Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

gensec_krb5.c

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 29.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Kerberos backend for GENSEC
5
6	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7	Copyright (C) Andrew Tridgell 2001
8	Copyright (C) Luke Howard 2002-2003
9	Copyright (C) Stefan Metzmacher 2004-2005
10
11	This program is free software; you can redistribute it and/or modify
12	it under the terms of the GNU General Public License as published by
13	the Free Software Foundation; either version 3 of the License, or
14	(at your option) any later version.
15
16	This program is distributed in the hope that it will be useful,
17	but WITHOUT ANY WARRANTY; without even the implied warranty of
18	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	GNU General Public License for more details.
20
21
22	You should have received a copy of the GNU General Public License
23	along with this program. If not, see <http://www.gnu.org/licenses/>.
24	*/
25
26	#include "includes.h"
27	#include "system/kerberos.h"
28	#include "auth/kerberos/kerberos.h"
29	#include "auth/auth.h"
30	#include "lib/socket/socket.h"
31	#include "lib/tsocket/tsocket.h"
32	#include "librpc/rpc/dcerpc.h"
33	#include "auth/credentials/credentials.h"
34	#include "auth/credentials/credentials_krb5.h"
35	#include "auth/kerberos/kerberos_credentials.h"
36	#include "auth/gensec/gensec.h"
37	#include "auth/gensec/gensec_proto.h"
38	#include "param/param.h"
39	#include "auth/auth_sam_reply.h"
40	#include "lib/util/util_net.h"
41
42	enum GENSEC_KRB5_STATE {
43	GENSEC_KRB5_SERVER_START,
44	GENSEC_KRB5_CLIENT_START,
45	GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
46	GENSEC_KRB5_DONE
47	};
48
49	struct gensec_krb5_state {
50	DATA_BLOB session_key;
51	DATA_BLOB pac;
52	enum GENSEC_KRB5_STATE state_position;
53	struct smb_krb5_context *smb_krb5_context;
54	krb5_auth_context auth_context;
55	krb5_data enc_ticket;
56	krb5_keyblock *keyblock;
57	krb5_ticket *ticket;
58	bool gssapi;
59	krb5_flags ap_req_options;
60	};
61
62	static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
63	{
64	if (!gensec_krb5_state->smb_krb5_context) {
65	/* We can't clean anything else up unless we started up this far */
66	return 0;
67	}
68	if (gensec_krb5_state->enc_ticket.length) {
69	kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
70	&gensec_krb5_state->enc_ticket);
71	}
72
73	if (gensec_krb5_state->ticket) {
74	krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context,
75	gensec_krb5_state->ticket);
76	}
77
78	/* ccache freed in a child destructor */
79
80	krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context,
81	gensec_krb5_state->keyblock);
82
83	if (gensec_krb5_state->auth_context) {
84	krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context,
85	gensec_krb5_state->auth_context);
86	}
87
88	return 0;
89	}
90
91	static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
92	{
93	krb5_error_code ret;
94	struct gensec_krb5_state *gensec_krb5_state;
95	struct cli_credentials *creds;
96	const struct tsocket_address tlocal_addr, tremote_addr;
97	krb5_address my_krb5_addr, peer_krb5_addr;
98
99	creds = gensec_get_credentials(gensec_security);
100	if (!creds) {
101	return NT_STATUS_INVALID_PARAMETER;
102	}
103
104	gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
105	if (!gensec_krb5_state) {
106	return NT_STATUS_NO_MEMORY;
107	}
108
109	gensec_security->private_data = gensec_krb5_state;
110	gensec_krb5_state->smb_krb5_context = NULL;
111	gensec_krb5_state->auth_context = NULL;
112	gensec_krb5_state->ticket = NULL;
113	ZERO_STRUCT(gensec_krb5_state->enc_ticket);
114	gensec_krb5_state->keyblock = NULL;
115	gensec_krb5_state->session_key = data_blob(NULL, 0);
116	gensec_krb5_state->pac = data_blob(NULL, 0);
117	gensec_krb5_state->gssapi = gssapi;
118
119	talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
120
121	if (cli_credentials_get_krb5_context(creds,
122	gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
123	talloc_free(gensec_krb5_state);
124	return NT_STATUS_INTERNAL_ERROR;
125	}
126
127	ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
128	if (ret) {
129	DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
