search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kafs: Fix a warning
[heimdal.git] / kdc / altsecid_gss_preauth_authorizer.c
blob6266083978f012b3df97a6c04d18a6dafd164815
1 /*
2 * Copyright (c) 2021, PADL Software Pty Ltd.
3 * All rights reserved.
4 *
5 * Portions Copyright (c) 2004 Kungliga Tekniska Högskolan
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 /*
36 * This plugin authorizes federated GSS-API pre-authentication clients by
37 * querying an AD DC in the KDC realm for the altSecurityIdentities
38 * attribute.
39 *
40 * For example, GSS-API initiator foo@AAA.H5L.SE using the eap-aes128
41 * mechanism to authenticate in realm H5L.SE would require a user entry
42 * where altSecurityIdentities equals either:
43 *
44 * EAP:foo@AAA.H5L.SE
45 * EAP-AES128:foo@AAA.H5L.SE
46 *
47 * (Stripping the mechanism name after the hyphen is a convention
48 * intended to allow mechanism variants to be grouped together.)
49 *
50 * Once the user entry is found, the name is canonicalized by reading the
51 * sAMAccountName attribute and concatenating it with the KDC realm,
52 * specifically the canonicalized realm of the WELLKNOWN/FEDERATED HDB
53 * entry.
54 *
55 * The KDC will need to have access to a default credentials cache, or
56 * OpenLDAP will need to be linked against a version of Cyrus SASL and
57 * Heimdal that supports keytab credentials.
58 */
59
60 #include "kdc_locl.h"
61
62 #include <resolve.h>
63 #include <common_plugin.h>
64 #include <heimqueue.h>
65
66 #include <gssapi/gssapi.h>
67 #include <gssapi_mech.h>
68
69 #include <ldap.h>
70
71 #include "gss_preauth_authorizer_plugin.h"
72
73 #ifndef PAC_REQUESTOR_SID
74 #define PAC_REQUESTOR_SID 18
75 #endif
76
77 struct ad_server_tuple {
78 HEIM_TAILQ_ENTRY(ad_server_tuple) link;
79 char *realm;
80 LDAP *ld;
81 #ifdef LDAP_OPT_X_SASL_GSS_CREDS
82 gss_cred_id_t gss_cred;
83 #endif
84 };
85
86 struct altsecid_gss_preauth_authorizer_context {
87 HEIM_TAILQ_HEAD(ad_server_tuple_list, ad_server_tuple) servers;
88 };
89
90 static int
91 sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *interact)
92 {
93 return LDAP_SUCCESS;
94 }
95
96 #ifdef LDAP_OPT_X_SASL_GSS_CREDS
97 static krb5_error_code
98 ad_acquire_cred(krb5_context context,
99 krb5_const_realm realm,
100 struct ad_server_tuple *server)
101 {
102 const char *keytab_name = NULL;
103 char *keytab_name_buf = NULL;
104 krb5_error_code ret;
105
106 OM_uint32 major, minor;
107 gss_key_value_element_desc client_keytab;
108 gss_key_value_set_desc cred_store;
109 gss_OID_set_desc desired_mechs;
110
111 desired_mechs.count = 1;
112 desired_mechs.elements = GSS_KRB5_MECHANISM;
113
114 keytab_name = krb5_config_get_string(context, NULL, "kdc", realm,
115 "gss_altsecid_authorizer_keytab_name", NULL);
116 if (keytab_name == NULL)
117 keytab_name = krb5_config_get_string(context, NULL, "kdc",
118 "gss_altsecid_authorizer_keytab_name", NULL);
119 if (keytab_name == NULL) {
120 ret = _krb5_kt_client_default_name(context, &keytab_name_buf);
121 if (ret)
122 return ret;
123
124 keytab_name = keytab_name_buf;
125 }
126
127 client_keytab.key = "client_keytab";
128 client_keytab.value = keytab_name;
129
130 cred_store.count = 1;
131 cred_store.elements = &client_keytab;
132
133 major = gss_acquire_cred_from(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
134 &desired_mechs, GSS_C_INITIATE,
135 &cred_store, &server->gss_cred, NULL, NULL);
136 if (GSS_ERROR(major))
137 ret = minor ? minor : KRB5_KT_NOTFOUND;
138 else
139 ret = 0;
140
141 krb5_xfree(keytab_name_buf);
