ea90ca8666
This is the second of two commits in a series that must be picked together.
This series of two commits moves parts of lib/krb5/ infrastructure
functionality to lib/base/, leaving behind wrappers.
Some parts of libkrb5 are entirely generic or easily made so, and could
be useful in various parts of Heimdal that are not specific to the krb5
API, such as:
- lib/gssapi/ (especially since the integration of NegoEx)
- lib/hx509/
- bx509d (which should really move out of kdc/)
For the above we need to move these bits of lib/krb5/:
- lib/krb5/config_file.c (all of it, leaving forwardings behind)
- lib/krb5/config_reg.c (all of it)
- lib/krb5/plugin.c (all of it, leaving forwardings behind)
- lib/krb5/log.c (all of it, ditto)
- lib/krb5/heim_err.et (all of it)
And because of those two, these too must also move:
- lib/krb5/expand_path.c (all of it, leaving forwardings behind)
- lib/krb5/warn.c (just the warning functions, ditto)
The changes to the moved files are mostly quite straightforward and are
best reviewed with --word-diff=color.
We're also creating a heim_context and a heim API to go with it. But
it's as thin as possible, with as little state as necessary to enable
this move. Functions for dealing with error messages use callbacks.
Moving plugin.c does have one knock-on effect on all users of the old
krb5 plugin API (which remains), which is that a global search and
replace of struct krb5_plugin_data to struct heim_plugin_data was
needed, though the layout and size of that structure doesn't change, so
the ABI doesn't either.
As well, we now build lib/vers/ and lib/com_err/ before lib/base/ so as
to be able to move lib/krb5/heim_err.et to lib/base/ so that we can make
use of HEIM_ERR_* in lib/base/, specifically in the files that moved.
Once this is all done we'll be able to use config files and plugins in
lib/hx509/, we'll be able to move bx509d out of kdc/, and so on.
Most if not all of the new functions in lib/base/ are Heimdal-private,
thus calling conventions for them are not declared.
Status:
- builds and passes CIs (Travis, Appveyor)
- ran make check-valgrind and no new leaks or other memory errors
- ready for review
HOW TO REVIEW:
$ # Review file moves:
$ git log --stat -n1 HEAD^
$
$ # Review changes to moved files using --word-diff=color
$ git log -p -b -w --word-diff=color HEAD^..HEAD \
lib/base/config_file.c \
lib/base/config_reg.c \
lib/base/expand_path.c \
lib/base/warn.c \
lib/krb5/config_file.c \
lib/krb5/config_reg.c \
lib/krb5/expand_path.c \
lib/krb5/warn.c
$
$ # Review the whole thing, possibly adding -b and/or -w, and
$ # maybe --word-diff=color:
$ git log -p origin/master..HEAD
$ git log -p -b -w origin/master..HEAD
$ git log -p -b -w --word-diff=color origin/master..HEAD
TBD (future commits):
- make lib/gssapi use the new heimbase functions
- move kx509/bx509d common code to lib/hx509/ or other approp. location
- move bx509d out of kdc/
324 lines
11 KiB
C
324 lines
11 KiB
C
/*
|
|
* Copyright (c) 2019 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* This is a plugin by which bx509d can validate Negotiate tokens.
|
|
*
|
|
* [kdc]
|
|
* negotiate_token_validator = {
|
|
* keytab = ...
