oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
40317659b00aefc8abaeb2c80f983b391f1f432c
heimdal/lib/krb5/pkinit.c
Taylor R Campbell 9c1b2e963b krb5: Sprinkle const and rk_UNCONST to pacify -Wwrite-strings. 
Mostly for read-only iov or krb5_data.
2026-01-18 19:06:17 -06:00

3005 lines
82 KiB
C
Raw Blame History

/*
* Copyright (c) 2003 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Portions Copyright (c) 2009 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5_locl.h"
struct krb5_dh_moduli {
char *name;
unsigned long bits;
heim_integer p;
heim_integer g;
heim_integer q;
};
#include <cms_asn1.h>
#include <pkcs8_asn1.h>
#include <pkcs9_asn1.h>
#include <pkcs12_asn1.h>
#include <pkinit_asn1.h>
#include <asn1_err.h>
#include <der.h>
#include <openssl/bn.h>
#include <openssl/param_build.h>
krb5_error_code
_krb5_pkinit_pkey2SubjectPublicKeyInfo(krb5_context context,
const EVP_PKEY *pkey,
SubjectPublicKeyInfo *spki)
{
unsigned char *buf = NULL;
unsigned char *p;
size_t len, size;
krb5_error_code ret;
len = i2d_PUBKEY(pkey, NULL);
if (len <= 0)
return _krb5_set_error_message_openssl(context,
HX509_CRYPTO_INTERNAL_ERROR,
"Failed to encode public key");
p = buf = malloc(len);
if (p == NULL)
return krb5_enomem(context);
if (i2d_PUBKEY(pkey, &p) != len) {
free(buf);
return _krb5_set_error_message_openssl(context,
HX509_CRYPTO_INTERNAL_ERROR,
"Failed to encode public key");
}
ret = decode_SubjectPublicKeyInfo(buf, len, spki, &size);
free(buf);
return ret;
}
/* Makes a EVP_PKEY * params object from modp DH p, g, q (q is optional) */
static EVP_PKEY *
dh_params_from_pg(krb5_context context,
const unsigned char *p, size_t plen,
const unsigned char *g, size_t glen,
const unsigned char *q, size_t qlen)
{
EVP_PKEY *params = NULL;
EVP_PKEY_CTX *ctx = NULL;
BIGNUM *p_bn = NULL;
BIGNUM *g_bn = NULL;
BIGNUM *q_bn = NULL;
OSSL_PARAM_BLD *bld = NULL;
OSSL_PARAM *par = NULL;
/* Convert raw bytes to BIGNUMs - OpenSSL 3.x requires BN for FFC params */
p_bn = BN_bin2bn(p, plen, NULL);
g_bn = BN_bin2bn(g, glen, NULL);
if (q && qlen)
q_bn = BN_bin2bn(q, qlen, NULL);
if (!p_bn || !g_bn || (q && qlen && !q_bn))
goto out;
/* Build OSSL_PARAM array */
bld = OSSL_PARAM_BLD_new();
if (!bld)
goto out;
if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p_bn) ||
!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g_bn))
goto out;
if (q_bn && !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q_bn))
goto out;
par = OSSL_PARAM_BLD_to_param(bld);
if (!par)
goto out;
/*
* Always use DHX (X9.42 DH) for PKINIT - this produces the
* id-dhpublicnumber OID (1.2.840.10046.2.1) that PKINIT requires,
* rather than the PKCS#3 OID (1.2.840.113549.1.3.1) that "DH" uses.
*/
ctx = EVP_PKEY_CTX_new_from_name(context->ossl->libctx, "DHX",
context->ossl->propq);
if (!ctx)
goto out;
if (EVP_PKEY_fromdata_init(ctx) <= 0)
goto out;
if (EVP_PKEY_fromdata(ctx, &params, EVP_PKEY_KEY_PARAMETERS, par) <= 0)
params = NULL;
out:
OSSL_PARAM_free(par);
OSSL_PARAM_BLD_free(bld);
EVP_PKEY_CTX_free(ctx);
BN_free(p_bn);
BN_free(g_bn);
BN_free(q_bn);
return params;
}
/*
* Produce OpenSSL 3.x params from the p, g, q in a modp DH
* AlgorithmIdentifier returned by a KDC.
*
* Note that we don't validate the domain parameters.
*/
static krb5_error_code
dh_params_from_AI(krb5_context context,
heim_octet_string *ai_params,
EVP_PKEY **out)
{
DomainParameters dp;
krb5_error_code ret;
const unsigned char *p, *g, *q;
size_t plen, glen, qlen;
*out = NULL;
ret = decode_DomainParameters(ai_params->data, ai_params->length, &dp, NULL);
if (ret)
return ret;
/*
* heim_integer has the DER-encoding of the INTEGER. OpenSSL wants the
* unsigned, unpadded DER-encoding of the INTEGER. So we reject negative
* numbers and remove any padding, then use dh_params_from_pg().
*/
if (dp.p.negative || dp.g.negative || (dp.q && dp.q->negative))
return EINVAL;
p = dp.p.data;
plen = dp.p.length;
g = dp.g.data;
glen = dp.g.length;
q = dp.q ? dp.q->data : NULL;
qlen = dp.q ? dp.q->length : 0;
if (dp.p.length > 1 && p[0] == 0) { p++; plen--; }
if (dp.g.length > 1 && g[0] == 0) { g++; glen--; }
if (q && dp.q->length > 1 && q[0] == 0) { q++; qlen--; }
*out = dh_params_from_pg(context, p, plen, g, glen, q, qlen);
free_DomainParameters(&dp);
if (*out)
return 0;
return EINVAL;
}
static krb5_error_code
pkinit_make_dh_key(krb5_context context,
EVP_PKEY *params_in,
const char *group,
EVP_PKEY **pkey)
{
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY_CTX *kctx = NULL;
EVP_PKEY *params = NULL;
OSSL_PARAM p[] = {
OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
(char *)group, 0),
OSSL_PARAM_END
};
*pkey = NULL;
if (params_in) {
if ((kctx = EVP_PKEY_CTX_new_from_pkey(context->ossl->libctx, params_in,
context->ossl->propq)) == NULL ||
EVP_PKEY_keygen_init(kctx) <= 0 ||
EVP_PKEY_keygen(kctx, pkey) <= 0)
*pkey = NULL;
} else {
if ((pctx = EVP_PKEY_CTX_new_from_name(context->ossl->libctx, "DHX",
context->ossl->propq)) == NULL ||
EVP_PKEY_paramgen_init(pctx) <= 0 ||
EVP_PKEY_CTX_set_params(pctx, p) <= 0 ||
EVP_PKEY_paramgen(pctx, &params) <= 0 ||
(kctx = EVP_PKEY_CTX_new_from_pkey(context->ossl->libctx, params,
context->ossl->propq)) == NULL ||
EVP_PKEY_keygen_init(kctx) <= 0 ||
EVP_PKEY_keygen(kctx, pkey) <= 0)
*pkey = NULL;
}
EVP_PKEY_CTX_free(kctx);
EVP_PKEY_CTX_free(pctx);
EVP_PKEY_free(params);
if (*pkey == NULL) {
char *s = _krb5_openssl_errors();
krb5_set_error_message(context, HX509_CRYPTO_INTERNAL_ERROR,
"Could not make a DH keyshare: %s",
s ? s : "<unknown OpenSSL error>");
free(s);
return HX509_CRYPTO_INTERNAL_ERROR;
}
return 0;
}
struct krb5_pk_cert {
hx509_cert cert;
};
static void
pk_copy_error(krb5_context context,
hx509_context hx509ctx,
int hxret,
const char *fmt,
...)
__attribute__ ((__format__ (__printf__, 4, 5)));
/*
*
*/
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_pk_cert_free(struct krb5_pk_cert *cert)
{
if (cert->cert) {
hx509_cert_free(cert->cert);
}
free(cert);
}
static enum keyex_enum
select_dh_type(krb5_context context, krb5_pk_init_ctx ctx)
{
TD_DH_PARAMETERS *p = ctx->kdc_dh_algs;
hx509_cert cert = ctx->id->cert;
size_t i;
int seen_ec = 0;
int seen_modp = 0;
int prefer_ec =
krb5_config_get_bool_default(context, NULL, -1,
"libdefaults", "pkinit_prefer_ec", NULL);
/*
* The KDC offered key agreement algorithms; pick one we like. We
* prefer EC to modp DH.
