|
|
10fa70 |
From b4dba5a4c16b2585c38445e3067b5e3399f38a10 Mon Sep 17 00:00:00 2001
|
|
|
10fa70 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
10fa70 |
Date: Mon, 24 Feb 2020 15:58:59 -0500
|
|
|
10fa70 |
Subject: [PATCH] Allow certauth modules to set hw-authent flag
|
|
|
10fa70 |
|
|
|
10fa70 |
In PKINIT, if a certauth module returns KRB5_CERTAUTH_HWAUTH from its
|
|
|
10fa70 |
authorize method, set the hw-authent flag in the ticket.
|
|
|
10fa70 |
|
|
|
10fa70 |
ticket: 8879 (new)
|
|
|
10fa70 |
(cherry picked from commit 50fb43b4a2d97ce2cd53e1ced30e8e8224fede70)
|
|
|
10fa70 |
(cherry picked from commit d23b2ed4f06fa77cd021814834dd1391ef6f452f)
|
|
|
10fa70 |
---
|
|
|
10fa70 |
doc/plugindev/certauth.rst | 7 +++++--
|
|
|
10fa70 |
src/include/krb5/certauth_plugin.h | 9 ++++++---
|
|
|
10fa70 |
src/lib/krb5/error_tables/k5e1_err.et | 1 +
|
|
|
10fa70 |
src/plugins/certauth/test/Makefile.in | 4 ++--
|
|
|
10fa70 |
src/plugins/certauth/test/main.c | 11 +++++++++--
|
|
|
10fa70 |
src/plugins/preauth/pkinit/pkinit_srv.c | 24 ++++++++++++++++--------
|
|
|
10fa70 |
src/tests/t_certauth.py | 13 +++++++++++++
|
|
|
10fa70 |
7 files changed, 52 insertions(+), 17 deletions(-)
|
|
|
10fa70 |
|
|
|
10fa70 |
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
|
|
|
10fa70 |
index 8a7f7c5eb..3b715f738 100644
|
|
|
10fa70 |
--- a/doc/plugindev/certauth.rst
|
|
|
10fa70 |
+++ b/doc/plugindev/certauth.rst
|
|
|
10fa70 |
@@ -15,8 +15,11 @@ principal. **authorize** receives the DER-encoded certificate, the
|
|
|
10fa70 |
requested client principal, and a pointer to the client's
|
|
|
10fa70 |
krb5_db_entry (for modules that link against libkdb5). It returns the
|
|
|
10fa70 |
authorization status and optionally outputs a list of authentication
|
|
|
10fa70 |
-indicator strings to be added to the ticket. A module must use its
|
|
|
10fa70 |
-own internal or library-provided ASN.1 certificate decoder.
|
|
|
10fa70 |
+indicator strings to be added to the ticket. Beginning in release
|
|
|
10fa70 |
+1.19, the authorize method can request that the hardware
|
|
|
10fa70 |
+authentication bit be set in the ticket by returning
|
|
|
10fa70 |
+**KRB5_CERTAUTH_HWAUTH**. A module must use its own internal or
|
|
|
10fa70 |
+library-provided ASN.1 certificate decoder.
|
|
|
10fa70 |
|
|
|
10fa70 |
A module can optionally create and destroy module data with the
|
|
|
10fa70 |
**init** and **fini** methods. Module data objects last for the
|
|
|
10fa70 |
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
|
|
|
10fa70 |
index 3074790f8..3466cf345 100644
|
|
|
10fa70 |
--- a/src/include/krb5/certauth_plugin.h
|
|
|
10fa70 |
+++ b/src/include/krb5/certauth_plugin.h
|
|
|
10fa70 |
@@ -85,14 +85,17 @@ typedef void
|
|
|
10fa70 |
(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata);
|
|
|
10fa70 |
|
|
|
10fa70 |
/*
|
|
|
10fa70 |
- * Mandatory:
|
|
|
10fa70 |
- * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by
|
|
|
10fa70 |
- * princ; otherwise return one of the following error codes:
|
|
|
10fa70 |
+ * Mandatory: return 0 or KRB5_CERTAUTH_HWAUTH if the DER-encoded cert is
|
|
|
10fa70 |
+ * authorized for PKINIT authentication by princ; otherwise return one of the
|
|
|
10fa70 |
+ * following error codes:
|
|
|
10fa70 |
* - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
|
|
|
10fa70 |
* - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
|
|
|
10fa70 |
* - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
|
|
|
10fa70 |
* - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert
|
|
|
10fa70 |
*
|
|
|
10fa70 |
+ * Returning KRB5_CERTAUTH_HWAUTH will cause the hw-authent flag to be set in
|
|
|
10fa70 |
+ * the issued ticket (new in release 1.19).
