diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source3/librpc/crypto | |
parent | Initial commit. (diff) | |
download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/librpc/crypto')
-rw-r--r-- | source3/librpc/crypto/gse.c | 1438 | ||||
-rw-r--r-- | source3/librpc/crypto/gse.h | 26 | ||||
-rw-r--r-- | source3/librpc/crypto/gse_krb5.c | 609 | ||||
-rw-r--r-- | source3/librpc/crypto/gse_krb5.h | 30 |
4 files changed, 2103 insertions, 0 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c new file mode 100644 index 0000000..c2cac7a --- /dev/null +++ b/source3/librpc/crypto/gse.c @@ -0,0 +1,1438 @@ +/* + * GSSAPI Security Extensions + * RPC Pipe client and server routines + * Copyright (C) Simo Sorce 2010. + * Copyright (C) Andrew Bartlett 2004-2011. + * Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +/* We support only GSSAPI/KRB5 here */ + +#include "includes.h" +#include <tevent.h> +#include "lib/util/tevent_ntstatus.h" +#include "gse.h" +#include "libads/kerberos_proto.h" +#include "auth/common_auth.h" +#include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_internal.h" +#include "auth/credentials/credentials.h" +#include "../librpc/gen_ndr/dcerpc.h" +#include "param/param.h" + +#if defined(HAVE_KRB5) + +#include "auth/kerberos/pac_utils.h" +#include "auth/kerberos/gssapi_helper.h" +#include "gse_krb5.h" + +static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min); +static size_t gensec_gse_sig_size(struct gensec_security *gensec_security, + size_t data_size); + +struct gse_context { + gss_ctx_id_t gssapi_context; + gss_name_t server_name; + gss_name_t client_name; + OM_uint32 gss_want_flags, gss_got_flags; + size_t max_wrap_buf_size; + size_t sig_size; + + gss_cred_id_t delegated_cred_handle; + + NTTIME expire_time; + + /* gensec_gse only */ + krb5_context k5ctx; + krb5_ccache ccache; + krb5_keytab keytab; + + gss_OID_desc gss_mech; + gss_cred_id_t creds; + + gss_OID ret_mech; +}; + +/* free non talloc dependent contexts */ +static int gse_context_destructor(void *ptr) +{ + struct gse_context *gse_ctx; + OM_uint32 gss_min; + + gse_ctx = talloc_get_type_abort(ptr, struct gse_context); + if (gse_ctx->k5ctx) { + if (gse_ctx->ccache) { + krb5_cc_close(gse_ctx->k5ctx, gse_ctx->ccache); + gse_ctx->ccache = NULL; + } + if (gse_ctx->keytab) { + krb5_kt_close(gse_ctx->k5ctx, gse_ctx->keytab); + gse_ctx->keytab = NULL; + } + krb5_free_context(gse_ctx->k5ctx); + gse_ctx->k5ctx = NULL; + } + if (gse_ctx->gssapi_context != GSS_C_NO_CONTEXT) { + (void)gss_delete_sec_context(&gss_min, + &gse_ctx->gssapi_context, + GSS_C_NO_BUFFER); + } + if (gse_ctx->server_name) { + (void)gss_release_name(&gss_min, + &gse_ctx->server_name); + } + if (gse_ctx->client_name) { + (void)gss_release_name(&gss_min, + &gse_ctx->client_name); + } + if (gse_ctx->creds) { + (void)gss_release_cred(&gss_min, + &gse_ctx->creds); + } + if (gse_ctx->delegated_cred_handle) { + (void)gss_release_cred(&gss_min, + &gse_ctx->delegated_cred_handle); + } + + /* MIT and Heimdal differ as to if you can call + * gss_release_oid() on this OID, generated by + * gss_{accept,init}_sec_context(). However, as long as the + * oid is gss_mech_krb5 (which it always is at the moment), + * then this is a moot point, as both declare this particular + * OID static, and so no memory is lost. This assert is in + * place to ensure that the programmer who wishes to extend + * this code to EAP or other GSS mechanisms determines an + * implementation-dependent way of releasing any dynamically + * allocated OID */ + SMB_ASSERT(smb_gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || + smb_gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5)); + + return 0; +} + +static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx, + const char *target_principal, + const char *service, + const char *hostname, + const char *realm, + char **pserver_principal, + gss_name_t *pserver_name) +{ + char *server_principal = NULL; + gss_buffer_desc name_token; + gss_OID name_type; + OM_uint32 maj_stat, min_stat = 0; + + if (target_principal != NULL) { + server_principal = talloc_strdup(mem_ctx, target_principal); + name_type = GSS_C_NULL_OID; + } else { + server_principal = talloc_asprintf(mem_ctx, + "%s/%s@%s", + service, + hostname, + realm); + name_type = GSS_C_NT_USER_NAME; + } + if (server_principal == NULL) { + return NT_STATUS_NO_MEMORY; + } + + name_token.value = (uint8_t *)server_principal; + name_token.length = strlen(server_principal); + + maj_stat = gss_import_name(&min_stat, + &name_token, + name_type, + pserver_name); + if (maj_stat) { + DBG_WARNING("GSS Import name of %s failed: %s\n", + server_principal, + gse_errstr(mem_ctx, maj_stat, min_stat)); + TALLOC_FREE(server_principal); + return NT_STATUS_INVALID_PARAMETER; + } + + *pserver_principal = server_principal; + + return NT_STATUS_OK; +} + +static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, + bool do_sign, bool do_seal, + const char *ccache_name, + uint32_t add_gss_c_flags, + struct gse_context **_gse_ctx) +{ + struct gse_context *gse_ctx; + krb5_error_code k5ret; + NTSTATUS status; + + gse_ctx = talloc_zero(mem_ctx, struct gse_context); + if (!gse_ctx) { + return NT_STATUS_NO_MEMORY; + } + talloc_set_destructor((TALLOC_CTX *)gse_ctx, gse_context_destructor); + + gse_ctx->expire_time = GENSEC_EXPIRE_TIME_INFINITY; + gse_ctx->max_wrap_buf_size = UINT16_MAX; + + memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); + + gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | + GSS_C_DELEG_POLICY_FLAG | + GSS_C_REPLAY_FLAG | + GSS_C_SEQUENCE_FLAG; + if (do_sign) { + gse_ctx->gss_want_flags |= GSS_C_INTEG_FLAG; + } + if (do_seal) { + gse_ctx->gss_want_flags |= GSS_C_INTEG_FLAG; + gse_ctx->gss_want_flags |= GSS_C_CONF_FLAG; + } + + gse_ctx->gss_want_flags |= add_gss_c_flags; + + /* Initialize Kerberos Context */ + k5ret = smb_krb5_init_context_common(&gse_ctx->k5ctx); + if (k5ret) { + DBG_ERR("kerberos init context failed (%s)\n", + error_message(k5ret)); + status = NT_STATUS_INTERNAL_ERROR; + goto err_out; + } + +#ifdef SAMBA4_USES_HEIMDAL + k5ret = gsskrb5_set_dns_canonicalize(false); + if (k5ret) { + DBG_ERR("gsskrb5_set_dns_canonicalize() failed (%s)\n", + error_message(k5ret)); + status = NT_STATUS_INTERNAL_ERROR; + goto err_out; + } +#endif + + if (!ccache_name) { + ccache_name = krb5_cc_default_name(gse_ctx->k5ctx); + } + k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name, + &gse_ctx->ccache); + if (k5ret) { + DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n", + ccache_name, error_message(k5ret))); + status = NT_STATUS_INTERNAL_ERROR; + goto err_out; + } + + /* TODO: Should we enforce a enc_types list ? + ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types); + */ + + *_gse_ctx = gse_ctx; + return NT_STATUS_OK; + +err_out: + TALLOC_FREE(gse_ctx); + return status; +} + +static NTSTATUS gse_init_client(struct gensec_security *gensec_security, + bool do_sign, bool do_seal, + const char *ccache_name, + const char *server, + const char *service, + const char *realm, + const char *username, + const char *password, + uint32_t add_gss_c_flags, + struct gse_context **_gse_ctx) +{ + struct gse_context *gse_ctx; + OM_uint32 gss_maj, gss_min; +#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X + gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); +#endif + NTSTATUS status; + + if (!server || !service) { + return NT_STATUS_INVALID_PARAMETER; + } + + status = gse_context_init(gensec_security, do_sign, do_seal, + ccache_name, add_gss_c_flags, + &gse_ctx); + if (!NT_STATUS_IS_OK(status)) { + return NT_STATUS_NO_MEMORY; + } + +#ifdef SAMBA4_USES_HEIMDAL + { + int ret; + bool set_dns_canon = gensec_setting_bool( + gensec_security->settings, + "krb5", "set_dns_canonicalize", + false); + const char *server_realm = lpcfg_realm( + gensec_security->settings->lp_ctx); + if (server_realm != NULL) { + ret = gsskrb5_set_default_realm(server_realm); + if (ret) { + DBG_ERR("gsskrb5_set_default_realm failed\n"); + return NT_STATUS_INTERNAL_ERROR; + } + } + + /* + * don't do DNS lookups of any kind, it might/will + * fail for a netbios name + */ + ret = gsskrb5_set_dns_canonicalize(set_dns_canon); + if (ret != GSS_S_COMPLETE) { + DBG_ERR("gsskrb5_set_dns_canonicalize failed\n"); + return NT_STATUS_INTERNAL_ERROR; + } + } +#endif + + /* TODO: get krb5 ticket using username/password, if no valid + * one already available in ccache */ + + gss_maj = smb_gss_krb5_import_cred(&gss_min, + gse_ctx->k5ctx, + gse_ctx->ccache, + NULL, /* keytab_principal */ + NULL, /* keytab */ + &gse_ctx->creds); + if (gss_maj) { + char *ccache = NULL; + int kret; + + kret = krb5_cc_get_full_name(gse_ctx->k5ctx, + gse_ctx->ccache, + &ccache); + if (kret != 0) { + ccache = NULL; + } + + DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -" + "the caller may retry after a kinit.