source3/libads/kerberos_verify.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    kerberos utility library
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001
   6    Copyright (C) Luke Howard 2003
   7    Copyright (C) Guenther Deschner 2003, 2005
   8    Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
   9    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
  10    Copyright (C) Jeremy Allison 2007
  11
  12    This program is free software; you can redistribute it and/or modify
  13    it under the terms of the GNU General Public License as published by
  14    the Free Software Foundation; either version 2 of the License, or
  15    (at your option) any later version.
  16
  17    This program is distributed in the hope that it will be useful,
  18    but WITHOUT ANY WARRANTY; without even the implied warranty of
  19    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20    GNU General Public License for more details.
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program; if not, write to the Free Software
  24    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  25 */
  26
  27 #include "includes.h"
  28
  29 #ifdef HAVE_KRB5
  30
  31 #if !defined(HAVE_KRB5_PRINC_COMPONENT)
  32 const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
  33 #endif
  34
  35 /**********************************************************************************
  36  Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
  37  it's more like what microsoft does... see comment in utils/net_ads.c in the
  38  ads_keytab_add_entry function for details.
  39 ***********************************************************************************/
  40
  41 static BOOL ads_keytab_verify_ticket(krb5_context context,
  42                                         krb5_auth_context auth_context,
  43                                         const DATA_BLOB *ticket,
  44                                         krb5_ticket **pp_tkt,
  45                                         krb5_keyblock **keyblock,
  46                                         krb5_error_code *perr)
  47 {
  48         krb5_error_code ret = 0;
  49         BOOL auth_ok = False;
  50         krb5_keytab keytab = NULL;
  51         krb5_kt_cursor kt_cursor;
  52         krb5_keytab_entry kt_entry;
  53         char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
  54         char *entry_princ_s = NULL;
  55         fstring my_name, my_fqdn;
  56         int i;
  57         int number_matched_principals = 0;
  58         krb5_data packet;
  59
  60         *pp_tkt = NULL;
  61         *keyblock = NULL;
  62         *perr = 0;
  63
  64         /* Generate the list of principal names which we expect
  65          * clients might want to use for authenticating to the file
  66          * service.  We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
  67
  68         fstrcpy(my_name, global_myname());
  69
  70         my_fqdn[0] = '\0';
  71         name_to_fqdn(my_fqdn, global_myname());
  72
  73         asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm());
  74         asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm());
  75         asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm());
  76         asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
  77         asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm());
  78         asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm());
  79         asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
  80
  81         ZERO_STRUCT(kt_entry);
  82         ZERO_STRUCT(kt_cursor);
  83
  84         ret = krb5_kt_default(context, &keytab);
  85         if (ret) {
  86                 DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
  87                 goto out;
  88         }
  89
  90         /* Iterate through the keytab.  For each key, if the principal
  91          * name case-insensitively matches one of the allowed formats,
  92          * try verifying the ticket using that principal. */
  93
  94         ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
  95         if (ret) {
  96                 DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
  97                 goto out;
  98         }
  99
 100         while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
 101                 ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
 102                 if (ret) {
 103                         DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
 104                                 error_message(ret)));
 105                         goto out;
 106                 }
 107
 108                 for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
 109
 110                         if (!strequal(entry_princ_s, valid_princ_formats[i])) {
 111                                 continue;
 112                         }
 113
 114                         number_matched_principals++;
 115                         packet.length = ticket->length;
 116                         packet.data = (char *)ticket->data;
 117                         *pp_tkt = NULL;
 118
 119                         ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, &packet,
 120                                                                       kt_entry.principal, keytab,
 121                                                                       NULL, pp_tkt, keyblock);
 122
 123                         if (ret) {
 124                                 DEBUG(10,("ads_keytab_verify_ticket: "
 125                                         "krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
 126                                         entry_princ_s, error_message(ret)));
 127
 128                                 /* workaround for MIT:
 129                                 * as krb5_ktfile_get_entry will explicitly
 130                                 * close the krb5_keytab as soon as krb5_rd_req
 131                                 * has sucessfully decrypted the ticket but the
 132                                 * ticket is not valid yet (due to clockskew)
 133                                 * there is no point in querying more keytab
 134                                 * entries - Guenther */
 135
 136                                 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
 137                                     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
 138                                     ret == KRB5KRB_AP_ERR_SKEW) {
 139                                         break;