|
|
|
10fa70 |
+ *
|
|
|
10fa70 |
* - opts is used by built-in modules to receive internal data, and must be
|
|
|
10fa70 |
* ignored by other modules.
|
|
|
10fa70 |
* - db_entry receives the client principal database entry, and can be ignored
|
|
|
10fa70 |
diff --git a/src/lib/krb5/error_tables/k5e1_err.et b/src/lib/krb5/error_tables/k5e1_err.et
|
|
|
10fa70 |
index ade5caecf..abd9f3bfe 100644
|
|
|
10fa70 |
--- a/src/lib/krb5/error_tables/k5e1_err.et
|
|
|
10fa70 |
+++ b/src/lib/krb5/error_tables/k5e1_err.et
|
|
|
10fa70 |
@@ -42,4 +42,5 @@ error_code KRB5_KCM_MALFORMED_REPLY, "Malformed reply from KCM daemon"
|
|
|
10fa70 |
error_code KRB5_KCM_RPC_ERROR, "Mach RPC error communicating with KCM daemon"
|
|
|
10fa70 |
error_code KRB5_KCM_REPLY_TOO_BIG, "KCM daemon reply too big"
|
|
|
10fa70 |
error_code KRB5_KCM_NO_SERVER, "No KCM server found"
|
|
|
10fa70 |
+error_code KRB5_CERTAUTH_HWAUTH, "Authorize and set hw-authent ticket flag"
|
|
|
10fa70 |
end
|
|
|
10fa70 |
diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in
|
|
|
10fa70 |
index d3524084c..e94c13845 100644
|
|
|
10fa70 |
--- a/src/plugins/certauth/test/Makefile.in
|
|
|
10fa70 |
+++ b/src/plugins/certauth/test/Makefile.in
|
|
|
10fa70 |
@@ -5,8 +5,8 @@ LIBBASE=certauth_test
|
|
|
10fa70 |
LIBMAJOR=0
|
|
|
10fa70 |
LIBMINOR=0
|
|
|
10fa70 |
RELDIR=../plugins/certauth/test
|
|
|
10fa70 |
-SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS)
|
|
|
10fa70 |
-SHLIB_EXPLIBS=$(KRB5_BASE_LIBS)
|
|
|
10fa70 |
+SHLIB_EXPDEPS=$(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS)
|
|
|
10fa70 |
+SHLIB_EXPLIBS=$(KDB5_LIBS) $(KRB5_BASE_LIBS)
|
|
|
10fa70 |
|
|
|
10fa70 |
STLIBOBJS=main.o
|
|
|
10fa70 |
|
|
|
10fa70 |
diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c
|
|
|
10fa70 |
index 77641230c..d4633b8cd 100644
|
|
|
10fa70 |
--- a/src/plugins/certauth/test/main.c
|
|
|
10fa70 |
+++ b/src/plugins/certauth/test/main.c
|
|
|
10fa70 |
@@ -31,6 +31,7 @@
|
|
|
10fa70 |
*/
|
|
|
10fa70 |
|
|
|
10fa70 |
#include <k5-int.h>
|
|
|
10fa70 |
+#include <kdb.h>
|
|
|
10fa70 |
#include "krb5/certauth_plugin.h"
|
|
|
10fa70 |
|
|
|
10fa70 |
struct krb5_certauth_moddata_st {
|
|
|
10fa70 |
@@ -131,7 +132,8 @@ has_cn(krb5_context context, const uint8_t *cert, size_t cert_len,
|
|
|
10fa70 |
|
|
|
10fa70 |
/*
|
|
|
10fa70 |
* Test module 2 returns OK if princ matches the CN part of the subject name,
|
|
|
10fa70 |
- * and returns indicators of the module name and princ.
|
|
|
10fa70 |
+ * and returns indicators of the module name and princ. If the "hwauth" string
|
|
|
10fa70 |
+ * attribute is set on db_entry, it returns KRB5_CERTAUTH_HWAUTH.
