Blob Blame History Raw
From 64f643a7f798c5528182dc068f15dca7b3f2d8a1 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 10 Mar 2020 13:13:17 +0100
Subject: [PATCH] Add client_aware_channel_bindings option

Add client support for KERB_AP_OPTIONS_CBT in the form of a profile
option "client_aware_gss_bindings".  Adjust the make_etype_list()
helper so that enctype negotiation and AP_OPTIONS can be included in
the same IF-RELEVANT wrapper.

[ghudson@mit.edu: refactored; edited documentation; wrote commit
message]

ticket: 8900
(cherry picked from commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81)
(cherry picked from commit 2a08fe3d2d1972df4ffe37d4bb64b161889ff988)
---
 doc/admin/conf_files/krb5_conf.rst |   6 +
 src/include/k5-int.h               |   1 +
 src/lib/krb5/krb/mk_req_ext.c      | 177 +++++++++++++++--------------
 3 files changed, 98 insertions(+), 86 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 3a8b9cf47..315253e37 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -389,6 +389,12 @@ The libdefaults section may contain any of the following relations:
     credentials will fail if the client machine does not have a
     keytab.  The default value is false.
 
+**client_aware_channel_bindings**
+    If this flag is true, then all application protocol authentication
+    requests will be flagged to indicate that the application supports
+    channel bindings when operating over a secure channel.  The
+    default value is false.
+
 .. _realms:
 
 [realms]
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 0d9af3d95..eb18a4cd6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -299,6 +299,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_V4_INSTANCE_CONVERT          "v4_instance_convert"
 #define KRB5_CONF_V4_REALM                     "v4_realm"
 #define KRB5_CONF_VERIFY_AP_REQ_NOFAIL         "verify_ap_req_nofail"
+#define KRB5_CONF_CLIENT_AWARE_GSS_BINDINGS    "client_aware_channel_bindings"
 
 /* Cache configuration variables */
 #define KRB5_CC_CONF_FAST_AVAIL                "fast_avail"
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 9fc6a0e52..08504860c 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -68,10 +68,9 @@
 */
 
 static krb5_error_code
-make_etype_list(krb5_context context,
-                krb5_enctype *desired_etypes,
-                krb5_enctype tkt_enctype,
-                krb5_authdata ***authdata);
+make_ap_authdata(krb5_context context, krb5_enctype *desired_enctypes,
+                 krb5_enctype tkt_enctype, krb5_boolean client_aware_cb,
+                 krb5_authdata ***authdata_out);
 
 static krb5_error_code
 generate_authenticator(krb5_context,
@@ -263,7 +262,8 @@ generate_authenticator(krb5_context context, krb5_authenticator *authent,
                        krb5_enctype tkt_enctype)
 {
     krb5_error_code retval;
-    krb5_authdata **ext_authdata = NULL;
+    krb5_authdata **ext_authdata = NULL, **ap_authdata, **combined;
+    int client_aware_cb;
 
     authent->client = client;
     authent->checksum = cksum;
@@ -297,99 +297,104 @@ generate_authenticator(krb5_context context, krb5_authenticator *authent,
         krb5_free_authdata(context, ext_authdata);
     }
 
-    /* Only send EtypeList if we prefer another enctype to tkt_enctype */
-    if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
-        TRACE_MK_REQ_ETYPES(context, desired_etypes);
-        retval = make_etype_list(context, desired_etypes, tkt_enctype,
-                                 &authent->authorization_data);
+    retval = profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
+                                 KRB5_CONF_CLIENT_AWARE_GSS_BINDINGS, NULL,
+                                 FALSE, &client_aware_cb);
+    if (retval)
+        return retval;
+
+    /* Add etype negotiation or channel-binding awareness authdata to the
+     * front, if appropriate. */
+    retval = make_ap_authdata(context, desired_etypes, tkt_enctype,
+                              client_aware_cb, &ap_authdata);
+    if (retval)
+        return retval;
+    if (ap_authdata != NULL) {
+        retval = krb5_merge_authdata(context, ap_authdata,
+                                     authent->authorization_data, &combined);
+        krb5_free_authdata(context, ap_authdata);
         if (retval)
             return retval;
+        krb5_free_authdata(context, authent->authorization_data);
+        authent->authorization_data = combined;
     }
 
     return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec));
 }
 
-/* RFC 4537 */
+/* Set *out to a DER-encoded RFC 4537 etype list, or to NULL if no etype list
+ * should be sent. */
 static krb5_error_code
-make_etype_list(krb5_context context,
-                krb5_enctype *desired_etypes,
-                krb5_enctype tkt_enctype,
-                krb5_authdata ***authdata)
+make_etype_list(krb5_context context, krb5_enctype *desired_enctypes,
+                krb5_enctype tkt_enctype, krb5_data **out)
 {
-    krb5_error_code code;
-    krb5_etype_list etypes;
-    krb5_data *enc_etype_list;
-    krb5_data *ad_if_relevant;
-    krb5_authdata *etype_adata[2], etype_adatum, **adata;
-    int i;
+    krb5_etype_list etlist;
+    int count;
 
