kdc/mssfu.c

   1 /*
   2  * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kdc_locl.h"
  35
  36 /*
  37  * [MS-SFU] Kerberos Protocol Extensions:
  38  * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
  39  * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
  40  */
  41
  42 /*
  43  * Determine if constrained delegation is allowed from this client to this server
  44  */
  45
  46 static krb5_error_code
  47 check_constrained_delegation(krb5_context context,
  48                              krb5_kdc_configuration *config,
  49                              HDB *clientdb,
  50                              hdb_entry *client,
  51                              hdb_entry *server,
  52                              krb5_const_principal target)
  53 {
  54     const HDB_Ext_Constrained_delegation_acl *acl;
  55     krb5_error_code ret;
  56     size_t i;
  57
  58     /*
  59      * constrained delegation (S4U2Proxy) only works within
  60      * the same realm. We use the already canonicalized version
  61      * of the principals here, while "target" is the principal
  62      * provided by the client.
  63      */
  64     if (!krb5_realm_compare(context, client->principal, server->principal)) {
  65         ret = KRB5KDC_ERR_BADOPTION;
  66         kdc_log(context, config, 4,
  67             "Bad request for constrained delegation");
  68         return ret;
  69     }
  70
  71     if (clientdb->hdb_check_constrained_delegation) {
  72         ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
  73         if (ret == 0)
  74             return 0;
  75     } else {
  76         /* if client delegates to itself, that ok */
  77         if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
  78             return 0;
  79
  80         ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
  81         if (ret) {
  82             krb5_clear_error_message(context);
  83             return ret;
  84         }
  85
  86         if (acl) {
  87             for (i = 0; i < acl->len; i++) {
  88                 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
  89                     return 0;
  90             }
  91         }
  92         ret = KRB5KDC_ERR_BADOPTION;
  93     }
  94     kdc_log(context, config, 4,
  95             "Bad request for constrained delegation");
  96     return ret;
  97 }
  98
  99 /*
 100  * Validate a protocol transition (S4U2Self) request. If present and
 101  * successfully validated then the client in the request structure
 102  * will be replaced with the impersonated client.
 103  */
 104
 105 static krb5_error_code
 106 validate_protocol_transition(astgs_request_t r)
 107 {
 108     krb5_error_code ret;
 109     KDC_REQ_BODY *b = &r->req.req_body;
 110     EncTicketPart *ticket = &r->ticket->ticket;
 111     hdb_entry *s4u_client = NULL;
 112     HDB *s4u_clientdb;
 113     int flags = HDB_F_FOR_TGS_REQ;
 114     krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
 115     krb5_pac s4u_pac = NULL;
 116     const PA_DATA *sdata;
 117     char *s4ucname = NULL;
 118     int i = 0;
 119     krb5_crypto crypto;
 120     krb5_data datack;
 121     PA_S4U2Self self;
 122     const char *str;
 123
 124     if (r->client == NULL)
 125         return 0;
 126
 127     sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
 128     if (sdata == NULL)
 129         return 0;
 130
 131     memset(&self, 0, sizeof(self));
 132
 133     if (b->kdc_options.canonicalize)
 134         flags |= HDB_F_CANON;
 135
 136     ret = decode_PA_S4U2Self(sdata->padata_value.data,
 137                              sdata->padata_value.length,
 138                              &self, NULL);
 139     if (ret) {
 140         kdc_audit_addreason((kdc_request_t)r,
 141                             "Failed to decode PA-S4U2Self");
 142         kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
 143         goto out;
 144     }
 145
 146     if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
 147         kdc_audit_addreason((kdc_request_t)r,
 148                             "PA-S4U2Self with unkeyed checksum");
 149         kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
 150         ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
 151         goto out;
 152     }
 153
 154     ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
 155     if (ret)
 156         goto out;
 157
 158     ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
 159     if (ret) {
 160         const char *msg = krb5_get_error_message(r->context, ret);
 161         krb5_data_free(&datack);
 162         kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
 163         krb5_free_error_message(r->context, msg);
 164         goto out;
 165     }
 166
 167     /* Allow HMAC_MD5 checksum with any key type */
 168     if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
 169         struct krb5_crypto_iov iov;
 170         unsigned char csdata[16];
 171         Checksum cs;
 172
 173         cs.checksum.length = sizeof(csdata);
 174         cs.checksum.data = &csdata;
 175
 176         iov.data.data = datack.data;
 177         iov.data.length = datack.length;
 178         iov.flags = KRB5_CRYPTO_TYPE_DATA;
 179
 180         ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
 181                                       KRB5_KU_OTHER_CKSUM, &iov, 1,
 182                                       &cs);
 183         if (ret == 0 &&
 184             krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
 185             ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 186     } else {
 187         ret = _kdc_verify_checksum(r->context,
 188                                    crypto,
 189                                    KRB5_KU_OTHER_CKSUM,
 190                                    &datack,
 191                                    &self.cksum);
 192     }
 193     krb5_data_free(&datack);
 194     krb5_crypto_destroy(r->context, crypto);
 195     if (ret) {
 196         const char *msg = krb5_get_error_message(r->context, ret);
 197         kdc_audit_addreason((kdc_request_t)r,
 198                             "S4U2Self checksum failed");
 199         kdc_log(r->context, r->config, 4,
 200                 "krb5_verify_checksum failed for S4U2Self: %s", msg);
 201         krb5_free_error_message(r->context, msg);
 202         goto out;
 203     }
 204
 205     ret = _krb5_principalname2krb5_principal(r->context,
 206                                              &s4u_client_name,
 207                                              self.name,
 208                                              self.realm);
 209     if (ret)
 210         goto out;
 211
 212     ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
 213     if (ret)
 214         goto out;
 215
 216     /*
 217      * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
 218      * is probably not desirable!