*/
if (p) {
for (i = 0; i < p->len; i++) {
const heim_oid *oid = &p->val[i].algorithm;
if (der_heim_oid_cmp(oid, &asn1_oid_id_X25519) == 0 ||
der_heim_oid_cmp(oid, &asn1_oid_id_X448) == 0 ||
der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp256r1) == 0 ||
der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp384r1) == 0 ||
der_heim_oid_cmp(oid, &asn1_oid_id_ec_group_secp521r1) == 0)
seen_ec = 1;
else if (der_heim_oid_cmp(oid, &asn1_oid_id_dhpublicnumber) == 0 &&
p->val[i].parameters != NULL)
seen_modp = 1;
}
}
if (prefer_ec == -1 && cert) {
AlgorithmIdentifier alg;
/* Cert indicates EC support -> then use ECDH */
if (hx509_cert_get_SPKI_AlgorithmIdentifier(context->hx509ctx, cert,
&alg) == 0) {
if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_ecPublicKey) == 0)
prefer_ec = 1;
else if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_Ed25519) == 0)
prefer_ec = 1;
else if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_Ed448) == 0)
prefer_ec = 1;
free_AlgorithmIdentifier(&alg);
}
}
/* Whichever we preferred, if the KDC offered it, use that */
if (prefer_ec > 0 && seen_ec)
return USE_ECDH;
if (prefer_ec == 0 && seen_modp)
return USE_DH;
/* Whichever we preferred, if the KDC only offered the other, use that */
if (seen_ec)
return USE_ECDH;
if (seen_modp)
return USE_DH;
/*
* The KDC offered nothing (yet, perhaps because we have not yet tried, or
* perhaps it doesn't support telling us its preference).
*
* Prefer EC/X DH then.
*/
if (prefer_ec == -1)
prefer_ec = 1;
return prefer_ec ? USE_ECDH : USE_DH;
}
static krb5_error_code
select_dh_group(krb5_context context, EVP_PKEY **params, const char **group,
unsigned long min_bits, krb5_pk_init_ctx ctx)
{
const struct krb5_dh_moduli *m;
struct krb5_dh_moduli **moduli = ctx->m;
TD_DH_PARAMETERS *p = ctx->kdc_dh_algs;
krb5_error_code ret;
if (p) {
size_t i;
/*
* Pick the first DH modp group offered by the KDC. We do not validate
* this group if [libdefaults] pkinit_dh_trust_modp_kdc_choice is set
* to true. Since we're going to get a signature from the KDC and we
* validate the KDC's certificate, we can default this to TRUE.
*
* NOTE: If we ever try to build something like PKU2U w/ anonymous
* server support then we'll need to default this to FALSE for
* that case!
*/
if (!krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults",
"pkinit_dh_trust_modp_kdc_choice", NULL))
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
for (i = 0; i < p->len; i++) {
if (der_heim_oid_cmp(&p->val[i].algorithm,
&asn1_oid_id_dhpublicnumber) != 0 ||
p->val[i].parameters == NULL)
continue;
ret = dh_params_from_AI(context, p->val[i].parameters, params);
if (ret)
// XXX More trace/error info would be nice
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
return 0;
}
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
if (krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults",
"pkinit_dh_use_modp", NULL)) {
/*
* Use RFC 3526 Oakley groups (modp_*). MIT Kerberos only supports
* 1024 (disabled by default), 2048, and 4096. Default to 2048.
*/
if (min_bits == 0 || min_bits <= 2048) {
*group = "modp_2048";
return 0;
}
if (min_bits <= 4096) {
*group = "modp_4096";
return 0;
}
/* Larger sizes not supported by MIT, fall through to moduli file */
}
if (moduli[0] == NULL) {
krb5_set_error_message(context, EINVAL,
N_("Did not find a DH group parameter "
"matching requirement of %lu bits", ""),
min_bits);
return EINVAL;
}
if (min_bits == 0) {
m = moduli[0];
} else {
int i;
for (i = 0; moduli[i] != NULL; i++) {
if (moduli[i]->bits >= min_bits)
break;
}
if (moduli[i] == NULL) {
krb5_set_error_message(context, EINVAL,
N_("Did not find a DH group parameter "
"matching requirement of %lu bits", ""),
min_bits);
return EINVAL;
}
m = moduli[i];
}
*params = dh_params_from_pg(context, m->p.data, m->p.length,
m->g.data, m->g.length,
m->q.data ? m->q.data : NULL, m->q.length);
return 0;
}
struct certfind {
const char *type;
const heim_oid *oid;
};
/*
* Try searchin the key by to use by first looking for for PK-INIT
* EKU, then the Microsoft smart card EKU and last, no special EKU at all.
*/
static krb5_error_code
find_cert(krb5_context context, struct krb5_pk_identity *id,
hx509_query *q, hx509_cert *cert)
{
struct certfind cf[4] = {
{ "MobileMe EKU", NULL },
{ "PKINIT EKU", NULL },
{ "MS EKU", NULL },
{ "any (or no)", NULL }
};
int ret = HX509_CERT_NOT_FOUND;
size_t i, start = 1;
unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
if (id->flags & PKINIT_BTMM)
start = 0;
cf[0].oid = &mobileMe;
cf[1].oid = &asn1_oid_id_pkekuoid;
cf[2].oid = &asn1_oid_id_pkinit_ms_eku;
cf[3].oid = NULL;
for (i = start; i < sizeof(cf)/sizeof(cf[0]); i++) {
ret = hx509_query_match_eku(q, cf[i].oid);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed setting %s OID", cf[i].type);
return ret;
}
ret = hx509_certs_find(context->hx509ctx, id->certs, q, cert);
if (ret == 0)
break;
pk_copy_error(context, context->hx509ctx, ret,
"Failed finding certificate with %s OID", cf[i].type);
}
return ret;
}
static krb5_error_code
create_signature(krb5_context context,
const heim_oid *eContentType,
krb5_data *eContent,
struct krb5_pk_identity *id,
hx509_peer_info peer,
krb5_data *sd_data)
{
int ret, flags = 0;
if (id->cert == NULL)
flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
ret = hx509_cms_create_signed_1(context->hx509ctx,
flags,
eContentType,
eContent->data,
eContent->length,
NULL,
id->cert,
peer,
NULL,
id->certs,
sd_data);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Create CMS signedData");
return ret;
}
return 0;
}
static int KRB5_LIB_CALL
cert2epi(hx509_context context, void *ctx, hx509_cert c)
{
ExternalPrincipalIdentifiers *ids = ctx;
ExternalPrincipalIdentifier id;
hx509_name subject = NULL;
void *p;
int ret;
if (ids->len > 10)
return 0;
memset(&id, 0, sizeof(id));
ret = hx509_cert_get_subject(c, &subject);
if (ret)
return ret;
if (hx509_name_is_null_p(subject) != 0) {
id.subjectName = calloc(1, sizeof(*id.subjectName));
if (id.subjectName == NULL) {
hx509_name_free(&subject);
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
ret = hx509_name_binary(subject, id.subjectName);
if (ret) {
hx509_name_free(&subject);
free_ExternalPrincipalIdentifier(&id);
return ret;
}
}
hx509_name_free(&subject);
id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
if (id.issuerAndSerialNumber == NULL) {
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
{
IssuerAndSerialNumber iasn;
hx509_name issuer;
size_t size = 0;
memset(&iasn, 0, sizeof(iasn));
ret = hx509_cert_get_issuer(c, &issuer);
if (ret) {
free_ExternalPrincipalIdentifier(&id);
return ret;
}
ret = hx509_name_to_Name(issuer, &iasn.issuer);
hx509_name_free(&issuer);
if (ret) {
free_ExternalPrincipalIdentifier(&id);
return ret;
}
ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
if (ret) {
free_IssuerAndSerialNumber(&iasn);
free_ExternalPrincipalIdentifier(&id);
return ret;
}
ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
id.issuerAndSerialNumber->data,
id.issuerAndSerialNumber->length,
&iasn, &size, ret);
free_IssuerAndSerialNumber(&iasn);
if (ret) {
free_ExternalPrincipalIdentifier(&id);
return ret;
}
if (id.issuerAndSerialNumber->length != size)
abort();
}
id.subjectKeyIdentifier = NULL;
p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
if (p == NULL) {
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
ids->val = p;
ids->val[ids->len] = id;
ids->len++;
return 0;
}
static krb5_error_code
build_edi(krb5_context context,
hx509_context hx509ctx,
hx509_certs certs,
ExternalPrincipalIdentifiers *ids)
{
return hx509_certs_iter_f(hx509ctx, certs, cert2epi, ids);
}
static krb5_error_code
make_supportedKDFs(krb5_context context, krb5_pk_init_ctx ctx, AuthPack *a)
{
char **kdfs;
krb5_error_code ret;
KDFAlgorithmId kdf;
memset(&kdf, 0, sizeof(kdf));
if (ctx->want_kdf_alg &&
der_heim_oid_cmp(ctx->want_kdf_alg, &asn1_oid_id_pkinit_kdf) == 0) {
if (a->supportedKDFs)
free_SupportedKDFs(a->supportedKDFs);
free(a->supportedKDFs);
a->supportedKDFs = NULL;
return 0;
}
if (a->supportedKDFs)
free_SupportedKDFs(a->supportedKDFs);
else if ((a->supportedKDFs =
calloc(1, sizeof(*a->supportedKDFs))) == NULL)
return krb5_enomem(context);
if (ctx->want_kdf_alg) {
ret = der_copy_oid(ctx->want_kdf_alg, &kdf.kdf_id);
if (ret)
return ret;
ret = add_SupportedKDFs(a->supportedKDFs, &kdf);
der_free_oid(&kdf.kdf_id);
return ret;
}
kdfs = krb5_config_get_strings(context, NULL, "libdefaults", "pkinit_kdfs",
NULL);
if (kdfs) {
const heim_oid *oid = NULL;
size_t i;
/* XXX Extract this if-strcmp ladder into a utility function */
for (i = 0; kdfs[i]; i++) {
if (strcmp(kdfs[i], "ah-sha1") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha1;
else if (strcmp(kdfs[i], "ah-sha256") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha256;
else if (strcmp(kdfs[i], "ah-sha384") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha384;
else if (strcmp(kdfs[i], "ah-sha512") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha512;
if (oid == NULL)
continue; // XXX debug trace or error!
ret = der_copy_oid(oid, &kdf.kdf_id);
if (ret)
return ret;
ret = add_SupportedKDFs(a->supportedKDFs, &kdf);
der_free_oid(&kdf.kdf_id);
if (ret)
return ret;
}
krb5_config_free_strings(kdfs);
return 0;
}
/*
* Indicate support for all of them. RFC 4556 is what we'll get if the KDC
* doesn't support any of these RFC 8636 ones.
