From: Greg Hudson Date: Mon, 2 Feb 2015 19:54:14 +0000 (-0500) Subject: Add KDC CAMMAC and auth indicator functions X-Git-Tag: krb5-1.14-alpha1~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b39ea2b4ed54f4f208246b3cb725e7b1113d047;p=thirdparty%2Fkrb5.git Add KDC CAMMAC and auth indicator functions Add KDC utility functions to manipulate CAMMACs and authentication indicators, to be used in later commits. ticket: 8157 --- diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index e8aa64b115..63b6bb65b9 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -9,6 +9,8 @@ all:: krb5kdc rtest LOCALINCLUDES = -I. SRCS= \ kdc5_err.c \ + $(srcdir)/authind.c \ + $(srcdir)/cammac.c \ $(srcdir)/dispatch.c \ $(srcdir)/do_as_req.c \ $(srcdir)/do_tgs_req.c \ @@ -29,6 +31,8 @@ SRCS= \ OBJS= \ kdc5_err.o \ + authind.o \ + cammac.o \ dispatch.o \ do_as_req.o \ do_tgs_req.o \ diff --git a/src/kdc/authind.c b/src/kdc/authind.c new file mode 100644 index 0000000000..9fef49514a --- /dev/null +++ b/src/kdc/authind.c @@ -0,0 +1,123 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kdc/authind.c - Functions for manipulating authentication indicator lists */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "kdc_util.h" + +/* Return true if ind matches an entry in indicators. */ +krb5_boolean +authind_contains(krb5_data *const *indicators, const char *ind) +{ + for (; indicators != NULL && *indicators != NULL; indicators++) { + if (data_eq_string(**indicators, ind)) + return TRUE; + } + return FALSE; +} + +/* Add ind to *indicators, reallocating as necessary. */ +krb5_error_code +authind_add(krb5_context context, const char *ind, krb5_data ***indicators) +{ + size_t count; + krb5_data **list = *indicators, *dptr, d; + + /* Count the number of existing indicators and check for duplicates. */ + for (count = 0; list != NULL && list[count] != NULL; count++) { + if (data_eq_string(*list[count], ind)) + return 0; + } + + /* Allocate space for a new entry. */ + list = realloc(list, (count + 2) * sizeof(*list)); + if (list == NULL) + return ENOMEM; + *indicators = list; + + /* Add a copy of ind (as a krb5_data object) to the list. */ + d = string2data((char *)ind); + if (krb5_copy_data(context, &d, &dptr) != 0) + return ENOMEM; + list[count++] = dptr; + list[count] = NULL; + return 0; +} + +/* Add all auth indicators from authdata to *indicators, reallocating as + * necessary. (Currently does not compress duplicates.) */ +krb5_error_code +authind_extract(krb5_context context, krb5_authdata **authdata, + krb5_data ***indicators) +{ + krb5_error_code ret; + size_t count, scount; + krb5_authdata **ind_authdata = NULL, **adp; + krb5_data der_indicators, **strings = NULL, **list = *indicators; + + for (count = 0; list != NULL && list[count] != NULL; count++); + + ret = krb5_find_authdata(context, authdata, NULL, + KRB5_AUTHDATA_AUTH_INDICATOR, &ind_authdata); + if (ret) + goto cleanup; + + for (adp = ind_authdata; adp != NULL && *adp != NULL; adp++) { + /* Decode this authdata element into an auth indicator list. */ + der_indicators = make_data((*adp)->contents, (*adp)->length); + ret = decode_utf8_strings(&der_indicators, &strings); + if (ret == ENOMEM) + goto cleanup; + if (ret) + continue; + + /* Count the entries in strings and allocate space in list. */ + for (scount = 0; strings != NULL && strings[scount] != NULL; scount++); + list = realloc(list, (count + scount + 1) * sizeof(*list)); + if (list == NULL) { + ret = ENOMEM; + goto