source3/libads/kerberos_verify.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    kerberos utility library
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001
   6    Copyright (C) Luke Howard 2003
   7    Copyright (C) Guenther Deschner 2003, 2005
   8    Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
   9    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
  10    Copyright (C) Jeremy Allison 2007
  11
  12    This program is free software; you can redistribute it and/or modify
  13    it under the terms of the GNU General Public License as published by
  14    the Free Software Foundation; either version 3 of the License, or
  15    (at your option) any later version.
  16
  17    This program is distributed in the hope that it will be useful,
  18    but WITHOUT ANY WARRANTY; without even the implied warranty of
  19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20    GNU General Public License for more details.
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  24 */
  25
  26 #include "includes.h"
  27
  28 #ifdef HAVE_KRB5
  29
  30 #if !defined(HAVE_KRB5_PRINC_COMPONENT)
  31 const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
  32 #endif
  33
  34 /**********************************************************************************
  35  Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
  36  it's more like what microsoft does... see comment in utils/net_ads.c in the
  37  ads_keytab_add_entry function for details.
  38 ***********************************************************************************/
  39
  40 static bool ads_keytab_verify_ticket(krb5_context context,
  41                                         krb5_auth_context auth_context,
  42                                         const DATA_BLOB *ticket,
  43                                         krb5_ticket **pp_tkt,
  44                                         krb5_keyblock **keyblock,
  45                                         krb5_error_code *perr)
  46 {
  47         krb5_error_code ret = 0;
  48         bool auth_ok = False;
  49         krb5_keytab keytab = NULL;
  50         krb5_kt_cursor kt_cursor;
  51         krb5_keytab_entry kt_entry;
  52         char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
  53         char *entry_princ_s = NULL;
  54         fstring my_name, my_fqdn;
  55         int i;
  56         int number_matched_principals = 0;
  57         krb5_data packet;
  58
  59         *pp_tkt = NULL;
  60         *keyblock = NULL;
  61         *perr = 0;
  62
  63         /* Generate the list of principal names which we expect
  64          * clients might want to use for authenticating to the file
  65          * service.  We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
  66
  67         fstrcpy(my_name, global_myname());
  68
  69         my_fqdn[0] = '\0';
  70         name_to_fqdn(my_fqdn, global_myname());
  71
  72         asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm());
  73         asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm());
  74         asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm());
  75         asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
  76         asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm());
  77         asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm());
  78         asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
  79
  80         ZERO_STRUCT(kt_entry);
  81         ZERO_STRUCT(kt_cursor);
  82
  83         ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
  84         if (ret) {
  85                 DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
  86                 goto out;
  87         }
  88
  89         /* Iterate through the keytab.  For each key, if the principal
  90          * name case-insensitively matches one of the allowed formats,
  91          * try verifying the ticket using that principal. */
  92
  93         ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
  94         if (ret) {
  95                 DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
  96                 goto out;
  97         }
  98
  99         while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
 100                 ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
 101                 if (ret) {
 102                         DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
 103                                 error_message(ret)));
 104                         goto out;
 105                 }
 106
 107                 for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
 108
 109                         if (!strequal(entry_princ_s, valid_princ_formats[i])) {
 110                                 continue;
 111                         }
 112
 113                         number_matched_principals++;
 114                         packet.length = ticket->length;
 115                         packet.data = (char *)ticket->data;
 116                         *pp_tkt = NULL;
 117
 118                         ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, &packet,
 119                                                                       kt_entry.principal, keytab,
 120                                                                       NULL, pp_tkt, keyblock);
 121
 122                         if (ret) {
 123                                 DEBUG(10,("ads_keytab_verify_ticket: "
 124                                         "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
 125                                         entry_princ_s, error_message(ret)));
 126
 127                                 /* workaround for MIT:
 128                                 * as krb5_ktfile_get_entry will explicitly
 129                                 * close the krb5_keytab as soon as krb5_rd_req
 130                                 * has sucessfully decrypted the ticket but the
 131                                 * ticket is not valid yet (due to clockskew)
 132                                 * there is no point in querying more keytab
 133                                 * entries - Guenther */
 134
 135                                 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
 136                                     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
 137                                     ret == KRB5KRB_AP_ERR_SKEW) {
 138                                         break;
 139                                 }
 140                         } else {