130	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
131	ret, gensec_krb5_state)));
132	talloc_free(gensec_krb5_state);
133	return NT_STATUS_INTERNAL_ERROR;
134	}
135
136	ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context,
137	gensec_krb5_state->auth_context,
138	KRB5_AUTH_CONTEXT_DO_SEQUENCE);
139	if (ret) {
140	DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n",
141	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
142	ret, gensec_krb5_state)));
143	talloc_free(gensec_krb5_state);
144	return NT_STATUS_INTERNAL_ERROR;
145	}
146
147	tlocal_addr = gensec_get_local_address(gensec_security);
148	if (tlocal_addr) {
149	ssize_t socklen;
150	struct sockaddr_storage ss;
151
152	socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
153	(struct sockaddr *) &ss,
154	sizeof(struct sockaddr_storage));
155	if (socklen < 0) {
156	talloc_free(gensec_krb5_state);
157	return NT_STATUS_INTERNAL_ERROR;
158	}
159	ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
160	(const struct sockaddr *) &ss, &my_krb5_addr);
161	if (ret) {
162	DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
163	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
164	ret, gensec_krb5_state)));
165	talloc_free(gensec_krb5_state);
166	return NT_STATUS_INTERNAL_ERROR;
167	}
168	}
169
170	tremote_addr = gensec_get_remote_address(gensec_security);
171	if (tremote_addr) {
172	ssize_t socklen;
173	struct sockaddr_storage ss;
174
175	socklen = tsocket_address_bsd_sockaddr(tremote_addr,
176	(struct sockaddr *) &ss,
177	sizeof(struct sockaddr_storage));
178	if (socklen < 0) {
179	talloc_free(gensec_krb5_state);
180	return NT_STATUS_INTERNAL_ERROR;
181	}
182	ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
183	(const struct sockaddr *) &ss, &peer_krb5_addr);
184	if (ret) {
185	DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
186	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
187	ret, gensec_krb5_state)));
188	talloc_free(gensec_krb5_state);
189	return NT_STATUS_INTERNAL_ERROR;
190	}
191	}
192
193	ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
194	gensec_krb5_state->auth_context,
195	tlocal_addr ? &my_krb5_addr : NULL,
196	tremote_addr ? &peer_krb5_addr : NULL);
197	if (ret) {
198	DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
199	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
200	ret, gensec_krb5_state)));
201	talloc_free(gensec_krb5_state);
202	return NT_STATUS_INTERNAL_ERROR;
203	}
204
205	return NT_STATUS_OK;
206	}
207
208	static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi)
209	{
210	NTSTATUS nt_status;
211	struct gensec_krb5_state *gensec_krb5_state;
212
213	nt_status = gensec_krb5_start(gensec_security, gssapi);
214	if (!NT_STATUS_IS_OK(nt_status)) {
215	return nt_status;
216	}
217
218	gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
219	gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
220
221	return NT_STATUS_OK;
222	}
223
224	static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
225	{
226	return gensec_krb5_common_server_start(gensec_security, false);
227	}
228
229	static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
230	{
231	return gensec_krb5_common_server_start(gensec_security, true);
232	}
233
234	static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
235	{
236	struct gensec_krb5_state *gensec_krb5_state;
237	krb5_error_code ret;
238	NTSTATUS nt_status;
239	struct ccache_container *ccache_container;
240	const char *hostname;
241	const char *error_string;
242	const char *principal;
243	krb5_data in_data;
244	struct tevent_context *previous_ev;
245
246	hostname = gensec_get_target_hostname(gensec_security);
247	if (!hostname) {
248	DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
249	return NT_STATUS_INVALID_PARAMETER;
250	}
251	if (is_ipaddress(hostname)) {
252	DEBUG(2, ("Cannot do krb5 to an IP address"));
253	return NT_STATUS_INVALID_PARAMETER;
254	}
255	if (strcmp(hostname, "localhost") == 0) {
256	DEBUG(2, ("krb5 to 'localhost' does not make sense"));
257	return NT_STATUS_INVALID_PARAMETER;
258	}
259
260	nt_status = gensec_krb5_start(gensec_security, gssapi);
261	if (!NT_STATUS_IS_OK(nt_status)) {
262	return nt_status;
263	}
264
265	gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
266	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
