kdc/mssfu.c

   1 /*
   2  * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kdc_locl.h"
  35
  36 /*
  37  * [MS-SFU] Kerberos Protocol Extensions:
  38  * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
  39  * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
  40  */
  41
  42 /*
  43  * Determine if constrained delegation is allowed from this client to this server
  44  */
  45
  46 static krb5_error_code
  47 check_constrained_delegation(krb5_context context,
  48                              krb5_kdc_configuration *config,
  49                              HDB *clientdb,
  50                              hdb_entry *client,
  51                              hdb_entry *server,
  52                              krb5_const_principal target)
  53 {
  54     const HDB_Ext_Constrained_delegation_acl *acl;
  55     krb5_error_code ret;
  56     size_t i;
  57
  58     /*
  59      * constrained delegation (S4U2Proxy) only works within
  60      * the same realm. We use the already canonicalized version
  61      * of the principals here, while "target" is the principal
  62      * provided by the client.
  63      */
  64     if (!krb5_realm_compare(context, client->principal, server->principal)) {
  65         ret = KRB5KDC_ERR_BADOPTION;
  66         kdc_log(context, config, 4,
  67             "Bad request for constrained delegation");
  68         return ret;
  69     }
  70
  71     if (clientdb->hdb_check_constrained_delegation) {
  72         ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
  73         if (ret == 0)
  74             return 0;
  75     } else {
  76         /* if client delegates to itself, that ok */
  77         if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
  78             return 0;
  79
  80         ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
  81         if (ret) {
  82             krb5_clear_error_message(context);
  83             return ret;
  84         }
  85
  86         if (acl) {
  87             for (i = 0; i < acl->len; i++) {
  88                 if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
  89                     return 0;
  90             }
  91         }
  92         ret = KRB5KDC_ERR_BADOPTION;
  93     }
  94     kdc_log(context, config, 4,
  95             "Bad request for constrained delegation");
  96     return ret;
  97 }
  98
  99 static void
 100 update_client_names(astgs_request_t r,
 101                     char **s4ucname,
 102                     krb5_principal *s4u_client_name,
 103                     HDB **s4u_clientdb,
 104                     hdb_entry **s4u_client,
 105                     krb5_principal *s4u_canon_client_name,
 106                     krb5_pac *s4u_pac)
 107 {
 108     krb5_xfree(r->cname);
 109     r->cname = *s4ucname;
 110     *s4ucname = NULL;
 111
 112     r->client_princ = *s4u_client_name;
 113     *s4u_client_name = NULL;
 114
 115     _kdc_free_ent(r->context, r->clientdb, r->client);
 116     r->client = *s4u_client;
 117     *s4u_client = NULL;
 118     r->clientdb = *s4u_clientdb;
 119     *s4u_clientdb = NULL;
 120
 121     krb5_free_principal(r->context, r->canon_client_princ);
 122     r->canon_client_princ = *s4u_canon_client_name;
 123     *s4u_canon_client_name = NULL;
 124
 125     krb5_pac_free(r->context, r->pac);
 126     r->pac = *s4u_pac;
 127     *s4u_pac = NULL;
 128 }
 129
 130 /*
 131  * Validate a protocol transition (S4U2Self) request. If present and
 132  * successfully validated then the client in the request structure
 133  * will be replaced with the impersonated client.
 134  */
 135
 136 static krb5_error_code
 137 validate_protocol_transition(astgs_request_t r)
 138 {
 139     krb5_error_code ret;
 140     KDC_REQ_BODY *b = &r->req.req_body;
 141     EncTicketPart *ticket = &r->ticket->ticket;
 142     hdb_entry *s4u_client = NULL;
 143     HDB *s4u_clientdb;
 144     int flags = HDB_F_FOR_TGS_REQ;
 145     krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
 146     krb5_pac s4u_pac = NULL;
 147     const PA_DATA *sdata;
 148     char *s4ucname = NULL;
 149     int i = 0;
 150     krb5_crypto crypto;
 151     krb5_data datack;
 152     PA_S4U2Self self;
 153     const char *str;
 154
 155     if (r->client == NULL)
 156         return 0;
 157
 158     sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
 159     if (sdata == NULL)
 160         return 0;
 161
 162     memset(&self, 0, sizeof(self));
 163
 164     if (b->kdc_options.canonicalize)
 165         flags |= HDB_F_CANON;
 166
 167     ret = decode_PA_S4U2Self(sdata->padata_value.data,
 168                              sdata->padata_value.length,
 169                              &self, NULL);
 170     if (ret) {
 171         kdc_audit_addreason((kdc_request_t)r,
 172                             "Failed to decode PA-S4U2Self");
 173         kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
 174         goto out;
 175     }
 176
 177     if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
 178         kdc_audit_addreason((kdc_request_t)r,
 179                             "PA-S4U2Self with unkeyed checksum");
 180         kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
 181         ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
 182         goto out;
 183     }
 184
 185     ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
 186     if (ret)
 187         goto out;
 188
 189     ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
 190     if (ret) {
