source4/auth/kerberos/kerberos_pac.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Create and parse the krb5 PAC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005,2008
   7    Copyright (C) Andrew Tridgell 2001
   8    Copyright (C) Luke Howard 2002-2003
   9    Copyright (C) Stefan Metzmacher 2004-2005
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  24 */
  25
  26 #include "includes.h"
  27 #include "system/kerberos.h"
  28 #include "auth/auth.h"
  29 #include "auth/kerberos/kerberos.h"
  30 #include "librpc/gen_ndr/ndr_krb5pac.h"
  31 #include <ldb.h>
  32 #include "auth/auth_sam_reply.h"
  33 #include "auth/credentials/credentials.h"
  34 #include "auth/kerberos/kerberos_util.h"
  35 #include "auth/kerberos/pac_utils.h"
  36
  37  krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
  38                                     struct PAC_DATA *pac_data,
  39                                     krb5_context context,
  40                                     const krb5_keyblock *krbtgt_keyblock,
  41                                     const krb5_keyblock *service_keyblock,
  42                                     DATA_BLOB *pac)
  43 {
  44         NTSTATUS nt_status;
  45         krb5_error_code ret;
  46         enum ndr_err_code ndr_err;
  47         DATA_BLOB zero_blob = data_blob(NULL, 0);
  48         DATA_BLOB tmp_blob = data_blob(NULL, 0);
  49         struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
  50         struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
  51         uint32_t i;
  52
  53         /* First, just get the keytypes filled in (and lengths right, eventually) */
  54         for (i=0; i < pac_data->num_buffers; i++) {
  55                 if (pac_data->buffers[i].type != PAC_TYPE_KDC_CHECKSUM) {
  56                         continue;
  57                 }
  58                 kdc_checksum = &pac_data->buffers[i].info->kdc_cksum,
  59                 ret = smb_krb5_make_pac_checksum(mem_ctx,
  60                                                  &zero_blob,
  61                                                  context,
  62                                                  krbtgt_keyblock,
  63                                                  &kdc_checksum->type,
  64                                                  &kdc_checksum->signature);
  65                 if (ret) {
  66                         DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
  67                                   smb_get_krb5_error_message(context, ret, mem_ctx)));
  68                         talloc_free(pac_data);
  69                         return ret;
  70                 }
  71         }
  72
  73         for (i=0; i < pac_data->num_buffers; i++) {
  74                 if (pac_data->buffers[i].type != PAC_TYPE_SRV_CHECKSUM) {
  75                         continue;
  76                 }
  77                 srv_checksum = &pac_data->buffers[i].info->srv_cksum;
  78                 ret = smb_krb5_make_pac_checksum(mem_ctx,
  79                                                  &zero_blob,
  80                                                  context,
  81                                                  service_keyblock,
  82                                                  &srv_checksum->type,
  83                                                  &srv_checksum->signature);
  84                 if (ret) {
  85                         DEBUG(2, ("making service PAC checksum failed: %s\n",
  86                                   smb_get_krb5_error_message(context, ret, mem_ctx)));
  87                         talloc_free(pac_data);
  88                         return ret;
  89                 }
  90         }
  91
  92         if (!kdc_checksum) {
  93                 DEBUG(2, ("Invalid PAC constructed for signing, no KDC checksum present!"));
  94                 return EINVAL;
  95         }
  96         if (!srv_checksum) {
  97                 DEBUG(2, ("Invalid PAC constructed for signing, no SRV checksum present!"));
  98                 return EINVAL;
  99         }
 100
 101         /* But wipe out the actual signatures */
 102         memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
 103         memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