267	gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
268
269	if (gensec_krb5_state->gssapi) {
270	/* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */
271	if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
272	gensec_krb5_state->ap_req_options \|= AP_OPTS_MUTUAL_REQUIRED;
273	}
274	} else {
275	/* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
276	if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
277	gensec_krb5_state->ap_req_options \|= AP_OPTS_MUTUAL_REQUIRED;
278	}
279	}
280
281	principal = gensec_get_target_principal(gensec_security);
282
283	ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
284	gensec_security->event_ctx,
285	gensec_security->settings->lp_ctx, &ccache_container, &error_string);
286	switch (ret) {
287	case 0:
288	break;
289	case KRB5KDC_ERR_PREAUTH_FAILED:
290	case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
291	return NT_STATUS_LOGON_FAILURE;
292	case KRB5_KDC_UNREACH:
293	DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
294	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
295	case KRB5_CC_NOTFOUND:
296	case KRB5_CC_END:
297	DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
298	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
299	default:
300	DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
301	return NT_STATUS_UNSUCCESSFUL;
302	}
303	in_data.length = 0;
304
305	/* Do this every time, in case we have weird recursive issues here */
306	ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev);
307	if (ret != 0) {
308	DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
309	return NT_STATUS_NO_MEMORY;
310	}
311	if (principal) {
312	krb5_principal target_principal;
313	ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
314	&target_principal);
315	if (ret == 0) {
316	ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
317	&gensec_krb5_state->auth_context,
318	gensec_krb5_state->ap_req_options,
319	target_principal,
320	&in_data, ccache_container->ccache,
321	&gensec_krb5_state->enc_ticket);
322	krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
323	target_principal);
324	}
325	} else {
326	ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
327	&gensec_krb5_state->auth_context,
328	gensec_krb5_state->ap_req_options,
329	gensec_get_target_service(gensec_security),
330	hostname,
331	&in_data, ccache_container->ccache,
332	&gensec_krb5_state->enc_ticket);
333	}
334
335	smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx);
336
337	switch (ret) {
338	case 0:
339	return NT_STATUS_OK;
340	case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
341	DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
342	hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
343	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
344	case KRB5_KDC_UNREACH:
345	DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
346	hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
347	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
348	case KRB5KDC_ERR_PREAUTH_FAILED:
349	case KRB5KRB_AP_ERR_TKT_EXPIRED:
350	case KRB5_CC_END:
351	/* Too much clock skew - we will need to kinit to re-skew the clock */
352	case KRB5KRB_AP_ERR_SKEW:
353	case KRB5_KDCREP_SKEW:
354	{
355	DEBUG(3, ("kerberos (mk_req) failed: %s\n",
356	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
357	/fall through/
358	}
359
360	/* just don't print a message for these really ordinary messages */
361	case KRB5_FCC_NOFILE:
362	case KRB5_CC_NOTFOUND:
363	case ENOENT:
364
365	return NT_STATUS_UNSUCCESSFUL;
366	break;
367
368	default:
369	DEBUG(0, ("kerberos: %s\n",
370	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
371	return NT_STATUS_UNSUCCESSFUL;
372	}
373	}
374
375	static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
376	{
377	return gensec_krb5_common_client_start(gensec_security, false);
378	}
379
380	static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
381	{
382	return gensec_krb5_common_client_start(gensec_security, true);
383	}
384
385	/**
386	* Check if the packet is one for this mechansim
387	*
388	* @param gensec_security GENSEC state
389	* @param in The request, as a DATA_BLOB
390	* @return Error, INVALID_PARAMETER if it's not a packet for us
391	* or NT_STATUS_OK if the packet is ok.
