULL)))
343 goto enomem;
344 do_check = 1;
345 break;
346 case HX509_SAN_TYPE_MS_UPN:
347 if ((ret = cmd_append(&cmd, " san_ms_upn=", s, NULL)))
348 goto enomem;
349 do_check = 1;
350 break;
351 default:
352 if ((ret = hx509_request_reject_san(csr, i)))
353 goto out;
354 break;
355 }
356 frees(&s);
357 }
358 if (ret == HX509_NO_ITEM)
359 ret = 0;
360 if (ret)
361 goto out;
362
363 for (i = 0; ret == 0; i++) {
364 ret = hx509_request_get_eku(csr, i, &s);
365 if (ret)
366 break;
367 if ((ret = cmd_append(&cmd, " eku=", s, NULL)))
368 goto enomem;
369 do_check = 1;
370 frees(&s);
371 }
372 if (ret == HX509_NO_ITEM)
373 ret = 0;
374 if (ret)
375 goto out;
376
377 ku = int2KeyUsage(0);
378 ku.digitalSignature = 1;
379 ku.nonRepudiation = 1;
380 hx509_request_authorize_ku(csr, ku);
381
382 if (do_check) {
383 if ((s = rk_strpoolcollect(cmd)) == NULL)
384 goto enomem;
385 cmd = NULL;
386 if ((ret = call_svc(context, ipc, s)))
387 goto out;
388 } /* else -> permit */
389
390 if ((ret = mark_authorized(csr)))
391 goto out;
392
393 *result = TRUE;
394 ret = 0;
395 goto out;
396
397 enomem:
398 ret = krb5_enomem(context);
399 goto out;
400
401 out:
402 heim_ipc_free_context(ipc);
403 hx509_context_free(&hx509ctx);
404 if (cmd)
405 rk_strpoolfree(cmd);
406 free(princ);
407 free(s);
408 return ret;
409 }
410
411 static KRB5_LIB_CALL krb5_error_code
412 ipc_csr_authorizer_init(krb5_context context, void **c)
413 {
414 *c = NULL;
415 return 0;
416 }
417
418 static KRB5_LIB_CALL void
419 ipc_csr_authorizer_fini(void *c)
420 {
421 }
422
423 static krb5plugin_csr_authorizer_ftable plug_desc =
424 { 1, ipc_csr_authorizer_init, ipc_csr_authorizer_fini, authorize };
425
426 static krb5plugin_csr_authorizer_ftable *plugs[] = { &plug_desc };
427
428 static uintptr_t
429 ipc_csr_authorizer_get_instance(const char *libname)
430 {
431 if (strcmp(libname, "krb5") == 0)
432 return krb5_get_instance(libname);
433 if (strcmp(libname, "kdc") == 0)
434 return kdc_get_instance(libname);
435 if (strcmp(libname, "hx509") == 0)
436 return hx509_get_instance(libname);
437 return 0;
438 }
439
440 krb5_plugin_load_ft kdc_csr_authorizer_plugin_load;
441
442 krb5_error_code KRB5_CALLCONV
443 kdc_csr_authorizer_plugin_load(heim_pcontext context,
444 krb5_get_instance_func_t *get_instance,
445 size_t *num_plugins,
446 krb5_plugin_common_ftable_cp **plugins)
447 {
448 *get_instance = ipc_csr_authorizer_get_instance;
449 *num_plugins = sizeof(plugs) / sizeof(plugs[0]);
450 *plugins = (krb5_plugin_common_ftable_cp *)plugs;
451 return 0;
452 }
Heimdal