sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
Code
samba-mirror/third_party/heimdal/kdc/bx509d.c
Stefan Metzmacher 75ec66c729 third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de) 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-10 09:51:38 +00:00

3176 lines
104 KiB
C
Raw Blame History

/*
* Copyright (c) 2019 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* This file implements a RESTful HTTPS API to an online CA, as well as an
* HTTP/Negotiate token issuer, as well as a way to get TGTs.
*
* Users are authenticated with Negotiate and/or Bearer.
*
* This is essentially a RESTful online CA sharing some code with the KDC's
* kx509 online CA, and also a proxy for PKINIT and GSS-API (Negotiate).
*
* See the manual page for HTTP API details.
*
* TBD:
* - rewrite to not use libmicrohttpd but an alternative more appropriate to
* Heimdal's license (though libmicrohttpd will do)
* - there should be an end-point for fetching an issuer's chain
*
* NOTES:
* - We use krb5_error_code values as much as possible. Where we need to use
* MHD_NO because we got that from an mhd function and cannot respond with
* an HTTP response, we use (krb5_error_code)-1, and later map that to
* MHD_NO.
*
* (MHD_NO is an ENOMEM-cannot-even-make-a-static-503-response level event.)
*/
/*
* Theory of operation:
*
* - We use libmicrohttpd (MHD) for the HTTP(S) implementation.
*
* - MHD has an online request processing model:
*
* - all requests are handled via the `dh' and `dh_cls' closure arguments
* of `MHD_start_daemon()'; ours is called `route()'
*
* - `dh' is called N+1 times:
* - once to allocate a request context
* - once for every N chunks of request body
* - once to process the request and produce a response
*
* - the response cannot begin to be produced before consuming the whole
* request body (for requests that have a body)
* (this seems like a bug in MHD)
*
* - the response body can be produced over multiple calls (i.e., in an
* online manner)
*
* - Our `route()' processes any POST request body form data / multipart by
* treating all the key/value pairs as if they had been additional URI query
* parameters.
*
* - Then `route()' calls a handler appropriate to the URI local-part with the
* request context, and the handler produces a response in one call.
*
* I.e., we turn the online MHD request processing into not-online. Our
* handlers are presented with complete requests and must produce complete
* responses in one call.
*
* - `route()' also does any authentication and CSRF protection so that the
* request handlers don't have to.
*
* This non-online request handling approach works for most everything we want
* to do. However, for /get-tgts with very large numbers of principals, we
* might have to revisit this, using MHD_create_response_from_callback() or
* MHD_create_response_from_pipe() (and a thread to do the actual work of
* producing the body) instead of MHD_create_response_from_buffer().
*/
#define _XOPEN_SOURCE_EXTENDED 1
#define _DEFAULT_SOURCE 1
#define _BSD_SOURCE 1
#define _GNU_SOURCE 1
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <ctype.h>
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <microhttpd.h>
#include "kdc_locl.h"
#include "token_validator_plugin.h"
#include <getarg.h>
#include <roken.h>
#include <krb5.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <hx509.h>
#include "../lib/hx509/hx_locl.h"
#include <hx509-private.h>
#define heim_pcontext krb5_context
#define heim_pconfig krb5_context
#include <heimbase-svc.h>
#if MHD_VERSION < 0x00097002 || defined(MHD_YES)
/* libmicrohttpd changed these from int valued macros to an enum in 0.9.71 */
#ifdef MHD_YES
#undef MHD_YES
#undef MHD_NO
#endif
enum MHD_Result { MHD_NO = 0, MHD_YES = 1 };
#define MHD_YES 1
#define MHD_NO 0
typedef int heim_mhd_result;
#else
typedef enum MHD_Result heim_mhd_result;
#endif
enum k5_creds_kind { K5_CREDS_EPHEMERAL, K5_CREDS_CACHED };
/*
* This is to keep track of memory we need to free, mainly because we had to
* duplicate data from the MHD POST form data processor.
*/
struct free_tend_list {
void *freeme1;
void *freeme2;
struct free_tend_list *next;
};
/* Per-request context data structure */
typedef struct bx509_request_desc {
/* Common elements for Heimdal request/response services */
HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS;
struct MHD_Connection *connection;
struct MHD_PostProcessor *pp;
struct MHD_Response *response;
krb5_times token_times;
time_t req_life;
hx509_request req;
struct free_tend_list *free_list;
const char *for_cname;
const char *target;
const char *redir;
const char *method;
size_t post_data_size;
size_t san_idx; /* For /get-tgts */
enum k5_creds_kind cckind;
char *pkix_store;
char *tgts_filename;
FILE *tgts;
char *ccname;
char *freeme1;
char *csrf_token;
krb5_addresses tgt_addresses; /* For /get-tgt */
char frombuf[128];
} *bx509_request_desc;
static void
audit_trail(bx509_request_desc r, krb5_error_code ret)
{
const char *retname = NULL;
/* Get a symbolic name for some error codes */
#define CASE(x) case x : retname = #x; break
switch (ret) {
CASE(ENOMEM);
CASE(EACCES);
CASE(HDB_ERR_NOT_FOUND_HERE);
CASE(HDB_ERR_WRONG_REALM);
CASE(HDB_ERR_EXISTS);
CASE(HDB_ERR_KVNO_NOT_FOUND);
CASE(HDB_ERR_NOENTRY);
CASE(HDB_ERR_NO_MKEY);
CASE(KRB5KDC_ERR_BADOPTION);
CASE(KRB5KDC_ERR_CANNOT_POSTDATE);
CASE(KRB5KDC_ERR_CLIENT_NOTYET);
CASE(KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN);
CASE(KRB5KDC_ERR_ETYPE_NOSUPP);
CASE(KRB5KDC_ERR_KEY_EXPIRED);
CASE(KRB5KDC_ERR_NAME_EXP);
CASE(KRB5KDC_ERR_NEVER_VALID);
CASE(KRB5KDC_ERR_NONE);
CASE(KRB5KDC_ERR_NULL_KEY);
CASE(KRB5KDC_ERR_PADATA_TYPE_NOSUPP);
CASE(KRB5KDC_ERR_POLICY);
CASE(KRB5KDC_ERR_PREAUTH_FAILED);
CASE(KRB5KDC_ERR_PREAUTH_REQUIRED);
CASE(KRB5KDC_ERR_SERVER_NOMATCH);
CASE(KRB5KDC_ERR_SERVICE_EXP);
CASE(KRB5KDC_ERR_SERVICE_NOTYET);
CASE(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
CASE(KRB5KDC_ERR_TRTYPE_NOSUPP);
CASE(KRB5KRB_ERR_RESPONSE_TOO_BIG);
/* XXX Add relevant error codes */
case 0:
retname = "SUCCESS";
break;
default:
retname = NULL;
break;
}
/* Let's save a few bytes */
if (retname && strncmp("KRB5KDC_", retname, sizeof("KRB5KDC_") - 1) == 0)
retname += sizeof("KRB5KDC_") - 1;
#undef PREFIX
heim_audit_trail((heim_svc_req_desc)r, ret, retname);
}
static krb5_log_facility *logfac;
static pthread_key_t k5ctx;
static krb5_error_code
get_krb5_context(krb5_context *contextp)
{
krb5_error_code ret;
if ((*contextp = pthread_getspecific(k5ctx)))
return 0;
if ((ret = krb5_init_context(contextp)))
return *contextp = NULL, ret;
if (logfac)
krb5_set_log_dest(*contextp, logfac);
(void) pthread_setspecific(k5ctx, *contextp);
return *contextp ? 0 : ENOMEM;
}
typedef enum {
CSRF_PROT_UNSPEC = 0,
CSRF_PROT_GET_WITH_HEADER = 1,
CSRF_PROT_GET_WITH_TOKEN = 2,
CSRF_PROT_POST_WITH_HEADER = 8,
CSRF_PROT_POST_WITH_TOKEN = 16,
} csrf_protection_type;
static csrf_protection_type csrf_prot_type = CSRF_PROT_UNSPEC;
static int port = -1;
static int allow_GET_flag = -1;
static int help_flag;
static int daemonize;
static int daemon_child_fd = -1;
static int verbose_counter;
static int version_flag;
static int reverse_proxied_flag;
static int thread_per_client_flag;
struct getarg_strings audiences;
static getarg_strings csrf_prot_type_strs;
static const char *csrf_header = "X-CSRF";
static const char *cert_file;
static const char *priv_key_file;
static const char *cache_dir;
static const char *csrf_key_file;
static char *impersonation_key_fn;
static char csrf_key[16];
static krb5_error_code resp(struct bx509_request_desc *, int,
enum MHD_ResponseMemoryMode, const char *,
const void *, size_t, const char *);
static krb5_error_code bad_req(struct bx509_request_desc *, krb5_error_code, int,
const char *, ...)
HEIMDAL_PRINTF_ATTRIBUTE((__printf__, 4, 5));
static krb5_error_code bad_enomem(struct bx509_request_desc *, krb5_error_code);
static krb5_error_code bad_400(struct bx509_request_desc *, krb5_error_code, char *);
static krb5_error_code bad_401(struct bx509_request_desc *, char *);
static krb5_error_code bad_403(struct bx509_request_desc *, krb5_error_code, char *);
static krb5_error_code bad_404(struct bx509_request_desc *, const char *);
static krb5_error_code bad_405(struct bx509_request_desc *, const char *);
static krb5_error_code bad_500(struct bx509_request_desc *, krb5_error_code, const char *);
static krb5_error_code bad_503(struct bx509_request_desc *, krb5_error_code, const char *);
static heim_mhd_result validate_csrf_token(struct bx509_request_desc *r);
static int
validate_token(struct bx509_request_desc *r)
{
krb5_error_code ret;
krb5_principal cprinc = NULL;
const char *token;
const char *host;
char token_type[64]; /* Plenty */
char *p;
krb5_data tok;
size_t host_len, brk, i;
memset(&r->token_times, 0, sizeof(r->token_times));
host = MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND,
MHD_HTTP_HEADER_HOST);
if (host == NULL)
return bad_400(r, EINVAL, "Host header is missing");
/* Exclude port number here (IPv6-safe because of the below) */
host_len = ((p = strchr(host, ':'))) ? p - host : strlen(host);
token = MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND,
MHD_HTTP_HEADER_AUTHORIZATION);
if (token == NULL)
return bad_401(r, "Authorization token is missing");
brk = strcspn(token, " \t");
if (token[brk] == '\0' || brk > sizeof(token_type) - 1)
return bad_401(r, "Authorization token is missing");
memcpy(token_type, token, brk);
token_type[brk] = '\0';
token += brk + 1;
tok.length = strlen(token);
tok.data = (void *)(uintptr_t)token;
for (i = 0; i < audiences.num_strings; i++)
if (strncasecmp(host, audiences.strings[i], host_len) == 0 &&
audiences.strings[i][host_len] == '\0')
break;
if (i == audiences.num_strings)
return bad_403(r, EINVAL, "Host: value is not accepted here");
r->sname = strdup(host); /* No need to check for ENOMEM here */
ret = kdc_validate_token(r->context, NULL /* realm */, token_type, &tok,
(const char **)&audiences.strings[i], 1,
&cprinc, &r->token_times);
if (ret)
return bad_403(r, ret, "Token validation failed");
if (cprinc == NULL)
return bad_403(r, ret, "Could not extract a principal name "
"from token");
ret = krb5_unparse_name(r->context, cprinc, &r->cname);
krb5_free_principal(r->context, cprinc);
if (ret)
return bad_503(r, ret, "Could not parse principal name");
return ret;
}
static void
generate_key(hx509_context context,
const char *key_name,
const char *gen_type,
unsigned long gen_bits,
char **fn)
{
struct hx509_generate_private_context *key_gen_ctx = NULL;
hx509_private_key key = NULL;
hx509_certs certs = NULL;
hx509_cert cert = NULL;
int ret;
if (strcmp(gen_type, "rsa") != 0)
errx(1, "Only RSA keys are supported at this time");
if (asprintf(fn, "PEM-FILE:%s/.%s_priv_key.pem",
cache_dir, key_name) == -1 ||
*fn == NULL)
err(1, "Could not set up private key for %s", key_name);
ret = _hx509_generate_private_key_init(context,
ASN1_OID_ID_PKCS1_RSAENCRYPTION,
&key_gen_ctx);
if (ret == 0)
ret = _hx509_generate_private_key_bits(context, key_gen_ctx, gen_bits);
if (ret == 0)
ret = _hx509_generate_private_key(context, key_gen_ctx, &key);
if (ret == 0)
cert = hx509_cert_init_private_key(context, key, NULL);
if (ret == 0)
ret = hx509_certs_init(context, *fn,
HX509_CERTS_CREATE | HX509_CERTS_UNPROTECT_ALL,
NULL, &certs);
if (ret == 0)
ret = hx509_certs_add(context, certs, cert);
if (ret == 0)
ret = hx509_certs_store(context, certs, 0, NULL);
if (ret)
hx509_err(context, 1, ret, "Could not generate and save private key "
"for %s", key_name);
_hx509_generate_private_key_free(&key_gen_ctx);
hx509_private_key_free(&key);
hx509_certs_free(&certs);
hx509_cert_free(cert);
}
static void
k5_free_context(void *ctx)
{
krb5_free_context(ctx);
}
#ifndef HAVE_UNLINKAT
static int
unlink1file(const char *dname, const char *name)
{
char p[PATH_MAX];
if (strlcpy(p, dname, sizeof(p)) < sizeof(p) &&
strlcat(p, "/", sizeof(p)) < sizeof(p) &&
strlcat(p, name, sizeof(p)) < sizeof(p))
return unlink(p);
return ERANGE;
}
#endif
static void
rm_cache_dir(void)
{
struct dirent *e;
DIR *d;
/*
* This works, but not on Win32:
*
* (void) simple_execlp("rm", "rm", "-rf", cache_dir, NULL);
*
* We make no directories in `cache_dir', so we need not recurse.