392	*/
393
394	static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security,
395	const DATA_BLOB *in)
396	{
397	if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
398	return NT_STATUS_OK;
399	} else {
400	return NT_STATUS_INVALID_PARAMETER;
401	}
402	}
403
404
405	/**
406	* Next state function for the Krb5 GENSEC mechanism
407	*
408	* @param gensec_krb5_state KRB5 State
409	* @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
410	* @param in The request, as a DATA_BLOB
411	* @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
412	* @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
413	* or NT_STATUS_OK if the user is authenticated.
414	*/
415
416	static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
417	TALLOC_CTX *out_mem_ctx,
418	const DATA_BLOB in, DATA_BLOB *out)
419	{
420	struct gensec_krb5_state gensec_krb5_state = (struct gensec_krb5_state )gensec_security->private_data;
421	krb5_error_code ret = 0;
422	NTSTATUS nt_status;
423
424	switch (gensec_krb5_state->state_position) {
425	case GENSEC_KRB5_CLIENT_START:
426	{
427	DATA_BLOB unwrapped_out;
428
429	if (gensec_krb5_state->gssapi) {
430	unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
431
432	/* wrap that up in a nice GSS-API wrapping */
433	*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
434	} else {
435	*out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
436	}
437	if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
438	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
439	nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
440	} else {
441	gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
442	nt_status = NT_STATUS_OK;
443	}
444	return nt_status;
445	}
446
447	case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
448	{
449	DATA_BLOB unwrapped_in;
450	krb5_data inbuf;
451	krb5_ap_rep_enc_part *repl = NULL;
452	uint8_t tok_id[2];
453
454	if (gensec_krb5_state->gssapi) {
455	if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
456	DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
457	dump_data_pw("Mutual authentication message:\n", in.data, in.length);
458	return NT_STATUS_INVALID_PARAMETER;
459	}
460	} else {
461	unwrapped_in = in;
462	}
463	/* TODO: check the tok_id */
464
465	inbuf.data = unwrapped_in.data;
466	inbuf.length = unwrapped_in.length;
467	ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
468	gensec_krb5_state->auth_context,
469	&inbuf, &repl);
470	if (ret) {
471	DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
472	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
473	dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length);
474	nt_status = NT_STATUS_ACCESS_DENIED;
475	} else {
476	*out = data_blob(NULL, 0);
477	nt_status = NT_STATUS_OK;
478	gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
479	}
480	if (repl) {
481	krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
482	}
483	return nt_status;
484	}
485
486	case GENSEC_KRB5_SERVER_START:
487	{
488	DATA_BLOB unwrapped_in;
489	DATA_BLOB unwrapped_out = data_blob(NULL, 0);
490	krb5_data inbuf, outbuf;
491	uint8_t tok_id[2];
492	struct keytab_container *keytab;
493	krb5_principal server_in_keytab;
494	const char *error_string;
495	enum credentials_obtained obtained;
496
497	if (!in.data) {
498	return NT_STATUS_INVALID_PARAMETER;
499	}
500
501	/* Grab the keytab, however generated */
502	ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
503	gensec_security->settings->lp_ctx, &keytab);
504	if (ret) {
505	return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
506	}
507
508	/* This ensures we lookup the correct entry in that keytab */
509	ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
510	gensec_krb5_state->smb_krb5_context,
511	&server_in_keytab, &obtained, &error_string);
512
513	if (ret) {