 140                                 }
 141                         } else {
 142                                 DEBUG(3,("ads_keytab_verify_ticket: "
 143                                         "krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
 144                                         entry_princ_s));
 145                                 auth_ok = True;
 146                                 break;
 147                         }
 148                 }
 149
 150                 /* Free the name we parsed. */
 151                 SAFE_FREE(entry_princ_s);
 152
 153                 /* Free the entry we just read. */
 154                 smb_krb5_kt_free_entry(context, &kt_entry);
 155                 ZERO_STRUCT(kt_entry);
 156         }
 157         krb5_kt_end_seq_get(context, keytab, &kt_cursor);
 158
 159         ZERO_STRUCT(kt_cursor);
 160
 161   out:
 162
 163         for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
 164                 SAFE_FREE(valid_princ_formats[i]);
 165         }
 166
 167         if (!auth_ok) {
 168                 if (!number_matched_principals) {
 169                         DEBUG(3, ("ads_keytab_verify_ticket: no keytab principals matched expected file service name.\n"));
 170                 } else {
 171                         DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
 172                                 number_matched_principals));
 173                 }
 174         }
 175
 176         SAFE_FREE(entry_princ_s);
 177
 178         {
 179                 krb5_keytab_entry zero_kt_entry;
 180                 ZERO_STRUCT(zero_kt_entry);
 181                 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
 182                         smb_krb5_kt_free_entry(context, &kt_entry);
 183                 }
 184         }
 185
 186         {
 187                 krb5_kt_cursor zero_csr;
 188                 ZERO_STRUCT(zero_csr);
 189                 if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
 190                         krb5_kt_end_seq_get(context, keytab, &kt_cursor);
 191                 }
 192         }
 193
 194         if (keytab) {
 195                 krb5_kt_close(context, keytab);
 196         }
 197         *perr = ret;
 198         return auth_ok;
 199 }
 200
 201 /**********************************************************************************
 202  Try to verify a ticket using the secrets.tdb.
 203 ***********************************************************************************/
 204
 205 static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 206                                                 krb5_auth_context auth_context,
 207                                                 krb5_principal host_princ,
 208                                                 const DATA_BLOB *ticket,
 209                                                 krb5_ticket **pp_tkt,
 210                                                 krb5_keyblock **keyblock,
 211                                                 krb5_error_code *perr)
 212 {
 213         krb5_error_code ret = 0;
 214         BOOL auth_ok = False;
 215         char *password_s = NULL;
 216         krb5_data password;
 217         krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
 218         krb5_data packet;
 219         int i;
 220
 221         *pp_tkt = NULL;
 222         *keyblock = NULL;
 223         *perr = 0;
 224
 225 #if defined(ENCTYPE_ARCFOUR_HMAC)
 226         enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
 227 #endif
 228
 229         if (!secrets_init()) {
 230                 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
 231                 *perr = KRB5_CONFIG_CANTOPEN;
 232                 return False;
 233         }
 234
 235         password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
 236         if (!password_s) {
 237                 DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
 238                 *perr = KRB5_LIBOS_CANTREADPWD;
 239                 return False;
 240         }
 241
 242         password.data = password_s;
 243         password.length = strlen(password_s);
 244
 245         /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
 246
 247         packet.length = ticket->length;
 248         packet.data = (char *)ticket->data;
 249
 250         /* We need to setup a auth context with each possible encoding type in turn. */
 251         for (i=0;enctypes[i];i++) {
 252                 krb5_keyblock *key = NULL;
 253
 254                 if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
 255                         ret = ENOMEM;
 256                         goto out;
 257                 }
 258
 259                 if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
 260                         SAFE_FREE(key);
 261                         continue;
 262                 }
 263
 264                 krb5_auth_con_setuseruserkey(context, auth_context, key);
 265
 266                 if (!(ret = krb5_rd_req(context, &auth_context, &packet,
 267                                         NULL,
 268                                         NULL, NULL, pp_tkt))) {
 269                         DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
 270                                 (unsigned int)enctypes[i] ));
 271                         auth_ok = True;
 272                         krb5_copy_keyblock(context, key, keyblock);
 273                         krb5_free_keyblock(context, key);
 274                         break;
 275                 }
 276
 277                 DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
 278                                 ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
 279                                 (unsigned int)enctypes[i], error_message(ret)));
 280
 281                 /* successfully decrypted but ticket is just not valid at the moment */
 282                 if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
 283                     ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
 284                     ret == KRB5KRB_AP_ERR_SKEW) {
 285                         break;
 286                 }
 287
 288                 krb5_free_keyblock(context, key);
 289
 290         }
 291
 292  out:
 293         SAFE_FREE(password_s);
 294         *perr = ret;
 295         return auth_ok;
 296 }
 297
 298 /**********************************************************************************
 299  Verify an incoming ticket and parse out the principal name and
 300  authorization_data if available.
