Line data Source code
1 : /*
2 : * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #include "kdc_locl.h"
35 :
36 : /*
37 : * [MS-SFU] Kerberos Protocol Extensions:
38 : * Service for User (S4U2Self) and Constrained Delegation Protocol (S4U2Proxy)
39 : * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
40 : */
41 :
42 : /*
43 : * Determine if constrained delegation is allowed from this client to this server
44 : */
45 :
46 : static krb5_error_code
47 110 : check_constrained_delegation(krb5_context context,
48 : krb5_kdc_configuration *config,
49 : HDB *clientdb,
50 : hdb_entry *client,
51 : hdb_entry *server,
52 : krb5_const_principal target)
53 : {
54 : const HDB_Ext_Constrained_delegation_acl *acl;
55 : krb5_error_code ret;
56 : size_t i;
57 :
58 : /*
59 : * constrained delegation (S4U2Proxy) only works within
60 : * the same realm. We use the already canonicalized version
61 : * of the principals here, while "target" is the principal
62 : * provided by the client.
63 : */
64 110 : if (!krb5_realm_compare(context, client->principal, server->principal)) {
65 0 : ret = KRB5KDC_ERR_BADOPTION;
66 0 : kdc_log(context, config, 4,
67 : "Bad request for constrained delegation");
68 0 : return ret;
69 : }
70 :
71 110 : if (clientdb->hdb_check_constrained_delegation) {
72 110 : ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, target);
73 110 : if (ret == 0)
74 94 : return 0;
75 : } else {
76 : /* if client delegates to itself, that ok */
77 0 : if (krb5_principal_compare(context, client->principal, server->principal) == TRUE)
78 0 : return 0;
79 :
80 0 : ret = hdb_entry_get_ConstrainedDelegACL(client, &acl);
81 0 : if (ret) {
82 0 : krb5_clear_error_message(context);
83 0 : return ret;
84 : }
85 :
86 0 : if (acl) {
87 0 : for (i = 0; i < acl->len; i++) {
88 0 : if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
89 0 : return 0;
90 : }
91 : }
92 0 : ret = KRB5KDC_ERR_BADOPTION;
93 : }
94 16 : kdc_log(context, config, 4,
95 : "Bad request for constrained delegation");
96 16 : return ret;
97 : }
98 :
99 : /*
100 : * Validate a protocol transition (S4U2Self) request. If present and
101 : * successfully validated then the client in the request structure
102 : * will be replaced with the impersonated client.
103 : */
104 :
105 : static krb5_error_code
106 35964 : validate_protocol_transition(astgs_request_t r)
107 : {
108 : krb5_error_code ret;
109 35964 : KDC_REQ_BODY *b = &r->req.req_body;
110 35964 : EncTicketPart *ticket = &r->ticket->ticket;
111 35964 : hdb_entry *s4u_client = NULL;
112 : HDB *s4u_clientdb;
113 35964 : int flags = HDB_F_FOR_TGS_REQ;
114 35964 : krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
115 35964 : krb5_pac s4u_pac = NULL;
116 : const PA_DATA *sdata;
117 35964 : char *s4ucname = NULL;
118 35964 : int i = 0;
119 : krb5_crypto crypto;
120 : krb5_data datack;
121 : PA_S4U2Self self;
122 : const char *str;
123 :
124 35964 : if (r->client == NULL)
125 48 : return 0;
126 :
127 35916 : sdata = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FOR_USER);
128 35916 : if (sdata == NULL)
129 35274 : return 0;
130 :
131 642 : memset(&self, 0, sizeof(self));
132 :
133 642 : if (b->kdc_options.canonicalize)
134 576 : flags |= HDB_F_CANON;
135 :
136 642 : ret = decode_PA_S4U2Self(sdata->padata_value.data,
137 : sdata->padata_value.length,
138 : &self, NULL);
139 642 : if (ret) {
140 0 : kdc_audit_addreason((kdc_request_t)r,
141 : "Failed to decode PA-S4U2Self");
142 0 : kdc_log(r->context, r->config, 4, "Failed to decode PA-S4U2Self");
143 0 : goto out;
144 : }
145 :
146 642 : if (!krb5_checksum_is_keyed(r->context, self.cksum.cksumtype)) {
147 4 : kdc_audit_addreason((kdc_request_t)r,
148 : "PA-S4U2Self with unkeyed checksum");
149 4 : kdc_log(r->context, r->config, 4, "Reject PA-S4U2Self with unkeyed checksum");
150 4 : ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