 219      */
 220     ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
 221                         HDB_F_GET_CLIENT | flags, NULL,
 222                         &s4u_clientdb, &s4u_client);
 223     if (ret) {
 224         const char *msg;
 225
 226         /*
 227          * If the client belongs to the same realm as our krbtgt, it
 228          * should exist in the local database.
 229          *
 230          */
 231         if (ret == HDB_ERR_NOENTRY)
 232             ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 233         msg = krb5_get_error_message(r->context, ret);
 234         kdc_audit_addreason((kdc_request_t)r,
 235                             "S4U2Self principal to impersonate not found");
 236         kdc_log(r->context, r->config, 2,
 237                 "S4U2Self principal to impersonate %s not found in database: %s",
 238                 s4ucname, msg);
 239         krb5_free_error_message(r->context, msg);
 240         goto out;
 241     }
 242
 243     /*
 244      * Ignore require_pwchange and pw_end attributes (as Windows does),
 245      * since S4U2Self is not password authentication.
 246      */
 247     s4u_client->flags.require_pwchange = FALSE;
 248     free(s4u_client->pw_end);
 249     s4u_client->pw_end = NULL;
 250
 251     ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
 252     if (ret)
 253         goto out; /* kdc_check_flags() calls kdc_audit_addreason() */
 254
 255     ret = _kdc_pac_generate(r,
 256                             s4u_client,
 257                             r->server,
 258                             NULL,
 259                             KRB5_PAC_WAS_GIVEN_IMPLICITLY,
 260                             &s4u_pac);
 261     if (ret) {
 262         kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
 263         goto out;
 264     }
 265
 266     /*
 267      * Check that service doing the impersonating is
 268      * requesting a ticket to it-self.
 269      */
 270     ret = _kdc_check_client_matches_target_service(r->context,
 271                                                    r->config,
 272                                                    r->clientdb,
 273                                                    r->client,
 274                                                    r->server,
 275                                                    r->server_princ);
 276     if (ret) {
 277         kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
 278                 "to impersonate to service "
 279                  "(tried for user %s to service %s)",
 280                  r->cname, s4ucname, r->sname);
 281         goto out;
 282     }
 283
 284     ret = krb5_copy_principal(r->context, s4u_client->principal,
 285                               &s4u_canon_client_name);
 286     if (ret)
 287         goto out;
 288
 289     /*
 290      * If the service isn't trusted for authentication to
 291      * delegation or if the impersonate client is disallowed
 292      * forwardable, remove the forwardable flag.
 293      */
 294     if (r->client->flags.trusted_for_delegation &&
 295         s4u_client->flags.forwardable) {
 296         str = " [forwardable]";
 297     } else {
 298         b->kdc_options.forwardable = 0;
 299         str = "";
 300     }
 301     kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
 302             "service %s%s", r->cname, s4ucname, r->sname, str);
 303
 304     /*
 305      * Replace all client information in the request with the
 306      * impersonated client. (The audit entry containing the original
 307      * client name will have been created before this point.)
 308      */
 309     _kdc_request_set_cname_nocopy((kdc_request_t)r, &s4ucname);
 310     _kdc_request_set_client_princ_nocopy(r, &s4u_client_name);
 311
 312     _kdc_free_ent(r->context, r->clientdb, r->client);
 313     r->client = s4u_client;
 314     s4u_client = NULL;
 315     r->clientdb = s4u_clientdb;
 316     s4u_clientdb = NULL;
 317
 318     _kdc_request_set_canon_client_princ_nocopy(r, &s4u_canon_client_name);
 319     _kdc_request_set_pac_nocopy(r, &s4u_pac);
 320
 321 out:
 322     if (s4u_client)
 323         _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
 324     krb5_free_principal(r->context, s4u_client_name);
 325     krb5_xfree(s4ucname);
 326     krb5_free_principal(r->context, s4u_canon_client_name);
 327     krb5_pac_free(r->context, s4u_pac);
 328
 329     free_PA_S4U2Self(&self);
 330
 331     return ret;
 332 }
 333
 334 /*
 335  * Validate a constrained delegation (S4U2Proxy) request. If present
 336  * and successfully validated then the client in the request structure
 337  * will be replaced with the client from the evidence ticket.