 104
 105         ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx,
 106                                        pac_data,
 107                                        (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
 108         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 109                 nt_status = ndr_map_error2ntstatus(ndr_err);
 110                 DEBUG(1, ("PAC (presig) push failed: %s\n", nt_errstr(nt_status)));
 111                 talloc_free(pac_data);
 112                 return EINVAL;
 113         }
 114
 115         /* Then sign the result of the previous push, where the sig was zero'ed out */
 116         ret = smb_krb5_make_pac_checksum(mem_ctx,
 117                                          &tmp_blob,
 118                                          context,
 119                                          service_keyblock,
 120                                          &srv_checksum->type,
 121                                          &srv_checksum->signature);
 122
 123         if (ret) {
 124                 DBG_WARNING("making krbtgt PAC srv_checksum failed: %s\n",
 125                             smb_get_krb5_error_message(context, ret, mem_ctx));
 126                 talloc_free(pac_data);
 127                 return ret;
 128         }
 129
 130         /* Then sign Server checksum */
 131         ret = smb_krb5_make_pac_checksum(mem_ctx,
 132                                          &srv_checksum->signature,
 133                                          context,
 134                                          krbtgt_keyblock,
 135                                          &kdc_checksum->type,
 136                                          &kdc_checksum->signature);
 137         if (ret) {
 138                 DBG_WARNING("making krbtgt PAC kdc_checksum failed: %s\n",
 139                             smb_get_krb5_error_message(context, ret, mem_ctx));
 140                 talloc_free(pac_data);
 141                 return ret;
 142         }
 143
 144         /* And push it out again, this time to the world.  This relies on determanistic pointer values */
 145         ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx,
 146                                        pac_data,
 147                                        (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
 148         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 149                 nt_status = ndr_map_error2ntstatus(ndr_err);
 150                 DEBUG(1, ("PAC (final) push failed: %s\n", nt_errstr(nt_status)));
 151                 talloc_free(pac_data);
 152                 return EINVAL;
 153         }
 154
 155         *pac = tmp_blob;
 156
 157         return ret;
 158 }
 159
 160
 161  krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
 162                                      struct auth_user_info_dc *user_info_dc,
 163                                      krb5_context context,
 164                                      const krb5_keyblock *krbtgt_keyblock,
 165                                      const krb5_keyblock *service_keyblock,
 166                                      krb5_principal client_principal,
 167                                      time_t tgs_authtime,
 168                                      DATA_BLOB *pac)
 169 {
 170         NTSTATUS nt_status;
 171         krb5_error_code ret;
 172         struct PAC_DATA *pac_data = talloc(mem_ctx, struct PAC_DATA);
 173         struct netr_SamInfo3 *sam3;
 174         union PAC_INFO *u_LOGON_INFO;
 175         struct PAC_LOGON_INFO *LOGON_INFO;
 176         union PAC_INFO *u_LOGON_NAME;
 177         struct PAC_LOGON_NAME *LOGON_NAME;
 178         union PAC_INFO *u_KDC_CHECKSUM;
 179         union PAC_INFO *u_SRV_CHECKSUM;
 180
 181         char *name;
 182
 183         enum {
 184                 PAC_BUF_LOGON_INFO = 0,
 185                 PAC_BUF_LOGON_NAME = 1,
 186                 PAC_BUF_SRV_CHECKSUM = 2,
 187                 PAC_BUF_KDC_CHECKSUM = 3,
 188                 PAC_BUF_NUM_BUFFERS = 4
 189         };
 190
 191         if (!pac_data) {
 192                 return ENOMEM;
 193         }
 194
 195         pac_data->num_buffers = PAC_BUF_NUM_BUFFERS;
 196         pac_data->version = 0;
 197