514	DEBUG(2,("Failed to make credentials from principal: %s\n", error_string));
515	return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
516	}
517
518	/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
519	if (gensec_krb5_state->gssapi
520	&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
521	inbuf.data = unwrapped_in.data;
522	inbuf.length = unwrapped_in.length;
523	} else {
524	inbuf.data = in.data;
525	inbuf.length = in.length;
526	}
527
528	ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
529	&gensec_krb5_state->auth_context,
530	&inbuf, keytab->keytab, server_in_keytab,
531	&outbuf,
532	&gensec_krb5_state->ticket,
533	&gensec_krb5_state->keyblock);
534
535	if (ret) {
536	return NT_STATUS_LOGON_FAILURE;
537	}
538	unwrapped_out.data = (uint8_t *)outbuf.data;
539	unwrapped_out.length = outbuf.length;
540	gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
541	/* wrap that up in a nice GSS-API wrapping */
542	if (gensec_krb5_state->gssapi) {
543	*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
544	} else {
545	*out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
546	}
547	krb5_data_free(&outbuf);
548	return NT_STATUS_OK;
549	}
550
551	case GENSEC_KRB5_DONE:
552	default:
553	/* Asking too many times... */
554	return NT_STATUS_INVALID_PARAMETER;
555	}
556	}
557
558	static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
559	DATA_BLOB *session_key)
560	{
561	struct gensec_krb5_state gensec_krb5_state = (struct gensec_krb5_state )gensec_security->private_data;
562	krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
563	krb5_auth_context auth_context = gensec_krb5_state->auth_context;
564	krb5_keyblock *skey;
565	krb5_error_code err = -1;
566
567	if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
568	return NT_STATUS_NO_USER_SESSION_KEY;
569	}
570
571	if (gensec_krb5_state->session_key.data) {
572	*session_key = gensec_krb5_state->session_key;
573	return NT_STATUS_OK;
574	}
575
576	switch (gensec_security->gensec_role) {
577	case GENSEC_CLIENT:
578	err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
579	break;
580	case GENSEC_SERVER:
581	err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
582	break;
583	}
584	if (err == 0 && skey != NULL) {
585	DEBUG(10, ("Got KRB5 session key of length %d\n",
586	(int)KRB5_KEY_LENGTH(skey)));
587	gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state,
588	KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
589	*session_key = gensec_krb5_state->session_key;
590	dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
591
592	krb5_free_keyblock(context, skey);
593	return NT_STATUS_OK;
594	} else {
595	DEBUG(10, ("KRB5 error getting session key %d\n", err));
596	return NT_STATUS_NO_USER_SESSION_KEY;
597	}
598	}
599
600	static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
601	struct auth_session_info **_session_info)
602	{
603	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
604	struct gensec_krb5_state gensec_krb5_state = (struct gensec_krb5_state )gensec_security->private_data;
605	krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
606	struct auth_user_info_dc *user_info_dc = NULL;
607	struct auth_session_info *session_info = NULL;
608	struct PAC_LOGON_INFO *logon_info;
609
610	krb5_principal client_principal;
611	char *principal_string;
612
613	DATA_BLOB pac;
614	krb5_data pac_data;
615
616	krb5_error_code ret;
617
618	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
619	if (!mem_ctx) {
620	return NT_STATUS_NO_MEMORY;
621	}
622
623	ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
624	if (ret) {
625	DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
626	smb_get_krb5_error_message(context,
627	ret, mem_ctx)));
628	talloc_free(mem_ctx);
629	return NT_STATUS_NO_MEMORY;
630	}
631
632	ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
