| blob | 798236a98f88190060cd177e5768b65550da9d56 |
1 /*
2 * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
37 int
39 {
54 }
56 int
58 {
60 }
62 int
64 {
72 }
74 int
76 {
78 }
80 int
84 {
93 }
95 int
98 {
100 }
102 /*
103 * Some old databases may not have stored the salt with each key, which will
104 * break clients when aliases or canonicalization are used. Generate a
105 * default salt based on the real principal name in the entry to handle
106 * this case.
107 */
108 static krb5_error_code
110 {
111 krb5_error_code ret;
113 krb5_salt pwsalt;
130 }
139 }
144 }
146 static krb5_error_code
149 krb5_const_principal principal,
152 {
153 HDB_EntryOrAlias eoa;
156 krb5_error_code ret;
169 }
175 }
190 }
192 /* No alias chaining */
198 /*
199 * Whilst Windows does not canonicalize enterprise principal names if
200 * the canonicalize flag is unset, the original specification in
201 * draft-ietf-krb-wg-kerberos-referrals-03.txt says we should.
202 */
204 }
206 /* HDB_F_GET_ANY indicates request originated from KDC (not kadmin) */
210 /* `principal' was alias but canon not req'd */
213 }
220 }
222 krb5_error_code
225 {
226 krb5_error_code ret;
233 /* Decrypt the current keys */
238 }
239 /* Decrypt the key history too */
244 }
247 /* Decrypt the current keys */
252 }
256 /*
257 * Find and decrypt the keys from the history that we want,
258 * and swap them with the current keys
259 */
264 }
265 }
266 }
268 /*
269 * Generate default salt for any principals missing one; note such
270 * principals could include those for which a random (non-password)
271 * key was generated, but given the salt will be ignored by a keytab
272 * client it doesn't hurt to include the default salt.
273 */
278 }
279 }
282 }
284 static krb5_error_code
286 {
288 krb5_error_code code;
289 hdb_entry oldentry;
290 krb5_data value;
308 }
310 krb5_data akey;
316 }
320 }
321 }
324 }
326 static krb5_error_code
329 {
331 krb5_error_code code;
340 hdb_entry_alias entryalias;
351 }
355 }
357 }
359 /* Check if new aliases are already used for other entries */
360 static krb5_error_code
362 {
364 HDB_EntryOrAlias eoa;
384 /* New alias names an existing non-alias entry in the HDB */
389 /* New alias names an existing alias of a different entry */
392 /* New alias is a name that doesn't exist in the HDB */
398 }
400 }
402 /*
403 * Many HDB entries don't have `etypes' setup. Historically we use the
404 * enctypes of the selected keyset as the entry's supported enctypes, but that
405 * is problematic. By doing this at store time and, if need be, at fetch time,
406 * we can make sure to stop deriving supported etypes from keys in the long
407 * run. We also need kadm5/kadmin support for etypes. We'll use this function
408 * there to derive etypes when using a kadm5_principal_ent_t that lacks the new
409 * TL data for etypes.
410 */
411 krb5_error_code
413 {
424 /* There's no way that base_keys->val[i].keys.len == 0, but hey */
427 }
436 }
444 }
452 }
463 }
465 }
467 krb5_error_code
469 {
476 /* check if new aliases already is used */
495 }
507 }
521 /* remove aliases */
526 }
537 }
539 krb5_error_code
542 {
549 /*
550 * We don't check that we can delete the aliases because we
551 * assume that the DB is consistent. If we did check for alias
552 * consistency we'd also have to provide a way to fsck the DB,
553 * otherwise admins would have no way to recover -- papering
554 * over this here is less work, but we really ought to provide
555 * an HDB fsck.
556 */
562 }
564 }
570 }
574 }
576 /* PRF+(K_base, pad, keylen(etype)) */
577 static krb5_error_code
581 krb5int32 etype,
583 {
584 krb5_error_code ret;
586 krb5_data out;
603 }
605 /* PRF+(PRF+(K_base, princ, keylen(etype)), kvno, keylen(etype)) */
606 /* XXX Make it PRF+(PRF+(K_base, princ, keylen(K_base.etype)), and lift it, kvno, keylen(etype)) */
607 static krb5_error_code
610 krb5uint32 kvno,
612 krb5int32 etype,
614 {
616 EncryptionKey intermediate;
617 krb5_data pad;
629 /* Derive intermediate key for the given principal */
630 /* XXX Lift to optimize? */
638 /* Derive final key for `kvno' from intermediate key */
646 }
648 /*
649 * PRF+(PRF+(K_base, princ, keylen(etype)), kvno, keylen(etype)) for one
650 * enctype.
