/* * Copyright (c) 2003 - 2016 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Portions Copyright (c) 2009 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "krb5_locl.h" struct krb5_dh_moduli { char *name; unsigned long bits; heim_integer p; heim_integer g; heim_integer q; }; #include #include #include #include #include #include #include #include #include krb5_error_code _krb5_pkinit_pkey2SubjectPublicKeyInfo(krb5_context context, const EVP_PKEY *pkey, SubjectPublicKeyInfo *spki) { unsigned char *buf = NULL; unsigned char *p; size_t len, size; krb5_error_code ret; len = i2d_PUBKEY(pkey, NULL); if (len <= 0) return _krb5_set_error_message_openssl(context, HX509_CRYPTO_INTERNAL_ERROR, "Failed to encode public key"); p = buf = malloc(len); if (p == NULL) return krb5_enomem(context); if (i2d_PUBKEY(pkey, &p) != len) { free(buf); return _krb5_set_error_message_openssl(context, HX509_CRYPTO_INTERNAL_ERROR, "Failed to encode public key"); } ret = decode_SubjectPublicKeyInfo(buf, len, spki, &size); free(buf); return ret; } /* Makes a EVP_PKEY * params object from modp DH p, g, q (q is optional) */ static EVP_PKEY * dh_params_from_pg(krb5_context context, const unsigned char *p, size_t plen, const unsigned char *g, size_t glen, const unsigned char *q, size_t qlen) { EVP_PKEY *params = NULL; EVP_PKEY_CTX *ctx = NULL; BIGNUM *p_bn = NULL; BIGNUM *g_bn = NULL; BIGNUM *q_bn = NULL; OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *par = NULL; /* Convert raw bytes to BIGNUMs - OpenSSL 3.x requires BN for FFC params */ p_bn = BN_bin2bn(p, plen, NULL); g_bn = BN_bin2bn(g, glen, NULL); if (q && qlen) q_bn = BN_bin2bn(q, qlen, NULL); if (!p_bn || !g_bn || (q && qlen && !q_bn)) goto out; /* Build OSSL_PARAM array */ bld = OSSL_PARAM_BLD_new(); if (!bld) goto out; if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p_bn) || !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g_bn)) goto out; if (q_bn && !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q_bn)) goto out; par = OSSL_PARAM_BLD_to_param(bld); if (!par) goto out; /* * Always use DHX (X9.42 DH) for PKINIT - this produces the * id-dhpublicnumber OID (1.2.840.10046.2.1) that PKINIT requires, * rather than the PKCS#3 OID (1.2.840.113549.1.3.1) that "DH" uses. */ ctx = EVP_PKEY_CTX_new_from_name(context->ossl->libctx, "DHX", context->ossl->propq); if (!ctx) goto out; if (EVP_PKEY_fromdata_init(ctx) <= 0) goto out; if (EVP_PKEY_fromdata(ctx, ¶ms, EVP_PKEY_KEY_PARAMETERS, par) <= 0) params = NULL; out: OSSL_PARAM_free(par); OSSL_PARAM_BLD_free(bld); EVP_PKEY_CTX_free(ctx); BN_free(p_bn); BN_free(g_bn); BN_free(q_bn); return params; } /* * Produce OpenSSL 3.x params from the p, g, q in a modp DH * AlgorithmIdentifier returned by a KDC. * * Note that we don't validate the domain parameters. */ static krb5_error_code dh_params_from_AI(krb5_context context, heim_octet_string *ai_params, EVP_PKEY **out) { DomainParameters dp; krb5_error_code ret; const unsigned char *p, *g, *q; size_t plen, glen, qlen; *out = NULL; ret = decode_DomainParameters(ai_params->data, ai_params->length, &dp, NULL); if (ret) return ret; /* * heim_integer has the DER-encoding of the INTEGER. OpenSSL wants the * unsigned, unpadded DER-encoding of the INTEGER. So we reject negative * numbers and remove any padding, then use dh_params_from_pg(). */ if (dp.p.negative || dp.g.negative || (dp.q && dp.q->negative)) return EINVAL; p = dp.p.data; plen = dp.p.length; g = dp.g.data; glen = dp.g.length; q = dp.q ? dp.q->data : NULL; qlen = dp.q ? dp.q->length : 0; if (dp.p.length > 1 && p[0] == 0) { p++; plen--; } if (dp.g.length > 1 && g[0] == 0) { g++; glen--; } if (q && dp.q->length > 1 && q[0] == 0) { q++; qlen--; } *out = dh_params_from_pg(context, p, plen, g, glen, q, qlen); free_DomainParameters(&dp); if (*out) return 0; return EINVAL; } static krb5_error_code pkinit_make_dh_key(krb5_context context, EVP_PKEY *params_in, const char *group, EVP_PKEY **pkey) { EVP_PKEY_CTX *pctx = NULL; EVP_PKEY_CTX *kctx = NULL; EVP_PKEY *params = NULL; OSSL_PARAM p[] = { OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, rk_UNCONST(group), 0), OSSL_PARAM_END }; *pkey = NULL; if (params_in) { if ((kctx = EVP_PKEY_CTX_new_from_pkey(context->ossl->libctx, params_in, context->ossl->propq)) == NULL || EVP_PKEY_keygen_init(kctx) <= 0 || EVP_PKEY_keygen(kctx, pkey) <= 0) *pkey = NULL; } else { if ((pctx = EVP_PKEY_CTX_new_from_name(context->ossl->libctx, "DHX", context->ossl->propq)) == NULL || EVP_PKEY_paramgen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, p) <= 0 || EVP_PKEY_paramgen(pctx, ¶ms) <= 0 || (kctx = EVP_PKEY_CTX_new_from_pkey(context->ossl->libctx, params, context->ossl->propq)) == NULL || EVP_PKEY_keygen_init(kctx) <= 0 || EVP_PKEY_keygen(kctx, pkey) <= 0) *pkey = NULL; } EVP_PKEY_CTX_free(kctx); EVP_PKEY_CTX_free(pctx); EVP_PKEY_free(params); if (*pkey == NULL) { char *s = _krb5_openssl_errors(); krb5_set_error_message(context, HX509_CRYPTO_INTERNAL_ERROR, "Could not make a DH keyshare: %s", s ? s : ""); free(s); return HX509_CRYPTO_INTERNAL_ERROR; } return 0; } struct krb5_pk_cert { hx509_cert cert; }; static void pk_copy_error(krb5_context context, hx509_context hx509ctx, int hxret, const char *fmt, ...) __attribute__ ((__format__ (__printf__, 4, 5))); /* * */ KRB5_LIB_FUNCTION void KRB5_LIB_CALL _krb5_pk_cert_free(struct krb5_pk_cert *cert) { if (cert->cert) { hx509_cert_free(cert->cert); } free(cert); } static enum keyex_enum select_dh_type(krb5_context context, krb5_pk_init_ctx ctx) { TD_DH_PARAMETERS *p = ctx->kdc_dh_algs; hx509_cert cert = ctx->id->cert; size_t i; int seen_ec = 0; int seen_modp = 0; int prefer_ec = krb5_config_get_bool_default(context, NULL, -1, "libdefaults", "pkinit_prefer_ec", NULL); /* * The KDC offered key agreement algorithms; pick one we like. We * prefer EC to modp DH. */ if (p) { for (i = 0; i < p->len; i++) { const heim_oid *oid = &p->val[i].algorithm; if (der_heim_oid_cmp(oid, &asn1_oid_id_X25519) == 0 || der_heim_oid_cmp(oid, &asn1_oid_id_X448) == 0 || der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp256r1) == 0 || der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp384r1) == 0 || der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp521r1) == 0) seen_ec = 1; else if (der_heim_oid_cmp(oid, &asn1_oid_id_dhpublicnumber) == 0 && p->val[i].parameters != NULL) seen_modp = 1; } } if (prefer_ec == -1 && cert) { AlgorithmIdentifier alg; /* Cert indicates EC support -> then use ECDH */ if (hx509_cert_get_SPKI_AlgorithmIdentifier(context->hx509ctx, cert, &alg) == 0) { if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_ecPublicKey) == 0) prefer_ec = 1; else if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_Ed25519) == 0) prefer_ec = 1; else if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_Ed448) == 0) prefer_ec = 1; free_AlgorithmIdentifier(&alg); } } /* Whichever we preferred, if the KDC offered it, use that */ if (prefer_ec > 0 && seen_ec) return USE_ECDH; if (prefer_ec == 0 && seen_modp) return USE_DH; /* Whichever we preferred, if the KDC only offered the other, use that */ if (seen_ec) return USE_ECDH; if (seen_modp) return USE_DH; /* * The KDC offered nothing (yet, perhaps because we have not yet tried, or * perhaps it doesn't support telling us its preference). * * Prefer EC/X DH then. */ if (prefer_ec == -1) prefer_ec = 1; return prefer_ec ? USE_ECDH : USE_DH; } static krb5_error_code select_dh_group(krb5_context context, EVP_PKEY **params, const char **group, unsigned long min_bits, krb5_pk_init_ctx ctx) { const struct krb5_dh_moduli *m; struct krb5_dh_moduli **moduli = ctx->m; TD_DH_PARAMETERS *p = ctx->kdc_dh_algs; krb5_error_code ret; if (p) { size_t i; /* * Pick the first DH modp group offered by the KDC. We do not validate * this group if [libdefaults] pkinit_dh_trust_modp_kdc_choice is set * to true. Since we're going to get a signature from the KDC and we * validate the KDC's certificate, we can default this to TRUE. * * NOTE: If we ever try to build something like PKU2U w/ anonymous * server support then we'll need to default this to FALSE for * that case! */ if (!krb5_config_get_bool_default(context, NULL, TRUE, "libdefaults", "pkinit_dh_trust_modp_kdc_choice", NULL)) return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; for (i = 0; i < p->len; i++) { if (der_heim_oid_cmp(&p->val[i].algorithm, &asn1_oid_id_dhpublicnumber) != 0 || p->val[i].parameters == NULL) continue; ret = dh_params_from_AI(context, p->val[i].parameters, params); if (ret) // XXX More trace/error info would be nice return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; return 0; } return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } if (krb5_config_get_bool_default(context, NULL, TRUE, "libdefaults", "pkinit_dh_use_modp", NULL)) { /* * Use RFC 3526 Oakley groups (modp_*). MIT Kerberos only supports * 1024 (disabled by default), 2048, and 4096. Default to 2048. */ if (min_bits == 0 || min_bits <= 2048) { *group = "modp_2048"; return 0; } if (min_bits <= 4096) { *group = "modp_4096"; return 0; } /* Larger sizes not supported by MIT, fall through to moduli file */ } if (moduli[0] == NULL) { krb5_set_error_message(context, EINVAL, N_("Did not find a DH group parameter " "matching requirement of %lu bits", ""), min_bits); return EINVAL; } if (min_bits == 0) { m = moduli[0]; } else { int i; for (i = 0; moduli[i] != NULL; i++) { if (moduli[i]->bits >= min_bits) break; } if (moduli[i] == NULL) { krb5_set_error_message(context, EINVAL, N_("Did not find a DH group parameter " "matching requirement of %lu bits", ""), min_bits); return EINVAL; } m = moduli[i]; } *params = dh_params_from_pg(context, m->p.data, m->p.length, m->g.data, m->g.length, m->q.data ? m->q.data : NULL, m->q.length); return 0; } struct certfind { const char *type; const heim_oid *oid; }; /* * Try searchin the key by to use by first looking for for PK-INIT * EKU, then the Microsoft smart card EKU and last, no special EKU at all. */ static krb5_error_code find_cert(krb5_context context, struct krb5_pk_identity *id, hx509_query *q, hx509_cert *cert) { struct certfind cf[4] = { { "MobileMe EKU", NULL }, { "PKINIT EKU", NULL }, { "MS EKU", NULL }, { "any (or no)", NULL } }; int ret = HX509_CERT_NOT_FOUND; size_t i, start = 1; unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 }; const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids }; if (id->flags & PKINIT_BTMM) start = 0; cf[0].oid = &mobileMe; cf[1].oid = &asn1_oid_id_pkekuoid; cf[2].oid = &asn1_oid_id_pkinit_ms_eku; cf[3].oid = NULL; for (i = start; i < sizeof(cf)/sizeof(cf[0]); i++) { ret = hx509_query_match_eku(q, cf[i].oid); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed setting %s OID", cf[i].type); return ret; } ret = hx509_certs_find(context->hx509ctx, id->certs, q, cert); if (ret == 0) break; pk_copy_error(context, context->hx509ctx, ret, "Failed finding certificate with %s OID", cf[i].type); } return ret; } static krb5_error_code create_signature(krb5_context context, const heim_oid *eContentType, krb5_data *eContent, struct krb5_pk_identity *id, hx509_peer_info peer, krb5_data *sd_data) { int ret, flags = 0; if (id->cert == NULL) flags |= HX509_CMS_SIGNATURE_NO_SIGNER; ret = hx509_cms_create_signed_1(context->hx509ctx, flags, eContentType, eContent->data, eContent->length, NULL, id->cert, peer, NULL, id->certs, sd_data); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Create CMS signedData"); return ret; } return 0; } static int KRB5_LIB_CALL cert2epi(hx509_context context, void *ctx, hx509_cert c) { ExternalPrincipalIdentifiers *ids = ctx; ExternalPrincipalIdentifier id; hx509_name subject = NULL; void *p; int ret; if (ids->len > 10) return 0; memset(&id, 0, sizeof(id)); ret = hx509_cert_get_subject(c, &subject); if (ret) return ret; if (hx509_name_is_null_p(subject) != 0) { id.subjectName = calloc(1, sizeof(*id.subjectName)); if (id.subjectName == NULL) { hx509_name_free(&subject); free_ExternalPrincipalIdentifier(&id); return ENOMEM; } ret = hx509_name_binary(subject, id.subjectName); if (ret) { hx509_name_free(&subject); free_ExternalPrincipalIdentifier(&id); return ret; } } hx509_name_free(&subject); id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber)); if (id.issuerAndSerialNumber == NULL) { free_ExternalPrincipalIdentifier(&id); return ENOMEM; } { IssuerAndSerialNumber iasn; hx509_name issuer; size_t size = 0; memset(&iasn, 0, sizeof(iasn)); ret = hx509_cert_get_issuer(c, &issuer); if (ret) { free_ExternalPrincipalIdentifier(&id); return ret; } ret = hx509_name_to_Name(issuer, &iasn.issuer); hx509_name_free(&issuer); if (ret) { free_ExternalPrincipalIdentifier(&id); return ret; } ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); if (ret) { free_IssuerAndSerialNumber(&iasn); free_ExternalPrincipalIdentifier(&id); return ret; } ASN1_MALLOC_ENCODE(IssuerAndSerialNumber, id.issuerAndSerialNumber->data, id.issuerAndSerialNumber->length, &iasn, &size, ret); free_IssuerAndSerialNumber(&iasn); if (ret) { free_ExternalPrincipalIdentifier(&id); return ret; } if (id.issuerAndSerialNumber->length != size) abort(); } id.subjectKeyIdentifier = NULL; p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); if (p == NULL) { free_ExternalPrincipalIdentifier(&id); return ENOMEM; } ids->val = p; ids->val[ids->len] = id; ids->len++; return 0; } static krb5_error_code build_edi(krb5_context context, hx509_context hx509ctx, hx509_certs certs, ExternalPrincipalIdentifiers *ids) { return hx509_certs_iter_f(hx509ctx, certs, cert2epi, ids); } static krb5_error_code make_supportedKDFs(krb5_context context, krb5_pk_init_ctx ctx, AuthPack *a) { char **kdfs; krb5_error_code ret; KDFAlgorithmId kdf; memset(&kdf, 0, sizeof(kdf)); if (ctx->want_kdf_alg && der_heim_oid_cmp(ctx->want_kdf_alg, &asn1_oid_id_pkinit_kdf) == 0) { if (a->supportedKDFs) free_SupportedKDFs(a->supportedKDFs); free(a->supportedKDFs); a->supportedKDFs = NULL; return 0; } if (a->supportedKDFs) free_SupportedKDFs(a->supportedKDFs); else if ((a->supportedKDFs = calloc(1, sizeof(*a->supportedKDFs))) == NULL) return krb5_enomem(context); if (ctx->want_kdf_alg) { ret = der_copy_oid(ctx->want_kdf_alg, &kdf.kdf_id); if (ret) return ret; ret = add_SupportedKDFs(a->supportedKDFs, &kdf); der_free_oid(&kdf.kdf_id); return ret; } kdfs = krb5_config_get_strings(context, NULL, "libdefaults", "pkinit_kdfs", NULL); if (kdfs) { const heim_oid *oid = NULL; size_t i; /* XXX Extract this if-strcmp ladder into a utility function */ for (i = 0; kdfs[i]; i++) { if (strcmp(kdfs[i], "ah-sha1") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha1; else if (strcmp(kdfs[i], "ah-sha256") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha256; else if (strcmp(kdfs[i], "ah-sha384") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha384; else if (strcmp(kdfs[i], "ah-sha512") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha512; if (oid == NULL) continue; // XXX debug trace or error! ret = der_copy_oid(oid, &kdf.kdf_id); if (ret) return ret; ret = add_SupportedKDFs(a->supportedKDFs, &kdf); der_free_oid(&kdf.kdf_id); if (ret) return ret; } krb5_config_free_strings(kdfs); return 0; } /* * Indicate support for all of them. RFC 4556 is what we'll get if the KDC * doesn't support any of these RFC 8636 ones. */ ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha256, &kdf.kdf_id); if (ret == 0) ret = add_SupportedKDFs(a->supportedKDFs, &kdf); der_free_oid(&kdf.kdf_id); ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha384, &kdf.kdf_id); if (ret == 0) ret = add_SupportedKDFs(a->supportedKDFs, &kdf); der_free_oid(&kdf.kdf_id); ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha512, &kdf.kdf_id); if (ret == 0) ret = add_SupportedKDFs(a->supportedKDFs, &kdf); der_free_oid(&kdf.kdf_id); ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha1, &kdf.kdf_id); if (ret == 0) ret = add_SupportedKDFs(a->supportedKDFs, &kdf); der_free_oid(&kdf.kdf_id); return ret; } static krb5_error_code build_auth_pack(krb5_context context, unsigned nonce, krb5_pk_init_ctx ctx, const KDC_REQ_BODY *body, AuthPack *a) { size_t buf_size, len = 0; krb5_error_code ret; void *buf; krb5_timestamp sec; int32_t usec; Checksum checksum; krb5_clear_error_message(context); memset(&checksum, 0, sizeof(checksum)); krb5_us_timeofday(context, &sec, &usec); a->pkAuthenticator.ctime = sec; a->pkAuthenticator.nonce = nonce; ret = make_supportedKDFs(context, ctx, a); if (ret) return ret; ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret); if (ret) return ret; if (buf_size != len) krb5_abortx(context, "internal error in ASN.1 encoder"); ret = krb5_create_checksum(context, NULL, 0, CKSUMTYPE_SHA1, buf, len, &checksum); free(buf); if (ret) return ret; ALLOC(a->pkAuthenticator.paChecksum, 1); if (a->pkAuthenticator.paChecksum == NULL) { return krb5_enomem(context); } ret = krb5_data_copy(a->pkAuthenticator.paChecksum, checksum.checksum.data, checksum.checksum.length); free_Checksum(&checksum); if (ret) return ret; if (ctx->keyex == USE_DH || ctx->keyex == USE_ECDH) { EVP_PKEY *params = NULL; krb5_data dhbuf; krb5_data_zero(&dhbuf); if (1 /* support_cached_dh */) { ALLOC(a->clientDHNonce, 1); if (a->clientDHNonce == NULL) { krb5_clear_error_message(context); return ENOMEM; } ret = krb5_data_alloc(a->clientDHNonce, 40); if (a->clientDHNonce == NULL) { krb5_clear_error_message(context); return ret; } ret = RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length); if (ret != 1) return KRB5_CRYPTO_INTERNAL; ret = krb5_copy_data(context, a->clientDHNonce, &ctx->clientDHNonce); if (ret) return ret; } if (ctx->keyex == USE_DH) { const char *group = NULL; const char *moduli_file = krb5_config_get_string(context, NULL, "libdefaults", "moduli", NULL); unsigned long dh_min_bits = krb5_config_get_int_default(context, NULL, 0, "libdefaults", "pkinit_dh_min_bits", NULL); ret = _krb5_parse_moduli(context, moduli_file, &ctx->m); if (ret) return ret; ret = select_dh_group(context, ¶ms, &group, dh_min_bits, ctx); if (ret) return ret; ret = pkinit_make_dh_key(context, params, group, &ctx->pkey); if (ret) return ret; /* * Prior to removing hcrypto and switching to OpenSSL 3.x we had * this comment: * * | The q parameter is required, but MSFT made it optional. * | It's only required in order to verify the domain parameters * | -- the security of the DH group --, but we validate groups * | against known groups rather than accepting arbitrary groups * | chosen by the peer, so we really don't need to have put it * | on the wire. Because these are Oakley groups, and the * | primes are Sophie Germain primes, q is p>>1 and we can * | compute it on the fly like MIT Kerberos does, but we'd have * | to implement BN_rshift1(). * * We use X9.42 DH (EVP_PKEY_DHX) which produces the * id-dhpublicnumber OID (1.2.840.10046.2.1) per RFC 3279 as * referenced by RFC 4556. * * The q parameter is optional on the wire -- RFC 4556 requires it * but Microsoft treats it as optional. We include q when available * (OpenSSL includes it if provided at key generation time). When * validating received params we don't care if q is missing because * we only accept configured groups anyways, so we don't need to * validate the peer's group. * * Note: the old comment about computing q = p>>1 for Sophie * Germain primes only applies to Oakley Group 2 (RFC 2409). The * RFC 3526 MODP groups are NOT Sophie Germain primes. */ } else { ret = _krb5_pkinit_make_ecdh_key(context, NULL, NULL, _krb5_pkinit_pick_curve(context, ctx), &ctx->pkey); if (ret) return ret; } ALLOC(a->clientPublicValue, 1); ret = _krb5_pkinit_pkey2SubjectPublicKeyInfo(context, ctx->pkey, a->clientPublicValue); if (ret) return ret; } { a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes)); if (a->supportedCMSTypes == NULL) return ENOMEM; ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, ctx->id->cert, &a->supportedCMSTypes->val, &a->supportedCMSTypes->len); if (ret) return ret; } return ret; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pk_mk_ContentInfo(krb5_context context, const krb5_data *buf, const heim_oid *oid, struct ContentInfo *content_info) { krb5_error_code ret; ret = der_copy_oid(oid, &content_info->contentType); if (ret) return ret; ALLOC(content_info->content, 1); if (content_info->content == NULL) return ENOMEM; content_info->content->data = malloc(buf->length); if (content_info->content->data == NULL) return ENOMEM; memcpy(content_info->content->data, buf->data, buf->length); content_info->content->length = buf->length; return 0; } static krb5_error_code pk_mk_padata(krb5_context context, krb5_pk_init_ctx ctx, const KDC_REQ_BODY *req_body, unsigned nonce, METHOD_DATA *md) { struct ContentInfo content_info; krb5_error_code ret; const heim_oid *oid = NULL; size_t size = 0; krb5_data buf, sd_buf; int pa_type = -1; krb5_data_zero(&buf); krb5_data_zero(&sd_buf); memset(&content_info, 0, sizeof(content_info)); if (ctx->type == PKINIT_WIN2K) { AuthPack_Win2k ap; krb5_timestamp sec; int32_t usec; memset(&ap, 0, sizeof(ap)); /* fill in PKAuthenticator */ ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName); if (ret) { free_AuthPack_Win2k(&ap); krb5_clear_error_message(context); goto out; } ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm); if (ret) { free_AuthPack_Win2k(&ap); krb5_clear_error_message(context); goto out; } krb5_us_timeofday(context, &sec, &usec); ap.pkAuthenticator.ctime = sec; ap.pkAuthenticator.cusec = usec; ap.pkAuthenticator.nonce = nonce; ASN1_MALLOC_ENCODE(AuthPack_Win2k, buf.data, buf.length, &ap, &size, ret); free_AuthPack_Win2k(&ap); if (ret) { krb5_set_error_message(context, ret, N_("Failed encoding AuthPackWin: %d", ""), (int)ret); goto out; } if (buf.length != size) krb5_abortx(context, "internal ASN1 encoder error"); oid = &asn1_oid_id_pkcs7_data; } else if (ctx->type == PKINIT_27) { AuthPack ap; memset(&ap, 0, sizeof(ap)); ret = build_auth_pack(context, nonce, ctx, req_body, &ap); if (ret) { free_AuthPack(&ap); goto out; } ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret); free_AuthPack(&ap); if (ret) { krb5_set_error_message(context, ret, N_("Failed encoding AuthPack: %d", ""), (int)ret); goto out; } if (buf.length != size) krb5_abortx(context, "internal ASN1 encoder error"); oid = &asn1_oid_id_pkauthdata; } else krb5_abortx(context, "internal pkinit error"); ret = create_signature(context, oid, &buf, ctx->id, ctx->peer, &sd_buf); krb5_data_free(&buf); if (ret) goto out; ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &sd_buf, &buf); krb5_data_free(&sd_buf); if (ret) { krb5_set_error_message(context, ret, N_("ContentInfo wrapping of signedData failed","")); goto out; } if (ctx->type == PKINIT_WIN2K) { PA_PK_AS_REQ_Win2k winreq; pa_type = KRB5_PADATA_PK_AS_REQ_WIN; memset(&winreq, 0, sizeof(winreq)); winreq.signed_auth_pack = buf; ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_Win2k, buf.data, buf.length, &winreq, &size, ret); free_PA_PK_AS_REQ_Win2k(&winreq); } else if (ctx->type == PKINIT_27) { PA_PK_AS_REQ req; pa_type = KRB5_PADATA_PK_AS_REQ; memset(&req, 0, sizeof(req)); req.signedAuthPack = buf; if (ctx->trustedCertifiers) { req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); if (req.trustedCertifiers == NULL) { ret = krb5_enomem(context); free_PA_PK_AS_REQ(&req); goto out; } ret = build_edi(context, context->hx509ctx, ctx->id->anchors, req.trustedCertifiers); if (ret) { krb5_set_error_message(context, ret, N_("pk-init: failed to build " "trustedCertifiers", "")); free_PA_PK_AS_REQ(&req); goto out; } } req.kdcPkId = NULL; ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length, &req, &size, ret); free_PA_PK_AS_REQ(&req); } else krb5_abortx(context, "internal pkinit error"); if (ret) { krb5_set_error_message(context, ret, "PA-PK-AS-REQ %d", (int)ret); goto out; } if (buf.length != size) krb5_abortx(context, "Internal ASN1 encoder error"); ret = krb5_padata_add(context, md, pa_type, buf.data, buf.length); if (ret) free(buf.data); if (ret == 0) ret = krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0); out: free_ContentInfo(&content_info); return ret; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pk_mk_padata(krb5_context context, void *c, int ic_flags, int win2k, const KDC_REQ_BODY *req_body, unsigned nonce, krb5_error_code error_code, TYPED_DATA *td, METHOD_DATA *md) { krb5_pk_init_ctx ctx = c; int win2k_compat; if (ctx->id->certs == NULL && ctx->anonymous == 0) { krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY, N_("PKINIT: No user certificate given", "")); return HEIM_PKINIT_NO_PRIVATE_KEY; } win2k_compat = krb5_config_get_bool_default(context, NULL, win2k, "realms", req_body->realm, "pkinit_win2k", NULL); if (win2k_compat) { ctx->require_binding = krb5_config_get_bool_default(context, NULL, TRUE, "realms", req_body->realm, "pkinit_win2k_require_binding", NULL); ctx->type = PKINIT_WIN2K; } else ctx->type = PKINIT_27; ctx->require_eku = krb5_config_get_bool_default(context, NULL, TRUE, "realms", req_body->realm, "pkinit_require_eku", NULL); if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK) ctx->require_eku = 0; if (ctx->id->flags & (PKINIT_BTMM | PKINIT_NO_KDC_ANCHOR)) ctx->require_eku = 0; ctx->require_krbtgt_otherName = krb5_config_get_bool_default(context, NULL, TRUE, "realms", req_body->realm, "pkinit_require_krbtgt_otherName", NULL); if (ic_flags & KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK) ctx->require_krbtgt_otherName = FALSE; ctx->require_hostname_match = krb5_config_get_bool_default(context, NULL, FALSE, "realms", req_body->realm, "pkinit_require_hostname_match", NULL); ctx->trustedCertifiers = krb5_config_get_bool_default(context, NULL, TRUE, "realms", req_body->realm, "pkinit_trustedCertifiers", NULL); return pk_mk_padata(context, ctx, req_body, nonce, md); } static krb5_error_code pk_verify_sign(krb5_context context, const void *data, size_t length, struct krb5_pk_identity *id, heim_oid *contentType, krb5_data *content, struct krb5_pk_cert **signer) { hx509_certs signer_certs; int ret; unsigned flags = 0, verify_flags = 0; *signer = NULL; if (id->flags & PKINIT_BTMM) { flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; flags |= HX509_CMS_VS_NO_KU_CHECK; flags |= HX509_CMS_VS_NO_VALIDATE; } if (id->flags & PKINIT_NO_KDC_ANCHOR) flags |= HX509_CMS_VS_NO_VALIDATE; ret = hx509_cms_verify_signed_ext(context->hx509ctx, id->verify_ctx, flags, data, length, NULL, id->certpool, contentType, content, &signer_certs, &verify_flags); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "CMS verify signed failed"); return ret; } heim_assert((verify_flags & HX509_CMS_VSE_VALIDATED) || (id->flags & PKINIT_NO_KDC_ANCHOR), "Either PKINIT signer must be validated, or NO_KDC_ANCHOR must be set"); if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0) goto out; *signer = calloc(1, sizeof(**signer)); if (*signer == NULL) { krb5_clear_error_message(context); ret = ENOMEM; goto out; } ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to get one of the signer certs"); goto out; } out: hx509_certs_free(&signer_certs); if (ret) { if (*signer) { hx509_cert_free((*signer)->cert); free(*signer); *signer = NULL; } } return ret; } static krb5_error_code get_reply_key_win(krb5_context context, const krb5_data *content, unsigned nonce, krb5_keyblock **key) { ReplyKeyPack_Win2k key_pack; krb5_error_code ret; size_t size; ret = decode_ReplyKeyPack_Win2k(content->data, content->length, &key_pack, &size); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT decoding reply key failed", "")); free_ReplyKeyPack_Win2k(&key_pack); return ret; } if ((unsigned)key_pack.nonce != nonce) { krb5_set_error_message(context, ret, N_("PKINIT enckey nonce is wrong", "")); free_ReplyKeyPack_Win2k(&key_pack); return KRB5KRB_AP_ERR_MODIFIED; } *key = malloc (sizeof (**key)); if (*key == NULL) { free_ReplyKeyPack_Win2k(&key_pack); return krb5_enomem(context); } ret = copy_EncryptionKey(&key_pack.replyKey, *key); free_ReplyKeyPack_Win2k(&key_pack); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT failed copying reply key", "")); free(*key); *key = NULL; } return ret; } static krb5_error_code get_reply_key(krb5_context context, const krb5_data *content, const krb5_data *req_buffer, krb5_keyblock **key) { ReplyKeyPack key_pack; krb5_error_code ret; size_t size; ret = decode_ReplyKeyPack(content->data, content->length, &key_pack, &size); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT decoding reply key failed", "")); free_ReplyKeyPack(&key_pack); return ret; } { krb5_crypto crypto; /* * XXX Verify kp.replyKey is a allowed enctype in the * configuration file */ ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto); if (ret) { free_ReplyKeyPack(&key_pack); return ret; } ret = krb5_verify_checksum(context, crypto, 6, req_buffer->data, req_buffer->length, &key_pack.asChecksum); krb5_crypto_destroy(context, crypto); if (ret) { free_ReplyKeyPack(&key_pack); return ret; } } *key = malloc (sizeof (**key)); if (*key == NULL) { free_ReplyKeyPack(&key_pack); return krb5_enomem(context); } ret = copy_EncryptionKey(&key_pack.replyKey, *key); free_ReplyKeyPack(&key_pack); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT failed copying reply key", "")); free(*key); *key = NULL; } return ret; } static krb5_error_code pk_verify_host(krb5_context context, const char *realm, struct krb5_pk_init_ctx_data *ctx, struct krb5_pk_cert *host) { krb5_error_code ret = 0; if (ctx->require_eku) { ret = hx509_cert_check_eku(context->hx509ctx, host->cert, &asn1_oid_id_pkkdcekuoid, 0); if (ret) { krb5_set_error_message(context, ret, N_("No PK-INIT KDC EKU in kdc certificate", "")); return ret; } } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; size_t i; int matched = 0; ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx, host->cert, &asn1_oid_id_pkinit_san, &list); if (ret) { krb5_set_error_message(context, ret, N_("Failed to find the PK-INIT " "subjectAltName in the KDC " "certificate", "")); return ret; } /* * subjectAltNames are multi-valued, and a single KDC may serve * multiple realms. The SAN validation here must accept * the KDC's cert if *any* of the SANs match the expected KDC. * It is OK for *some* of the SANs to not match, provided at least * one does. */ for (i = 0; matched == 0 && i < list.len; i++) { KRB5PrincipalName r; ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &r, NULL); if (ret) { krb5_set_error_message(context, ret, N_("Failed to decode the PK-INIT " "subjectAltName in the " "KDC certificate", "")); break; } if (r.principalName.name_string.len == 2 && strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) == 0 && strcmp(r.principalName.name_string.val[1], realm) == 0 && strcmp(r.realm, realm) == 0) matched = 1; free_KRB5PrincipalName(&r); } hx509_free_octet_string_list(&list); if (matched == 0 && (ctx->id->flags & PKINIT_NO_KDC_ANCHOR) == 0) { ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; /* XXX: Lost in translation... */ krb5_set_error_message(context, ret, N_("KDC has wrong realm name in " "the certificate", "")); } } if (ret) return ret; return ret; } static krb5_error_code pk_rd_pa_reply_enckey(krb5_context context, int type, const heim_octet_string *indata, const heim_oid *dataType, const char *realm, krb5_pk_init_ctx ctx, krb5_enctype etype, unsigned nonce, const krb5_data *req_buffer, PA_DATA *pa, krb5_keyblock **key) { krb5_error_code ret; struct krb5_pk_cert *host = NULL; krb5_data content; heim_octet_string unwrapped; heim_oid contentType = { 0, NULL }; int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT; if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_envelopedData, dataType)) { krb5_set_error_message(context, EINVAL, N_("PKINIT: Invalid content type", "")); return EINVAL; } if (ctx->type == PKINIT_WIN2K) flags |= HX509_CMS_UE_ALLOW_WEAK; ret = hx509_cms_unenvelope(context->hx509ctx, ctx->id->certs, flags, indata->data, indata->length, NULL, 0, &contentType, &content); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to unenvelope CMS data in PK-INIT reply"); return ret; } der_free_oid(&contentType); /* win2k uses ContentInfo */ if (type == PKINIT_WIN2K) { heim_oid type2; ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL); if (ret) { /* windows LH with interesting CMS packets */ size_t ph = 1 + der_length_len(content.length); unsigned char *ptr = malloc(content.length + ph); size_t l; memcpy(ptr + ph, content.data, content.length); ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length, ASN1_C_UNIV, CONS, UT_Sequence, &l); if (ret) { free(ptr); return ret; } free(content.data); content.data = ptr; content.length += ph; ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL); if (ret) goto out; } if (der_heim_oid_cmp(&type2, &asn1_oid_id_pkcs7_signedData)) { ret = EINVAL; /* XXX */ krb5_set_error_message(context, ret, N_("PKINIT: Invalid content type", "")); der_free_oid(&type2); der_free_octet_string(&unwrapped); goto out; } der_free_oid(&type2); krb5_data_free(&content); ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length); der_free_octet_string(&unwrapped); if (ret) { krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } } ret = pk_verify_sign(context, content.data, content.length, ctx->id, &contentType, &unwrapped, &host); if (ret == 0) { krb5_data_free(&content); ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length); der_free_octet_string(&unwrapped); } if (ret) goto out; heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR), "KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set"); if (host) { /* make sure that it is the kdc's certificate */ ret = pk_verify_host(context, realm, ctx, host); if (ret) goto out; ctx->kdc_verified = 1; } #if 0 if (type == PKINIT_WIN2K) { if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) != 0) { ret = KRB5KRB_AP_ERR_MSG_TYPE; krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid"); goto out; } } else { if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkrkeydata) != 0) { ret = KRB5KRB_AP_ERR_MSG_TYPE; krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid"); goto out; } } #endif switch(type) { case PKINIT_WIN2K: ret = get_reply_key(context, &content, req_buffer, key); if (ret != 0 && ctx->require_binding == 0) ret = get_reply_key_win(context, &content, nonce, key); break; case PKINIT_27: ret = get_reply_key(context, &content, req_buffer, key); break; } if (ret) goto out; /* XXX compare given etype with key->etype */ out: if (host) _krb5_pk_cert_free(host); der_free_oid(&contentType); krb5_data_free(&content); return ret; } /* * RFC 8062 section 7: * * The client then decrypts the KDC contribution key and verifies that * the ticket session key in the returned ticket is the combined key of * the KDC contribution key and the reply key. */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pk_kx_confirm(krb5_context context, krb5_pk_init_ctx ctx, krb5_keyblock *reply_key, krb5_keyblock *session_key, PA_DATA *pa_pkinit_kx) { krb5_error_code ret; EncryptedData ed; krb5_keyblock ck, sk_verify; krb5_crypto ck_crypto = NULL; krb5_crypto rk_crypto = NULL; size_t len; krb5_data data; krb5_data p1 = { sizeof("PKINIT") - 1, rk_UNCONST("PKINIT") }; krb5_data p2 = { sizeof("KEYEXCHANGE") - 1, rk_UNCONST("KEYEXCHANGE") }; heim_assert(ctx != NULL, "PKINIT context is non-NULL"); heim_assert(reply_key != NULL, "reply key is non-NULL"); heim_assert(session_key != NULL, "session key is non-NULL"); /* PA-PKINIT-KX is optional unless anonymous */ if (pa_pkinit_kx == NULL) return ctx->anonymous ? KRB5_KDCREP_MODIFIED : 0; memset(&ed, 0, sizeof(ed)); krb5_keyblock_zero(&ck); krb5_keyblock_zero(&sk_verify); krb5_data_zero(&data); ret = decode_EncryptedData(pa_pkinit_kx->padata_value.data, pa_pkinit_kx->padata_value.length, &ed, &len); if (ret) goto out; if (len != pa_pkinit_kx->padata_value.length) { ret = KRB5_KDCREP_MODIFIED; goto out; } ret = krb5_crypto_init(context, reply_key, 0, &rk_crypto); if (ret) goto out; ret = krb5_decrypt_EncryptedData(context, rk_crypto, KRB5_KU_PA_PKINIT_KX, &ed, &data); if (ret) goto out; ret = decode_EncryptionKey(data.data, data.length, &ck, &len); if (ret) goto out; ret = krb5_crypto_init(context, &ck, 0, &ck_crypto); if (ret) goto out; ret = krb5_crypto_fx_cf2(context, ck_crypto, rk_crypto, &p1, &p2, session_key->keytype, &sk_verify); if (ret) goto out; if (sk_verify.keytype != session_key->keytype || krb5_data_ct_cmp(&sk_verify.keyvalue, &session_key->keyvalue) != 0) { ret = KRB5_KDCREP_MODIFIED; goto out; } out: free_EncryptedData(&ed); krb5_free_keyblock_contents(context, &ck); krb5_free_keyblock_contents(context, &sk_verify); if (ck_crypto) krb5_crypto_destroy(context, ck_crypto); if (rk_crypto) krb5_crypto_destroy(context, rk_crypto); krb5_data_free(&data); return ret; } static krb5_error_code pk_rd_pa_reply_dh(krb5_context context, const heim_octet_string *indata, const heim_oid *dataType, const AS_REQ *a, krb5_pk_init_ctx ctx, const AS_REP *kdc_rep, const PA_PK_AS_REP *pk_rep, const DHNonce *c_n, const DHNonce *k_n, unsigned nonce, const heim_oid *kdf, PA_DATA *pa, krb5_keyblock **key) { unsigned char *dh_gen_key = NULL; struct krb5_pk_cert *host = NULL; BIGNUM *kdc_dh_pubkey = NULL; KDCDHKeyInfo kdc_dh_info; heim_oid contentType = { 0, NULL }; krb5_data content; krb5_error_code ret; int dh_gen_keylen = 0; size_t size; if (ctx->want_kdf_alg && kdf && der_heim_oid_cmp(ctx->want_kdf_alg, kdf) != 0) { krb5_set_error_message(context, ENOTSUP, "PKINIT: The KDC chose a PKINIT KDF other than the one requested by the user"); return ENOTSUP; } krb5_data_zero(&content); memset(&kdc_dh_info, 0, sizeof(kdc_dh_info)); if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_signedData, dataType)) { krb5_set_error_message(context, EINVAL, N_("PKINIT: Invalid content type", "")); return EINVAL; } ret = pk_verify_sign(context, indata->data, indata->length, ctx->id, &contentType, &content, &host); if (ret) goto out; heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR), "KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set"); if (host) { /* make sure that it is the kdc's certificate */ ret = pk_verify_host(context, a->req_body.realm, ctx, host); if (ret) goto out; ctx->kdc_verified = 1; } if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) { ret = KRB5KRB_AP_ERR_MSG_TYPE; krb5_set_error_message(context, ret, N_("pkinit - dh reply contains wrong oid", "")); goto out; } ret = decode_KDCDHKeyInfo(content.data, content.length, &kdc_dh_info, &size); if (ret) { krb5_set_error_message(context, ret, N_("pkinit - failed to decode " "KDC DH Key Info", "")); goto out; } if (kdc_dh_info.nonce != nonce) { ret = KRB5KRB_AP_ERR_MODIFIED; krb5_set_error_message(context, ret, N_("PKINIT: DH nonce is wrong", "")); goto out; } if (kdc_dh_info.dhKeyExpiration) { if (k_n == NULL) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, N_("pkinit; got key expiration " "without server nonce", "")); goto out; } if (c_n == NULL) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, N_("pkinit; got DH reuse but no " "client nonce", "")); goto out; } } else { if (k_n) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, N_("pkinit: got server nonce " "without key expiration", "")); goto out; } c_n = NULL; } /* Almost exactly the same with OpenSSL 3.x APIs for DH and ECDH */ ret = _krb5_pk_rd_pa_reply_ossl_compute_key(context, ctx, kdc_dh_info.subjectPublicKey, &dh_gen_key, &dh_gen_keylen); if (ret) goto out; if (dh_gen_keylen <= 0) { ret = EINVAL; krb5_set_error_message(context, ret, N_("PKINIT: resulting DH key <= 0", "")); dh_gen_keylen = 0; goto out; } *key = malloc (sizeof (**key)); if (*key == NULL) { ret = krb5_enomem(context); goto out; } ret = _krb5_pk_kdf2(context, a, pk_rep, dh_gen_key, dh_gen_keylen, kdc_rep->enc_part.etype, c_n, *key); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT: can't create key from DH key", "")); free(*key); *key = NULL; goto out; } out: if (kdc_dh_pubkey) BN_free(kdc_dh_pubkey); if (dh_gen_key) { memset(dh_gen_key, 0, dh_gen_keylen); free(dh_gen_key); } if (host) _krb5_pk_cert_free(host); if (content.data) krb5_data_free(&content); der_free_oid(&contentType); free_KDCDHKeyInfo(&kdc_dh_info); return ret; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pk_rd_pa_reply(krb5_context context, void *c, const AS_REQ *a, const AS_REP *kdc_rep, unsigned nonce, const krb5_data *req_buffer, PA_DATA *pa, krb5_keyblock **key) { krb5_pk_init_ctx ctx = c; krb5_error_code ret; size_t size; /* Check for IETF PK-INIT first */ if (ctx->type == PKINIT_27) { PA_PK_AS_REP rep; heim_octet_string os, data; heim_oid oid; if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { krb5_set_error_message(context, EINVAL, N_("PKINIT: wrong padata recv", "")); return EINVAL; } ret = decode_PA_PK_AS_REP(pa->padata_value.data, pa->padata_value.length, &rep, &size); if (ret) { krb5_set_error_message(context, ret, N_("Failed to decode pkinit AS rep", "")); return ret; } switch (rep.element) { case choice_PA_PK_AS_REP_dhInfo: _krb5_debug(context, 5, "krb5_get_init_creds: using pkinit dh"); os = rep.u.dhInfo.dhSignedData; break; case choice_PA_PK_AS_REP_encKeyPack: _krb5_debug(context, 5, "krb5_get_init_creds: using kinit enc reply key"); os = rep.u.encKeyPack; break; default: { PA_PK_AS_REP_BTMM btmm; free_PA_PK_AS_REP(&rep); memset(&rep, 0, sizeof(rep)); _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key"); ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data, pa->padata_value.length, &btmm, &size); if (ret) { krb5_set_error_message(context, EINVAL, N_("PKINIT: -27 reply " "invalid content type", "")); return EINVAL; } if (btmm.dhSignedData || btmm.encKeyPack == NULL) { free_PA_PK_AS_REP_BTMM(&btmm); ret = EINVAL; krb5_set_error_message(context, ret, N_("DH mode not supported for BTMM mode", "")); return ret; } /* * Transform to IETF style PK-INIT reply so that free works below */ rep.element = choice_PA_PK_AS_REP_encKeyPack; rep.u.encKeyPack.data = btmm.encKeyPack->data; rep.u.encKeyPack.length = btmm.encKeyPack->length; btmm.encKeyPack->data = NULL; btmm.encKeyPack->length = 0; free_PA_PK_AS_REP_BTMM(&btmm); os = rep.u.encKeyPack; } } ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL); if (ret) { free_PA_PK_AS_REP(&rep); krb5_set_error_message(context, ret, N_("PKINIT: failed to unwrap CI", "")); return ret; } switch (rep.element) { case choice_PA_PK_AS_REP_dhInfo: ret = pk_rd_pa_reply_dh(context, &data, &oid, a, ctx, kdc_rep, &rep, ctx->clientDHNonce, rep.u.dhInfo.serverDHNonce, nonce, rep.u.dhInfo.kdf ? &rep.u.dhInfo.kdf->kdf_id : NULL, pa, key); break; case choice_PA_PK_AS_REP_encKeyPack: ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, a->req_body.realm, ctx, kdc_rep->enc_part.etype, nonce, req_buffer, pa, key); break; default: krb5_abortx(context, "pk-init as-rep case not possible to happen"); } der_free_octet_string(&data); der_free_oid(&oid); free_PA_PK_AS_REP(&rep); } else if (ctx->type == PKINIT_WIN2K) { PA_PK_AS_REP_Win2k w2krep; /* Check for Windows encoding of the AS-REP pa data */ #if 0 /* should this be ? */ if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv"); return EINVAL; } #endif memset(&w2krep, 0, sizeof(w2krep)); ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data, pa->padata_value.length, &w2krep, &size); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT: Failed decoding windows " "pkinit reply %d", ""), (int)ret); return ret; } krb5_clear_error_message(context); switch (w2krep.element) { case choice_PA_PK_AS_REP_Win2k_encKeyPack: { heim_octet_string data; heim_oid oid; ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, &oid, &data, NULL); free_PA_PK_AS_REP_Win2k(&w2krep); if (ret) { krb5_set_error_message(context, ret, N_("PKINIT: failed to unwrap CI", "")); return ret; } ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid, a->req_body.realm, ctx, kdc_rep->enc_part.etype, nonce, req_buffer, pa, key); der_free_octet_string(&data); der_free_oid(&oid); break; } default: free_PA_PK_AS_REP_Win2k(&w2krep); ret = EINVAL; krb5_set_error_message(context, ret, N_("PKINIT: win2k reply invalid " "content type", "")); break; } } else { ret = EINVAL; krb5_set_error_message(context, ret, N_("PKINIT: unknown reply type", "")); } return ret; } struct prompter { krb5_context context; krb5_prompter_fct prompter; void *prompter_data; }; static int hx_pass_prompter(void *data, const hx509_prompt *prompter) { krb5_error_code ret; krb5_prompt prompt; krb5_data password_data; struct prompter *p = data; password_data.data = prompter->reply.data; password_data.length = prompter->reply.length; prompt.prompt = prompter->prompt; prompt.hidden = hx509_prompt_hidden(prompter->type); prompt.reply = &password_data; switch (prompter->type) { case HX509_PROMPT_TYPE_INFO: prompt.type = KRB5_PROMPT_TYPE_INFO; break; case HX509_PROMPT_TYPE_PASSWORD: case HX509_PROMPT_TYPE_QUESTION: default: prompt.type = KRB5_PROMPT_TYPE_PASSWORD; break; } ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { memset (prompter->reply.data, 0, prompter->reply.length); return 1; } return 0; } static krb5_error_code _krb5_pk_set_user_id(krb5_context context, krb5_principal principal, krb5_pk_init_ctx ctx, struct hx509_certs_data *certs) { hx509_certs c = hx509_certs_ref(certs); hx509_query *q = NULL; int ret; if (ctx->id->certs) hx509_certs_free(&ctx->id->certs); if (ctx->id->cert) { hx509_cert_free(ctx->id->cert); ctx->id->cert = NULL; } ctx->id->certs = c; ctx->anonymous = 0; ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Allocate query to find signing certificate"); return ret; } hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); if (ctx->want_sig_alg) { ret = hx509_query_match_key_algorithm(q, ctx->want_sig_alg); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed setting key algorithm query"); hx509_query_free(context->hx509ctx, q); return ret; } } if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) { ctx->id->flags |= PKINIT_BTMM; } ret = find_cert(context, ctx->id, q, &ctx->id->cert); hx509_query_free(context->hx509ctx, q); if (ret == 0 && _krb5_have_debug(context, 2)) { hx509_name name; char *str, *sn; heim_integer i; ret = hx509_cert_get_subject(ctx->id->cert, &name); if (ret) goto out; ret = hx509_name_to_string(name, &str); hx509_name_free(&name); if (ret) goto out; ret = hx509_cert_get_serialnumber(ctx->id->cert, &i); if (ret) { free(str); goto out; } ret = der_print_hex_heim_integer(&i, &sn); der_free_heim_integer(&i); if (ret) { free(str); goto out; } _krb5_debug(context, 2, "using cert: subject: %s sn: %s", str, sn); free(str); free(sn); } out: return ret; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pk_load_id(krb5_context context, struct krb5_pk_identity **ret_id, const char *user_id, const char *anchor_id, char * const *chain_list, char * const *revoke_list, krb5_prompter_fct prompter, void *prompter_data, char *password) { struct krb5_pk_identity *id = NULL; struct prompter p; krb5_error_code ret; *ret_id = NULL; /* load cert */ id = calloc(1, sizeof(*id)); if (id == NULL) return krb5_enomem(context); if (user_id) { hx509_lock lock; ret = hx509_lock_init(context->hx509ctx, &lock); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed init lock"); goto out; } if (password && password[0]) hx509_lock_add_password(lock, password); if (prompter) { p.context = context; p.prompter = prompter; p.prompter_data = prompter_data; ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p); if (ret) { hx509_lock_free(lock); goto out; } } ret = hx509_certs_init(context->hx509ctx, user_id, 0, lock, &id->certs); hx509_lock_free(lock); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to init cert certs"); goto out; } } else { id->certs = NULL; } ret = hx509_certs_init(context->hx509ctx, anchor_id, 0, NULL, &id->anchors); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to init anchors"); goto out; } ret = hx509_certs_init(context->hx509ctx, "MEMORY:pkinit-cert-chain", 0, NULL, &id->certpool); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to init chain"); goto out; } while (chain_list && *chain_list) { ret = hx509_certs_append(context->hx509ctx, id->certpool, NULL, *chain_list); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to load chain %s", *chain_list); goto out; } chain_list++; } if (revoke_list) { ret = hx509_revoke_init(context->hx509ctx, &id->revokectx); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to init revoke list"); goto out; } while (*revoke_list) { ret = hx509_revoke_add_crl(context->hx509ctx, id->revokectx, *revoke_list); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to load revoke list"); goto out; } revoke_list++; } } else hx509_context_set_missing_revoke(context->hx509ctx, 1); ret = hx509_verify_init_ctx(context->hx509ctx, &id->verify_ctx); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to init verify context"); goto out; } hx509_verify_attach_anchors(id->verify_ctx, id->anchors); hx509_verify_attach_revoke(id->verify_ctx, id->revokectx); out: if (ret) { hx509_verify_destroy_ctx(id->verify_ctx); hx509_certs_free(&id->certs); hx509_certs_free(&id->anchors); hx509_certs_free(&id->certpool); hx509_revoke_free(&id->revokectx); free(id); } else *ret_id = id; return ret; } /* * */ static void pk_copy_error(krb5_context context, hx509_context hx509ctx, int hxret, const char *fmt, ...) { va_list va; char *s, *f; int ret; va_start(va, fmt); ret = vasprintf(&f, fmt, va); va_end(va); if (ret == -1 || f == NULL) { krb5_clear_error_message(context); return; } s = hx509_get_error_string(hx509ctx, hxret); if (s == NULL) { krb5_clear_error_message(context); free(f); return; } krb5_set_error_message(context, hxret, "%s: %s", f, s); free(s); free(f); } static