*/
if ((d = opendir(cache_dir)) == NULL)
return;
while ((e = readdir(d))) {
#ifdef HAVE_UNLINKAT
/*
* Because unlinkat() takes a directory FD, implementing one for
* libroken is tricky at best. Instead we might want to implement an
* rm_dash_rf() function in lib/roken.
*/
(void) unlinkat(dirfd(d), e->d_name, 0);
#else
(void) unlink1file(cache_dir, e->d_name);
#endif
}
(void) closedir(d);
(void) rmdir(cache_dir);
}
static krb5_error_code
mk_pkix_store(char **pkix_store)
{
char *s = NULL;
int ret = ENOMEM;
int fd;
if (*pkix_store) {
const char *fn = strchr(*pkix_store, ':');
fn = fn ? fn + 1 : *pkix_store;
(void) unlink(fn);
}
free(*pkix_store);
*pkix_store = NULL;
if (asprintf(&s, "PEM-FILE:%s/pkix-XXXXXX", cache_dir) == -1 ||
s == NULL) {
free(s);
return ret;
}
if ((fd = mkstemp(s + sizeof("PEM-FILE:") - 1)) == -1) {
free(s);
return errno;
}
(void) close(fd);
*pkix_store = s;
return 0;
}
static krb5_error_code
resp(struct bx509_request_desc *r,
int http_status_code,
enum MHD_ResponseMemoryMode rmmode,
const char *content_type,
const void *body,
size_t bodylen,
const char *token)
{
int mret = MHD_YES;
if (r->response)
return MHD_YES;
(void) gettimeofday(&r->tv_end, NULL);
if (http_status_code == MHD_HTTP_OK ||
http_status_code == MHD_HTTP_TEMPORARY_REDIRECT)
audit_trail(r, 0);
r->response = MHD_create_response_from_buffer(bodylen, rk_UNCONST(body),
rmmode);
if (r->response == NULL)
return -1;
if (r->csrf_token)
mret = MHD_add_response_header(r->response, "X-CSRF-Token", r->csrf_token);
if (mret == MHD_YES)
mret = MHD_add_response_header(r->response, MHD_HTTP_HEADER_CACHE_CONTROL,
"no-store, max-age=0");
if (mret == MHD_YES && http_status_code == MHD_HTTP_UNAUTHORIZED) {
mret = MHD_add_response_header(r->response,
MHD_HTTP_HEADER_WWW_AUTHENTICATE,
"Bearer");
if (mret == MHD_YES)
mret = MHD_add_response_header(r->response,
MHD_HTTP_HEADER_WWW_AUTHENTICATE,
"Negotiate");
} else if (mret == MHD_YES && http_status_code == MHD_HTTP_TEMPORARY_REDIRECT) {
const char *redir;
/* XXX Move this */
redir = MHD_lookup_connection_value(r->connection, MHD_GET_ARGUMENT_KIND,
"redirect");
mret = MHD_add_response_header(r->response, MHD_HTTP_HEADER_LOCATION,
redir);
if (mret != MHD_NO && token)
mret = MHD_add_response_header(r->response,
MHD_HTTP_HEADER_AUTHORIZATION,
token);
}
if (mret == MHD_YES && content_type) {
mret = MHD_add_response_header(r->response,
MHD_HTTP_HEADER_CONTENT_TYPE,
content_type);
}
if (mret == MHD_YES)
mret = MHD_queue_response(r->connection, http_status_code, r->response);
MHD_destroy_response(r->response);
return mret == MHD_NO ? -1 : 0;
}
static krb5_error_code
bad_reqv(struct bx509_request_desc *r,
krb5_error_code code,
int http_status_code,
const char *fmt,
va_list ap)
{
krb5_error_code ret;
const char *k5msg = NULL;
const char *emsg = NULL;
char *formatted = NULL;
char *msg = NULL;
heim_audit_setkv_number((heim_svc_req_desc)r, "http-status-code",
http_status_code);
(void) gettimeofday(&r->tv_end, NULL);
if (code == ENOMEM) {
if (r->context)
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
audit_trail(r, code);
return resp(r, http_status_code, MHD_RESPMEM_PERSISTENT,
NULL, fmt, strlen(fmt), NULL);
}
if (code) {
if (r->context)
emsg = k5msg = krb5_get_error_message(r->context, code);
else if (code > -1)
emsg = strerror(code);
else
emsg = "Unknown error";
}
ret = vasprintf(&formatted, fmt, ap);
if (code) {
if (ret > -1 && formatted)
ret = asprintf(&msg, "%s: %s (%d)", formatted, emsg, (int)code);
} else {
msg = formatted;
formatted = NULL;
}
heim_audit_addreason((heim_svc_req_desc)r, "%s", msg);
audit_trail(r, code);
if (r->context)
krb5_free_error_message(r->context, k5msg);
if (ret == -1 || msg == NULL) {
if (r->context)
krb5_log_msg(r->context, logfac, 1, NULL, "Out of memory");
return resp(r, MHD_HTTP_SERVICE_UNAVAILABLE, MHD_RESPMEM_PERSISTENT,
NULL, "Out of memory", sizeof("Out of memory") - 1, NULL);
}
ret = resp(r, http_status_code, MHD_RESPMEM_MUST_COPY,
NULL, msg, strlen(msg), NULL);
free(formatted);
free(msg);
return ret == -1 ? -1 : code;
}
static krb5_error_code
bad_req(struct bx509_request_desc *r,
krb5_error_code code,
int http_status_code,
const char *fmt,
...)
{
krb5_error_code ret;
va_list ap;
va_start(ap, fmt);
ret = bad_reqv(r, code, http_status_code, fmt, ap);
va_end(ap);
return ret;
}
static krb5_error_code
bad_enomem(struct bx509_request_desc *r, krb5_error_code ret)
{
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
"Out of memory");
}
static krb5_error_code
bad_400(struct bx509_request_desc *r, int ret, char *reason)
{
return bad_req(r, ret, MHD_HTTP_BAD_REQUEST, "%s", reason);
}
static krb5_error_code
bad_401(struct bx509_request_desc *r, char *reason)
{
return bad_req(r, EACCES, MHD_HTTP_UNAUTHORIZED, "%s", reason);
}
static krb5_error_code
bad_403(struct bx509_request_desc *r, krb5_error_code ret, char *reason)
{
return bad_req(r, ret, MHD_HTTP_FORBIDDEN, "%s", reason);
}
static krb5_error_code
bad_404(struct bx509_request_desc *r, const char *name)
{
return bad_req(r, ENOENT, MHD_HTTP_NOT_FOUND,
"Resource not found: %s", name);
}
static krb5_error_code
bad_405(struct bx509_request_desc *r, const char *method)
{
return bad_req(r, EPERM, MHD_HTTP_METHOD_NOT_ALLOWED,
"Method not supported: %s", method);
}
static krb5_error_code
bad_413(struct bx509_request_desc *r)
{
return bad_req(r, E2BIG, MHD_HTTP_METHOD_NOT_ALLOWED,
"POST request body too large");
}
static krb5_error_code
bad_500(struct bx509_request_desc *r,
krb5_error_code ret,
const char *reason)
{
return bad_req(r, ret, MHD_HTTP_INTERNAL_SERVER_ERROR,
"Internal error: %s", reason);
}
static krb5_error_code
bad_503(struct bx509_request_desc *r,
krb5_error_code ret,
const char *reason)
{
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
"Service unavailable: %s", reason);
}
static krb5_error_code
good_bx509(struct bx509_request_desc *r)
{
krb5_error_code ret;
const char *fn;
size_t bodylen;
void *body;
/*
* This `fn' thing is just to quiet linters that think "hey, strchr() can
* return NULL so...", but here we've build `r->pkix_store' and know it has
* a ':'.
*/
if (r->pkix_store == NULL)
return bad_503(r, EINVAL, "Internal error"); /* Quiet warnings */
fn = strchr(r->pkix_store, ':');
fn = fn ? fn + 1 : r->pkix_store;
ret = rk_undumpdata(fn, &body, &bodylen);
if (ret)
return bad_503(r, ret, "Could not recover issued certificate "
"from PKIX store");
(void) gettimeofday(&r->tv_end, NULL);
ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_MUST_COPY, "application/x-pem-file",
body, bodylen, NULL);
free(body);
return ret;
}
static heim_mhd_result
bx509_param_cb(void *d,
enum MHD_ValueKind kind,
const char *key,
const char *val)
{
struct bx509_request_desc *r = d;
heim_oid oid = { 0, 0 };
if (strcmp(key, "eku") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS, "requested_eku",
"%s", val);
r->error_code = der_parse_heim_oid(val, ".", &oid);
if (r->error_code == 0)
r->error_code = hx509_request_add_eku(r->context->hx509ctx, r->req, &oid);
der_free_oid(&oid);
} else if (strcmp(key, "dNSName") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_dNSName", "%s", val);
r->error_code = hx509_request_add_dns_name(r->context->hx509ctx, r->req, val);
} else if (strcmp(key, "rfc822Name") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_rfc822Name", "%s", val);
r->error_code = hx509_request_add_email(r->context->hx509ctx, r->req, val);
} else if (strcmp(key, "xMPPName") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_xMPPName", "%s", val);
r->error_code = hx509_request_add_xmpp_name(r->context->hx509ctx, r->req,
val);
} else if (strcmp(key, "krb5PrincipalName") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_krb5PrincipalName", "%s", val);
r->error_code = hx509_request_add_pkinit(r->context->hx509ctx, r->req,
val);
} else if (strcmp(key, "ms-upn") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_ms_upn", "%s", val);
r->error_code = hx509_request_add_ms_upn_name(r->context->hx509ctx, r->req,
val);
} else if (strcmp(key, "registeredID") == 0 && val) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_registered_id", "%s", val);
r->error_code = der_parse_heim_oid(val, ".", &oid);
if (r->error_code == 0)
r->error_code = hx509_request_add_registered(r->context->hx509ctx, r->req,
&oid);
der_free_oid(&oid);
} else if (strcmp(key, "csr") == 0 && val) {
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_csr", TRUE);
r->error_code = 0; /* Handled upstairs */
} else if (strcmp(key, "lifetime") == 0 && val) {
r->req_life = parse_time(val, "day");
} else {
/* Produce error for unknown params */
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, r->error_code = ENOTSUP,
"Query parameter %s not supported", key);
}
return r->error_code == 0 ? MHD_YES : MHD_NO /* Stop iterating */;
}
static krb5_error_code
authorize_CSR(struct bx509_request_desc *r,
krb5_data *csr,
krb5_const_principal p)
{
krb5_error_code ret;
ret = hx509_request_parse_der(r->context->hx509ctx, csr, &r->req);
if (ret)
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not parse CSR");
r->error_code = 0;
(void) MHD_get_connection_values(r->connection, MHD_GET_ARGUMENT_KIND,
bx509_param_cb, r);
ret = r->error_code;
if (ret)
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not handle query parameters");
ret = kdc_authorize_csr(r->context, "bx509", r->req, p);
if (ret)
return bad_403(r, ret, "Not authorized to requested certificate");
return ret;
}
/*
* hx509_certs_iter_f() callback to assign a private key to the first cert in a
* store.