633	client_principal, &principal_string);
634	if (ret) {
635	DEBUG(1, ("Unable to parse client principal: %s\n",
636	smb_get_krb5_error_message(context,
637	ret, mem_ctx)));
638	krb5_free_principal(context, client_principal);
639	talloc_free(mem_ctx);
640	return NT_STATUS_NO_MEMORY;
641	}
642
643	ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
644	KRB5_AUTHDATA_WIN2K_PAC,
645	&pac_data);
646
647	if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
648	DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
649	principal_string,
650	smb_get_krb5_error_message(context,
651	ret, mem_ctx)));
652	free(principal_string);
653	krb5_free_principal(context, client_principal);
654	talloc_free(mem_ctx);
655	return NT_STATUS_ACCESS_DENIED;
656	} else if (ret) {
657	/* NO pac */
658	DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
659	smb_get_krb5_error_message(context,
660	ret, mem_ctx)));
661	if (gensec_security->auth_context &&
662	!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
663	DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
664	principal_string, smb_get_krb5_error_message(context,
665	ret, mem_ctx)));
666	nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
667	gensec_security->auth_context,
668	principal_string,
669	NULL, &user_info_dc);
670	if (!NT_STATUS_IS_OK(nt_status)) {
671	free(principal_string);
672	krb5_free_principal(context, client_principal);
673	talloc_free(mem_ctx);
674	return nt_status;
675	}
676	} else {
677	DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
678	principal_string));
679	free(principal_string);
680	krb5_free_principal(context, client_principal);
681	talloc_free(mem_ctx);
682	return NT_STATUS_ACCESS_DENIED;
683	}
684	} else {
685	/* Found pac */
686	union netr_Validation validation;
687
688	pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
689	if (!pac.data) {
690	free(principal_string);
691	krb5_free_principal(context, client_principal);
692	talloc_free(mem_ctx);
693	return NT_STATUS_NO_MEMORY;
694	}
695
696	/* decode and verify the pac */
697	nt_status = kerberos_pac_logon_info(gensec_krb5_state,
698	&logon_info, pac,
699	gensec_krb5_state->smb_krb5_context->krb5_context,
700	NULL, gensec_krb5_state->keyblock,
701	client_principal,
702	gensec_krb5_state->ticket->ticket.authtime, NULL);
703
704	if (!NT_STATUS_IS_OK(nt_status)) {
705	free(principal_string);
706	krb5_free_principal(context, client_principal);
707	talloc_free(mem_ctx);
708	return nt_status;
709	}
710
711	validation.sam3 = &logon_info->info3;
712	nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
713	NULL,
714	3, &validation,
715	&user_info_dc);
716	if (!NT_STATUS_IS_OK(nt_status)) {
717	free(principal_string);
718	krb5_free_principal(context, client_principal);
719	talloc_free(mem_ctx);
720	return nt_status;
721	}
722	}
723
724	free(principal_string);
725	krb5_free_principal(context, client_principal);
726
727	/* references the user_info_dc into the session_info */
728	nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
729
730	if (!NT_STATUS_IS_OK(nt_status)) {
731	talloc_free(mem_ctx);
732	return nt_status;
733	}
734
735	nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
736
737	if (!NT_STATUS_IS_OK(nt_status)) {
738	talloc_free(mem_ctx);
739	return nt_status;
740	}
741
742	*_session_info = session_info;
743
744	talloc_steal(gensec_krb5_state, session_info);
745	talloc_free(mem_ctx);
746	return NT_STATUS_OK;
747	}
748
749	static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security,
750	TALLOC_CTX *mem_ctx,
751	const DATA_BLOB *in,
752	DATA_BLOB *out)
753	{
754	struct gensec_krb5_state gensec_krb5_state = (struct gensec_krb5_state )gensec_security->private_data;
755	krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
756	krb5_auth_context auth_context = gensec_krb5_state->auth_context;
757	krb5_error_code ret;