\n", + ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); + SAFE_FREE(ccache); + status = NT_STATUS_INTERNAL_ERROR; + goto err_out; + } + +#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X + /* + * Don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG. + * + * This allows us to disable SIGN and SEAL for + * AUTH_LEVEL_CONNECT and AUTH_LEVEL_INTEGRITY. + * + * https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575 + * http://krbdev.mit.edu/rt/Ticket/Display.html?id=6938 + */ + gss_maj = gss_set_cred_option(&gss_min, &gse_ctx->creds, + oid, + &empty_buffer); + if (gss_maj) { + DEBUG(0, ("gss_set_cred_option(GSS_KRB5_CRED_NO_CI_FLAGS_X), " + "failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto err_out; + } +#endif + + *_gse_ctx = gse_ctx; + return NT_STATUS_OK; + +err_out: + TALLOC_FREE(gse_ctx); + return status; +} + +static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + const DATA_BLOB *token_in, + DATA_BLOB *token_out) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + OM_uint32 gss_maj = 0; + OM_uint32 gss_min; + gss_buffer_desc in_data; + gss_buffer_desc out_data; + DATA_BLOB blob = data_blob_null; + NTSTATUS status; + OM_uint32 time_rec = 0; + struct timeval tv; + struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); + const char *target_principal = gensec_get_target_principal(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *client_realm = cli_credentials_get_realm(cli_creds); + char *server_principal = NULL; + char *server_realm = NULL; + bool fallback = false; + OM_uint32 time_req = 0; + + time_req = gensec_setting_int(gensec_security->settings, + "gensec_gssapi", + "requested_life_time", + time_req); + + in_data.value = token_in->data; + in_data.length = token_in->length; + + /* + * With credentials for administrator@FOREST1.EXAMPLE.COM this patch + * changes the target_principal for the ldap service of host + * dc2.forest2.example.com from + * + * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM + * + * to + * + * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM + * + * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be + * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a + * referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. + * + * The problem is that KDCs only return such referral tickets if + * there's a forest trust between FOREST1.EXAMPLE.COM and + * FOREST2.EXAMPLE.COM. If there's only an external domain trust + * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of + * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being + * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. + * + * In the case of an external trust the client can still ask explicitly + * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of + * FOREST1.EXAMPLE.COM will generate it. + * + * From there the client can use the + * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC + * of FOREST2.EXAMPLE.COM for a service ticket for + * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. + * + * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior + * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as + * target principal. As _krb5_get_cred_kdc_any() first calls + * get_cred_kdc_referral() (which always starts with the client realm) + * and falls back to get_cred_kdc_capath() (which starts with the given + * realm). + * + * MIT krb5 only tries the given realm of the target principal, if we + * want to autodetect support for transitive forest trusts, would have + * to do the fallback ourself. + */ +#ifndef SAMBA4_USES_HEIMDAL + if (gse_ctx->server_name == NULL) { + OM_uint32 gss_min2 = 0; + + status = gse_setup_server_principal(mem_ctx, + target_principal, + service, + hostname, + client_realm, + &server_principal, + &gse_ctx->server_name); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + gss_maj = gss_init_sec_context(&gss_min, + gse_ctx->creds, + &gse_ctx->gssapi_context, + gse_ctx->server_name, + &gse_ctx->gss_mech, + gse_ctx->gss_want_flags, + time_req, + GSS_C_NO_CHANNEL_BINDINGS, + &in_data, + NULL, + &out_data, + &gse_ctx->gss_got_flags, + &time_rec); + if (gss_maj != GSS_S_FAILURE) { + goto init_sec_context_done; + } + if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { + goto init_sec_context_done; + } + if (target_principal != NULL) { + goto init_sec_context_done; + } + + fallback = true; + TALLOC_FREE(server_principal); + gss_release_name(&gss_min2, &gse_ctx->server_name); + } +#endif /* !SAMBA4_USES_HEIMDAL */ + + if (gse_ctx->server_name == NULL) { + server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, + hostname, + client_realm); + if (server_realm == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if (fallback && + strequal(client_realm, server_realm)) { + goto init_sec_context_done; + } + + status = gse_setup_server_principal(mem_ctx, + target_principal, + service, + hostname, + server_realm, + &server_principal, + &gse_ctx->server_name); + TALLOC_FREE(server_realm); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + TALLOC_FREE(server_principal); + } + + gss_maj = gss_init_sec_context(&gss_min, + gse_ctx->creds, + &gse_ctx->gssapi_context, + gse_ctx->server_name, + &gse_ctx->gss_mech, + gse_ctx->gss_want_flags, + time_req, GSS_C_NO_CHANNEL_BINDINGS, + &in_data, NULL, &out_data, + &gse_ctx->gss_got_flags, &time_rec); + goto init_sec_context_done; + /* JUMP! */ +init_sec_context_done: + + switch (gss_maj) { + case GSS_S_COMPLETE: + /* we are done with it */ + tv = timeval_current_ofs(time_rec, 0); + gse_ctx->expire_time = timeval_to_nttime(&tv); + + status = NT_STATUS_OK; + break; + case GSS_S_CONTINUE_NEEDED: + /* we will need a third leg */ + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + break; + case GSS_S_CONTEXT_EXPIRED: + /* Make SPNEGO ignore us, we can't go any further here */ + DBG_NOTICE("Context expired\n"); + status = NT_STATUS_INVALID_PARAMETER; + goto done; + case GSS_S_FAILURE: + switch (gss_min) { + case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: { + gss_buffer_desc name_token = { + .length = 0, + }; + + gss_maj = gss_display_name(&gss_min, + gse_ctx->server_name, + &name_token, + NULL); + if (gss_maj == GSS_S_COMPLETE) { + DBG_NOTICE("Server principal %.*s not found\n", + (int)name_token.length, + (char *)name_token.value); + gss_release_buffer(&gss_maj, &name_token); + } else { + DBG_NOTICE("Server principal not found\n"); + } + + /* Make SPNEGO ignore us, we can't go any further here */ + status = NT_STATUS_INVALID_PARAMETER; + goto done; + } + case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED: + DBG_NOTICE("Ticket expired\n"); + /* Make SPNEGO ignore us, we can't go any further here */ + status = NT_STATUS_INVALID_PARAMETER; + goto done; + case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV: + DBG_NOTICE("Clockskew\n"); + /* Make SPNEGO ignore us, we can't go any further here */ + status = NT_STATUS_TIME_DIFFERENCE_AT_DC; + goto done; + case (OM_uint32)KRB5_KDC_UNREACH: + DBG_NOTICE("KDC unreachable\n"); + /* Make SPNEGO ignore us, we can't go any further here */ + status = NT_STATUS_NO_LOGON_SERVERS; + goto done; + case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE: + /* Garbage input, possibly from the auto-mech detection */ + status = NT_STATUS_INVALID_PARAMETER; + goto done; + case (OM_uint32)KRB5KDC_ERR_ETYPE_NOSUPP: + status = NT_STATUS_KDC_UNKNOWN_ETYPE; + goto done; + default: + DBG_ERR("gss_init_sec_context failed with [%s](%u)\n", + gse_errstr(talloc_tos(), gss_maj, gss_min), + gss_min); + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + break; + default: + DBG_ERR("gss_init_sec_context failed with [%s]\n", + gse_errstr(talloc_tos(), gss_maj, gss_min)); + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } + + /* we may be told to return nothing */ + if (out_data.length) { + blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length); + if (!blob.data) { + status = NT_STATUS_NO_MEMORY; + } + + gss_release_buffer(&gss_min, &out_data); + } + +done: + *token_out = blob; + return status; +} + +static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, + bool do_sign, bool do_seal, + uint32_t add_gss_c_flags, + struct gse_context **_gse_ctx) +{ + struct gse_context *gse_ctx; + OM_uint32 gss_maj, gss_min; + krb5_error_code ret; + NTSTATUS status; + + status = gse_context_init(mem_ctx, do_sign, do_seal, + NULL, add_gss_c_flags, &gse_ctx); + if (!NT_STATUS_IS_OK(status)) { + return NT_STATUS_NO_MEMORY; + } + + ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx, + &gse_ctx->keytab); + if (ret) { + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } + + /* This creates a GSSAPI cred_id_t with the keytab set */ + gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx, + NULL, NULL, gse_ctx->keytab, + &gse_ctx->creds); + + if (gss_maj != 0) { + DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } + + status = NT_STATUS_OK; + +done: + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(gse_ctx); + } + + *_gse_ctx = gse_ctx; + return status; +} + +static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + const DATA_BLOB *token_in, + DATA_BLOB *token_out) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + OM_uint32 gss_maj, gss_min; + gss_buffer_desc in_data; + gss_buffer_desc out_data; + DATA_BLOB blob = data_blob_null; + NTSTATUS status; + OM_uint32 time_rec = 0; + struct timeval tv; + + in_data.value = token_in->data; + in_data.length = token_in->length; + + gss_maj = gss_accept_sec_context(&gss_min, + &gse_ctx->gssapi_context, + gse_ctx->creds, + &in_data, + GSS_C_NO_CHANNEL_BINDINGS, + &gse_ctx->client_name, + &gse_ctx->ret_mech, + &out_data, + &gse_ctx->gss_got_flags, + &time_rec, + &gse_ctx->delegated_cred_handle); + switch (gss_maj) { + case GSS_S_COMPLETE: + /* we are done with it */ + tv = timeval_current_ofs(time_rec, 0); + gse_ctx->expire_time = timeval_to_nttime(&tv); + + status = NT_STATUS_OK; + break; + case GSS_S_CONTINUE_NEEDED: + /* we will need a third leg */ + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + break; + default: + DEBUG(1, ("gss_accept_sec_context failed with [%s]\n", + gse_errstr(talloc_tos(), gss_maj, gss_min))); + + if (gse_ctx->gssapi_context) { + gss_delete_sec_context(&gss_min, + &gse_ctx->gssapi_context, + GSS_C_NO_BUFFER); + } + + /* + * If we got an output token, make Windows aware of it + * by telling it that more processing is needed + */ + if (out_data.length > 0) { + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + /* Fall through to handle the out token */ + } else { + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + } + + /* we may be told to return nothing */ + if (out_data.length) { + blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length); + if (!blob.data) { + status = NT_STATUS_NO_MEMORY; + } + gss_release_buffer(&gss_min, &out_data); + } + + +done: + *token_out = blob; + return status; +} + +static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min) +{ + OM_uint32 gss_min, gss_maj; + gss_buffer_desc msg_min; + gss_buffer_desc msg_maj; + OM_uint32 msg_ctx = 0; + + char *errstr = NULL; + + ZERO_STRUCT(msg_min); + ZERO_STRUCT(msg_maj); + + gss_maj = gss_display_status(&gss_min, maj, GSS_C_GSS_CODE, + GSS_C_NO_OID, &msg_ctx, &msg_maj); + if (gss_maj) { + goto done; + } + errstr = talloc_strndup(mem_ctx, + (char *)msg_maj.value, + msg_maj.length); + if (!errstr) { + goto done; + } + gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE, + (gss_OID)discard_const(gss_mech_krb5), + &msg_ctx, &msg_min); + if (gss_maj) { + goto done; + } + + errstr = talloc_strdup_append_buffer(errstr, ": "); + if (!errstr) { + goto done; + } + errstr = talloc_strndup_append_buffer(errstr, + (char *)msg_min.value, + msg_min.length); + if (!errstr) { + goto done; + } + +done: + if (msg_min.value) { + gss_release_buffer(&gss_min, &msg_min); + } + if (msg_maj.value) { + gss_release_buffer(&gss_min, &msg_maj); + } + return errstr; +} + +static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security) +{ + struct gse_context *gse_ctx; + struct cli_credentials *creds = gensec_get_credentials(gensec_security); + NTSTATUS nt_status; + OM_uint32 want_flags = 0; + bool do_sign = false, do_seal = false; + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *username = cli_credentials_get_username(creds); + const char *password = cli_credentials_get_password(creds); + const char *realm = cli_credentials_get_realm(creds); + + if (!hostname) { + DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n")); + return NT_STATUS_INVALID_PARAMETER; + } + if (is_ipaddress(hostname)) { + DEBUG(2, ("Cannot do GSE to an IP address\n")); + return NT_STATUS_INVALID_PARAMETER; + } + if (strcmp(hostname, "localhost") == 0) { + DEBUG(2, ("GSE to 'localhost' does not make sense\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { + do_sign = true; + } + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + do_sign = true; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + do_seal = true; + } + if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) { + want_flags |= GSS_C_DCE_STYLE; + } + + nt_status = gse_init_client(gensec_security, do_sign, do_seal, NULL, + hostname, service, realm, + username, password, want_flags, + &gse_ctx); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + gensec_security->private_data = gse_ctx; + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_server_start(struct