 191         const char *msg = krb5_get_error_message(r->context, ret);
 192         krb5_data_free(&datack);
 193         kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
 194         krb5_free_error_message(r->context, msg);
 195         goto out;
 196     }
 197
 198     /* Allow HMAC_MD5 checksum with any key type */
 199     if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
 200         struct krb5_crypto_iov iov;
 201         unsigned char csdata[16];
 202         Checksum cs;
 203
 204         cs.checksum.length = sizeof(csdata);
 205         cs.checksum.data = &csdata;
 206
 207         iov.data.data = datack.data;
 208         iov.data.length = datack.length;
 209         iov.flags = KRB5_CRYPTO_TYPE_DATA;
 210
 211         ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
 212                                       KRB5_KU_OTHER_CKSUM, &iov, 1,
 213                                       &cs);
 214         if (ret == 0 &&
 215             krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
 216             ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 217     } else {
 218         ret = _kdc_verify_checksum(r->context,
 219                                    crypto,
 220                                    KRB5_KU_OTHER_CKSUM,
 221                                    &datack,
 222                                    &self.cksum);
 223     }
 224     krb5_data_free(&datack);
 225     krb5_crypto_destroy(r->context, crypto);
 226     if (ret) {
 227         const char *msg = krb5_get_error_message(r->context, ret);
 228         kdc_audit_addreason((kdc_request_t)r,
 229                             "S4U2Self checksum failed");
 230         kdc_log(r->context, r->config, 4,
 231                 "krb5_verify_checksum failed for S4U2Self: %s", msg);
 232         krb5_free_error_message(r->context, msg);
 233         goto out;
 234     }
 235
 236     ret = _krb5_principalname2krb5_principal(r->context,
 237                                              &s4u_client_name,
 238                                              self.name,
 239                                              self.realm);
 240     if (ret)
 241         goto out;
 242
 243     ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
 244     if (ret)
 245         goto out;
 246
 247     /*
 248      * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
 249      * is probably not desirable!
 250      */
 251     ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
 252                         HDB_F_GET_CLIENT | flags, NULL,
 253                         &s4u_clientdb, &s4u_client);
 254     if (ret) {
 255         const char *msg;
 256
 257         /*
 258          * If the client belongs to the same realm as our krbtgt, it
 259          * should exist in the local database.
 260          *
 261          */
 262         if (ret == HDB_ERR_NOENTRY)
 263             ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 264         msg = krb5_get_error_message(r->context, ret);
 265         kdc_audit_addreason((kdc_request_t)r,
 266                             "S4U2Self principal to impersonate not found");
 267         kdc_log(r->context, r->config, 2,
 268                 "S4U2Self principal to impersonate %s not found in database: %s",
 269                 s4ucname, msg);
 270         krb5_free_error_message(r->context, msg);
 271         goto out;
 272     }
 273
 274     /*
 275      * Ignore require_pwchange and pw_end attributes (as Windows does),
 276      * since S4U2Self is not password authentication.
 277      */
 278     s4u_client->flags.require_pwchange = FALSE;
 279     free(s4u_client->pw_end);
 280     s4u_client->pw_end = NULL;
 281
 282     ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
 283     if (ret)
 284         goto out; /* kdc_check_flags() calls kdc_audit_addreason() */
 285
 286     ret = _kdc_pac_generate(r->context,
 287                             r->config,
 288                             s4u_client,
 289                             r->server,
 290                             NULL,
 291                             KRB5_PAC_WAS_GIVEN_IMPLICITLY,
 292                             &s4u_pac);
 293     if (ret) {
 294         kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
 295         goto out;
 296     }
 297
 298     /*
 299      * Check that service doing the impersonating is
 300      * requesting a ticket to it-self.
 301      */
 302     ret = _kdc_check_client_matches_target_service(r->context,
 303                                                    r->config,
 304                                                    r->clientdb,
 305                                                    r->client,
 306                                                    r->server,
 307                                                    r->server_princ);
 308     if (ret) {
 309         kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
 310                 "to impersonate to service "
 311                  "(tried for user %s to service %s)",
 312                  r->cname, s4ucname, r->sname);
 313         goto out;
 314     }
 315
 316     ret = krb5_copy_principal(r->context, s4u_client->principal,
 317                               &s4u_canon_client_name);
 318     if (ret)
 319         goto out;
 320
 321     /*
 322      * If the service isn't trusted for authentication to
 323      * delegation or if the impersonate client is disallowed
 324      * forwardable, remove the forwardable flag.
