source4/auth/gensec/gensec_krb5.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos backend for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
   7    Copyright (C) Andrew Tridgell 2001
   8    Copyright (C) Luke Howard 2002-2003
   9    Copyright (C) Stefan Metzmacher 2004-2005
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 2 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program; if not, write to the Free Software
  24    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  25 */
  26
  27 #include "includes.h"
  28 #include "system/kerberos.h"
  29 #include "system/time.h"
  30 #include "system/network.h"
  31 #include "auth/kerberos/kerberos.h"
  32 #include "librpc/gen_ndr/ndr_krb5pac.h"
  33 #include "auth/auth.h"
  34
  35 enum GENSEC_KRB5_STATE {
  36         GENSEC_KRB5_SERVER_START,
  37         GENSEC_KRB5_CLIENT_START,
  38         GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
  39         GENSEC_KRB5_DONE
  40 };
  41
  42 struct gensec_krb5_state {
  43         DATA_BLOB session_key;
  44         DATA_BLOB pac;
  45         enum GENSEC_KRB5_STATE state_position;
  46         struct smb_krb5_context *smb_krb5_context;
  47         krb5_auth_context auth_context;
  48         krb5_ccache ccache;
  49         krb5_data ticket;
  50         krb5_keyblock *keyblock;
  51         char *peer_principal;
  52 };
  53
  54 static int gensec_krb5_destory(void *ptr)
  55 {
  56         struct gensec_krb5_state *gensec_krb5_state = ptr;
  57
  58         if (gensec_krb5_state->ticket.length) {
  59                 kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
  60                                             &gensec_krb5_state->ticket);
  61         }
  62         /* ccache freed in a child destructor */
  63
  64         krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context,
  65                            gensec_krb5_state->keyblock);
  66
  67         if (gensec_krb5_state->auth_context) {
  68                 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context,
  69                                    gensec_krb5_state->auth_context);
  70         }
  71
  72         return 0;
  73 }
  74
  75 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
  76 {
  77         struct gensec_krb5_state *gensec_krb5_state;
  78         krb5_error_code ret = 0;
  79
  80         gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
  81         if (!gensec_krb5_state) {
  82                 return NT_STATUS_NO_MEMORY;
  83         }
  84
  85         gensec_security->private_data = gensec_krb5_state;
  86
  87         gensec_krb5_state->auth_context = NULL;
  88         gensec_krb5_state->ccache = NULL;
  89         ZERO_STRUCT(gensec_krb5_state->ticket);
  90         ZERO_STRUCT(gensec_krb5_state->keyblock);
  91         gensec_krb5_state->session_key = data_blob(NULL, 0);
  92         gensec_krb5_state->pac = data_blob(NULL, 0);
  93
  94         talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory);
  95
  96         ret = smb_krb5_init_context(gensec_krb5_state,
  97                                     &gensec_krb5_state->smb_krb5_context);
  98         if (ret) {
  99                 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
 100                          error_message(ret)));
 101                 return NT_STATUS_INTERNAL_ERROR;
 102         }
 103
 104         ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
 105         if (ret) {
 106                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
 107                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
 108                                                     ret, gensec_krb5_state)));
 109                 return NT_STATUS_INTERNAL_ERROR;
 110         }
 111
 112         return NT_STATUS_OK;
 113 }
 114
 115 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
 116 {
 117         NTSTATUS nt_status;
 118         struct gensec_krb5_state *gensec_krb5_state;
 119
 120         nt_status = gensec_krb5_start(gensec_security);
 121         if (!NT_STATUS_IS_OK(nt_status)) {
 122                 return nt_status;
 123         }
 124
 125         gensec_krb5_state = gensec_security->private_data;
 126         gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
 127
 128         return NT_STATUS_OK;
 129 }
 130
 131 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
 132 {
 133         struct gensec_krb5_state *gensec_krb5_state;
 134         krb5_error_code ret;
 135         NTSTATUS nt_status;
 136         const char *ccache_name;
 137
 138         const char *hostname = gensec_get_target_hostname(gensec_security);
 139         if (!hostname) {
 140                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
 141                 return NT_STATUS_ACCESS_DENIED;
 142         }
 143
 144         nt_status = gensec_krb5_start(gensec_security);
 145         if (!NT_STATUS_IS_OK(nt_status)) {
 146                 return nt_status;
 147         }
 148
 149         gensec_krb5_state = gensec_security->private_data;
 150         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 151
 152         /* TODO: This is effecivly a static/global variable...
