git.samba.org / lorikeet-heimdal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
kdc: move Services for User implementation out of krb5tgs.c
[lorikeet-heimdal.git] / kdc / mssfu.c
1 /*
2  * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33
34 #include "kdc_locl.h"
35
36 /*
37  * [MS-SFU] Kerberos Protocol Extensions:
38  * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
39  * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
40  */
41
42 /*
43  * Determine if constrained delegation is allowed from this client to this server
44  */
45
46 static krb5_error_code
47 check_constrained_delegation(krb5_context context,
48                              krb5_kdc_configuration *config,
49                              HDB *clientdb,
50                              hdb_entry_ex *client,
51                              hdb_entry_ex *server,
52                              krb5_const_principal target)
53 {
54     const HDB_Ext_Constrained_delegation_acl *acl;
55     krb5_error_code ret;
56     size_t i;
57
58     /*
59      * constrained delegation (S4U2Proxy) only works within
60      * the same realm. We use the already canonicalized version
61      * of the principals here, while "target" is the principal
62      * provided by the client.
63      */
64     if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
65         ret = KRB5KDC_ERR_BADOPTION;
66         kdc_log(context, config, 4,
67             "Bad request for constrained delegation");
68         return ret;
69     }
70
71     if (clientdb->hdb_check_constrained_delegation) {
72         ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
73         if (ret == 0)
74             return 0;
75     } else {
76         /* if client delegates to itself, that ok */
77         if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
78             return 0;
79
80         ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
81         if (ret) {
82             krb5_clear_error_message(context);
83             return ret;
84         }
85
86         if (acl) {
87             for (i = 0; i < acl->len; i++) {
88                 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
89                     return 0;
90             }
91         }
92         ret = KRB5KDC_ERR_BADOPTION;
93     }
94     kdc_log(context, config, 4,
95             "Bad request for constrained delegation");
96     return ret;
97 }
98
99 static void
100 update_client_names(astgs_request_t r,
101                     char **s4ucname,
102                     krb5_principal *s4u_client_name,
103                     hdb_entry_ex **s4u_client,
104                     krb5_principal *s4u_canon_client_name,
105                     krb5_pac *s4u_pac)
106 {
107     krb5_xfree(r->cname);
108     r->cname = *s4ucname;
109     *s4ucname = NULL;
110
111     r->client_princ = *s4u_client_name;
112     *s4u_client_name = NULL;
113
114     _kdc_free_ent(r->context, r->client);
115     r->client = *s4u_client;
116     *s4u_client = NULL;
117
118     krb5_free_principal(r->context, r->canon_client_princ);
119     r->canon_client_princ = *s4u_canon_client_name;
120     *s4u_canon_client_name = NULL;
121
122     krb5_pac_free(r->context, r->pac);
123     r->pac = *s4u_pac;
124     *s4u_pac = NULL;
125 }
126
127 /*
128  * Validate a protocol transition (S4U2Self) request. If present and
129  * successfully validated then the client in the request structure
130  * will be replaced with the impersonated client.
131  */
132
133 static krb5_error_code
134 validate_protocol_transition(astgs_request_t r)
135 {
136     krb5_error_code ret;
137     KDC_REQ_BODY *b = &r->req.req_body;
138     EncTicketPart *ticket = &r->ticket->ticket;
139     hdb_entry_ex *s4u_client = NULL;
140     HDB *s4u_clientdb;
141     int flags = HDB_F_FOR_TGS_REQ;
142     krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
143     krb5_pac s4u_pac = NULL;
144     const PA_DATA *sdata;
145     char *s4ucname = NULL;
146     int i = 0;
147     krb5_crypto crypto;
148     krb5_data datack;
149     PA_S4U2Self self;
150     const char *str;
151
152     if (r->client == NULL)
153         return 0;
154
155     sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
156     if (sdata == NULL)
157         return 0;
158
159     memset(&self, 0, sizeof(self));
160
161     if (b->kdc_options.canonicalize)
162         flags |= HDB_F_CANON;
163
164     ret = decode_PA_S4U2Self(sdata->padata_value.data,
165                              sdata->padata_value.length,
166                              &self, NULL);
167     if (ret) {
168         _kdc_audit_addreason((kdc_request_t)r,
169                              "Failed to decode PA-S4U2Self");
170         kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
171         goto out;
172     }
173
174     if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
175         _kdc_audit_addreason((kdc_request_t)r,
176                              "PA-S4U2Self with unkeyed checksum");
177         kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
178         ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
179         goto out;
180     }
181
182     ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
183     if (ret)
184         goto out;
185
186     ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
187     if (ret) {