*/
ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha256, &kdf.kdf_id);
if (ret == 0)
ret = add_SupportedKDFs(a->supportedKDFs, &kdf);
der_free_oid(&kdf.kdf_id);
ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha384, &kdf.kdf_id);
if (ret == 0)
ret = add_SupportedKDFs(a->supportedKDFs, &kdf);
der_free_oid(&kdf.kdf_id);
ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha512, &kdf.kdf_id);
if (ret == 0)
ret = add_SupportedKDFs(a->supportedKDFs, &kdf);
der_free_oid(&kdf.kdf_id);
ret = der_copy_oid(&asn1_oid_id_pkinit_kdf_ah_sha1, &kdf.kdf_id);
if (ret == 0)
ret = add_SupportedKDFs(a->supportedKDFs, &kdf);
der_free_oid(&kdf.kdf_id);
return ret;
}
static krb5_error_code
build_auth_pack(krb5_context context,
unsigned nonce,
krb5_pk_init_ctx ctx,
const KDC_REQ_BODY *body,
AuthPack *a)
{
size_t buf_size, len = 0;
krb5_error_code ret;
void *buf;
krb5_timestamp sec;
int32_t usec;
Checksum checksum;
krb5_clear_error_message(context);
memset(&checksum, 0, sizeof(checksum));
krb5_us_timeofday(context, &sec, &usec);
a->pkAuthenticator.ctime = sec;
a->pkAuthenticator.nonce = nonce;
ret = make_supportedKDFs(context, ctx, a);
if (ret)
return ret;
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
if (ret)
return ret;
if (buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_SHA1,
buf,
len,
&checksum);
free(buf);
if (ret)
return ret;
ALLOC(a->pkAuthenticator.paChecksum, 1);
if (a->pkAuthenticator.paChecksum == NULL) {
return krb5_enomem(context);
}
ret = krb5_data_copy(a->pkAuthenticator.paChecksum,
checksum.checksum.data, checksum.checksum.length);
free_Checksum(&checksum);
if (ret)
return ret;
if (ctx->keyex == USE_DH || ctx->keyex == USE_ECDH) {
EVP_PKEY *params = NULL;
krb5_data dhbuf;
krb5_data_zero(&dhbuf);
if (1 /* support_cached_dh */) {
ALLOC(a->clientDHNonce, 1);
if (a->clientDHNonce == NULL) {
krb5_clear_error_message(context);
return ENOMEM;
}
ret = krb5_data_alloc(a->clientDHNonce, 40);
if (a->clientDHNonce == NULL) {
krb5_clear_error_message(context);
return ret;
}
ret = RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length);
if (ret != 1)
return KRB5_CRYPTO_INTERNAL;
ret = krb5_copy_data(context, a->clientDHNonce,
&ctx->clientDHNonce);
if (ret)
return ret;
}
if (ctx->keyex == USE_DH) {
const char *group = NULL;
const char *moduli_file =
krb5_config_get_string(context, NULL, "libdefaults", "moduli",
NULL);
unsigned long dh_min_bits =
krb5_config_get_int_default(context, NULL, 0,
"libdefaults",
"pkinit_dh_min_bits",
NULL);
ret = _krb5_parse_moduli(context, moduli_file, &ctx->m);
if (ret)
return ret;
ret = select_dh_group(context, &params, &group, dh_min_bits, ctx);
if (ret)
return ret;
ret = pkinit_make_dh_key(context, params, group, &ctx->pkey);
if (ret)
return ret;
/*
* Prior to removing hcrypto and switching to OpenSSL 3.x we had
* this comment:
*
* | The q parameter is required, but MSFT made it optional.
* | It's only required in order to verify the domain parameters
* | -- the security of the DH group --, but we validate groups
* | against known groups rather than accepting arbitrary groups
* | chosen by the peer, so we really don't need to have put it
* | on the wire. Because these are Oakley groups, and the
* | primes are Sophie Germain primes, q is p>>1 and we can
* | compute it on the fly like MIT Kerberos does, but we'd have
* | to implement BN_rshift1().
*
* We use X9.42 DH (EVP_PKEY_DHX) which produces the
* id-dhpublicnumber OID (1.2.840.10046.2.1) per RFC 3279 as
* referenced by RFC 4556.
*
* The q parameter is optional on the wire -- RFC 4556 requires it
* but Microsoft treats it as optional. We include q when available
* (OpenSSL includes it if provided at key generation time). When
* validating received params we don't care if q is missing because
* we only accept configured groups anyways, so we don't need to
* validate the peer's group.
*
* Note: the old comment about computing q = p>>1 for Sophie
* Germain primes only applies to Oakley Group 2 (RFC 2409). The
* RFC 3526 MODP groups are NOT Sophie Germain primes.
*/
} else {
ret = _krb5_pkinit_make_ecdh_key(context, NULL, NULL,
_krb5_pkinit_pick_curve(context,
ctx),
&ctx->pkey);
if (ret)
return ret;
}
ALLOC(a->clientPublicValue, 1);
ret = _krb5_pkinit_pkey2SubjectPublicKeyInfo(context, ctx->pkey,
a->clientPublicValue);
if (ret)
return ret;
}
{
a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes));
if (a->supportedCMSTypes == NULL)
return ENOMEM;
ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL,
ctx->id->cert,
&a->supportedCMSTypes->val,
&a->supportedCMSTypes->len);
if (ret)
return ret;
}
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_mk_ContentInfo(krb5_context context,
const krb5_data *buf,
const heim_oid *oid,
struct ContentInfo *content_info)
{
krb5_error_code ret;
ret = der_copy_oid(oid, &content_info->contentType);
if (ret)
return ret;
ALLOC(content_info->content, 1);
if (content_info->content == NULL)
return ENOMEM;
content_info->content->data = malloc(buf->length);
if (content_info->content->data == NULL)
return ENOMEM;
memcpy(content_info->content->data, buf->data, buf->length);
content_info->content->length = buf->length;
return 0;
}
static krb5_error_code
pk_mk_padata(krb5_context context,
krb5_pk_init_ctx ctx,
const KDC_REQ_BODY *req_body,
unsigned nonce,
METHOD_DATA *md)
{
struct ContentInfo content_info;
krb5_error_code ret;
const heim_oid *oid = NULL;
size_t size = 0;
krb5_data buf, sd_buf;
int pa_type = -1;
krb5_data_zero(&buf);
krb5_data_zero(&sd_buf);
memset(&content_info, 0, sizeof(content_info));
if (ctx->type == PKINIT_WIN2K) {
AuthPack_Win2k ap;
krb5_timestamp sec;
int32_t usec;
memset(&ap, 0, sizeof(ap));
/* fill in PKAuthenticator */
ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName);
if (ret) {
free_AuthPack_Win2k(&ap);
krb5_clear_error_message(context);
goto out;
}
ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm);
if (ret) {
free_AuthPack_Win2k(&ap);
krb5_clear_error_message(context);
goto out;
}
krb5_us_timeofday(context, &sec, &usec);
ap.pkAuthenticator.ctime = sec;
ap.pkAuthenticator.cusec = usec;
ap.pkAuthenticator.nonce = nonce;
ASN1_MALLOC_ENCODE(AuthPack_Win2k, buf.data, buf.length,
&ap, &size, ret);
free_AuthPack_Win2k(&ap);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed encoding AuthPackWin: %d", ""),
(int)ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "internal ASN1 encoder error");
oid = &asn1_oid_id_pkcs7_data;
} else if (ctx->type == PKINIT_27) {
AuthPack ap;
memset(&ap, 0, sizeof(ap));
ret = build_auth_pack(context, nonce, ctx, req_body, &ap);
if (ret) {
free_AuthPack(&ap);
goto out;
}
ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
free_AuthPack(&ap);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed encoding AuthPack: %d", ""),
(int)ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "internal ASN1 encoder error");
oid = &asn1_oid_id_pkauthdata;
} else
krb5_abortx(context, "internal pkinit error");
ret = create_signature(context, oid, &buf, ctx->id,
ctx->peer, &sd_buf);
krb5_data_free(&buf);
if (ret)
goto out;
ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &sd_buf, &buf);
krb5_data_free(&sd_buf);
if (ret) {
krb5_set_error_message(context, ret,
N_("ContentInfo wrapping of signedData failed",""));
goto out;
}
if (ctx->type == PKINIT_WIN2K) {
PA_PK_AS_REQ_Win2k winreq;