 153
 154            TODO: If the user set a username, we should use an in-memory CCACHE (see below)
 155         */
 156         ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache);
 157         if (ret) {
 158                 DEBUG(1,("krb5_cc_default failed (%s)\n",
 159                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 160                 return NT_STATUS_INTERNAL_ERROR;
 161         }
 162
 163         while (1) {
 164                 {
 165                         krb5_data in_data;
 166                         in_data.length = 0;
 167
 168                         ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
 169                                           &gensec_krb5_state->auth_context,
 170                                           AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
 171                                           gensec_get_target_service(gensec_security),
 172                                           hostname,
 173                                           &in_data, gensec_krb5_state->ccache,
 174                                           &gensec_krb5_state->ticket);
 175
 176                 }
 177                 switch (ret) {
 178                 case 0:
 179                         return NT_STATUS_OK;
 180                 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 181                         DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
 182                                   hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 183                         return NT_STATUS_ACCESS_DENIED;
 184                 case KRB5KDC_ERR_PREAUTH_FAILED:
 185                 case KRB5KRB_AP_ERR_TKT_EXPIRED:
 186                 case KRB5_CC_END:
 187                         /* Too much clock skew - we will need to kinit to re-skew the clock */
 188                 case KRB5KRB_AP_ERR_SKEW:
 189                 case KRB5_KDCREP_SKEW:
 190                 {
 191                         DEBUG(3, ("kerberos (mk_req) failed: %s\n",
 192                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 193                         /* fall down to remaining code */
 194                 }
 195
 196
 197                 /* just don't print a message for these really ordinary messages */
 198                 case KRB5_FCC_NOFILE:
 199                 case KRB5_CC_NOTFOUND:
 200                 case ENOENT:
 201
 202                 nt_status = kinit_to_ccache(gensec_krb5_state,
 203                                             gensec_security->credentials,
 204                                             gensec_krb5_state->smb_krb5_context,
 205                                             &gensec_krb5_state->ccache,
 206                                             &ccache_name);
 207
 208                 if (!NT_STATUS_IS_OK(nt_status)) {
 209                         return nt_status;
 210                 }
 211                 break;
 212
 213                 default:
 214                         DEBUG(0, ("kerberos: %s\n",
 215                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
 216                         return NT_STATUS_UNSUCCESSFUL;
 217                 }
 218         }
 219 }
 220
 221
 222 /**
 223  * Check if the packet is one for this mechansim
 224  *
 225  * @param gensec_security GENSEC state
 226  * @param in The request, as a DATA_BLOB
 227  * @return Error, INVALID_PARAMETER if it's not a packet for us
 228  *                or NT_STATUS_OK if the packet is ok.
 229  */
 230
 231 static NTSTATUS gensec_krb5_magic(struct gensec_security *gensec_security,
 232                                   const DATA_BLOB *in)
 233 {
 234         if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
 235                 return NT_STATUS_OK;
 236         } else {
 237                 return NT_STATUS_INVALID_PARAMETER;
 238         }
 239 }
 240
 241
 242 /**
 243  * Next state function for the Krb5 GENSEC mechanism
 244  *
 245  * @param gensec_krb5_state KRB5 State
 246  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
 247  * @param in The request, as a DATA_BLOB
 248  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 249  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
 250  *                or NT_STATUS_OK if the user is authenticated.