int parse_integer(krb5_context context, char **p, const char *file, int lineno, const char *name, heim_integer *integer) { int ret; char *p1; p1 = strsep(p, " \t"); if (p1 == NULL) { krb5_set_error_message(context, EINVAL, N_("moduli file %s missing %s on line %d", ""), file, name, lineno); return EINVAL; } ret = der_parse_hex_heim_integer(p1, integer); if (ret) { krb5_set_error_message(context, ret, N_("moduli file %s failed parsing %s " "on line %d", ""), file, name, lineno); return ret; } return 0; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_parse_moduli_line(krb5_context context, const char *file, int lineno, char *p, struct krb5_dh_moduli **m) { struct krb5_dh_moduli *m1; char *p1; int ret; *m = NULL; m1 = calloc(1, sizeof(*m1)); if (m1 == NULL) return krb5_enomem(context); while (isspace((unsigned char)*p)) p++; if (*p == '#') { free(m1); return 0; } ret = EINVAL; p1 = strsep(&p, " \t"); if (p1 == NULL) { krb5_set_error_message(context, ret, N_("moduli file %s missing name on line %d", ""), file, lineno); goto out; } m1->name = strdup(p1); if (m1->name == NULL) { ret = krb5_enomem(context); goto out; } p1 = strsep(&p, " \t"); if (p1 == NULL) { krb5_set_error_message(context, ret, N_("moduli file %s missing bits on line %d", ""), file, lineno); goto out; } m1->bits = atoi(p1); if (m1->bits == 0) { krb5_set_error_message(context, ret, N_("moduli file %s has un-parsable " "bits on line %d", ""), file, lineno); goto out; } ret = parse_integer(context, &p, file, lineno, "p", &m1->p); if (ret) goto out; ret = parse_integer(context, &p, file, lineno, "g", &m1->g); if (ret) goto out; ret = parse_integer(context, &p, file, lineno, "q", &m1->q); if (ret) { m1->q.negative = 0; m1->q.length = 0; m1->q.data = 0; krb5_clear_error_message(context); } *m = m1; return 0; out: free(m1->name); der_free_heim_integer(&m1->p); der_free_heim_integer(&m1->g); der_free_heim_integer(&m1->q); free(m1); return ret; } static void free_moduli_element(struct krb5_dh_moduli *element) { free(element->name); der_free_heim_integer(&element->p); der_free_heim_integer(&element->g); der_free_heim_integer(&element->q); free(element); } KRB5_LIB_FUNCTION void KRB5_LIB_CALL _krb5_free_moduli(struct krb5_dh_moduli **moduli) { int i; for (i = 0; moduli[i] != NULL; i++) free_moduli_element(moduli[i]); free(moduli); } static const char *default_moduli_RFC2412_MODP_group2 = /* name */ "RFC2412-MODP-group2 " /* bits */ "1024 " /* p */ "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381" "FFFFFFFF" "FFFFFFFF " /* g */ "02 " /* q */ "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68" "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E" "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122" "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6" "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0" "FFFFFFFF" "FFFFFFFF"; static const char *default_moduli_rfc3526_MODP_group14 = /* name */ "rfc3526-MODP-group14 " /* bits */ "2048 " /* p */ "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD" "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245" "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED" "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D" "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F" "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D" "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B" "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9" "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510" "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF " /* g */ "02 " /* q */ "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68" "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E" "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122" "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6" "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E" "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF" "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36" "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D" "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964" "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288" "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF"; KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_parse_moduli(krb5_context context, const char *file, struct krb5_dh_moduli ***moduli) { /* name bits P G Q */ krb5_error_code ret; struct krb5_dh_moduli **m = NULL, **m2; char buf[4096]; FILE *f; int lineno = 0, n = 0; *moduli = NULL; m = calloc(1, sizeof(m[0]) * 3); if (m == NULL) return krb5_enomem(context); strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf)); ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]); if (ret) { _krb5_free_moduli(m); return ret; } n++; strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf)); ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]); if (ret) { _krb5_free_moduli(m); return ret; } n++; if (file == NULL) file = MODULI_FILE; { char *exp_file; if (_krb5_expand_path_tokens(context, file, 1, &exp_file) == 0) { f = fopen(exp_file, "r"); krb5_xfree(exp_file); } else { f = NULL; } } if (f == NULL) { *moduli = m; return 0; } rk_cloexec_file(f); while(fgets(buf, sizeof(buf), f) != NULL) { struct krb5_dh_moduli *element; buf[strcspn(buf, "\n")] = '\0'; lineno++; ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element); if (ret) break; if (element == NULL) continue; m2 = realloc(m, (n + 2) * sizeof(m[0])); if (m2 == NULL) { free_moduli_element(element); ret = krb5_enomem(context); break; } m = m2; m[n] = element; m[n + 1] = NULL; n++; } if (ret) { _krb5_free_moduli(m); m = NULL; } *moduli = m; (void) fclose(f); return ret; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_dh_group_ok(krb5_context context, unsigned long bits, heim_integer *p, heim_integer *g, heim_integer *q, struct krb5_dh_moduli **moduli, char **name) { unsigned long dh_min_bits = krb5_config_get_int_default(context, NULL, 0, "libdefaults", "pkinit_dh_min_bits", NULL); int i; if (name) *name = NULL; if (dh_min_bits > 0 && bits < dh_min_bits) { krb5_set_error_message(context, KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, N_("PKINIT: DH group parameter not ok (group too small)", "")); return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } for (i = 0; moduli[i] != NULL; i++) { if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 && der_heim_integer_cmp(&moduli[i]->p, p) == 0 && (q == NULL || moduli[i]->q.length == 0 || der_heim_integer_cmp(&moduli[i]->q, q) == 0)) { if (bits && bits > moduli[i]->bits) { krb5_set_error_message(context, KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, N_("PKINIT: DH group parameter %s " "not accepted, not enough bits " "generated", ""), moduli[i]->name); return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } if (name) *name = strdup(moduli[i]->name); return 0; } } krb5_set_error_message(context, KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, N_("PKINIT: DH group parameter not ok", "")); return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } KRB5_LIB_FUNCTION void KRB5_LIB_CALL _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) { krb5_pk_init_ctx ctx; if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL) return; ctx = opt->opt_private->pk_init_ctx; switch (ctx->keyex) { case USE_DH: case USE_ECDH: EVP_PKEY_free(ctx->pkey); break; case USE_RSA: break; } if (ctx->id) { hx509_verify_destroy_ctx(ctx->id->verify_ctx); hx509_certs_free(&ctx->id->certs); hx509_cert_free(ctx->id->cert); hx509_certs_free(&ctx->id->anchors); hx509_certs_free(&ctx->id->certpool); if (ctx->clientDHNonce) { krb5_free_data(NULL, ctx->clientDHNonce); ctx->clientDHNonce = NULL; } if (ctx->m) _krb5_free_moduli(ctx->m); free(ctx->id); ctx->id = NULL; } free(opt->opt_private->pk_init_ctx); opt->opt_private->pk_init_ctx = NULL; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_opt_set_pkinit_allowed_algs(krb5_context context, krb5_get_init_creds_opt *opt, const char *dh_alg, const char *sig_alg, const char *kdf_alg) { const heim_oid *oid = NULL; if (sig_alg) { /* * Signature algorithm preferences select certificates by public key * algorithm OID. */ if (strcasecmp(sig_alg, "ed25519") == 0) oid = ASN1_OID_ID_ED25519; else if (strcasecmp(sig_alg, "ed448") == 