pa_type = KRB5_PADATA_PK_AS_REQ_WIN;
memset(&winreq, 0, sizeof(winreq));
winreq.signed_auth_pack = buf;
ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_Win2k, buf.data, buf.length,
&winreq, &size, ret);
free_PA_PK_AS_REQ_Win2k(&winreq);
} else if (ctx->type == PKINIT_27) {
PA_PK_AS_REQ req;
pa_type = KRB5_PADATA_PK_AS_REQ;
memset(&req, 0, sizeof(req));
req.signedAuthPack = buf;
if (ctx->trustedCertifiers) {
req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
if (req.trustedCertifiers == NULL) {
ret = krb5_enomem(context);
free_PA_PK_AS_REQ(&req);
goto out;
}
ret = build_edi(context, context->hx509ctx,
ctx->id->anchors, req.trustedCertifiers);
if (ret) {
krb5_set_error_message(context, ret,
N_("pk-init: failed to build "
"trustedCertifiers", ""));
free_PA_PK_AS_REQ(&req);
goto out;
}
}
req.kdcPkId = NULL;
ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
&req, &size, ret);
free_PA_PK_AS_REQ(&req);
} else
krb5_abortx(context, "internal pkinit error");
if (ret) {
krb5_set_error_message(context, ret, "PA-PK-AS-REQ %d", (int)ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "Internal ASN1 encoder error");
ret = krb5_padata_add(context, md, pa_type, buf.data, buf.length);
if (ret)
free(buf.data);
if (ret == 0)
ret = krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
out:
free_ContentInfo(&content_info);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_mk_padata(krb5_context context,
void *c,
int ic_flags,
int win2k,
const KDC_REQ_BODY *req_body,
unsigned nonce,
krb5_error_code error_code,
TYPED_DATA *td,
METHOD_DATA *md)
{
krb5_pk_init_ctx ctx = c;
int win2k_compat;
if (ctx->id->certs == NULL && ctx->anonymous == 0) {
krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
N_("PKINIT: No user certificate given", ""));
return HEIM_PKINIT_NO_PRIVATE_KEY;
}
win2k_compat = krb5_config_get_bool_default(context, NULL,
win2k,
"realms",
req_body->realm,
"pkinit_win2k",
NULL);
if (win2k_compat) {
ctx->require_binding =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_win2k_require_binding",
NULL);
ctx->type = PKINIT_WIN2K;
} else
ctx->type = PKINIT_27;
ctx->require_eku =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_require_eku",
NULL);
if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK)
ctx->require_eku = 0;
if (ctx->id->flags & (PKINIT_BTMM | PKINIT_NO_KDC_ANCHOR))
ctx->require_eku = 0;
ctx->require_krbtgt_otherName =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_require_krbtgt_otherName",
NULL);
if (ic_flags & KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK)
ctx->require_krbtgt_otherName = FALSE;
ctx->require_hostname_match =
krb5_config_get_bool_default(context, NULL,
FALSE,
"realms",
req_body->realm,
"pkinit_require_hostname_match",
NULL);
ctx->trustedCertifiers =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_trustedCertifiers",
NULL);
return pk_mk_padata(context, ctx, req_body, nonce, md);
}
static krb5_error_code
pk_verify_sign(krb5_context context,
const void *data,
size_t length,
struct krb5_pk_identity *id,
heim_oid *contentType,
krb5_data *content,
struct krb5_pk_cert **signer)
{
hx509_certs signer_certs;
int ret;
unsigned flags = 0, verify_flags = 0;
*signer = NULL;
if (id->flags & PKINIT_BTMM) {
flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
flags |= HX509_CMS_VS_NO_KU_CHECK;
flags |= HX509_CMS_VS_NO_VALIDATE;
}
if (id->flags & PKINIT_NO_KDC_ANCHOR)
flags |= HX509_CMS_VS_NO_VALIDATE;
ret = hx509_cms_verify_signed_ext(context->hx509ctx,
id->verify_ctx,
flags,
data,
length,
NULL,
id->certpool,
contentType,
content,
&signer_certs,
&verify_flags);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"CMS verify signed failed");
return ret;
}
heim_assert((verify_flags & HX509_CMS_VSE_VALIDATED) ||
(id->flags & PKINIT_NO_KDC_ANCHOR),
"Either PKINIT signer must be validated, or NO_KDC_ANCHOR must be set");
if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0)
goto out;
*signer = calloc(1, sizeof(**signer));
if (*signer == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
goto out;
}
ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to get one of the signer certs");
goto out;
}
out:
hx509_certs_free(&signer_certs);
if (ret) {
if (*signer) {
hx509_cert_free((*signer)->cert);
free(*signer);
*signer = NULL;
}
}
return ret;
}
static krb5_error_code
get_reply_key_win(krb5_context context,
const krb5_data *content,
unsigned nonce,
krb5_keyblock **key)
{
ReplyKeyPack_Win2k key_pack;
krb5_error_code ret;
size_t size;
ret = decode_ReplyKeyPack_Win2k(content->data,
content->length,
&key_pack,
&size);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT decoding reply key failed", ""));
free_ReplyKeyPack_Win2k(&key_pack);
return ret;
}
if ((unsigned)key_pack.nonce != nonce) {
krb5_set_error_message(context, ret,
N_("PKINIT enckey nonce is wrong", ""));
free_ReplyKeyPack_Win2k(&key_pack);
return KRB5KRB_AP_ERR_MODIFIED;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
free_ReplyKeyPack_Win2k(&key_pack);
return krb5_enomem(context);
}
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack_Win2k(&key_pack);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT failed copying reply key", ""));
free(*key);
*key = NULL;
}
return ret;
}
static krb5_error_code
get_reply_key(krb5_context context,
const krb5_data *content,
const krb5_data *req_buffer,
krb5_keyblock **key)
{
ReplyKeyPack key_pack;
krb5_error_code ret;
size_t size;
ret = decode_ReplyKeyPack(content->data,
content->length,
&key_pack,
&size);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT decoding reply key failed", ""));
free_ReplyKeyPack(&key_pack);
return ret;
}
{
krb5_crypto crypto;
/*
* XXX Verify kp.replyKey is a allowed enctype in the
* configuration file
*/
ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto);
if (ret) {
free_ReplyKeyPack(&key_pack);
return ret;
}
ret = krb5_verify_checksum(context, crypto, 6,
req_buffer->data, req_buffer->length,
&key_pack.asChecksum);
krb5_crypto_destroy(context, crypto);
if (ret) {
free_ReplyKeyPack(&key_pack);
return ret;
}
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
free_ReplyKeyPack(&key_pack);
return krb5_enomem(context);
}
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack(&key_pack);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT failed copying reply key", ""));
free(*key);
*key = NULL;
}
return ret;
}
static krb5_error_code
pk_verify_host(krb5_context context,
const char *realm,
struct krb5_pk_init_ctx_data *ctx,
struct krb5_pk_cert *host)
{
krb5_error_code ret = 0;
if (ctx->require_eku) {
ret = hx509_cert_check_eku(context->hx509ctx, host->cert,
&asn1_oid_id_pkkdcekuoid, 0);
if (ret) {
krb5_set_error_message(context, ret,
N_("No PK-INIT KDC EKU in kdc certificate", ""));
return ret;
}
}
if (ctx->require_krbtgt_otherName) {
hx509_octet_string_list list;
size_t i;
int matched = 0;
ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
host->cert,
&asn1_oid_id_pkinit_san,
&list);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to find the PK-INIT "
"subjectAltName in the KDC "
"certificate", ""));
return ret;
}
/*
* subjectAltNames are multi-valued, and a single KDC may serve
* multiple realms. The SAN validation here must accept
* the KDC's cert if *any* of the SANs match the expected KDC.
* It is OK for *some* of the SANs to not match, provided at least
* one does.