142
143 return ret;
144 }
145 #endif
146
147 static krb5_boolean
148 is_recoverable_ldap_err_p(int lret)
149 {
150 return
151 (lret == LDAP_SERVER_DOWN ||
152 lret == LDAP_TIMEOUT ||
153 lret == LDAP_UNAVAILABLE ||
154 lret == LDAP_BUSY ||
155 lret == LDAP_CONNECT_ERROR);
156 }
157
158 static krb5_error_code
159 ad_connect(krb5_context context,
160 krb5_const_realm realm,
161 struct ad_server_tuple *server)
162 {
163 krb5_error_code ret;
164 struct {
165 char *server;
166 int port;
167 } *s, *servers = NULL;
168 size_t i, num_servers = 0;
169
170 {
171 struct rk_dns_reply *r;
172 struct rk_resource_record *rr;
173 char *domain;
174
175 asprintf(&domain, "_ldap._tcp.%s", realm);
176 if (domain == NULL) {
177 ret = krb5_enomem(context);
178 goto out;
179 }
180
181 r = rk_dns_lookup(domain, "SRV");
182 free(domain);
183 if (r == NULL) {
184 krb5_set_error_message(context, KRB5KDC_ERR_SVC_UNAVAILABLE,
185 "Couldn't find AD DC in DNS");
186 ret = KRB5KDC_ERR_SVC_UNAVAILABLE;
187 goto out;
188 }
189
190 for (rr = r->head ; rr != NULL; rr = rr->next) {
191 if (rr->type != rk_ns_t_srv)
192 continue;
193 s = realloc(servers, sizeof(*servers) * (num_servers + 1));
194 if (s == NULL) {
195 ret = krb5_enomem(context);
196 rk_dns_free_data(r);
197 goto out;
198 }
199 servers = s;
200 num_servers++;
201 servers[num_servers - 1].port = rr->u.srv->port;
202 servers[num_servers - 1].server = strdup(rr->u.srv->target);
203 }
204 rk_dns_free_data(r);
205 }
206
207 #ifdef LDAP_OPT_X_SASL_GSS_CREDS
208 if (server->gss_cred == GSS_C_NO_CREDENTIAL) {
209 ret = ad_acquire_cred(context, realm, server);
210 if (ret)
211 goto out;
212 }
213 #endif
214
215 for (i = 0; i < num_servers; i++) {
216 int lret, version = LDAP_VERSION3;
217 LDAP *ld;
218 char *url = NULL;
219
220 asprintf(&url, "ldap://%s:%d", servers[i].server, servers[i].port);
221 if (url == NULL) {
222 ret = krb5_enomem(context);
223 goto out;
224 }
225
226 lret = ldap_initialize(&ld, url);
227 free(url);
228 if (lret != LDAP_SUCCESS)
229 continue;
230
231 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
232 ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
233 #ifdef LDAP_OPT_X_SASL_GSS_CREDS
234 ldap_set_option(ld, LDAP_OPT_X_SASL_GSS_CREDS, server->gss_cred);
235 #endif
236
237 lret = ldap_sasl_interactive_bind_s(ld, NULL, "GSS-SPNEGO",
238 NULL, NULL, LDAP_SASL_QUIET,
239 sasl_interact, NULL);
240 if (lret != LDAP_SUCCESS) {
241 krb5_set_error_message(context, 0,
242 "Couldn't bind to AD DC %s:%d: %s",
243 servers[i].server, servers[i].port,
244 ldap_err2string(lret));
245 ldap_unbind_ext_s(ld, NULL, NULL);
246 continue;
247 }
248
249 server->ld = ld;
250 break;
251 }
252
253 ret = (server->ld != NULL) ? 0 : KRB5_KDC_UNREACH;
254
255 out:
256 for (i = 0; i < num_servers; i++)
257 free(servers[i].server);
258 free(servers);
259
260 if (ret && server->ld) {
261 ldap_unbind_ext_s(server->ld, NULL, NULL);
262 server->ld = NULL;
263 }
264
265 return ret;
266 }
267
268 static krb5_error_code
269 ad_lookup(krb5_context context,
270 krb5_const_realm realm,
271 struct ad_server_tuple *server,
272 gss_const_name_t initiator_name,
273 gss_const_OID mech_type,
274 krb5_principal *canon_principal,
275 heim_data_t *requestor_sid)
276 {
277 krb5_error_code ret;
278 OM_uint32 minor;
279 const char *mech_type_str, *p;
280 char *filter = NULL;
281 gss_buffer_desc initiator_name_buf = GSS_C_EMPTY_BUFFER;
282 LDAPMessage *m = NULL, *m0;
283 char *basedn = NULL;
284 int lret;
285 char *attrs[] = { "sAMAccountName", "objectSid", NULL };
