Now that ETYPE_xxx names are macros to the KRB5_ENCTYPE_xxx
symbols there is no longer a need to cast to (krb5_enctype).
Change-Id: Ib561f6e45346abac7a53eb1db0bfef60ee3bcb74
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.
Recent auditing changes (b1dcc1a4) introduced a leak into pa_enc_ts_validate()
where the encryption type name and error message could be leaked.
This patch fixes a compile error in the original commit.
r->canon_client_princ is always an alias to r->client->entry.principal in the
AS, but use it for consistency with the TGS. (In the TGS, it may also come from
te PAC.)
Move the Services for User (SFU/S4U) implementation -- protocol transition and
constrained delegation -- into its own compilation unit, with an interface that
only takes an astgs_request_t, so it can be easily factored out into a plugin
module in the future.
This refactoring is also careful to update all client names in the request
structure after the SFU/S4U validation has successfully completed.
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
Annotate libkdc APIs with KDC_LIB_{CALL,FUNCTION} to ensure correct calling
convention and optimized DLL importing on Windows.
Ensure Windows and libtool export tables are consistent.
Now heim_audit_addkv() correctly supports multiple values, the other functions
that (by design) replace existing values with a single value should use the
heim_audit_setkv prefix.
A subsequent commit could add variants that support multiple values for
non-string types.
Allow the windc plugin to also implement an audit callback. As part of this
change, both the HDB and windc audit function signatures are changed to return
void.
The auth event details audit key (formerly, parameter to auth_status)
contained, variously, an encryption type name; a PKINIT client certificate
name; or, a GSS initiator name. Audit these instead using individual keys that
reflect the values' contents.
Preserve integer/boolean audit values as their native types; convert to strings
when logging only. This commit goes some way towards unifying the two auditing
APIs.
Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
with a view towards unifying the two APIs in a future commit.
The term "auth status" is replaced with "auth event", and the HDB auth_status
method is replaced with a more general purpose audit method which has access to
the entire request structure.
Return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, not HDB_ERR_NOENTRY, if a client
principal could not be found during pre-authentication.
This fixes a regression introduced with synthetic principals in 00358252d3.
We're logging SUCCESS even when the KDC sends error replies. That's
because we're returning success to process_request() even when we send
errors to clients. The error we want to send to the client, and that we
succeed or fail to send it, are different statuses.
Also, further move things into `r` and out of function arguments.
Remove the outpadata field from astgs_request_t, because it's not something we
wish to expose publically (yet it is something that Samba needs in the
client_access plugin API, to add Windows error information).
Instead, allocate rep->padata at the start of AS/TGS request handling, and
ensure it is valid for the lifetime of the request until it is encoded (at
which point it will be freed and set to NULL if zero length, to avoid sending a
zero length METHOD-DATA to the client).
(The previous approach of setting rep->padata to point to &r->outpadata was
fragile, because it required clearing the pointer before freeing the KDC-REP.)
Make client_access plugin API take a single argument, astgs_request_t. Note: in
order to avoid making r->outpadata public (it's an internal buffer), but allow
Samba to modify the reply pa data, some pointer magic is required.
Add a helper function that returns TRUE if a PAC should be included in ticket
authorization data, that can be called from both AS and TGS paths.
Per [MS-KILE] 3.3.5.3, PACs are always included for TGTs; for service
tickets, policy is governed by whether the client explicitly requested
a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
flag is set on the service principal entry.
Distinguish pre-authentication mechanisms that replace the reply key from those
that use the client's long-term key. In the general case, one is the inverse of
the other, however KRB5_PADATA_ENCRYPTED_CHALLENGE replaces the reply-key with
one derived from the long-term key.
PA_REPLACE_REPLY_KEY indicates that the kvno should be set to zero in the
reply; the absence of PA_USES_LONG_TERM_KEY indicates that the client's
long-term key may be included in the PAC (PAC_CREDENTIAL_INFO with Samba only).
Corrects e8984871.
Distinguish pre-authentication mechanisms that replace the reply key from those
that use the client's long-term key. In the general case, one is the inverse of
the other, however KRB5_PADATA_ENCRYPTED_CHALLENGE replaces the reply-key with
one derived from the long-term key.
PA_REPLACE_REPLY_KEY indicates that the kvno should be set to zero in the
reply; the absence of PA_USES_LONG_TERM_KEY indicates that the client's
long-term key may be included in the PAC (PAC_CREDENTIAL_INFO with Samba only).
PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES buffer
(legacy behavior) or if the attributes buffer indicates the AS client requested
one.
Only include the PAC_ATTRIBUTES PAC info buffer if we are issuing a TGT, as its
contents are not relevant to application services. (The buffer contains a bit
indicating whether the client explicitly or implicitly requested a PAC.)
Update the sample GSS pre-authentication authorizer plugin to allow the PAC to
be pinned to the authenticating user's SID.
There is still a race condition between the time the user authenticates and the
time the SID is looked up via LDAP, but it should be sufficient as an example;
if more security is required, then users should be enrolled with their SIDs.
Note the selected pre-authentication mechanism, and add a callback to allow the
pre-authentication mechanism to update the PAC immediately prior to signing.
Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user
explicitly requested a PAC be present or absent.
Note: this changes the windc plugin ABI.
Use the UPN_DNS_INFO buffer of the PAC to include the canonical principal name.
Arguably we should use AD-LOGIN-ALIAS as defined in RFC6806, but we may not
always know all the principal's aliases, and this approach allows us to share
application service logic with Windows.
08e0305b introduced a patch to validate armor ticket PACs, but required that
the armor client principal was in the local realm (as it did not allow
_kdc_db_fetch() to fail).
Allow cross-realm FAST armor clients by using the same logic to look up the
client principal as the TGS itself does, i.e. use db_fetch_client() which
handles the case where the client is not local to the KDC.
Note: the armor PAC is only required to be validated when issuing a final,
non-referral service ticket, as this is the only point upon which device claims
should be inserted (according to my understanding).
Closes: #901
Add a new authorization data type to indicate a synthetic principal was used,
to allow synthetic clients acquired outside of PKINIT (e.g. with GSS-API
pre-authentication) to use the TGS.
Note: we continue to honor KRB5_AUTHDATA_INITIAL_VERIFIED_CAS to indicate that
it is OK for the client to be synthetic, even though it is only an indication
that the client *may* have been synthetic.
If the pre-authentication mechanism replaced the reply key, then the kvno in
the KDC-REP should be zero, as the reply is not encrypted in the client's
(versioned) long-term key.
Closes: #899
