2 * COPYRIGHT (C) 2006,2007
3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
6 * Permission is granted to use, copy, create derivative works
7 * and redistribute this software and such derivative works
8 * for any purpose, so long as the name of The University of
9 * Michigan is not used in any advertising or publicity
10 * pertaining to the use of distribution of this software
11 * without specific, written prior authorization. If the
12 * above copyright notice or any other identification of the
13 * University of Michigan is included in any copy of any
14 * portion of this software, then the disclaimer below must
17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
34 #include <k5-platform.h>
35 #include <krb5/krb5.h>
36 #include <krb5/preauth_plugin.h>
37 #include <k5-int-pkinit.h>
39 #include "pkinit_accessor.h"
40 #include "pkinit_trace.h"
42 #ifndef WITHOUT_PKCS11
45 #define PKCS11_MODNAME "opensc-pkcs11.so"
46 #define PK_SIGLEN_GUESS 1000
47 #define PK_NOSLOT 999999
51 #define RSA_PROTOCOL 2
53 #define TD_TRUSTED_CERTIFIERS 104
54 #define TD_INVALID_CERTIFICATES 105
55 #define TD_DH_PARAMETERS 109
57 #define PKINIT_CTX_MAGIC 0x05551212
58 #define PKINIT_REQ_CTX_MAGIC 0xdeadbeef
59 #define PKINIT_DEFERRED_ID_MAGIC 0x3ca20d21
61 #define PKINIT_DEFAULT_DH_MIN_BITS 2048
62 #define PKINIT_DH_MIN_CONFIG_BITS 1024
64 #define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
65 #define KRB5_CONF_LIBDEFAULTS "libdefaults"
66 #define KRB5_CONF_REALMS "realms"
67 #define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
68 #define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"
69 #define KRB5_CONF_PKINIT_INDICATOR "pkinit_indicator"
70 #define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match"
71 #define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
72 #define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
73 #define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
74 #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
75 #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
76 /* pkinit_kdc_ocsp has been removed */
77 #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
78 #define KRB5_CONF_PKINIT_POOL "pkinit_pool"
79 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
80 #define KRB5_CONF_PKINIT_REQUIRE_FRESHNESS "pkinit_require_freshness"
81 #define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
83 /* Make pkiDebug(fmt,...) print, or not. */
85 #define pkiDebug printf
87 /* Still evaluates for side effects. */
88 static inline void pkiDebug (const char *fmt, ...) { }
89 /* This is better if the compiler doesn't inline variadic functions
90 well, but gcc will warn about "left-hand operand of comma
91 expression has no effect". Still evaluates for side effects. */
92 /* #define pkiDebug (void) */
95 /* Solaris compiler doesn't grok __FUNCTION__
96 * hack for now. Fix all the uses eventually. */
97 #define __FUNCTION__ __func__
99 /* Macros to deal with converting between various data types... */
100 #define PADATA_TO_KRB5DATA(pad, k5d) \
101 (k5d)->length = (pad)->length; (k5d)->data = (char *)(pad)->contents;
102 #define OCTETDATA_TO_KRB5DATA(octd, k5d) \
103 (k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data;
105 extern const krb5_data dh_oid;
108 * notes about crypto contexts:
110 * the basic idea is that there are crypto contexts that live at
111 * both the plugin level and request level. the identity context (that
112 * keeps info about your own certs and such) is separate because
113 * it is needed at different levels for the kdc and and the client.
114 * (the kdc's identity is at the plugin level, the client's identity
115 * information could change per-request.)
116 * the identity context is meant to have the entity's cert,
117 * a list of trusted and intermediate cas, a list of crls, and any
118 * pkcs11 information. the req context is meant to have the
119 * received certificate and the DH related information. the plugin
120 * context is meant to have global crypto information, i.e., OIDs
121 * and constant DH parameter information.