*/
static int HX509_LIB_CALL
set_priv_key(hx509_context context, void *d, hx509_cert c)
{
(void) _hx509_cert_assign_key(c, (hx509_private_key)d);
return -1; /* stop iteration */
}
static krb5_error_code
store_certs(hx509_context context,
const char *store,
hx509_certs store_these,
hx509_private_key key)
{
krb5_error_code ret;
hx509_certs certs = NULL;
ret = hx509_certs_init(context, store, HX509_CERTS_CREATE, NULL,
&certs);
if (ret == 0) {
if (key)
(void) hx509_certs_iter_f(context, store_these, set_priv_key, key);
hx509_certs_merge(context, certs, store_these);
}
if (ret == 0)
hx509_certs_store(context, certs, 0, NULL);
hx509_certs_free(&certs);
return ret;
}
/* Setup a CSR for bx509() */
static krb5_error_code
do_CA(struct bx509_request_desc *r, const char *csr)
{
krb5_error_code ret = 0;
krb5_principal p;
hx509_certs certs = NULL;
krb5_data d;
ssize_t bytes;
char *csr2, *q;
/*
* Work around bug where microhttpd decodes %2b to + then + to space. That
* bug does not affect other base64 special characters that get URI
* %-encoded.
*/
if ((csr2 = strdup(csr)) == NULL)
return bad_enomem(r, ENOMEM);
for (q = strchr(csr2, ' '); q; q = strchr(q + 1, ' '))
*q = '+';
ret = krb5_parse_name(r->context, r->cname, &p);
if (ret) {
free(csr2);
return bad_req(r, ret, MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not parse principal name");
}
/* Set CSR */
if ((d.data = malloc(strlen(csr2))) == NULL) {
krb5_free_principal(r->context, p);
free(csr2);
return bad_enomem(r, ENOMEM);
}
bytes = rk_base64_decode(csr2, d.data);
free(csr2);
if (bytes < 0)
ret = errno ? errno : EINVAL;
else
d.length = bytes;
if (ret) {
krb5_free_principal(r->context, p);
free(d.data);
return bad_500(r, ret, "Invalid base64 encoding of CSR");
}
/*
* Parses and validates the CSR, adds external extension requests from
* query parameters, then checks authorization.
*/
ret = authorize_CSR(r, &d, p);
free(d.data);
d.data = 0;
d.length = 0;
if (ret) {
krb5_free_principal(r->context, p);
return ret; /* authorize_CSR() calls bad_req() */
}
/* Issue the certificate */
ret = kdc_issue_certificate(r->context, "bx509", logfac, r->req, p,
&r->token_times, r->req_life,
1 /* send_chain */, &certs);
krb5_free_principal(r->context, p);
if (ret) {
if (ret == KRB5KDC_ERR_POLICY || ret == EACCES)
return bad_403(r, ret,
"Certificate request denied for policy reasons");
return bad_500(r, ret, "Certificate issuance failed");
}
/* Setup PKIX store */
if ((ret = mk_pkix_store(&r->pkix_store)))
return bad_500(r, ret,
"Could not create PEM store for issued certificate");
ret = store_certs(r->context->hx509ctx, r->pkix_store, certs, NULL);
hx509_certs_free(&certs);
if (ret)
return bad_500(r, ret, "Failed to convert issued"
" certificate and chain to PEM");
return 0;
}
/* Copied from kdc/connect.c */
static void
addr_to_string(krb5_context context,
struct sockaddr *addr,
char *str,
size_t len)
{
krb5_error_code ret;
krb5_address a;
ret = krb5_sockaddr2address(context, addr, &a);
if (ret == 0) {
ret = krb5_print_address(&a, str, len, &len);
krb5_free_address(context, &a);
}
if (ret)
snprintf(str, len, "<family=%d>", addr->sa_family);
}
static void clean_req_desc(struct bx509_request_desc *);
static krb5_error_code
set_req_desc(struct MHD_Connection *connection,
const char *method,
const char *url,
struct bx509_request_desc **rp)
{
struct bx509_request_desc *r;
const union MHD_ConnectionInfo *ci;
const char *token;
krb5_error_code ret;
*rp = NULL;
if ((r = calloc(1, sizeof(*r))) == NULL)
return ENOMEM;
(void) gettimeofday(&r->tv_start, NULL);
ret = get_krb5_context(&r->context);
r->connection = connection;
r->response = NULL;
r->pp = NULL;
r->request.data = "<HTTP-REQUEST>";
r->request.length = sizeof("<HTTP-REQUEST>");
r->from = r->frombuf;
r->tgt_addresses.len = 0;
r->tgt_addresses.val = 0;
r->hcontext = r->context ? r->context->hcontext : NULL;
r->config = NULL;
r->logf = logfac;
r->csrf_token = NULL;
r->free_list = NULL;
r->method = method;
r->reqtype = url;
r->target = r->redir = NULL;
r->pkix_store = NULL;
r->for_cname = NULL;
r->freeme1 = NULL;
r->reason = NULL;
r->tgts_filename = NULL;
r->tgts = NULL;
r->ccname = NULL;
r->reply = NULL;
r->sname = NULL;
r->cname = NULL;
r->addr = NULL;
r->req = NULL;
r->req_life = 0;
r->error_code = ret;
r->kv = heim_dict_create(10);
r->attributes = heim_dict_create(1);
if (ret == 0 && (r->kv == NULL || r->attributes == NULL))
r->error_code = ret = ENOMEM;
ci = MHD_get_connection_info(connection,
MHD_CONNECTION_INFO_CLIENT_ADDRESS);
if (ci) {
r->addr = ci->client_addr;
addr_to_string(r->context, r->addr, r->frombuf, sizeof(r->frombuf));
}
heim_audit_addkv((heim_svc_req_desc)r, 0, "method", "GET");
heim_audit_addkv((heim_svc_req_desc)r, 0, "endpoint", "%s", r->reqtype);
token = MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND,
MHD_HTTP_HEADER_AUTHORIZATION);
if (token && r->kv) {
const char *token_end;
if ((token_end = strchr(token, ' ')) == NULL ||
(token_end - token) > INT_MAX || (token_end - token) < 2)
heim_audit_addkv((heim_svc_req_desc)r, 0, "auth", "<unknown>");
else
heim_audit_addkv((heim_svc_req_desc)r, 0, "auth", "%.*s",
(int)(token_end - token), token);
}
if (ret == 0)
*rp = r;
else
clean_req_desc(r);
return ret;
}
static void
clean_req_desc(struct bx509_request_desc *r)
{
if (!r)
return;
while (r->free_list) {
struct free_tend_list *ftl = r->free_list;
r->free_list = r->free_list->next;
free(ftl->freeme1);
free(ftl->freeme2);
free(ftl);
}
if (r->pkix_store) {
const char *fn = strchr(r->pkix_store, ':');
/*
* This `fn' thing is just to quiet linters that think "hey, strchr() can
* return NULL so...", but here we've build `r->pkix_store' and know it has
* a ':'.
*/
fn = fn ? fn + 1 : r->pkix_store;
(void) unlink(fn);
}
krb5_free_addresses(r->context, &r->tgt_addresses);
hx509_request_free(&r->req);
heim_release(r->attributes);
heim_release(r->reason);
heim_release(r->kv);
if (r->ccname && r->cckind == K5_CREDS_EPHEMERAL) {
const char *fn = r->ccname;
if (strncmp(fn, "FILE:", sizeof("FILE:") - 1) == 0)
fn += sizeof("FILE:") - 1;
(void) unlink(fn);
}
if (r->tgts)
(void) fclose(r->tgts);
if (r->tgts_filename) {
(void) unlink(r->tgts_filename);
free(r->tgts_filename);
}
/* No need to destroy r->response */
if (r->pp)
MHD_destroy_post_processor(r->pp);
free(r->csrf_token);
free(r->pkix_store);
free(r->freeme1);
free(r->ccname);
free(r->cname);
free(r->sname);
free(r);
}
/* Implements GETs of /bx509 */
static krb5_error_code
bx509(struct bx509_request_desc *r)
{
krb5_error_code ret;
const char *csr;
/* Get required inputs */
csr = MHD_lookup_connection_value(r->connection, MHD_GET_ARGUMENT_KIND,
"csr");
if (csr == NULL)
return bad_400(r, EINVAL, "CSR is missing");
if (r->cname == NULL)
return bad_403(r, EINVAL,
"Could not extract principal name from token");
/* Parse CSR, add extensions from parameters, authorize, issue cert */
if ((ret = do_CA(r, csr)))
return ret;
/* Read and send the contents of the PKIX store */
krb5_log_msg(r->context, logfac, 1, NULL, "Issued certificate to %s",
r->cname);
return good_bx509(r);
}
/*
* princ_fs_encode_sz() and princ_fs_encode() encode a principal name to be
* safe for use as a file name. They function very much like URL encoders, but
* '~' and '.' also get encoded, and '@' does not.
*
* A corresponding decoder is not needed.
*
* XXX Maybe use krb5_cc_default_for()!
*/
static size_t
princ_fs_encode_sz(const char *in)
{
size_t sz = strlen(in);
while (*in) {
unsigned char c = *(const unsigned char *)(in++);
if (isalnum(c))
continue;
switch (c) {
case '@':
case '-':
case '_':
continue;
default:
sz += 2;
}
}
return sz;
}
static char *
princ_fs_encode(const char *in)
{
size_t len = strlen(in);
size_t sz = princ_fs_encode_sz(in);
size_t i, k;
char *s;
if ((s = malloc(sz + 1)) == NULL)
return NULL;
s[sz] = '\0';
for (i = k = 0; i < len; i++) {
char c = in[i];
switch (c) {
case '@':
case '-':
case '_':
s[k++] = c;
break;
default:
if (isalnum((unsigned char)c)) {
s[k++] = c;
} else {
s[k++] = '%';
s[k++] = "0123456789abcdef"[(c&0xff)>>4];
s[k++] = "0123456789abcdef"[(c&0x0f)];
}
}
}
return s;
}
/*
* Find an existing, live ccache for `princ' in `cache_dir' or acquire Kerberos
* creds for `princ' with PKINIT and put them in a ccache in `cache_dir'.
*/
static krb5_error_code
find_ccache(krb5_context context, const char *princ, char **ccname)
{
krb5_error_code ret = ENOMEM;
krb5_ccache cc = NULL;
time_t life;
char *s = NULL;
*ccname = NULL;
/*
* Name the ccache after the principal. The principal may have special
* characters in it, such as / or \ (path component separarot), or shell
* special characters, so princ_fs_encode() it to make a ccache name.
*/
if ((s = princ_fs_encode(princ)) == NULL ||
asprintf(ccname, "FILE:%s/%s.cc", cache_dir, s) == -1 ||
*ccname == NULL) {
free(s);
return ENOMEM;
}
free(s);
if ((ret = krb5_cc_resolve(context, *ccname, &cc))) {
/* krb5_cc_resolve() suceeds even if the file doesn't exist */
free(*ccname);
*ccname = NULL;
cc = NULL;
}
/* Check if we have a good enough credential */
if (ret == 0 &&
(ret = krb5_cc_get_lifetime(context, cc, &life)) == 0 && life > 60) {
krb5_cc_close(context, cc);
return 0;
}
if (cc)
krb5_cc_close(context, cc);
return ret ? ret : ENOENT;
}
static krb5_error_code
get_ccache(struct bx509_request_desc *r, krb5_ccache *cc, int *won)
{
krb5_error_code ret = 0;
char *temp_ccname = NULL;
const char *fn = NULL;
time_t life;
int fd = -1;
/*
* Open and lock a .new ccache file. Use .new to avoid garbage files on
* crash.
*
* We can race with other threads to do this, so we loop until we
* definitively win or definitely lose the race. We win when we have a) an
* open FD that is b) flock'ed, and c) we observe with lstat() that the
* file we opened and locked is the same as on disk after locking.
*
* We don't close the FD until we're done.
*
* If we had a proper anon MEMORY ccache, we could instead use that for a
* temporary ccache, and then the initialization of and move to the final
* FILE ccache would take care to mkstemp() and rename() into place.
* fcc_open() basically does a similar thing.
*/
*cc = NULL;
*won = -1;
if (asprintf(&temp_ccname, "%s.ccnew", r->ccname) == -1 ||
temp_ccname == NULL)
ret = ENOMEM;
if (ret == 0)
fn = temp_ccname + sizeof("FILE:") - 1;
if (ret == 0) do {
struct stat st1, st2;
/*
* Open and flock the temp ccache file.
