diff options
Diffstat (limited to 'third_party/heimdal/kdc/negotiate_token_validator.c')
| -rw-r--r-- | third_party/heimdal/kdc/negotiate_token_validator.c | 323 |
1 files changed, 323 insertions, 0 deletions
diff --git a/third_party/heimdal/kdc/negotiate_token_validator.c b/third_party/heimdal/kdc/negotiate_token_validator.c new file mode 100644 index 0000000..20250c6 --- /dev/null +++ b/third_party/heimdal/kdc/negotiate_token_validator.c @@ -0,0 +1,323 @@ +/* + * Copyright (c) 2019 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * This is a plugin by which bx509d can validate Negotiate tokens. + * + * [kdc] + * negotiate_token_validator = { + * keytab = ... + * } + */ + +#define _DEFAULT_SOURCE +#define _BSD_SOURCE +#define _GNU_SOURCE 1 + +#include <sys/types.h> +#include <sys/stat.h> +#include <ctype.h> +#include <errno.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <base64.h> +#include <roken.h> +#include <heimbase.h> +#include <krb5.h> +#include <common_plugin.h> +#include <gssapi/gssapi.h> +#include <token_validator_plugin.h> + +static int +display_status(krb5_context context, + OM_uint32 major, + OM_uint32 minor, + gss_cred_id_t acred, + gss_ctx_id_t gctx, + gss_OID mech_type) +{ + gss_buffer_desc buf = GSS_C_EMPTY_BUFFER; + OM_uint32 dmaj, dmin; + OM_uint32 more = 0; + char *gmmsg = NULL; + char *gmsg = NULL; + char *s = NULL; + + do { + gss_release_buffer(&dmin, &buf); + dmaj = gss_display_status(&dmin, major, GSS_C_GSS_CODE, GSS_C_NO_OID, + &more, &buf); + if (GSS_ERROR(dmaj) || + buf.length >= INT_MAX || + asprintf(&s, "%s%s%.*s", gmsg ? gmsg : "", gmsg ? ": " : "", + (int)buf.length, (char *)buf.value) == -1 || + s == NULL) { + free(gmsg); + gmsg = NULL; + break; + } + gmsg = s; + s = NULL; + } while (!GSS_ERROR(dmaj) && more); + if (mech_type != GSS_C_NO_OID) { + do { + gss_release_buffer(&dmin, &buf); + dmaj = gss_display_status(&dmin, major, GSS_C_MECH_CODE, mech_type, + &more, &buf); + if (GSS_ERROR(dmaj) || + asprintf(&s, "%s%s%.*s", gmmsg ? gmmsg : "", gmmsg ? ": " : "", + (int)buf.length, (char *)buf.value) == -1 || + s == NULL) { + free(gmmsg); + gmmsg = NULL; + break; + } + gmmsg = s; + s = NULL; + } while (!GSS_ERROR(dmaj) && more); + } + if (gmsg == NULL) + krb5_set_error_message(context, ENOMEM, "Error displaying GSS-API " + "status"); + else + krb5_set_error_message(context, EACCES, "%s%s%s%s", gmmsg, + gmmsg ? " (" : "", gmmsg ? gmmsg : "", + gmmsg ? ")" : ""); + if (acred && gctx) + krb5_prepend_error_message(context, EACCES, "Failed to validate " + "Negotiate token due to error examining " + "GSS-API security context"); + else if (acred) + krb5_prepend_error_message(context, EACCES, "Failed to validate " + "Negotiate token due to error accepting " + "GSS-API security context token"); + else + krb5_prepend_error_message(context, EACCES, "Failed to validate " + "Negotiate token due to error acquiring " + "GSS-API default acceptor credential"); + return EACCES; +} + +static KRB5_LIB_CALL krb5_error_code +validate(void *ctx, + krb5_context context, + const char *realm, + const char *token_type, + krb5_data *token, + const char * const *audiences, + size_t naudiences, + krb5_boolean *result, + krb5_principal *actual_principal, + krb5_times *token_times) +{ + gss_buffer_desc adisplay_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc idisplay_name = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc input_token; + gss_cred_id_t acred = GSS_C_NO_CREDENTIAL; + gss_ctx_id_t gctx = GSS_C_NO_CONTEXT; + gss_name_t aname = GSS_C_NO_NAME; + gss_name_t iname = GSS_C_NO_NAME; + gss_OID mech_type = GSS_C_NO_OID; + const char *kt = krb5_config_get_string(context, NULL, "kdc", + "negotiate_token_validator", + "keytab", NULL); + OM_uint32 major, minor, ret_flags, time_rec; + size_t i; + char *token_decoded = NULL; + void *token_copy = NULL; + char *princ_str = NULL; + int ret = 0; + + if (strcmp(token_type, "Negotiate") != 0) + return KRB5_PLUGIN_NO_HANDLE; + + if (kt) { + gss_key_value_element_desc store_keytab_kv; + gss_key_value_set_desc store; + gss_OID_desc mech_set[2] = { *GSS_KRB5_MECHANISM, *GSS_SPNEGO_MECHANISM }; + gss_OID_set_desc mechs = { 2, mech_set }; + + store_keytab_kv.key = "keytab"; + store_keytab_kv.value = kt; + store.elements = &store_keytab_kv; + store.count = 1; + major = gss_acquire_cred_from(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, + &mechs, GSS_C_ACCEPT, &store, &acred, NULL, + NULL); + if (major != GSS_S_COMPLETE) + return display_status(context, major, minor, acred, gctx, mech_type); + + mechs.count = 1; + major = gss_set_neg_mechs(&minor, acred, &mechs); + if (major != GSS_S_COMPLETE) + return display_status(context, major, minor, acred, gctx, mech_type); + } /* else we'll use the default credential */ + + if ((token_decoded = malloc(token->length)) == NULL || + (token_copy = calloc(1, token->length + 1)) == NULL) + goto enomem; + + memcpy(token_copy, token->data, token->length); + if ((ret = rk_base64_decode(token_copy, token_decoded)) <= 0) { + krb5_set_error_message(context, EACCES, "Negotiate token malformed"); + ret = EACCES; + goto out; + } + + input_token.value = token_decoded; + input_token.length = ret; + major = gss_accept_sec_context(&minor, &gctx, acred, &input_token, NULL, + &iname, &mech_type, &output_token, + &ret_flags, &time_rec, NULL); + + if (mech_type == GSS_C_NO_OID || + !gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) { + krb5_set_error_message(context, ret = EACCES, "Negotiate token used " + "non-Kerberos mechanism"); + goto out; + } + + if (major != GSS_S_COMPLETE) { + ret = display_status(context, major, minor, acred, gctx, mech_type); + if (ret == 0) + ret = EINVAL; + goto out; + } + + major = gss_inquire_context(&minor, gctx, NULL, &aname, NULL, NULL, + NULL, NULL, NULL); + if (major == GSS_S_COMPLETE) + major = gss_display_name(&minor, aname, &adisplay_name, NULL); + if (major == GSS_S_COMPLETE) + major = gss_display_name(&minor, iname, &idisplay_name, NULL); + if (major != GSS_S_COMPLETE) { + ret = display_status(context, major, minor, acred, gctx, mech_type); + if (ret == 0) + ret = EINVAL; + goto out; + } + + for (i = 0; i < naudiences; i++) { + const char *s = adisplay_name.value; + size_t slen = adisplay_name.length; + size_t len = strlen(audiences[i]); + + if (slen >= sizeof("HTTP/") - 1 && + slen >= sizeof("HTTP/") - 1 + len && + memcmp(s, "HTTP/", sizeof("HTTP/") - 1) == 0 && + memcmp(s + sizeof("HTTP/") - 1, audiences[i], len) == 0 && + s[sizeof("HTTP/") - 1 + len] == '@') + break; + } + if (i == naudiences) { + /* This handles the case where naudiences == 0 as an error */ + krb5_set_error_message(context, EACCES, "Negotiate token used " + "wrong HTTP service host acceptor name"); + goto out; + } + + if ((princ_str = calloc(1, idisplay_name.length + 1)) == NULL) + goto enomem; + memcpy(princ_str, idisplay_name.value, idisplay_name.length); + if ((ret = krb5_parse_name(context, princ_str, actual_principal))) + goto out; + + /* XXX Need name attributes to get authtime/starttime/renew_till */ + token_times->authtime = 0; + token_times->starttime = time(NULL) - 300; + token_times->endtime = token_times->starttime + 300 + time_rec; + token_times->renew_till = 0; + + *result = TRUE; + goto out; + +enomem: + ret = krb5_enomem(context); +out: + gss_delete_sec_context(&minor, &gctx, NULL); + gss_release_buffer(&minor, &adisplay_name); + gss_release_buffer(&minor, &idisplay_name); + gss_release_buffer(&minor, &output_token); + gss_release_cred(&minor, &acred); + gss_release_name(&minor, &aname); + gss_release_name(&minor, &iname); + free(token_decoded); + free(token_copy); + free(princ_str); + return ret; +} + +static KRB5_LIB_CALL krb5_error_code +negotiate_init(krb5_context context, void **c) +{ + *c = NULL; + return 0; +} + +static KRB5_LIB_CALL void +negotiate_fini(void *c) +{ +} + +static krb5plugin_token_validator_ftable plug_desc = + { 1, negotiate_init, negotiate_fini, validate }; + +static krb5plugin_token_validator_ftable *plugs[] = { &plug_desc }; + +static uintptr_t +negotiate_get_instance(const char *libname) +{ + if (strcmp(libname, "krb5") == 0) + return krb5_get_instance(libname); + + return 0; +} + +krb5_plugin_load_ft kdc_token_validator_plugin_load; + +krb5_error_code KRB5_CALLCONV +kdc_token_validator_plugin_load(heim_pcontext context, + krb5_get_instance_func_t *get_instance, + size_t *num_plugins, + krb5_plugin_common_ftable_cp **plugins) +{ + *get_instance = negotiate_get_instance; + *num_plugins = sizeof(plugs) / sizeof(plugs[0]); + *plugins = (krb5_plugin_common_ftable_cp *)plugs; + return 0; +} |