oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: move Services for User implementation out of krb5tgs.c

Browse Source 
Move the Services for User (SFU/S4U) implementation -- protocol transition and
constrained delegation -- into its own compilation unit, with an interface that
only takes an astgs_request_t, so it can be easily factored out into a plugin
module in the future.

This refactoring is also careful to update all client names in the request
structure after the SFU/S4U validation has successfully completed.
This commit is contained in:
Luke Howard
2021-12-24 13:49:55 +11:00
parent 06f8985c55
commit 0287558838
6 changed files with 670 additions and 482 deletions
Download Patch File Download Diff File Expand all files Collapse all files

575
kdc/mssfu.c Normal file
View File

@@ -0,0 +1,575 @@
/*
* Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
/*
* [MS-SFU] Kerberos Protocol Extensions:
* Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
*/
/*
* Determine if constrained delegation is allowed from this client to this server
*/
static krb5_error_code
check_constrained_delegation(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
hdb_entry_ex *client,
hdb_entry_ex *server,
krb5_const_principal target)
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
size_t i;
/*
* constrained delegation (S4U2Proxy) only works within
* the same realm. We use the already canonicalized version
* of the principals here, while "target" is the principal
* provided by the client.
*/
if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 4,
"Bad request for constrained delegation");
return ret;
}
if (clientdb->hdb_check_constrained_delegation) {
ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
if (ret == 0)
return 0;
} else {
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
return 0;
ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
if (ret) {
krb5_clear_error_message(context);
return ret;
}
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
return 0;
}
}
ret = KRB5KDC_ERR_BADOPTION;
}
kdc_log(context, config, 4,
"Bad request for constrained delegation");
return ret;
}
static void
update_client_names(astgs_request_t r,
char **s4ucname,
krb5_principal *s4u_client_name,
hdb_entry_ex **s4u_client,
krb5_principal *s4u_canon_client_name,
krb5_pac *s4u_pac)
{
krb5_xfree(r->cname);
r->cname = *s4ucname;
*s4ucname = NULL;
r->client_princ = *s4u_client_name;
*s4u_client_name = NULL;
_kdc_free_ent(r->context, r->client);
r->client = *s4u_client;
*s4u_client = NULL;
krb5_free_principal(r->context, r->canon_client_princ);
r->canon_client_princ = *s4u_canon_client_name;
*s4u_canon_client_name = NULL;
krb5_pac_free(r->context, r->pac);
r->pac = *s4u_pac;
*s4u_pac = NULL;
}
/*
* Validate a protocol transition (S4U2Self) request. If present and
* successfully validated then the client in the request structure
* will be replaced with the impersonated client.
*/
static krb5_error_code
validate_protocol_transition(astgs_request_t r)
{
krb5_error_code ret;
KDC_REQ_BODY *b = &r->req.req_body;
EncTicketPart *ticket = &r->ticket->ticket;
hdb_entry_ex *s4u_client = NULL;
HDB *s4u_clientdb;
int flags = HDB_F_FOR_TGS_REQ;
krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
krb5_pac s4u_pac = NULL;
const PA_DATA *sdata;
char *s4ucname = NULL;
int i = 0;
krb5_crypto crypto;
krb5_data datack;
PA_S4U2Self self;
const char *str;
if (r->client == NULL)
return 0;
sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
if (sdata == NULL)
return 0;
memset(&self, 0, sizeof(self));
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
ret = decode_PA_S4U2Self(sdata->padata_value.data,
sdata->padata_value.length,
&self, NULL);
if (ret) {
_kdc_audit_addreason((kdc_request_t)r,
"Failed to decode PA-S4U2Self");
kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
goto out;
}
if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
_kdc_audit_addreason((kdc_request_t)r,
"PA-S4U2Self with unkeyed checksum");
kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
if (ret)
goto out;
ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
krb5_data_free(&datack);
kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
/* Allow HMAC_MD5 checksum with any key type */
if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
struct krb5_crypto_iov iov;
unsigned char csdata[16];
Checksum cs;
cs.checksum.length = sizeof(csdata);
cs.checksum.data = &csdata;
iov.data.data = datack.data;
iov.data.length = datack.length;
iov.flags = KRB5_CRYPTO_TYPE_DATA;
ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
KRB5_KU_OTHER_CKSUM, &iov, 1,
&cs);
if (ret == 0 &&
krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
} else {
ret = _kdc_verify_checksum(r->context,
crypto,
KRB5_KU_OTHER_CKSUM,
&datack,
&self.cksum);
}
krb5_data_free(&datack);
krb5_crypto_destroy(r->context, crypto);
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
_kdc_audit_addreason((kdc_request_t)r,
"S4U2Self checksum failed");
kdc_log(r->context, r->config, 4,
"krb5_verify_checksum failed for S4U2Self: %s", msg);
krb5_free_error_message(r->context, msg);
goto out;
}
ret = _krb5_principalname2krb5_principal(r->context,
&s4u_client_name,
self.name,
self.realm);
if (ret)
goto out;
ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
if (ret)
goto out;
/*
* Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
* is probably not desirable!