*/
for (i = 0; matched == 0 && i < list.len; i++) {
KRB5PrincipalName r;
ret = decode_KRB5PrincipalName(list.val[i].data,
list.val[i].length,
&r,
NULL);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to decode the PK-INIT "
"subjectAltName in the "
"KDC certificate", ""));
break;
}
if (r.principalName.name_string.len == 2 &&
strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) == 0
&& strcmp(r.principalName.name_string.val[1], realm) == 0
&& strcmp(r.realm, realm) == 0)
matched = 1;
free_KRB5PrincipalName(&r);
}
hx509_free_octet_string_list(&list);
if (matched == 0 &&
(ctx->id->flags & PKINIT_NO_KDC_ANCHOR) == 0) {
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
/* XXX: Lost in translation... */
krb5_set_error_message(context, ret,
N_("KDC has wrong realm name in "
"the certificate", ""));
}
}
if (ret)
return ret;
return ret;
}
static krb5_error_code
pk_rd_pa_reply_enckey(krb5_context context,
int type,
const heim_octet_string *indata,
const heim_oid *dataType,
const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
krb5_keyblock **key)
{
krb5_error_code ret;
struct krb5_pk_cert *host = NULL;
krb5_data content;
heim_octet_string unwrapped;
heim_oid contentType = { 0, NULL };
int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_envelopedData, dataType)) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: Invalid content type", ""));
return EINVAL;
}
if (ctx->type == PKINIT_WIN2K)
flags |= HX509_CMS_UE_ALLOW_WEAK;
ret = hx509_cms_unenvelope(context->hx509ctx,
ctx->id->certs,
flags,
indata->data,
indata->length,
NULL,
0,
&contentType,
&content);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to unenvelope CMS data in PK-INIT reply");
return ret;
}
der_free_oid(&contentType);
/* win2k uses ContentInfo */
if (type == PKINIT_WIN2K) {
heim_oid type2;
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret) {
/* windows LH with interesting CMS packets */
size_t ph = 1 + der_length_len(content.length);
unsigned char *ptr = malloc(content.length + ph);
size_t l;
memcpy(ptr + ph, content.data, content.length);
ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length,
ASN1_C_UNIV, CONS, UT_Sequence, &l);
if (ret) {
free(ptr);
return ret;
}
free(content.data);
content.data = ptr;
content.length += ph;
ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret)
goto out;
}
if (der_heim_oid_cmp(&type2, &asn1_oid_id_pkcs7_signedData)) {
ret = EINVAL; /* XXX */
krb5_set_error_message(context, ret,
N_("PKINIT: Invalid content type", ""));
der_free_oid(&type2);
der_free_octet_string(&unwrapped);
goto out;
}
der_free_oid(&type2);
krb5_data_free(&content);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
}
ret = pk_verify_sign(context,
content.data,
content.length,
ctx->id,
&contentType,
&unwrapped,
&host);
if (ret == 0) {
krb5_data_free(&content);
ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
der_free_octet_string(&unwrapped);
}
if (ret)
goto out;
heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
"KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
if (host) {
/* make sure that it is the kdc's certificate */
ret = pk_verify_host(context, realm, ctx, host);
if (ret)
goto out;
ctx->kdc_verified = 1;
}
#if 0
if (type == PKINIT_WIN2K) {
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) != 0) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
goto out;
}
} else {
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkrkeydata) != 0) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
goto out;
}
}
#endif
switch(type) {
case PKINIT_WIN2K:
ret = get_reply_key(context, &content, req_buffer, key);
if (ret != 0 && ctx->require_binding == 0)
ret = get_reply_key_win(context, &content, nonce, key);
break;
case PKINIT_27:
ret = get_reply_key(context, &content, req_buffer, key);
break;
}
if (ret)
goto out;
/* XXX compare given etype with key->etype */
out:
if (host)
_krb5_pk_cert_free(host);
der_free_oid(&contentType);
krb5_data_free(&content);
return ret;
}
/*
* RFC 8062 section 7:
*
* The client then decrypts the KDC contribution key and verifies that
* the ticket session key in the returned ticket is the combined key of
* the KDC contribution key and the reply key.
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_kx_confirm(krb5_context context,
krb5_pk_init_ctx ctx,
krb5_keyblock *reply_key,
krb5_keyblock *session_key,
PA_DATA *pa_pkinit_kx)
{
krb5_error_code ret;
EncryptedData ed;
krb5_keyblock ck, sk_verify;
krb5_crypto ck_crypto = NULL;
krb5_crypto rk_crypto = NULL;
size_t len;
krb5_data data;
krb5_data p1 = { sizeof("PKINIT") - 1, rk_UNCONST("PKINIT") };
krb5_data p2 = { sizeof("KEYEXCHANGE") - 1, rk_UNCONST("KEYEXCHANGE") };
heim_assert(ctx != NULL, "PKINIT context is non-NULL");
heim_assert(reply_key != NULL, "reply key is non-NULL");
heim_assert(session_key != NULL, "session key is non-NULL");
/* PA-PKINIT-KX is optional unless anonymous */
if (pa_pkinit_kx == NULL)
return ctx->anonymous ? KRB5_KDCREP_MODIFIED : 0;
memset(&ed, 0, sizeof(ed));
krb5_keyblock_zero(&ck);
krb5_keyblock_zero(&sk_verify);
krb5_data_zero(&data);
ret = decode_EncryptedData(pa_pkinit_kx->padata_value.data,
pa_pkinit_kx->padata_value.length,
&ed, &len);
if (ret)
goto out;
if (len != pa_pkinit_kx->padata_value.length) {
ret = KRB5_KDCREP_MODIFIED;
goto out;
}
ret = krb5_crypto_init(context, reply_key, 0, &rk_crypto);
if (ret)
goto out;
ret = krb5_decrypt_EncryptedData(context, rk_crypto,
KRB5_KU_PA_PKINIT_KX,
&ed, &data);
if (ret)
goto out;
ret = decode_EncryptionKey(data.data, data.length,
&ck, &len);
if (ret)
goto out;
ret = krb5_crypto_init(context, &ck, 0, &ck_crypto);
if (ret)
goto out;
ret = krb5_crypto_fx_cf2(context, ck_crypto, rk_crypto,
&p1, &p2, session_key->keytype,
&sk_verify);
if (ret)
goto out;
if (sk_verify.keytype != session_key->keytype ||
krb5_data_ct_cmp(&sk_verify.keyvalue, &session_key->keyvalue) != 0) {
ret = KRB5_KDCREP_MODIFIED;
goto out;
}
out:
free_EncryptedData(&ed);
krb5_free_keyblock_contents(context, &ck);
krb5_free_keyblock_contents(context, &sk_verify);
if (ck_crypto)
krb5_crypto_destroy(context, ck_crypto);
if (rk_crypto)
krb5_crypto_destroy(context, rk_crypto);
krb5_data_free(&data);
return ret;
}
static krb5_error_code
pk_rd_pa_reply_dh(krb5_context context,
const heim_octet_string *indata,
const heim_oid *dataType,
const AS_REQ *a,
krb5_pk_init_ctx ctx,
const AS_REP *kdc_rep,
const PA_PK_AS_REP *pk_rep,
const DHNonce *c_n,
const DHNonce *k_n,
unsigned nonce,
const heim_oid *kdf,
PA_DATA *pa,
krb5_keyblock **key)
{
unsigned char *dh_gen_key = NULL;
struct krb5_pk_cert *host = NULL;
BIGNUM *kdc_dh_pubkey = NULL;
KDCDHKeyInfo kdc_dh_info;
heim_oid contentType = { 0, NULL };
krb5_data content;
krb5_error_code ret;
int dh_gen_keylen = 0;
size_t size;
if (ctx->want_kdf_alg && kdf &&
der_heim_oid_cmp(ctx->want_kdf_alg, kdf) != 0) {
krb5_set_error_message(context, ENOTSUP,
"PKINIT: The KDC chose a PKINIT KDF other than the one requested by the user");
return ENOTSUP;
}
krb5_data_zero(&content);
memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_signedData, dataType)) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: Invalid content type", ""));
return EINVAL;
}
ret = pk_verify_sign(context,
indata->data,
indata->length,
ctx->id,
&contentType,
&content,
&host);
if (ret)
goto out;
heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
"KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
if (host) {
/* make sure that it is the kdc's certificate */
ret = pk_verify_host(context, a->req_body.realm, ctx, host);
if (ret)
goto out;
ctx->kdc_verified = 1;
}
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_set_error_message(context, ret,
N_("pkinit - dh reply contains wrong oid", ""));
goto out;
}
ret = decode_KDCDHKeyInfo(content.data,
content.length,
&kdc_dh_info,
&size);
if (ret) {
krb5_set_error_message(context, ret,
N_("pkinit - failed to decode "
"KDC DH Key Info", ""));
goto out;
}
if (kdc_dh_info.nonce != nonce) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(context, ret,
N_("PKINIT: DH nonce is wrong", ""));
goto out;
}
if (kdc_dh_info.dhKeyExpiration) {
if (k_n == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
N_("pkinit; got key expiration "
"without server nonce", ""));
goto out;
}
if (c_n == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
N_("pkinit; got DH reuse but no "
"client nonce", ""));
goto out;
}
} else {
if (k_n) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
N_("pkinit: got server nonce "
"without key expiration", ""));
goto out;
}
c_n = NULL;
}
/* Almost exactly the same with OpenSSL 3.x APIs for DH and ECDH */
ret = _krb5_pk_rd_pa_reply_ossl_compute_key(context, ctx,
kdc_dh_info.subjectPublicKey,
&dh_gen_key,
&dh_gen_keylen);
if (ret)
goto out;
if (dh_gen_keylen <= 0) {
ret = EINVAL;
krb5_set_error_message(context, ret,
N_("PKINIT: resulting DH key <= 0", ""));
dh_gen_keylen = 0;
goto out;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
ret = krb5_enomem(context);
goto out;
}
ret = _krb5_pk_kdf2(context, a, pk_rep, dh_gen_key, dh_gen_keylen,
kdc_rep->enc_part.etype, c_n, *key);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT: can't create key from DH key", ""));
free(*key);
*key = NULL;
goto out;
}
out:
if (kdc_dh_pubkey)
BN_free(kdc_dh_pubkey);
if (dh_gen_key) {
memset(dh_gen_key, 0, dh_gen_keylen);