|
|
|
10fa70 |
*/
|
|
|
10fa70 |
static krb5_error_code
|
|
|
10fa70 |
test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
|
|
|
10fa70 |
@@ -141,7 +143,7 @@ test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
|
|
|
10fa70 |
char ***authinds_out)
|
|
|
10fa70 |
{
|
|
|
10fa70 |
krb5_error_code ret;
|
|
|
10fa70 |
- char *name = NULL, **ais = NULL;
|
|
|
10fa70 |
+ char *name = NULL, *strval = NULL, **ais = NULL;
|
|
|
10fa70 |
|
|
|
10fa70 |
*authinds_out = NULL;
|
|
|
10fa70 |
|
|
|
10fa70 |
@@ -167,6 +169,11 @@ test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
|
|
|
10fa70 |
|
|
|
10fa70 |
ais = NULL;
|
|
|
10fa70 |
|
|
|
10fa70 |
+ ret = krb5_dbe_get_string(context, (krb5_db_entry *)db_entry, "hwauth",
|
|
|
10fa70 |
+ &strval);
|
|
|
10fa70 |
+ ret = (strval != NULL) ? KRB5_CERTAUTH_HWAUTH : 0;
|
|
|
10fa70 |
+ krb5_dbe_free_string(context, strval);
|
|
|
10fa70 |
+
|
|
|
10fa70 |
cleanup:
|
|
|
10fa70 |
krb5_free_unparsed_name(context, name);
|
|
|
10fa70 |
return ret;
|
|
|
10fa70 |
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
10fa70 |
index feca11806..3ae56c064 100644
|
|
|
10fa70 |
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
10fa70 |
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
10fa70 |
@@ -320,12 +320,12 @@ static krb5_error_code
|
|
|
10fa70 |
authorize_cert(krb5_context context, certauth_handle *certauth_modules,
|
|
|
10fa70 |
pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx,
|
|
|
10fa70 |
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
|
|
|
10fa70 |
- krb5_principal client)
|
|
|
10fa70 |
+ krb5_principal client, krb5_boolean *hwauth_out)
|
|
|
10fa70 |
{
|
|
|
10fa70 |
krb5_error_code ret;
|
|
|
10fa70 |
certauth_handle h;
|
|
|
10fa70 |
struct certauth_req_opts opts;
|
|
|
10fa70 |
- krb5_boolean accepted = FALSE;
|
|
|
10fa70 |
+ krb5_boolean accepted = FALSE, hwauth = FALSE;
|
|
|
10fa70 |
uint8_t *cert;
|
|
|
10fa70 |
size_t i, cert_len;
|
|
|
10fa70 |
void *db_ent = NULL;
|
|
|
10fa70 |
@@ -347,9 +347,10 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
|
|
|
10fa70 |
|
|
|
10fa70 |
/*
|
|
|
10fa70 |
* Check the certificate against each certauth module. For the certificate
|
|
|
10fa70 |
- * to be authorized at least one module must return 0, and no module can an
|
|
|
10fa70 |
- * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from
|
|
|
10fa70 |
- * modules that return 0 or pass.
|
|
|
10fa70 |
+ * to be authorized at least one module must return 0 or
|
|
|
10fa70 |
+ * KRB5_CERTAUTH_HWAUTH, and no module can return an error code other than
|
|
|
10fa70 |
+ * KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from modules that return 0
|
|
|
10fa70 |
+ * or pass.
|
|
|
10fa70 |
*/
|
|
|
10fa70 |
ret = KRB5_PLUGIN_NO_HANDLE;
|
|
|
10fa70 |
for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
|
|
|
10fa70 |
@@ -359,6 +360,8 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
|
|
|
10fa70 |
&opts, db_ent, &ais);
|
|
|
10fa70 |
if (ret == 0)
|
|
|
10fa70 |
accepted = TRUE;
|
|
|
10fa70 |
+ else if (ret == KRB5_CERTAUTH_HWAUTH)
|
|
|
10fa70 |
+ accepted = hwauth = TRUE;
|
|
|
10fa70 |
else if (ret != KRB5_PLUGIN_NO_HANDLE)
|
|
|
10fa70 |
goto cleanup;
|
|
|
10fa70 |
|
|
|
10fa70 |
@@ -374,6 +377,7 @@ authorize_cert(krb5_context context, certauth_handle *certauth_modules,
|
|
|
10fa70 |
}
|
|
|
