| // Copyright 2019 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "kerberos/config_parser.h" |
| |
| #include <vector> |
| |
| #include <base/stl_util.h> |
| #include <base/strings/string_split.h> |
| |
| namespace kerberos { |
| namespace { |
| |
| // Maximum depth of nested '{' in the config. |
| constexpr int kMaxGroupLevelDepth = 1000; |
| |
| // See |
| // https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html |
| // for a description of the krb5.conf format. |
| |
| // Directives that are not relations (i.e. key=value). All blacklisted. |
| const char* const kDirectives[] = {"module", "include", "includedir"}; |
| |
| // Whitelisted configuration keys in the [libdefaults] section. |
| const char* const kLibDefaultsWhitelist[] = { |
| "canonicalize", |
| "clockskew", |
| "default_tgs_enctypes", |
| "default_tkt_enctypes", |
| "dns_canonicalize_hostname", |
| "dns_lookup_kdc", |
| "extra_addresses", |
| "forwardable", |
| "ignore_acceptor_hostname", |
| "kdc_default_options", |
| "kdc_timesync", |
| "noaddresses", |
| "permitted_enctypes", |
| "preferred_preauth_types", |
| "proxiable", |
| "rdns", |
| "renew_lifetime", |
| "ticket_lifetime", |
| "udp_preference_limit", |
| }; |
| |
| // Whitelisted configuration keys in the [realms] section. |
| const char* const kRealmsWhitelist[] = { |
| "admin_server", "auth_to_local", "kdc", "kpasswd_server", "master_kdc", |
| }; |
| |
| // Whitelisted sections. Any key in "domain_realm" and "capaths" is accepted. |
| constexpr char kSectionLibdefaults[] = "libdefaults"; |
| constexpr char kSectionRealms[] = "realms"; |
| constexpr char kSectionDomainRealm[] = "domain_realm"; |
| constexpr char kSectionCapaths[] = "capaths"; |
| |
| const char* const kSectionWhitelist[] = {kSectionLibdefaults, kSectionRealms, |
| kSectionDomainRealm, kSectionCapaths}; |
| |
| // List of encryption types fields allowed inside [libdefaults] section. |
| const char* const kEnctypesFields[] = { |
| "default_tgs_enctypes", |
| "default_tkt_enctypes", |
| "permitted_enctypes", |
| }; |
| |
| // List of weak encryption types. |DEFAULT| value is also listed because it |
| // includes both weak and strong types. |
| const char* const kWeakEnctypes[] = { |
| "DEFAULT", |
| "des", |
| "des3", |
| "rc4", |
| "des-cbc-crc", |
| "des-cbc-md4", |
| "des-cbc-md5", |
| "des-cbc-raw", |
| "des-hmac-sha1", |
| "des3-cbc-raw", |
| "des3-cbc-sha1", |
| "des3-hmac-sha1", |
| "des3-cbc-sha1-kd", |
| "arcfour-hmac", |
| "rc4-hmac", |
| "arcfour-hmac-md5", |
| "arcfour-hmac-exp", |
| "rc4-hmac-exp", |
| "arcfour-hmac-md5-exp", |
| }; |
| |
| // List of strong encryption types. |DEFAULT| value is also listed because it |
| // includes both weak and strong types. |
| const char* const kStrongEnctypes[] = { |
| "DEFAULT", "aes", "aes256-cts-hmac-sha1-96", |
| "aes256-cts", "AES-256", "aes128-cts-hmac-sha1-96", |
| "aes128-cts", "AES-128", |
| }; |
| |
| ConfigErrorInfo MakeErrorInfo(ConfigErrorCode code, int line_index) { |
| ConfigErrorInfo error_info; |
| error_info.set_code(code); |
| error_info.set_line_index(line_index); |
| return error_info; |
| } |
| |
| } // namespace |
| |
| ConfigParser::ConfigParser() |
| : libdefaults_whitelist_(std::begin(kLibDefaultsWhitelist), |
| std::end(kLibDefaultsWhitelist)), |
| realms_whitelist_(std::begin(kRealmsWhitelist), |
| std::end(kRealmsWhitelist)), |
| section_whitelist_(std::begin(kSectionWhitelist), |
| std::end(kSectionWhitelist)), |
| enctypes_fields_(std::begin(kEnctypesFields), std::end(kEnctypesFields)), |
| weak_enctypes_(std::begin(kWeakEnctypes), std::end(kWeakEnctypes)), |
| strong_enctypes_(std::begin(kStrongEnctypes), std::end(kStrongEnctypes)) { |
| } |
| |
| ConfigErrorInfo ConfigParser::Validate(const std::string& krb5conf) const { |
| KerberosEncryptionTypes encryption_types; |
| return ParseConfig(krb5conf, &encryption_types); |
| } |
| |
| bool ConfigParser::GetEncryptionTypes( |