*
* XXX We should really a) use _krb5_xlock(), or move that into
* lib/roken anyways, b) abstract this loop into a utility function in
* lib/roken.
*/
if (fd != -1) {
(void) close(fd);
fd = -1;
}
errno = 0;
memset(&st1, 0, sizeof(st1));
memset(&st2, 0xff, sizeof(st2));
if (ret == 0 &&
((fd = open(fn, O_RDWR | O_CREAT, 0600)) == -1 ||
flock(fd, LOCK_EX) == -1 ||
(lstat(fn, &st1) == -1 && errno != ENOENT) ||
fstat(fd, &st2) == -1))
ret = errno;
if (ret == 0 && errno == 0 &&
st1.st_dev == st2.st_dev && st1.st_ino == st2.st_ino) {
if (S_ISREG(st1.st_mode))
break;
if (unlink(fn) == -1)
ret = errno;
}
} while (ret == 0);
/* Check if we lost any race to acquire Kerberos creds */
if (ret == 0)
ret = krb5_cc_resolve(r->context, temp_ccname, cc);
if (ret == 0) {
ret = krb5_cc_get_lifetime(r->context, *cc, &life);
if (ret == 0 && life > 60)
*won = 0; /* We lost the race, but we win: we get to do less work */
*won = 1;
ret = 0;
}
free(temp_ccname);
if (fd != -1)
(void) close(fd); /* Drops the flock */
return ret;
}
/*
* Acquire credentials for `princ' using PKINIT and the PKIX credentials in
* `pkix_store', then place the result in the ccache named `ccname' (which will
* be in our own private `cache_dir').
*
* XXX This function could be rewritten using gss_acquire_cred_from() and
* gss_store_cred_into() provided we add new generic cred store key/value pairs
* for PKINIT.
*/
static krb5_error_code
do_pkinit(struct bx509_request_desc *r, enum k5_creds_kind kind)
{
krb5_get_init_creds_opt *opt = NULL;
krb5_init_creds_context ctx = NULL;
krb5_error_code ret = 0;
krb5_ccache temp_cc = NULL;
krb5_ccache cc = NULL;
krb5_principal p = NULL;
const char *crealm;
const char *cname = r->for_cname ? r->for_cname : r->cname;
if (kind == K5_CREDS_CACHED) {
int won = -1;
ret = get_ccache(r, &temp_cc, &won);
if (ret || !won)
goto out;
/*
* We won the race to do PKINIT. Setup to acquire Kerberos creds with
* PKINIT.
*
* We should really make sure that gss_acquire_cred_from() can do this
* for us. We'd add generic cred store key/value pairs for PKIX cred
* store, trust anchors, and so on, and acquire that way, then
* gss_store_cred_into() to save it in a FILE ccache.
*/
} else {
ret = krb5_cc_new_unique(r->context, "FILE", NULL, &temp_cc);
}
if (ret == 0)
ret = krb5_parse_name(r->context, cname, &p);
if (ret == 0)
crealm = krb5_principal_get_realm(r->context, p);
if (ret == 0)
ret = krb5_get_init_creds_opt_alloc(r->context, &opt);
if (ret == 0)
krb5_get_init_creds_opt_set_default_flags(r->context, "kinit", crealm,
opt);
if (ret == 0 && kind == K5_CREDS_EPHEMERAL &&
!krb5_config_get_bool_default(r->context, NULL, TRUE,
"get-tgt", "no_addresses", NULL)) {
krb5_addresses addr;
ret = _krb5_parse_address_no_lookup(r->context, r->frombuf, &addr);
if (ret == 0)
ret = krb5_append_addresses(r->context, &r->tgt_addresses,
&addr);
}
if (ret == 0) {
if (r->tgt_addresses.len == 0)
ret = krb5_get_init_creds_opt_set_addressless(r->context, opt, 1);
else
krb5_get_init_creds_opt_set_address_list(opt, &r->tgt_addresses);
}
if (ret == 0)
ret = krb5_get_init_creds_opt_set_pkinit(r->context, opt, p,
r->pkix_store,
NULL, /* pkinit_anchor */
NULL, /* anchor_chain */
NULL, /* pkinit_crl */
0, /* flags */
NULL, /* prompter */
NULL, /* prompter data */
NULL /* password */);
if (ret == 0)
ret = krb5_init_creds_init(r->context, p,
NULL /* prompter */,
NULL /* prompter data */,
0 /* start_time */,
opt, &ctx);
/*
* Finally, do the AS exchange w/ PKINIT, extract the new Kerberos creds
* into temp_cc, and rename into place. Note that krb5_cc_move() closes
* the source ccache, so we set temp_cc = NULL if it succeeds.
*/
if (ret == 0)
ret = krb5_init_creds_get(r->context, ctx);
if (ret == 0)
ret = krb5_init_creds_store(r->context, ctx, temp_cc);
if (kind == K5_CREDS_CACHED) {
if (ret == 0)
ret = krb5_cc_resolve(r->context, r->ccname, &cc);
if (ret == 0)
ret = krb5_cc_move(r->context, temp_cc, cc);
if (ret == 0)
temp_cc = NULL;
} else if (ret == 0 && kind == K5_CREDS_EPHEMERAL) {
ret = krb5_cc_get_full_name(r->context, temp_cc, &r->ccname);
}
out:
if (ctx)
krb5_init_creds_free(r->context, ctx);
krb5_get_init_creds_opt_free(r->context, opt);
krb5_free_principal(r->context, p);
krb5_cc_close(r->context, temp_cc);
krb5_cc_close(r->context, cc);
return ret;
}
static krb5_error_code
load_priv_key(krb5_context context, const char *fn, hx509_private_key *key)
{
hx509_private_key *keys = NULL;
krb5_error_code ret;
hx509_certs certs = NULL;
*key = NULL;
ret = hx509_certs_init(context->hx509ctx, fn, 0, NULL, &certs);
if (ret == ENOENT)
return 0;
if (ret == 0)
ret = _hx509_certs_keys_get(context->hx509ctx, certs, &keys);
if (ret == 0 && keys[0] == NULL)
ret = ENOENT; /* XXX Better error please */
if (ret == 0)
*key = _hx509_private_key_ref(keys[0]);
if (ret)
krb5_set_error_message(context, ret, "Could not load private "
"impersonation key from %s for PKINIT: %s", fn,
hx509_get_error_string(context->hx509ctx, ret));
_hx509_certs_keys_free(context->hx509ctx, keys);
hx509_certs_free(&certs);
return ret;
}
static krb5_error_code
k5_do_CA(struct bx509_request_desc *r)
{
SubjectPublicKeyInfo spki;
hx509_private_key key = NULL;
krb5_error_code ret = 0;
krb5_principal p = NULL;
hx509_request req = NULL;
hx509_certs certs = NULL;
KeyUsage ku = int2KeyUsage(0);
const char *cname = r->for_cname ? r->for_cname : r->cname;
memset(&spki, 0, sizeof(spki));
ku.digitalSignature = 1;
/* Make a CSR (halfway -- we don't need to sign it here) */
/* XXX Load impersonation key just once?? */
ret = load_priv_key(r->context, impersonation_key_fn, &key);
if (ret == 0)
ret = hx509_request_init(r->context->hx509ctx, &req);
if (ret == 0)
ret = krb5_parse_name(r->context, cname, &p);
if (ret == 0)
ret = hx509_private_key2SPKI(r->context->hx509ctx, key, &spki);
if (ret == 0)
hx509_request_set_SubjectPublicKeyInfo(r->context->hx509ctx, req,
&spki);
free_SubjectPublicKeyInfo(&spki);
if (ret == 0)
ret = hx509_request_add_pkinit(r->context->hx509ctx, req, cname);
if (ret == 0)
ret = hx509_request_add_eku(r->context->hx509ctx, req,
&asn1_oid_id_pkekuoid);
/* Mark it authorized */
if (ret == 0)
ret = hx509_request_authorize_san(req, 0);
if (ret == 0)
ret = hx509_request_authorize_eku(req, 0);
if (ret == 0)
hx509_request_authorize_ku(req, ku);
/* Issue the certificate */
if (ret == 0)
ret = kdc_issue_certificate(r->context, "get-tgt", logfac, req, p,
&r->token_times, r->req_life,
1 /* send_chain */, &certs);
krb5_free_principal(r->context, p);
hx509_request_free(&req);
p = NULL;
if (ret == KRB5KDC_ERR_POLICY || ret == EACCES) {
hx509_private_key_free(&key);
return bad_403(r, ret,
"Certificate request denied for policy reasons");
}
if (ret == ENOMEM) {
hx509_private_key_free(&key);
return bad_503(r, ret, "Certificate issuance failed");
}
if (ret) {
hx509_private_key_free(&key);
return bad_500(r, ret, "Certificate issuance failed");
}
/* Setup PKIX store and extract the certificate chain into it */
ret = mk_pkix_store(&r->pkix_store);
if (ret == 0)
ret = store_certs(r->context->hx509ctx, r->pkix_store, certs, key);
hx509_private_key_free(&key);
hx509_certs_free(&certs);
if (ret)
return bad_500(r, ret,
"Could not create PEM store for issued certificate");
return 0;
}
/* Get impersonated Kerberos credentials for `cprinc' */
static krb5_error_code
k5_get_creds(struct bx509_request_desc *r, enum k5_creds_kind kind)
{
krb5_error_code ret;
const char *cname = r->for_cname ? r->for_cname : r->cname;
/* If we have a live ccache for `cprinc', we're done */
r->cckind = kind;
if (kind == K5_CREDS_CACHED &&
(ret = find_ccache(r->context, cname, &r->ccname)) == 0)
return ret; /* Success */
/*
* Else we have to acquire a credential for them using their bearer token
* for authentication (and our keytab / initiator credentials perhaps).
