2 * COPYRIGHT (C) 2006,2007
3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
6 * Permission is granted to use, copy, create derivative works
7 * and redistribute this software and such derivative works
8 * for any purpose, so long as the name of The University of
9 * Michigan is not used in any advertising or publicity
10 * pertaining to the use of distribution of this software
11 * without specific, written prior authorization. If the
12 * above copyright notice or any other identification of the
13 * University of Michigan is included in any copy of any
14 * portion of this software, then the disclaimer below must
17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
34 #include <krb5/krb5.h>
35 #include <krb5/preauth_plugin.h>
36 #include <k5-platform.h>
37 #include <k5-int-pkinit.h>
39 #include "pkinit_accessor.h"
42 * It is anticipated that all the special checks currently
43 * required when talking to a Longhorn server will go away
44 * by the time it is officially released and all references
45 * to the longhorn global can be removed and any code
46 * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
49 #define LONGHORN_BETA_COMPAT 1
50 #ifdef LONGHORN_BETA_COMPAT
51 extern int longhorn; /* XXX Talking to a Longhorn server? */
55 #ifndef WITHOUT_PKCS11
58 #define PKCS11_MODNAME "opensc-pkcs11.so"
59 #define PK_SIGLEN_GUESS 1000
60 #define PK_NOSLOT 999999
64 #define RSA_PROTOCOL 2
66 #define TD_TRUSTED_CERTIFIERS 104
67 #define TD_INVALID_CERTIFICATES 105
68 #define TD_DH_PARAMETERS 109
70 #define PKINIT_CTX_MAGIC 0x05551212
71 #define PKINIT_REQ_CTX_MAGIC 0xdeadbeef
73 #define PKINIT_DEFAULT_DH_MIN_BITS 2048
75 #define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
76 #define KRB5_CONF_LIBDEFAULTS "libdefaults"
77 #define KRB5_CONF_REALMS "realms"
78 #define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"
79 #define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"
80 #define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match"
81 #define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"
82 #define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"
83 #define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
84 #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
85 #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
86 #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
87 #define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn"
88 #define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mapping_file"
89 #define KRB5_CONF_PKINIT_POOL "pkinit_pool"
90 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
91 #define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
92 #define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k"
93 #define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding"
95 /* Make pkiDebug(fmt,...) print, or not. */
97 #define pkiDebug printf
99 /* Still evaluates for side effects. */
100 static inline void pkiDebug (const char *fmt, ...) { }
101 /* This is better if the compiler doesn't inline variadic functions
102 well, but gcc will warn about "left-hand operand of comma
103 expression has no effect". Still evaluates for side effects. */
104 /* #define pkiDebug (void) */
107 /* Solaris compiler doesn't grok __FUNCTION__
108 * hack for now. Fix all the uses eventually. */
109 #define __FUNCTION__ __func__
111 /* Macros to deal with converting between various data types... */
112 #define PADATA_TO_KRB5DATA(pad, k5d) \
113 (k5d)->length = (pad)->length; (k5d)->data = (char *)(pad)->contents;
114 #define OCTETDATA_TO_KRB5DATA(octd, k5d) \
115 (k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data;
117 extern const krb5_octet_data dh_oid;
120 * notes about crypto contexts:
122 * the basic idea is that there are crypto contexts that live at
123 * both the plugin level and request level. the identity context (that
124 * keeps info about your own certs and such) is separate because
125 * it is needed at different levels for the kdc and and the client.
126 * (the kdc's identity is at the plugin level, the client's identity
127 * information could change per-request.)
128 * the identity context is meant to have the entity's cert,
129 * a list of trusted and intermediate cas, a list of crls, and any
130 * pkcs11 information. the req context is meant to have the
131 * received certificate and the DH related information. the plugin
132 * context is meant to have global crypto information, i.e., OIDs
133 * and constant DH parameter information.