 141                                 DEBUG(3,("ads_keytab_verify_ticket: "
 142                                         "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
 143                                         entry_princ_s));
 144                                 auth_ok = True;
 145                                 break;
 146                         }
 147                 }
 148
 149                 /* Free the name we parsed. */
 150                 SAFE_FREE(entry_princ_s);
 151
 152                 /* Free the entry we just read. */
 153                 smb_krb5_kt_free_entry(context, &kt_entry);
 154                 ZERO_STRUCT(kt_entry);
 155         }
 156         krb5_kt_end_seq_get(context, keytab, &kt_cursor);
 157
 158         ZERO_STRUCT(kt_cursor);
 159
 160   out:
 161
 162         for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
 163                 SAFE_FREE(valid_princ_formats[i]);
 164         }
 165
 166         if (!auth_ok) {
 167                 if (!number_matched_principals) {
 168                         DEBUG(3, ("ads_keytab_verify_ticket: no keytab principals matched expected file service name.\n"));
 169                 } else {
 170                         DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
 171                                 number_matched_principals));
 172                 }
 173         }
 174
 175         SAFE_FREE(entry_princ_s);
 176
 177         {
 178                 krb5_keytab_entry zero_kt_entry;
 179                 ZERO_STRUCT(zero_kt_entry);
 180                 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
 181                         smb_krb5_kt_free_entry(context, &kt_entry);
 182                 }
 183         }
 184
 185         {
 186                 krb5_kt_cursor zero_csr;
 187                 ZERO_STRUCT(zero_csr);
 188                 if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
 189                         krb5_kt_end_seq_get(context, keytab, &kt_cursor);
 190                 }
 191         }
 192
 193         if (keytab) {
 194                 krb5_kt_close(context, keytab);
 195         }
 196         *perr = ret;
 197         return auth_ok;
 198 }
 199
 200 /**********************************************************************************
 201  Try to verify a ticket using the secrets.tdb.
 202 ***********************************************************************************/
 203
 204 static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 205                                                 krb5_auth_context auth_context,
 206                                                 krb5_principal host_princ,
 207                                                 const DATA_BLOB *ticket,
 208                                                 krb5_ticket **pp_tkt,
 209                                                 krb5_keyblock **keyblock,
 210                                                 krb5_error_code *perr)
 211 {
 212         krb5_error_code ret = 0;
 213         bool auth_ok = False;
 214         char *password_s = NULL;
 215         krb5_data password;
 216         krb5_enctype enctypes[] = {
 217 #if defined(ENCTYPE_ARCFOUR_HMAC)
 218                 ENCTYPE_ARCFOUR_HMAC,
 219 #endif
 220                 ENCTYPE_DES_CBC_CRC,
 221                 ENCTYPE_DES_CBC_MD5,
 222                 ENCTYPE_NULL
 223         };
 224         krb5_data packet;
 225         int i;
 226
 227         *pp_tkt = NULL;
 228         *keyblock = NULL;
 229         *perr = 0;
 230
 231
 232         if (!secrets_init()) {
 233                 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
 234                 *perr = KRB5_CONFIG_CANTOPEN;
 235                 return False;
 236         }
 237
 238         password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
 239         if (!password_s) {
 240                 DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
 241                 *perr = KRB5_LIBOS_CANTREADPWD;
 242                 return False;
 243         }
 244
 245         password.data = password_s;
 246         password.length = strlen(password_s);
 247
 248         /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
 249
 250         packet.length = ticket->length;
 251         packet.data = (char *)ticket->data;
 252
 253         /* We need to setup a auth context with each possible encoding type in turn. */
 254         for (i=0;enctypes[i];i++) {
 255                 krb5_keyblock *key = NULL;
 256
 257                 if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
 258                         ret = ENOMEM;
 259                         goto out;
 260                 }
 261
 262                 if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
 263                         SAFE_FREE(key);
 264                         continue;
 265                 }
 266
 267                 krb5_auth_con_setuseruserkey(context, auth_context, key);
 268
 269                 if (!(ret = krb5_rd_req(context, &auth_context, &packet,
 270                                         NULL,
 271                                         NULL, NULL, pp_tkt))) {
 272                         DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
 273                                 (unsigned int)enctypes[i] ));
 274                         auth_ok = True;
 275                         krb5_copy_keyblock(context, key, keyblock);
 276                         krb5_free_keyblock(context, key);
 277                         break;
 278                 }
 279
 280                 DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
 281                                 ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
 282                                 (unsigned int)enctypes[i], error_message(ret)));
 283
 284                 /* successfully decrypted but ticket is just not valid at the moment */
 285                 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
 286                     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
 287                     ret == KRB5KRB_AP_ERR_SKEW) {
 288                         krb5_free_keyblock(context, key);
 289                         break;
 290                 }
 291
 292                 krb5_free_keyblock(context, key);
 293
 294         }
 295
 296  out:
 297         SAFE_FREE(password_s);
 298         *perr = ret;
 299         return auth_ok;
 300 }
 301
 302 /**********************************************************************************
 303  Verify an incoming ticket and parse out the principal name and
 304  authorization_data if available.