 251  */
 252
 253 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 254                                    TALLOC_CTX *out_mem_ctx,
 255                                    const DATA_BLOB in, DATA_BLOB *out)
 256 {
 257         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
 258         krb5_error_code ret = 0;
 259         DATA_BLOB pac;
 260         NTSTATUS nt_status;
 261
 262         switch (gensec_krb5_state->state_position) {
 263         case GENSEC_KRB5_CLIENT_START:
 264         {
 265                 if (ret) {
 266                         DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
 267                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
 268                         nt_status = NT_STATUS_LOGON_FAILURE;
 269                 } else {
 270                         DATA_BLOB unwrapped_out;
 271
 272 #ifndef GENSEC_SEND_UNWRAPPED_KRB5 /* This should be a switch for the torture code to set */
 273                         unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
 274
 275                         /* wrap that up in a nice GSS-API wrapping */
 276                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
 277 #else
 278                         *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
 279 #endif
 280                         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
 281                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 282                 }
 283
 284                 return nt_status;
 285         }
 286
 287         case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
 288         {
 289                 krb5_data inbuf;
 290                 krb5_ap_rep_enc_part *repl = NULL;
 291                 uint8_t tok_id[2];
 292                 DATA_BLOB unwrapped_in;
 293
 294                 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
 295                         DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
 296                         dump_data_pw("Mutual authentication message:\n", in.data, in.length);
 297                         return NT_STATUS_INVALID_PARAMETER;
 298                 }
 299                 /* TODO: check the tok_id */
 300
 301                 inbuf.data = unwrapped_in.data;
 302                 inbuf.length = unwrapped_in.length;
 303                 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
 304                                   gensec_krb5_state->auth_context,
 305                                   &inbuf, &repl);
 306                 if (ret) {
 307                         DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
 308                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
 309                         dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
 310                         nt_status = NT_STATUS_ACCESS_DENIED;
 311                 } else {
 312                         *out = data_blob(NULL, 0);
 313                         nt_status = NT_STATUS_OK;
 314                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
 315                 }
 316                 if (repl) {
 317                         krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
 318                 }
 319                 return nt_status;
 320         }
 321
 322         case GENSEC_KRB5_SERVER_START:
 323         {
 324                 char *principal;
 325                 DATA_BLOB unwrapped_in;
 326                 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
 327                 uint8_t tok_id[2];
 328
 329                 if (!in.data) {
 330                         *out = unwrapped_out;
 331                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
 332                 }
 333
 334                 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
 335                 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
 336                         nt_status = ads_verify_ticket(out_mem_ctx,
 337                                                       gensec_krb5_state->smb_krb5_context,
 338                                                       gensec_krb5_state->auth_context,
 339                                                       lp_realm(),
 340                                                       gensec_get_target_service(gensec_security), &in,
 341                                                       &principal, &pac, &unwrapped_out,
 342                                                       &gensec_krb5_state->keyblock);
 343                 } else {
 344                         /* TODO: check the tok_id */
 345                         nt_status = ads_verify_ticket(out_mem_ctx,
 346                                                       gensec_krb5_state->smb_krb5_context,
 347                                                       gensec_krb5_state->auth_context,
 348                                                       lp_realm(),
 349                                                       gensec_get_target_service(gensec_security),
 350                                                       &unwrapped_in,
 351                                                       &principal, &pac, &unwrapped_out,
 352                                                       &gensec_krb5_state->keyblock);
 353                 }
 354
 355                 if (!NT_STATUS_IS_OK(nt_status)) {
 356                         return nt_status;
 357                 }
 358
 359                 if (pac.data) {
 360                         gensec_krb5_state->pac = data_blob_talloc_reference(gensec_krb5_state, &pac);
 361                 }
 362
 363                 if (NT_STATUS_IS_OK(nt_status)) {
 364                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
 365                         /* wrap that up in a nice GSS-API wrapping */
 366 #ifndef GENSEC_SEND_UNWRAPPED_KRB5
 367                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
 368 #else
 369                         *out = unwrapped_out;
 370 #endif
 371                         gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
 372                 }
 373                 return nt_status;
 374         }
 375         case GENSEC_KRB5_DONE:
 376                 return NT_STATUS_OK;
 377         }
 378
 379         return NT_STATUS_INVALID_PARAMETER;
 380 }
 381
