From 17ffdd0e93271072369e479f440ddf85e020580a Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 9 Oct 2009 18:29:34 +0000 Subject: Implement GSS naming extensions and authdata verification Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming extensions and verification of authorization data. ticket: 6572 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/authdata/greet_client/Makefile.in | 38 +++ src/plugins/authdata/greet_client/deps | 6 + src/plugins/authdata/greet_client/greet.c | 379 +++++++++++++++++++++ .../authdata/greet_client/greet_client.exports | 1 + src/plugins/authdata/greet_server/Makefile.in | 38 +++ src/plugins/authdata/greet_server/deps | 6 + src/plugins/authdata/greet_server/greet_auth.c | 191 +++++++++++ .../authdata/greet_server/greet_server.exports | 1 + 8 files changed, 660 insertions(+) create mode 100644 src/plugins/authdata/greet_client/Makefile.in create mode 100644 src/plugins/authdata/greet_client/deps create mode 100644 src/plugins/authdata/greet_client/greet.c create mode 100644 src/plugins/authdata/greet_client/greet_client.exports create mode 100644 src/plugins/authdata/greet_server/Makefile.in create mode 100644 src/plugins/authdata/greet_server/deps create mode 100644 src/plugins/authdata/greet_server/greet_auth.c create mode 100644 src/plugins/authdata/greet_server/greet_server.exports (limited to 'src/plugins/authdata') diff --git a/src/plugins/authdata/greet_client/Makefile.in b/src/plugins/authdata/greet_client/Makefile.in new file mode 100644 index 000000000..72d665ad2 --- /dev/null +++ b/src/plugins/authdata/greet_client/Makefile.in @@ -0,0 +1,38 @@ +thisconfigdir=../../.. +myfulldir=plugins/authdata/greet_client +mydir=plugins/authdata/greet_client +BUILDTOP=$(REL)..$(S)..$(S).. +KRB5_RUN_ENV = @KRB5_RUN_ENV@ +KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +MODULE_INSTALL_DIR = $(KRB5_AD_MODULE_DIR) +DEFS=@DEFS@ + +LOCALINCLUDES = -I../../../include/krb5 + +LIBBASE=greet_client +LIBMAJOR=0 +LIBMINOR=0 +SO_EXT=.so +SHLIB_EXPDEPS = $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) + +SHLIB_DIRS=-L$(TOPLIBD) +SHLIB_RDIRS=$(KRB5_LIBDIR) +STOBJLISTS=OBJS.ST +STLIBOBJS= greet.o + +SRCS= greet.c + +all-unix:: all-liblinks +install-unix:: install-libs +clean-unix:: clean-libs clean-libobjs + +clean:: + $(RM) lib$(LIBBASE)$(SO_EXT) + +@libnover_frag@ +@libobj_frag@ + diff --git a/src/plugins/authdata/greet_client/deps b/src/plugins/authdata/greet_client/deps new file mode 100644 index 000000000..b754fcff9 --- /dev/null +++ b/src/plugins/authdata/greet_client/deps @@ -0,0 +1,6 @@ +# +# Generated makefile dependencies follow. +# +greet_auth.so greet_auth.po $(OUTPRE)greet_auth.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/authdata_plugin.h \ + greet_auth.c diff --git a/src/plugins/authdata/greet_client/greet.c b/src/plugins/authdata/greet_client/greet.c new file mode 100644 index 000000000..cb0d6e519 --- /dev/null +++ b/src/plugins/authdata/greet_client/greet.c @@ -0,0 +1,379 @@ +/* + * plugins/authdata/greet_client/ + * + * Copyright 2009 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Sample authorization data plugin + */ + +#include +#include +#include "k5-int.h" +#include +#include + +struct greet_context { + krb5_data greeting; + krb5_boolean verified; +}; + +static krb5_data greet_attr = { + KV5M_DATA, sizeof("greet:greeting") - 1, "greet:greeting" }; + +static krb5_error_code +greet_init(krb5_context kcontext, void **plugin_context) +{ + *plugin_context = 0; + return 0; +} + +static void +greet_flags(krb5_context kcontext, + void *plugin_context, + krb5_authdatatype ad_type, + krb5_flags *flags) +{ + *flags = AD_USAGE_AP_REQ | AD_USAGE_KDC_ISSUED | AD_INFORMATIONAL; +} + +static void +greet_fini(krb5_context kcontext, void *plugin_context) +{ + return; +} + +static krb5_error_code +greet_request_init(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void **request_context) +{ + struct greet_context *greet; + + greet = malloc(sizeof(*greet)); + if (greet == NULL) + return