151 4 : goto out;
152 : }
153 :
154 638 : ret = _krb5_s4u2self_to_checksumdata(r->context, &self, &datack);
155 638 : if (ret)
156 0 : goto out;
157 :
158 638 : ret = krb5_crypto_init(r->context, &ticket->key, 0, &crypto);
159 638 : if (ret) {
160 0 : const char *msg = krb5_get_error_message(r->context, ret);
161 0 : krb5_data_free(&datack);
162 0 : kdc_log(r->context, r->config, 4, "krb5_crypto_init failed: %s", msg);
163 0 : krb5_free_error_message(r->context, msg);
164 0 : goto out;
165 : }
166 :
167 : /* Allow HMAC_MD5 checksum with any key type */
168 638 : if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
169 : struct krb5_crypto_iov iov;
170 : unsigned char csdata[16];
171 : Checksum cs;
172 :
173 123 : cs.checksum.length = sizeof(csdata);
174 123 : cs.checksum.data = &csdata;
175 :
176 123 : iov.data.data = datack.data;
177 123 : iov.data.length = datack.length;
178 123 : iov.flags = KRB5_CRYPTO_TYPE_DATA;
179 :
180 123 : ret = _krb5_HMAC_MD5_checksum(r->context, NULL, &crypto->key,
181 : KRB5_KU_OTHER_CKSUM, &iov, 1,
182 : &cs);
183 246 : if (ret == 0 &&
184 123 : krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
185 0 : ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
186 : } else {
187 515 : ret = _kdc_verify_checksum(r->context,
188 : crypto,
189 : KRB5_KU_OTHER_CKSUM,
190 : &datack,
191 : &self.cksum);
192 : }
193 638 : krb5_data_free(&datack);
194 638 : krb5_crypto_destroy(r->context, crypto);
195 638 : if (ret) {
196 2 : const char *msg = krb5_get_error_message(r->context, ret);
197 2 : kdc_audit_addreason((kdc_request_t)r,
198 : "S4U2Self checksum failed");
199 2 : kdc_log(r->context, r->config, 4,
200 : "krb5_verify_checksum failed for S4U2Self: %s", msg);
201 2 : krb5_free_error_message(r->context, msg);
202 2 : goto out;
203 : }
204 :
205 636 : ret = _krb5_principalname2krb5_principal(r->context,
206 : &s4u_client_name,
207 : self.name,
208 : self.realm);
209 636 : if (ret)
210 0 : goto out;
211 :
212 636 : ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
213 636 : if (ret)
214 0 : goto out;
215 :
216 : /*
217 : * Note no HDB_F_SYNTHETIC_OK -- impersonating non-existent clients
218 : * is probably not desirable!
219 : */
220 636 : ret = _kdc_db_fetch(r->context, r->config, s4u_client_name,
221 636 : HDB_F_GET_CLIENT | flags, NULL,
222 : &s4u_clientdb, &s4u_client);
223 636 : if (ret) {
224 : const char *msg;
225 :
226 : /*
227 : * If the client belongs to the same realm as our krbtgt, it
228 : * should exist in the local database.
229 : *
230 : */
231 0 : if (ret == HDB_ERR_NOENTRY)
232 0 : ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
233 0 : msg = krb5_get_error_message(r->context, ret);
234 0 : kdc_audit_addreason((kdc_request_t)r,
235 : "S4U2Self principal to impersonate not found");
236 0 : kdc_log(r->context, r->config, 2,
237 : "S4U2Self principal to impersonate %s not found in database: %s",
238 : s4ucname, msg);
239 0 : krb5_free_error_message(r->context, msg);
240 0 : goto out;
241 : }
242 :
243 : /*
244 : * Ignore require_pwchange and pw_end attributes (as Windows does),
245 : * since S4U2Self is not password authentication.
246 : */
247 636 : s4u_client->flags.require_pwchange = FALSE;
248 636 : free(s4u_client->pw_end);
249 636 : s4u_client->pw_end = NULL;
250 :
251 636 : ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
252 636 : if (ret)
253 0 : goto out; /* kdc_check_flags() calls kdc_audit_addreason() */
254 :
255 636 : ret = _kdc_pac_generate(r,
256 : s4u_client,
257 : r->server,
258 : NULL,
259 : KRB5_PAC_WAS_GIVEN_IMPLICITLY,
260 : &s4u_pac);
261 636 : if (ret) {
262 0 : kdc_log(r->context, r->config, 4, "PAC generation failed for -- %s", s4ucname);
263 0 : goto out;
264 : }
265 :
266 : /*
267 : * Check that service doing the impersonating is
268 : * requesting a ticket to it-self.