 382 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
 383                                         DATA_BLOB *session_key)
 384 {
 385         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
 386         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
 387         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
 388         krb5_keyblock *skey;
 389         krb5_error_code err;
 390
 391         if (gensec_krb5_state->session_key.data) {
 392                 *session_key = gensec_krb5_state->session_key;
 393                 return NT_STATUS_OK;
 394         }
 395
 396         switch (gensec_security->gensec_role) {
 397         case GENSEC_CLIENT:
 398                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 399                 break;
 400         case GENSEC_SERVER:
 401                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
 402                 break;
 403         }
 404         if (err == 0 && skey != NULL) {
 405                 DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
 406                 gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state,
 407                                                 KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 408                 *session_key = gensec_krb5_state->session_key;
 409                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 410
 411                 krb5_free_keyblock(context, skey);
 412                 return NT_STATUS_OK;
 413         } else {
 414                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
 415                 return NT_STATUS_NO_USER_SESSION_KEY;
 416         }
 417 }
 418
 419 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
 420                                          struct auth_session_info **_session_info)
 421 {
 422         NTSTATUS nt_status;
 423         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
 424         struct auth_serversupplied_info *server_info = NULL;
 425         struct auth_session_info *session_info = NULL;
 426         struct PAC_LOGON_INFO *logon_info;
 427         char *p;
 428         char *principal;
 429         const char *account_name;
 430         const char *realm;
 431
 432         principal = talloc_strdup(gensec_krb5_state, gensec_krb5_state->peer_principal);
 433         NT_STATUS_HAVE_NO_MEMORY(principal);
 434
 435         p = strchr(principal, '@');
 436         if (p) {
 437                 *p = '\0';
 438                 p++;
 439                 realm = p;
 440         } else {
 441                 realm = lp_realm();
 442         }
 443         account_name = principal;
 444
 445         /* decode and verify the pac */
 446         nt_status = kerberos_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
 447                                         gensec_krb5_state->smb_krb5_context, (gensec_krb5_state->keyblock));
 448
 449         /* IF we have the PAC - otherwise we need to get this
 450          * data from elsewere - local ldb, or (TODO) lookup of some
 451          * kind...
 452          *
 453          * when heimdal can generate the PAC, we should fail if there's
 454          * no PAC present
 455          */
 456
 457         if (NT_STATUS_IS_OK(nt_status)) {
 458                 union netr_Validation validation;
 459                 validation.sam3 = &logon_info->info3;
 460                 nt_status = make_server_info_netlogon_validation(gensec_krb5_state,
 461                                                                  account_name,
 462                                                                  3, &validation,
 463                                                                  &server_info);
 464                 talloc_free(principal);
 465                 NT_STATUS_NOT_OK_RETURN(nt_status);
 466         } else {
 467                 DATA_BLOB user_sess_key = data_blob(NULL, 0);
 468                 DATA_BLOB lm_sess_key = data_blob(NULL, 0);
 469                 /* TODO: should we pass the krb5 session key in here? */
 470                 nt_status = sam_get_server_info(gensec_krb5_state, account_name, realm,
 471                                                 user_sess_key, lm_sess_key,
 472                                                 &server_info);
 473                 talloc_free(principal);
 474                 NT_STATUS_NOT_OK_RETURN(nt_status);
 475         }
 476
 477         /* references the server_info into the session_info */
 478         nt_status = auth_generate_session_info(gensec_krb5_state, server_info, &session_info);
 479         talloc_free(server_info);
 480         NT_STATUS_NOT_OK_RETURN(nt_status);
 481
 482         nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
 483         NT_STATUS_NOT_OK_RETURN(nt_status);
 484
 485         *_session_info = session_info;
 486
 487         return NT_STATUS_OK;
 488 }
 489
 490 static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security,
 491                                      uint32_t feature)
 492 {
 493         if (feature & GENSEC_FEATURE_SESSION_KEY) {
 494                 return True;
 495         }
 496
 497         return False;
 498 }
 499
 500 static const char *gensec_krb5_oids[] = {
 501         GENSEC_OID_KERBEROS5,
 502         GENSEC_OID_KERBEROS5_OLD,
 503         NULL
 504 };
 505
 506 static const struct gensec_security_ops gensec_krb5_security_ops = {
 507         .name           = "krb5",
 508         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
 509         .oid            = gensec_krb5_oids,
 510         .client_start   = gensec_krb5_client_start,
 511         .server_start   = gensec_krb5_server_start,
 512         .magic          = gensec_krb5_magic,
 513         .update         = gensec_krb5_update,
 514         .session_key    = gensec_krb5_session_key,
 515         .session_info   = gensec_krb5_session_info,
 516         .have_feature   = gensec_krb5_have_feature,
 517         .enabled        = False
 518 };
 519
 520 NTSTATUS gensec_krb5_init(void)
 521 {
 522         NTSTATUS ret;
 523
 524         ret = gensec_register(&gensec_krb5_security_ops);
 525         if (!NT_STATUS_IS_OK(ret)) {
 526                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 527                         gensec_krb5_security_ops.name));
 528                 return ret;
 529         }
 530
 531         return ret;
 532 }