758	krb5_data input, output;
759	input.length = in->length;
760	input.data = in->data;
761
762	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
763	ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
764	if (ret) {
765	DEBUG(1, ("krb5_mk_priv failed: %s\n",
766	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
767	ret, mem_ctx)));
768	return NT_STATUS_ACCESS_DENIED;
769	}
770	*out = data_blob_talloc(mem_ctx, output.data, output.length);
771
772	krb5_data_free(&output);
773	} else {
774	return NT_STATUS_ACCESS_DENIED;
775	}
776	return NT_STATUS_OK;
777	}
778
779	static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security,
780	TALLOC_CTX *mem_ctx,
781	const DATA_BLOB *in,
782	DATA_BLOB *out)
783	{
784	struct gensec_krb5_state gensec_krb5_state = (struct gensec_krb5_state )gensec_security->private_data;
785	krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
786	krb5_auth_context auth_context = gensec_krb5_state->auth_context;
787	krb5_error_code ret;
788	krb5_data input, output;
789	krb5_replay_data replay;
790	input.length = in->length;
791	input.data = in->data;
792
793	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
794	ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
795	if (ret) {
796	DEBUG(1, ("krb5_rd_priv failed: %s\n",
797	smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
798	ret, mem_ctx)));
799	return NT_STATUS_ACCESS_DENIED;
800	}
801	*out = data_blob_talloc(mem_ctx, output.data, output.length);
802
803	krb5_data_free(&output);
804	} else {
805	return NT_STATUS_ACCESS_DENIED;
806	}
807	return NT_STATUS_OK;
808	}
809
810	static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
811	uint32_t feature)
812	{
813	struct gensec_krb5_state gensec_krb5_state = (struct gensec_krb5_state )gensec_security->private_data;
814	if (feature & GENSEC_FEATURE_SESSION_KEY) {
815	return true;
816	}
817	if (!gensec_krb5_state->gssapi &&
818	(feature & GENSEC_FEATURE_SEAL)) {
819	return true;
820	}
821
822	return false;
823	}
824
825	static const char *gensec_krb5_oids[] = {
826	GENSEC_OID_KERBEROS5,
827	GENSEC_OID_KERBEROS5_OLD,
828	NULL
829	};
830
831	static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
832	.name = "fake_gssapi_krb5",
833	.auth_type = DCERPC_AUTH_TYPE_KRB5,
834	.oid = gensec_krb5_oids,
835	.client_start = gensec_fake_gssapi_krb5_client_start,
836	.server_start = gensec_fake_gssapi_krb5_server_start,
837	.update = gensec_krb5_update,
838	.magic = gensec_fake_gssapi_krb5_magic,
839	.session_key = gensec_krb5_session_key,
840	.session_info = gensec_krb5_session_info,
841	.have_feature = gensec_krb5_have_feature,
842	.enabled = false,
843	.kerberos = true,
844	.priority = GENSEC_KRB5
845	};
846
847	static const struct gensec_security_ops gensec_krb5_security_ops = {
848	.name = "krb5",
849	.client_start = gensec_krb5_client_start,
850	.server_start = gensec_krb5_server_start,
851	.update = gensec_krb5_update,
852	.session_key = gensec_krb5_session_key,
853	.session_info = gensec_krb5_session_info,
854	.have_feature = gensec_krb5_have_feature,
855	.wrap = gensec_krb5_wrap,
856	.unwrap = gensec_krb5_unwrap,
857	.enabled = true,
858	.kerberos = true,
859	.priority = GENSEC_KRB5
860	};
861
862	_PUBLIC_ NTSTATUS gensec_krb5_init(void)
863	{
864	NTSTATUS ret;
865
866	ret = gensec_register(&gensec_krb5_security_ops);
867	if (!NT_STATUS_IS_OK(ret)) {
868	DEBUG(0,("Failed to register '%s' gensec backend!\n",
869	gensec_krb5_security_ops.name));
870	return ret;
871	}
872
873	ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
874	if (!NT_STATUS_IS_OK(ret)) {
875	DEBUG(0,("Failed to register '%s' gensec backend!\n",
876	gensec_krb5_security_ops.name));
877	return ret;
878	}
879
880	return ret;
881	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source4/auth/gensec/gensec_krb5.c

Download in other formats: