Blame - vendor/gopkg.in/jcmturner/gokrb5.v7/messages/APReq.go - voltha-go

blob: e1ed4ae100880f7b27821c8cde04aa0ada675f7f [file] [log] [blame]

Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	1	package messages
				2
				3	import (
				4	"fmt"
				5	"time"
				6
				7	"github.com/jcmturner/gofork/encoding/asn1"
				8	"gopkg.in/jcmturner/gokrb5.v7/asn1tools"
				9	"gopkg.in/jcmturner/gokrb5.v7/crypto"
				10	"gopkg.in/jcmturner/gokrb5.v7/iana"
				11	"gopkg.in/jcmturner/gokrb5.v7/iana/asnAppTag"
				12	"gopkg.in/jcmturner/gokrb5.v7/iana/errorcode"
				13	"gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
				14	"gopkg.in/jcmturner/gokrb5.v7/iana/msgtype"
				15	"gopkg.in/jcmturner/gokrb5.v7/keytab"
				16	"gopkg.in/jcmturner/gokrb5.v7/krberror"
				17	"gopkg.in/jcmturner/gokrb5.v7/types"
				18	)
				19
				20	/*AP-REQ ::= [APPLICATION 14] SEQUENCE {
				21	pvno [0] INTEGER (5),
				22	msg-type [1] INTEGER (14),
				23	ap-options [2] APOptions,
				24	ticket [3] Ticket,
				25	authenticator [4] EncryptedData -- Authenticator
				26	}
				27
				28	APOptions ::= KerberosFlags
				29	-- reserved(0),
				30	-- use-session-key(1),
				31	-- mutual-required(2)*/
				32
				33	type marshalAPReq struct {
				34	PVNO int `asn1:"explicit,tag:0"`
				35	MsgType int `asn1:"explicit,tag:1"`
				36	APOptions asn1.BitString `asn1:"explicit,tag:2"`
				37	// Ticket needs to be a raw value as it is wrapped in an APPLICATION tag
				38	Ticket asn1.RawValue `asn1:"explicit,tag:3"`
				39	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
				40	}
				41
				42	// APReq implements RFC 4120 KRB_AP_REQ: https://tools.ietf.org/html/rfc4120#section-5.5.1.
				43	type APReq struct {
				44	PVNO int `asn1:"explicit,tag:0"`
				45	MsgType int `asn1:"explicit,tag:1"`
				46	APOptions asn1.BitString `asn1:"explicit,tag:2"`
				47	Ticket Ticket `asn1:"explicit,tag:3"`
				48	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
				49	Authenticator types.Authenticator `asn1:"optional"`
				50	}
				51
				52	// NewAPReq generates a new KRB_AP_REQ struct.
				53	func NewAPReq(tkt Ticket, sessionKey types.EncryptionKey, auth types.Authenticator) (APReq, error) {
				54	var a APReq
				55	ed, err := encryptAuthenticator(auth, sessionKey, tkt)
				56	if err != nil {
				57	return a, krberror.Errorf(err, krberror.KRBMsgError, "error creating Authenticator for AP_REQ")
				58	}
				59	a = APReq{
				60	PVNO: iana.PVNO,
				61	MsgType: msgtype.KRB_AP_REQ,
				62	APOptions: types.NewKrbFlags(),
				63	Ticket: tkt,
				64	EncryptedAuthenticator: ed,
				65	}
				66	return a, nil
				67	}
				68
				69	// Encrypt Authenticator
				70	func encryptAuthenticator(a types.Authenticator, sessionKey types.EncryptionKey, tkt Ticket) (types.EncryptedData, error) {
				71	var ed types.EncryptedData
				72	m, err := a.Marshal()
				73	if err != nil {
				74	return ed, krberror.Errorf(err, krberror.EncodingError, "marshaling error of EncryptedData form of Authenticator")
				75	}
				76	usage := authenticatorKeyUsage(tkt.SName)
				77	ed, err = crypto.GetEncryptedData(m, sessionKey, uint32(usage), tkt.EncPart.KVNO)
				78	if err != nil {
				79	return ed, krberror.Errorf(err, krberror.EncryptingError, "error encrypting Authenticator")
				80	}
				81	return ed, nil
				82	}
				83
				84	// DecryptAuthenticator decrypts the Authenticator within the AP_REQ.
				85	// sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.
				86	func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) error {
				87	usage := authenticatorKeyUsage(a.Ticket.SName)
				88	ab, e := crypto.DecryptEncPart(a.EncryptedAuthenticator, sessionKey, uint32(usage))
				89	if e != nil {
				90	return fmt.Errorf("error decrypting authenticator: %v", e)
				91	}
				92	err := a.Authenticator.Unmarshal(ab)
				93	if err != nil {
				94	return fmt.Errorf("error unmarshaling authenticator: %v", err)
				95	}
				96	return nil
				97	}
				98
				99	func authenticatorKeyUsage(pn types.PrincipalName) int {
				100	if pn.NameString[0] == "krbtgt" {
				101	return keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
				102	}
				103	return keyusage.AP_REQ_AUTHENTICATOR
				104	}
				105
				106	// Unmarshal bytes b into the APReq struct.
