xref: /freebsd/crypto/krb5/src/kdc/policy.c (revision ee3960cba1068e12fb032a68c46d74841d9edab3) 
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kdc/policy.c - Policy decision routines for KDC */
3 /*
4  * Copyright (C) 2017 by Red Hat, Inc.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * * Redistributions of source code must retain the above copyright
12  *   notice, this list of conditions and the following disclaimer.
13  *
14  * * Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in
16  *   the documentation and/or other materials provided with the
17  *   distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30  * OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "k5-int.h"
34 #include "kdc_util.h"
35 #include "extern.h"
36 #include "policy.h"
37 #include "adm_proto.h"
38 #include <krb5/kdcpolicy_plugin.h>
39 #include <syslog.h>
40 
41 typedef struct kdcpolicy_handle_st {
42     struct krb5_kdcpolicy_vtable_st vt;
43     krb5_kdcpolicy_moddata moddata;
44 } *kdcpolicy_handle;
45 
46 static kdcpolicy_handle *handles;
47 
48 static void
49 free_indicators(char **ais)
50 {
51     size_t i;
52 
53     if (ais == NULL)
54         return;
55     for (i = 0; ais[i] != NULL; i++)
56         free(ais[i]);
57     free(ais);
58 }
59 
60 /* Convert inds to a null-terminated list of C strings. */
61 static krb5_error_code
62 authind_strings(krb5_data *const *inds, char ***strs_out)
63 {
64     krb5_error_code ret;
65     char **list = NULL;
66     size_t i, count;
67 
68     *strs_out = NULL;
69 
70     for (count = 0; inds != NULL && inds[count] != NULL; count++);
71     list = k5calloc(count + 1, sizeof(*list), &ret);
72     if (list == NULL)
73         goto error;
74 
75     for (i = 0; i < count; i++) {
76         list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret);
77         if (list[i] == NULL)
78             goto error;
79     }
80 
81     *strs_out = list;
82     return 0;
83 
84 error:
85     free_indicators(list);
86     return ret;
87 }
88 
89 /* Constrain times->endtime to life and times->renew_till to rlife, relative to
90  * now. */
91 static void
92 update_ticket_times(krb5_ticket_times *times, krb5_timestamp now,
93                     krb5_deltat life, krb5_deltat rlife)
94 {
95     if (life)
96         times->endtime = ts_min(ts_incr(now, life), times->endtime);
97     if (rlife)
98         times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till);
99 }
100 
101 /* Check an AS request against kdcpolicy modules, updating times with any
102  * module endtime constraints.  Set an appropriate status string on error. */
103 krb5_error_code
104 check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
105                    const krb5_db_entry *client, const krb5_db_entry *server,
106                    krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
107                    krb5_ticket_times *times, const char **status)
108 {
109     krb5_deltat life = 0, rlife = 0;
110     krb5_error_code ret;
111     kdcpolicy_handle *hp, h;
112     char **ais = NULL;
113 
114     *status = NULL;
115 
116     ret = authind_strings(auth_indicators, &ais);
117     if (ret)
118         goto done;
119 
120     for (hp = handles; *hp != NULL; hp++) {
121         h = *hp;
122         if (h->vt.check_as == NULL)
123             continue;
124 
125         ret = h->vt.check_as(context, h->moddata, request, client, server,
126                              (const char **)ais, status, &life, &rlife);
127         if (ret)
128             goto done;
129 
130         update_ticket_times(times, kdc_time, life, rlife);
131     }
132 
133 done:
134     free_indicators(ais);
135     return ret;
136 }
137 
138 /*
139  * Check the TGS request against the local TGS policy.  Accepts an
140  * authentication indicator for the module policy decisions.  Returns 0 and a
141  * NULL status string on success.
142  */
143 krb5_error_code
144 check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
145                     const krb5_db_entry *server, const krb5_ticket *ticket,
146                     krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
147                     krb5_ticket_times *times, const char **status)
148 {
149     krb5_deltat life = 0, rlife = 0;
150     krb5_error_code ret;
151     kdcpolicy_handle *hp, h;
152     char **ais = NULL;
153 
154     *status = NULL;
155 
156     ret = authind_strings(auth_indicators, &ais);
157     if (ret)
158         goto done;
159 
160     for (hp = handles; *hp != NULL; hp++) {
161         h = *hp;
162         if (h->vt.check_tgs == NULL)
163             continue;
164 
165         ret = h->vt.check_tgs(context, h->moddata, request, server, ticket,
166                               (const char **)ais, status, &life, &rlife);
167         if (ret)
168             goto done;
169 
170         update_ticket_times(times, kdc_time, life, rlife);
171     }
172 
173 done:
174     free_indicators(ais);
175     return ret;
176 }
177 
178 void
179 unload_kdcpolicy_plugins(krb5_context context)
180 {
181     kdcpolicy_handle *hp, h;
182 
183     for (hp = handles; *hp != NULL; hp++) {
184         h = *hp;
185         if (h->vt.fini != NULL)
186             h->vt.fini(context, h->moddata);
187         free(h);
188     }
189     free(handles);
190     handles = NULL;
191 }
192 
193 krb5_error_code
194 load_kdcpolicy_plugins(krb5_context context)
195 {
196     krb5_error_code ret;
197     krb5_plugin_initvt_fn *modules = NULL, *mod;
198     kdcpolicy_handle h;
199     size_t count;
200 
201     ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules);
202     if (ret)
203         goto cleanup;
204 
205     for (count = 0; modules[count] != NULL; count++);
206     handles = k5calloc(count + 1, sizeof(*handles), &ret);
207     if (handles == NULL)
208         goto cleanup;
209 
210     count = 0;
211     for (mod = modules; *mod != NULL; mod++) {
212         h = k5calloc(1, sizeof(*h), &ret);
213         if (h == NULL)
214             goto cleanup;
215 
216         ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
217         if (ret) {              /* Version mismatch. */
218             TRACE_KDCPOLICY_VTINIT_FAIL(context, ret);
219             free(h);
220             continue;
221         }
222         if (h->vt.init != NULL) {
223             ret = h->vt.init(context, &h->moddata);
224             if (ret == KRB5_PLUGIN_NO_HANDLE) {
225                 TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
226                 free(h);
227                 continue;
228             }
229             if (ret) {
230                 kdc_err(context, ret, _("while loading policy module %s"),
231                         h->vt.name);
232                 free(h);
233                 goto cleanup;
234             }
235         }
236         handles[count++] = h;
237     }
238 
239     ret = 0;
240 
241 cleanup:
242     if (ret)
243         unload_kdcpolicy_plugins(context);
244     k5_plugin_free_modules(context, modules);
245     return ret;
246 }
247