free(dh_gen_key);
}
if (host)
_krb5_pk_cert_free(host);
if (content.data)
krb5_data_free(&content);
der_free_oid(&contentType);
free_KDCDHKeyInfo(&kdc_dh_info);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_rd_pa_reply(krb5_context context,
void *c,
const AS_REQ *a,
const AS_REP *kdc_rep,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
krb5_keyblock **key)
{
krb5_pk_init_ctx ctx = c;
krb5_error_code ret;
size_t size;
/* Check for IETF PK-INIT first */
if (ctx->type == PKINIT_27) {
PA_PK_AS_REP rep;
heim_octet_string os, data;
heim_oid oid;
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: wrong padata recv", ""));
return EINVAL;
}
ret = decode_PA_PK_AS_REP(pa->padata_value.data,
pa->padata_value.length,
&rep,
&size);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to decode pkinit AS rep", ""));
return ret;
}
switch (rep.element) {
case choice_PA_PK_AS_REP_dhInfo:
_krb5_debug(context, 5, "krb5_get_init_creds: using pkinit dh");
os = rep.u.dhInfo.dhSignedData;
break;
case choice_PA_PK_AS_REP_encKeyPack:
_krb5_debug(context, 5, "krb5_get_init_creds: using kinit enc reply key");
os = rep.u.encKeyPack;
break;
default: {
PA_PK_AS_REP_BTMM btmm;
free_PA_PK_AS_REP(&rep);
memset(&rep, 0, sizeof(rep));
_krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key");
ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
pa->padata_value.length,
&btmm,
&size);
if (ret) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: -27 reply "
"invalid content type", ""));
return EINVAL;
}
if (btmm.dhSignedData || btmm.encKeyPack == NULL) {
free_PA_PK_AS_REP_BTMM(&btmm);
ret = EINVAL;
krb5_set_error_message(context, ret,
N_("DH mode not supported for BTMM mode", ""));
return ret;
}
/*
* Transform to IETF style PK-INIT reply so that free works below
*/
rep.element = choice_PA_PK_AS_REP_encKeyPack;
rep.u.encKeyPack.data = btmm.encKeyPack->data;
rep.u.encKeyPack.length = btmm.encKeyPack->length;
btmm.encKeyPack->data = NULL;
btmm.encKeyPack->length = 0;
free_PA_PK_AS_REP_BTMM(&btmm);
os = rep.u.encKeyPack;
}
}
ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
if (ret) {
free_PA_PK_AS_REP(&rep);
krb5_set_error_message(context, ret,
N_("PKINIT: failed to unwrap CI", ""));
return ret;
}
switch (rep.element) {
case choice_PA_PK_AS_REP_dhInfo:
ret = pk_rd_pa_reply_dh(context, &data, &oid, a, ctx, kdc_rep, &rep,
ctx->clientDHNonce,
rep.u.dhInfo.serverDHNonce,
nonce,
rep.u.dhInfo.kdf ? &rep.u.dhInfo.kdf->kdf_id : NULL,
pa, key);
break;
case choice_PA_PK_AS_REP_encKeyPack:
ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid,
a->req_body.realm, ctx,
kdc_rep->enc_part.etype, nonce, req_buffer,
pa, key);
break;
default:
krb5_abortx(context, "pk-init as-rep case not possible to happen");
}
der_free_octet_string(&data);
der_free_oid(&oid);
free_PA_PK_AS_REP(&rep);
} else if (ctx->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k w2krep;
/* Check for Windows encoding of the AS-REP pa data */
#if 0 /* should this be ? */
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_message(context, EINVAL,
"PKINIT: wrong padata recv");
return EINVAL;
}
#endif
memset(&w2krep, 0, sizeof(w2krep));
ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
pa->padata_value.length,
&w2krep,
&size);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT: Failed decoding windows "
"pkinit reply %d", ""), (int)ret);
return ret;
}
krb5_clear_error_message(context);
switch (w2krep.element) {
case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
heim_octet_string data;
heim_oid oid;
ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
&oid, &data, NULL);
free_PA_PK_AS_REP_Win2k(&w2krep);
if (ret) {
krb5_set_error_message(context, ret,
N_("PKINIT: failed to unwrap CI", ""));
return ret;
}
ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid,
a->req_body.realm, ctx,
kdc_rep->enc_part.etype, nonce, req_buffer,
pa, key);
der_free_octet_string(&data);
der_free_oid(&oid);
break;
}
default:
free_PA_PK_AS_REP_Win2k(&w2krep);
ret = EINVAL;
krb5_set_error_message(context, ret,
N_("PKINIT: win2k reply invalid "
"content type", ""));
break;
}
} else {
ret = EINVAL;
krb5_set_error_message(context, ret,
N_("PKINIT: unknown reply type", ""));
}
return ret;
}
struct prompter {
krb5_context context;
krb5_prompter_fct prompter;
void *prompter_data;
};
static int
hx_pass_prompter(void *data, const hx509_prompt *prompter)
{
krb5_error_code ret;
krb5_prompt prompt;
krb5_data password_data;
struct prompter *p = data;
password_data.data = prompter->reply.data;
password_data.length = prompter->reply.length;
prompt.prompt = prompter->prompt;
prompt.hidden = hx509_prompt_hidden(prompter->type);
prompt.reply = &password_data;
switch (prompter->type) {
case HX509_PROMPT_TYPE_INFO:
prompt.type = KRB5_PROMPT_TYPE_INFO;
break;
case HX509_PROMPT_TYPE_PASSWORD:
case HX509_PROMPT_TYPE_QUESTION:
default:
prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
break;
}
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
memset (prompter->reply.data, 0, prompter->reply.length);
return 1;
}
return 0;
}
static krb5_error_code
_krb5_pk_set_user_id(krb5_context context,
krb5_principal principal,
krb5_pk_init_ctx ctx,
struct hx509_certs_data *certs)
{
hx509_certs c = hx509_certs_ref(certs);
hx509_query *q = NULL;
int ret;
if (ctx->id->certs)
hx509_certs_free(&ctx->id->certs);
if (ctx->id->cert) {
hx509_cert_free(ctx->id->cert);
ctx->id->cert = NULL;
}
ctx->id->certs = c;
ctx->anonymous = 0;
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Allocate query to find signing certificate");
return ret;
}
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
if (ctx->want_sig_alg) {
ret = hx509_query_match_key_algorithm(q, ctx->want_sig_alg);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed setting key algorithm query");
hx509_query_free(context->hx509ctx, q);
return ret;
}
}
if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) {
ctx->id->flags |= PKINIT_BTMM;
}
ret = find_cert(context, ctx->id, q, &ctx->id->cert);
hx509_query_free(context->hx509ctx, q);
if (ret == 0 && _krb5_have_debug(context, 2)) {
hx509_name name;
char *str, *sn;
heim_integer i;
ret = hx509_cert_get_subject(ctx->id->cert, &name);
if (ret)
goto out;
ret = hx509_name_to_string(name, &str);
hx509_name_free(&name);
if (ret)
goto out;
ret = hx509_cert_get_serialnumber(ctx->id->cert, &i);
if (ret) {
free(str);
goto out;
}
ret = der_print_hex_heim_integer(&i, &sn);
der_free_heim_integer(&i);
if (ret) {
free(str);
goto out;
}
_krb5_debug(context, 2, "using cert: subject: %s sn: %s", str, sn);
free(str);
free(sn);
}
out:
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pk_load_id(krb5_context context,
struct krb5_pk_identity **ret_id,
const char *user_id,
const char *anchor_id,
char * const *chain_list,
char * const *revoke_list,
krb5_prompter_fct prompter,
void *prompter_data,
char *password)
{
struct krb5_pk_identity *id = NULL;
struct prompter p;
krb5_error_code ret;
*ret_id = NULL;
/* load cert */
id = calloc(1, sizeof(*id));
if (id == NULL)
return krb5_enomem(context);
if (user_id) {
hx509_lock lock;
ret = hx509_lock_init(context->hx509ctx, &lock);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret, "Failed init lock");
goto out;
}
if (password && password[0])
hx509_lock_add_password(lock, password);
if (prompter) {
p.context = context;
p.prompter = prompter;
p.prompter_data = prompter_data;
ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
if (ret) {
hx509_lock_free(lock);
goto out;
}
}
ret = hx509_certs_init(context->hx509ctx, user_id, 0, lock, &id->certs);
hx509_lock_free(lock);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to init cert certs");
goto out;
}
} else {
id->certs = NULL;
}
ret = hx509_certs_init(context->hx509ctx, anchor_id, 0, NULL, &id->anchors);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to init anchors");
goto out;
}
ret = hx509_certs_init(context->hx509ctx, "MEMORY:pkinit-cert-chain",
0, NULL, &id->certpool);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to init chain");
goto out;
}
while (chain_list && *chain_list) {
ret = hx509_certs_append(context->hx509ctx, id->certpool,
NULL, *chain_list);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to load chain %s",
*chain_list);
goto out;
}
chain_list++;
}
if (revoke_list) {
ret = hx509_revoke_init(context->hx509ctx, &id->revokectx);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to init revoke list");
goto out;
}
while (*revoke_list) {
ret = hx509_revoke_add_crl(context->hx509ctx,
id->revokectx,
*revoke_list);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to load revoke list");
goto out;
}
revoke_list++;
}
} else
hx509_context_set_missing_revoke(context->hx509ctx, 1);
ret = hx509_verify_init_ctx(context->hx509ctx, &id->verify_ctx);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to init verify context");
goto out;
}
hx509_verify_attach_anchors(id->verify_ctx, id->anchors);
hx509_verify_attach_revoke(id->verify_ctx, id->revokectx);
out:
if (ret) {
hx509_verify_destroy_ctx(id->verify_ctx);
hx509_certs_free(&id->certs);
hx509_certs_free(&id->anchors);
hx509_certs_free(&id->certpool);
hx509_revoke_free(&id->revokectx);
free(id);
} else
*ret_id = id;
return ret;
}
/*
*
*/
static void
pk_copy_error(krb5_context context,
hx509_context hx509ctx,
int hxret,
const char *fmt,
...)