| const std::string& krb5conf, |
| KerberosEncryptionTypes* encryption_types) const { |
| ConfigErrorInfo error_info = ParseConfig(krb5conf, encryption_types); |
| return error_info.code() == CONFIG_ERROR_NONE; |
| } |
| |
| // Validates the config and gets encryption types from it. Finds the enctypes |
| // fields and maps the union of the enctypes into one of the buckets of |
| // interest: 'All', 'Strong' or 'Legacy'. If an enctypes field is missing, the |
| // default value for this field ('All') will be used. |
| ConfigErrorInfo ConfigParser::ParseConfig( |
| const std::string& krb5conf, |
| KerberosEncryptionTypes* encryption_types) const { |
| // Variables used to keep track of encryption fields and types on |krc5conf|. |
| StringSet listed_enctypes_fields; |
| bool has_weak_enctype = false; |
| bool has_strong_enctype = false; |
| |
| // Initializes |encryption_types| with the default value in our feature. It |
| // will be replaced at the end of this method, if |krb5conf| is valid. |
| *encryption_types = KerberosEncryptionTypes::kStrong; |
| |
| // Keep empty lines, they're necessary to get the line numbers right. |
| // Note: The MIT krb5 parser does not count \r as newline. |
| const std::vector<std::string> lines = base::SplitString( |
| krb5conf, "\n", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); |
| |
| // Level of nested curly braces {}. |
| int group_level = 0; |
| |
| // Opening curly braces '{' can be on the same line and on the next line. This |
| // is set to true if a '{' is expected on the next line. |
| bool expect_opening_curly_brace = false; |
| |
| // Current [section]. |
| std::string current_section; |
| |
| for (size_t line_index = 0; line_index < lines.size(); ++line_index) { |
| // Convert to c_str() and back to get rid of embedded \0's. |
| std::string line = lines.at(line_index).c_str(); |
| |
| // Are we expecting a '{' to open a { group }? |
| if (expect_opening_curly_brace) { |
| if (line.empty() || line.at(0) != '{') { |
| return MakeErrorInfo(CONFIG_ERROR_EXPECTED_OPENING_CURLY_BRACE, |
| line_index); |
| } |
| group_level++; |
| // If too nested config, exit here to prevent krb5 stack overflow. |
| if (group_level > kMaxGroupLevelDepth) |
| return MakeErrorInfo(CONFIG_ERROR_TOO_MANY_NESTED_GROUPS, line_index); |
| expect_opening_curly_brace = false; |
| continue; |
| } |
| |
| // Skip empty lines. |
| if (line.empty()) |
| continue; |
| |
| // Skip comments. |
| if (line.at(0) == ';' || line.at(0) == '#') |
| continue; |
| |
| // Bail on any |kDirectives|. |
| for (const char* directive : kDirectives) { |
| const int len = strlen(directive); |
| const int line_len = static_cast<int>(line.size()); |
| if (strncmp(line.c_str(), directive, len) == 0 && |
| (len >= line_len || isspace(line.at(len)))) { |
| return MakeErrorInfo(CONFIG_ERROR_KEY_NOT_SUPPORTED, line_index); |
| } |
| } |
| |
| // Check for '}' to close a { group }. |
| if (line.at(0) == '}') { |
| if (group_level == 0) |
| return MakeErrorInfo(CONFIG_ERROR_EXTRA_CURLY_BRACE, line_index); |
| group_level--; |
| continue; |
| } |
| |
| // Check for new [section]. |
| if (line.at(0) == '[') { |
| // Bail if section is within a { group }. |
| if (group_level > 0) |
| return MakeErrorInfo(CONFIG_ERROR_SECTION_NESTED_IN_GROUP, line_index); |
| |
| // Bail if closing bracket is missing or if there's more stuff after the |
| // closing bracket (the final marker '*' is fine). |
| std::vector<std::string> parts = base::SplitString( |
| line, "]", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL); |
| if (parts.size() != 2 || !(parts.at(1).empty() || parts.at(1) == "*")) |
| return MakeErrorInfo(CONFIG_ERROR_SECTION_SYNTAX, line_index); |
| |
| current_section = parts.at(0).substr(1); |
| |
| // Bail if the section is not supported, e.g. [appdefaults]. |
| if (current_section.empty() || |
| !base::Contains(section_whitelist_, current_section)) { |