188         const char *msg = krb5_get_error_message(r->context, ret);
189         krb5_data_free(&datack);
190         kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
191         krb5_free_error_message(r->context, msg);
192         goto out;
193     }
194
195     /* Allow HMAC_MD5 checksum with any key type */
196     if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
197         struct krb5_crypto_iov iov;
198         unsigned char csdata[16];
199         Checksum cs;
200
201         cs.checksum.length = sizeof(csdata);
202         cs.checksum.data = &csdata;
203
204         iov.data.data = datack.data;
205         iov.data.length = datack.length;
206         iov.flags = KRB5_CRYPTO_TYPE_DATA;
207
208         ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
209                                       KRB5_KU_OTHER_CKSUM, &iov, 1,
210                                       &cs);
211         if (ret == 0 &&
212             krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
213             ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
214     } else {
215         ret = _kdc_verify_checksum(r->context,
216                                    crypto,
217                                    KRB5_KU_OTHER_CKSUM,
218                                    &datack,
219                                    &self.cksum);
220     }
221     krb5_data_free(&datack);
222     krb5_crypto_destroy(r->context, crypto);
223     if (ret) {
224         const char *msg = krb5_get_error_message(r->context, ret);
225         _kdc_audit_addreason((kdc_request_t)r,
226                              "S4U2Self checksum failed");
227         kdc_log(r->context, r->config, 4,
228                 "krb5_verify_checksum failed for S4U2Self: %s", msg);
229         krb5_free_error_message(r->context, msg);
230         goto out;
231     }
232
233     ret = _krb5_principalname2krb5_principal(r->context,
234                                              &s4u_client_name,
235                                              self.name,
236                                              self.realm);
237     if (ret)
238         goto out;
239
240     ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
241     if (ret)
242         goto out;
243
244     /*
245      * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
246      * is probably not desirable!
247      */
248     ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
249                         HDB_F_GET_CLIENT | flags, NULL,
250                         &s4u_clientdb, &s4u_client);
251     if (ret) {
252         const char *msg;
253
254         /*
255          * If the client belongs to the same realm as our krbtgt, it
256          * should exist in the local database.
257          *
258          */
259         if (ret == HDB_ERR_NOENTRY)
260             ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
261         msg = krb5_get_error_message(r->context, ret);
262         _kdc_audit_addreason((kdc_request_t)r,
263                              "S4U2Self principal to impersonate not found");
264         kdc_log(r->context, r->config, 2,
265                 "S4U2Self principal to impersonate %s not found in database: %s",
266                 s4ucname, msg);
267         krb5_free_error_message(r->context, msg);
268         goto out;
269     }
270
271     /*
272      * Ignore require_pwchange and pw_end attributes (as Windows does),
273      * since S4U2Self is not password authentication.
274      */
275     s4u_client->entry.flags.require_pwchange = FALSE;
276     free(s4u_client->entry.pw_end);
277     s4u_client->entry.pw_end = NULL;
278
279     ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
280     if (ret)
281         goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
282
283     ret = _kdc_pac_generate(r->context,
284                             s4u_client,
285                             r->server,
286                             NULL,
287                             KRB5_PAC_WAS_GIVEN_IMPLICITLY,
288                             &s4u_pac);
289     if (ret) {
290         kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
291         goto out;
292     }
293
294     /*
295      * Check that service doing the impersonating is
296      * requesting a ticket to it-self.
297      */
298     ret = _kdc_check_client_matches_target_service(r->context,
299                                                    r->config,
300                                                    r->clientdb,
301                                                    r->client,
302                                                    r->server,
303                                                    r->server_princ);
304     if (ret) {
305         kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
306                 "to impersonate to service "
307                  "(tried for user %s to service %s)",
308                  r->cname, s4ucname, r->sname);
309         goto out;
310     }
311
312     ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
313                               &s4u_canon_client_name);
314     if (ret)
315         goto out;
316
317     /*
318      * If the service isn't trusted for authentication to
319      * delegation or if the impersonate client is disallowed
320      * forwardable, remove the forwardable flag.
