/* * Copyright (c) 2019 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * This plugin authorizes requested certificate SANs and EKUs by calling a * service over IPC (Unix domain sockets on Linux/BSD/Illumos). * * The IPC protocol is request/response, with requests and responses sent as * * * * where the is 4 bytes, unsigned binary in network byte order, and * is an array of bytes and does NOT include a NUL * terminator. * * Requests are of the form: * * check = ... * * where is a URL-escaped principal name, is one of: * * - san_pkinit * - san_xmpp * - san_email * - san_ms_upn * - san_dnsname * - eku * * and is a URL-escaped string representation of the SAN or OID. * * OIDs are in the form 1.2.3.4.5.6. * * Only characters other than alphanumeric, '@', '.', '-', '_', and '/' are * URL-encoded. * * Responses are any of: * * - granted * - denied * - error message * * Example: * * C->S: check jane@TEST.H5L.SE san_dnsname=jane.foo.test.h5l.se eku=1.3.6.1.5.5.7.3.1 * S->C: granted * * Only digitalSignature and nonRepudiation key usages are allowed. Requested * key usages are not sent to the CSR authorizer IPC server. */ #define _GNU_SOURCE 1 #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * string_encode_sz() and string_encode() encode principal names and such to be * safe for use in our IPC text messages. They function very much like URL * encoders, but '~' also gets encoded, and '.' and '@' do not. * * An unescaper is not needed here. */ static size_t string_encode_sz(const char *in) { size_t sz = strlen(in); while (*in) { char c = *(in++); switch (c) { case '@': case '.': case '-': case '_': case '/': continue; default: if (isalnum((unsigned char)c)) continue; sz += 2; } } return sz; } static char * string_encode(const char *in) { size_t len = strlen(in); size_t sz = string_encode_sz(in); size_t i, k; char *s; if ((s = malloc(sz + 1)) == NULL) return NULL; s[sz] = '\0'; for (i = k = 0; i < len; i++) { unsigned char c = ((const unsigned char *)in)[i]; switch (c) { case '@': case '.': case '-': case '_': case '/': s[k++] = c; break; default: if (isalnum(c)) { s[k++] = c; } else { s[k++] = '%'; s[k++] = "0123456789abcdef"[(c&0xff)>>4]; s[k++] = "0123456789abcdef"[(c&0x0f)]; } } } return s; } static int cmd_append(struct rk_strpool **cmd, const char *s0, ...) { va_list ap; const char *arg; int ret = 0; if ((*cmd = rk_strpoolprintf(*cmd, "%s", s0)) == NULL) return ENOMEM; va_start(ap, s0); while ((arg = va_arg(ap, const char *))) { char *s; if ((s = string_encode(arg)) == NULL) { rk_strpoolfree(*cmd); *cmd = NULL; ret = ENOMEM; goto out; } *cmd = rk_strpoolprintf(*cmd, "%s", s); free(s); if (*cmd == NULL) { ret = ENOMEM; goto out; } } out: va_end(ap); return ret; } /* Like strpbrk(), but from the end of the string */ static char * strrpbrk(char *s, const char *accept) { char *last = NULL; char *p = s; do { p = strpbrk(p, accept); if (p != NULL) { last = p; p++; } } while (p != NULL); return last; } /* * For /get-tgts we need to support partial authorization of requests. The * hx509_request APIs support that. * * Here we just step through the IPC server's response and mark the * corresponding request elements authorized so that /get-tgts can issue or not * issue TGTs according to which requested principals are authorized and which * are not. */ static int mark_piecemeal_authorized(krb5_context context, hx509_request