source4/auth/kerberos/kerberos_pac.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos backend for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
   7    Copyright (C) Andrew Tridgell 2001
   8    Copyright (C) Luke Howard 2002-2003
   9    Copyright (C) Stefan Metzmacher 2004-2005
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 2 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21
  22    You should have received a copy of the GNU General Public License
  23    along with this program; if not, write to the Free Software
  24    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  25 */
  26
  27 #include "includes.h"
  28 #include "system/kerberos.h"
  29 #include "system/time.h"
  30 #include "system/network.h"
  31 #include "auth/kerberos/kerberos.h"
  32 #include "librpc/gen_ndr/ndr_krb5pac.h"
  33 #include "auth/auth.h"
  34
  35 static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
  36                                       DATA_BLOB pac_data,
  37                                       struct PAC_SIGNATURE_DATA *sig,
  38                                       struct smb_krb5_context *smb_krb5_context,
  39                                       krb5_keyblock *keyblock,
  40                                       uint32_t keyusage)
  41 {
  42         krb5_error_code ret;
  43         krb5_crypto crypto;
  44         Checksum cksum;
  45         int i;
  46
  47         cksum.cksumtype         = (CKSUMTYPE)sig->type;
  48         cksum.checksum.length   = sizeof(sig->signature);
  49         cksum.checksum.data     = sig->signature;
  50
  51
  52         ret = krb5_crypto_init(smb_krb5_context->krb5_context,
  53                                keyblock,
  54                                0,
  55                                &crypto);
  56         if (ret) {
  57                 DEBUG(0,("krb5_crypto_init() failed\n"));
  58                 return NT_STATUS_FOOBAR;
  59         }
  60         for (i=0; i < 40; i++) {
  61                 keyusage = i;
  62                 ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
  63                                            crypto,
  64                                            keyusage,
  65                                            pac_data.data,
  66                                            pac_data.length,
  67                                            &cksum);
  68                 if (!ret) {
  69                         DEBUG(0, ("PAC Verified: keyusage: %d\n", keyusage));
  70                         break;
  71                 } else {
  72                         DEBUG(2, ("PAC Verification failed: %s\n",
  73                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
  74                 }
  75         }
  76
  77         krb5_crypto_destroy(smb_krb5_context->krb5_context, crypto);
  78
  79         if (ret) {
  80                 DEBUG(0,("NOT verifying PAC checksums yet!\n"));
  81                 //return NT_STATUS_LOGON_FAILURE;
  82         } else {
  83                 DEBUG(0,("PAC checksums verified!\n"));
  84         }
  85
  86         return NT_STATUS_OK;
  87 }
  88
  89  NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
  90                              struct PAC_LOGON_INFO **logon_info_out,
  91                              DATA_BLOB blob,
  92                              struct smb_krb5_context *smb_krb5_context,
  93                              krb5_keyblock *keyblock)
  94 {
  95         NTSTATUS status;
  96         struct PAC_SIGNATURE_DATA srv_sig;
  97         struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
  98         struct PAC_SIGNATURE_DATA kdc_sig;
  99         struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
 100         struct PAC_LOGON_INFO *logon_info = NULL;
 101         struct PAC_DATA pac_data;
 102         DATA_BLOB modified_pac_blob = data_blob_talloc(mem_ctx, blob.data, blob.length);
 103         DATA_BLOB tmp_blob;
 104         int i;
 105
 106         status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
 107                                         (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
 108         if (!NT_STATUS_IS_OK(status)) {
 109                 DEBUG(0,("can't parse the PAC\n"));
 110                 return status;
 111         }
 112         NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
 113
 114         if (pac_data.num_buffers < 3) {
 115                 /* we need logon_ingo, service_key and kdc_key */
 116                 DEBUG(0,("less than 3 PAC buffers\n"));
 117                 return NT_STATUS_FOOBAR;
 118         }
 119
 120         for (i=0; i < pac_data.num_buffers; i++) {
 121                 switch (pac_data.buffers[i].type) {
 122                         case PAC_TYPE_LOGON_INFO:
 123                                 if (!pac_data.buffers[i].info) {
 124                                         break;
 125                                 }
 126                                 logon_info = &pac_data.buffers[i].info->logon_info;
 127                                 break;
 128                         case PAC_TYPE_SRV_CHECKSUM:
 129                                 if (!pac_data.buffers[i].info) {
 130                                         break;
 131                                 }
 132                                 srv_sig_ptr = &pac_data.buffers[i].info->srv_cksum;
 133                                 srv_sig = pac_data.buffers[i].info->srv_cksum;
 134                                 break;
 135                         case PAC_TYPE_KDC_CHECKSUM:
 136                                 if (!pac_data.buffers[i].info) {
 137                                         break;
 138                                 }
 139                                 kdc_sig_ptr = &pac_data.buffers[i].info->kdc_cksum;
 140                                 kdc_sig = pac_data.buffers[i].info->kdc_cksum;
 141                                 break;
 142                         case PAC_TYPE_UNKNOWN_10:
 143                                 break;
 144                         default:
 145                                 break;
 146                 }
 147         }
 148
 149         if (!logon_info) {
 150                 DEBUG(0,("PAC no logon_info\n"));
 151                 return NT_STATUS_FOOBAR;
 152         }
 153
 154         if (!srv_sig_ptr) {
 155                 DEBUG(0,("PAC no srv_key\n"));
 156                 return NT_STATUS_FOOBAR;
 157         }
 158
 159         if (!kdc_sig_ptr) {
 160                 DEBUG(0,("PAC no kdc_key\n"));
 161                 return NT_STATUS_FOOBAR;
 162         }
 163
 164         memset(&modified_pac_blob.data[modified_pac_blob.length - 48],
 165                '\0', 48);
 166
 167         status = ndr_pull_struct_blob(&modified_pac_blob, mem_ctx, &pac_data,
 168                                         (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
 169         if (!NT_STATUS_IS_OK(status)) {
 170                 DEBUG(0,("can't parse the PAC\n"));
 171                 return status;
 172         }
 173         NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
 174
 175         /* verify by servie_key */
 176         status = kerberos_pac_checksum(mem_ctx,
 177                                        modified_pac_blob, &srv_sig,
 178                                        smb_krb5_context, keyblock, 0);
 179
 180         if (!NT_STATUS_IS_OK(status)) {
 181                 return status;
 182         }
 183         DEBUG(0,("account_name: %s [%s]\n",
 184                  logon_info->info3.base.account_name.string,
 185                  logon_info->info3.base.full_name.string));
 186         *logon_info_out = logon_info;
 187
 188         return status;
 189 }
 190