125 * plugin crypto context should keep plugin common information,
126 * eg., OIDs, known DHparams
128 typedef struct _pkinit_plg_crypto_context *pkinit_plg_crypto_context;
131 * request crypto context should keep reqyest common information,
132 * eg., received credentials, DH parameters of this request
134 typedef struct _pkinit_req_crypto_context *pkinit_req_crypto_context;
137 * identity context should keep information about credentials
138 * for the request, eg., my credentials, trusted ca certs,
139 * intermediate ca certs, crls, pkcs11 info
141 typedef struct _pkinit_identity_crypto_context *pkinit_identity_crypto_context;
144 * this structure keeps information about the config options
146 typedef struct _pkinit_plg_opts {
147 int require_eku; /* require EKU checking (default is true) */
148 int accept_secondary_eku;/* accept secondary EKU (default is false) */
149 int allow_upn; /* allow UPN-SAN instead of pkinit-SAN */
150 int dh_or_rsa; /* selects DH or RSA based pkinit */
151 int require_crl_checking; /* require CRL for a CA (default is false) */
152 int require_freshness; /* require freshness token (default is false) */
153 int disable_freshness; /* disable freshness token on client for testing */
154 int dh_min_bits; /* minimum DH modulus size allowed */
158 * this structure keeps options used for a given request
160 typedef struct _pkinit_req_opts {
162 int accept_secondary_eku;
165 int require_crl_checking;
166 int dh_size; /* initial request DH modulus size (default=1024) */
167 int require_hostname_match;
168 int disable_freshness;
172 * information about identity from config file or command line
175 typedef struct _pkinit_identity_opts {
179 char **intermediates;
184 #ifndef WITHOUT_PKCS11
185 char *p11_module_name;
188 char *cert_id_string;
191 } pkinit_identity_opts;
195 * Client's plugin context
197 struct _pkinit_context {
199 pkinit_plg_crypto_context cryptoctx;
200 pkinit_plg_opts *opts;
201 pkinit_identity_opts *idopts;
203 typedef struct _pkinit_context *pkinit_context;
206 * Client's per-request context
208 struct _pkinit_req_context {
210 pkinit_req_crypto_context cryptoctx;
211 pkinit_req_opts *opts;
212 pkinit_identity_crypto_context idctx;
213 pkinit_identity_opts *idopts;
214 int do_identity_matching;
215 krb5_preauthtype pa_type;
218 int identity_initialized;
219 int identity_prompted;
220 krb5_error_code identity_prompt_retval;
221 krb5_data *freshness_token;
223 typedef struct _pkinit_req_context *pkinit_req_context;
226 * KDC's (per-realm) plugin context
228 struct _pkinit_kdc_context {
230 pkinit_plg_crypto_context cryptoctx;
231 pkinit_plg_opts *opts;
232 pkinit_identity_crypto_context idctx;
233 pkinit_identity_opts *idopts;
235 unsigned int realmname_len;
236 char **auth_indicators;
238 typedef struct _pkinit_kdc_context *pkinit_kdc_context;
241 * KDC's per-request context
243 struct _pkinit_kdc_req_context {
245 pkinit_req_crypto_context cryptoctx;
246 krb5_auth_pack *rcv_auth_pack;
247 krb5_auth_pack_draft9 *rcv_auth_pack9;
248 krb5_preauthtype pa_type;
250 typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context;
253 * Functions in pkinit_lib.c
256 krb5_error_code pkinit_init_req_opts(pkinit_req_opts **);
257 void pkinit_fini_req_opts(pkinit_req_opts *);
259 krb5_error_code pkinit_init_plg_opts(pkinit_plg_opts **);
260 void pkinit_fini_plg_opts(pkinit_plg_opts *);
262 krb5_error_code pkinit_init_identity_opts(pkinit_identity_opts **idopts);
263 void pkinit_fini_identity_opts(pkinit_identity_opts *idopts);
264 krb5_error_code pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
265 pkinit_identity_opts **dest_opts);
268 * Functions in pkinit_identity.c
270 char * idtype2string(int idtype);
271 char * catype2string(int catype);
273 krb5_error_code pkinit_identity_initialize
274 (krb5_context context, /* IN */
275 pkinit_plg_crypto_context plg_cryptoctx, /* IN */
276 pkinit_req_crypto_context req_cryptoctx, /* IN */
277 pkinit_identity_opts *idopts, /* IN */
278 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
279 krb5_clpreauth_callbacks cb, /* IN/OUT */
280 krb5_clpreauth_rock rock, /* IN/OUT */
281 krb5_principal princ); /* IN (optional) */
283 krb5_error_code pkinit_identity_prompt