*/
if ((ret = k5_do_CA(r)))
return ret; /* k5_do_CA() calls bad_req() */
if (ret == 0)
ret = do_pkinit(r, kind);
return ret;
}
/* Accumulate strings */
static void
acc_str(char **acc, char *adds, size_t addslen)
{
char *tmp = NULL;
int l = addslen <= INT_MAX ? (int)addslen : INT_MAX;
if (asprintf(&tmp, "%s%s%.*s",
*acc ? *acc : "",
*acc ? "; " : "", l, adds) > -1 &&
tmp) {
free(*acc);
*acc = tmp;
}
}
static char *
fmt_gss_error(OM_uint32 code, gss_OID mech)
{
gss_buffer_desc buf;
OM_uint32 major, minor;
OM_uint32 type = mech == GSS_C_NO_OID ? GSS_C_GSS_CODE: GSS_C_MECH_CODE;
OM_uint32 more = 0;
char *r = NULL;
do {
major = gss_display_status(&minor, code, type, mech, &more, &buf);
if (!GSS_ERROR(major))
acc_str(&r, (char *)buf.value, buf.length);
gss_release_buffer(&minor, &buf);
} while (!GSS_ERROR(major) && more);
return r;
}
static char *
fmt_gss_errors(const char *r, OM_uint32 major, OM_uint32 minor, gss_OID mech)
{
char *ma, *mi, *s;
ma = fmt_gss_error(major, GSS_C_NO_OID);
mi = mech == GSS_C_NO_OID ? NULL : fmt_gss_error(minor, mech);
if (asprintf(&s, "%s: %s%s%s", r,
ma ? ma : "Out of memory",
mi ? ": " : "",
mi ? mi : "") > -1 &&
s) {
free(ma);
free(mi);
return s;
}
free(mi);
return ma;
}
/* GSS-API error */
static krb5_error_code
bad_req_gss(struct bx509_request_desc *r,
OM_uint32 major,
OM_uint32 minor,
gss_OID mech,
int http_status_code,
const char *reason)
{
krb5_error_code ret;
char *msg = fmt_gss_errors(reason, major, minor, mech);
if (major == GSS_S_BAD_NAME || major == GSS_S_BAD_NAMETYPE)
http_status_code = MHD_HTTP_BAD_REQUEST;
if (msg)
ret = resp(r, http_status_code, MHD_RESPMEM_MUST_COPY, NULL,
msg, strlen(msg), NULL);
else
ret = resp(r, http_status_code, MHD_RESPMEM_MUST_COPY, NULL,
"Out of memory while formatting GSS error message",
sizeof("Out of memory while formatting GSS error message") - 1, NULL);
free(msg);
return ret;
}
/* Make an HTTP/Negotiate token */
static krb5_error_code
mk_nego_tok(struct bx509_request_desc *r,
char **nego_tok,
size_t *nego_toksz)
{
gss_key_value_element_desc kv[1] = { { "ccache", r->ccname } };
gss_key_value_set_desc store = { 1, kv };
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc name = GSS_C_EMPTY_BUFFER;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_name_t iname = GSS_C_NO_NAME;
gss_name_t aname = GSS_C_NO_NAME;
OM_uint32 major, minor, junk;
krb5_error_code ret; /* More like a system error code here */
const char *cname = r->for_cname ? r->for_cname : r->cname;
char *token_b64 = NULL;
*nego_tok = NULL;
*nego_toksz = 0;
/* Import initiator name */
name.length = strlen(cname);
name.value = rk_UNCONST(cname);
major = gss_import_name(&minor, &name, GSS_KRB5_NT_PRINCIPAL_NAME, &iname);
if (major != GSS_S_COMPLETE)
return bad_req_gss(r, major, minor, GSS_C_NO_OID,
MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not import cprinc parameter value as "
"Kerberos principal name");
/* Import target acceptor name */
name.length = strlen(r->target);
name.value = rk_UNCONST(r->target);
major = gss_import_name(&minor, &name, GSS_C_NT_HOSTBASED_SERVICE, &aname);
if (major != GSS_S_COMPLETE) {
(void) gss_release_name(&junk, &iname);
return bad_req_gss(r, major, minor, GSS_C_NO_OID,
MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not import target parameter value as "
"Kerberos principal name");
}
/* Acquire a credential from the given ccache */
major = gss_add_cred_from(&minor, cred, iname, GSS_KRB5_MECHANISM,
GSS_C_INITIATE, GSS_C_INDEFINITE, 0, &store,
&cred, NULL, NULL, NULL);
(void) gss_release_name(&junk, &iname);
if (major != GSS_S_COMPLETE) {
(void) gss_release_name(&junk, &aname);
return bad_req_gss(r, major, minor, GSS_KRB5_MECHANISM,
MHD_HTTP_FORBIDDEN, "Could not acquire credentials "
"for requested cprinc");
}
major = gss_init_sec_context(&minor, cred, &ctx, aname,
GSS_KRB5_MECHANISM, 0, GSS_C_INDEFINITE,
NULL, GSS_C_NO_BUFFER, NULL, &token, NULL,
NULL);
(void) gss_delete_sec_context(&junk, &ctx, GSS_C_NO_BUFFER);
(void) gss_release_name(&junk, &aname);
(void) gss_release_cred(&junk, &cred);
if (major != GSS_S_COMPLETE)
return bad_req_gss(r, major, minor, GSS_KRB5_MECHANISM,
MHD_HTTP_SERVICE_UNAVAILABLE, "Could not acquire "
"Negotiate token for requested target");
/* Encode token, output */
ret = rk_base64_encode(token.value, token.length, &token_b64);
(void) gss_release_buffer(&junk, &token);
if (ret > 0)
ret = asprintf(nego_tok, "Negotiate %s", token_b64);
free(token_b64);
if (ret < 0 || *nego_tok == NULL)
return bad_req(r, errno, MHD_HTTP_SERVICE_UNAVAILABLE,
"Could not allocate memory for encoding Negotiate "
"token");
*nego_toksz = ret;
return 0;
}
static krb5_error_code
bnegotiate_get_target(struct bx509_request_desc *r)
{
const char *target;
const char *redir;
const char *referer; /* misspelled on the wire, misspelled here, FYI */
const char *authority;
const char *local_part;
char *s1 = NULL;
char *s2 = NULL;
target = MHD_lookup_connection_value(r->connection, MHD_GET_ARGUMENT_KIND,
"target");
redir = MHD_lookup_connection_value(r->connection, MHD_GET_ARGUMENT_KIND,
"redirect");
referer = MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND,
MHD_HTTP_HEADER_REFERER);
if (target != NULL && redir == NULL) {
r->target = target;
return 0;
}
if (target == NULL && redir == NULL)
return bad_400(r, EINVAL,
"Query missing 'target' or 'redirect' parameter value");
if (target != NULL && redir != NULL)
return bad_403(r, EACCES,
"Only one of 'target' or 'redirect' parameter allowed");
if (redir != NULL && referer == NULL)
return bad_403(r, EACCES,
"Redirect request without Referer header nor allowed");
if (strncmp(referer, "https://", sizeof("https://") - 1) != 0 ||
strncmp(redir, "https://", sizeof("https://") - 1) != 0)
return bad_403(r, EACCES,
"Redirect requests permitted only for https referrers");
/* Parse out authority from each URI, redirect and referrer */
authority = redir + sizeof("https://") - 1;
if ((local_part = strchr(authority, '/')) == NULL)
local_part = authority + strlen(authority);
if ((s1 = strndup(authority, local_part - authority)) == NULL)
return bad_enomem(r, ENOMEM);
authority = referer + sizeof("https://") - 1;
if ((local_part = strchr(authority, '/')) == NULL)
local_part = authority + strlen(authority);
if ((s2 = strndup(authority, local_part - authority)) == NULL) {
free(s1);
return bad_enomem(r, ENOMEM);
}
/* Both must match */
if (strcasecmp(s1, s2) != 0) {
free(s2);
free(s1);
return bad_403(r, EACCES, "Redirect request does not match referer");
}
free(s2);
if (strchr(s1, '@')) {
free(s1);
return bad_403(r, EACCES,
"Redirect request authority has login information");
}
/* Extract hostname portion of authority and format GSS name */
if (strchr(s1, ':'))
*strchr(s1, ':') = '\0';
if (asprintf(&r->freeme1, "HTTP@%s", s1) == -1 || r->freeme1 == NULL) {
free(s1);
return bad_enomem(r, ENOMEM);
}
r->target = r->freeme1;
r->redir = redir;
free(s1);
return 0;
}
/*
* Implements /bnegotiate end-point.
*
* Query parameters (mutually exclusive):
*
* - target=<name>
* - redirect=<URL-encoded-URL>
*
* If the redirect query parameter is set then the Referer: header must be as
* well, and the authority of the redirect and Referer URIs must be the same.
*/
static krb5_error_code
bnegotiate(struct bx509_request_desc *r)
{
krb5_error_code ret;
size_t nego_toksz = 0;
char *nego_tok = NULL;
ret = bnegotiate_get_target(r);
if (ret)
return ret; /* bnegotiate_get_target() calls bad_req() */
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS, "target", "%s",
r->target ? r->target : "<unknown>");
heim_audit_setkv_bool((heim_svc_req_desc)r, "redir", !!r->redir);
/*
* Make sure we have Kerberos credentials for cprinc. If we have them
* cached from earlier, this will be fast (all local), else it will involve
* taking a file lock and talking to the KDC using kx509 and PKINIT.
*
* Perhaps we could use S4U instead, which would speed up the slow path a
* bit.
*/
ret = k5_get_creds(r, K5_CREDS_CACHED);
if (ret)
return bad_403(r, ret,
"Could not acquire Kerberos credentials using PKINIT");
/* Acquire the Negotiate token and output it */
if (ret == 0 && r->ccname != NULL)
ret = mk_nego_tok(r, &nego_tok, &nego_toksz);
if (ret == 0) {
/* Look ma', Negotiate as an OAuth-like token system! */
if (r->redir)
ret = resp(r, MHD_HTTP_TEMPORARY_REDIRECT, MHD_RESPMEM_PERSISTENT,
NULL, "", 0, nego_tok);
else
ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_MUST_COPY,
"application/x-negotiate-token", nego_tok, nego_toksz,
NULL);
}
free(nego_tok);
return ret;
}
static krb5_error_code
authorize_TGT_REQ(struct bx509_request_desc *r)
{
krb5_principal p = NULL;
krb5_error_code ret;
const char *for_cname = r->for_cname ? r->for_cname : r->cname;
if (for_cname == r->cname || strcmp(r->cname, r->for_cname) == 0)
return 0;
ret = hx509_request_init(r->context->hx509ctx, &r->req);
if (ret)
return bad_500(r, ret, "Out of resources");
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_krb5PrincipalName", "%s", for_cname);
ret = hx509_request_add_eku(r->context->hx509ctx, r->req,
ASN1_OID_ID_PKEKUOID);
if (ret == 0)
ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req,
for_cname);
if (ret == 0)
ret = krb5_parse_name(r->context, r->cname, &p);
if (ret == 0)
ret = kdc_authorize_csr(r->context, "get-tgt", r->req, p);
krb5_free_principal(r->context, p);
hx509_request_free(&r->req);
r->req = NULL;
if (ret)
return bad_403(r, ret, "Not authorized to requested TGT");
return ret;
}
static heim_mhd_result
get_tgt_param_cb(void *d,
enum MHD_ValueKind kind,
const char *key,
const char *val)
{
struct bx509_request_desc *r = d;
if (strcmp(key, "address") == 0 && val) {
if (!krb5_config_get_bool_default(r->context, NULL,
FALSE,
"get-tgt", "allow_addresses", NULL)) {
krb5_set_error_message(r->context, r->error_code = ENOTSUP,
"Query parameter %s not allowed", key);
} else {
krb5_addresses addresses;
r->error_code = _krb5_parse_address_no_lookup(r->context, val,
&addresses);
if (r->error_code == 0)
r->error_code = krb5_append_addresses(r->context, &r->tgt_addresses,
&addresses);
krb5_free_addresses(r->context, &addresses);
}
} else if (strcmp(key, "cname") == 0) {
/* Handled upstairs */
;
} else if (strcmp(key, "lifetime") == 0 && val) {
r->req_life = parse_time(val, "day");
} else {
/* Produce error for unknown params */
heim_audit_setkv_bool((heim_svc_req_desc)r, "requested_unknown", TRUE);
krb5_set_error_message(r->context, r->error_code = ENOTSUP,
"Query parameter %s not supported", key);
}
return r->error_code == 0 ? MHD_YES : MHD_NO /* Stop iterating */;
}
/*
* Implements /get-tgt end-point.