ENOMEM; + + greet->greeting.data = NULL; + greet->greeting.length = 0; + greet->verified = FALSE; + + *request_context = greet; + + return 0; +} + +static krb5_error_code +greet_export_authdata(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_flags usage, + krb5_authdata ***out_authdata) +{ + struct greet_context *greet = (struct greet_context *)request_context; + krb5_authdata *data[2]; + krb5_authdata datum; + krb5_error_code code; + + datum.ad_type = -42; + datum.length = greet->greeting.length; + datum.contents = (krb5_octet *)greet->greeting.data; + + data[0] = &datum; + data[1] = NULL; + + code = krb5_copy_authdata(kcontext, data, out_authdata); + + return code; +} + +static krb5_error_code +greet_import_authdata(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_authdata **authdata, + krb5_boolean kdc_issued_flag, + krb5_const_principal issuer) +{ + krb5_error_code code; + struct greet_context *greet = (struct greet_context *)request_context; + krb5_data data; + + krb5_free_data_contents(kcontext, &greet->greeting); + greet->verified = FALSE; + + assert(authdata[0] != NULL); + + data.length = authdata[0]->length; + data.data = (char *)authdata[0]->contents; + + code = krb5int_copy_data_contents_add0(kcontext, &data, &greet->greeting); + if (code == 0) + greet->verified = kdc_issued_flag; + + return code; +} + +static void +greet_request_fini(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context) +{ + struct greet_context *greet = (struct greet_context *)request_context; + + if (greet != NULL) { + krb5_free_data_contents(kcontext, &greet->greeting); + free(greet); + } +} + +static krb5_error_code +greet_get_attribute_types(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_data **out_attrs) +{ + krb5_error_code code; + struct greet_context *greet = (struct greet_context *)request_context; + + if (greet->greeting.length == 0) + return ENOENT; + + *out_attrs = calloc(2, sizeof(krb5_data)); + if (*out_attrs == NULL) + return ENOMEM; + + code = krb5int_copy_data_contents_add0(kcontext, + &greet_attr, + &(*out_attrs)[0]); + if (code != 0) { + free(*out_attrs); + *out_attrs = NULL; + return code; + } + + return 0; +} + +static krb5_error_code +greet_get_attribute(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_data *attribute, + krb5_boolean *authenticated, + krb5_boolean *complete, + krb5_data *value, + krb5_data *display_value, + int *more) +{ + struct greet_context *greet = (struct greet_context *)request_context; + krb5_error_code code; + + if (!data_eq(*attribute, greet_attr) || greet->greeting.length == 0) + return ENOENT; + + *authenticated = greet->verified; + *complete = TRUE; + *more = 0; + + code = krb5int_copy_data_contents_add0(kcontext, &greet->greeting, value); + if (code == 0) { + code = krb5int_copy_data_contents_add0(kcontext, + &greet->greeting, + display_value); + if (code != 0) + krb5_free_data_contents(kcontext, value); + } + + return code; +} + +static krb5_error_code +greet_set_attribute(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_boolean complete, + const krb5_data *attribute, + const krb5_data *value) +{ + struct greet_context *greet = (struct greet_context *)request_context; + krb5_data data; + krb5_error_code code; + + if (greet->greeting.data != NULL) + return EEXIST; + + code = krb5int_copy_data_contents_add0(kcontext, value, &data); + if (code != 0) + return code; + + krb5_free_data_contents(kcontext, &greet->greeting); + greet->greeting = data; + greet->verified = FALSE; + + return 0; +} + +static krb5_error_code +greet_delete_attribute(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_data *attribute) +{ + struct greet_context *greet = (struct greet_context *)request_context; + + krb5_free_data_contents(kcontext, &greet->greeting); + greet->verified = FALSE; + + return 0; +} + +static krb5_error_code +greet_size(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + size_t *sizep) +{ + struct greet_context *greet = (struct greet_context *)request_context; + + *sizep += sizeof(krb5_int32) + + greet->greeting.length + + sizeof(krb5_int32); + + return 0; +} + +static krb5_error_code +greet_externalize(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_octet **buffer, + size_t *lenremain) +{ + size_t required = 0; + struct greet_context *greet = (struct greet_context *)request_context; + + greet_size(kcontext, context, plugin_context, + request_context, &required); + + if (*lenremain < required) + return ENOMEM; + + /* Greeting Length | Greeting Contents | Verified */ + krb5_ser_pack_int32(greet->greeting.length, buffer, lenremain); + krb5_ser_pack_bytes((krb5_octet *)greet->greeting.data, + (size_t)greet->greeting.length, + buffer, lenremain); + krb5_ser_pack_int32((krb5_int32)greet->verified, buffer, lenremain); + + return 0; +} + +static krb5_error_code +greet_internalize(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_octet **buffer, + size_t *lenremain) +{ + struct greet_context *greet = (struct greet_context *)request_context; + krb5_error_code code; + krb5_int32 length; + krb5_octet *contents = NULL; + krb5_int32 verified; + krb5_octet *bp; + size_t remain; + + bp = *buffer; + remain = *lenremain; + + /* Greeting Length */ + code = krb5_ser_unpack_int32(&length, &bp, &remain); + if (code != 0) + return code; + + /* Greeting Contents */ + if (length != 0) { + contents = malloc(length); + if (contents == NULL) + return ENOMEM; + + code = krb5_ser_unpack_bytes(contents, (size_t)length, &bp, &remain); + if (code != 0) { + free(contents); + return code; + } + } + + /* Verified */ + code = krb5_ser_unpack_int32(&verified, &bp, &remain); + if (code != 0) { + free(contents); + return code; + } + + krb5_free_data_contents(kcontext, &greet->greeting); + greet->greeting.length = length; + greet->greeting.data = (char *)contents; + greet->verified = (verified != 0); + + *buffer = bp; + *lenremain = remain; + + return 0; +} + +static krb5_authdatatype greet_ad_types[] = { -42, 0 }; + +krb5plugin_authdata_client_ftable_v0 authdata_client_0 = { + "greet", + greet_ad_types, + greet_init, + greet_fini, + greet_flags, + greet_request_init, + greet_request_fini, + greet_get_attribute_types, + greet_get_attribute, + greet_set_attribute, + greet_delete_attribute, + greet_export_authdata, + greet_import_authdata, + NULL, + NULL, + NULL, + greet_size, + greet_externalize, + greet_internalize, + NULL +}; diff --git a/src/plugins/authdata/greet_client/greet_client.exports b/src/plugins/authdata/greet_client/greet_client.exports new file mode 100644 index 000000000..8d5d5c47f --- /dev/null +++ b/src/plugins/authdata/greet_client/greet_client.exports @@ -0,0 +1 @@ +authdata_client_0 diff --git a/src/plugins/authdata/greet_server/Makefile.in b/src/plugins/authdata/greet_server/Makefile.in new file mode 100644 index 000000000..3924f1b98 --- /dev/null +++ b/src/plugins/authdata/greet_server/Makefile.in @@ -0,0 +1,38 @@ +thisconfigdir=../../.. +myfulldir=plugins/authdata/greet_server +mydir=plugins/authdata/greet_server +BUILDTOP=$(REL)..$(S)..$(S).. +KRB5_RUN_ENV = @KRB5_RUN_ENV@ +KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +MODULE_INSTALL_DIR = $(KRB5_AD_MODULE_DIR) +DEFS=@DEFS@ + +LOCALINCLUDES = -I../../../include/krb5 + +LIBBASE=greet_server +LIBMAJOR=1 +LIBMINOR=0 +SO_EXT=.so +SHLIB_EXPDEPS = $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) + +SHLIB_DIRS=-L$(TOPLIBD) +SHLIB_RDIRS=$(KRB5_LIBDIR) +STOBJLISTS=OBJS.ST +STLIBOBJS= greet_auth.o + +SRCS= greet_auth.c + +all-unix:: all-liblinks +install-unix:: install-libs +clean-unix:: clean-libs clean-libobjs + +clean:: + $(RM) lib$(LIBBASE)$(SO_EXT) + +@libnover_frag@ +@libobj_frag@ + diff --git a/src/plugins/authdata/greet_server/deps b/src/plugins/authdata/greet_server/deps new file mode 100644 index 000000000..b754fcff9 --- /dev/null +++ b/src/plugins/authdata/greet_server/deps @@ -0,0 +1,6 @@ +# +# Generated makefile dependencies follow. +# +greet_auth.so greet_auth.po $(OUTPRE)greet_auth.