269 : */
270 636 : ret = _kdc_check_client_matches_target_service(r->context,
271 : r->config,
272 : r->clientdb,
273 : r->client,
274 : r->server,
275 636 : r->server_princ);
276 636 : if (ret) {
277 2 : kdc_log(r->context, r->config, 4, "S4U2Self: %s is not allowed "
278 : "to impersonate to service "
279 : "(tried for user %s to service %s)",
280 : r->cname, s4ucname, r->sname);
281 2 : goto out;
282 : }
283 :
284 634 : ret = krb5_copy_principal(r->context, s4u_client->principal,
285 : &s4u_canon_client_name);
286 634 : if (ret)
287 0 : goto out;
288 :
289 : /*
290 : * If the service isn't trusted for authentication to
291 : * delegation or if the impersonate client is disallowed
292 : * forwardable, remove the forwardable flag.
293 : */
294 755 : if (r->client->flags.trusted_for_delegation &&
295 121 : s4u_client->flags.forwardable) {
296 120 : str = "[forwardable]";
297 : } else {
298 514 : b->kdc_options.forwardable = 0;
299 514 : str = "";
300 : }
301 634 : kdc_log(r->context, r->config, 4, "s4u2self %s impersonating %s to "
302 : "service %s %s", r->cname, s4ucname, r->sname, str);
303 :
304 : /*
305 : * Replace all client information in the request with the
306 : * impersonated client. (The audit entry containing the original
307 : * client name will have been created before this point.)
308 : */
309 634 : _kdc_request_set_cname_nocopy((kdc_request_t)r, &s4ucname);
310 634 : _kdc_request_set_client_princ_nocopy(r, &s4u_client_name);
311 :
312 634 : _kdc_free_ent(r->context, r->clientdb, r->client);
313 634 : r->client = s4u_client;
314 634 : s4u_client = NULL;
315 634 : r->clientdb = s4u_clientdb;
316 634 : s4u_clientdb = NULL;
317 :
318 634 : _kdc_request_set_canon_client_princ_nocopy(r, &s4u_canon_client_name);
319 634 : _kdc_request_set_pac_nocopy(r, &s4u_pac);
320 :
321 642 : out:
322 642 : if (s4u_client)
323 2 : _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
324 642 : krb5_free_principal(r->context, s4u_client_name);
325 642 : krb5_xfree(s4ucname);
326 642 : krb5_free_principal(r->context, s4u_canon_client_name);
327 642 : krb5_pac_free(r->context, s4u_pac);
328 :
329 642 : free_PA_S4U2Self(&self);
330 :
331 642 : return ret;
332 : }
333 :
334 : /*
335 : * Validate a constrained delegation (S4U2Proxy) request. If present
336 : * and successfully validated then the client in the request structure
337 : * will be replaced with the client from the evidence ticket.
338 : */
339 :
340 : static krb5_error_code
341 35956 : validate_constrained_delegation(astgs_request_t r)
342 : {
343 : krb5_error_code ret;
344 35956 : KDC_REQ_BODY *b = &r->req.req_body;
345 35956 : int flags = HDB_F_FOR_TGS_REQ;
346 35956 : krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
347 35956 : krb5_principal s4u_canon_client_name = NULL;
348 35956 : krb5_pac s4u_pac = NULL;
349 : uint64_t s4u_pac_attributes;
350 35956 : char *s4ucname = NULL, *s4usname = NULL;
351 : EncTicketPart evidence_tkt;
352 : HDB *s4u_clientdb;
353 35956 : hdb_entry *s4u_client = NULL;
354 35956 : krb5_boolean ad_kdc_issued = FALSE;
355 : Key *clientkey;
356 : Ticket *t;
357 : krb5_const_realm local_realm;
358 :
359 35956 : if (r->client == NULL
360 35908 : || b->additional_tickets == NULL
361 124 : || b->additional_tickets->len == 0
362 124 : || b->kdc_options.cname_in_addl_tkt == 0
363 124 : || b->kdc_options.enc_tkt_in_skey)
364 35832 : return 0;
365 :
366 124 : memset(&evidence_tkt, 0, sizeof(evidence_tkt));
367 124 : local_realm =
368 124 : krb5_principal_get_comp_string(r->context, r->krbtgt->principal, 1);
369 :
370 : /*
371 : * We require that the service's TGT has a PAC; this will have been
372 : * validated prior to this function being called.