284 (krb5_context context, /* IN */
285 pkinit_plg_crypto_context plg_cryptoctx, /* IN */
286 pkinit_req_crypto_context req_cryptoctx, /* IN */
287 pkinit_identity_opts *idopts, /* IN */
288 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
289 krb5_clpreauth_callbacks cb, /* IN/OUT */
290 krb5_clpreauth_rock rock, /* IN/OUT */
291 int do_matching, /* IN */
292 krb5_principal princ); /* IN (optional) */
294 krb5_error_code pkinit_cert_matching
295 (krb5_context context,
296 pkinit_plg_crypto_context plg_cryptoctx,
297 pkinit_req_crypto_context req_cryptoctx,
298 pkinit_identity_crypto_context id_cryptoctx,
299 krb5_principal princ);
301 krb5_error_code pkinit_client_cert_match
302 (krb5_context context,
303 pkinit_plg_crypto_context plgctx,
304 pkinit_req_crypto_context reqctx,
305 const char *match_rule,
306 krb5_boolean *matched);
309 * Client's list of identities for which it needs PINs or passwords
311 struct _pkinit_deferred_id {
314 unsigned long ck_flags;
317 typedef struct _pkinit_deferred_id *pkinit_deferred_id;
319 krb5_error_code pkinit_set_deferred_id
320 (pkinit_deferred_id **identities, const char *identity,
321 unsigned long ck_flags, const char *password);
322 const char * pkinit_find_deferred_id
323 (pkinit_deferred_id *identities, const char *identity);
324 unsigned long pkinit_get_deferred_id_flags
325 (pkinit_deferred_id *identities, const char *identity);
326 void pkinit_free_deferred_ids(pkinit_deferred_id *identities);
329 * initialization and free functions
331 void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
332 void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
333 void init_krb5_reply_key_pack(krb5_reply_key_pack **in);
334 void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
336 void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
337 void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
338 void init_krb5_subject_pk_info(krb5_subject_pk_info **in);
340 void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
341 void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
342 void free_krb5_reply_key_pack(krb5_reply_key_pack **in);
343 void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
344 void free_krb5_auth_pack(krb5_auth_pack **in);
345 void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in);
346 void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
347 void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
348 void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in);
349 void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
350 void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
351 void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
352 void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
353 krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src);
357 * Functions in pkinit_profile.c
359 krb5_error_code pkinit_kdcdefault_strings
360 (krb5_context context, const char *realmname, const char *option,
362 krb5_error_code pkinit_kdcdefault_string
363 (krb5_context context, const char *realmname, const char *option,
365 krb5_error_code pkinit_kdcdefault_boolean
366 (krb5_context context, const char *realmname, const char *option,
367 int default_value, int *ret_value);
368 krb5_error_code pkinit_kdcdefault_integer
369 (krb5_context context, const char *realmname, const char *option,
370 int default_value, int *ret_value);
373 krb5_error_code pkinit_libdefault_strings
374 (krb5_context context, const krb5_data *realm,
375 const char *option, char ***ret_value);
376 krb5_error_code pkinit_libdefault_string
377 (krb5_context context, const krb5_data *realm,
378 const char *option, char **ret_value);
379 krb5_error_code pkinit_libdefault_boolean
380 (krb5_context context, const krb5_data *realm, const char *option,
381 int default_value, int *ret_value);
382 krb5_error_code pkinit_libdefault_integer
383 (krb5_context context, const krb5_data *realm, const char *option,
384 int default_value, int *ret_value);
387 * debugging functions
389 void print_buffer(const unsigned char *, unsigned int);
390 void print_buffer_bin(unsigned char *, unsigned int, char *);
393 * Now get crypto function declarations
395 #include "pkinit_crypto.h"
397 #endif /* _PKINIT_H */