651 */
652 static krb5_error_code
655 krb5uint32 kvno,
656 krb5int32 etype,
660 {
663 Key nk;
668 /*
669 * The enctypes of the base keys is the list of enctypes to derive keys
670 * for. Still, we derive all keys from the first base key.
671 */
681 /*
682 * FIXME We need to finish kdc/kadm5/kadmin support for the `etypes' so
683 * we can reduce the number of keys in keytabs to just those in current
684 * use and only of *one* enctype.
685 *
686 * What we could do is derive *one* key and for the others output a
687 * one-byte key of the intended enctype (which will never work).
688 *
689 * We'll never need any keys but the first one...
690 */
691 }
696 }
698 /* Helper for derive_keys_for_kr() */
699 static krb5_error_code
703 krb5int32 etype,
704 krb5uint32 kvno,
707 {
715 }
717 /* Possibly derive and install in `h' a keyset identified by `t' */
718 static krb5_error_code
725 krb5int32 etype,
726 krb5uint32 kvno_wanted,
727 KerberosTime t,
729 {
730 krb5_error_code ret;
731 hdb_keyset dks;
733 krb5uint32 kvno;
739 /*
740 * Compute `kvno' and `set_time' given `t' and `krp'.
741 *
742 * There be signed 32-bit time_t dragons here.
743 *
744 * (t - krp->epoch < 0) is better than (krp->epoch < t), making us more
745 * tolerant of signed 32-bit time_t here near 2038. Of course, we have
746 * signed 32-bit time_t dragons elsewhere.
747 */
756 /*
757 * Do not waste cycles computing keys not wanted or needed.
758 * A past kvno is too old if its set_time + rotation period is in the past
759 * by more than half a rotation period, since then no service ticket
760 * encrypted with keys of that kvno can still be extant.
761 *
762 * A future kvno is not coming up soon enough if we're more than a quarter
763 * of the rotation period away from it.
764 *
765 * Recall: the assumption for virtually-keyed principals is that services
766 * fetch their future keys frequently enough that they'll never miss having
767 * the keys they need.
768 */
774 }
779 }
781 /* Base key not found! */
787 }
789 }
798 }
800 /* Derive and install current keys, and possibly preceding or next keys */
801 static krb5_error_code
807 krb5int32 etype,
808 krb5uint32 kvno_wanted,
809 KerberosTime t,
811 KerberosTime future_epoch)
812 {
813 krb5_error_code ret;
815 /* derive_keys_for_kr() for current kvno and install as the current keys */
821 /* */
824 /*
825 * derive_keys_for_kr() for prev kvno if still needed -- it can only be
826 * needed if the prev kvno's start time is within this KR's epoch.
827 *
828 * Note that derive_keys_for_kr() can return without doing anything if this
829 * is isn't the current keyset. So these conditions need not be
830 * sufficiently narrow.
831 */
835 /*
836 * derive_keys_for_kr() for next kvno if near enough, but only if it
837 * doesn't start after the next KR's epoch.
838 */
847 }
852 }
854 /*
855 * Derive and install all keysets in `h' that `princ' needs at time `now'.
856 *
857 * This mutates the entry `h' to
858 *
859 * a) not have base keys,
860 * b) have keys derived from the base keys according to
861 * c) the key rotation periods for the base principal (possibly the same
862 * principal if it's a concrete principal with virtual keys), and the
863 * requested time, enctype, and kvno (all of which are optional, with zero
864 * implying some default).
865 *
866 * Arguments:
867 *
868 * - `flags' is the flags passed to `hdb_fetch_kvno()'
869 * - `princ' is the name of the principal we'll end up with in `h->entry'
870 * - `h_is_namespace' indicates whether `h' is for a namespace or a concrete
871 * principal (that might nonetheless have virtual/derived keys)
872 * - `t' is the time such that the derived keys are for kvnos needed at `t'
873 * - `etype' indicates what enctype to derive keys for (0 for all enctypes in
874 * `h->entry.etypes')
875 * - `kvno' requests a particular kvno, or all if zero
876 *
877 * The caller doesn't know if the principal needs key derivation -- we make
878 * that determination in this function.
879 *
880 * Note that this function is fully deterministic for any given set of
881 * arguments and HDB contents.
882 *
883 * Definitions:
884 *
885 * - A keyset is a set of keys for a single kvno.