{
va_list va;
char *s, *f;
int ret;
va_start(va, fmt);
ret = vasprintf(&f, fmt, va);
va_end(va);
if (ret == -1 || f == NULL) {
krb5_clear_error_message(context);
return;
}
s = hx509_get_error_string(hx509ctx, hxret);
if (s == NULL) {
krb5_clear_error_message(context);
free(f);
return;
}
krb5_set_error_message(context, hxret, "%s: %s", f, s);
free(s);
free(f);
}
static int
parse_integer(krb5_context context, char **p, const char *file, int lineno,
const char *name, heim_integer *integer)
{
int ret;
char *p1;
p1 = strsep(p, " \t");
if (p1 == NULL) {
krb5_set_error_message(context, EINVAL,
N_("moduli file %s missing %s on line %d", ""),
file, name, lineno);
return EINVAL;
}
ret = der_parse_hex_heim_integer(p1, integer);
if (ret) {
krb5_set_error_message(context, ret,
N_("moduli file %s failed parsing %s "
"on line %d", ""),
file, name, lineno);
return ret;
}
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_parse_moduli_line(krb5_context context,
const char *file,
int lineno,
char *p,
struct krb5_dh_moduli **m)
{
struct krb5_dh_moduli *m1;
char *p1;
int ret;
*m = NULL;
m1 = calloc(1, sizeof(*m1));
if (m1 == NULL)
return krb5_enomem(context);
while (isspace((unsigned char)*p))
p++;
if (*p == '#') {
free(m1);
return 0;
}
ret = EINVAL;
p1 = strsep(&p, " \t");
if (p1 == NULL) {
krb5_set_error_message(context, ret,
N_("moduli file %s missing name on line %d", ""),
file, lineno);
goto out;
}
m1->name = strdup(p1);
if (m1->name == NULL) {
ret = krb5_enomem(context);
goto out;
}
p1 = strsep(&p, " \t");
if (p1 == NULL) {
krb5_set_error_message(context, ret,
N_("moduli file %s missing bits on line %d", ""),
file, lineno);
goto out;
}
m1->bits = atoi(p1);
if (m1->bits == 0) {
krb5_set_error_message(context, ret,
N_("moduli file %s has un-parsable "
"bits on line %d", ""), file, lineno);
goto out;
}
ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
if (ret)
goto out;
ret = parse_integer(context, &p, file, lineno, "g", &m1->g);
if (ret)
goto out;
ret = parse_integer(context, &p, file, lineno, "q", &m1->q);
if (ret) {
m1->q.negative = 0;
m1->q.length = 0;
m1->q.data = 0;
krb5_clear_error_message(context);
}
*m = m1;
return 0;
out:
free(m1->name);
der_free_heim_integer(&m1->p);
der_free_heim_integer(&m1->g);
der_free_heim_integer(&m1->q);
free(m1);
return ret;
}
static void
free_moduli_element(struct krb5_dh_moduli *element)
{
free(element->name);
der_free_heim_integer(&element->p);
der_free_heim_integer(&element->g);
der_free_heim_integer(&element->q);
free(element);
}
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_free_moduli(struct krb5_dh_moduli **moduli)
{
int i;
for (i = 0; moduli[i] != NULL; i++)
free_moduli_element(moduli[i]);
free(moduli);
}
static const char *default_moduli_RFC2412_MODP_group2 =
/* name */
"RFC2412-MODP-group2 "
/* bits */
"1024 "
/* p */
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
"FFFFFFFF" "FFFFFFFF "
/* g */
"02 "
/* q */
"7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
"94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
"F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
"F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
"F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
"FFFFFFFF" "FFFFFFFF";
static const char *default_moduli_rfc3526_MODP_group14 =
/* name */
"rfc3526-MODP-group14 "
/* bits */
"2048 "
/* p */
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
/* g */
"02 "
/* q */
"7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
"94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
"F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
"F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
"F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
"E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
"C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
"B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
"F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
"EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
"0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_parse_moduli(krb5_context context, const char *file,
struct krb5_dh_moduli ***moduli)
{
/* name bits P G Q */
krb5_error_code ret;
struct krb5_dh_moduli **m = NULL, **m2;
char buf[4096];
FILE *f;
int lineno = 0, n = 0;
*moduli = NULL;
m = calloc(1, sizeof(m[0]) * 3);
if (m == NULL)
return krb5_enomem(context);
strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]);
if (ret) {
_krb5_free_moduli(m);
return ret;
}
n++;
strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]);
if (ret) {
_krb5_free_moduli(m);
return ret;
}
n++;
if (file == NULL)
file = MODULI_FILE;
{
char *exp_file;
if (_krb5_expand_path_tokens(context, file, 1, &exp_file) == 0) {
f = fopen(exp_file, "r");
krb5_xfree(exp_file);
} else {
f = NULL;
}
}
if (f == NULL) {
*moduli = m;
return 0;
}
rk_cloexec_file(f);
while(fgets(buf, sizeof(buf), f) != NULL) {
struct krb5_dh_moduli *element;
buf[strcspn(buf, "\n")] = '\0';
lineno++;
ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
if (ret)
break;
if (element == NULL)
continue;
m2 = realloc(m, (n + 2) * sizeof(m[0]));
if (m2 == NULL) {
free_moduli_element(element);
ret = krb5_enomem(context);
break;
}
m = m2;
m[n] = element;
m[n + 1] = NULL;
n++;
}
if (ret) {
_krb5_free_moduli(m);
m = NULL;
}
*moduli = m;
(void) fclose(f);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_dh_group_ok(krb5_context context, unsigned long bits,
heim_integer *p, heim_integer *g, heim_integer *q,
struct krb5_dh_moduli **moduli,
char **name)
{
unsigned long dh_min_bits = krb5_config_get_int_default(context, NULL, 0,
"libdefaults",
"pkinit_dh_min_bits",
NULL);
int i;
if (name)
*name = NULL;
if (dh_min_bits > 0 && bits < dh_min_bits) {
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
N_("PKINIT: DH group parameter not ok (group too small)", ""));
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
for (i = 0; moduli[i] != NULL; i++) {
if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
(q == NULL || moduli[i]->q.length == 0 ||
der_heim_integer_cmp(&moduli[i]->q, q) == 0))
{
if (bits && bits > moduli[i]->bits) {
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
N_("PKINIT: DH group parameter %s "
"not accepted, not enough bits "
"generated", ""),
moduli[i]->name);
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
if (name)
*name = strdup(moduli[i]->name);
return 0;
}
}
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
N_("PKINIT: DH group parameter not ok", ""));
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
{
krb5_pk_init_ctx ctx;
if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL)
return;
ctx = opt->opt_private->pk_init_ctx;
switch (ctx->keyex) {
case USE_DH:
case USE_ECDH:
EVP_PKEY_free(ctx->pkey);
break;
case USE_RSA:
break;
}
if (ctx->id) {
hx509_verify_destroy_ctx(ctx->id->verify_ctx);
hx509_certs_free(&ctx->id->certs);
hx509_cert_free(ctx->id->cert);
hx509_certs_free(&ctx->id->anchors);
hx509_certs_free(&ctx->id->certpool);
if (ctx->clientDHNonce) {
krb5_free_data(NULL, ctx->clientDHNonce);
ctx->clientDHNonce = NULL;
}
if (ctx->m)
_krb5_free_moduli(ctx->m);
free(ctx->id);
ctx->id = NULL;
}
free(opt->opt_private->pk_init_ctx);
opt->opt_private->pk_init_ctx = NULL;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pkinit_allowed_algs(krb5_context context,
krb5_get_init_creds_opt *opt,
const char *dh_alg,
const char *sig_alg,
const char *kdf_alg)
{
const heim_oid *oid = NULL;
if (sig_alg) {
/*
* Signature algorithm preferences select certificates by public key
* algorithm OID.
