source3/librpc/crypto/gse_krb5.c

   1 /*
   2  *  GSSAPI Security Extensions
   3  *  Krb5 helpers
   4  *  Copyright (C) Simo Sorce 2010.
   5  *
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 3 of the License, or
   9  *  (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  18  */
  19
  20 #include "includes.h"
  21 #include "smb_krb5.h"
  22 #include "secrets.h"
  23 #include "gse_krb5.h"
  24
  25 #ifdef HAVE_KRB5
  26
  27 static krb5_error_code flush_keytab(krb5_context krbctx, krb5_keytab keytab)
  28 {
  29         krb5_error_code ret;
  30         krb5_kt_cursor kt_cursor;
  31         krb5_keytab_entry kt_entry;
  32
  33         ZERO_STRUCT(kt_entry);
  34
  35         ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
  36         if (ret == KRB5_KT_END || ret == ENOENT ) {
  37                 /* no entries */
  38                 return 0;
  39         }
  40
  41         ret = krb5_kt_next_entry(krbctx, keytab, &kt_entry, &kt_cursor);
  42         while (ret == 0) {
  43
  44                 /* we need to close and reopen enumeration because we modify
  45                  * the keytab */
  46                 ret = krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
  47                 if (ret) {
  48                         DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
  49                                   "failed (%s)\n", error_message(ret)));
  50                         goto out;
  51                 }
  52
  53                 /* remove the entry */
  54                 ret = krb5_kt_remove_entry(krbctx, keytab, &kt_entry);
  55                 if (ret) {
  56                         DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
  57                                   "failed (%s)\n", error_message(ret)));
  58                         goto out;
  59                 }
  60                 ret = smb_krb5_kt_free_entry(krbctx, &kt_entry);
  61                 ZERO_STRUCT(kt_entry);
  62
  63                 /* now reopen */
  64                 ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
  65                 if (ret) {
  66                         DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
  67                                   "(%s)\n", error_message(ret)));
  68                         goto out;
  69                 }
  70
  71                 ret = krb5_kt_next_entry(krbctx, keytab,
  72                                          &kt_entry, &kt_cursor);
  73         }
  74
  75         if (ret != KRB5_KT_END && ret != ENOENT) {
  76                 DEBUG(1, (__location__ ": flushing keytab we got [%s]!\n",
  77                           error_message(ret)));
  78         }
  79
  80         ret = 0;
  81
  82 out:
  83         return ret;
  84 }
  85
  86 static krb5_error_code get_host_principal(krb5_context krbctx,
  87                                           krb5_principal *host_princ)
  88 {
  89         krb5_error_code ret;
  90         char *host_princ_s = NULL;
  91         int err;
  92
  93         err = asprintf(&host_princ_s, "%s$@%s", global_myname(), lp_realm());
  94         if (err == -1) {
  95                 return -1;
  96         }
  97
  98         strlower_m(host_princ_s);
  99         ret = smb_krb5_parse_name(krbctx, host_princ_s, host_princ);
 100         if (ret) {
 101                 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
 102                           "failed (%s)\n",
 103                           host_princ_s, error_message(ret)));
 104         }
 105
 106         SAFE_FREE(host_princ_s);
 107         return ret;
 108 }
 109
 110 static krb5_error_code fill_keytab_from_password(krb5_context krbctx,
 111                                                  krb5_keytab keytab,
 112                                                  krb5_principal princ,
 113                                                  krb5_kvno vno,
 114                                                  krb5_data *password)
 115 {
 116         krb5_error_code ret;
 117         krb5_enctype *enctypes;
 118         krb5_keytab_entry kt_entry;
 119         unsigned int i;
 120
 121         ret = get_kerberos_allowed_etypes(krbctx, &enctypes);
 122         if (ret) {
 123                 DEBUG(1, (__location__
 124                           ": Can't determine permitted enctypes!\n"));
 125                 return ret;
 126         }
 127
 128         for (i = 0; enctypes[i]; i++) {
 129                 krb5_keyblock *key = NULL;
 130
 131                 if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
 132                         ret = ENOMEM;
 133                         goto out;
 134                 }
 135
 136                 if (create_kerberos_key_from_string(krbctx, princ,
 137                                                     password, key,
 138                                                     enctypes[i], false)) {
 139                         DEBUG(10, ("Failed to create key for enctype %d "
 140                                    "(error: %s)\n",
 141                                    enctypes[i], error_message(ret)));
