oysteikt/heimdal
0
0
Fork 0
Code Issues5 Pull Requests Releases Activity
Files
heimdal/kdc/ipc_csr_authorizer.c
Taylor R Campbell a142767598 Fix ctype.h misuse. 
Excluded: libtomath and libedit files, most of which appear to be
testing or example code not involved in production, and which are
derived from an upstream that should perhaps have patches submitted
upstream instead.

fix https://github.com/heimdal/heimdal/issues/1111
2023-05-26 14:10:11 -05:00

682 lines
19 KiB
C
Raw Permalink Blame History

/*
* Copyright (c) 2019 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* This plugin authorizes requested certificate SANs and EKUs by calling a
* service over IPC (Unix domain sockets on Linux/BSD/Illumos).
*
* The IPC protocol is request/response, with requests and responses sent as
*
* <length><string>
*
* where the <length> is 4 bytes, unsigned binary in network byte order, and
* <string> is an array of <length> bytes and does NOT include a NUL
* terminator.
*
* Requests are of the form:
*
* check <princ> <exttype>=<extvalue> ...
*
* where <princ> is a URL-escaped principal name, <exttype> is one of:
*
* - san_pkinit
* - san_xmpp
* - san_email
* - san_ms_upn
* - san_dnsname
* - eku
*
* and <extvalue> is a URL-escaped string representation of the SAN or OID.
*
* OIDs are in the form 1.2.3.4.5.6.
*
* Only characters other than alphanumeric, '@', '.', '-', '_', and '/' are
* URL-encoded.
*
* Responses are any of:
*
* - granted
* - denied
* - error message
*
* Example:
*
* C->S: check jane@TEST.H5L.SE san_dnsname=jane.foo.test.h5l.se eku=1.3.6.1.5.5.7.3.1
* S->C: granted
*
* Only digitalSignature and nonRepudiation key usages are allowed. Requested
* key usages are not sent to the CSR authorizer IPC server.
*/
#define _GNU_SOURCE 1
#include <sys/types.h>
#include <sys/stat.h>
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <roken.h>
#include <heim-ipc.h>
#include <krb5.h>
#include <hx509.h>
#include <kdc.h>
#include <common_plugin.h>
#include <csr_authorizer_plugin.h>
/*
* string_encode_sz() and string_encode() encode principal names and such to be
* safe for use in our IPC text messages. They function very much like URL
* encoders, but '~' also gets encoded, and '.' and '@' do not.
*
* An unescaper is not needed here.
*/
static size_t
string_encode_sz(const char *in)
{
size_t sz = strlen(in);
while (*in) {
char c = *(in++);
switch (c) {
case '@':
case '.':
case '-':
case '_':
case '/':
continue;
default:
if (isalnum((unsigned char)c))
continue;
sz += 2;
}
}
return sz;
}
static char *
string_encode(const char *in)
{
size_t len = strlen(in);
size_t sz = string_encode_sz(in);
size_t i, k;
char *s;
if ((s = malloc(sz + 1)) == NULL)
return NULL;
s[sz] = '\0';
for (i = k = 0; i < len; i++) {
unsigned char c = ((const unsigned char *)in)[i];
switch (c) {
case '@':
case '.':
case '-':
case '_':
case '/':
s[k++] = c;
break;
default:
if (isalnum(c)) {
s[k++] = c;
} else {
s[k++] = '%';
s[k++] = "0123456789abcdef"[(c&0xff)>>4];
s[k++] = "0123456789abcdef"[(c&0x0f)];
}
}
}
return s;
}
static int
cmd_append(struct rk_strpool **cmd, const char *s0, ...)
{
va_list ap;
const char *arg;
int ret = 0;
if ((*cmd = rk_strpoolprintf(*cmd, "%s", s0)) == NULL)
return ENOMEM;
va_start(ap, s0);
while ((arg = va_arg(ap, const char *))) {
char *s;
if ((s = string_encode(arg)) == NULL) {
rk_strpoolfree(*cmd);
*cmd = NULL;
ret = ENOMEM;
goto out;
}
*cmd = rk_strpoolprintf(*cmd, "%s", s);
free(s);
if (*cmd == NULL) {
ret = ENOMEM;
goto out;
}
}
out:
va_end(ap);
return ret;
}
/* Like strpbrk(), but from the end of the string */
static char *
strrpbrk(char *s, const char *accept)
{
char *last = NULL;
char *p = s;
do {
p = strpbrk(p, accept);
if (p != NULL) {
last = p;
p++;
}
} while (p != NULL);
return last;
}
/*
* For /get-tgts we need to support partial authorization of requests. The
* hx509_request APIs support that.