137 * plugin crypto context should keep plugin common information,
138 * eg., OIDs, known DHparams
140 typedef struct _pkinit_plg_crypto_context *pkinit_plg_crypto_context;
143 * request crypto context should keep reqyest common information,
144 * eg., received credentials, DH parameters of this request
146 typedef struct _pkinit_req_crypto_context *pkinit_req_crypto_context;
149 * identity context should keep information about credentials
150 * for the request, eg., my credentials, trusted ca certs,
151 * intermediate ca certs, crls, pkcs11 info
153 typedef struct _pkinit_identity_crypto_context *pkinit_identity_crypto_context;
156 * this structure keeps information about the config options
158 typedef struct _pkinit_plg_opts {
159 int require_eku; /* require EKU checking (default is true) */
160 int accept_secondary_eku;/* accept secondary EKU (default is false) */
161 int allow_upn; /* allow UPN-SAN instead of pkinit-SAN */
162 int dh_or_rsa; /* selects DH or RSA based pkinit */
163 int require_crl_checking; /* require CRL for a CA (default is false) */
164 int dh_min_bits; /* minimum DH modulus size allowed */
168 * this structure keeps options used for a given request
170 typedef struct _pkinit_req_opts {
172 int accept_secondary_eku;
175 int require_crl_checking;
176 int dh_size; /* initial request DH modulus size (default=1024) */
177 int require_hostname_match;
179 int win2k_require_cksum;
183 * information about identity from config file or command line
186 typedef struct _pkinit_identity_opts {
190 char **intermediates;
193 char *dn_mapping_file;
197 #ifndef WITHOUT_PKCS11
198 char *p11_module_name;
201 char *cert_id_string;
204 } pkinit_identity_opts;
208 * Client's plugin context
210 struct _pkinit_context {
212 pkinit_plg_crypto_context cryptoctx;
213 pkinit_plg_opts *opts;
214 pkinit_identity_opts *idopts;
216 typedef struct _pkinit_context *pkinit_context;
219 * Client's per-request context
221 struct _pkinit_req_context {
223 pkinit_req_crypto_context cryptoctx;
224 pkinit_req_opts *opts;
225 pkinit_identity_crypto_context idctx;
226 pkinit_identity_opts *idopts;
227 krb5_preauthtype pa_type;
229 typedef struct _pkinit_req_context *pkinit_req_context;
232 * KDC's (per-realm) plugin context
234 struct _pkinit_kdc_context {
236 pkinit_plg_crypto_context cryptoctx;
237 pkinit_plg_opts *opts;
238 pkinit_identity_crypto_context idctx;
239 pkinit_identity_opts *idopts;
241 unsigned int realmname_len;
243 typedef struct _pkinit_kdc_context *pkinit_kdc_context;
246 * KDC's per-request context
248 struct _pkinit_kdc_req_context {
250 pkinit_req_crypto_context cryptoctx;
251 krb5_auth_pack *rcv_auth_pack;
252 krb5_auth_pack_draft9 *rcv_auth_pack9;
253 krb5_preauthtype pa_type;
255 typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context;
258 * Functions in pkinit_lib.c
261 krb5_error_code pkinit_init_req_opts(pkinit_req_opts **);
262 void pkinit_fini_req_opts(pkinit_req_opts *);
264 krb5_error_code pkinit_init_plg_opts(pkinit_plg_opts **);
265 void pkinit_fini_plg_opts(pkinit_plg_opts *);
267 krb5_error_code pkinit_init_identity_opts(pkinit_identity_opts **idopts);
268 void pkinit_fini_identity_opts(pkinit_identity_opts *idopts);
269 krb5_error_code pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
270 pkinit_identity_opts **dest_opts);
273 * Functions in pkinit_identity.c
275 char * idtype2string(int idtype);
276 char * catype2string(int catype);
278 krb5_error_code pkinit_identity_initialize
279 (krb5_context context, /* IN */
280 pkinit_plg_crypto_context plg_cryptoctx, /* IN */
281 pkinit_req_crypto_context req_cryptoctx, /* IN */
282 pkinit_identity_opts *idopts, /* IN */
283 pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */
284 int do_matching, /* IN */
285 krb5_principal princ); /* IN (optional) */
287 krb5_error_code pkinit_cert_matching
288 (krb5_context context,
289 pkinit_plg_crypto_context plg_cryptoctx,
290 pkinit_req_crypto_context req_cryptoctx,
291 pkinit_identity_crypto_context id_cryptoctx,
292 krb5_principal princ);
295 * initialization and free functions
297 void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
298 void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
299 void init_krb5_reply_key_pack(krb5_reply_key_pack **in);
300 void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
302 void init_krb5_auth_pack(krb5_auth_pack **in);
303 void init_krb5_auth_pack_draft9(krb5_auth_pack_draft9 **in);
304 void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
305 void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
306 void init_krb5_typed_data(krb5_typed_data **in);
307 void init_krb5_subject_pk_info(krb5_subject_pk_info **in);
309 void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
310 void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
311 void free_krb5_reply_key_pack(krb5_reply_key_pack **in);
312 void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
313 void free_krb5_auth_pack(krb5_auth_pack **in);
314 void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in);
315 void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
316 void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
317 void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in);
318 void free_krb5_trusted_ca(krb5_trusted_ca ***in);
319 void free_krb5_typed_data(krb5_typed_data ***in);
320 void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
321 void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
322 void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
323 void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
324 krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);
328 * Functions in pkinit_profile.c
330 krb5_error_code pkinit_kdcdefault_strings
331 (krb5_context context, const char *realmname, const char *option,
333 krb5_error_code pkinit_kdcdefault_string
334 (krb5_context context, const char *realmname, const char *option,
336 krb5_error_code pkinit_kdcdefault_boolean
337 (krb5_context context, const char *realmname, const char *option,
338 int default_value, int *ret_value);
339 krb5_error_code pkinit_kdcdefault_integer
340 (krb5_context context, const char *realmname, const char *option,
341 int default_value, int *ret_value);
344 krb5_error_code pkinit_libdefault_strings
345 (krb5_context context, const krb5_data *realm,
346 const char *option, char ***ret_value);
347 krb5_error_code pkinit_libdefault_string
348 (krb5_context context, const krb5_data *realm,
349 const char *option, char **ret_value);
350 krb5_error_code pkinit_libdefault_boolean
351 (krb5_context context, const krb5_data *realm, const char *option,
352 int default_value, int *ret_value);
353 krb5_error_code pkinit_libdefault_integer
354 (krb5_context context, const krb5_data *realm, const char *option,
355 int default_value, int *ret_value);
358 * debugging functions
360 void print_buffer(const unsigned char *, unsigned int);
361 void print_buffer_bin(unsigned char *, unsigned int, char *);
364 * Now get crypto function declarations
366 #include "pkinit_crypto.h"
368 #endif /* _PKINIT_H */