886 * - A keyset is relevant IFF:
887 * - it is the keyset for a time period identified by `t' in a
888 * corresponding KR
889 * - it is a keyset for a past time period for which there may be extant,
890 * not-yet-expired tickets that a service may need to decrypt
891 * - it is a keyset for an upcoming time period that a service will need to
892 * fetch before that time period becomes current, that way the service
893 * can have keytab entries for those keys in time for when the KDC starts
894 * encrypting service tickets to those keys
895 *
896 * This function derives the keyset(s) for the current KR first. The idea is
897 * to optimize the order of resulting keytabs so that the most likely keys to
898 * be used come first.
899 *
900 * Invariants:
901 *
902 * - KR metadata is sane because sanity is checked for when storing HDB
903 * entries
904 * - KRs are sorted by epoch in descending order; KR #0's epoch is the most
905 * recent
906 * - KR periods are non-zero (we divide by period)
907 * - kvnos are numerically ordered and correspond to time periods
908 * - within each KR, the kvnos for larger times are larger than (or equal
909 * to) the kvnos of earlier times
910 * - at KR boundaries, the first kvno of the newer boundary is larger than
911 * the kvno of the last time period of the previous KR
912 * - the time `t' must fall into exactly one KR period
913 * - the time `t' must fall into exactly one period within a KR period
914 * - at most two kvnos will be relevant from the KR that `t' falls into
915 * (the current kvno for `t', and possibly either the preceding, or the
916 * next)
917 * - at most one kvno from non-current KRs will be derived: possibly one for a
918 * preceding KR, and possibly one from an upcoming KR
919 *
920 * There can be:
921 *
922 * - no KR extension (not a namespace principal, and no virtual keys)
923 * - 1, 2, or 3 KRs (see above)
924 * - the newest KR may have the `deleted' flag, meaning "does not exist after
925 * this epoch"
926 *
927 * Note that the last time period in any older KR can be partial.
928 *
929 * Timeline diagram:
930 *
931 * .......|--+--+...+--|---+---+---+...+--|----+...
932 * T20 T10 T11 RT12 T1n T01
933 * ^ ^ ^ ^ ^ ^ ^ T00
934 * | | | T22 T2n | | ^
935 * ^ | T21 | | |
936 * princ | | epoch of | epoch of
937 * did | | middle KR | newest epoch
938 * not | | |
939 * exist! | start of Note that T1n
940 * | second kvno is shown as shorter
941 * | in 1st epoch than preceding periods
942 * |
943 * ^
944 * first KR's
945 * epoch, and start
946 * of its first kvno
947 *
948 * Tmn == the start of the Mth KR's Nth time period.
949 * (higher M -> older KR; lower M -> newer KR)
950 * (N is the reverse: lower N -> older time period in KR)
951 * T20 == start of oldest KR -- no keys before this time will be derived.
952 * T2n == last time period in oldest KR
953 * T10 == start of middle KR
954 * T1n == last time period in middle KR
955 * T00 == start of newest KR
956 * T0n == current time period in newest KR for wall clock time
957 */
958 static krb5_error_code
961 krb5_const_principal princ,
963 krb5_timestamp t,
964 krb5int32 etype,
965 krb5uint32 kvno,
967 {
968 HDB_Ext_KeyRotation kr;
969 HDB_Ext_KeySet base_keys;
979 /* Set the entry's principal name */
982 }
989 /* Installing keys invalidates `ckr', so we copy it */
993 }
995 /* Get the base keys from the entry, and remove them */
1001 /* Make sure we have h->entry.etypes */
1005 /* Keys not desired? Don't derive them! */
1010 }
1012 /* The principal name will be used in key derivation and error messages */
1016 /* Sanity check key rotations, determine current & last kr */
1022 else
1025 /*
1026 * Identify a current, next, and previous KRs if there are any.
1027 *
1028 * There can be up to three KRs, ordered by epoch, descending, making up a
1029 * timeline like:
1030 *
1031 * ...|---------|--------|------>
1032 * ^ | | |
1033 * | | | |
1034 * | | | Newest KR (kr.val[0])
1035 * | | Middle KR (kr.val[1])
1036 * | Oldest (last) KR (kr.val[2])
1037 * |
1038 * Before the begging of time for this namespace
1039 *
1040 * We step through these from future towards past looking for the best
1041 * future, current, and past KRs. The best current KR is one that has its
1042 * epoch nearest to `t' but in the past of `t'.
1043 *
1044 * We validate KRs before storing HDB entries with the KR extension, so we
1045 * can assume they are valid here. However, we do some validity checking,
1046 * and if they're not valid, we pick the best current KR and ignore the
1047 * others.
1048 *
1049 * In principle there cannot be two future KRs, but this function is
1050 * deterministic and takes a time value, so it should not enforce this just
1051 * so we can test. Enforcement of such rules should be done at store time.