373 : */
374 124 : if (r->pac == NULL) {
375 7 : ret = KRB5KDC_ERR_BADOPTION;
376 7 : kdc_audit_addreason((kdc_request_t)r, "Missing PAC");
377 7 : kdc_log(r->context, r->config, 4,
378 : "Constrained delegation without PAC, %s/%s",
379 : r->cname, r->sname);
380 7 : goto out;
381 : }
382 :
383 117 : t = &b->additional_tickets->val[0];
384 :
385 468 : ret = hdb_enctype2key(r->context, r->client,
386 117 : hdb_kvno2keys(r->context, r->client,
387 234 : t->enc_part.kvno ? * t->enc_part.kvno : 0),
388 : t->enc_part.etype, &clientkey);
389 117 : if (ret) {
390 0 : ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
391 0 : goto out;
392 : }
393 :
394 117 : ret = krb5_decrypt_ticket(r->context, t, &clientkey->key, &evidence_tkt, 0);
395 117 : if (ret) {
396 0 : kdc_audit_addreason((kdc_request_t)r,
397 : "Failed to decrypt constrained delegation ticket");
398 0 : kdc_log(r->context, r->config, 4,
399 : "failed to decrypt ticket for "
400 : "constrained delegation from %s to %s ", r->cname, r->sname);
401 0 : goto out;
402 : }
403 :
404 117 : ret = _krb5_principalname2krb5_principal(r->context,
405 : &s4u_client_name,
406 : evidence_tkt.cname,
407 : evidence_tkt.crealm);
408 117 : if (ret)
409 0 : goto out;
410 :
411 117 : ret = krb5_unparse_name(r->context, s4u_client_name, &s4ucname);
412 117 : if (ret)
413 0 : goto out;
414 :
415 117 : kdc_audit_addkv((kdc_request_t)r, 0, "impersonatee", "%s", s4ucname);
416 :
417 117 : ret = _krb5_principalname2krb5_principal(r->context,
418 : &s4u_server_name,
419 : t->sname,
420 : t->realm);
421 117 : if (ret)
422 0 : goto out;
423 :
424 117 : ret = krb5_unparse_name(r->context, s4u_server_name, &s4usname);
425 117 : if (ret)
426 0 : goto out;
427 :
428 : /* check that ticket is valid */
429 117 : if (evidence_tkt.flags.forwardable == 0) {
430 7 : kdc_audit_addreason((kdc_request_t)r,
431 : "Missing forwardable flag on ticket for constrained delegation");
432 7 : kdc_log(r->context, r->config, 4,
433 : "Missing forwardable flag on ticket for "
434 : "constrained delegation from %s (%s) as %s to %s ",
435 : r->cname, s4usname, s4ucname, r->sname);
436 7 : ret = KRB5KDC_ERR_BADOPTION;
437 7 : goto out;
438 : }
439 :
440 110 : ret = check_constrained_delegation(r->context, r->config, r->clientdb,
441 110 : r->client, r->server, r->server_princ);
442 110 : if (ret) {
443 16 : kdc_audit_addreason((kdc_request_t)r,
444 : "Constrained delegation not allowed");
445 16 : kdc_log(r->context, r->config, 4,
446 : "constrained delegation from %s (%s) as %s to %s not allowed",
447 : r->cname, s4usname, s4ucname, r->sname);
448 16 : goto out;
449 : }
450 :
451 94 : ret = _kdc_verify_flags(r->context, r->config, &evidence_tkt, s4ucname);
452 94 : if (ret) {
453 0 : kdc_audit_addreason((kdc_request_t)r,
454 : "Constrained delegation ticket expired or invalid");
455 0 : goto out;
456 : }
457 :
458 : /* Try lookup the delegated client in DB */
459 94 : ret = _kdc_db_fetch_client(r->context, r->config, flags,
460 : s4u_client_name, s4ucname, local_realm,
461 : &s4u_clientdb, &s4u_client);
462 94 : if (ret)
463 0 : goto out;
464 :
465 94 : if (s4u_client != NULL) {
466 93 : ret = kdc_check_flags(r, FALSE, s4u_client, r->server);
467 93 : if (ret)
468 0 : goto out;
469 : }
470 :
471 : /*
472 : * TODO: pass in t->sname and t->realm and build
473 : * a S4U_DELEGATION_INFO blob to the PAC.
