From 00a2ccfeaeac7a0019a73a97cfe33063ba90c7f3 Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Fri, 26 Mar 2021 23:38:54 -0400

Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client

In kcm_retrieve(), try KCM_OP_RETRIEVE.  Fall back to iteration if the

server doesn't implement it, or if we can an answer incompatible with

KRB5_TC_SUPPORTED_KTYPES.

In kcmserver.py, implement partial decoding for creds and cred tags so

that we can do a basic principal name match.

ticket: 8997 (new)

(cherry picked from commit 795ebba8c039be172ab93cd41105c73ffdba0fdb)

(cherry picked from commit c56d4b87de0f30a38dc61d374ad225d02d581eb3)

(cherry picked from commit ac0a117096324fa73afae291ed467f2ea66e279b)

---

 src/include/kcm.h            |  2 +-

 src/lib/krb5/ccache/cc_kcm.c | 52 +++++++++++++++++++++++++++++++++---

 src/tests/kcmserver.py       | 44 +++++++++++++++++++++++++++---

 src/tests/t_ccache.py        | 11 +++++---

 4 files changed, 99 insertions(+), 10 deletions(-)

diff --git a/src/include/kcm.h b/src/include/kcm.h

index 9b66f1cbd..85c20d345 100644

--- a/src/include/kcm.h

+++ b/src/include/kcm.h

@@ -87,7 +87,7 @@ typedef enum kcm_opcode {

     KCM_OP_INITIALIZE,          /*          (name, princ) -> ()          */

     KCM_OP_DESTROY,             /*                 (name) -> ()          */

     KCM_OP_STORE,               /*           (name, cred) -> ()          */

-    KCM_OP_RETRIEVE,

+    KCM_OP_RETRIEVE,            /* (name, flags, credtag) -> (cred)      */

     KCM_OP_GET_PRINCIPAL,       /*                 (name) -> (princ)     */

     KCM_OP_GET_CRED_UUID_LIST,  /*                 (name) -> (uuid, ...) */

     KCM_OP_GET_CRED_BY_UUID,    /*           (name, uuid) -> (cred)      */

diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c

index dae622feb..b600c6f15 100644

--- a/src/lib/krb5/ccache/cc_kcm.c

+++ b/src/lib/krb5/ccache/cc_kcm.c

@@ -826,9 +826,55 @@ static krb5_error_code KRB5_CALLCONV

 kcm_retrieve(krb5_context context, krb5_ccache cache, krb5_flags flags,

              krb5_creds *mcred, krb5_creds *cred_out)

 {

-    /* There is a KCM opcode for retrieving creds, but Heimdal's client doesn't

-     * use it.  It causes the KCM daemon to actually make a TGS request. */

-    return k5_cc_retrieve_cred_default(context, cache, flags, mcred, cred_out);

+    krb5_error_code ret;

+    struct kcmreq req = EMPTY_KCMREQ;

+    krb5_creds cred;

+    krb5_enctype *enctypes = NULL;

+

+    memset(&cred, 0, sizeof(cred));

+

+    /* Include KCM_GC_CACHED in flags to prevent Heimdal's sssd from making a

+     * TGS request itself. */

+    kcmreq_init(&req, KCM_OP_RETRIEVE, cache);

+    k5_buf_add_uint32_be(&req.reqbuf, map_tcflags(flags) | KCM_GC_CACHED);

+    k5_marshal_mcred(&req.reqbuf, mcred);

+    ret = cache_call(context, cache, &req;;

+

+    /* Fall back to iteration if the server does not support retrieval. */

+    if (ret == KRB5_FCC_INTERNAL || ret == KRB5_CC_IO) {

+        ret = k5_cc_retrieve_cred_default(context, cache, flags, mcred,

+                                          cred_out);

+        goto cleanup;

+    }

+    if (ret)

+        goto cleanup;

+

+    ret = k5_unmarshal_cred(req.reply.ptr, req.reply.len, 4, &cred);

+    if (ret)

+        goto cleanup;

+

+    /* In rare cases we might retrieve a credential with a session key this

+     * context can't support, in which case we must retry using iteration. */

+    if (flags & KRB5_TC_SUPPORTED_KTYPES) {

+        ret = krb5_get_tgs_ktypes(context, cred.server, &enctypes);

+        if (ret)

+            goto cleanup;

+        if (!k5_etypes_contains(enctypes, cred.keyblock.enctype)) {

+            ret = k5_cc_retrieve_cred_default(context, cache, flags, mcred,

+                                              cred_out);

+            goto cleanup;

+        }

+    }

+

+    *cred_out = cred;

+    memset(&cred, 0, sizeof(cred));

+

+cleanup:

+    kcmreq_free(&req;;

+    krb5_free_cred_contents(context, &cred);

+    free(enctypes);

+    /* Heimdal's KCM returns KRB5_CC_END if no cred is found. */

+    return (ret == KRB5_CC_END) ? KRB5_CC_NOTFOUND : map_invalid(ret);

 }

 static krb5_error_code KRB5_CALLCONV

diff --git a/src/tests/kcmserver.py b/src/tests/kcmserver.py

index 8c5e66ff1..25e6f2bbe 100644

--- a/src/tests/kcmserver.py

+++ b/src/tests/kcmserver.py

@@ -40,6 +40,7 @@ class KCMOpcodes(object):

     INITIALIZE = 4

     DESTROY = 5

     STORE = 6

+    RETRIEVE = 7

     GET_PRINCIPAL = 8

     GET_CRED_UUID_LIST = 9

     GET_CRED_BY_UUID = 10

@@ -54,6 +55,7 @@ class KCMOpcodes(object):

 class KRB5Errors(object):

