2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * [MS-SFU] Kerberos Protocol Extensions:
38 * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
39 * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
43 * Determine if constrained delegation is allowed from this client to this server
46 static krb5_error_code
47 check_constrained_delegation(krb5_context context,
48 krb5_kdc_configuration *config,
52 krb5_const_principal target)
54 const HDB_Ext_Constrained_delegation_acl *acl;
59 * constrained delegation (S4U2Proxy) only works within
60 * the same realm. We use the already canonicalized version
61 * of the principals here, while "target" is the principal
62 * provided by the client.
64 if (!krb5_realm_compare(context, client->entry.principal, server->entry.principal)) {
65 ret = KRB5KDC_ERR_BADOPTION;
66 kdc_log(context, config, 4,
67 "Bad request for constrained delegation");
71 if (clientdb->hdb_check_constrained_delegation) {
72 ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
76 /* if client delegates to itself, that ok */
77 if (krb5_principal_compare(context, client->entry.principal, server->entry.principal) == TRUE)
80 ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
82 krb5_clear_error_message(context);
87 for (i = 0; i < acl->len; i++) {
88 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
92 ret = KRB5KDC_ERR_BADOPTION;
94 kdc_log(context, config, 4,
95 "Bad request for constrained delegation");
100 update_client_names(astgs_request_t r,
102 krb5_principal *s4u_client_name,
103 hdb_entry_ex **s4u_client,
104 krb5_principal *s4u_canon_client_name,
107 krb5_xfree(r->cname);
108 r->cname = *s4ucname;
111 r->client_princ = *s4u_client_name;
112 *s4u_client_name = NULL;
114 _kdc_free_ent(r->context, r->client);
115 r->client = *s4u_client;
118 krb5_free_principal(r->context, r->canon_client_princ);
119 r->canon_client_princ = *s4u_canon_client_name;
120 *s4u_canon_client_name = NULL;
122 krb5_pac_free(r->context, r->pac);
128 * Validate a protocol transition (S4U2Self) request. If present and
129 * successfully validated then the client in the request structure
130 * will be replaced with the impersonated client.
133 static krb5_error_code
134 validate_protocol_transition(astgs_request_t r)
137 KDC_REQ_BODY *b = &r->req.req_body;
138 EncTicketPart *ticket = &r->ticket->ticket;
139 hdb_entry_ex *s4u_client = NULL;
141 int flags = HDB_F_FOR_TGS_REQ;
142 krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
143 krb5_pac s4u_pac = NULL;
144 const PA_DATA *sdata;
145 char *s4ucname = NULL;
152 if (r->client == NULL)
155 sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
159 memset(&self, 0, sizeof(self));
161 if (b->kdc_options.canonicalize)
162 flags |= HDB_F_CANON;
164 ret = decode_PA_S4U2Self(sdata->padata_value.data,
165 sdata->padata_value.length,
168 _kdc_audit_addreason((kdc_request_t)r,
169 "Failed to decode PA-S4U2Self");
170 kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
174 if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
175 _kdc_audit_addreason((kdc_request_t)r,
176 "PA-S4U2Self with unkeyed checksum");
177 kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
178 ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
182 ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
186 ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
188 const char *msg = krb5_get_error_message(r->context, ret);
189 krb5_data_free(&datack);
190 kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
191 krb5_free_error_message(r->context, msg);
195 /* Allow HMAC_MD5 checksum with any key type */
196 if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
197 struct krb5_crypto_iov iov;
198 unsigned char csdata[16];
201 cs.checksum.length = sizeof(csdata);
202 cs.checksum.data = &csdata;
204 iov.data.data = datack.data;
205 iov.data.length = datack.length;
206 iov.flags = KRB5_CRYPTO_TYPE_DATA;
208 ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
209 KRB5_KU_OTHER_CKSUM, &iov, 1,
212 krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
213 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
215 ret = _kdc_verify_checksum(r->context,
221 krb5_data_free(&datack);
222 krb5_crypto_destroy(r->context, crypto);
224 const char *msg = krb5_get_error_message(r->context, ret);
225 _kdc_audit_addreason((kdc_request_t)r,
226 "S4U2Self checksum failed");
227 kdc_log(r->context, r->config, 4,
228 "krb5_verify_checksum failed for S4U2Self: %s", msg);
229 krb5_free_error_message(r->context, msg);
233 ret = _krb5_principalname2krb5_principal(r->context,
240 ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
245 * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
246 * is probably not desirable!