*
* Query parameters:
*
* - cname=<name> (client principal name, if not the same as the authenticated
* name, then this will be impersonated if allowed; may be
* given only once)
*
* - address=<IP> (IP address to add as a ticket address; may be given
* multiple times)
*
* - lifetime=<time> (requested lifetime for the ticket; may be given only
* once)
*/
static krb5_error_code
get_tgt(struct bx509_request_desc *r)
{
krb5_error_code ret;
size_t bodylen;
const char *fn;
void *body;
r->for_cname = MHD_lookup_connection_value(r->connection,
MHD_GET_ARGUMENT_KIND, "cname");
if (r->for_cname && r->for_cname[0] == '\0')
r->for_cname = NULL;
ret = authorize_TGT_REQ(r);
if (ret)
return ret; /* authorize_TGT_REQ() calls bad_req() */
r->error_code = 0;
(void) MHD_get_connection_values(r->connection, MHD_GET_ARGUMENT_KIND,
get_tgt_param_cb, r);
ret = r->error_code;
/* k5_get_creds() calls bad_req() */
if (ret == 0)
ret = k5_get_creds(r, K5_CREDS_EPHEMERAL);
if (ret)
return bad_403(r, ret,
"Could not acquire Kerberos credentials using PKINIT");
fn = strchr(r->ccname, ':');
if (fn == NULL)
return bad_500(r, ret, "Impossible error");
fn++;
if ((errno = rk_undumpdata(fn, &body, &bodylen)))
return bad_503(r, ret, "Could not get TGT");
ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_MUST_COPY,
"application/x-krb5-ccache", body, bodylen, NULL);
free(body);
return ret;
}
static int
get_tgts_accumulate_ccache_write_json(struct bx509_request_desc *r,
krb5_error_code code,
const char *data,
size_t datalen)
{
heim_object_t k, v;
heim_string_t text;
heim_error_t e = NULL;
heim_dict_t o;
int ret;
o = heim_dict_create(9);
k = heim_string_create("name");
v = heim_string_create(r->for_cname);
if (o && k && v)
ret = heim_dict_set_value(o, k, v);
else
ret = ENOMEM;
if (ret == 0) {
heim_release(v);
heim_release(k);
k = heim_string_create("error_code");
v = heim_number_create(code);
if (k && v)
ret = heim_dict_set_value(o, k, v);
}
if (ret == 0 && data != NULL) {
heim_release(v);
heim_release(k);
k = heim_string_create("ccache");
v = heim_data_create(data, datalen);
if (k && v)
ret = heim_dict_set_value(o, k, v);
}
if (ret == 0 && code != 0) {
const char *s = krb5_get_error_message(r->context, code);
heim_release(v);
heim_release(k);
k = heim_string_create("error");
v = heim_string_create(s ? s : "Out of memory");
krb5_free_error_message(r->context, s);
if (k && v)
ret = heim_dict_set_value(o, k, v);
}
heim_release(v);
heim_release(k);
if (ret) {
heim_release(o);
return bad_503(r, errno, "Out of memory");
}
text = heim_json_copy_serialize(o,
HEIM_JSON_F_NO_DATA_DICT |
HEIM_JSON_F_ONE_LINE,
&e);
if (text) {
const char *s = heim_string_get_utf8(text);
(void) fwrite(s, strlen(s), 1, r->tgts);
} else {
const char *s = NULL;
v = heim_error_copy_string(e);
if (v)
s = heim_string_get_utf8(v);
if (s == NULL)
s = "<unknown encoder error>";
krb5_log_msg(r->context, logfac, 1, NULL, "Failed to encode JSON text with ccache or error for %s: %s",
r->for_cname, s);
heim_release(v);
}
heim_release(text);
heim_release(o);
return MHD_YES;
}
/* Writes one ccache to a response file, as JSON */
static int
get_tgts_accumulate_ccache(struct bx509_request_desc *r, krb5_error_code ret)
{
const char *fn;
size_t bodylen = 0;
void *body = NULL;
int res;
if (r->tgts == NULL) {
int fd = -1;
if (asprintf(&r->tgts_filename,
"%s/tgts-json-XXXXXX", cache_dir) == -1 ||
r->tgts_filename == NULL) {
free(r->tgts_filename);
r->tgts_filename = NULL;
return bad_enomem(r, r->error_code = ENOMEM);
}
if ((fd = mkstemp(r->tgts_filename)) == -1)
return bad_req(r, errno, MHD_HTTP_SERVICE_UNAVAILABLE,
"%s", strerror(r->error_code = errno));
if ((r->tgts = fdopen(fd, "w+")) == NULL) {
(void) close(fd);
return bad_req(r, errno, MHD_HTTP_SERVICE_UNAVAILABLE,
"%s", strerror(r->error_code = errno));
}
}
if (ret == 0) {
fn = strchr(r->ccname, ':');
if (fn == NULL)
return bad_req(r, errno, MHD_HTTP_SERVICE_UNAVAILABLE,
"Internal error (invalid credentials cache name)");
fn++;
if ((r->error_code = rk_undumpdata(fn, &body, &bodylen)))
return bad_req(r, errno, MHD_HTTP_SERVICE_UNAVAILABLE,
"%s", strerror(r->error_code));
(void) unlink(fn);
free(r->ccname);
r->ccname = NULL;
if (bodylen > INT_MAX >> 4) {
free(body);
return bad_req(r, errno, MHD_HTTP_SERVICE_UNAVAILABLE,
"Credentials cache too large!");
}
}
res = get_tgts_accumulate_ccache_write_json(r, ret, body, bodylen);
free(body);
return res;
}
static heim_mhd_result
get_tgts_param_authorize_cb(void *d,
enum MHD_ValueKind kind,
const char *key,
const char *val)
{
struct bx509_request_desc *r = d;
krb5_error_code ret = 0;
if (strcmp(key, "cname") != 0 || val == NULL)
return MHD_YES;
if (r->req == NULL) {
ret = hx509_request_init(r->context->hx509ctx, &r->req);
if (ret == 0)
ret = hx509_request_add_eku(r->context->hx509ctx, r->req,
ASN1_OID_ID_PKEKUOID);
if (ret)
return bad_500(r, ret, "Out of resources");
}
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"requested_krb5PrincipalName", "%s", val);
ret = hx509_request_add_pkinit(r->context->hx509ctx, r->req,
val);
if (ret)
return bad_403(r, ret, "Not authorized to requested TGT");
return MHD_YES;
}
/* For each requested principal, produce a ccache */
static heim_mhd_result
get_tgts_param_execute_cb(void *d,
enum MHD_ValueKind kind,
const char *key,
const char *val)
{
struct bx509_request_desc *r = d;
hx509_san_type san_type;
krb5_error_code ret;
size_t san_idx = r->san_idx++;
const char *save_for_cname = r->for_cname;
char *s = NULL;
int res;
/* We expect only cname=principal q-params here */
if (strcmp(key, "cname") != 0 || val == NULL)
return MHD_YES;
/*
* We expect the `san_idx'th SAN in the `r->req' request checked by
* kdc_authorize_csr() to be the same as this cname. This happens
* naturally because we add these SANs to `r->req' in the same order as we
* visit them here (unless our HTTP library somehow went crazy).
*
* Still, we check that it's the same SAN.
*/
ret = hx509_request_get_san(r->req, san_idx, &san_type, &s);
if (ret == HX509_NO_ITEM ||
san_type != HX509_SAN_TYPE_PKINIT ||
strcmp(s, val) != 0) {
/*
* If the cname and SAN don't match, it's some weird internal error
* (can't happen).
*/
krb5_set_error_message(r->context, r->error_code = EACCES,
"PKINIT SAN not granted: %s (internal error)",
val);
ret = EACCES;
}
/*
* We're going to pretend to be this SAN for the purpose of acquring a TGT
* for it. So we "push" `r->for_cname'.
*/
if (ret == 0)
r->for_cname = val;
/*
* Our authorizer supports partial authorization where the whole request is
* rejected but some features of it are permitted.
*
* (In most end-points we don't want partial authorization, but in
* /get-tgts we very much do.)
*/
if (ret == 0 && !hx509_request_san_authorized_p(r->req, san_idx)) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"REJECT_krb5PrincipalName", "%s", val);
krb5_set_error_message(r->context, r->error_code = EACCES,
"PKINIT SAN denied: %s", val);
ret = EACCES;
}
if (ret == 0) {
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"ACCEPT_krb5PrincipalName", "%s", val);
ret = k5_get_creds(r, K5_CREDS_EPHEMERAL);
if (ret == 0)
heim_audit_addkv((heim_svc_req_desc)r, KDC_AUDIT_VIS,
"ISSUE_krb5PrincipalName", "%s", val);
}
/*
* If ret == 0 this will gather the TGT we acquired, else it will acquire
* the error we got.
*/
res = get_tgts_accumulate_ccache(r, ret);
/* Now we "pop" `r->for_cname' */
r->for_cname = save_for_cname;
hx509_xfree(s);
return res;
}
/*
* Implements /get-tgts end-point.
*
* Query parameters:
*
* - cname=<name> (client principal name, if not the same as the authenticated
* name, then this will be impersonated if allowed; may be
* given multiple times)
*/
static krb5_error_code
get_tgts(struct bx509_request_desc *r)
{
krb5_error_code ret;
krb5_principal p = NULL;
size_t bodylen;
void *body;
int res = MHD_YES;
/* Prep to authorize */
ret = krb5_parse_name(r->context, r->cname, &p);
if (ret)
return bad_403(r, ret, "Could not parse caller principal name");
if (ret == 0) {
/* Extract q-params other than `cname' */
r->error_code = 0;
res = MHD_get_connection_values(r->connection, MHD_GET_ARGUMENT_KIND,
get_tgt_param_cb, r);
if (r->response || res == MHD_NO) {
krb5_free_principal(r->context, p);
return res;
}
ret = r->error_code;
}
if (ret == 0) {
/*
* Check authorization of the authenticated client to the requested
* client principal names (calls bad_req()).
*/
r->error_code = 0;
res = MHD_get_connection_values(r->connection, MHD_GET_ARGUMENT_KIND,
get_tgts_param_authorize_cb, r);
if (r->response || res == MHD_NO) {
krb5_free_principal(r->context, p);
return res;
}
ret = r->error_code;
if (ret == 0) {
/* Use the same configuration as /get-tgt (or should we?) */
ret = kdc_authorize_csr(r->context, "get-tgt", r->req, p);
/*
* We tolerate EACCES because we support partial approval.
*
* (KRB5_PLUGIN_NO_HANDLE means no plugin handled the authorization
* check.)
*/
if (ret == EACCES || ret == KRB5_PLUGIN_NO_HANDLE)
ret = 0;
if (ret) {
krb5_free_principal(r->context, p);
return bad_403(r, ret, "Permission denied");
}
}
}
if (ret == 0) {
/*
* Get the actual TGTs that were authorized.
*
* get_tgts_param_execute_cb() calls bad_req()
*/
r->error_code = 0;
res = MHD_get_connection_values(r->connection, MHD_GET_ARGUMENT_KIND,
get_tgts_param_execute_cb, r);
if (r->response || res == MHD_NO) {
krb5_free_principal(r->context, p);
return res;
}
ret = r->error_code;
}
krb5_free_principal(r->context, p);
hx509_request_free(&r->req);
r->req = NULL;
/*
* get_tgts_param_execute_cb() will write its JSON response to the file
* named by r->ccname.
*/
if (fflush(r->tgts) != 0)
return bad_503(r, ret, "Could not get TGT");
if ((errno = rk_undumpdata(r->tgts_filename, &body, &bodylen)))
return bad_503(r, ret, "Could not get TGT");
ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_MUST_COPY,
"application/x-krb5-ccaches-json", body, bodylen, NULL);
free(body);
return ret;
}
static krb5_error_code
health(const char *method, struct bx509_request_desc *r)
{
if (strcmp(method, "HEAD") == 0)
return resp(r, MHD_HTTP_OK, MHD_RESPMEM_PERSISTENT, NULL, "", 0, NULL);
return resp(r, MHD_HTTP_OK, MHD_RESPMEM_PERSISTENT, NULL,
"To determine the health of the service, use the /bx509 "
"end-point.\n",
sizeof("To determine the health of the service, use the "
"/bx509 end-point.\n") - 1, NULL);
}
static krb5_error_code
mac_csrf_token(struct bx509_request_desc *r, krb5_storage *sp)
{
krb5_error_code ret;
krb5_data data;
char mac[EVP_MAX_MD_SIZE];
unsigned int maclen = sizeof(mac);
HMAC_CTX *ctx = NULL;
ret = krb5_storage_to_data(sp, &data);
if (ret == 0 && (ctx = HMAC_CTX_new()) == NULL)
ret = krb5_enomem(r->context);
/* HMAC the token body and the client principal name */
if (ret == 0) {
if (HMAC_Init_ex(ctx, csrf_key, sizeof(csrf_key),
EVP_sha256(),
NULL) == 0) {
HMAC_CTX_cleanup(ctx);
ret = krb5_enomem(r->context);
} else {
HMAC_Update(ctx, data.data, data.length);
if (r->cname)
HMAC_Update(ctx, r->cname, strlen(r->cname));
HMAC_Final(ctx, mac, &maclen);
HMAC_CTX_cleanup(ctx);
krb5_data_free(&data);
data.length = maclen;
data.data = mac;
if (krb5_storage_write(sp, mac, maclen) != maclen)
ret = krb5_enomem(r->context);
}
}
if (ctx)
HMAC_CTX_free(ctx);
return ret;
}
/*
* Make a CSRF token. If one is also given, make one with the same body
* content so we can check the HMAC.
*
* Outputs the token and its age. Do not use either if the token does not
* equal the given token.