+    KRB5_CC_NOTFOUND = -1765328243

     KRB5_CC_END = -1765328242

     KRB5_CC_NOSUPP = -1765328137

     KRB5_FCC_NOFILE = -1765328189

@@ -86,11 +88,29 @@ def get_cache(name):

     return cache

+def unpack_data(argbytes):

+    dlen, = struct.unpack('>L', argbytes[:4])

+    return argbytes[4:dlen+4], argbytes[dlen+4:]

+

+

 def unmarshal_name(argbytes):

     offset = argbytes.find(b'\0')

     return argbytes[0:offset], argbytes[offset+1:]

+def unmarshal_princ(argbytes):

+    # Ignore the type at argbytes[0:4].

+    ncomps, = struct.unpack('>L', argbytes[4:8])

+    realm, rest = unpack_data(argbytes[8:])

+    comps = []

+    for i in range(ncomps):

+        comp, rest = unpack_data(rest)

+        comps.append(comp)

+    # Asssume no quoting is needed.

+    princ = b'/'.join(comps) + b'@' + realm

+    return princ, rest

+

+

 def op_gen_new(argbytes):

     # Does not actually check for uniqueness.

     global next_unique

@@ -126,6 +146,22 @@ def op_store(argbytes):

     return 0, b''

+def op_retrieve(argbytes):

+    name, rest = unmarshal_name(argbytes)

+    # Ignore the flags at rest[0:4] and the header at rest[4:8].

+    # Assume there are client and server creds in the tag and match

+    # only against them.

+    cprinc, rest = unmarshal_princ(rest[8:])

+    sprinc, rest = unmarshal_princ(rest)

+    cache = get_cache(name)

+    for cred in (cache.creds[u] for u in cache.cred_uuids):

+        cred_cprinc, rest = unmarshal_princ(cred)

+        cred_sprinc, rest = unmarshal_princ(rest)

+        if cred_cprinc == cprinc and cred_sprinc == sprinc:

+            return 0, cred

+    return KRB5Errors.KRB5_CC_NOTFOUND, b''

+

+

 def op_get_principal(argbytes):

     name, rest = unmarshal_name(argbytes)

     cache = get_cache(name)

@@ -199,6 +235,7 @@ ophandlers = {

     KCMOpcodes.INITIALIZE : op_initialize,

     KCMOpcodes.DESTROY : op_destroy,

     KCMOpcodes.STORE : op_store,

+    KCMOpcodes.RETRIEVE : op_retrieve,

     KCMOpcodes.GET_PRINCIPAL : op_get_principal,

     KCMOpcodes.GET_CRED_UUID_LIST : op_get_cred_uuid_list,

     KCMOpcodes.GET_CRED_BY_UUID : op_get_cred_by_uuid,

@@ -243,10 +280,11 @@ def service_request(s):

     return True

 parser = optparse.OptionParser()

-parser.add_option('-c', '--credlist', action='store_true', dest='credlist',

-                  default=False, help='Support KCM_OP_GET_CRED_LIST')

+parser.add_option('-f', '--fallback', action='store_true', dest='fallback',

+                  default=False, help='Do not support RETRIEVE/GET_CRED_LIST')

 (options, args) = parser.parse_args()

-if not options.credlist:

+if options.fallback:

+    del ophandlers[KCMOpcodes.RETRIEVE]

     del ophandlers[KCMOpcodes.GET_CRED_LIST]

 server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)

diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py

index 90040fb7b..6ea9fb969 100755

--- a/src/tests/t_ccache.py

+++ b/src/tests/t_ccache.py

@@ -25,7 +25,7 @@ from k5test import *

 kcm_socket_path = os.path.join(os.getcwd(), 'testdir', 'kcm')

 conf = {'libdefaults': {'kcm_socket': kcm_socket_path,

                         'kcm_mach_service': '-'}}

-realm = K5Realm(create_host=False, krb5_conf=conf)

+realm = K5Realm(krb5_conf=conf)

 keyctl = which('keyctl')

 out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)

@@ -71,6 +71,11 @@ def collection_test(realm, ccname):

     realm.kinit('alice', password('alice'))

     realm.run([klist], expected_msg='Default principal: alice@')

     realm.run([klist, '-A', '-s'])

+    realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')

+    realm.run([kvno, realm.host_princ], expected_msg = 'kvno = 1')

+    out = realm.run([klist])

+    if out.count(realm.host_princ) != 1:

+        fail('Wrong number of service tickets in cache')

     realm.run([kdestroy])

     output = realm.run([klist], expected_code=1)

     if 'No credentials cache' not in output and 'not found' not in output:

@@ -126,14 +131,14 @@ def collection_test(realm, ccname):

 collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc'))

-# Test KCM without and with GET_CRED_LIST support.

+# Test KCM with and without RETRIEVE and GET_CRED_LIST support.

 kcmserver_path = os.path.join(srctop, 'tests', 'kcmserver.py')

 kcmd = realm.start_server([sys.executable, kcmserver_path, kcm_socket_path],

                           'starting...')

 collection_test(realm, 'KCM:')

 stop_daemon(kcmd)

 os.remove(kcm_socket_path)

-realm.start_server([sys.executable, kcmserver_path, '-c', kcm_socket_path],

+realm.start_server([sys.executable, kcmserver_path, '-f', kcm_socket_path],

                    'starting...')

 collection_test(realm, 'KCM:')