| return MakeErrorInfo(CONFIG_ERROR_SECTION_NOT_SUPPORTED, line_index); |
| } |
| continue; |
| } |
| |
| // Check for "key = value" or "key = {". |
| std::vector<std::string> parts = base::SplitString( |
| line, "=", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); |
| |
| // Remove final marker. |
| std::string& key = parts.at(0); |
| if (key.back() == '*') |
| key.pop_back(); |
| |
| // No space allowed in the key. |
| if (std::find_if(key.begin(), key.end(), isspace) != key.end()) |
| return MakeErrorInfo(CONFIG_ERROR_RELATION_SYNTAX, line_index); |
| |
| // Final marker must come immediately after key. |
| if (key.empty() || isspace(key.back())) |
| return MakeErrorInfo(CONFIG_ERROR_RELATION_SYNTAX, line_index); |
| |
| // Is there at least one '=' sign? |
| if (parts.size() < 2) |
| return MakeErrorInfo(CONFIG_ERROR_RELATION_SYNTAX, line_index); |
| |
| const std::string& value = parts.at(1); |
| if (parts.size() == 2) { |
| // Check for a '{' to start a group. The '{' could also be on the next |
| // line. If there's anything except whitespace after '{', it counts as |
| // value, not as a group. |
| // Note: If there is more than one '=', it cannot be the start of a group, |
| // e.g. key==\n{. |
| if (value.empty()) { |
| expect_opening_curly_brace = true; |
| continue; |
| } |
| if (value == "{") { |
| group_level++; |
| // If too nested config, exit here to prevent krb5 stack overflow. |
| if (group_level > kMaxGroupLevelDepth) |
| return MakeErrorInfo(CONFIG_ERROR_TOO_MANY_NESTED_GROUPS, line_index); |
| continue; |
| } |
| } |
| |
| // Check whether we support the key. |
| if (!IsKeySupported(key, current_section, group_level)) |
| return MakeErrorInfo(CONFIG_ERROR_KEY_NOT_SUPPORTED, line_index); |
| |
| // If |key| is a enctypes field in the [libdefaults] section. |
| if (current_section == kSectionLibdefaults && group_level <= 1 && |
| base::Contains(enctypes_fields_, key)) { |
| listed_enctypes_fields.insert(key); |
| |
| // Note: encryption types can be delimited by comma or whitespace. |
| const std::vector<std::string> enctypes = base::SplitString( |
| value, ", ", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| |
| for (const std::string& type : enctypes) { |
| has_weak_enctype |= base::Contains(weak_enctypes_, type); |
| has_strong_enctype |= base::Contains(strong_enctypes_, type); |
| } |
| } |
| } |
| |
| // Note: if an enctypes field is missing, the default value is 'All'. |
| if (listed_enctypes_fields.size() < enctypes_fields_.size() || |
| (has_weak_enctype && has_strong_enctype)) { |
| *encryption_types = KerberosEncryptionTypes::kAll; |
| } else if (has_strong_enctype) { |
| *encryption_types = KerberosEncryptionTypes::kStrong; |
| } else { |
| *encryption_types = KerberosEncryptionTypes::kLegacy; |
| } |
| |
| ConfigErrorInfo error_info; |
| error_info.set_code(CONFIG_ERROR_NONE); |
| return error_info; |
| } |
| |
| bool ConfigParser::IsKeySupported(const std::string& key, |
| const std::string& section, |
| int group_level) const { |
| // Bail on anything outside of a section. |
| if (section.empty()) |
| return false; |
| |
| // Enforce only whitelisted libdefaults keys on the root and realm levels: |
| // [libdefaults] |
| // clockskew = 300 |
| // EXAMPLE.COM = { |
| // clockskew = 500 |
| // } |
| if (section == kSectionLibdefaults && group_level <= 1) { |
| return base::Contains(libdefaults_whitelist_, key); |
| } |
| |
| // Enforce only whitelisted realm keys on the root and realm levels: |
| // [realms] |
| // kdc = kerberos1.example.com |
| // EXAMPLE.COM = { |
| // kdc = kerberos2.example.com |
| // } |
| // Not sure if they can actually be at the root level, but just in case... |
| if (section == kSectionRealms && group_level <= 1) |
| return base::Contains(realms_whitelist_, key); |
| |
| // Anything else is fine (all keys of other supported sections). |
| return true; |
| } |
| |
| } // namespace kerberos |