*
* Here we just step through the IPC server's response and mark the
* corresponding request elements authorized so that /get-tgts can issue or not
* issue TGTs according to which requested principals are authorized and which
* are not.
*/
static int
mark_piecemeal_authorized(krb5_context context,
hx509_request csr,
heim_octet_string *rep)
{
size_t san_idx = 0;
size_t eku_idx = 0;
char *s, *p, *rep2, *tok, *next = NULL;
int slow_path = 0;
int partial = 0;
int ret = 0;
/* We have a data, but we want a C string */
if ((rep2 = strndup(rep->data, rep->length)) == NULL)
return krb5_enomem(context);
/* The first token should be "denied"; skip it */
if ((s = strchr(rep2, ' ')) == NULL) {
free(rep2);
return EACCES;
}
s++;
while ((tok = strtok_r(s, ",", &next))) {
hx509_san_type san_type, san_type2;
char *s2 = NULL;
s = NULL; /* for strtok_r() */
if (strncmp(tok, "eku=", sizeof("eku=") -1) == 0) {
/*
* Very simplistic handling of partial authz for EKUs:
*
* - denial of an EKU -> deny the whole request
* - else below mark all EKUs approved
*/
if (strstr(tok, ":denied")) {
krb5_set_error_message(context, EACCES, "CSR denied because "
"EKU denied: %s", tok);
ret = EACCES;
break;
}
continue;
}
/*
* For SANs we check that the nth SAN in the response matches the nth
* SAN in the hx509_request.
*/
if (strncmp(tok, "san_pkinit=", sizeof("san_pkinit=") - 1) == 0) {
tok += sizeof("san_pkinit=") - 1;
san_type = HX509_SAN_TYPE_PKINIT;
} else if (strncmp(tok, "san_dnsname=", sizeof("san_dnsname=") -1) == 0) {
tok += sizeof("san_dnsname=") - 1;
san_type = HX509_SAN_TYPE_DNSNAME;
} else if (strncmp(tok, "san_email=", sizeof("san_email=") -1) == 0) {
tok += sizeof("san_email=") - 1;
san_type = HX509_SAN_TYPE_EMAIL;
} else if (strncmp(tok, "san_xmpp=", sizeof("san_xmpp=") -1) == 0) {
tok += sizeof("san_xmpp=") - 1;
san_type = HX509_SAN_TYPE_XMPP;
} else if (strncmp(tok, "san_ms_upn=", sizeof("san_ms_upn=") -1) == 0) {
tok += sizeof("san_ms_upn=") - 1;
san_type = HX509_SAN_TYPE_MS_UPN;
} else {
krb5_set_error_message(context, EACCES, "CSR denied because could "
"not parse token in response: %s", tok);
ret = EACCES;
break;
}
/*
* This token has to end in ":granted" or ":denied". Using our
* `strrpbrk()' means we can deal with principals names that have ':'
* in them.
*/
if ((p = strrpbrk(tok, ":")) == NULL) {
san_idx++;
continue;
}
*(p++) = '\0';
/* Now we get the nth SAN from the authorization */
ret = hx509_request_get_san(csr, san_idx, &san_type2, &s2);
if (ret == HX509_NO_ITEM) {
/* See below */
slow_path = 1;
break;
}
/* And we check that it matches the SAN in this token */
if (ret == 0) {
if (san_type != san_type2 ||
strcmp(tok, s2) != 0) {
/*
* We expect the tokens in the reply to be in the same order as
* in the request. If not, we must take a slow path where we
* have to sort requests and responses then iterate them in
* order.
*/
slow_path = 1;
hx509_xfree(s2);
break;
}
hx509_xfree(s2);
if (strcmp(p, "granted") == 0) {
ret = hx509_request_authorize_san(csr, san_idx);
} else {
partial = 1;
ret = hx509_request_reject_san(csr, san_idx);
}
if (ret)
break;
}
san_idx++;
}
if (slow_path) {
/*
* FIXME? Implement the slow path?
*
* Basically, we'd get all the SANs from the request into an array of
* {SAN, index} and sort that array, then all the SANs from the
* response into an array and sort it, then step a cursor through both,
* using the index from the first to mark SANs in the request
* authorized or rejected.