*/
ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
HDB_F_GET_CLIENT | flags, NULL,
&s4u_clientdb, &s4u_client);
if (ret) {
const char *msg;
/*
* If the client belongs to the same realm as our krbtgt, it
* should exist in the local database.
*
*/
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
msg = krb5_get_error_message(r->context, ret);
_kdc_audit_addreason((kdc_request_t)r,
"S4U2Self principal to impersonate not found");
kdc_log(r->context, r->config, 2,
"S4U2Self principal to impersonate %s not found in database: %s",
s4ucname, msg);
krb5_free_error_message(r->context, msg);
goto out;
}
/*
* Ignore require_pwchange and pw_end attributes (as Windows does),
* since S4U2Self is not password authentication.
*/
s4u_client->entry.flags.require_pwchange = FALSE;
free(s4u_client->entry.pw_end);
s4u_client->entry.pw_end = NULL;
ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
if (ret)
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
ret = _kdc_pac_generate(r->context,
s4u_client,
r->server,
NULL,
KRB5_PAC_WAS_GIVEN_IMPLICITLY,
&s4u_pac);
if (ret) {
kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
goto out;
}
/*
* Check that service doing the impersonating is
* requesting a ticket to it-self.
*/
ret = _kdc_check_client_matches_target_service(r->context,
r->config,
r->clientdb,
r->client,
r->server,
r->server_princ);
if (ret) {
kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
"to impersonate to service "
"(tried for user %s to service %s)",
r->cname, s4ucname, r->sname);
goto out;
}
ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
&s4u_canon_client_name);
if (ret)
goto out;
/*
* If the service isn't trusted for authentication to
* delegation or if the impersonate client is disallowed
* forwardable, remove the forwardable flag.
*/
if (r->client->entry.flags.trusted_for_delegation &&
s4u_client->entry.flags.forwardable) {
str = "[forwardable]";
} else {
b->kdc_options.forwardable = 0;
str = "";
}
kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
"service %s %s", r->cname, s4ucname, r->sname, str);
/*
* Replace all client information in the request with the
* impersonated client. (The audit entry containing the original
* client name will have been created before this point.)
*/
update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
&s4u_canon_client_name, &s4u_pac);
out:
if (s4u_client)
_kdc_free_ent(r->context, s4u_client);
krb5_free_principal(r->context, s4u_client_name);
krb5_xfree(s4ucname);
krb5_free_principal(r->context, s4u_canon_client_name);
krb5_pac_free(r->context, s4u_pac);
free_PA_S4U2Self(&self);
return ret;
}
/*
* Validate a constrained delegation (S4U2Proxy) request. If present
* and successfully validated then the client in the request structure
* will be replaced with the client from the evidence ticket.
*/
static krb5_error_code
validate_constrained_delegation(astgs_request_t r)
{
krb5_error_code ret;
KDC_REQ_BODY *b = &r->req.req_body;
int flags = HDB_F_FOR_TGS_REQ;
krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
krb5_principal s4u_canon_client_name = NULL;
krb5_pac s4u_pac = NULL;
uint64_t s4u_pac_attributes;
char *s4ucname = NULL, *s4usname = NULL;
EncTicketPart evidence_tkt;
hdb_entry_ex *s4u_client = NULL;
krb5_boolean ad_kdc_issued = FALSE;
Key *clientkey;
Ticket *t;
krb5_const_realm local_realm;
if (r->client == NULL
|| b->additional_tickets == NULL
|| b->additional_tickets->len == 0
|| b->kdc_options.cname_in_addl_tkt == 0
|| b->kdc_options.enc_tkt_in_skey)
return 0;
memset(&evidence_tkt, 0, sizeof(evidence_tkt));
local_realm =
krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1);
/*
* We require that the service's TGT has a PAC; this will have been
* validated prior to this function being called.