*/
static krb5_error_code
make_csrf_token(struct bx509_request_desc *r,
const char *given,
char **token,
int64_t *age)
{
krb5_error_code ret = 0;
unsigned char given_decoded[128];
krb5_storage *sp = NULL;
krb5_data data;
ssize_t dlen = -1;
uint64_t nonce;
int64_t t = 0;
*age = 0;
data.data = NULL;
data.length = 0;
if (given) {
size_t len = strlen(given);
/* Extract issue time and nonce from token */
if (len >= sizeof(given_decoded))
ret = ERANGE;
if (ret == 0 && (dlen = rk_base64_decode(given, &given_decoded)) <= 0)
ret = errno;
if (ret == 0 &&
(sp = krb5_storage_from_mem(given_decoded, dlen)) == NULL)
ret = krb5_enomem(r->context);
if (ret == 0)
ret = krb5_ret_int64(sp, &t);
if (ret == 0)
ret = krb5_ret_uint64(sp, &nonce);
krb5_storage_free(sp);
sp = NULL;
if (ret == 0)
*age = time(NULL) - t;
} else {
t = time(NULL);
krb5_generate_random_block((void *)&nonce, sizeof(nonce));
}
if (ret == 0 && (sp = krb5_storage_emem()) == NULL)
ret = krb5_enomem(r->context);
if (ret == 0)
ret = krb5_store_int64(sp, t);
if (ret == 0)
ret = krb5_store_uint64(sp, nonce);
if (ret == 0)
ret = mac_csrf_token(r, sp);
if (ret == 0)
ret = krb5_storage_to_data(sp, &data);
if (ret == 0 && data.length > INT_MAX)
ret = ERANGE;
if (ret == 0 &&
rk_base64_encode(data.data, data.length, token) < 0)
ret = errno;
krb5_storage_free(sp);
krb5_data_free(&data);
return ret;
}
static heim_mhd_result
validate_csrf_token(struct bx509_request_desc *r)
{
const char *given;
int64_t age;
krb5_error_code ret;
if ((((csrf_prot_type & CSRF_PROT_GET_WITH_HEADER) &&
strcmp(r->method, "GET") == 0) ||
((csrf_prot_type & CSRF_PROT_POST_WITH_HEADER) &&
strcmp(r->method, "POST") == 0)) &&
MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND,
csrf_header) == NULL) {
ret = bad_req(r, EACCES, MHD_HTTP_FORBIDDEN,
"Request must have header \"%s\"", csrf_header);
return ret == -1 ? MHD_NO : MHD_YES;
}
if (strcmp(r->method, "GET") == 0 &&
!(csrf_prot_type & CSRF_PROT_GET_WITH_TOKEN))
return 0;
if (strcmp(r->method, "POST") == 0 &&
!(csrf_prot_type & CSRF_PROT_POST_WITH_TOKEN))
return 0;
given = MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND,
"X-CSRF-Token");
ret = make_csrf_token(r, given, &r->csrf_token, &age);
if (ret)
return bad_503(r, ret, "Could not make or validate CSRF token");
if (given == NULL)
return bad_req(r, EACCES, MHD_HTTP_FORBIDDEN,
"CSRF token needed; copy the X-CSRF-Token: response "
"header to your next POST");
if (strlen(given) != strlen(r->csrf_token) ||
strcmp(given, r->csrf_token) != 0)
return bad_403(r, EACCES, "Invalid CSRF token");
if (age > 300)
return bad_403(r, EACCES, "CSRF token expired");
return 0;
}
/*
* MHD callback to free the request context when MHD is done sending the
* response.
*/
static void
cleanup_req(void *cls,
struct MHD_Connection *connection,
void **con_cls,
enum MHD_RequestTerminationCode toe)
{
struct bx509_request_desc *r = *con_cls;
(void)cls;
(void)connection;
(void)toe;
clean_req_desc(r);
*con_cls = NULL;
}
/* Callback for MHD POST form data processing */
static heim_mhd_result
ip(void *cls,
enum MHD_ValueKind kind,
const char *key,
const char *content_name,
const char *content_type,
const char *transfer_encoding,
const char *val,
uint64_t off,
size_t size)
{
struct bx509_request_desc *r = cls;
struct free_tend_list *ftl = calloc(1, sizeof(*ftl));
char *keydup = strdup(key);
char *valdup = strndup(val, size);
(void)content_name; /* MIME attachment name */
(void)content_type; /* Don't care -- MHD liked it */
(void)transfer_encoding;
(void)off; /* Offset in POST data */
/*
* We're going to MHD_set_connection_value(), but we need copies because
* the MHD POST processor quite naturally keeps none of the chunks
* received.
*/
if (ftl == NULL || keydup == NULL || valdup == NULL) {
free(ftl);
free(keydup);
free(valdup);
return MHD_NO;
}
ftl->freeme1 = keydup;
ftl->freeme2 = valdup;
ftl->next = r->free_list;
r->free_list = ftl;
return MHD_set_connection_value(r->connection, MHD_GET_ARGUMENT_KIND,
keydup, valdup);
}
typedef krb5_error_code (*handler)(struct bx509_request_desc *);
struct route {
const char *local_part;
handler h;
unsigned int referer_ok:1;
} routes[] = {
{ "/get-cert", bx509, 0 },
{ "/get-negotiate-token", bnegotiate, 1 },
{ "/get-tgt", get_tgt, 0 },
{ "/get-tgts", get_tgts, 0 },
/* Lousy old names to be removed eventually */
{ "/bnegotiate", bnegotiate, 1 },
{ "/bx509", bx509, 0 },
};
/*
* We should commonalize all of:
*
* - route() and related infrastructure
* - including the CSRF functions
* - and Negotiate/Bearer authentication
*
* so that we end up with a simple framework that our daemons can invoke to
* serve simple functions that take a fully-consumed request and send a
* response.
*
* Then:
*
* - split out the CA and non-CA bits into separate daemons using that common
* code,
* - make httpkadmind use that common code,
* - abstract out all the MHD stuff.
*/
/* Routes requests */
static heim_mhd_result
route(void *cls,
struct MHD_Connection *connection,
const char *url,
const char *method,
const char *version,
const char *upload_data,
size_t *upload_data_size,
void **ctx)
{
struct bx509_request_desc *r = *ctx;
size_t i;
int ret;
if (r == NULL) {
/*
* This is the first call, right after headers were read.
*
* We must return quickly so that any 100-Continue might be sent with
* celerity. We want to make sure to send any 401s early, so we check
* WWW-Authenticate now, not later.
*
* We'll get called again to really do the processing. If we're
* handling a POST then we'll also get called with upload_data != NULL,
* possibly multiple times.
*/
if ((ret = set_req_desc(connection, method, url, &r)))
return MHD_NO;
*ctx = r;
/* All requests other than /health require authentication */
if (strcmp(url, "/health") == 0)
return MHD_YES;
/*
* Authenticate and do CSRF protection.
*
* If the Referer: header is set in the request, we don't want CSRF
* protection as only /get-negotiate-token will accept a Referer:
* header (see routes[] and below), so we'll call validate_csrf_token()
* for the other routes or reject the request for having Referer: set.
*/
ret = validate_token(r);
if (ret == 0 &&
MHD_lookup_connection_value(r->connection, MHD_HEADER_KIND, "Referer") == NULL)
ret = validate_csrf_token(r);
/*
* As this is the initial call to this handler, we must return now.
*
* If authentication or CSRF protection failed then we'll already have
* enqueued a 401, 403, or 5xx response and then we're done.
*
* If both authentication and CSRF protection succeeded then no
* response has been queued up and we'll get called again to finally
* process the request, then this entire if block will not be executed.
*/
return ret == -1 ? MHD_NO : MHD_YES;
}
/* Validate HTTP method */
if (strcmp(method, "GET") != 0 &&
strcmp(method, "POST") != 0 &&
strcmp(method, "HEAD") != 0) {
return bad_405(r, method) == -1 ? MHD_NO : MHD_YES;
}
if ((strcmp(method, "HEAD") == 0 || strcmp(method, "GET") == 0) &&
(strcmp(url, "/health") == 0 || strcmp(url, "/") == 0)) {
/* /health end-point -- no authentication, no CSRF, no nothing */
return health(method, r) == -1 ? MHD_NO : MHD_YES;
}
if (r->cname == NULL)
return bad_401(r, "Authorization token is missing");
if (strcmp(method, "POST") == 0 && *upload_data_size != 0) {
/*
* Consume all the POST body and set form data as MHD_GET_ARGUMENT_KIND
* (as if they had been URI query parameters).
*
* We have to do this before we can MHD_queue_response() as MHD will
* not consume the rest of the request body on its own, so it's an
* error to MHD_queue_response() before we've done this, and if we do
* then MHD just closes the connection.
*
* 4KB should be more than enough buffer space for all the keys we
* expect.
*/
if (r->pp == NULL)
r->pp = MHD_create_post_processor(connection, 4096, ip, r);
if (r->pp == NULL) {
ret = bad_503(r, errno ? errno : ENOMEM,
"Could not consume POST data");
return ret == -1 ? MHD_NO : MHD_YES;
}
if (r->post_data_size + *upload_data_size > 1UL<<17) {
return bad_413(r) == -1 ? MHD_NO : MHD_YES;
}
r->post_data_size += *upload_data_size;
if (MHD_post_process(r->pp, upload_data,
*upload_data_size) == MHD_NO) {
ret = bad_503(r, errno ? errno : ENOMEM,
"Could not consume POST data");
return ret == -1 ? MHD_NO : MHD_YES;
}
*upload_data_size = 0;
return MHD_YES;
}
/*
* Either this is a HEAD, a GET, or a POST whose request body has now been
* received completely and processed.
*/
/* Allow GET? */
if (strcmp(method, "GET") == 0 && !allow_GET_flag) {
/* No */
return bad_405(r, method) == -1 ? MHD_NO : MHD_YES;
}
for (i = 0; i < sizeof(routes)/sizeof(routes[0]); i++) {
if (strcmp(url, routes[i].local_part) != 0)
continue;
if (!routes[i].referer_ok &&
MHD_lookup_connection_value(r->connection,
MHD_HEADER_KIND,
"Referer") != NULL) {
ret = bad_req(r, EACCES, MHD_HTTP_FORBIDDEN,
"GET from browser not allowed");
return ret == -1 ? MHD_NO : MHD_YES;
}
if (strcmp(method, "HEAD") == 0)
ret = resp(r, MHD_HTTP_OK, MHD_RESPMEM_PERSISTENT, NULL, "", 0,
NULL);
else
ret = routes[i].h(r);
return ret == -1 ? MHD_NO : MHD_YES;
}
ret = bad_404(r, url);
return ret == -1 ? MHD_NO : MHD_YES;
}
static struct getargs args[] = {
{ "help", 'h', arg_flag, &help_flag, "Print usage message", NULL },
{ "version", '\0', arg_flag, &version_flag, "Print version", NULL },
{ NULL, 'H', arg_strings, &audiences,
"expected token audience(s)", "HOSTNAME" },
{ "daemon", 'd', arg_flag, &daemonize, "daemonize", "daemonize" },
{ "daemon-child", 0, arg_flag, &daemon_child_fd, NULL, NULL }, /* priv */
{ "reverse-proxied", 0, arg_flag, &reverse_proxied_flag,
"reverse proxied", "listen on 127.0.0.1 and do not use TLS" },
{ "port", 'p', arg_integer, &port, "port number (default: 443)", "PORT" },
{ "cache-dir", 0, arg_string, &cache_dir,
"cache directory", "DIRECTORY" },
{ "allow-GET", 0, arg_negative_flag, &allow_GET_flag, NULL, NULL },
{ "csrf-header", 0, arg_flag,
&csrf_header, "required request header", "HEADER-NAME" },
{ "csrf-protection-type", 0, arg_strings, &csrf_prot_type_strs,
"Anti-CSRF protection type", "TYPE" },
{ "csrf-key-file", 0, arg_string, &csrf_key_file,
"CSRF MAC key", "FILE" },
{ "cert", 0, arg_string, &cert_file,
"certificate file path (PEM)", "HX509-STORE" },
{ "private-key", 0, arg_string, &priv_key_file,
"private key file path (PEM)", "HX509-STORE" },
{ "thread-per-client", 't', arg_flag, &thread_per_client_flag,
"thread per-client", "use thread per-client" },
{ "verbose", 'v', arg_counter, &verbose_counter, "verbose", "run verbosely" }
};
static int
usage(int e)
{
arg_printusage(args, sizeof(args) / sizeof(args[0]), "bx509",
"\nServes RESTful GETs of /get-cert, /get-tgt, /get-tgts, and\n"
"/get-negotiate-toke, performing corresponding kx509 and, \n"
"possibly, PKINIT requests to the KDCs of the requested \n"
"realms (or just the given REALM).\n");
exit(e);
}
static int sigpipe[2] = { -1, -1 };
static void
sighandler(int sig)
{
char c = sig;
while (write(sigpipe[1], &c, sizeof(c)) == -1 && errno == EINTR)
;
}
static void
bx509_openlog(krb5_context context,
const char *svc,
krb5_log_facility **fac)
{
char **s = NULL, **p;
krb5_initlog(context, "bx509d", fac);
s = krb5_config_get_strings(context, NULL, svc, "logging", NULL);
if (s == NULL)
s = krb5_config_get_strings(context, NULL, "logging", svc, NULL);
if (s) {
for(p = s; *p; p++)
krb5_addlog_dest(context, *fac, *p);
krb5_config_free_strings(s);
} else {
char *ss;
if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
KDC_LOG_FILE) < 0)
err(1, "out of memory");
krb5_addlog_dest(context, *fac, ss);
free(ss);
}
krb5_set_warn_dest(context, *fac);
}
static const char *sysplugin_dirs[] = {
#ifdef _WIN32
"$ORIGIN",
#else
"$ORIGIN/../lib/plugin/kdc",
#endif
#ifdef __APPLE__
LIBDIR "/plugin/kdc",
#endif
NULL
};
static void
load_plugins(krb5_context context)
{
const char * const *dirs = sysplugin_dirs;
#ifndef _WIN32
char **cfdirs;
cfdirs = krb5_config_get_strings(context, NULL, "kdc", "plugin_dir", NULL);
if (cfdirs)
dirs = (const char * const *)cfdirs;
#endif
/* XXX kdc? */
_krb5_load_plugins(context, "kdc", (const char **)dirs);
#ifndef _WIN32
krb5_config_free_strings(cfdirs);
#endif
}
static void
get_csrf_prot_type(krb5_context context)
{
char * const *strs = csrf_prot_type_strs.strings;
size_t n = csrf_prot_type_strs.num_strings;
size_t i;
char **freeme = NULL;
if (csrf_header == NULL)
csrf_header = krb5_config_get_string(context, NULL, "bx509d",
"csrf_protection_csrf_header",
NULL);
if (n == 0) {
char * const *p;
strs = freeme = krb5_config_get_strings(context, NULL, "bx509d",
"csrf_protection_type", NULL);
for (p = strs; p && p; p++)
n++;
}
for (i = 0; i < n; i++) {
if (strcmp(strs[i], "GET-with-header") == 0)
csrf_prot_type |= CSRF_PROT_GET_WITH_HEADER;
else if (strcmp(strs[i], "GET-with-token") == 0)
csrf_prot_type |= CSRF_PROT_GET_WITH_TOKEN;
else if (strcmp(strs[i], "POST-with-header") == 0)
csrf_prot_type |= CSRF_PROT_POST_WITH_HEADER;
else if (strcmp(strs[i], "POST-with-token") == 0)
csrf_prot_type |= CSRF_PROT_POST_WITH_TOKEN;
}
free(freeme);
/*
* For GETs we default to no CSRF protection as our GETable resources are
* safe and idempotent and we count on the browser not to make the
* responses available to cross-site requests.