474 : */
475 188 : ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name,
476 : s4u_client, r->server, r->krbtgt, r->client,
477 188 : &clientkey->key, &r->ticket_key->key, &evidence_tkt,
478 : &ad_kdc_issued, &s4u_pac,
479 : &s4u_canon_client_name, &s4u_pac_attributes);
480 94 : if (ret) {
481 43 : const char *msg = krb5_get_error_message(r->context, ret);
482 43 : kdc_audit_addreason((kdc_request_t)r,
483 : "Constrained delegation ticket PAC check failed");
484 43 : kdc_log(r->context, r->config, 4,
485 : "Verify delegated PAC failed to %s for client"
486 : "%s (%s) as %s from %s with %s",
487 : r->sname, r->cname, s4usname, s4ucname, r->from, msg);
488 43 : krb5_free_error_message(r->context, msg);
489 43 : goto out;
490 : }
491 :
492 51 : if (s4u_pac == NULL || !ad_kdc_issued) {
493 2 : ret = KRB5KDC_ERR_BADOPTION;
494 2 : kdc_log(r->context, r->config, 4,
495 : "Ticket not signed with PAC; service %s failed for "
496 : "for delegation to %s for client %s (%s) from %s; (%s).",
497 : r->sname, s4ucname, s4usname, r->cname, r->from,
498 2 : s4u_pac ? "Ticket unsigned" : "No PAC");
499 2 : kdc_audit_addreason((kdc_request_t)r,
500 : "Constrained delegation ticket not signed");
501 2 : goto out;
502 : }
503 :
504 : /*
505 : * If the evidence ticket PAC didn't include PAC_UPN_DNS_INFO with
506 : * the canonical client name, but the user is local to our KDC, we
507 : * can insert the canonical client name ourselves.
508 : */
509 49 : if (s4u_canon_client_name == NULL && s4u_client != NULL) {
510 0 : ret = krb5_copy_principal(r->context, s4u_client->principal,
511 : &s4u_canon_client_name);
512 0 : if (ret)
513 0 : goto out;
514 : }
515 :
516 49 : kdc_log(r->context, r->config, 4, "constrained delegation for %s "
517 : "from %s (%s) to %s", s4ucname, r->cname, s4usname, r->sname);
518 :
519 : /*
520 : * Replace all client information in the request with the
521 : * impersonated client. (The audit entry containing the original
522 : * client name will have been created before this point.)
523 : */
524 49 : _kdc_request_set_cname_nocopy((kdc_request_t)r, &s4ucname);
525 49 : _kdc_request_set_client_princ_nocopy(r, &s4u_client_name);
526 :
527 49 : _kdc_free_ent(r->context, r->clientdb, r->client);
528 49 : r->client = s4u_client;
529 49 : s4u_client = NULL;
530 49 : r->clientdb = s4u_clientdb;
531 49 : s4u_clientdb = NULL;
532 :
533 49 : _kdc_request_set_canon_client_princ_nocopy(r, &s4u_canon_client_name);
534 49 : _kdc_request_set_pac_nocopy(r, &s4u_pac);
535 :
536 49 : r->pac_attributes = s4u_pac_attributes;
537 :
538 124 : out:
539 124 : if (s4u_client)
540 45 : _kdc_free_ent(r->context, s4u_clientdb, s4u_client);
541 124 : krb5_free_principal(r->context, s4u_client_name);
542 124 : krb5_xfree(s4ucname);
543 124 : krb5_free_principal(r->context, s4u_server_name);
544 124 : krb5_xfree(s4usname);
545 124 : krb5_free_principal(r->context, s4u_canon_client_name);
546 124 : krb5_pac_free(r->context, s4u_pac);
547 :
548 124 : free_EncTicketPart(&evidence_tkt);
549 :
550 124 : return ret;
551 : }
552 :
553 : /*
554 : *
555 : */
556 :
557 : krb5_error_code
558 35964 : _kdc_validate_services_for_user(astgs_request_t r)
559 : {
560 : krb5_error_code ret;
561 :
562 35964 : ret = validate_protocol_transition(r);
563 35964 : if (ret == 0)
564 35956 : ret = validate_constrained_delegation(r);
565 :
566 35964 : return ret;
567 : }
|