 325      */
 326     if (r->client->flags.trusted_for_delegation &&
 327         s4u_client->flags.forwardable) {
 328         str = "[forwardable]";
 329     } else {
 330         b->kdc_options.forwardable = 0;
 331         str = "";
 332     }
 333     kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
 334             "service %s %s", r->cname, s4ucname, r->sname, str);
 335
 336     /*
 337      * Replace all client information in the request with the
 338      * impersonated client. (The audit entry containing the original
 339      * client name will have been created before this point.)
 340      */
 341     update_client_names(r, &s4ucname, &s4u_client_name,
 342                         &s4u_clientdb, &s4u_client,
 343                         &s4u_canon_client_name, &s4u_pac);
 344
 345 out:
 346     if (s4u_client)
 347         _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
 348     krb5_free_principal(r->context, s4u_client_name);
 349     krb5_xfree(s4ucname);
 350     krb5_free_principal(r->context, s4u_canon_client_name);
 351     krb5_pac_free(r->context, s4u_pac);
 352
 353     free_PA_S4U2Self(&self);
 354
 355     return ret;
 356 }
 357
 358 /*
 359  * Validate a constrained delegation (S4U2Proxy) request. If present
 360  * and successfully validated then the client in the request structure
 361  * will be replaced with the client from the evidence ticket.
 362  */
 363
 364 static krb5_error_code
 365 validate_constrained_delegation(astgs_request_t r)
 366 {
 367     krb5_error_code ret;
 368     KDC_REQ_BODY *b = &r->req.req_body;
 369     int flags = HDB_F_FOR_TGS_REQ;
 370     krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
 371     krb5_principal s4u_canon_client_name = NULL;
 372     krb5_pac s4u_pac = NULL;
 373     uint64_t s4u_pac_attributes;
 374     char *s4ucname = NULL, *s4usname = NULL;
 375     EncTicketPart evidence_tkt;
 376     HDB *s4u_clientdb;
 377     hdb_entry *s4u_client = NULL;
 378     krb5_boolean ad_kdc_issued = FALSE;
 379     Key *clientkey;
 380     Ticket *t;
 381     krb5_const_realm local_realm;
 382
 383     if (r->client == NULL
 384         || b->additional_tickets == NULL
 385         || b->additional_tickets->len == 0
 386         || b->kdc_options.cname_in_addl_tkt == 0
 387         || b->kdc_options.enc_tkt_in_skey)
 388         return 0;
 389
 390     memset(&evidence_tkt, 0, sizeof(evidence_tkt));
 391     local_realm =
 392             krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
 393
 394     /*
 395      * We require that the service's TGT has a PAC; this will have been
 396      * validated prior to this function being called.
 397      */
 398     if (r->pac == NULL) {
 399         ret = KRB5KDC_ERR_BADOPTION;
 400         kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
 401         kdc_log(r->context, r->config, 4,
 402                 "Constrained delegation without PAC, %s/%s",
 403                 r->cname, r->sname);
 404         goto out;
 405     }
 406
 407     t = &b->additional_tickets->val[0];
 408
 409     ret = hdb_enctype2key(r->context, r->client,
 410                           hdb_kvno2keys(r->context, r->client,
 411                                         t->enc_part.kvno ? * t->enc_part.kvno : 0),
 412                           t->enc_part.etype, &clientkey);
 413     if (ret) {
 414         ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
 415         goto out;
 416     }
 417
 418     ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
 419     if (ret) {
 420         kdc_audit_addreason((kdc_request_t)r,
 421                             "Failed to decrypt constrained delegation ticket");
 422         kdc_log(r->context, r->config, 4,
 423                 "failed to decrypt ticket for "
 424                 "constrained delegation from %s to %s ", r->cname, r->sname);
 425         goto out;
 426     }
 427
 428     ret = _krb5_principalname2krb5_principal(r->context,
 429                                              &s4u_client_name,
 430                                              evidence_tkt.cname,
 431                                              evidence_tkt.crealm);
 432     if (ret)
 433         goto out;
 434
 435     ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
 436     if (ret)
 437         goto out;
 438
 439     kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
 440
 441     ret = _krb5_principalname2krb5_principal(r->context,
 442                                              &s4u_server_name,
 443                                              t->sname,
 444                                              t->realm);
 445     if (ret)
 446         goto out;
 447
 448     ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
 449     if (ret)
 450         goto out;
 451
 452         /* check that ticket is valid */
 453     if (evidence_tkt.flags.forwardable == 0) {
 454         kdc_audit_addreason((kdc_request_t)r,
 455                             "Missing forwardable flag on ticket for constrained delegation");
 456         kdc_log(r->context, r->config, 4,