321      */
322     if (r->client->entry.flags.trusted_for_delegation &&
323         s4u_client->entry.flags.forwardable) {
324         str = "[forwardable]";
325     } else {
326         b->kdc_options.forwardable = 0;
327         str = "";
328     }
329     kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
330             "service %s %s", r->cname, s4ucname, r->sname, str);
331
332     /*
333      * Replace all client information in the request with the
334      * impersonated client. (The audit entry containing the original
335      * client name will have been created before this point.)
336      */
337     update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
338                         &s4u_canon_client_name, &s4u_pac);
339
340 out:
341     if (s4u_client)
342         _kdc_free_ent(r->context, s4u_client);
343     krb5_free_principal(r->context, s4u_client_name);
344     krb5_xfree(s4ucname);
345     krb5_free_principal(r->context, s4u_canon_client_name);
346     krb5_pac_free(r->context, s4u_pac);
347
348     free_PA_S4U2Self(&self);
349
350     return ret;
351 }
352
353 /*
354  * Validate a constrained delegation (S4U2Proxy) request. If present
355  * and successfully validated then the client in the request structure
356  * will be replaced with the client from the evidence ticket.
357  */
358
359 static krb5_error_code
360 validate_constrained_delegation(astgs_request_t r)
361 {
362     krb5_error_code ret;
363     KDC_REQ_BODY *b = &r->req.req_body;
364     int flags = HDB_F_FOR_TGS_REQ;
365     krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
366     krb5_principal s4u_canon_client_name = NULL;
367     krb5_pac s4u_pac = NULL;
368     uint64_t s4u_pac_attributes;
369     char *s4ucname = NULL, *s4usname = NULL;
370     EncTicketPart evidence_tkt;
371     hdb_entry_ex *s4u_client = NULL;
372     krb5_boolean ad_kdc_issued = FALSE;
373     Key *clientkey;
374     Ticket *t;
375     krb5_const_realm local_realm;
376
377     if (r->client == NULL
378         || b->additional_tickets == NULL
379         || b->additional_tickets->len == 0
380         || b->kdc_options.cname_in_addl_tkt == 0
381         || b->kdc_options.enc_tkt_in_skey)
382         return 0;
383
384     memset(&evidence_tkt, 0, sizeof(evidence_tkt));
385     local_realm =
386             krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1);
387
388     /*
389      * We require that the service's TGT has a PAC; this will have been
390      * validated prior to this function being called.
391      */
392     if (r->pac == NULL) {
393         ret = KRB5KDC_ERR_BADOPTION;
394         _kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
395         kdc_log(r->context, r->config, 4,
396                 "Constrained delegation without PAC, %s/%s",
397                 r->cname, r->sname);
398         goto out;
399     }
400
401     t = &b->additional_tickets->val[0];
402
403     ret = hdb_enctype2key(r->context, &r->client->entry,
404                           hdb_kvno2keys(r->context, &r->client->entry,
405                                         t->enc_part.kvno ? * t->enc_part.kvno : 0),
406                           t->enc_part.etype, &clientkey);
407     if (ret) {
408         ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
409         goto out;
410     }
411
412     ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
413     if (ret) {
414         _kdc_audit_addreason((kdc_request_t)r,
415                              "Failed to decrypt constrained delegation ticket");
416         kdc_log(r->context, r->config, 4,
417                 "failed to decrypt ticket for "
418                 "constrained delegation from %s to %s ", r->cname, r->sname);
419         goto out;
420     }
421
422     ret = _krb5_principalname2krb5_principal(r->context,
423                                              &s4u_client_name,
424                                              evidence_tkt.cname,
425                                              evidence_tkt.crealm);
426     if (ret)
427         goto out;
428
429     ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
430     if (ret)
431         goto out;
432
433     _kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
434
435     ret = _krb5_principalname2krb5_principal(r->context,
436                                              &s4u_server_name,
437                                              t->sname,
438                                              t->realm);
439     if (ret)
440         goto out;
441
442     ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
443     if (ret)
444         goto out;
445
446         /* check that ticket is valid */
447     if (evidence_tkt.flags.forwardable == 0) {
448         _kdc_audit_addreason((kdc_request_t)r,
449                              "Missing forwardable flag on ticket for constrained delegation");
450         kdc_log(r->context, r->config, 4,