286 struct berval **values = NULL;
287
288 *canon_principal = NULL;
289 if (requestor_sid)
290 *requestor_sid = NULL;
291
292 mech_type_str = gss_oid_to_name(mech_type);
293 if (mech_type_str == NULL) {
294 ret = KRB5_PREAUTH_BAD_TYPE; /* should never happen */
295 goto out;
296 }
297
298 ret = KRB5_KDC_ERR_CLIENT_NOT_TRUSTED;
299
300 if (GSS_ERROR(gss_display_name(&minor, initiator_name,
301 &initiator_name_buf, NULL)))
302 goto out;
303
304 if ((p = strrchr(mech_type_str, '-')) != NULL) {
305 asprintf(&filter, "(&(objectClass=user)"
306 "(|(altSecurityIdentities=%.*s:%.*s)(altSecurityIdentities=%s:%.*s)))",
307 (int)(p - mech_type_str), mech_type_str,
308 (int)initiator_name_buf.length, (char *)initiator_name_buf.value,
309 mech_type_str,
310 (int)initiator_name_buf.length,
311 (char *)initiator_name_buf.value);
312 } else {
313 asprintf(&filter, "(&(objectClass=user)(altSecurityIdentities=%s:%.*s))",
314 mech_type_str,
315 (int)initiator_name_buf.length,
316 (char *)initiator_name_buf.value);
317 }
318 if (filter == NULL)
319 goto enomem;
320
321 lret = ldap_domain2dn(realm, &basedn);
322 if (lret != LDAP_SUCCESS)
323 goto out;
324
325 lret = ldap_search_ext_s(server->ld, basedn, LDAP_SCOPE_SUBTREE,
326 filter, attrs, 0,
327 NULL, NULL, NULL, 1, &m);
328 if (lret == LDAP_SIZELIMIT_EXCEEDED)
329 ret = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
330 else if (is_recoverable_ldap_err_p(lret))
331 ret = KRB5KDC_ERR_SVC_UNAVAILABLE;
332 if (lret != LDAP_SUCCESS)
333 goto out;
334
335 m0 = ldap_first_entry(server->ld, m);
336 if (m0 == NULL)
337 goto out;
338
339 values = ldap_get_values_len(server->ld, m0, "sAMAccountName");
340 if (values == NULL ||
341 ldap_count_values_len(values) == 0)
342 goto out;
343
344 ret = krb5_make_principal(context, canon_principal, realm,
345 values[0]->bv_val, NULL);
346 if (ret)
347 goto out;
348
349 if (requestor_sid) {
350 ldap_value_free_len(values);
351
352 values = ldap_get_values_len(server->ld, m0, "objectSid");
353 if (values == NULL ||
354 ldap_count_values_len(values) == 0)
355 goto out;
356
357 *requestor_sid = heim_data_create(values[0]->bv_val, values[0]->bv_len);
358 if (*requestor_sid == NULL)
359 goto enomem;
360 }
361
362 goto out;
363
364 enomem:
365 ret = krb5_enomem(context);
366 goto out;
367
368 out:
369 if (ret) {
370 krb5_free_principal(context, *canon_principal);
371 *canon_principal = NULL;
372
373 if (requestor_sid) {
374 heim_release(*requestor_sid);
375 *requestor_sid = NULL;
376 }
377 }
378
379 ldap_value_free_len(values);
380 ldap_msgfree(m);
381 ldap_memfree(basedn);
382 free(filter);
383 gss_release_buffer(&minor, &initiator_name_buf);
384
385 return ret;
386 }
387
388 static KRB5_LIB_CALL krb5_error_code
389 authorize(void *ctx,
390 astgs_request_t r,
391 gss_const_name_t initiator_name,
392 gss_const_OID mech_type,
393 OM_uint32 ret_flags,
394 krb5_boolean *authorized,
395 krb5_principal *mapped_name)
396 {
397 struct altsecid_gss_preauth_authorizer_context *c = ctx;
398 struct ad_server_tuple *server = NULL;
399 krb5_error_code ret;
400 krb5_const_realm realm = krb5_principal_get_realm(r->context, r->client->entry.principal);
401 krb5_boolean reconnect_p = FALSE;
402 krb5_boolean is_tgs;
403 heim_data_t requestor_sid = NULL;
404
405 *authorized = FALSE;
406 *mapped_name = NULL;
407
408 if (!krb5_principal_is_federated(r->context, r->client->entry.principal) ||
409 (ret_flags & GSS_C_ANON_FLAG))
410 return KRB5_PLUGIN_NO_HANDLE;
411
412 is_tgs = krb5_principal_is_krbtgt(r->context, r->server_princ);