				107	func (a *APReq) Unmarshal(b []byte) error {
				108	var m marshalAPReq
				109	_, err := asn1.UnmarshalWithParams(b, &m, fmt.Sprintf("application,explicit,tag:%v", asnAppTag.APREQ))
				110	if err != nil {
				111	return krberror.Errorf(err, krberror.EncodingError, "unmarshal error of AP_REQ")
				112	}
				113	if m.MsgType != msgtype.KRB_AP_REQ {
				114	return NewKRBError(types.PrincipalName{}, "", errorcode.KRB_AP_ERR_MSG_TYPE, errorcode.Lookup(errorcode.KRB_AP_ERR_MSG_TYPE))
				115	}
				116	a.PVNO = m.PVNO
				117	a.MsgType = m.MsgType
				118	a.APOptions = m.APOptions
				119	a.EncryptedAuthenticator = m.EncryptedAuthenticator
				120	a.Ticket, err = unmarshalTicket(m.Ticket.Bytes)
				121	if err != nil {
				122	return krberror.Errorf(err, krberror.EncodingError, "unmarshaling error of Ticket within AP_REQ")
				123	}
				124	return nil
				125	}
				126
				127	// Marshal APReq struct.
				128	func (a *APReq) Marshal() ([]byte, error) {
				129	m := marshalAPReq{
				130	PVNO: a.PVNO,
				131	MsgType: a.MsgType,
				132	APOptions: a.APOptions,
				133	EncryptedAuthenticator: a.EncryptedAuthenticator,
				134	}
				135	var b []byte
				136	b, err := a.Ticket.Marshal()
				137	if err != nil {
				138	return b, err
				139	}
				140	m.Ticket = asn1.RawValue{
				141	Class: asn1.ClassContextSpecific,
				142	IsCompound: true,
				143	Tag: 3,
				144	Bytes: b,
				145	}
				146	mk, err := asn1.Marshal(m)
				147	if err != nil {
				148	return mk, krberror.Errorf(err, krberror.EncodingError, "marshaling error of AP_REQ")
				149	}
				150	mk = asn1tools.AddASNAppTag(mk, asnAppTag.APREQ)
				151	return mk, nil
				152	}
				153
				154	// Verify an AP_REQ using service's keytab, spn and max acceptable clock skew duration.
				155	// The service ticket encrypted part and authenticator will be decrypted as part of this operation.
				156	func (a APReq) Verify(kt keytab.Keytab, d time.Duration, cAddr types.HostAddress) (bool, error) {
				157	// Decrypt ticket's encrypted part with service key
				158	//TODO decrypt with service's session key from its TGT is use-to-user. Need to figure out how to get TGT.
				159	//if types.IsFlagSet(&a.APOptions, flags.APOptionUseSessionKey) {
				160	// //If the USE-SESSION-KEY flag is set in the ap-options field, it indicates to
				161	// //the server that user-to-user authentication is in use, and that the ticket
				162	// //is encrypted in the session key from the server's TGT rather than in the server's secret key.
				163	// err := a.Ticket.Decrypt(tgt.DecryptedEncPart.Key)
				164	// if err != nil {
				165	// return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of ticket provided using session key")
				166	// }
				167	//} else {
				168	// // Because it is possible for the server to be registered in multiple
				169	// // realms, with different keys in each, the srealm field in the
				170	// // unencrypted portion of the ticket in the KRB_AP_REQ is used to
				171	// // specify which secret key the server should use to decrypt that
				172	// // ticket.The KRB_AP_ERR_NOKEY error code is returned if the server
				173	// // doesn't have the proper key to decipher the ticket.
				174	// // The ticket is decrypted using the version of the server's key
				175	// // specified by the ticket.
				176	// err := a.Ticket.DecryptEncPart(*kt, &a.Ticket.SName)
				177	// if err != nil {
				178	// return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
				179	// }
				180	//}
				181	err := a.Ticket.DecryptEncPart(kt, &a.Ticket.SName)
				182	if err != nil {
				183	return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
				184	}
				185
				186	// Check time validity of ticket
				187	ok, err := a.Ticket.Valid(d)
				188	if err != nil \|\| !ok {
				189	return ok, err
				190	}
				191
				192	// Check client's address is listed in the client addresses in the ticket
				193	if len(a.Ticket.DecryptedEncPart.CAddr) > 0 {
				194	//The addresses in the ticket (if any) are then searched for an address matching the operating-system reported
				195	//address of the client. If no match is found or the server insists on ticket addresses but none are present in
				196	//the ticket, the KRB_AP_ERR_BADADDR error is returned.
				197	if !types.HostAddressesContains(a.Ticket.DecryptedEncPart.CAddr, cAddr) {
				198	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "client address not within the list contained in the service ticket")
				199	}
				200	}
				201
				202	// Decrypt authenticator with session key from ticket's encrypted part
				203	err = a.DecryptAuthenticator(a.Ticket.DecryptedEncPart.Key)
				204	if err != nil {
				205	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BAD_INTEGRITY, "could not decrypt authenticator")
				206	}
				207
				208	// Check CName in authenticator is the same as that in the ticket
				209	if !a.Authenticator.CName.Equal(a.Ticket.DecryptedEncPart.CName) {
				210	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BADMATCH, "CName in Authenticator does not match that in service ticket")
				211	}
				212
				213	// Check the clock skew between the client and the service server
				214	ct := a.Authenticator.CTime.Add(time.Duration(a.Authenticator.Cusec) * time.Microsecond)
				215	t := time.Now().UTC()
				216	if t.Sub(ct) > d \|\| ct.Sub(t) > d {
				217	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_SKEW, fmt.Sprintf("clock skew with client too large. greater than %v seconds", d))
				218	}
				219	return true, nil
				220	}