 301 ***********************************************************************************/
 302
 303 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 304                            const char *realm,
 305                            time_t time_offset,
 306                            const DATA_BLOB *ticket,
 307                            char **principal,
 308                            PAC_DATA **pac_data,
 309                            DATA_BLOB *ap_rep,
 310                            DATA_BLOB *session_key)
 311 {
 312         NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
 313         NTSTATUS pac_ret;
 314         DATA_BLOB auth_data;
 315         krb5_context context = NULL;
 316         krb5_auth_context auth_context = NULL;
 317         krb5_data packet;
 318         krb5_ticket *tkt = NULL;
 319         krb5_rcache rcache = NULL;
 320         krb5_keyblock *keyblock = NULL;
 321         time_t authtime;
 322         krb5_error_code ret = 0;
 323
 324         krb5_principal host_princ = NULL;
 325         krb5_const_principal client_principal = NULL;
 326         char *host_princ_s = NULL;
 327         BOOL auth_ok = False;
 328         BOOL got_replay_mutex = False;
 329         BOOL got_auth_data = False;
 330
 331         ZERO_STRUCT(packet);
 332         ZERO_STRUCT(auth_data);
 333
 334         *principal = NULL;
 335         *pac_data = NULL;
 336         *ap_rep = data_blob_null;
 337         *session_key = data_blob_null;
 338
 339         initialize_krb5_error_table();
 340         ret = krb5_init_context(&context);
 341         if (ret) {
 342                 DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
 343                 return NT_STATUS_LOGON_FAILURE;
 344         }
 345
 346         if (time_offset != 0) {
 347                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 348         }
 349
 350         ret = krb5_set_default_realm(context, realm);
 351         if (ret) {
 352                 DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
 353                 goto out;
 354         }
 355
 356         /* This whole process is far more complex than I would
 357            like. We have to go through all this to allow us to store
 358            the secret internally, instead of using /etc/krb5.keytab */
 359
 360         ret = krb5_auth_con_init(context, &auth_context);
 361         if (ret) {
 362                 DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
 363                 goto out;
 364         }
 365
 366         asprintf(&host_princ_s, "%s$", global_myname());
 367         if (!host_princ_s) {
 368                 goto out;
 369         }
 370
 371         strlower_m(host_princ_s);
 372         ret = smb_krb5_parse_name(context, host_princ_s, &host_princ);
 373         if (ret) {
 374                 DEBUG(1,("ads_verify_ticket: smb_krb5_parse_name(%s) failed (%s)\n",
 375                                         host_princ_s, error_message(ret)));
 376                 goto out;
 377         }
 378
 379
 380         /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
 381          * code surrounding the replay cache... */
 382
 383         if (!grab_server_mutex("replay cache mutex")) {
 384                 DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
 385                 ret = KRB5_CC_IO;
 386                 goto out;
 387         }
 388
 389         got_replay_mutex = True;
 390
 391         /*
 392          * JRA. We must set the rcache here. This will prevent replay attacks.
 393          */
 394
 395         ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
 396         if (ret) {
 397                 DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret)));
 398                 goto out;
 399         }
 400
 401         ret = krb5_auth_con_setrcache(context, auth_context, rcache);
 402         if (ret) {
 403                 DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
 404                 goto out;
 405         }
 406
 407         if (lp_use_kerberos_keytab()) {
 408                 auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &tkt, &keyblock, &ret);
 409         }
 410         if (!auth_ok) {
 411                 auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
 412                                                     ticket, &tkt, &keyblock, &ret);
 413         }
 414
 415         release_server_mutex();
 416         got_replay_mutex = False;
 417
 418 #if 0
 419         /* Heimdal leaks here, if we fix the leak, MIT crashes */
 420         if (rcache) {
 421                 krb5_rc_close(context, rcache);
 422         }
 423 #endif
 424
 425         if (!auth_ok) {
 426                 DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
 427                          error_message(ret)));
 428                 /* Try map the error return in case it's something like
 429                  * a clock skew error.