 338  */
 339
 340 static krb5_error_code
 341 validate_constrained_delegation(astgs_request_t r)
 342 {
 343     krb5_error_code ret;
 344     KDC_REQ_BODY *b = &r->req.req_body;
 345     int flags = HDB_F_FOR_TGS_REQ;
 346     krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
 347     krb5_principal s4u_canon_client_name = NULL;
 348     krb5_pac s4u_pac = NULL;
 349     uint64_t s4u_pac_attributes;
 350     char *s4ucname = NULL, *s4usname = NULL;
 351     EncTicketPart evidence_tkt;
 352     HDB *s4u_clientdb;
 353     hdb_entry *s4u_client = NULL;
 354     krb5_boolean ad_kdc_issued = FALSE;
 355     Key *clientkey;
 356     Ticket *t;
 357     krb5_const_realm local_realm;
 358
 359     if (r->client == NULL
 360         || b->additional_tickets == NULL
 361         || b->additional_tickets->len == 0
 362         || b->kdc_options.cname_in_addl_tkt == 0
 363         || b->kdc_options.enc_tkt_in_skey)
 364         return 0;
 365
 366     memset(&evidence_tkt, 0, sizeof(evidence_tkt));
 367     local_realm =
 368             krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
 369
 370     /*
 371      * We require that the service's TGT has a PAC; this will have been
 372      * validated prior to this function being called.
 373      */
 374     if (r->pac == NULL) {
 375         ret = KRB5KDC_ERR_BADOPTION;
 376         kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
 377         kdc_log(r->context, r->config, 4,
 378                 "Constrained delegation without PAC, %s/%s",
 379                 r->cname, r->sname);
 380         goto out;
 381     }
 382
 383     t = &b->additional_tickets->val[0];
 384
 385     ret = hdb_enctype2key(r->context, r->client,
 386                           hdb_kvno2keys(r->context, r->client,
 387                                         t->enc_part.kvno ? * t->enc_part.kvno : 0),
 388                           t->enc_part.etype, &clientkey);
 389     if (ret) {
 390         ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
 391         goto out;
 392     }
 393
 394     ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
 395     if (ret) {
 396         kdc_audit_addreason((kdc_request_t)r,
 397                             "Failed to decrypt constrained delegation ticket");
 398         kdc_log(r->context, r->config, 4,
 399                 "failed to decrypt ticket for "
 400                 "constrained delegation from %s to %s", r->cname, r->sname);
 401         goto out;
 402     }
 403
 404     ret = _krb5_principalname2krb5_principal(r->context,
 405                                              &s4u_client_name,
 406                                              evidence_tkt.cname,
 407                                              evidence_tkt.crealm);
 408     if (ret)
 409         goto out;
 410
 411     ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
 412     if (ret)
 413         goto out;
 414
 415     kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
 416
 417     ret = _krb5_principalname2krb5_principal(r->context,
 418                                              &s4u_server_name,
 419                                              t->sname,
 420                                              t->realm);
 421     if (ret)
 422         goto out;
 423
 424     ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
 425     if (ret)
 426         goto out;
 427
 428         /* check that ticket is valid */
 429     if (evidence_tkt.flags.forwardable == 0) {
 430         kdc_audit_addreason((kdc_request_t)r,
 431                             "Missing forwardable flag on ticket for constrained delegation");
 432         kdc_log(r->context, r->config, 4,
 433                 "Missing forwardable flag on ticket for "
 434                 "constrained delegation from %s (%s) as %s to %s ",
 435                 r->cname, s4usname, s4ucname, r->sname);
 436         ret = KRB5KDC_ERR_BADOPTION;
 437         goto out;
 438     }
 439
 440     ret = check_constrained_delegation(r->context, r->config, r->clientdb,
 441                                        r->client, r->server, r->server_princ);
 442     if (ret) {
 443         kdc_audit_addreason((kdc_request_t)r,
 444                             "Constrained delegation not allowed");
 445         kdc_log(r->context, r->config, 4,
 446                 "constrained delegation from %s (%s) as %s to %s not allowed",
 447                 r->cname, s4usname, s4ucname, r->sname);
 448         goto out;
 449     }
 450
 451     ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
 452     if (ret) {
 453         kdc_audit_addreason((kdc_request_t)r,
 454                             "Constrained delegation ticket expired or invalid");
 455         goto out;
 456     }
 457
 458     /* Try lookup the delegated client in DB */
 459     ret = _kdc_db_fetch_client(r->context, r->config, flags,
 460                                s4u_client_name, s4ucname, local_realm,
 461                                &s4u_clientdb, &s4u_client);
 462     if (ret)
 463         goto out;
 464
 465     if (s4u_client != NULL) {
 466         ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
 467         if (ret)
 468             goto out;
 469     }
 470
 471     /*
 472      * TODO: pass in t->sname and t->realm and build
 473      * a S4U_DELEGATION_INFO blob to the PAC.