*/
if (strcasecmp(sig_alg, "ed25519") == 0)
oid = ASN1_OID_ID_ED25519;
else if (strcasecmp(sig_alg, "ed448") == 0)
oid = ASN1_OID_ID_ED448;
else if (strcasecmp(sig_alg, "rsa") == 0 ||
strcasecmp(sig_alg, "rsa-sha256") == 0)
oid = &asn1_oid_id_pkcs1_rsaEncryption;
else if ((oid = _krb5_ec_nidname2heim_oid(sig_alg)) == NULL) {
krb5_set_error_message(context, KRB5_KDC_ERR_INVALID_HASH_ALG,
"PKINIT: Signature/key algorithm %s unknown",
sig_alg);
return KRB5_KDC_ERR_INVALID_HASH_ALG;
}
opt->opt_private->pk_init_ctx->want_sig_alg = oid;
}
if (dh_alg) {
if ((oid = _krb5_ec_nidname2heim_oid(dh_alg))) {
opt->opt_private->pk_init_ctx->keyex = USE_ECDH;
} else if (strncmp(dh_alg, "modp", sizeof("modp") - 1) == 0) {
oid = &asn1_oid_id_dhpublicnumber;
opt->opt_private->pk_init_ctx->keyex = USE_DH;
}
if (oid == NULL) {
krb5_set_error_message(context, KRB5_KDC_ERR_INVALID_HASH_ALG,
"PKINIT: Key agreement algorithm %s unknown",
dh_alg);
return KRB5_KDC_ERR_INVALID_HASH_ALG;
}
opt->opt_private->pk_init_ctx->want_dh_alg = oid;
}
if (kdf_alg) {
if (strcmp(kdf_alg, "ah-sha1") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha1;
else if (strcmp(kdf_alg, "ah-sha256") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha256;
else if (strcmp(kdf_alg, "ah-sha384") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha384;
else if (strcmp(kdf_alg, "ah-sha512") == 0)
oid = &asn1_oid_id_pkinit_kdf_ah_sha512;
else if (strcmp(kdf_alg, "RFC4556") == 0)
/*
* asn1_oid_id_pkinit_kdf is not a thing, but we'll use it
* internally to mean "use only the RFC4556 KDF", and that we want
* only for testing purposes (to test interop with older Heimdal
* and MIT Kerberos KDCs).
*/
oid = &asn1_oid_id_pkinit_kdf;
if (oid == NULL) {
krb5_set_error_message(context, KRB5_KDC_ERR_INVALID_HASH_ALG,
"PKINIT: Key derivation function algorithm %s unknown",
kdf_alg);
return KRB5_KDC_ERR_INVALID_HASH_ALG;
}
opt->opt_private->pk_init_ctx->want_kdf_alg = oid;
}
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_set_pkinit(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_principal principal,
const char *user_id,
const char *x509_anchors,
char * const * pool,
char * const * pki_revoke,
int flags,
krb5_prompter_fct prompter,
void *prompter_data,
char *password)
{
krb5_error_code ret;
char **freeme1 = NULL;
char **freeme2 = NULL;
char *anchors = NULL;
if (opt->opt_private == NULL) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: on non extendable opt", ""));
return EINVAL;
}
opt->opt_private->pk_init_ctx =
calloc(1, sizeof(*opt->opt_private->pk_init_ctx));
if (opt->opt_private->pk_init_ctx == NULL)
return krb5_enomem(context);
opt->opt_private->pk_init_ctx->require_binding = 0;
opt->opt_private->pk_init_ctx->require_eku = 1;
opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1;
opt->opt_private->pk_init_ctx->peer = NULL;
/* XXX implement krb5_appdefault_strings */
if (pool == NULL)
pool = freeme1 = krb5_config_get_strings(context, NULL, "appdefaults",
"pkinit_pool", NULL);
if (pki_revoke == NULL)
pki_revoke = freeme2 = krb5_config_get_strings(context, NULL,
"appdefaults",
"pkinit_revoke", NULL);
if (x509_anchors == NULL) {
krb5_appdefault_string(context, "kinit",
krb5_principal_get_realm(context, principal),
"pkinit_anchors", NULL, &anchors);
x509_anchors = anchors;
}
if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS)
opt->opt_private->pk_init_ctx->anonymous = 1;
if ((flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) == 0 &&
x509_anchors == NULL) {
krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
N_("PKINIT: No anchor given", ""));
return HEIM_PKINIT_NO_VALID_CA;
}
ret = _krb5_pk_load_id(context,
&opt->opt_private->pk_init_ctx->id,
user_id,
x509_anchors,
pool,
pki_revoke,
prompter,
prompter_data,
password);
krb5_config_free_strings(freeme2);
krb5_config_free_strings(freeme1);
free(anchors);
if (ret) {
free(opt->opt_private->pk_init_ctx);
opt->opt_private->pk_init_ctx = NULL;
return ret;
}
if (flags & KRB5_GIC_OPT_PKINIT_BTMM)
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
if (principal && krb5_principal_is_lkdc(context, principal))
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
if (flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR)
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_NO_KDC_ANCHOR;
if (opt->opt_private->pk_init_ctx->id->certs) {
ret = _krb5_pk_set_user_id(context,
principal,
opt->opt_private->pk_init_ctx,
opt->opt_private->pk_init_ctx->id->certs);
if (ret) {
free(opt->opt_private->pk_init_ctx);
opt->opt_private->pk_init_ctx = NULL;
return ret;
}
} else
opt->opt_private->pk_init_ctx->id->cert = NULL;
if ((flags & KRB5_GIC_OPT_PKINIT_USE_ENCKEY) == 0) {
/* Use key agreement (modp DH) or ECDH (including X curves) */
opt->opt_private->pk_init_ctx->keyex =
select_dh_type(context, opt->opt_private->pk_init_ctx);
} else {
/* Use RSA key transport */
opt->opt_private->pk_init_ctx->keyex = USE_RSA;
if (opt->opt_private->pk_init_ctx->id->certs == NULL) {
krb5_set_error_message(context, EINVAL,
N_("No anonymous pkinit support in RSA mode", ""));
return EINVAL;
}
}
return 0;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
krb5_get_init_creds_opt *opt,
struct hx509_certs_data *certs)
{
if (opt->opt_private == NULL) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: on non extendable opt", ""));
return EINVAL;
}
if (opt->opt_private->pk_init_ctx == NULL) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: on pkinit context", ""));
return EINVAL;
}
return _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
}
static int
get_ms_san(hx509_context context, hx509_cert cert, char **upn)
{
hx509_octet_string_list list;
int ret;
*upn = NULL;
ret = hx509_cert_find_subjectAltName_otherName(context,
cert,
&asn1_oid_id_pkinit_ms_san,
&list);
if (ret)
return 0;
if (list.len > 0 && list.val[0].length > 0)
ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length,
upn, NULL);
else
ret = 1;
hx509_free_octet_string_list(&list);
return ret;
}
static int
find_ms_san(hx509_context context, hx509_cert cert, void *ctx)
{
char *upn;
int ret;
ret = get_ms_san(context, cert, &upn);
if (ret == 0)
free(upn);
return ret;
}
/*
* Private since it need to be redesigned using krb5_get_init_creds()
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pk_enterprise_cert(krb5_context context,
const char *user_id,
krb5_const_realm realm,
krb5_principal *principal,
struct hx509_certs_data **res)
{
krb5_error_code ret;
hx509_certs certs, result;
hx509_cert cert = NULL;
hx509_query *q;
char *name;
*principal = NULL;
if (res)
*res = NULL;
if (user_id == NULL) {
krb5_set_error_message(context, ENOENT, "no user id");
return ENOENT;
}
ret = hx509_certs_init(context->hx509ctx, user_id, 0, NULL, &certs);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to init cert certs");
goto out;
}
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
krb5_set_error_message(context, ret, "out of memory");
hx509_certs_free(&certs);
goto out;
}
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
hx509_query_match_eku(q, &asn1_oid_id_pkinit_ms_eku);
hx509_query_match_cmp_func(q, find_ms_san, NULL);
ret = hx509_certs_filter(context->hx509ctx, certs, q, &result);
hx509_query_free(context->hx509ctx, q);
hx509_certs_free(&certs);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to find PKINIT certificate");
return ret;
}
ret = hx509_get_one_cert(context->hx509ctx, result, &cert);
hx509_certs_free(&result);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to get one cert");
goto out;
}
ret = get_ms_san(context->hx509ctx, cert, &name);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"Failed to get MS SAN");
goto out;
}
ret = krb5_make_principal(context, principal, realm, name, NULL);
free(name);
if (ret)
goto out;
krb5_principal_set_type(context, *principal, KRB5_NT_ENTERPRISE_PRINCIPAL);
if (res) {
ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res);
if (ret)
goto out;
ret = hx509_certs_add(context->hx509ctx, *res, cert);
if (ret) {
hx509_certs_free(res);
goto out;
}
}
out:
hx509_cert_free(cert);
return ret;
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_pk_is_kdc_verified(krb5_context context,
krb5_get_init_creds_opt *opt)
{
if (opt == NULL ||
opt->opt_private == NULL ||
opt->opt_private->pk_init_ctx == NULL)
return FALSE;
return opt->opt_private->pk_init_ctx->kdc_verified;
}
Reference in New Issue View Git Blame Copy Permalink