cleanup; + } + *indicators = list; + + /* Steal the krb5_data pointers from strings and free the array. */ + memcpy(list + count, strings, scount * sizeof(*strings)); + count += scount; + list[count] = NULL; + free(strings); + strings = NULL; + } + +cleanup: + krb5_free_authdata(context, ind_authdata); + k5_free_data_ptr_list(strings); + return ret; +} diff --git a/src/kdc/cammac.c b/src/kdc/cammac.c new file mode 100644 index 0000000000..37926e53c6 --- /dev/null +++ b/src/kdc/cammac.c @@ -0,0 +1,194 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kdc/cammac.c - Functions for wrapping and unwrapping CAMMACs */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "kdc_util.h" + +/* Encode enc_tkt with contents as the authdata field, for use in KDC + * verifier checksums. */ +static krb5_error_code +encode_kdcver_encpart(krb5_enc_tkt_part *enc_tkt, krb5_authdata **contents, + krb5_data **der_out) +{ + krb5_enc_tkt_part ck_enctkt; + + ck_enctkt = *enc_tkt; + ck_enctkt.authorization_data = contents; + return encode_krb5_enc_tkt_part(&ck_enctkt, der_out); +} + +/* + * Create a CAMMAC for contents, using enc_tkt and the first key from krbtgt + * for the KDC verifier. Set *cammac_out to a single-element authdata list + * containing the CAMMAC inside an IF-RELEVANT container. + */ +krb5_error_code +cammac_create(krb5_context context, krb5_enc_tkt_part *enc_tkt, + krb5_keyblock *server_key, krb5_db_entry *krbtgt, + krb5_authdata **contents, krb5_authdata ***cammac_out) +{ + krb5_error_code ret; + krb5_data *der_authdata = NULL, *der_enctkt = NULL, *der_cammac = NULL; + krb5_authdata ad, *list[2]; + krb5_cammac cammac; + krb5_verifier_mac kdc_verifier, svc_verifier; + krb5_key_data *kd; + krb5_keyblock tgtkey; + krb5_checksum kdc_cksum, svc_cksum; + + *cammac_out = NULL; + memset(&tgtkey, 0, sizeof(tgtkey)); + memset(&kdc_cksum, 0, sizeof(kdc_cksum)); + memset(&svc_cksum, 0, sizeof(svc_cksum)); + + /* Fetch the first krbtgt key for the KDC verifier. */ + ret = krb5_dbe_find_enctype(context, krbtgt, -1, -1, 0, &kd); + if (ret) + goto cleanup; + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &tgtkey, NULL); + if (ret) + goto cleanup; + + /* Checksum the reply with contents as authdata for the KDC verifier. */ + ret = encode_kdcver_encpart(enc_tkt, contents, &der_enctkt); + if (ret) + goto cleanup; + ret = krb5_c_make_checksum(context, 0, &tgtkey, KRB5_KEYUSAGE_CAMMAC, + der_enctkt, &kdc_cksum); + if (ret) + goto cleanup; + kdc_verifier.princ = NULL; + kdc_verifier.kvno = kd->key_data_kvno; + kdc_verifier.enctype = ENCTYPE_NULL; + kdc_verifier.checksum = kdc_cksum; + + /* Encode the authdata and checksum it for the service verifier. */ + ret = encode_krb5_authdata(contents, &der_authdata); + if (ret) + goto cleanup; + ret = krb5_c_make_checksum(context, 0, server_key, KRB5_KEYUSAGE_CAMMAC, + der_authdata, &svc_cksum); + if (ret) + goto cleanup; + svc_verifier.princ = NULL; + svc_verifier.kvno = 0; + svc_verifier.enctype = ENCTYPE_NULL; + svc_verifier.checksum = svc_cksum; + + cammac.elements = contents; + cammac.kdc_verifier = &kdc_verifier; + cammac.svc_verifier = &svc_verifier; + cammac.other_verifiers = NULL; + + ret = encode_krb5_cammac(&cammac, &der_cammac); + if (ret) + goto cleanup; + + /* Wrap the encoded CAMMAC in an IF-RELEVANT container and return it as a + * single-element authdata list. */ + ad.ad_type = KRB5_AUTHDATA_CAMMAC; + ad.length = der_cammac->length; + ad.contents = (uint8_t *)der_cammac->data; + list[0] = &ad; + list[1] = NULL; + ret = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, + list, cammac_out); + +cleanup: + krb5_free_data(context, der_enctkt); + krb5_free_data(context, der_authdata); + krb5_free_data(context, der_cammac); + krb5_free_keyblock_contents(context, &tgtkey); + krb5_free_checksum_contents(context, &kdc_cksum); + krb5_free_checksum_contents(context, &svc_cksum); + return ret; +} + +/* Return true if cammac's KDC verifier is valid for enc_tkt, using krbtgt to + * retrieve the TGT key indicated by the verifier. */ +krb5_boolean +cammac_check_kdcver(krb5_context context, krb5_cammac *cammac, + krb5_enc_tkt_part *enc_tkt, krb5_db_entry *krbtgt) +{ + krb5_verifier_mac *ver = cammac->kdc_verifier; + krb5_key_data *kd; + krb5_keyblock tgtkey; + krb5_boolean valid = FALSE; + krb5_data *der_enctkt = NULL; + + memset(&tgtkey, 0, sizeof(tgtkey)); + + if (ver == NULL) + goto cleanup; + + /* Fetch the krbtgt key indicated by the KDC verifier. Only allow the + * first krbtgt key of the specified kvno. */ + if (krb5_dbe_find_enctype(context, krbtgt, -1, -1, ver->kvno, &kd) != 0) + goto cleanup; + if (krb5_dbe_decrypt_key_data(context, NULL, kd, &tgtkey, NULL) != 0) + goto cleanup; + if (ver->enctype != ENCTYPE_NULL && tgtkey.enctype != ver->enctype) + goto cleanup; + + /* Verify the checksum over the DER-encoded enc_tkt with the CAMMAC + * elements as authdata. */ + if (encode_kdcver_encpart(enc_tkt, cammac->elements, &der_enctkt) != 0) + goto cleanup; + (void)krb5_c_verify_checksum(context, &tgtkey, KRB5_KEYUSAGE_CAMMAC, + der_enctkt, &ver->checksum, &valid); + +cleanup: + krb5_free_keyblock_contents(context, &tgtkey); + krb5_free_data(context, der_enctkt); + return valid; +} + +/* Return true if cammac's service verifier is valid for server_key. */ +krb5_boolean +cammac_check_svcver(krb5_context context, krb5_cammac *cammac, + krb5_keyblock *server_key) +{ + krb5_error_code ret; + krb5_verifier_mac *ver = cammac->svc_verifier; + krb5_boolean valid = FALSE; + krb5_data *der_authdata = NULL; + + if (ver == NULL) + return FALSE; + ret = encode_krb5_authdata(cammac->elements, &der_authdata); + if (ret) + return FALSE; + ret = krb5_c_verify_checksum(context, server_key, KRB5_KEYUSAGE_CAMMAC, + der_authdata, &ver->checksum, &valid); + krb5_free_data(context, der_authdata); + return valid; +} diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 97ae41f78a..da9bf33e1e 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -112,6 +112,31 @@ ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype); void rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep); +/* authind.c */ +krb5_boolean +authind_contains(krb5_data *const *indicators, const char *ind); + +krb5_error_code +authind_add(krb5_context context, const char *ind, krb5_data ***indicators); + +krb5_error_code +authind_extract(krb5_context context, krb5_authdata **authdata, + krb5_data ***indicators); + +/* cammac.c */ +krb5_error_code +cammac_create(krb5_context context, krb5_enc_tkt_part *enc_tkt_reply, + krb5_keyblock *server_key, krb5_db_entry *krbtgt, + krb5_authdata **contents, krb5_authdata ***cammac_out); + +krb5_boolean +cammac_check_kdcver(krb5_context context, krb5_cammac *cammac, + krb5_enc_tkt_part *enc_tkt, krb5_db_entry *krbtgt); + +krb5_boolean +cammac_check_svcver(krb5_context context, krb5_cammac *cammac, + krb5_keyblock *server_key); + /* do_as_req.c */ void process_as_req (krb5_kdc_req *, krb5_data *,