 474      */
 475     ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name,
 476                          s4u_client, r->server, r->krbtgt, r->client,
 477                          &clientkey->key, &r->ticket_key->key, &evidence_tkt,
 478                          &ad_kdc_issued, &s4u_pac,
 479                          &s4u_canon_client_name, &s4u_pac_attributes);
 480     if (ret) {
 481         const char *msg = krb5_get_error_message(r->context, ret);
 482         kdc_audit_addreason((kdc_request_t)r,
 483                             "Constrained delegation ticket PAC check failed");
 484         kdc_log(r->context, r->config, 4,
 485                 "Verify delegated PAC failed to %s for client"
 486                 "%s (%s) as %s from %s with %s",
 487                 r->sname, r->cname, s4usname, s4ucname, r->from, msg);
 488         krb5_free_error_message(r->context, msg);
 489         goto out;
 490     }
 491
 492     if (s4u_pac == NULL || !ad_kdc_issued) {
 493         ret = KRB5KDC_ERR_BADOPTION;
 494         kdc_log(r->context, r->config, 4,
 495                 "Ticket not signed with PAC; service %s failed for "
 496                 "for delegation to %s for client %s (%s) from %s; (%s).",
 497                 r->sname, s4ucname, s4usname, r->cname, r->from,
 498                 s4u_pac ? "Ticket unsigned" : "No PAC");
 499         kdc_audit_addreason((kdc_request_t)r,
 500                             "Constrained delegation ticket not signed");
 501         goto out;
 502     }
 503
 504     /*
 505      * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
 506      * the canonical client name, but the user is local to our KDC, we
 507      * can insert the canonical client name ourselves.
 508      */
 509     if (s4u_canon_client_name == NULL && s4u_client != NULL) {
 510         ret = krb5_copy_principal(r->context, s4u_client->principal,
 511                                   &s4u_canon_client_name);
 512         if (ret)
 513             goto out;
 514     }
 515
 516     if (b->enc_authorization_data && r->rk_is_subkey == 0) {
 517         krb5_free_keyblock_contents(r->context, &r->enc_ad_key);
 518         ret = krb5_copy_keyblock_contents(r->context,
 519                                           &evidence_tkt.key,
 520                                           &r->enc_ad_key);
 521         if (ret)
 522             goto out;
 523     }
 524
 525     kdc_log(r->context, r->config, 4, "constrained delegation for %s "
 526             "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
 527
 528     /*
 529      * Replace all client information in the request with the
 530      * impersonated client. (The audit entry containing the original
 531      * client name will have been created before this point.)
 532      */
 533     _kdc_request_set_cname_nocopy((kdc_request_t)r, &s4ucname);
 534     _kdc_request_set_client_princ_nocopy(r, &s4u_client_name);
 535
 536     _kdc_free_ent(r->context, r->clientdb, r->client);
 537     r->client = s4u_client;
 538     s4u_client = NULL;
 539     r->clientdb = s4u_clientdb;
 540     s4u_clientdb = NULL;
 541
 542     _kdc_request_set_canon_client_princ_nocopy(r, &s4u_canon_client_name);
 543     _kdc_request_set_pac_nocopy(r, &s4u_pac);
 544
 545     r->pac_attributes = s4u_pac_attributes;
 546
 547     r->et.authtime = evidence_tkt.authtime;
 548
 549 out:
 550     if (s4u_client)
 551         _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
 552     krb5_free_principal(r->context, s4u_client_name);
 553     krb5_xfree(s4ucname);
 554     krb5_free_principal(r->context, s4u_server_name);
 555     krb5_xfree(s4usname);
 556     krb5_free_principal(r->context, s4u_canon_client_name);
 557     krb5_pac_free(r->context, s4u_pac);
 558
 559     free_EncTicketPart(&evidence_tkt);
 560
 561     return ret;
 562 }
 563
 564 /*
 565  *
 566  */
 567
 568 krb5_error_code
 569 _kdc_validate_services_for_user(astgs_request_t r)
 570 {
 571     krb5_error_code ret;
 572
 573     ret = validate_protocol_transition(r);
 574     if (ret == 0)
 575         ret = validate_constrained_delegation(r);
 576
 577     return ret;
 578 }