*/
krb5_set_error_message(context, EACCES, "CSR denied because "
"authorizer service did not include all "
"piecemeal grants/denials in order");
ret = EACCES;
}
/* Mark all the EKUs authorized */
for (eku_idx = 0; ret == 0; eku_idx++)
ret = hx509_request_authorize_eku(csr, eku_idx);
if (ret == HX509_NO_ITEM)
ret = 0;
if (ret == 0 && partial) {
krb5_set_error_message(context, EACCES, "CSR partially authorized");
ret = EACCES;
}
free(rep2);
return ret;
}
static krb5_error_code mark_authorized(hx509_request);
static int
call_svc(krb5_context context,
heim_ipc ipc,
hx509_request csr,
const char *cmd,
int piecemeal_check_ok)
{
heim_octet_string req, resp;
int ret;
req.data = (void *)(uintptr_t)cmd;
req.length = strlen(cmd);
resp.length = 0;
resp.data = NULL;
ret = heim_ipc_call(ipc, &req, &resp, NULL);
/* Check for all granted case */
if (ret == 0 &&
resp.length == sizeof("granted") - 1 &&
strncasecmp(resp.data, "granted", sizeof("granted") - 1) == 0) {
free(resp.data);
return mark_authorized(csr); /* Full approval */
}
/* Check for "denied ..." piecemeal authorization case */
if ((ret == 0 || ret == EACCES || ret == KRB5_PLUGIN_NO_HANDLE) &&
piecemeal_check_ok &&
resp.length > sizeof("denied") - 1 &&
strncasecmp(resp.data, "denied", sizeof("denied") - 1) == 0) {
/* Piecemeal authorization */
ret = mark_piecemeal_authorized(context, csr, &resp);
/* mark_piecemeal_authorized() should return EACCES; just in case: */
if (ret == 0)
ret = EACCES;
free(resp.data);
return ret;
}
/* All other failure cases */
if (resp.data == NULL || resp.length == 0) {
krb5_set_error_message(context, ret, "CSR authorizer IPC service "
"failed silently");
free(resp.data);
return EACCES;
}
if (resp.length == sizeof("ignore") - 1 &&
strncasecmp(resp.data, "ignore", sizeof("ignore") - 1) == 0) {
/*
* In this case the server is saying "I can't handle this request, try
* some other authorizer plugin".
*/
free(resp.data);
return KRB5_PLUGIN_NO_HANDLE;
}
if (resp.length == sizeof("denied") - 1 &&
strncasecmp(resp.data, "denied", sizeof("denied") - 1) == 0) {
krb5_set_error_message(context, ret, "CSR authorizer rejected %s",
cmd);
free(resp.data);
return EACCES;
}
if (resp.length > INT_MAX)
krb5_set_error_message(context, ret, "CSR authorizer rejected %s", cmd);
else
krb5_set_error_message(context, ret, "CSR authorizer rejected %s: %.*s",
cmd, resp.length, resp.data);
free(resp.data);
return ret;
}
static void
frees(char **s)
{
free(*s);
*s = NULL;
}
static krb5_error_code
mark_authorized(hx509_request csr)
{
size_t i;
char *s;
int ret = 0;
for (i = 0; ret == 0; i++) {
ret = hx509_request_get_eku(csr, i, &s);
if (ret == 0)
hx509_request_authorize_eku(csr, i);
frees(&s);
}
if (ret == HX509_NO_ITEM)
ret = 0;
for (i = 0; ret == 0; i++) {
hx509_san_type san_type;
ret = hx509_request_get_san(csr, i, &san_type, &s);
if (ret == 0)
hx509_request_authorize_san(csr, i);
frees(&s);
}
return ret == HX509_NO_ITEM ? 0 : ret;
}
static KRB5_LIB_CALL krb5_error_code
authorize(void *ctx,
krb5_context context,
const char *app,
hx509_request csr,
krb5_const_principal client,
krb5_boolean *result)
{
struct rk_strpool *cmd = NULL;
krb5_error_code ret;
hx509_context hx509ctx = NULL;
heim_ipc ipc = NULL;
const char *svc;
KeyUsage ku;
size_t i;
char *princ = NULL;
char *s = NULL;
int do_check = 0;
int piecemeal_check_ok = 1;
if ((svc = krb5_config_get_string_default(context, NULL,
"ANY:org.h5l.csr_authorizer",
app ? app : "kdc",
"ipc_csr_authorizer", "service",
NULL)) == NULL)
return KRB5_PLUGIN_NO_HANDLE;
if ((ret = heim_ipc_init_context(svc, &ipc))) {
/*
* If the IPC authorizer is optional, then fallback on whatever is
* next.