248 ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
249 HDB_F_GET_CLIENT | flags, NULL,
250 &s4u_clientdb, &s4u_client);
255 * If the client belongs to the same realm as our krbtgt, it
256 * should exist in the local database.
259 if (ret == HDB_ERR_NOENTRY)
260 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
261 msg = krb5_get_error_message(r->context, ret);
262 _kdc_audit_addreason((kdc_request_t)r,
263 "S4U2Self principal to impersonate not found");
264 kdc_log(r->context, r->config, 2,
265 "S4U2Self principal to impersonate %s not found in database: %s",
267 krb5_free_error_message(r->context, msg);
272 * Ignore require_pwchange and pw_end attributes (as Windows does),
273 * since S4U2Self is not password authentication.
275 s4u_client->entry.flags.require_pwchange = FALSE;
276 free(s4u_client->entry.pw_end);
277 s4u_client->entry.pw_end = NULL;
279 ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
281 goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
283 ret = _kdc_pac_generate(r->context,
287 KRB5_PAC_WAS_GIVEN_IMPLICITLY,
290 kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
295 * Check that service doing the impersonating is
296 * requesting a ticket to it-self.
298 ret = _kdc_check_client_matches_target_service(r->context,
305 kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
306 "to impersonate to service "
307 "(tried for user %s to service %s)",
308 r->cname, s4ucname, r->sname);
312 ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
313 &s4u_canon_client_name);
318 * If the service isn't trusted for authentication to
319 * delegation or if the impersonate client is disallowed
320 * forwardable, remove the forwardable flag.
322 if (r->client->entry.flags.trusted_for_delegation &&
323 s4u_client->entry.flags.forwardable) {
324 str = "[forwardable]";
326 b->kdc_options.forwardable = 0;
329 kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
330 "service %s %s", r->cname, s4ucname, r->sname, str);
333 * Replace all client information in the request with the
334 * impersonated client. (The audit entry containing the original
335 * client name will have been created before this point.)
337 update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
338 &s4u_canon_client_name, &s4u_pac);
342 _kdc_free_ent(r->context, s4u_client);
343 krb5_free_principal(r->context, s4u_client_name);
344 krb5_xfree(s4ucname);
345 krb5_free_principal(r->context, s4u_canon_client_name);
346 krb5_pac_free(r->context, s4u_pac);
348 free_PA_S4U2Self(&self);
354 * Validate a constrained delegation (S4U2Proxy) request. If present
355 * and successfully validated then the client in the request structure
356 * will be replaced with the client from the evidence ticket.
359 static krb5_error_code
360 validate_constrained_delegation(astgs_request_t r)
363 KDC_REQ_BODY *b = &r->req.req_body;
364 int flags = HDB_F_FOR_TGS_REQ;
365 krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
366 krb5_principal s4u_canon_client_name = NULL;
367 krb5_pac s4u_pac = NULL;
368 uint64_t s4u_pac_attributes;
369 char *s4ucname = NULL, *s4usname = NULL;
370 EncTicketPart evidence_tkt;
371 hdb_entry_ex *s4u_client = NULL;
372 krb5_boolean ad_kdc_issued = FALSE;
375 krb5_const_realm local_realm;
377 if (r->client == NULL
378 || b->additional_tickets == NULL
379 || b->additional_tickets->len == 0
380 || b->kdc_options.cname_in_addl_tkt == 0
381 || b->kdc_options.enc_tkt_in_skey)
384 memset(&evidence_tkt, 0, sizeof(evidence_tkt));
386 krb5_principal_get_comp_string(r->context, r->krbtgt->entry.principal, 1);
389 * We require that the service's TGT has a PAC; this will have been
390 * validated prior to this function being called.