 198         pac_data->buffers = talloc_array(pac_data,
 199                                          struct PAC_BUFFER,
 200                                          pac_data->num_buffers);
 201         if (!pac_data->buffers) {
 202                 talloc_free(pac_data);
 203                 return ENOMEM;
 204         }
 205
 206         /* LOGON_INFO */
 207         u_LOGON_INFO = talloc_zero(pac_data->buffers, union PAC_INFO);
 208         if (!u_LOGON_INFO) {
 209                 talloc_free(pac_data);
 210                 return ENOMEM;
 211         }
 212         pac_data->buffers[PAC_BUF_LOGON_INFO].type = PAC_TYPE_LOGON_INFO;
 213         pac_data->buffers[PAC_BUF_LOGON_INFO].info = u_LOGON_INFO;
 214
 215         /* LOGON_NAME */
 216         u_LOGON_NAME = talloc_zero(pac_data->buffers, union PAC_INFO);
 217         if (!u_LOGON_NAME) {
 218                 talloc_free(pac_data);
 219                 return ENOMEM;
 220         }
 221         pac_data->buffers[PAC_BUF_LOGON_NAME].type = PAC_TYPE_LOGON_NAME;
 222         pac_data->buffers[PAC_BUF_LOGON_NAME].info = u_LOGON_NAME;
 223         LOGON_NAME = &u_LOGON_NAME->logon_name;
 224
 225         /* SRV_CHECKSUM */
 226         u_SRV_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO);
 227         if (!u_SRV_CHECKSUM) {
 228                 talloc_free(pac_data);
 229                 return ENOMEM;
 230         }
 231         pac_data->buffers[PAC_BUF_SRV_CHECKSUM].type = PAC_TYPE_SRV_CHECKSUM;
 232         pac_data->buffers[PAC_BUF_SRV_CHECKSUM].info = u_SRV_CHECKSUM;
 233
 234         /* KDC_CHECKSUM */
 235         u_KDC_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO);
 236         if (!u_KDC_CHECKSUM) {
 237                 talloc_free(pac_data);
 238                 return ENOMEM;
 239         }
 240         pac_data->buffers[PAC_BUF_KDC_CHECKSUM].type = PAC_TYPE_KDC_CHECKSUM;
 241         pac_data->buffers[PAC_BUF_KDC_CHECKSUM].info = u_KDC_CHECKSUM;
 242
 243         /* now the real work begins... */
 244
 245         LOGON_INFO = talloc_zero(u_LOGON_INFO, struct PAC_LOGON_INFO);
 246         if (!LOGON_INFO) {
 247                 talloc_free(pac_data);
 248                 return ENOMEM;
 249         }
 250         nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3);
 251         if (!NT_STATUS_IS_OK(nt_status)) {
 252                 DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
 253                 talloc_free(pac_data);
 254                 return EINVAL;
 255         }
 256
 257         u_LOGON_INFO->logon_info.info           = LOGON_INFO;
 258         LOGON_INFO->info3 = *sam3;
 259
 260         ret = krb5_unparse_name_flags(context, client_principal,
 261                                       KRB5_PRINCIPAL_UNPARSE_NO_REALM |
 262                                       KRB5_PRINCIPAL_UNPARSE_DISPLAY,
 263                                       &name);
 264         if (ret) {
 265                 return ret;
 266         }
 267         LOGON_NAME->account_name        = talloc_strdup(LOGON_NAME, name);
 268         free(name);
 269         /*
 270           this logon_time field is absolutely critical. This is what
 271           caused all our PAC troubles :-)
 272         */
 273         unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
 274
 275         ret = kerberos_encode_pac(mem_ctx,
 276                                   pac_data,
 277                                   context,
 278                                   krbtgt_keyblock,
 279                                   service_keyblock,
 280                                   pac);
 281         talloc_free(pac_data);
 282         return ret;
 283 }
 284
 285 static krb5_error_code kerberos_pac_buffer_present(krb5_context context,
 286                                                    const krb5_const_pac pac,
 287                                                    uint32_t type)
 288 {
 289 #ifdef SAMBA4_USES_HEIMDAL
 290         return krb5_pac_get_buffer(context, pac, type, NULL);
 291 #else /* MIT */
 292         krb5_error_code ret;
 293         krb5_data data;
 294
 295         /*
 296          * MIT won't let us pass NULL for the data parameter, so we are forced
 297          * to allocate a new buffer and then immediately free it.