 305 ***********************************************************************************/
 306
 307 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 308                            const char *realm,
 309                            time_t time_offset,
 310                            const DATA_BLOB *ticket,
 311                            char **principal,
 312                            PAC_DATA **pac_data,
 313                            DATA_BLOB *ap_rep,
 314                            DATA_BLOB *session_key,
 315                            bool use_replay_cache)
 316 {
 317         NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
 318         NTSTATUS pac_ret;
 319         DATA_BLOB auth_data;
 320         krb5_context context = NULL;
 321         krb5_auth_context auth_context = NULL;
 322         krb5_data packet;
 323         krb5_ticket *tkt = NULL;
 324         krb5_rcache rcache = NULL;
 325         krb5_keyblock *keyblock = NULL;
 326         time_t authtime;
 327         krb5_error_code ret = 0;
 328         int flags = 0;
 329         krb5_principal host_princ = NULL;
 330         krb5_const_principal client_principal = NULL;
 331         char *host_princ_s = NULL;
 332         bool auth_ok = False;
 333         bool got_replay_mutex = False;
 334         bool got_auth_data = False;
 335
 336         ZERO_STRUCT(packet);
 337         ZERO_STRUCT(auth_data);
 338
 339         *principal = NULL;
 340         *pac_data = NULL;
 341         *ap_rep = data_blob_null;
 342         *session_key = data_blob_null;
 343
 344         initialize_krb5_error_table();
 345         ret = krb5_init_context(&context);
 346         if (ret) {
 347                 DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
 348                 return NT_STATUS_LOGON_FAILURE;
 349         }
 350
 351         if (time_offset != 0) {
 352                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 353         }
 354
 355         ret = krb5_set_default_realm(context, realm);
 356         if (ret) {
 357                 DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
 358                 goto out;
 359         }
 360
 361         /* This whole process is far more complex than I would
 362            like. We have to go through all this to allow us to store
 363            the secret internally, instead of using /etc/krb5.keytab */
 364
 365         ret = krb5_auth_con_init(context, &auth_context);
 366         if (ret) {
 367                 DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
 368                 goto out;
 369         }
 370
 371         krb5_auth_con_getflags( context, auth_context, &flags );
 372         if ( !use_replay_cache ) {
 373                 /* Disable default use of a replay cache */
 374                 flags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
 375                 krb5_auth_con_setflags( context, auth_context, flags );
 376         }
 377
 378         asprintf(&host_princ_s, "%s$", global_myname());
 379         if (!host_princ_s) {
 380                 goto out;
 381         }
 382
 383         strlower_m(host_princ_s);
 384         ret = smb_krb5_parse_name(context, host_princ_s, &host_princ);
 385         if (ret) {
 386                 DEBUG(1,("ads_verify_ticket: smb_krb5_parse_name(%s) failed (%s)\n",
 387                                         host_princ_s, error_message(ret)));
 388                 goto out;
 389         }
 390
 391
 392         if ( use_replay_cache ) {
 393
 394                 /* Lock a mutex surrounding the replay as there is no
 395                    locking in the MIT krb5 code surrounding the replay
 396                    cache... */
 397
 398                 if (!grab_server_mutex("replay cache mutex")) {
 399                         DEBUG(1,("ads_verify_ticket: unable to protect "
 400                                  "replay cache with mutex.\n"));
 401                         ret = KRB5_CC_IO;
 402                         goto out;
 403                 }
 404
 405                 got_replay_mutex = True;
 406
 407                 /* JRA. We must set the rcache here. This will prevent
 408                    replay attacks. */
 409
 410                 ret = krb5_get_server_rcache(context,
 411                                              krb5_princ_component(context, host_princ, 0),
 412                                              &rcache);
 413                 if (ret) {
 414                         DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache "
 415                                  "failed (%s)\n", error_message(ret)));
 416                         goto out;
 417                 }
 418
 419                 ret = krb5_auth_con_setrcache(context, auth_context, rcache);
 420                 if (ret) {
 421                         DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache "
 422                                  "failed (%s)\n", error_message(ret)));
 423                         goto out;
 424                 }
 425         }
 426
 427         /* Try secrets.tdb first and fallback to the krb5.keytab if
 428            necessary */
 429
 430         auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
 431                                             ticket, &tkt, &keyblock, &ret);
 432
 433         if (!auth_ok &&
 434             (ret == KRB5KRB_AP_ERR_TKT_NYV ||
 435              ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
 436              ret == KRB5KRB_AP_ERR_SKEW)) {
 437                 goto auth_failed;
 438         }
 439
 440         if (!auth_ok && lp_use_kerberos_keytab()) {
 441                 auth_ok = ads_keytab_verify_ticket(context, auth_context,
 442                                                    ticket, &tkt, &keyblock, &ret);
 443         }
 444
 445         if ( use_replay_cache ) {
 446                 release_server_mutex();
 447                 got_replay_mutex = False;
 448 #if 0
 449                 /* Heimdal leaks here, if we fix the leak, MIT crashes */
 450                 if (rcache) {
 451                         krb5_rc_close(context, rcache);
 452                 }
 453 #endif
 454         }
 455
 456  auth_failed:
 457         if (!auth_ok) {
 458                 DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
 459                          error_message(ret)));
 460                 /* Try map the error return in case it's something like
 461                  * a clock skew error.