|
|
* }
|
|
*/
|
|
|
|
#define _DEFAULT_SOURCE
|
|
#define _BSD_SOURCE
|
|
#define _GNU_SOURCE 1
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <ctype.h>
|
|
#include <errno.h>
|
|
#include <limits.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
#include <base64.h>
|
|
#include <roken.h>
|
|
#include <heimbase.h>
|
|
#include <krb5.h>
|
|
#include <common_plugin.h>
|
|
#include <gssapi/gssapi.h>
|
|
#include <token_validator_plugin.h>
|
|
|
|
static int
|
|
display_status(krb5_context context,
|
|
OM_uint32 major,
|
|
OM_uint32 minor,
|
|
gss_cred_id_t acred,
|
|
gss_ctx_id_t gctx,
|
|
gss_OID mech_type)
|
|
{
|
|
gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;
|
|
OM_uint32 dmaj, dmin;
|
|
OM_uint32 more = 0;
|
|
char *gmmsg = NULL;
|
|
char *gmsg = NULL;
|
|
char *s = NULL;
|
|
|
|
do {
|
|
gss_release_buffer(&dmin, &buf);
|
|
dmaj = gss_display_status(&dmin, major, GSS_C_GSS_CODE, GSS_C_NO_OID,
|
|
&more, &buf);
|
|
if (GSS_ERROR(dmaj) ||
|
|
buf.length >= INT_MAX ||
|
|
asprintf(&s, "%s%s%.*s", gmsg ? gmsg : "", gmsg ? ": " : "",
|
|
(int)buf.length, (char *)buf.value) == -1 ||
|
|
s == NULL) {
|
|
free(gmsg);
|
|
gmsg = NULL;
|
|
break;
|
|
}
|
|
gmsg = s;
|
|
s = NULL;
|
|
} while (!GSS_ERROR(dmaj) && more);
|
|
if (mech_type != GSS_C_NO_OID) {
|
|
do {
|
|
gss_release_buffer(&dmin, &buf);
|
|
dmaj = gss_display_status(&dmin, major, GSS_C_MECH_CODE, mech_type,
|
|
&more, &buf);
|
|
if (GSS_ERROR(dmaj) ||
|
|
asprintf(&s, "%s%s%.*s", gmmsg ? gmmsg : "", gmmsg ? ": " : "",
|
|
(int)buf.length, (char *)buf.value) == -1 ||
|
|
s == NULL) {
|
|
free(gmmsg);
|
|
gmmsg = NULL;
|
|
break;
|
|
}
|
|
gmmsg = s;
|
|
s = NULL;
|
|
} while (!GSS_ERROR(dmaj) && more);
|
|
}
|
|
if (gmsg == NULL)
|
|
krb5_set_error_message(context, ENOMEM, "Error displaying GSS-API "
|
|
"status");
|
|
else
|
|
krb5_set_error_message(context, EACCES, "%s%s%s%s", gmmsg,
|
|
gmmsg ? " (" : "", gmmsg ? gmmsg : "",
|
|
gmmsg ? ")" : "");
|
|
if (acred && gctx)
|
|
krb5_prepend_error_message(context, EACCES, "Failed to validate "
|
|
"Negotiate token due to error examining "
|
|
"GSS-API security context");
|
|
else if (acred)
|
|
krb5_prepend_error_message(context, EACCES, "Failed to validate "
|
|
"Negotiate token due to error accepting "
|
|
"GSS-API security context token");
|
|
else
|
|
krb5_prepend_error_message(context, EACCES, "Failed to validate "
|
|
"Negotiate token due to error acquiring "
|
|
"GSS-API default acceptor credential");
|
|
return EACCES;
|
|
}
|
|
|
|
static KRB5_LIB_CALL krb5_error_code
|
|
validate(void *ctx,
|
|
krb5_context context,
|
|
const char *realm,
|
|
const char *token_type,
|
|
krb5_data *token,
|
|
const char * const *audiences,
|
|
size_t naudiences,
|
|
krb5_boolean *result,
|
|
krb5_principal *actual_principal,
|
|
krb5_times *token_times)
|
|
{
|
|
gss_buffer_desc adisplay_name = GSS_C_EMPTY_BUFFER;
|