451                 "Missing forwardable flag on ticket for "
452                 "constrained delegation from %s (%s) as %s to %s ",
453                 r->cname, s4usname, s4ucname, r->sname);
454         ret = KRB5KDC_ERR_BADOPTION;
455         goto out;
456     }
457
458     ret = check_constrained_delegation(r->context, r->config, r->clientdb,
459                                        r->client, r->server, r->server_princ);
460     if (ret) {
461         _kdc_audit_addreason((kdc_request_t)r,
462                              "Constrained delegation not allowed");
463         kdc_log(r->context, r->config, 4,
464                 "constrained delegation from %s (%s) as %s to %s not allowed",
465                 r->cname, s4usname, s4ucname, r->sname);
466         goto out;
467     }
468
469     ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
470     if (ret) {
471         _kdc_audit_addreason((kdc_request_t)r,
472                              "Constrained delegation ticket expired or invalid");
473         goto out;
474     }
475
476     /* Try lookup the delegated client in DB */
477     ret = _kdc_db_fetch_client(r->context, r->config, flags,
478                                s4u_client_name, s4ucname, local_realm,
479                                NULL, &s4u_client);
480     if (ret)
481         goto out;
482
483     if (s4u_client != NULL) {
484         ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
485         if (ret)
486             goto out;
487     }
488
489     /*
490      * TODO: pass in t->sname and t->realm and build
491      * a S4U_DELEGATION_INFO blob to the PAC.
492      */
493     ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
494                          s4u_client, r->server, r->krbtgt, r->client,
495                          &clientkey->key, &r->ticket_key->key, &evidence_tkt,
496                          &ad_kdc_issued, &s4u_pac,
497                          &s4u_canon_client_name, &s4u_pac_attributes);
498     if (ret) {
499         const char *msg = krb5_get_error_message(r->context, ret);
500         _kdc_audit_addreason((kdc_request_t)r,
501                                  "Constrained delegation ticket PAC check failed");
502         kdc_log(r->context, r->config, 4,
503                 "Verify delegated PAC failed to %s for client"
504                 "%s (%s) as %s from %s with %s",
505                 r->sname, r->cname, s4usname, s4ucname, r->from, msg);
506         krb5_free_error_message(r->context, msg);
507         goto out;
508     }
509
510     if (s4u_pac == NULL || !ad_kdc_issued) {
511         ret = KRB5KDC_ERR_BADOPTION;
512         kdc_log(r->context, r->config, 4,
513                 "Ticket not signed with PAC; service %s failed for "
514                 "for delegation to %s for client %s (%s) from %s; (%s).",
515                 r->sname, s4ucname, s4usname, r->cname, r->from,
516                 s4u_pac ? "Ticket unsigned" : "No PAC");
517         _kdc_audit_addreason((kdc_request_t)r,
518                              "Constrained delegation ticket not signed");
519         goto out;
520     }
521
522     /*
523      * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
524      * the canonical client name, but the user is local to our KDC, we
525      * can insert the canonical client name ourselves.
526      */
527     if (s4u_canon_client_name == NULL && s4u_client != NULL) {
528         ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
529                                   &s4u_canon_client_name);
530         if (ret)
531             goto out;
532     }
533
534     kdc_log(r->context, r->config, 4, "constrained delegation for %s "
535             "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
536
537     /*
538      * Replace all client information in the request with the
539      * impersonated client. (The audit entry containing the original
540      * client name will have been created before this point.)
541      */
542     update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
543                         &s4u_canon_client_name, &s4u_pac);
544     r->pac_attributes = s4u_pac_attributes;
545
546 out:
547     if (s4u_client)
548         _kdc_free_ent(r->context, s4u_client);
549     krb5_free_principal(r->context, s4u_client_name);
550     krb5_xfree(s4ucname);
551     krb5_free_principal(r->context, s4u_server_name);
552     krb5_xfree(s4usname);
553     krb5_free_principal(r->context, s4u_canon_client_name);
554     krb5_pac_free(r->context, s4u_pac);
555
556     free_EncTicketPart(&evidence_tkt);
557
558     return ret;
559 }
560
561 /*
562  *
563  */
564
565 krb5_error_code
566 _kdc_validate_services_for_user(astgs_request_t r)
567 {
568     krb5_error_code ret;
569
570     ret = validate_protocol_transition(r);
571     if (ret == 0)
572         ret = validate_constrained_delegation(r);
573
574     return ret;
575 }
Lorikeet-Heimal