*/
if (r->pac == NULL) {
ret = KRB5KDC_ERR_BADOPTION;
_kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
kdc_log(r->context, r->config, 4,
"Constrained delegation without PAC, %s/%s",
r->cname, r->sname);
goto out;
}
t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(r->context, &r->client->entry,
hdb_kvno2keys(r->context, &r->client->entry,
t->enc_part.kvno ? * t->enc_part.kvno : 0),
t->enc_part.etype, &clientkey);
if (ret) {
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
goto out;
}
ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
if (ret) {
_kdc_audit_addreason((kdc_request_t)r,
"Failed to decrypt constrained delegation ticket");
kdc_log(r->context, r->config, 4,
"failed to decrypt ticket for "
"constrained delegation from %s to %s ", r->cname, r->sname);
goto out;
}
ret = _krb5_principalname2krb5_principal(r->context,
&s4u_client_name,
evidence_tkt.cname,
evidence_tkt.crealm);
if (ret)
goto out;
ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
if (ret)
goto out;
_kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
ret = _krb5_principalname2krb5_principal(r->context,
&s4u_server_name,
t->sname,
t->realm);
if (ret)
goto out;
ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
if (ret)
goto out;
/* check that ticket is valid */
if (evidence_tkt.flags.forwardable == 0) {
_kdc_audit_addreason((kdc_request_t)r,
"Missing forwardable flag on ticket for constrained delegation");
kdc_log(r->context, r->config, 4,
"Missing forwardable flag on ticket for "
"constrained delegation from %s (%s) as %s to %s ",
r->cname, s4usname, s4ucname, r->sname);
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
ret = check_constrained_delegation(r->context, r->config, r->clientdb,
r->client, r->server, r->server_princ);
if (ret) {
_kdc_audit_addreason((kdc_request_t)r,
"Constrained delegation not allowed");
kdc_log(r->context, r->config, 4,
"constrained delegation from %s (%s) as %s to %s not allowed",
r->cname, s4usname, s4ucname, r->sname);
goto out;
}
ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
if (ret) {
_kdc_audit_addreason((kdc_request_t)r,
"Constrained delegation ticket expired or invalid");
goto out;
}
/* Try lookup the delegated client in DB */
ret = _kdc_db_fetch_client(r->context, r->config, flags,
s4u_client_name, s4ucname, local_realm,
NULL, &s4u_client);
if (ret)
goto out;
if (s4u_client != NULL) {
ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
if (ret)
goto out;
}
/*
* TODO: pass in t->sname and t->realm and build
* a S4U_DELEGATION_INFO blob to the PAC.
*/
ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
s4u_client, r->server, r->krbtgt, r->client,
&clientkey->key, &r->ticket_key->key, &evidence_tkt,
&ad_kdc_issued, &s4u_pac,
&s4u_canon_client_name, &s4u_pac_attributes);
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
_kdc_audit_addreason((kdc_request_t)r,
"Constrained delegation ticket PAC check failed");
kdc_log(r->context, r->config, 4,
"Verify delegated PAC failed to %s for client"
"%s (%s) as %s from %s with %s",
r->sname, r->cname, s4usname, s4ucname, r->from, msg);
krb5_free_error_message(r->context, msg);
goto out;
}
if (s4u_pac == NULL || !ad_kdc_issued) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(r->context, r->config, 4,
"Ticket not signed with PAC; service %s failed for "
"for delegation to %s for client %s (%s) from %s; (%s).",
r->sname, s4ucname, s4usname, r->cname, r->from,
s4u_pac ? "Ticket unsigned" : "No PAC");
_kdc_audit_addreason((kdc_request_t)r,
"Constrained delegation ticket not signed");
goto out;
}
/*
* If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
* the canonical client name, but the user is local to our KDC, we
* can insert the canonical client name ourselves.
*/
if (s4u_canon_client_name == NULL && s4u_client != NULL) {
ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
&s4u_canon_client_name);
if (ret)
goto out;
}
kdc_log(r->context, r->config, 4, "constrained delegation for %s "
"from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
/*
* Replace all client information in the request with the
* impersonated client. (The audit entry containing the original
* client name will have been created before this point.)
*/
update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
&s4u_canon_client_name, &s4u_pac);
r->pac_attributes = s4u_pac_attributes;
out:
if (s4u_client)
_kdc_free_ent(r->context, s4u_client);
krb5_free_principal(r->context, s4u_client_name);
krb5_xfree(s4ucname);
krb5_free_principal(r->context, s4u_server_name);
krb5_xfree(s4usname);
krb5_free_principal(r->context, s4u_canon_client_name);
krb5_pac_free(r->context, s4u_pac);
free_EncTicketPart(&evidence_tkt);
return ret;
}
/*
*
*/
krb5_error_code
_kdc_validate_services_for_user(astgs_request_t r)
{
krb5_error_code ret;
ret = validate_protocol_transition(r);
if (ret == 0)
ret = validate_constrained_delegation(r);
return ret;
}