|
gss_buffer_desc idisplay_name = GSS_C_EMPTY_BUFFER;
|
|
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
|
|
gss_buffer_desc input_token;
|
|
gss_cred_id_t acred = GSS_C_NO_CREDENTIAL;
|
|
gss_ctx_id_t gctx = GSS_C_NO_CONTEXT;
|
|
gss_name_t aname = GSS_C_NO_NAME;
|
|
gss_name_t iname = GSS_C_NO_NAME;
|
|
gss_OID mech_type = GSS_C_NO_OID;
|
|
const char *kt = krb5_config_get_string(context, NULL, "kdc",
|
|
"negotiate_token_validator",
|
|
"keytab", NULL);
|
|
OM_uint32 major, minor, ret_flags, time_rec;
|
|
size_t i;
|
|
char *token_decoded = NULL;
|
|
void *token_copy = NULL;
|
|
char *princ_str = NULL;
|
|
int ret = 0;
|
|
|
|
if (strcmp(token_type, "Negotiate") != 0)
|
|
return KRB5_PLUGIN_NO_HANDLE;
|
|
|
|
if (kt) {
|
|
gss_key_value_element_desc store_keytab_kv;
|
|
gss_key_value_set_desc store;
|
|
gss_OID_desc mech_set[2] = { *GSS_KRB5_MECHANISM, *GSS_SPNEGO_MECHANISM };
|
|
gss_OID_set_desc mechs = { 2, mech_set };
|
|
|
|
store_keytab_kv.key = "keytab";
|
|
store_keytab_kv.value = kt;
|
|
store.elements = &store_keytab_kv;
|
|
store.count = 1;
|
|
major = gss_acquire_cred_from(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
|
|
&mechs, GSS_C_ACCEPT, &store, &acred, NULL,
|
|
NULL);
|
|
if (major != GSS_S_COMPLETE)
|
|
return display_status(context, major, minor, acred, gctx, mech_type);
|
|
|
|
mechs.count = 1;
|
|
major = gss_set_neg_mechs(&minor, acred, &mechs);
|
|
if (major != GSS_S_COMPLETE)
|
|
return display_status(context, major, minor, acred, gctx, mech_type);
|
|
} /* else we'll use the default credential */
|
|
|
|
if ((token_decoded = malloc(token->length)) == NULL ||
|
|
(token_copy = calloc(1, token->length + 1)) == NULL)
|
|
goto enomem;
|
|
|
|
memcpy(token_copy, token->data, token->length);
|
|
if ((ret = rk_base64_decode(token_copy, token_decoded)) <= 0) {
|
|
krb5_set_error_message(context, EACCES, "Negotiate token malformed");
|
|
ret = EACCES;
|
|
goto out;
|
|
}
|
|
|
|
input_token.value = token_decoded;
|
|
input_token.length = ret;
|
|
major = gss_accept_sec_context(&minor, &gctx, acred, &input_token, NULL,
|
|
&iname, &mech_type, &output_token,
|
|
&ret_flags, &time_rec, NULL);
|
|
|
|
if (mech_type == GSS_C_NO_OID ||
|
|
!gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) {
|
|
krb5_set_error_message(context, ret = EACCES, "Negotiate token used "
|
|
"non-Kerberos mechanism");
|
|
goto out;
|
|
}
|
|
|
|
if (major != GSS_S_COMPLETE) {
|
|
ret = display_status(context, major, minor, acred, gctx, mech_type);
|
|
if (ret == 0)
|
|
ret = EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
major = gss_inquire_context(&minor, gctx, NULL, &aname, NULL, NULL,
|
|
NULL, NULL, NULL);
|
|
if (major == GSS_S_COMPLETE)
|
|
major = gss_display_name(&minor, aname, &adisplay_name, NULL);
|
|
if (major == GSS_S_COMPLETE)
|
|
major = gss_display_name(&minor, iname, &idisplay_name, NULL);
|
|