 142                         SAFE_FREE(key);
 143                         continue;
 144                 }
 145
 146                 kt_entry.principal = princ;
 147                 kt_entry.vno = vno;
 148                 *(KRB5_KT_KEY(&kt_entry)) = *key;
 149
 150                 ret = krb5_kt_add_entry(krbctx, keytab, &kt_entry);
 151                 if (ret) {
 152                         DEBUG(1, (__location__ ": Failed to add entry to "
 153                                   "keytab for enctype %d (error: %s)\n",
 154                                    enctypes[i], error_message(ret)));
 155                         krb5_free_keyblock(krbctx, key);
 156                         goto out;
 157                 }
 158
 159                 krb5_free_keyblock(krbctx, key);
 160         }
 161
 162         ret = 0;
 163
 164 out:
 165         SAFE_FREE(enctypes);
 166         return ret;
 167 }
 168
 169 #define SRV_MEM_KEYTAB_NAME "MEMORY:cifs_srv_keytab"
 170 #define CLEARTEXT_PRIV_ENCTYPE -99
 171
 172 static krb5_error_code get_mem_keytab_from_secrets(krb5_context krbctx,
 173                                                    krb5_keytab *keytab)
 174 {
 175         krb5_error_code ret;
 176         char *pwd = NULL;
 177         size_t pwd_len;
 178         krb5_kt_cursor kt_cursor;
 179         krb5_keytab_entry kt_entry;
 180         krb5_data password;
 181         krb5_principal princ = NULL;
 182         krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
 183         char *pwd_old = NULL;
 184
 185         if (!secrets_init()) {
 186                 DEBUG(1, (__location__ ": secrets_init failed\n"));
 187                 return KRB5_CONFIG_CANTOPEN;
 188         }
 189
 190         pwd = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
 191         if (!pwd) {
 192                 DEBUG(2, (__location__ ": failed to fetch machine password\n"));
 193                 return KRB5_LIBOS_CANTREADPWD;
 194         }
 195         pwd_len = strlen(pwd);
 196
 197         if (*keytab == NULL) {
 198                 /* create memory keytab */
 199                 ret = krb5_kt_resolve(krbctx, SRV_MEM_KEYTAB_NAME, keytab);
 200                 if (ret) {
 201                         DEBUG(1, (__location__ ": Failed to get memory "
 202                                   "keytab!\n"));
 203                         return ret;
 204                 }
 205         }
 206
 207         ZERO_STRUCT(kt_entry);
 208         ZERO_STRUCT(kt_cursor);
 209
 210         /* check if the keytab already has any entry */
 211         ret = krb5_kt_start_seq_get(krbctx, *keytab, &kt_cursor);
 212         if (ret != KRB5_KT_END && ret != ENOENT ) {
 213                 /* check if we have our special enctype used to hold
 214                  * the clear text password. If so, check it out so that
 215                  * we can verify if the keytab needs to be upgraded */
 216                 while ((ret = krb5_kt_next_entry(krbctx, *keytab,
 217                                            &kt_entry, &kt_cursor)) == 0) {
 218                         if (smb_get_enctype_from_kt_entry(&kt_entry) == CLEARTEXT_PRIV_ENCTYPE) {
 219                                 break;
 220                         }
 221                         smb_krb5_kt_free_entry(krbctx, &kt_entry);
 222                         ZERO_STRUCT(kt_entry);
 223                 }
 224
 225                 if (ret != 0 && ret != KRB5_KT_END && ret != ENOENT ) {
 226                         /* Error parsing keytab */
 227                         DEBUG(1, (__location__ ": Failed to parse memory "
 228                                   "keytab!\n"));
 229                         goto out;
 230                 }
 231
 232                 if (ret == 0) {
 233                         /* found private entry,
 234                          * check if keytab is up to date */
 235
 236                         if ((pwd_len == KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry))) &&
 237                             (memcmp(KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)),
 238                                                 pwd, pwd_len) == 0)) {
 239                                 /* keytab is already up to date, return */
 240                                 smb_krb5_kt_free_entry(krbctx, &kt_entry);
 241                                 goto out;
 242                         }
 243
 244                         smb_krb5_kt_free_entry(krbctx, &kt_entry);
 245                         ZERO_STRUCT(kt_entry);
 246
 247
 248                         /* flush keytab, we need to regen it */
 249                         ret = flush_keytab(krbctx, *keytab);
 250                         if (ret) {
 251                                 DEBUG(1, (__location__ ": Failed to flush "
 252                                           "memory keytab!\n"));
 253                                 goto out;
 254                         }
 255                 }
 256         }
 257
 258         {
 259                 krb5_kt_cursor zero_csr;
 260                 ZERO_STRUCT(zero_csr);