10fa70 |
}
|
|
|
10fa70 |
|
|
|
10fa70 |
+ *hwauth_out = hwauth;
|
|
|
10fa70 |
ret = accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
|
|
|
10fa70 |
|
|
|
10fa70 |
cleanup:
|
|
|
10fa70 |
@@ -430,7 +434,7 @@ pkinit_server_verify_padata(krb5_context context,
|
|
|
10fa70 |
int is_signed = 1;
|
|
|
10fa70 |
krb5_pa_data **e_data = NULL;
|
|
|
10fa70 |
krb5_kdcpreauth_modreq modreq = NULL;
|
|
|
10fa70 |
- krb5_boolean valid_freshness_token = FALSE;
|
|
|
10fa70 |
+ krb5_boolean valid_freshness_token = FALSE, hwauth = FALSE;
|
|
|
10fa70 |
char **sp;
|
|
|
10fa70 |
|
|
|
10fa70 |
pkiDebug("pkinit_verify_padata: entered!\n");
|
|
|
10fa70 |
@@ -494,7 +498,7 @@ pkinit_server_verify_padata(krb5_context context,
|
|
|
10fa70 |
}
|
|
|
10fa70 |
if (is_signed) {
|
|
|
10fa70 |
retval = authorize_cert(context, moddata->certauth_modules, plgctx,
|
|
|
10fa70 |
- reqctx, cb, rock, request->client);
|
|
|
10fa70 |
+ reqctx, cb, rock, request->client, &hwauth);
|
|
|
10fa70 |
if (retval)
|
|
|
10fa70 |
goto cleanup;
|
|
|
10fa70 |
|
|
|
10fa70 |
@@ -613,6 +617,8 @@ pkinit_server_verify_padata(krb5_context context,
|
|
|
10fa70 |
|
|
|
10fa70 |
/* remember to set the PREAUTH flag in the reply */
|
|
|
10fa70 |
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
|
|
|
10fa70 |
+ if (hwauth)
|
|
|
10fa70 |
+ enc_tkt_reply->flags |= TKT_FLG_HW_AUTH;
|
|
|
10fa70 |
modreq = (krb5_kdcpreauth_modreq)reqctx;
|
|
|
10fa70 |
reqctx = NULL;
|
|
|
10fa70 |
|
|
|
10fa70 |
@@ -1044,7 +1050,9 @@ pkinit_server_get_flags(krb5_context kcontext, krb5_preauthtype patype)
|
|
|
10fa70 |
{
|
|
|
10fa70 |
if (patype == KRB5_PADATA_PKINIT_KX)
|
|
|
10fa70 |
return PA_INFO;
|
|
|
10fa70 |
- return PA_SUFFICIENT | PA_REPLACES_KEY | PA_TYPED_E_DATA;
|
|
|
10fa70 |
+ /* PKINIT does not normally set the hw-authent ticket flag, but a
|
|
|
10fa70 |
+ * certauth module can cause it to do so. */
|
|
|
10fa70 |
+ return PA_SUFFICIENT | PA_REPLACES_KEY | PA_TYPED_E_DATA | PA_HARDWARE;
|
|
|
10fa70 |
}
|
|
|
10fa70 |
|
|
|
10fa70 |
static krb5_preauthtype supported_server_pa_types[] = {
|
|
|
10fa70 |
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
|
|
|
10fa70 |
index 9c7094525..0fe0fdb4a 100644
|
|
|
10fa70 |
--- a/src/tests/t_certauth.py
|
|
|
10fa70 |
+++ b/src/tests/t_certauth.py
|
|
|
10fa70 |
@@ -43,4 +43,17 @@ out = realm.kinit("user2@KRBTEST.COM",
|
|
|
10fa70 |
expected_code=1,
|
|
|
10fa70 |
expected_msg='kinit: Certificate mismatch')
|
|
|
10fa70 |
|
|
|
10fa70 |
+# Test the KRB5_CERTAUTH_HWAUTH return code.
|
|
|
10fa70 |
+mark('hw-authent flag tests')
|
|
|
10fa70 |
+# First test +requires_hwauth without causing the hw-authent ticket
|
|
|
10fa70 |
+# flag to be set. This currently results in a preauth loop.
|
|
|
10fa70 |
+realm.run([kadminl, 'modprinc', '+requires_hwauth', realm.user_princ])
|
|
|
10fa70 |
+realm.kinit(realm.user_princ,
|
|
|
10fa70 |
+ flags=['-X', 'X509_user_identity=%s' % file_identity],
|
|
|
10fa70 |
+ expected_code=1, expected_msg='Looping detected')
|
|
|
10fa70 |
+# Cause the test2 module to return KRB5_CERTAUTH_HWAUTH and try again.
|
|
|
10fa70 |
+realm.run([kadminl, 'setstr', realm.user_princ, 'hwauth', 'x'])
|
|
|
10fa70 |
+realm.kinit(realm.user_princ,
|
|
|
10fa70 |
+ flags=['-X', 'X509_user_identity=%s' % file_identity])
|
|
|
10fa70 |
+
|
|
|
10fa70 |
success("certauth tests")
|