 298          */
 299         ret = krb5_pac_get_buffer(context, pac, type, &data);
 300         if (ret == 0) {
 301                 krb5_free_data_contents(context, &data);
 302         }
 303         return ret;
 304 #endif /* SAMBA4_USES_HEIMDAL */
 305 }
 306
 307 krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
 308                                              krb5_const_pac pac,
 309                                              krb5_context context,
 310                                              struct auth_user_info_dc **user_info_dc,
 311                                              struct PAC_SIGNATURE_DATA *pac_srv_sig,
 312                                              struct PAC_SIGNATURE_DATA *pac_kdc_sig)
 313 {
 314         NTSTATUS nt_status;
 315         enum ndr_err_code ndr_err;
 316         krb5_error_code ret;
 317
 318         DATA_BLOB pac_logon_info_in, pac_srv_checksum_in, pac_kdc_checksum_in;
 319         krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;
 320         DATA_BLOB pac_upn_dns_info_in;
 321         krb5_data k5pac_upn_dns_info_in;
 322
 323         union PAC_INFO info;
 324         union PAC_INFO _upn_dns_info;
 325         struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
 326         struct auth_user_info_dc *user_info_dc_out;
 327
 328         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 329
 330         if (!tmp_ctx) {
 331                 return ENOMEM;
 332         }
 333
 334         ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_LOGON_INFO, &k5pac_logon_info_in);
 335         if (ret != 0) {
 336                 talloc_free(tmp_ctx);
 337                 return EINVAL;
 338         }
 339
 340         pac_logon_info_in = data_blob_const(k5pac_logon_info_in.data, k5pac_logon_info_in.length);
 341
 342         ndr_err = ndr_pull_union_blob(&pac_logon_info_in, tmp_ctx, &info,
 343                                       PAC_TYPE_LOGON_INFO,
 344                                       (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
 345         smb_krb5_free_data_contents(context, &k5pac_logon_info_in);
 346         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 347                 nt_status = ndr_map_error2ntstatus(ndr_err);
 348                 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
 349                 talloc_free(tmp_ctx);
 350                 return EINVAL;
 351         }
 352         if (info.logon_info.info == NULL) {
 353                 DEBUG(0,("can't parse the PAC LOGON_INFO: missing info pointer\n"));
 354                 talloc_free(tmp_ctx);
 355                 return EINVAL;
 356         }
 357
 358         ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_UPN_DNS_INFO,
 359                                   &k5pac_upn_dns_info_in);
 360         if (ret == ENOENT) {
 361                 ZERO_STRUCT(k5pac_upn_dns_info_in);
 362                 ret = 0;
 363         }
 364         if (ret != 0) {
 365                 talloc_free(tmp_ctx);
 366                 return EINVAL;
 367         }
 368
 369         pac_upn_dns_info_in = data_blob_const(k5pac_upn_dns_info_in.data,
 370                                               k5pac_upn_dns_info_in.length);
 371
 372         if (pac_upn_dns_info_in.length != 0) {
 373                 ndr_err = ndr_pull_union_blob(&pac_upn_dns_info_in, tmp_ctx,
 374                                               &_upn_dns_info,
 375                                               PAC_TYPE_UPN_DNS_INFO,
 376                                               (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
 377                 smb_krb5_free_data_contents(context, &k5pac_upn_dns_info_in);
 378                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 379                         nt_status = ndr_map_error2ntstatus(ndr_err);
 380                         DEBUG(0,("can't parse the PAC UPN_DNS_INFO: %s\n",
 381                                  nt_errstr(nt_status)));
 382                         talloc_free(tmp_ctx);
 383                         return EINVAL;
 384                 }
 385                 upn_dns_info = &_upn_dns_info.upn_dns_info;
 386         }
 387
 388         /* Pull this right into the normal auth system structures */
 389         nt_status = make_user_info_dc_pac(mem_ctx,
 390                                          info.logon_info.info,
 391                                          upn_dns_info,
 392                                          &user_info_dc_out);
 393         if (!NT_STATUS_IS_OK(nt_status)) {
 394                 DBG_ERR("make_user_info_dc_pac() failed -%s\n",