 457                 "Missing forwardable flag on ticket for "
 458                 "constrained delegation from %s (%s) as %s to %s ",
 459                 r->cname, s4usname, s4ucname, r->sname);
 460         ret = KRB5KDC_ERR_BADOPTION;
 461         goto out;
 462     }
 463
 464     ret = check_constrained_delegation(r->context, r->config, r->clientdb,
 465                                        r->client, r->server, r->server_princ);
 466     if (ret) {
 467         kdc_audit_addreason((kdc_request_t)r,
 468                             "Constrained delegation not allowed");
 469         kdc_log(r->context, r->config, 4,
 470                 "constrained delegation from %s (%s) as %s to %s not allowed",
 471                 r->cname, s4usname, s4ucname, r->sname);
 472         goto out;
 473     }
 474
 475     ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
 476     if (ret) {
 477         kdc_audit_addreason((kdc_request_t)r,
 478                             "Constrained delegation ticket expired or invalid");
 479         goto out;
 480     }
 481
 482     /* Try lookup the delegated client in DB */
 483     ret = _kdc_db_fetch_client(r->context, r->config, flags,
 484                                s4u_client_name, s4ucname, local_realm,
 485                                &s4u_clientdb, &s4u_client);
 486     if (ret)
 487         goto out;
 488
 489     if (s4u_client != NULL) {
 490         ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
 491         if (ret)
 492             goto out;
 493     }
 494
 495     /*
 496      * TODO: pass in t->sname and t->realm and build
 497      * a S4U_DELEGATION_INFO blob to the PAC.
 498      */
 499     ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
 500                          s4u_client, r->server, r->krbtgt, r->client,
 501                          &clientkey->key, &r->ticket_key->key, &evidence_tkt,
 502                          &ad_kdc_issued, &s4u_pac,
 503                          &s4u_canon_client_name, &s4u_pac_attributes);
 504     if (ret) {
 505         const char *msg = krb5_get_error_message(r->context, ret);
 506         kdc_audit_addreason((kdc_request_t)r,
 507                             "Constrained delegation ticket PAC check failed");
 508         kdc_log(r->context, r->config, 4,
 509                 "Verify delegated PAC failed to %s for client"
 510                 "%s (%s) as %s from %s with %s",
 511                 r->sname, r->cname, s4usname, s4ucname, r->from, msg);
 512         krb5_free_error_message(r->context, msg);
 513         goto out;
 514     }
 515
 516     if (s4u_pac == NULL || !ad_kdc_issued) {
 517         ret = KRB5KDC_ERR_BADOPTION;
 518         kdc_log(r->context, r->config, 4,
 519                 "Ticket not signed with PAC; service %s failed for "
 520                 "for delegation to %s for client %s (%s) from %s; (%s).",
 521                 r->sname, s4ucname, s4usname, r->cname, r->from,
 522                 s4u_pac ? "Ticket unsigned" : "No PAC");
 523         kdc_audit_addreason((kdc_request_t)r,
 524                             "Constrained delegation ticket not signed");
 525         goto out;
 526     }
 527
 528     /*
 529      * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
 530      * the canonical client name, but the user is local to our KDC, we
 531      * can insert the canonical client name ourselves.
 532      */
 533     if (s4u_canon_client_name == NULL && s4u_client != NULL) {
 534         ret = krb5_copy_principal(r->context, s4u_client->principal,
 535                                   &s4u_canon_client_name);
 536         if (ret)
 537             goto out;
 538     }
 539
 540     kdc_log(r->context, r->config, 4, "constrained delegation for %s "
 541             "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
 542
 543     /*
 544      * Replace all client information in the request with the
 545      * impersonated client. (The audit entry containing the original
 546      * client name will have been created before this point.)
 547      */
 548     update_client_names(r, &s4ucname, &s4u_client_name,
 549                         &s4u_clientdb, &s4u_client,
 550                         &s4u_canon_client_name, &s4u_pac);
 551     r->pac_attributes = s4u_pac_attributes;
 552
 553 out:
 554     if (s4u_client)
 555         _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
 556     krb5_free_principal(r->context, s4u_client_name);
 557     krb5_xfree(s4ucname);
 558     krb5_free_principal(r->context, s4u_server_name);
 559     krb5_xfree(s4usname);
 560     krb5_free_principal(r->context, s4u_canon_client_name);
 561     krb5_pac_free(r->context, s4u_pac);
 562
 563     free_EncTicketPart(&evidence_tkt);
 564
 565     return ret;
 566 }
 567
 568 /*
 569  *
 570  */
 571
 572 krb5_error_code
 573 _kdc_validate_services_for_user(astgs_request_t r)
 574 {
 575     krb5_error_code ret;
 576
 577     ret = validate_protocol_transition(r);
 578     if (ret == 0)
 579         ret = validate_constrained_delegation(r);
 580
 581     return ret;
 582 }