*
* But, really, we don't want browsers even making these requests since, if
* the browsers behave correctly, then there's no point, and if they don't
* behave correctly then that could be catastrophic. Of course, there's no
* guarantee that a browser won't have other catastrophic bugs, but still,
* we should probably change this default in the future:
*
* if (!(csrf_prot_type & CSRF_PROT_GET_WITH_HEADER) &&
* !(csrf_prot_type & CSRF_PROT_GET_WITH_TOKEN))
* csrf_prot_type |= <whatever-the-new-default-should-be>;
*/
/*
* For POSTs we default to CSRF protection with anti-CSRF tokens even
* though out POSTable resources are safe and idempotent when POSTed and we
* could count on the browser not to make the responses available to
* cross-site requests.
*/
if (!(csrf_prot_type & CSRF_PROT_POST_WITH_HEADER) &&
!(csrf_prot_type & CSRF_PROT_POST_WITH_TOKEN))
csrf_prot_type |= CSRF_PROT_POST_WITH_TOKEN;
}
int
main(int argc, char **argv)
{
unsigned int flags = MHD_USE_THREAD_PER_CONNECTION; /* XXX */
struct sockaddr_in sin;
struct MHD_Daemon *previous = NULL;
struct MHD_Daemon *current = NULL;
struct sigaction sa;
krb5_context context = NULL;
MHD_socket sock = MHD_INVALID_SOCKET;
char *priv_key_pem = NULL;
char *cert_pem = NULL;
char sig;
int optidx = 0;
int ret;
setprogname("bx509d");
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage(0);
if (version_flag) {
print_version(NULL);
exit(0);
}
if (argc > optidx) /* Add option to set a URI local part prefix? */
usage(1);
if (port < 0)
errx(1, "Port number must be given");
if ((errno = pthread_key_create(&k5ctx, k5_free_context)))
err(1, "Could not create thread-specific storage");
if ((errno = get_krb5_context(&context)))
err(1, "Could not init krb5 context");
bx509_openlog(context, "bx509d", &logfac);
krb5_set_log_dest(context, logfac);
load_plugins(context);
if (allow_GET_flag == -1)
warnx("It is safer to use --no-allow-GET");
get_csrf_prot_type(context);
krb5_generate_random_block((void *)&csrf_key, sizeof(csrf_key));
if (csrf_key_file == NULL)
csrf_key_file = krb5_config_get_string(context, NULL, "bx509d",
"csrf_key_file", NULL);
if (csrf_key_file) {
ssize_t bytes;
int fd;
fd = open(csrf_key_file, O_RDONLY);
if (fd == -1)
err(1, "CSRF key file missing %s", csrf_key_file);
bytes = read(fd, csrf_key, sizeof(csrf_key));
if (bytes == -1)
err(1, "Could not read CSRF key file %s", csrf_key_file);
if (bytes != sizeof(csrf_key))
errx(1, "CSRF key file too small (should be %lu) %s",
(unsigned long)sizeof(csrf_key), csrf_key_file);
}
if (audiences.num_strings == 0) {
char localhost[MAXHOSTNAMELEN];
ret = gethostname(localhost, sizeof(localhost));
if (ret == -1)
errx(1, "Could not determine local hostname; use --audience");
if ((audiences.strings =
calloc(1, sizeof(audiences.strings[0]))) == NULL ||
(audiences.strings[0] = strdup(localhost)) == NULL)
err(1, "Out of memory");
audiences.num_strings = 1;
}
if (daemonize && daemon_child_fd == -1)
daemon_child_fd = roken_detach_prep(argc, argv, "--daemon-child");
daemonize = 0;
argc -= optidx;
argv += optidx;
if (argc != 0)
usage(1);
if (cache_dir == NULL) {
char *s = NULL;
if (asprintf(&s, "%s/bx509d-XXXXXX",
getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp") == -1 ||
s == NULL ||
(cache_dir = mkdtemp(s)) == NULL)
err(1, "could not create temporary cache directory");
if (verbose_counter)
fprintf(stderr, "Note: using %s as cache directory\n", cache_dir);
atexit(rm_cache_dir);
setenv("TMPDIR", cache_dir, 1);
}
generate_key(context->hx509ctx, "impersonation", "rsa", 2048, &impersonation_key_fn);
again:
if (cert_file && !priv_key_file)
priv_key_file = cert_file;
if (cert_file) {
hx509_cursor cursor = NULL;
hx509_certs certs = NULL;
hx509_cert cert = NULL;
time_t min_cert_life = 0;
size_t len;
void *s;
ret = hx509_certs_init(context->hx509ctx, cert_file, 0, NULL, &certs);
if (ret == 0)
ret = hx509_certs_start_seq(context->hx509ctx, certs, &cursor);
while (ret == 0 &&
(ret = hx509_certs_next_cert(context->hx509ctx, certs,
cursor, &cert)) == 0 && cert) {
time_t notAfter = 0;
if (!hx509_cert_have_private_key_only(cert) &&
(notAfter = hx509_cert_get_notAfter(cert)) <= time(NULL) + 30)
errx(1, "One or more certificates in %s are expired",
cert_file);
if (notAfter) {
notAfter -= time(NULL);
if (notAfter < 600)
warnx("One or more certificates in %s expire soon",
cert_file);
/* Reload 5 minutes prior to expiration */
if (notAfter < min_cert_life || min_cert_life < 1)
min_cert_life = notAfter;
}
hx509_cert_free(cert);
}
if (certs)
(void) hx509_certs_end_seq(context->hx509ctx, certs, cursor);
if (min_cert_life > 4)
alarm(min_cert_life >> 1);
hx509_certs_free(&certs);
if (ret)
hx509_err(context->hx509ctx, 1, ret,
"could not read certificate from %s", cert_file);
if ((errno = rk_undumpdata(cert_file, &s, &len)) ||
(cert_pem = strndup(s, len)) == NULL)
err(1, "could not read certificate from %s", cert_file);
if (strlen(cert_pem) != len)
err(1, "NULs in certificate file contents: %s", cert_file);
free(s);
}
if (priv_key_file) {
size_t len;
void *s;
if ((errno = rk_undumpdata(priv_key_file, &s, &len)) ||
(priv_key_pem = strndup(s, len)) == NULL)
err(1, "could not read private key from %s", priv_key_file);
if (strlen(priv_key_pem) != len)
err(1, "NULs in private key file contents: %s", priv_key_file);
free(s);
}
if (verbose_counter > 1)
flags |= MHD_USE_DEBUG;
if (thread_per_client_flag)
flags |= MHD_USE_THREAD_PER_CONNECTION;
if (pipe(sigpipe) == -1)
err(1, "Could not set up key/cert reloading");
memset(&sa, 0, sizeof(sa));
sa.sa_handler = sighandler;
if (reverse_proxied_flag) {
/*
* We won't use TLS in the reverse proxy case, so no need to reload
* certs. But we'll still read them if given, and alarm() will get
* called.
*/
(void) signal(SIGHUP, SIG_IGN);
(void) signal(SIGUSR1, SIG_IGN);
(void) signal(SIGALRM, SIG_IGN);
} else {
(void) sigaction(SIGHUP, &sa, NULL); /* Reload key & cert */
(void) sigaction(SIGUSR1, &sa, NULL); /* Reload key & cert */
(void) sigaction(SIGALRM, &sa, NULL); /* Reload key & cert */
}
(void) sigaction(SIGINT, &sa, NULL); /* Graceful shutdown */
(void) sigaction(SIGTERM, &sa, NULL); /* Graceful shutdown */
(void) signal(SIGPIPE, SIG_IGN);
if (previous)
sock = MHD_quiesce_daemon(previous);
if (reverse_proxied_flag) {
/*
* XXX IPv6 too. Create the sockets and tell MHD_start_daemon() about
* them.
*/
sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
current = MHD_start_daemon(flags, port,
/*
* This is a connection access callback. We
* don't use it.
*/
NULL, NULL,
/* This is our request handler */
route, (char *)NULL,
MHD_OPTION_SOCK_ADDR, &sin,
MHD_OPTION_CONNECTION_LIMIT, (unsigned int)200,
MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int)10,
/* This is our request cleanup handler */
MHD_OPTION_NOTIFY_COMPLETED, cleanup_req, NULL,
MHD_OPTION_END);
} else if (sock != MHD_INVALID_SOCKET) {
/*
* Restart following a possible certificate/key rollover, reusing the
* listen socket returned by MHD_quiesce_daemon().
*/
current = MHD_start_daemon(flags | MHD_USE_SSL, port,
NULL, NULL,
route, (char *)NULL,
MHD_OPTION_HTTPS_MEM_KEY, priv_key_pem,
MHD_OPTION_HTTPS_MEM_CERT, cert_pem,
MHD_OPTION_CONNECTION_LIMIT, (unsigned int)200,
MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int)10,
MHD_OPTION_NOTIFY_COMPLETED, cleanup_req, NULL,
MHD_OPTION_LISTEN_SOCKET, sock,
MHD_OPTION_END);
sock = MHD_INVALID_SOCKET;
} else {
/*
* Initial MHD_start_daemon(), with TLS.
*
* Subsequently we'll restart reusing the listen socket this creates.
* See above.
*/
current = MHD_start_daemon(flags | MHD_USE_SSL, port,
NULL, NULL,
route, (char *)NULL,
MHD_OPTION_HTTPS_MEM_KEY, priv_key_pem,
MHD_OPTION_HTTPS_MEM_CERT, cert_pem,
MHD_OPTION_CONNECTION_LIMIT, (unsigned int)200,
MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int)10,
MHD_OPTION_NOTIFY_COMPLETED, cleanup_req, NULL,
MHD_OPTION_END);
}
if (current == NULL)
err(1, "Could not start bx509 REST service");
if (previous) {
MHD_stop_daemon(previous);
previous = NULL;
}
if (verbose_counter)
fprintf(stderr, "Ready!\n");
if (daemon_child_fd != -1)
roken_detach_finish(NULL, daemon_child_fd);
/* Wait for signal, possibly SIGALRM, to reload certs and/or exit */
while ((ret = read(sigpipe[0], &sig, sizeof(sig))) == -1 &&
errno == EINTR)
;
free(priv_key_pem);
free(cert_pem);
priv_key_pem = NULL;
cert_pem = NULL;
if (ret == 1 && (sig == SIGHUP || sig == SIGUSR1 || sig == SIGALRM)) {
/* Reload certs and restart service gracefully */
previous = current;
current = NULL;
goto again;
}
MHD_stop_daemon(current);
_krb5_unload_plugins(context, "kdc");
pthread_key_delete(k5ctx);
return 0;
}
View Git Blame Copy Permalink