 395                         nt_errstr(nt_status));
 396                 NDR_PRINT_DEBUG(PAC_LOGON_INFO, info.logon_info.info);
 397                 if (upn_dns_info != NULL) {
 398                         NDR_PRINT_DEBUG(PAC_UPN_DNS_INFO, upn_dns_info);
 399                 }
 400                 talloc_free(tmp_ctx);
 401                 return EINVAL;
 402         }
 403
 404         if (pac_srv_sig) {
 405                 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
 406                 if (ret != 0) {
 407                         talloc_free(tmp_ctx);
 408                         return ret;
 409                 }
 410
 411                 pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
 412
 413                 ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig,
 414                                                pac_srv_sig,
 415                                                (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
 416                 smb_krb5_free_data_contents(context, &k5pac_srv_checksum_in);
 417                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 418                         nt_status = ndr_map_error2ntstatus(ndr_err);
 419                         DEBUG(0,("can't parse the server signature: %s\n",
 420                                  nt_errstr(nt_status)));
 421                         return EINVAL;
 422                 }
 423         }
 424
 425         if (pac_kdc_sig) {
 426                 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
 427                 if (ret != 0) {
 428                         talloc_free(tmp_ctx);
 429                         return ret;
 430                 }
 431
 432                 pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
 433
 434                 ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig,
 435                                                pac_kdc_sig,
 436                                                (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
 437                 smb_krb5_free_data_contents(context, &k5pac_kdc_checksum_in);
 438                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 439                         nt_status = ndr_map_error2ntstatus(ndr_err);
 440                         DEBUG(0,("can't parse the KDC signature: %s\n",
 441                                  nt_errstr(nt_status)));
 442                         return EINVAL;
 443                 }
 444         }
 445
 446         /*
 447          * Based on the presence of a REQUESTER_SID PAC buffer, ascertain
 448          * whether the ticket is a TGT. This helps the KDC and kpasswd service
 449          * ensure they do not accept tickets meant for the other.
 450          *
 451          * This heuristic will fail for older Samba versions and Windows prior
 452          * to Nov. 2021 updates, which lack support for the REQUESTER_SID PAC
 453          * buffer.
 454          */
 455         ret = kerberos_pac_buffer_present(context, pac, PAC_TYPE_REQUESTER_SID);
 456         if (ret == ENOENT) {
 457                 /* This probably isn't a TGT. */
 458                 user_info_dc_out->ticket_type = TICKET_TYPE_NON_TGT;
 459         } else if (ret != 0) {
 460                 talloc_free(tmp_ctx);
 461                 return ret;
 462         } else {
 463                 /* This probably is a TGT. */
 464                 user_info_dc_out->ticket_type = TICKET_TYPE_TGT;
 465         }
 466
 467         *user_info_dc = user_info_dc_out;
 468
 469         return 0;
 470 }
 471
 472
 473 NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx,
 474                                            DATA_BLOB pac_blob,
 475                                            krb5_context context,
 476                                            struct auth_user_info_dc **user_info_dc,
 477                                            struct PAC_SIGNATURE_DATA *pac_srv_sig,
 478                                            struct PAC_SIGNATURE_DATA *pac_kdc_sig)
 479 {
 480         krb5_error_code ret;
 481         krb5_pac pac;
 482         ret = krb5_pac_parse(context,
 483                              pac_blob.data, pac_blob.length,
 484                              &pac);
 485         if (ret) {
 486                 return map_nt_error_from_unix_common(ret);
 487         }
 488
 489
 490         ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig);
 491         krb5_pac_free(context, pac);
 492         if (ret) {
 493                 return map_nt_error_from_unix_common(ret);
 494         }
 495         return NT_STATUS_OK;
 496 }