392 if (r->pac == NULL) {
393 ret = KRB5KDC_ERR_BADOPTION;
394 _kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
395 kdc_log(r->context, r->config, 4,
396 "Constrained delegation without PAC, %s/%s",
401 t = &b->additional_tickets->val[0];
403 ret = hdb_enctype2key(r->context, &r->client->entry,
404 hdb_kvno2keys(r->context, &r->client->entry,
405 t->enc_part.kvno ? * t->enc_part.kvno : 0),
406 t->enc_part.etype, &clientkey);
408 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
412 ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
414 _kdc_audit_addreason((kdc_request_t)r,
415 "Failed to decrypt constrained delegation ticket");
416 kdc_log(r->context, r->config, 4,
417 "failed to decrypt ticket for "
418 "constrained delegation from %s to %s ", r->cname, r->sname);
422 ret = _krb5_principalname2krb5_principal(r->context,
425 evidence_tkt.crealm);
429 ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
433 _kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
435 ret = _krb5_principalname2krb5_principal(r->context,
442 ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
446 /* check that ticket is valid */
447 if (evidence_tkt.flags.forwardable == 0) {
448 _kdc_audit_addreason((kdc_request_t)r,
449 "Missing forwardable flag on ticket for constrained delegation");
450 kdc_log(r->context, r->config, 4,
451 "Missing forwardable flag on ticket for "
452 "constrained delegation from %s (%s) as %s to %s ",
453 r->cname, s4usname, s4ucname, r->sname);
454 ret = KRB5KDC_ERR_BADOPTION;
458 ret = check_constrained_delegation(r->context, r->config, r->clientdb,
459 r->client, r->server, r->server_princ);
461 _kdc_audit_addreason((kdc_request_t)r,
462 "Constrained delegation not allowed");
463 kdc_log(r->context, r->config, 4,
464 "constrained delegation from %s (%s) as %s to %s not allowed",
465 r->cname, s4usname, s4ucname, r->sname);
469 ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
471 _kdc_audit_addreason((kdc_request_t)r,
472 "Constrained delegation ticket expired or invalid");
476 /* Try lookup the delegated client in DB */
477 ret = _kdc_db_fetch_client(r->context, r->config, flags,
478 s4u_client_name, s4ucname, local_realm,
483 if (s4u_client != NULL) {
484 ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
490 * TODO: pass in t->sname and t->realm and build
491 * a S4U_DELEGATION_INFO blob to the PAC.
493 ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
494 s4u_client, r->server, r->krbtgt, r->client,
495 &clientkey->key, &r->ticket_key->key, &evidence_tkt,
496 &ad_kdc_issued, &s4u_pac,
497 &s4u_canon_client_name, &s4u_pac_attributes);
499 const char *msg = krb5_get_error_message(r->context, ret);
500 _kdc_audit_addreason((kdc_request_t)r,
501 "Constrained delegation ticket PAC check failed");
502 kdc_log(r->context, r->config, 4,
503 "Verify delegated PAC failed to %s for client"
504 "%s (%s) as %s from %s with %s",
505 r->sname, r->cname, s4usname, s4ucname, r->from, msg);
506 krb5_free_error_message(r->context, msg);
510 if (s4u_pac == NULL || !ad_kdc_issued) {
511 ret = KRB5KDC_ERR_BADOPTION;
512 kdc_log(r->context, r->config, 4,
513 "Ticket not signed with PAC; service %s failed for "
514 "for delegation to %s for client %s (%s) from %s; (%s).",
515 r->sname, s4ucname, s4usname, r->cname, r->from,
516 s4u_pac ? "Ticket unsigned" : "No PAC");
517 _kdc_audit_addreason((kdc_request_t)r,
518 "Constrained delegation ticket not signed");
523 * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
524 * the canonical client name, but the user is local to our KDC, we
525 * can insert the canonical client name ourselves.
527 if (s4u_canon_client_name == NULL && s4u_client != NULL) {
528 ret = krb5_copy_principal(r->context, s4u_client->entry.principal,
529 &s4u_canon_client_name);
534 kdc_log(r->context, r->config, 4, "constrained delegation for %s "
535 "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
538 * Replace all client information in the request with the
539 * impersonated client. (The audit entry containing the original
540 * client name will have been created before this point.)
542 update_client_names(r, &s4ucname, &s4u_client_name, &s4u_client,
543 &s4u_canon_client_name, &s4u_pac);
544 r->pac_attributes = s4u_pac_attributes;
548 _kdc_free_ent(r->context, s4u_client);
549 krb5_free_principal(r->context, s4u_client_name);
550 krb5_xfree(s4ucname);
551 krb5_free_principal(r->context, s4u_server_name);
552 krb5_xfree(s4usname);
553 krb5_free_principal(r->context, s4u_canon_client_name);
554 krb5_pac_free(r->context, s4u_pac);
556 free_EncTicketPart(&evidence_tkt);
566 _kdc_validate_services_for_user(astgs_request_t r)
570 ret = validate_protocol_transition(r);
572 ret = validate_constrained_delegation(r);