1052 */
1054 /* Minimal validation: order and period */
1058 }
1063 }
1065 /*
1066 * `t' is in the future of this KR's epoch, so it's a candidate for
1067 * either current or past KR.
1068 */
1076 /* This KR is in the future of `t', a candidate for next KR */
1078 }
1079 }
1081 /* No current KR -> too soon */
1085 /* Check that the principal has not been marked deleted */
1088 "virtual principal %s does not exist "
1089 "because last key rotation period "
1092 /*
1093 * Derive and set in `h' its current kvno and current keys.
1094 *
1095 * This will set h->entry.kvno as well.
1096 *
1097 * This may set up to TWO keysets for the current key rotation period:
1098 * - current keys (h->entry.keys and h->entry.kvno)
1099 * - possibly one future
1100 * OR
1101 * possibly one past keyset in hist_keys for the current_kr
1102 */
1108 /*
1109 * Derive and set in `h' its future keys for next KR if it is soon to be
1110 * current.
1111 *
1112 * We want to derive keys for the first kvno of the next (future) KR if
1113 * it's sufficiently close to `t', meaning within 1 period of the current
1114 * KR, but we want these keys to be available sooner, so 1.5 of the current
1115 * period.
1116 */
1121 /*
1122 * Derive and set in `h' its past keys for the previous KR if its last time
1123 * period could still have extant, unexpired service tickets encrypted in
1124 * its keys.
1125 */
1130 /*
1131 * Impose a bound on h->entry.max_life so that [when the KDC is the caller]
1132 * the KDC won't issue tickets longer lived than this.
1133 */
1144 }
1146 /*
1147 * In order for disparate keytab provisioning systems such as OSKT and our own
1148 * kadmin ext_keytab and httpkadmind's get-keys to coexist, we need to be able
1149 * to force keys set by the former to not become current keys until users of
1150 * the latter have had a chance to fetch those keys into their keytabs. To do
1151 * this we have to search the list of keys in the entry looking for the newest
1152 * keys older than `now - db->new_service_key_delay'.
1153 *
1154 * The context is that OSKT's krb5_keytab is very happy to change keys in a way
1155 * that requires all members of a cluster to rekey together. If one also
1156 * wishes to have cluster members that opt out of this and just fetch current,
1157 * past, and future keys periodically, then the keys set by OSKT need to not
1158 * come into effect until all the opt-out members have had a chance to fetch
1159 * the new keys.
1160 *
1161 * The assumption is that services will fetch new keys periodically, say, every
1162 * four hours. Then one can set `[hdb] new_service_key_delay = 8h' in the
1163 * configuration and new keys set by OSKT will not be used until 8h after they
1164 * are set.
1165 *
1166 * Naturally, this applies only to concrete principals with concrete keys.
1167 */
1168 static krb5_error_code
1172 krb5_timestamp now,
1173 krb5uint32 kvno,
1175 {
1177 HDB_Ext_KeySet keys;
1182 /*
1183 * If we want a specific kvno, or if the caller doesn't want new keys
1184 * delayed, or if there's no new-key delay configured, or we're not
1185 * fetching for use as a service principal, then we're out.
1186 */
1191 /* No history -> current keyset is the only one and therefore the best */
1196 /* Assume the current keyset is the best to start with */
1203 /* Current keyset starts out as best */
1207 /* Look for a better keyset in the history */
1210 /* No set_time? Ignore. Too new? Ignore */
1215 /*
1216 * Ignore the keyset with kvno 1 when the entry has better kvnos
1217 * because kadmin's `ank -r' command immediately changes the keys.
1218 */
1222 /*
1223 * This keyset's set_time older than the previous best? Ignore.
1224 * However, if the current best is the entry's current and that one
1225 * is too new, then don't ignore this one.
1226 */
1231 /*
1232 * If two good enough keysets have the same set_time, take the keyset
1233 * with the highest kvno.
1234 */
1238 /*
1239 * This keyset is clearly more current than the previous best keyset
1240 * but still old enough to use for encrypting tickets with.
1241 */
1244 }
1246 }
1248 /*
1249 * Make a WELLKNOWN/HOSTBASED-NAMESPACE/${svc}/${hostname} or
1250 * WELLKNOWN/HOSTBASED-NAMESPACE/${svc}/${hostname}/${domainname} principal
1251 * object, with the service and hostname components take from `wanted', but if
1252 * the service name is not in the list `db->virtual_hostbased_princ_svcs[]'
1253 * then use "_" (wildcard) instead. This way we can have different attributes
1254 * for different services in the same namespaces.