 462                  */
 463                 sret = krb5_to_nt_status(ret);
 464                 if (NT_STATUS_IS_OK(sret) || NT_STATUS_EQUAL(sret,NT_STATUS_UNSUCCESSFUL)) {
 465                         sret = NT_STATUS_LOGON_FAILURE;
 466                 }
 467                 DEBUG(10,("ads_verify_ticket: returning error %s\n",
 468                         nt_errstr(sret) ));
 469                 goto out;
 470         }
 471
 472         authtime = get_authtime_from_tkt(tkt);
 473         client_principal = get_principal_from_tkt(tkt);
 474
 475         ret = krb5_mk_rep(context, auth_context, &packet);
 476         if (ret) {
 477                 DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
 478                         error_message(ret)));
 479                 goto out;
 480         }
 481
 482         *ap_rep = data_blob(packet.data, packet.length);
 483         if (packet.data) {
 484                 kerberos_free_data_contents(context, &packet);
 485                 ZERO_STRUCT(packet);
 486         }
 487
 488         get_krb5_smb_session_key(context, auth_context, session_key, True);
 489         dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
 490
 491 #if 0
 492         file_save("/tmp/ticket.dat", ticket->data, ticket->length);
 493 #endif
 494
 495         /* continue when no PAC is retrieved or we couldn't decode the PAC
 496            (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
 497            Kerberos tickets encrypted using a DES key) - Guenther */
 498
 499         got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
 500         if (!got_auth_data) {
 501                 DEBUG(3,("ads_verify_ticket: did not retrieve auth data. continuing without PAC\n"));
 502         }
 503
 504         if (got_auth_data) {
 505                 pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
 506                 if (!NT_STATUS_IS_OK(pac_ret)) {
 507                         DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
 508                         *pac_data = NULL;
 509                 }
 510                 data_blob_free(&auth_data);
 511         }
 512
 513 #if 0
 514 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 515         /* MIT */
 516         if (tkt->enc_part2) {
 517                 file_save("/tmp/authdata.dat",
 518                           tkt->enc_part2->authorization_data[0]->contents,
 519                           tkt->enc_part2->authorization_data[0]->length);
 520         }
 521 #else
 522         /* Heimdal */
 523         if (tkt->ticket.authorization_data) {
 524                 file_save("/tmp/authdata.dat",
 525                           tkt->ticket.authorization_data->val->ad_data.data,
 526                           tkt->ticket.authorization_data->val->ad_data.length);
 527         }
 528 #endif
 529 #endif
 530
 531         if ((ret = smb_krb5_unparse_name(context, client_principal, principal))) {
 532                 DEBUG(3,("ads_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
 533                          error_message(ret)));
 534                 sret = NT_STATUS_LOGON_FAILURE;
 535                 goto out;
 536         }
 537
 538         sret = NT_STATUS_OK;
 539
 540  out:
 541
 542         if (got_replay_mutex) {
 543                 release_server_mutex();
 544         }
 545
 546         if (!NT_STATUS_IS_OK(sret)) {
 547                 data_blob_free(&auth_data);
 548         }
 549
 550         if (!NT_STATUS_IS_OK(sret)) {
 551                 data_blob_free(ap_rep);
 552         }
 553
 554         if (host_princ) {
 555                 krb5_free_principal(context, host_princ);
 556         }
 557
 558         if (keyblock) {
 559                 krb5_free_keyblock(context, keyblock);
 560         }
 561
 562         if (tkt != NULL) {
 563                 krb5_free_ticket(context, tkt);
 564         }
 565
 566         SAFE_FREE(host_princ_s);
 567
 568         if (auth_context) {
 569                 krb5_auth_con_free(context, auth_context);
 570         }
 571
 572         if (context) {
 573                 krb5_free_context(context);
 574         }
 575
 576         return sret;
 577 }
 578
 579 #endif /* HAVE_KRB5 */