 430                  */
 431                 sret = krb5_to_nt_status(ret);
 432                 if (NT_STATUS_IS_OK(sret) || NT_STATUS_EQUAL(sret,NT_STATUS_UNSUCCESSFUL)) {
 433                         sret = NT_STATUS_LOGON_FAILURE;
 434                 }
 435                 DEBUG(10,("ads_verify_ticket: returning error %s\n",
 436                         nt_errstr(sret) ));
 437                 goto out;
 438         }
 439
 440         authtime = get_authtime_from_tkt(tkt);
 441         client_principal = get_principal_from_tkt(tkt);
 442
 443         ret = krb5_mk_rep(context, auth_context, &packet);
 444         if (ret) {
 445                 DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
 446                         error_message(ret)));
 447                 goto out;
 448         }
 449
 450         *ap_rep = data_blob(packet.data, packet.length);
 451         if (packet.data) {
 452                 kerberos_free_data_contents(context, &packet);
 453                 ZERO_STRUCT(packet);
 454         }
 455
 456         get_krb5_smb_session_key(context, auth_context, session_key, True);
 457         dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
 458
 459 #if 0
 460         file_save("/tmp/ticket.dat", ticket->data, ticket->length);
 461 #endif
 462
 463         /* continue when no PAC is retrieved or we couldn't decode the PAC
 464            (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
 465            Kerberos tickets encrypted using a DES key) - Guenther */
 466
 467         got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
 468         if (!got_auth_data) {
 469                 DEBUG(3,("ads_verify_ticket: did not retrieve auth data. continuing without PAC\n"));
 470         }
 471
 472         if (got_auth_data && pac_data != NULL) {
 473
 474                 pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
 475                 if (!NT_STATUS_IS_OK(pac_ret)) {
 476                         DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
 477                         *pac_data = NULL;
 478                 }
 479                 data_blob_free(&auth_data);
 480         }
 481
 482 #if 0
 483 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 484         /* MIT */
 485         if (tkt->enc_part2) {
 486                 file_save("/tmp/authdata.dat",
 487                           tkt->enc_part2->authorization_data[0]->contents,
 488                           tkt->enc_part2->authorization_data[0]->length);
 489         }
 490 #else
 491         /* Heimdal */
 492         if (tkt->ticket.authorization_data) {
 493                 file_save("/tmp/authdata.dat",
 494                           tkt->ticket.authorization_data->val->ad_data.data,
 495                           tkt->ticket.authorization_data->val->ad_data.length);
 496         }
 497 #endif
 498 #endif
 499
 500         if ((ret = smb_krb5_unparse_name(context, client_principal, principal))) {
 501                 DEBUG(3,("ads_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
 502                          error_message(ret)));
 503                 sret = NT_STATUS_LOGON_FAILURE;
 504                 goto out;
 505         }
 506
 507         sret = NT_STATUS_OK;
 508
 509  out:
 510
 511         if (got_replay_mutex) {
 512                 release_server_mutex();
 513         }
 514
 515         if (!NT_STATUS_IS_OK(sret)) {
 516                 data_blob_free(&auth_data);
 517         }
 518
 519         if (!NT_STATUS_IS_OK(sret)) {
 520                 data_blob_free(ap_rep);
 521         }
 522
 523         if (host_princ) {
 524                 krb5_free_principal(context, host_princ);
 525         }
 526
 527         if (keyblock) {
 528                 krb5_free_keyblock(context, keyblock);
 529         }
 530
 531         if (tkt != NULL) {
 532                 krb5_free_ticket(context, tkt);
 533         }
 534
 535         SAFE_FREE(host_princ_s);
 536
 537         if (auth_context) {
 538                 krb5_auth_con_free(context, auth_context);
 539         }
 540
 541         if (context) {
 542                 krb5_free_context(context);
 543         }
 544
 545         return sret;
 546 }
 547
 548 #endif /* HAVE_KRB5 */