 261                 if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && *keytab) {
 262                         krb5_kt_end_seq_get(krbctx, *keytab, &kt_cursor);
 263                 }
 264         }
 265
 266         /* keytab is not up to date, fill it up */
 267
 268         ret = get_host_principal(krbctx, &princ);
 269         if (ret) {
 270                 DEBUG(1, (__location__ ": Failed to get host principal!\n"));
 271                 goto out;
 272         }
 273
 274         password.data = pwd;
 275         password.length = pwd_len;
 276         ret = fill_keytab_from_password(krbctx, *keytab,
 277                                         princ, kvno, &password);
 278         if (ret) {
 279                 DEBUG(1, (__location__ ": Failed to fill memory keytab!\n"));
 280                 goto out;
 281         }
 282
 283         pwd_old = secrets_fetch_prev_machine_password(lp_workgroup());
 284         if (!pwd_old) {
 285                 DEBUG(10, (__location__ ": no prev machine password\n"));
 286         } else {
 287                 password.data = pwd_old;
 288                 password.length = strlen(pwd_old);
 289                 ret = fill_keytab_from_password(krbctx, *keytab,
 290                                                 princ, kvno -1, &password);
 291                 if (ret) {
 292                         DEBUG(1, (__location__
 293                                   ": Failed to fill memory keytab!\n"));
 294                         goto out;
 295                 }
 296         }
 297
 298         /* add our private enctype + cleartext password so that we can
 299          * update the keytab if secrets change later on */
 300         ZERO_STRUCT(kt_entry);
 301         kt_entry.principal = princ;
 302         kt_entry.vno = 0;
 303
 304         KRB5_KEY_TYPE(KRB5_KT_KEY(&kt_entry)) = CLEARTEXT_PRIV_ENCTYPE;
 305         KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry)) = pwd_len;
 306         KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)) = (uint8_t *)pwd;
 307
 308         ret = krb5_kt_add_entry(krbctx, *keytab, &kt_entry);
 309         if (ret) {
 310                 DEBUG(1, (__location__ ": Failed to add entry to "
 311                           "keytab for private enctype (%d) (error: %s)\n",
 312                            CLEARTEXT_PRIV_ENCTYPE, error_message(ret)));
 313                 goto out;
 314         }
 315
 316         ret = 0;
 317
 318 out:
 319         SAFE_FREE(pwd);
 320         SAFE_FREE(pwd_old);
 321
 322         {
 323                 krb5_kt_cursor zero_csr;
 324                 ZERO_STRUCT(zero_csr);
 325                 if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && *keytab) {
 326                         krb5_kt_end_seq_get(krbctx, *keytab, &kt_cursor);
 327                 }
 328         }
 329
 330         if (princ) {
 331                 krb5_free_principal(krbctx, princ);
 332         }
 333
 334         if (ret) {
 335                 if (*keytab) {
 336                         krb5_kt_close(krbctx, *keytab);
 337                         *keytab = NULL;
 338                 }
 339         }
 340
 341         return ret;
 342 }
 343
 344 static krb5_error_code get_mem_keytab_from_system_keytab(krb5_context krbctx,
 345                                                          krb5_keytab *keytab,
 346                                                          bool verify)
 347 {
 348         return KRB5_KT_NOTFOUND;
 349 }
 350
 351 krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx,
 352                                            krb5_keytab *keytab)
 353 {
 354         krb5_error_code ret;
 355
 356         *keytab = NULL;
 357
 358         switch (lp_kerberos_method()) {
 359         default:
 360         case KERBEROS_VERIFY_SECRETS:
 361                 ret = get_mem_keytab_from_secrets(krbctx, keytab);
 362                 break;
 363         case KERBEROS_VERIFY_SYSTEM_KEYTAB:
 364                 ret = get_mem_keytab_from_system_keytab(krbctx, keytab, true);
 365                 break;
 366         case KERBEROS_VERIFY_DEDICATED_KEYTAB:
 367                 /* just use whatever keytab is configured */
 368                 ret = get_mem_keytab_from_system_keytab(krbctx, keytab, false);
 369                 break;
 370         case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
 371                 ret = get_mem_keytab_from_secrets(krbctx, keytab);
 372                 if (ret) {
 373                         DEBUG(3, (__location__ ": Warning! Unable to set mem "
 374                                   "keytab from secrets!\n"));
 375                 }
 376                 /* Now append system keytab keys too */
 377                 ret = get_mem_keytab_from_system_keytab(krbctx, keytab, true);
 378                 if (ret) {
 379                         DEBUG(3, (__location__ ": Warning! Unable to set mem "
 380                                   "keytab from secrets!\n"));
 381                 }
 382                 break;
 383         }
 384
 385         return ret;
 386 }
 387
 388 #endif /* HAVE_KRB5 */