0) oid = ASN1_OID_ID_ED448; else if (strcasecmp(sig_alg, "rsa") == 0 || strcasecmp(sig_alg, "rsa-sha256") == 0) oid = &asn1_oid_id_pkcs1_rsaEncryption; else if ((oid = _krb5_ec_nidname2heim_oid(sig_alg)) == NULL) { krb5_set_error_message(context, KRB5_KDC_ERR_INVALID_HASH_ALG, "PKINIT: Signature/key algorithm %s unknown", sig_alg); return KRB5_KDC_ERR_INVALID_HASH_ALG; } opt->opt_private->pk_init_ctx->want_sig_alg = oid; } if (dh_alg) { if ((oid = _krb5_ec_nidname2heim_oid(dh_alg))) { opt->opt_private->pk_init_ctx->keyex = USE_ECDH; } else if (strncmp(dh_alg, "modp", sizeof("modp") - 1) == 0) { oid = &asn1_oid_id_dhpublicnumber; opt->opt_private->pk_init_ctx->keyex = USE_DH; } if (oid == NULL) { krb5_set_error_message(context, KRB5_KDC_ERR_INVALID_HASH_ALG, "PKINIT: Key agreement algorithm %s unknown", dh_alg); return KRB5_KDC_ERR_INVALID_HASH_ALG; } opt->opt_private->pk_init_ctx->want_dh_alg = oid; } if (kdf_alg) { if (strcmp(kdf_alg, "ah-sha1") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha1; else if (strcmp(kdf_alg, "ah-sha256") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha256; else if (strcmp(kdf_alg, "ah-sha384") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha384; else if (strcmp(kdf_alg, "ah-sha512") == 0) oid = &asn1_oid_id_pkinit_kdf_ah_sha512; else if (strcmp(kdf_alg, "RFC4556") == 0) /* * asn1_oid_id_pkinit_kdf is not a thing, but we'll use it * internally to mean "use only the RFC4556 KDF", and that we want * only for testing purposes (to test interop with older Heimdal * and MIT Kerberos KDCs). */ oid = &asn1_oid_id_pkinit_kdf; if (oid == NULL) { krb5_set_error_message(context, KRB5_KDC_ERR_INVALID_HASH_ALG, "PKINIT: Key derivation function algorithm %s unknown", kdf_alg); return KRB5_KDC_ERR_INVALID_HASH_ALG; } opt->opt_private->pk_init_ctx->want_kdf_alg = oid; } return 0; } KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_opt_set_pkinit(krb5_context context, krb5_get_init_creds_opt *opt, krb5_principal principal, const char *user_id, const char *x509_anchors, char * const * pool, char * const * pki_revoke, int flags, krb5_prompter_fct prompter, void *prompter_data, char *password) { krb5_error_code ret; char **freeme1 = NULL; char **freeme2 = NULL; char *anchors = NULL; if (opt->opt_private == NULL) { krb5_set_error_message(context, EINVAL, N_("PKINIT: on non extendable opt", "")); return EINVAL; } opt->opt_private->pk_init_ctx = calloc(1, sizeof(*opt->opt_private->pk_init_ctx)); if (opt->opt_private->pk_init_ctx == NULL) return krb5_enomem(context); opt->opt_private->pk_init_ctx->require_binding = 0; opt->opt_private->pk_init_ctx->require_eku = 1; opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1; opt->opt_private->pk_init_ctx->peer = NULL; /* XXX implement krb5_appdefault_strings */ if (pool == NULL) pool = freeme1 = krb5_config_get_strings(context, NULL, "appdefaults", "pkinit_pool", NULL); if (pki_revoke == NULL) pki_revoke = freeme2 = krb5_config_get_strings(context, NULL, "appdefaults", "pkinit_revoke", NULL); if (x509_anchors == NULL) { krb5_appdefault_string(context, "kinit", krb5_principal_get_realm(context, principal), "pkinit_anchors", NULL, &anchors); x509_anchors = anchors; } if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS) opt->opt_private->pk_init_ctx->anonymous = 1; if ((flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) == 0 && x509_anchors == NULL) { krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA, N_("PKINIT: No anchor given", "")); return HEIM_PKINIT_NO_VALID_CA; } ret = _krb5_pk_load_id(context, &opt->opt_private->pk_init_ctx->id, user_id, x509_anchors, pool, pki_revoke, prompter, prompter_data, password); krb5_config_free_strings(freeme2); krb5_config_free_strings(freeme1); free(anchors); if (ret) { free(opt->opt_private->pk_init_ctx); opt->opt_private->pk_init_ctx = NULL; return ret; } if (flags & KRB5_GIC_OPT_PKINIT_BTMM) opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; if (principal && krb5_principal_is_lkdc(context, principal)) opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM; if (flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) opt->opt_private->pk_init_ctx->id->flags |= PKINIT_NO_KDC_ANCHOR; if (opt->opt_private->pk_init_ctx->id->certs) { ret = _krb5_pk_set_user_id(context, principal, opt->opt_private->pk_init_ctx, opt->opt_private->pk_init_ctx->id->certs); if (ret) { free(opt->opt_private->pk_init_ctx); opt->opt_private->pk_init_ctx = NULL; return ret; } } else opt->opt_private->pk_init_ctx->id->cert = NULL; if ((flags & KRB5_GIC_OPT_PKINIT_USE_ENCKEY) == 0) { /* Use key agreement (modp DH) or ECDH (including X curves) */ opt->opt_private->pk_init_ctx->keyex = select_dh_type(context, opt->opt_private->pk_init_ctx); } else { /* Use RSA key transport */ opt->opt_private->pk_init_ctx->keyex = USE_RSA; if (opt->opt_private->pk_init_ctx->id->certs == NULL) { krb5_set_error_message(context, EINVAL, N_("No anonymous pkinit support in RSA mode", "")); return EINVAL; } } return 0; } krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context, krb5_get_init_creds_opt *opt, struct hx509_certs_data *certs) { if (opt->opt_private == NULL) { krb5_set_error_message(context, EINVAL, N_("PKINIT: on non extendable opt", "")); return EINVAL; } if (opt->opt_private->pk_init_ctx == NULL) { krb5_set_error_message(context, EINVAL, N_("PKINIT: on pkinit context", "")); return EINVAL; } return _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs); } static int get_ms_san(hx509_context context, hx509_cert cert, char **upn) { hx509_octet_string_list list; int ret; *upn = NULL; ret = hx509_cert_find_subjectAltName_otherName(context, cert, &asn1_oid_id_pkinit_ms_san, &list); if (ret) return 0; if (list.len > 0 && list.val[0].length > 0) ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, upn, NULL); else ret = 1; hx509_free_octet_string_list(&list); return ret; } static int find_ms_san(hx509_context context, hx509_cert cert, void *ctx) { char *upn; int ret; ret = get_ms_san(context, cert, &upn); if (ret == 0) free(upn); return ret; } /* * Private since it need to be redesigned using krb5_get_init_creds() */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_pk_enterprise_cert(krb5_context context, const char *user_id, krb5_const_realm realm, krb5_principal *principal, struct hx509_certs_data **res) { krb5_error_code ret; hx509_certs certs, result; hx509_cert cert = NULL; hx509_query *q; char *name; *principal = NULL; if (res) *res = NULL; if (user_id == NULL) { krb5_set_error_message(context, ENOENT, "no user id"); return ENOENT; } ret = hx509_certs_init(context->hx509ctx, user_id, 0, NULL, &certs); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to init cert certs"); goto out; } ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { krb5_set_error_message(context, ret, "out of memory"); hx509_certs_free(&certs); goto out; } hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); hx509_query_match_eku(q, &asn1_oid_id_pkinit_ms_eku); hx509_query_match_cmp_func(q, find_ms_san, NULL); ret = hx509_certs_filter(context->hx509ctx, certs, q, &result); hx509_query_free(context->hx509ctx, q); hx509_certs_free(&certs); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to find PKINIT certificate"); return ret; } ret = hx509_get_one_cert(context->hx509ctx, result, &cert); hx509_certs_free(&result); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to get one cert"); goto out; } ret = get_ms_san(context->hx509ctx, cert, &name); if (ret) { pk_copy_error(context, context->hx509ctx, ret, "Failed to get MS SAN"); goto out; } ret = krb5_make_principal(context, principal, realm, name, NULL); free(name); if (ret) goto out; krb5_principal_set_type(context, *principal, KRB5_NT_ENTERPRISE_PRINCIPAL); if (res) { ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res); if (ret) goto out; ret = hx509_certs_add(context->hx509ctx, *res, cert); if (ret) { hx509_certs_free(res); goto out; } } out: hx509_cert_free(cert); return ret; } KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL _krb5_pk_is_kdc_verified(krb5_context context, krb5_get_init_creds_opt *opt) { if (opt == NULL || opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL) return FALSE; return opt->opt_private->pk_init_ctx->kdc_verified; }