413
414 HEIM_TAILQ_FOREACH(server, &c->servers, link) {
415 if (strcmp(realm, server->realm) == 0)
416 break;
417 }
418
419 if (server == NULL) {
420 server = calloc(1, sizeof(*server));
421 if (server == NULL)
422 return krb5_enomem(r->context);
423
424 server->realm = strdup(realm);
425 if (server->realm == NULL) {
426 free(server);
427 return krb5_enomem(r->context);
428 }
429
430 HEIM_TAILQ_INSERT_HEAD(&c->servers, server, link);
431 }
432
433 do {
434 if (server->ld == NULL) {
435 ret = ad_connect(r->context, realm, server);
436 if (ret)
437 return ret;
438 }
439
440 ret = ad_lookup(r->context, realm, server,
441 initiator_name, mech_type,
442 mapped_name, is_tgs ? &requestor_sid : NULL);
443 if (ret == KRB5KDC_ERR_SVC_UNAVAILABLE) {
444 ldap_unbind_ext_s(server->ld, NULL, NULL);
445 server->ld = NULL;
446
447 /* try to reconnect iff we haven't already tried */
448 reconnect_p = !reconnect_p;
449 }
450
451 *authorized = (ret == 0);
452 } while (reconnect_p);
453
454 if (requestor_sid) {
455 krb5_kdc_request_set_attribute((kdc_request_t)r,
456 HSTR("org.h5l.gss-pa-requestor-sid"), requestor_sid);
457 heim_release(requestor_sid);
458 }
459
460 return ret;
461 }
462
463 static KRB5_LIB_CALL krb5_error_code
464 finalize_pac(void *ctx, astgs_request_t r)
465 {
466 heim_data_t requestor_sid;
467
468 requestor_sid = krb5_kdc_request_get_attribute((kdc_request_t)r,
469 HSTR("org.h5l.gss-pa-requestor-sid"));
470 if (requestor_sid == NULL)
471 return 0;
472
473 _kdc_audit_setkv_object((kdc_request_t)r, "gss_requestor_sid", requestor_sid);
474
475 return krb5_pac_add_buffer(r->context, r->pac, PAC_REQUESTOR_SID,
476 heim_data_get_data(requestor_sid));
477 }
478
479 static KRB5_LIB_CALL krb5_error_code
480 init(krb5_context context, void **contextp)
481 {
482 struct altsecid_gss_preauth_authorizer_context *c;
483
484 c = calloc(1, sizeof(*c));
485 if (c == NULL)
486 return krb5_enomem(context);
487
488 HEIM_TAILQ_INIT(&c->servers);
489
490 *contextp = c;
491 return 0;
492 }
493
494 static KRB5_LIB_CALL void
495 fini(void *context)
496 {
497 struct altsecid_gss_preauth_authorizer_context *c = context;
498 struct ad_server_tuple *server, *next;
499 OM_uint32 minor;
500
501 HEIM_TAILQ_FOREACH_SAFE(server, &c->servers, link, next) {
502 free(server->realm);
503 ldap_unbind_ext_s(server->ld, NULL, NULL);
504 #ifdef LDAP_OPT_X_SASL_GSS_CREDS
505 gss_release_cred(&minor, &server->gss_cred);
506 #endif
507 free(server);
508 }
509 }
510
511 static krb5plugin_gss_preauth_authorizer_ftable plug_desc =
512 { 1, init, fini, authorize, finalize_pac };
513
514 static krb5plugin_gss_preauth_authorizer_ftable *plugs[] = { &plug_desc };
515
516 static uintptr_t
517 altsecid_gss_preauth_authorizer_get_instance(const char *libname)
518 {
519 if (strcmp(libname, "krb5") == 0)
520 return krb5_get_instance(libname);
521 if (strcmp(libname, "kdc") == 0)
522 return kdc_get_instance(libname);
523 if (strcmp(libname, "gssapi") == 0)
524 return gss_get_instance(libname);
525 return 0;
526 }
527
528 krb5_plugin_load_ft kdc_gss_preauth_authorizer_plugin_load;
529
530 krb5_error_code KRB5_CALLCONV
531 kdc_gss_preauth_authorizer_plugin_load(heim_pcontext context,
532 krb5_get_instance_func_t *get_instance,
533 size_t *num_plugins,
534 krb5_plugin_common_ftable_cp **plugins)
535 {
536 *get_instance = altsecid_gss_preauth_authorizer_get_instance;
537 *num_plugins = sizeof(plugs) / sizeof(plugs[0]);
538 *plugins = (krb5_plugin_common_ftable_cp *)plugs;
539 return 0;
540 }
Heimdal