if (major != GSS_S_COMPLETE) {
|
|
ret = display_status(context, major, minor, acred, gctx, mech_type);
|
|
if (ret == 0)
|
|
ret = EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
for (i = 0; i < naudiences; i++) {
|
|
const char *s = adisplay_name.value;
|
|
size_t slen = adisplay_name.length;
|
|
size_t len = strlen(audiences[i]);
|
|
|
|
if (slen >= sizeof("HTTP/") - 1 &&
|
|
slen >= sizeof("HTTP/") - 1 + len &&
|
|
memcmp(s, "HTTP/", sizeof("HTTP/") - 1) == 0 &&
|
|
memcmp(s + sizeof("HTTP/") - 1, audiences[i], len) == 0 &&
|
|
s[sizeof("HTTP/") - 1 + len] == '@')
|
|
break;
|
|
}
|
|
if (i == naudiences) {
|
|
/* This handles the case where naudiences == 0 as an error */
|
|
krb5_set_error_message(context, EACCES, "Negotiate token used "
|
|
"wrong HTTP service host acceptor name");
|
|
goto out;
|
|
}
|
|
|
|
if ((princ_str = calloc(1, idisplay_name.length + 1)) == NULL)
|
|
goto enomem;
|
|
memcpy(princ_str, idisplay_name.value, idisplay_name.length);
|
|
if ((ret = krb5_parse_name(context, princ_str, actual_principal)))
|
|
goto out;
|
|
|
|
/* XXX Need name attributes to get authtime/starttime/renew_till */
|
|
token_times->authtime = 0;
|
|
token_times->starttime = time(NULL) - 300;
|
|
token_times->endtime = token_times->starttime + 300 + time_rec;
|
|
token_times->renew_till = 0;
|
|
|
|
*result = TRUE;
|
|
goto out;
|
|
|
|
enomem:
|
|
ret = krb5_enomem(context);
|
|
out:
|
|
gss_delete_sec_context(&minor, &gctx, NULL);
|
|
gss_release_buffer(&minor, &adisplay_name);
|
|
gss_release_buffer(&minor, &idisplay_name);
|
|
gss_release_buffer(&minor, &output_token);
|
|
gss_release_cred(&minor, &acred);
|
|
gss_release_name(&minor, &aname);
|
|
gss_release_name(&minor, &iname);
|
|
free(token_decoded);
|
|
free(token_copy);
|
|
free(princ_str);
|
|
return ret;
|
|
}
|
|
|
|
static KRB5_LIB_CALL krb5_error_code
|
|
negotiate_init(krb5_context context, void **c)
|
|
{
|
|
*c = NULL;
|
|
return 0;
|
|
}
|
|
|
|
static KRB5_LIB_CALL void
|
|
negotiate_fini(void *c)
|
|
{
|
|
}
|
|
|
|
static krb5plugin_token_validator_ftable plug_desc =
|
|
{ 1, negotiate_init, negotiate_fini, validate };
|
|
|
|
static krb5plugin_token_validator_ftable *plugs[] = { &plug_desc };
|
|
|
|
static uintptr_t
|
|
negotiate_get_instance(const char *libname)
|
|
{
|
|
if (strcmp(libname, "krb5") == 0)
|
|
return krb5_get_instance(libname);
|
|
/* XXX gss_get_instance() doesn't exist :( */
|
|
return 0;
|
|
}
|
|
|
|
krb5_plugin_load_ft kdc_token_validator_plugin_load;
|
|
|
|
krb5_error_code KRB5_CALLCONV
|
|
kdc_token_validator_plugin_load(heim_pcontext context,
|
|
krb5_get_instance_func_t *get_instance,
|
|
size_t *num_plugins,
|
|
krb5_plugin_common_ftable_cp **plugins)
|
|
{
|
|
*get_instance = negotiate_get_instance;
|
|
*num_plugins = sizeof(plugs) / sizeof(plugs[0]);
|
|
*plugins = (krb5_plugin_common_ftable_cp *)plugs;
|
|
return 0;
|
|
}
|