csr, heim_octet_string *rep) { size_t san_idx = 0; size_t eku_idx = 0; char *s, *p, *rep2, *tok, *next = NULL; int slow_path = 0; int partial = 0; int ret = 0; /* We have a data, but we want a C string */ if ((rep2 = strndup(rep->data, rep->length)) == NULL) return krb5_enomem(context); /* The first token should be "denied"; skip it */ if ((s = strchr(rep2, ' ')) == NULL) { free(rep2); return EACCES; } s++; while ((tok = strtok_r(s, ",", &next))) { hx509_san_type san_type, san_type2; char *s2 = NULL; s = NULL; /* for strtok_r() */ if (strncmp(tok, "eku=", sizeof("eku=") -1) == 0) { /* * Very simplistic handling of partial authz for EKUs: * * - denial of an EKU -> deny the whole request * - else below mark all EKUs approved */ if (strstr(tok, ":denied")) { krb5_set_error_message(context, EACCES, "CSR denied because " "EKU denied: %s", tok); ret = EACCES; break; } continue; } /* * For SANs we check that the nth SAN in the response matches the nth * SAN in the hx509_request. */ if (strncmp(tok, "san_pkinit=", sizeof("san_pkinit=") - 1) == 0) { tok += sizeof("san_pkinit=") - 1; san_type = HX509_SAN_TYPE_PKINIT; } else if (strncmp(tok, "san_dnsname=", sizeof("san_dnsname=") -1) == 0) { tok += sizeof("san_dnsname=") - 1; san_type = HX509_SAN_TYPE_DNSNAME; } else if (strncmp(tok, "san_email=", sizeof("san_email=") -1) == 0) { tok += sizeof("san_email=") - 1; san_type = HX509_SAN_TYPE_EMAIL; } else if (strncmp(tok, "san_xmpp=", sizeof("san_xmpp=") -1) == 0) { tok += sizeof("san_xmpp=") - 1; san_type = HX509_SAN_TYPE_XMPP; } else if (strncmp(tok, "san_ms_upn=", sizeof("san_ms_upn=") -1) == 0) { tok += sizeof("san_ms_upn=") - 1; san_type = HX509_SAN_TYPE_MS_UPN; } else { krb5_set_error_message(context, EACCES, "CSR denied because could " "not parse token in response: %s", tok); ret = EACCES; break; } /* * This token has to end in ":granted" or ":denied". Using our * `strrpbrk()' means we can deal with principals names that have ':' * in them. */ if ((p = strrpbrk(tok, ":")) == NULL) { san_idx++; continue; } *(p++) = '\0'; /* Now we get the nth SAN from the authorization */ ret = hx509_request_get_san(csr, san_idx, &san_type2, &s2); if (ret == HX509_NO_ITEM) { /* See below */ slow_path = 1; break; } /* And we check that it matches the SAN in this token */ if (ret == 0) { if (san_type != san_type2 || strcmp(tok, s2) != 0) { /* * We expect the tokens in the reply to be in the same order as * in the request. If not, we must take a slow path where we * have to sort requests and responses then iterate them in * order. */ slow_path = 1; hx509_xfree(s2); break; } hx509_xfree(s2); if (strcmp(p, "granted") == 0) { ret = hx509_request_authorize_san(csr, san_idx); } else { partial = 1; ret = hx509_request_reject_san(csr, san_idx); } if (ret) break; } san_idx++; } if (slow_path) { /* * FIXME? Implement the slow path? * * Basically, we'd get all the SANs from the request into an array of * {SAN, index} and sort that array, then all the SANs from the * response into an array and sort it, then step a cursor through both, * using the index from the first to mark SANs in the request * authorized or rejected. */ krb5_set_error_message(context, EACCES, "CSR denied because " "authorizer service did not include all " "piecemeal grants/denials in order"); ret = EACCES; } /* Mark all the EKUs authorized */ for (eku_idx = 0; ret == 0; eku_idx++) ret = hx509_request_authorize_eku(csr, eku_idx); if (ret == HX509_NO_ITEM) ret = 0; if (ret == 0 && partial) { krb5_set_error_message(context, EACCES, "CSR partially authorized"); ret = EACCES; } free(rep2); return ret; } static krb5_error_code mark_authorized(hx509_request); static int call_svc(krb5_context context, heim_ipc ipc, hx509_request csr, const char *cmd, int piecemeal_check_ok) { heim_octet_string req, resp; int ret; req.data = (void *)(uintptr_t)cmd; req.length = strlen(cmd); resp.length = 0; resp.data = NULL; ret = heim_ipc_call(ipc, &req, &resp, NULL); /* Check for all granted case */ if (ret == 0 && resp.length == sizeof("granted") - 1 && strncasecmp(resp.data, "granted", sizeof("granted") - 1) == 0) { free(resp.data); return mark_authorized(csr); /* Full approval */ } /* Check for "denied ..." piecemeal authorization case */ if ((ret == 0 || ret == EACCES || ret == KRB5_PLUGIN_NO_HANDLE) && piecemeal_check_ok && resp.length > sizeof("denied") - 1 && strncasecmp(resp.data, "denied", sizeof("denied") - 1) == 0) { /* Piecemeal authorization */ ret = mark_piecemeal_authorized(context, csr, &resp); /* mark_piecemeal_authorized() should return EACCES; just in case: */ if (ret == 0) ret = EACCES; free(resp.data); return ret; } /* All other failure cases */ if (resp.data == NULL || resp.length == 0) { krb5_set_error_message(context, ret, "CSR authorizer IPC service " "failed silently"); free(resp.data); return EACCES; } if (resp.length == sizeof("ignore") - 1 && strncasecmp(resp.data, "ignore", sizeof("ignore") - 1) == 0) { /* * In this case the server is saying "I can't handle this request, try * some other authorizer plugin". */ free(resp.data); return KRB5_PLUGIN_NO_HANDLE; } if (resp.length == sizeof("denied") - 1 && strncasecmp(resp.data, "denied", sizeof("denied") - 1) == 0) { krb5_set_error_message(context, ret, "CSR authorizer rejected %s", cmd); free(resp.data); return EACCES; } if (resp.length > INT_MAX) krb5_set_error_message(context, ret, "CSR authorizer rejected %s", cmd); else krb5_set_error_message(context, ret, "CSR authorizer rejected %s: %.*s", cmd, resp.length, resp.data); free(resp.data); return ret; } static void frees(char **s) { free(*s); *s = NULL; } static krb5_error_code mark_authorized(hx509_request csr) { size_t i; char *s; int ret = 0; for (i = 0; ret == 0; i++) { ret = hx509_request_get_eku(csr, i, &s); if (ret == 0) hx509_request_authorize_eku(csr, i); frees(&s); } if (ret == HX509_NO_ITEM) ret = 0; for (i = 0; ret == 0; i++) { hx509_san_type san_type; ret = hx509_request_get_san(csr, i, &san_type, &s); if (ret == 0) hx509_request_authorize_san(csr, i); frees(&s); } return ret == HX509_NO_ITEM ? 0 : ret; } static KRB5_LIB_CALL krb5_error_code authorize(void *ctx, krb5_context context, const char *app, hx509_request csr, krb5_const_principal client, krb5_boolean *result) { struct rk_strpool *cmd = NULL; krb5_error_code ret; hx509_context hx509ctx = NULL; heim_ipc ipc = NULL; const char *svc; KeyUsage ku; size_t i; char *princ = NULL; char *s = NULL; int do_check = 0; int piecemeal_check_ok = 1; if ((svc = krb5_config_get_string_default(context, NULL, "ANY:org.h5l.csr_authorizer", app ? app : "kdc", "ipc_csr_authorizer", "service", NULL)) == NULL) return KRB5_PLUGIN_NO_HANDLE; if ((ret = heim_ipc_init_context(svc, &ipc))) { /* * If the IPC authorizer is optional, then fallback on whatever is * next. */ if (krb5_config_get_bool_default(context, NULL, FALSE, app ? app : "kdc", "ipc_csr_authorizer", "optional", NULL)) return KRB5_PLUGIN_NO_HANDLE; krb5_set_error_message(context, ret, "Could not set up IPC client " "end-point for service %s", svc); return ret; } if ((ret = hx509_context_init(&hx509ctx))) goto out; if ((ret = krb5_unparse_name(context, client, &princ))) goto out; if ((ret = cmd_append(&cmd, "check ", princ, NULL))) goto enomem; frees(&princ); for (i = 0; ret == 0; i++) { hx509_san_type san_type; size_t p; ret = hx509_request_get_san(csr, i, &san_type, &s); if (ret) break; /* * We cannot do a piecemeal check if any of the SANs could make the * response ambiguous. */ p = strcspn(s, ",= "); if (s[p] != '\0') piecemeal_check_ok = 0; if (piecemeal_check_ok && strstr(s, ":granted") != NULL) piecemeal_check_ok = 0; switch (san_type) { case HX509_SAN_TYPE_EMAIL: if ((ret = cmd_append(&cmd, " san_email=", s, NULL))) goto enomem; do_check = 1; break; case HX509_SAN_TYPE_DNSNAME: if ((ret = cmd_append(&cmd, " san_dnsname=", s, NULL))) goto enomem; do_check = 1; break; case HX509_SAN_TYPE_XMPP: if ((ret = cmd_append(&cmd, " san_xmpp=", s, NULL))) goto enomem; do_check = 1; break; case HX509_SAN_TYPE_PKINIT: if ((ret = cmd_append(&cmd, " san_pkinit=", s, NULL))) goto enomem; do_check = 1; break; case HX509_SAN_TYPE_MS_UPN: if ((ret = cmd_append(&cmd, " san_ms_upn=", s, NULL))) goto enomem; do_check = 1; break; default: if ((ret = hx509_request_reject_san(csr, i))) goto out; break; } frees(&s); } if (ret == HX509_NO_ITEM) ret = 0; if (ret) goto out; for (i = 0; ret == 0; i++) { ret = hx509_request_get_eku(csr, i, &s); if (ret) break; if ((ret = cmd_append(&cmd, " eku=", s, NULL))) goto enomem; do_check = 1; frees(&s); } if (ret == HX509_NO_ITEM) ret = 0; if (ret) goto out; ku = int2KeyUsage(0); ku.digitalSignature = 1; ku.nonRepudiation = 1; hx509_request_authorize_ku(csr, ku); if (do_check) { s = rk_strpoolcollect(cmd); cmd = NULL; if (s == NULL) goto enomem; if ((ret = call_svc(context, ipc, csr, s, piecemeal_check_ok))) goto out; } /* else there was nothing to check -> permit */ *result = TRUE; ret = 0; goto out; enomem: ret = krb5_enomem(context); goto out; out: heim_ipc_free_context(ipc); hx509_context_free(&hx509ctx); if (cmd) rk_strpoolfree(cmd); free(princ); free(s); return ret; } static KRB5_LIB_CALL krb5_error_code ipc_csr_authorizer_init(krb5_context context, void **c) { *c = NULL; return 0; } static KRB5_LIB_CALL void ipc_csr_authorizer_fini(void *c) { } static krb5plugin_csr_authorizer_ftable plug_desc = { 1, ipc_csr_authorizer_init, ipc_csr_authorizer_fini, authorize }; static krb5plugin_csr_authorizer_ftable *plugs[] = { &plug_desc }; static uintptr_t ipc_csr_authorizer_get_instance(const char *libname) { if (strcmp(libname, "krb5") == 0) return krb5_get_instance(libname); if (strcmp(libname, "kdc") == 0) return kdc_get_instance(libname); if (strcmp(libname, "hx509") == 0) return hx509_get_instance(libname); return 0; } krb5_plugin_load_ft kdc_csr_authorizer_plugin_load; krb5_error_code KRB5_CALLCONV kdc_csr_authorizer_plugin_load(heim_pcontext context, krb5_get_instance_func_t *get_instance, size_t *num_plugins, krb5_plugin_common_ftable_cp **plugins) { *get_instance = ipc_csr_authorizer_get_instance; *num_plugins = sizeof(plugs) / sizeof(plugs[0]); *plugins = (krb5_plugin_common_ftable_cp *)plugs; return 0; }