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/authdata_plugin.h \ + greet_auth.c diff --git a/src/plugins/authdata/greet_server/greet_auth.c b/src/plugins/authdata/greet_server/greet_auth.c new file mode 100644 index 000000000..cacbc659f --- /dev/null +++ b/src/plugins/authdata/greet_server/greet_auth.c @@ -0,0 +1,191 @@ +/* + * plugins/authdata/greet_server/ + * + * Copyright 2009 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Sample authorization data plugin + */ + +#include +#include +#include +#include +#include +#include + +static krb5_error_code +greet_init(krb5_context ctx, void **blob) +{ + return 0; +} + +static void +greet_fini(krb5_context ctx, void *blob) +{ +} + +static krb5_error_code greet_hello(krb5_context context, krb5_data **ret) +{ + krb5_data tmp; + + tmp.data = "Hello, KDC issued acceptor world!"; + tmp.length = strlen(tmp.data); + + return krb5_copy_data(context, &tmp, ret); +} + +static krb5_error_code +greet_kdc_verify(krb5_context context, + krb5_enc_tkt_part *enc_tkt_request, + krb5_data **greeting) +{ + krb5_error_code code; + krb5_authdata **tgt_authdata = NULL; + krb5_authdata **kdc_issued = NULL; + krb5_authdata **greet = NULL; + + code = krb5int_find_authdata(context, + enc_tkt_request->authorization_data, + NULL, + KRB5_AUTHDATA_KDC_ISSUED, + &tgt_authdata); + if (code != 0) + return 0; + + code = krb5_verify_authdata_kdc_issued(context, + enc_tkt_request->session, + tgt_authdata[0], + NULL, + &kdc_issued); + if (code != 0) { + krb5_free_authdata(context, tgt_authdata); + return code; + } + + code = krb5int_find_authdata(context, + kdc_issued, + NULL, + -42, + &greet); + if (code == 0) { + krb5_data tmp; + + tmp.data = (char *)greet[0]->contents; + tmp.length = greet[0]->length; + + code = krb5_copy_data(context, &tmp, greeting); + } else + code = 0; + + krb5_free_authdata(context, tgt_authdata); + krb5_free_authdata(context, kdc_issued); + krb5_free_authdata(context, greet); + + return code; +} + +static krb5_error_code +greet_kdc_sign(krb5_context context, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_const_principal tgs, + krb5_data *greeting) +{ + krb5_error_code code; + krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL; + krb5_authdata **if_relevant = NULL; + + ad_datum.ad_type = -42; + ad_datum.contents = (krb5_octet *)greeting->data; + ad_datum.length = greeting->length; + + ad_data[0] = &ad_datum; + ad_data[1] = NULL; + + code = krb5_make_authdata_kdc_issued(context, + enc_tkt_reply->session, + tgs, + ad_data, + &kdc_issued); + if (code != 0) + return code; + + code = krb5_encode_authdata_container(context, + KRB5_AUTHDATA_IF_RELEVANT, + kdc_issued, + &if_relevant); + if (code != 0) { + krb5_free_authdata(context, kdc_issued); + return code; + } + + /* this isn't very friendly to other plugins... */ + krb5_free_authdata(context, enc_tkt_reply->authorization_data); + enc_tkt_reply->authorization_data = if_relevant; + + krb5_free_authdata(context, kdc_issued); + + return 0; +} + +static krb5_error_code +greet_authdata(krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *tgs, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_const_principal for_user_princ, + krb5_enc_tkt_part *enc_tkt_request, + krb5_enc_tkt_part *enc_tkt_reply) +{ + krb5_error_code code; + krb5_data *greeting = NULL; + + if (request->msg_type == KRB5_TGS_REQ) { + code = greet_kdc_verify(context, enc_tkt_request, &greeting); + if (code != 0) + return code; + } + + if (greeting == NULL) { + code = greet_hello(context, &greeting); + if (code != 0) + return code; + } + + code = greet_kdc_sign(context, enc_tkt_reply, tgs->princ, greeting); + + krb5_free_data(context, greeting); + + return code; +} + +krb5plugin_authdata_server_ftable_v1 authdata_server_1 = { + "greet", + greet_init, + greet_fini, + greet_authdata, +}; diff --git a/src/plugins/authdata/greet_server/greet_server.exports b/src/plugins/authdata/greet_server/greet_server.exports new file mode 100644 index 000000000..74719bfa7 --- /dev/null +++ b/src/plugins/authdata/greet_server/greet_server.exports @@ -0,0 +1 @@ +authdata_server_1 -- cgit