1255 *
1256 * For example, virtual hostbased service names for the "host" service might
1257 * have ok-as-delegate set, but ones for the "HTTP" service might not.
1258 */
1259 static krb5_error_code
1262 krb5_const_principal wanted,
1264 {
1283 }
1284 }
1288 /* First go around, need a namespace princ. Make it! */
1295 /* Support domain-based names */
1297 /* Caller frees `*namespace' on error */
1299 }
1301 /* Wrapper around db->hdb_fetch_kvno() that implements virtual princs/keys */
1302 static krb5_error_code
1305 krb5_const_principal princ,
1307 krb5_timestamp t,
1308 krb5int32 etype,
1309 krb5uint32 kvno,
1311 {
1331 /* Strip out any :port */
1335 /* Extra ':'s? No virtualization for you! */
1341 }
1342 }
1343 /* Count dots in `host' */
1346 hdots++;
1349 }
1355 /*
1356 * We break out of this loop with ret == 0 only if we found the HDB
1357 * entry we were looking for or the HDB entry for a matching namespace.
1358 *
1359 * Otherwise we break out with ret != 0, typically HDB_ERR_NOENTRY.
1360 *
1361 * First time through we lookup the principal as given.
1362 *
1363 * Next we lookup a namespace principal, stripping off hostname labels
1364 * from the left until we find one or get tired of looking or run out
1365 * of labels.
1366 */
1372 /*
1373 * Breadcrumb:
1374 *
1375 * - if we found a concrete principal, but it's been marked
1376 * as now-virtual, then we must keep going
1377 *
1378 * But this will be coded in the future.
1379 *
1380 * Maybe we can take attributes from the concrete principal...
1381 */
1383 /*
1384 * The namespace's hostname will not have more labels than maxdots + 1.
1385 * Thus we truncate immediately down to maxdots + 1 if we haven't yet.
1386 *
1387 * Example: with maxdots == 3,
1388 * foo.bar.baz.app.blah.example -> baz.app.blah.example
1389 */
1392 /* tmp != NULL because maxdots > 0 */
1393 tmp++;
1394 hdots--;
1395 }
1398 /* First go around, need a namespace princ. Make it! */
1400 /* Update the hostname component */
1407 /* Strip off left-most label for the next go-around */
1409 tmp++;
1410 hdots--;
1412 }
1414 /*
1415 * If unencrypted keys were requested, derive them. There may not be any
1416 * key derivation to do, but that's decided in derive_keys().
1417 */
1420 ent);
1425 }
1429 }
1431 /**
1432 * Fetch a principal's HDB entry, possibly generating virtual keys from base
1433 * keys according to strict key rotation schedules. If a time is given, other
1434 * than HDB I/O, this function is pure, thus usable for testing.
1435 *
1436 * HDB writers should use `db->hdb_fetch_kvno()' to avoid materializing virtual
1437 * principals.
1438 *
1439 * HDB readers should use this function rather than `db->hdb_fetch_kvno()'
1440 * unless they only want to see concrete principals and not bother generating
1441 * any virtual keys.
1442 *
1443 * @param context Context
1444 * @param db HDB
1445 * @param principal Principal name
1446 * @param flags Fetch flags
1447 * @param t For virtual keys, use this as the point in time (use zero to mean "now")
1448 * @param etype Key enctype (use KRB5_ENCTYPE_NULL to mean "preferred")
1449 * @param kvno Key version number (use zero to mean "current")
1450 * @param h Output HDB entry
1451 *
1452 * @return Zero on success, an error code otherwise.
1453 */
1454 krb5_error_code
1457 krb5_const_principal principal,
1459 krb5_timestamp t,
1460 krb5int32 etype,
1461 krb5uint32 kvno,
1463 {
1473 }
1475 size_t ASN1CALL
1477 {
1479 }
1481 size_t ASN1CALL
1483 {
1485 }
1487 size_t ASN1CALL
1489 {
1491 }
1493 void ASN1CALL
1495 {
1497 }
1499 void ASN1CALL
1501 {
1503 }
1505 void ASN1CALL
1507 {
1509 }
1511 size_t ASN1CALL
1513 {
1515 }
1517 size_t ASN1CALL
1519 {
1521 }
1523 size_t ASN1CALL
1525 {
1527 }
1529 int ASN1CALL
1534 {
1536 }
1538 int ASN1CALL
1543 {
1545 }
1547 int ASN1CALL
1552 {
1554 }
1556 int ASN1CALL
1561 {
1563 }
1565 int ASN1CALL
1570 {
1572 }
1574 int ASN1CALL
1579 {
1581 }