-    etypes.etypes = desired_etypes;
+    *out = NULL;
 
-    for (etypes.length = 0;
-         etypes.etypes[etypes.length] != ENCTYPE_NULL;
-         etypes.length++)
-    {
-        /*
-         * RFC 4537:
-         *
-         *   If the enctype of the ticket session key is included in the enctype
-         *   list sent by the client, it SHOULD be the last on the list;
-         */
-        if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype)
+    /* Only send a list if we prefer another enctype to tkt_enctype. */
+    if (desired_enctypes == NULL || desired_enctypes[0] == tkt_enctype)
+        return 0;
+
+    /* Count elements of desired_etypes, stopping at tkt_enctypes if present.
+     * (Per RFC 4537, it must be the last option if it is included.) */
+    for (count = 0; desired_enctypes[count] != ENCTYPE_NULL; count++) {
+        if (count > 0 && desired_enctypes[count - 1] == tkt_enctype)
             break;
     }
 
-    code = encode_krb5_etype_list(&etypes, &enc_etype_list);
-    if (code) {
-        return code;
-    }
-
-    etype_adatum.magic = KV5M_AUTHDATA;
-    etype_adatum.ad_type = KRB5_AUTHDATA_ETYPE_NEGOTIATION;
-    etype_adatum.length = enc_etype_list->length;
-    etype_adatum.contents = (krb5_octet *)enc_etype_list->data;
-
-    etype_adata[0] = &etype_adatum;
-    etype_adata[1] = NULL;
-
-    /* Wrap in AD-IF-RELEVANT container */
-    code = encode_krb5_authdata(etype_adata, &ad_if_relevant);
-    if (code) {
-        krb5_free_data(context, enc_etype_list);
-        return code;
-    }
-
-    krb5_free_data(context, enc_etype_list);
-
-    adata = *authdata;
-    if (adata == NULL) {
-        adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
-        i = 0;
-    } else {
-        for (i = 0; adata[i] != NULL; i++)
-            ;
-
-        adata = (krb5_authdata **)realloc(*authdata,
-                                          (i + 2) * sizeof(krb5_authdata *));
-    }
-    if (adata == NULL) {
-        krb5_free_data(context, ad_if_relevant);
-        return ENOMEM;
-    }
-    *authdata = adata;
-
-    adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata));
-    if (adata[i] == NULL) {
-        krb5_free_data(context, ad_if_relevant);
-        return ENOMEM;
-    }
-    adata[i]->magic = KV5M_AUTHDATA;
-    adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
-    adata[i]->length = ad_if_relevant->length;
-    adata[i]->contents = (krb5_octet *)ad_if_relevant->data;
-    free(ad_if_relevant); /* contents owned by adata[i] */
-
-    adata[i + 1] = NULL;
-
-    return 0;
+    etlist.etypes = desired_enctypes;
+    etlist.length = count;
+    return encode_krb5_etype_list(&etlist, out);
+}
+
+/* Set *authdata_out to appropriate authenticator authdata for the request,
+ * encoded in a single AD_IF_RELEVANT element. */
+static krb5_error_code
+make_ap_authdata(krb5_context context, krb5_enctype *desired_enctypes,
+                 krb5_enctype tkt_enctype, krb5_boolean client_aware_cb,
+                 krb5_authdata ***authdata_out)
+{
+    krb5_error_code ret;
+    krb5_authdata etypes_ad, flags_ad, *list[3];
+    krb5_data *der_etypes = NULL;
+    size_t count = 0;
+    uint8_t flagbuf[4];
+    const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
+
+    *authdata_out = NULL;
+
+    /* Include an ETYPE_NEGOTIATION element if appropriate. */
+    ret = make_etype_list(context, desired_enctypes, tkt_enctype, &der_etypes);
+    if (ret)
+        goto cleanup;
+    if (der_etypes != NULL) {
+        etypes_ad.magic = KV5M_AUTHDATA;
+        etypes_ad.ad_type = KRB5_AUTHDATA_ETYPE_NEGOTIATION;
+        etypes_ad.length = der_etypes->length;
+        etypes_ad.contents = (uint8_t *)der_etypes->data;
+        list[count++] = &etypes_ad;
+    }
+
+    /* Include an AP_OPTIONS element if the CBT flag is configured. */
+    if (client_aware_cb != 0) {
+        store_32_le(KERB_AP_OPTIONS_CBT, flagbuf);
+        flags_ad.magic = KV5M_AUTHDATA;
+        flags_ad.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
+        flags_ad.length = 4;
+        flags_ad.contents = flagbuf;
+        list[count++] = &flags_ad;
+    }
+
+    if (count > 0) {
+        list[count] = NULL;
+        ret = krb5_encode_authdata_container(context,
+                                             KRB5_AUTHDATA_IF_RELEVANT,
+                                             list, authdata_out);
+    }
+
+cleanup:
+    krb5_free_data(context, der_etypes);
+    return ret;
 }