*/
if (krb5_config_get_bool_default(context, NULL, FALSE,
app ? app : "kdc",
"ipc_csr_authorizer", "optional",
NULL))
return KRB5_PLUGIN_NO_HANDLE;
krb5_set_error_message(context, ret, "Could not set up IPC client "
"end-point for service %s", svc);
return ret;
}
if ((ret = hx509_context_init(&hx509ctx)))
goto out;
if ((ret = krb5_unparse_name(context, client, &princ)))
goto out;
if ((ret = cmd_append(&cmd, "check ", princ, NULL)))
goto enomem;
frees(&princ);
for (i = 0; ret == 0; i++) {
hx509_san_type san_type;
size_t p;
ret = hx509_request_get_san(csr, i, &san_type, &s);
if (ret)
break;
/*
* We cannot do a piecemeal check if any of the SANs could make the
* response ambiguous.
*/
p = strcspn(s, ",= ");
if (s[p] != '\0')
piecemeal_check_ok = 0;
if (piecemeal_check_ok && strstr(s, ":granted") != NULL)
piecemeal_check_ok = 0;
switch (san_type) {
case HX509_SAN_TYPE_EMAIL:
if ((ret = cmd_append(&cmd, " san_email=", s, NULL)))
goto enomem;
do_check = 1;
break;
case HX509_SAN_TYPE_DNSNAME:
if ((ret = cmd_append(&cmd, " san_dnsname=", s, NULL)))
goto enomem;
do_check = 1;
break;
case HX509_SAN_TYPE_XMPP:
if ((ret = cmd_append(&cmd, " san_xmpp=", s, NULL)))
goto enomem;
do_check = 1;
break;
case HX509_SAN_TYPE_PKINIT:
if ((ret = cmd_append(&cmd, " san_pkinit=", s, NULL)))
goto enomem;
do_check = 1;
break;
case HX509_SAN_TYPE_MS_UPN:
if ((ret = cmd_append(&cmd, " san_ms_upn=", s, NULL)))
goto enomem;
do_check = 1;
break;
default:
if ((ret = hx509_request_reject_san(csr, i)))
goto out;
break;
}
frees(&s);
}
if (ret == HX509_NO_ITEM)
ret = 0;
if (ret)
goto out;
for (i = 0; ret == 0; i++) {
ret = hx509_request_get_eku(csr, i, &s);
if (ret)
break;
if ((ret = cmd_append(&cmd, " eku=", s, NULL)))
goto enomem;
do_check = 1;
frees(&s);
}
if (ret == HX509_NO_ITEM)
ret = 0;
if (ret)
goto out;
ku = int2KeyUsage(0);
ku.digitalSignature = 1;
ku.nonRepudiation = 1;
hx509_request_authorize_ku(csr, ku);
if (do_check) {
s = rk_strpoolcollect(cmd);
cmd = NULL;
if (s == NULL)
goto enomem;
if ((ret = call_svc(context, ipc, csr, s, piecemeal_check_ok)))
goto out;
} /* else there was nothing to check -> permit */
*result = TRUE;
ret = 0;
goto out;
enomem:
ret = krb5_enomem(context);
goto out;
out:
heim_ipc_free_context(ipc);
hx509_context_free(&hx509ctx);
if (cmd)
rk_strpoolfree(cmd);
free(princ);
free(s);
return ret;
}
static KRB5_LIB_CALL krb5_error_code
ipc_csr_authorizer_init(krb5_context context, void **c)
{
*c = NULL;
return 0;
}
static KRB5_LIB_CALL void
ipc_csr_authorizer_fini(void *c)
{
}
static krb5plugin_csr_authorizer_ftable plug_desc =
{ 1, ipc_csr_authorizer_init, ipc_csr_authorizer_fini, authorize };
static krb5plugin_csr_authorizer_ftable *plugs[] = { &plug_desc };
static uintptr_t
ipc_csr_authorizer_get_instance(const char *libname)
{
if (strcmp(libname, "krb5") == 0)
return krb5_get_instance(libname);
if (strcmp(libname, "kdc") == 0)
return kdc_get_instance(libname);
if (strcmp(libname, "hx509") == 0)
return hx509_get_instance(libname);
return 0;
}
krb5_plugin_load_ft kdc_csr_authorizer_plugin_load;
krb5_error_code KRB5_CALLCONV
kdc_csr_authorizer_plugin_load(heim_pcontext context,
krb5_get_instance_func_t *get_instance,
size_t *num_plugins,
krb5_plugin_common_ftable_cp **plugins)
{
*get_instance = ipc_csr_authorizer_get_instance;
*num_plugins = sizeof(plugs) / sizeof(plugs[0]);
*plugins = (krb5_plugin_common_ftable_cp *)plugs;
return 0;
}
Reference in New Issue View Git Blame Copy Permalink