gensec_security *gensec_security) +{ + struct gse_context *gse_ctx; + NTSTATUS nt_status; + OM_uint32 want_flags = 0; + bool do_sign = false, do_seal = false; + + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + do_sign = true; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + do_seal = true; + } + if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) { + want_flags |= GSS_C_DCE_STYLE; + } + + nt_status = gse_init_server(gensec_security, do_sign, do_seal, want_flags, + &gse_ctx); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + gensec_security->private_data = gse_ctx; + return NT_STATUS_OK; +} + +struct gensec_gse_update_state { + NTSTATUS status; + DATA_BLOB out; +}; + +static NTSTATUS gensec_gse_update_internal(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB in, + DATA_BLOB *out); + +static struct tevent_req *gensec_gse_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct gensec_security *gensec_security, + const DATA_BLOB in) +{ + struct tevent_req *req = NULL; + struct gensec_gse_update_state *state = NULL; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct gensec_gse_update_state); + if (req == NULL) { + return NULL; + } + + status = gensec_gse_update_internal(gensec_security, + state, in, + &state->out); + state->status = status; + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + tevent_req_done(req); + return tevent_req_post(req, ev); +} + +static NTSTATUS gensec_gse_update_internal(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB in, + DATA_BLOB *out) +{ + NTSTATUS status; + + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + status = gse_get_client_auth_token(mem_ctx, + gensec_security, + &in, out); + break; + case GENSEC_SERVER: + status = gse_get_server_auth_token(mem_ctx, + gensec_security, + &in, out); + break; + } + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_update_recv(struct tevent_req *req, + TALLOC_CTX *out_mem_ctx, + DATA_BLOB *out) +{ + struct gensec_gse_update_state *state = + tevent_req_data(req, + struct gensec_gse_update_state); + NTSTATUS status; + + *out = data_blob_null; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + *out = state->out; + talloc_steal(out_mem_ctx, state->out.data); + status = state->status; + tevent_req_received(req); + return status; +} + +static NTSTATUS gensec_gse_wrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token; + int conf_state; + input_token.length = in->length; + input_token.value = in->data; + + maj_stat = gss_wrap(&min_stat, + gse_ctx->gssapi_context, + gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL), + GSS_C_QOP_DEFAULT, + &input_token, + &conf_state, + &output_token); + if (GSS_ERROR(maj_stat)) { + DEBUG(0, ("gensec_gse_wrap: GSS Wrap failed: %s\n", + gse_errstr(talloc_tos(), maj_stat, min_stat))); + return NT_STATUS_ACCESS_DENIED; + } + + *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length); + gss_release_buffer(&min_stat, &output_token); + + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) + && !conf_state) { + return NT_STATUS_ACCESS_DENIED; + } + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_unwrap(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const DATA_BLOB *in, + DATA_BLOB *out) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token; + int conf_state; + gss_qop_t qop_state; + input_token.length = in->length; + input_token.value = in->data; + + maj_stat = gss_unwrap(&min_stat, + gse_ctx->gssapi_context, + &input_token, + &output_token, + &conf_state, + &qop_state); + if (GSS_ERROR(maj_stat)) { + DEBUG(0, ("gensec_gse_unwrap: GSS UnWrap failed: %s\n", + gse_errstr(talloc_tos(), maj_stat, min_stat))); + return NT_STATUS_ACCESS_DENIED; + } + + *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length); + gss_release_buffer(&min_stat, &output_token); + + if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) + && !conf_state) { + return NT_STATUS_ACCESS_DENIED; + } + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_seal_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + bool hdr_signing = false; + size_t sig_size = 0; + NTSTATUS status; + + if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + hdr_signing = true; + } + + sig_size = gensec_gse_sig_size(gensec_security, length); + + status = gssapi_seal_packet(gse_ctx->gssapi_context, + &gse_ctx->gss_mech, + hdr_signing, sig_size, + data, length, + whole_pdu, pdu_length, + mem_ctx, sig); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("gssapi_seal_packet(hdr_signing=%u,sig_size=%zu," + "data=%zu,pdu=%zu) failed: %s\n", + hdr_signing, sig_size, length, pdu_length, + nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_unseal_packet(struct gensec_security *gensec_security, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + bool hdr_signing = false; + NTSTATUS status; + + if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + hdr_signing = true; + } + + status = gssapi_unseal_packet(gse_ctx->gssapi_context, + &gse_ctx->gss_mech, + hdr_signing, + data, length, + whole_pdu, pdu_length, + sig); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("gssapi_unseal_packet(hdr_signing=%u,sig_size=%zu," + "data=%zu,pdu=%zu) failed: %s\n", + hdr_signing, sig->length, length, pdu_length, + nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_sign_packet(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + bool hdr_signing = false; + NTSTATUS status; + + if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + hdr_signing = true; + } + + status = gssapi_sign_packet(gse_ctx->gssapi_context, + &gse_ctx->gss_mech, + hdr_signing, + data, length, + whole_pdu, pdu_length, + mem_ctx, sig); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("gssapi_sign_packet(hdr_signing=%u," + "data=%zu,pdu=%zu) failed: %s\n", + hdr_signing, length, pdu_length, + nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gensec_gse_check_packet(struct gensec_security *gensec_security, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + bool hdr_signing = false; + NTSTATUS status; + + if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { + hdr_signing = true; + } + + status = gssapi_check_packet(gse_ctx->gssapi_context, + &gse_ctx->gss_mech, + hdr_signing, + data, length, + whole_pdu, pdu_length, + sig); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("gssapi_check_packet(hdr_signing=%u,sig_size=%zu" + "data=%zu,pdu=%zu) failed: %s\n", + hdr_signing, sig->length, length, pdu_length, + nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +/* Try to figure out what features we actually got on the connection */ +static bool gensec_gse_have_feature(struct gensec_security *gensec_security, + uint32_t feature) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + + if (feature & GENSEC_FEATURE_SESSION_KEY) { + return gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG; + } + if (feature & GENSEC_FEATURE_SIGN) { + return gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG; + } + if (feature & GENSEC_FEATURE_SEAL) { + return gse_ctx->gss_got_flags & GSS_C_CONF_FLAG; + } + if (feature & GENSEC_FEATURE_DCE_STYLE) { + return gse_ctx->gss_got_flags & GSS_C_DCE_STYLE; + } + if (feature & GENSEC_FEATURE_NEW_SPNEGO) { + NTSTATUS status; + uint32_t keytype; + + if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) { + return false; + } + + status = gssapi_get_session_key(talloc_tos(), + gse_ctx->gssapi_context, NULL, &keytype); + /* + * We should do a proper sig on the mechListMic unless + * we know we have to be backwards compatible with + * earlier windows versions. + * + * Negotiating a non-krb5 + * mech for example should be regarded as having + * NEW_SPNEGO + */ + if (NT_STATUS_IS_OK(status)) { + switch (keytype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_DES3_CBC_SHA1: + return false; + } + } + return true; + } + /* We can always do async (rather than strict request/reply) packets. */ + if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { + return true; + } + if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) { + return true; + } + return false; +} + +static NTTIME gensec_gse_expire_time(struct gensec_security *gensec_security) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + + return gse_ctx->expire_time; +} + +/* + * Extract the 'sesssion key' needed by SMB signing and ncacn_np + * (for encrypting some passwords). + * + * This breaks all the abstractions, but what do you expect... + */ +static NTSTATUS gensec_gse_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + + return gssapi_get_session_key(mem_ctx, gse_ctx->gssapi_context, session_key, NULL); +} + +/* Get some basic (and authorization) information about the user on + * this session. This uses either the PAC (if present) or a local + * database lookup */ +static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, + struct auth_session_info **_session_info) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + NTSTATUS nt_status; + TALLOC_CTX *tmp_ctx; + struct auth_session_info *session_info = NULL; + OM_uint32 maj_stat, min_stat; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; + + gss_buffer_desc name_token; + char *principal_string; + + tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gse_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + maj_stat = gss_display_name(&min_stat, + gse_ctx->client_name, + &name_token, + NULL); + if (GSS_ERROR(maj_stat)) { + DEBUG(1, ("GSS display_name failed: %s\n", + gse_errstr(talloc_tos(), maj_stat, min_stat))); + talloc_free(tmp_ctx); + return NT_STATUS_FOOBAR; + } + + principal_string = talloc_strndup(tmp_ctx, + (const char *)name_token.value, + name_token.length); + + gss_release_buffer(&min_stat, &name_token); + + if (!principal_string) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = gssapi_obtain_pac_blob(tmp_ctx, gse_ctx->gssapi_context, + gse_ctx->client_name, + &pac_blob); + + /* IF we have the PAC - otherwise we need to get this + * data from elsewere + */ + if (NT_STATUS_IS_OK(nt_status)) { + pac_blob_ptr = &pac_blob; + } + nt_status = gensec_generate_session_info_pac(tmp_ctx, + gensec_security, + NULL, + pac_blob_ptr, principal_string, + gensec_get_remote_address(gensec_security), + &session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + + nt_status = gensec_gse_session_key(gensec_security, session_info, + &session_info->session_key); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + + *_session_info = talloc_move(mem_ctx, &session_info); + talloc_free(tmp_ctx); + + return NT_STATUS_OK; +} + +static size_t gensec_gse_max_input_size(struct gensec_security *gensec_security) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + OM_uint32 maj_stat, min_stat; + OM_uint32 max_input_size; + + maj_stat = gss_wrap_size_limit(&min_stat, + gse_ctx->gssapi_context, + gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL), + GSS_C_QOP_DEFAULT, + gse_ctx->max_wrap_buf_size, + &max_input_size); + if (GSS_ERROR(maj_stat)) { + TALLOC_CTX *mem_ctx = talloc_new(NULL); + DEBUG(1, ("gensec_gssapi_max_input_size: determining signature size with gss_wrap_size_limit failed: %s\n", + gse_errstr(mem_ctx, maj_stat, min_stat))); + talloc_free(mem_ctx); + return 0; + } + + return max_input_size; +} + +/* Find out the maximum output size negotiated on this connection */ +static size_t gensec_gse_max_wrapped_size(struct gensec_security *gensec_security) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + return gse_ctx->max_wrap_buf_size; +} + +static size_t gensec_gse_sig_size(struct gensec_security *gensec_security, + size_t data_size) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + + if (gse_ctx->sig_size > 0) { + return gse_ctx->sig_size; + } + + gse_ctx->sig_size = gssapi_get_sig_size(gse_ctx->gssapi_context, + &gse_ctx->gss_mech, + gse_ctx->gss_got_flags, + data_size); + return gse_ctx->sig_size; +} + +static const char *gensec_gse_final_auth_type(struct gensec_security *gensec_security) +{ + struct gse_context *gse_ctx = + talloc_get_type_abort(gensec_security->private_data, + struct gse_context); + + /* Only return the string for GSSAPI/Krb5 */ + if (smb_gss_oid_equal(&gse_ctx->gss_mech, + gss_mech_krb5)) { + return GENSEC_FINAL_AUTH_TYPE_KRB5; + } else { + return "gensec_gse: UNKNOWN MECH"; + } +} + +static const char *gensec_gse_krb5_oids[] = { + GENSEC_OID_KERBEROS5_OLD, + GENSEC_OID_KERBEROS5, + NULL +}; + +const struct gensec_security_ops gensec_gse_krb5_security_ops = { + .name = "gse_krb5", + .auth_type = DCERPC_AUTH_TYPE_KRB5, + .oid = gensec_gse_krb5_oids, + .client_start = gensec_gse_client_start, + .server_start = gensec_gse_server_start, + .magic = gensec_magic_check_krb5_oid, + .update_send = gensec_gse_update_send, + .update_recv = gensec_gse_update_recv, + .session_key = gensec_gse_session_key, + .session_info = gensec_gse_session_info, + .sig_size = gensec_gse_sig_size, + .sign_packet = gensec_gse_sign_packet, + .check_packet = gensec_gse_check_packet, + .seal_packet = gensec_gse_seal_packet, + .unseal_packet = gensec_gse_unseal_packet, + .max_input_size = gensec_gse_max_input_size, + .max_wrapped_size = gensec_gse_max_wrapped_size, + .wrap = gensec_gse_wrap, + .unwrap = gensec_gse_unwrap, + .have_feature = gensec_gse_have_feature, + .expire_time = gensec_gse_expire_time, + .final_auth_type = gensec_gse_final_auth_type, + .enabled = true, + .kerberos = true, + .priority = GENSEC_GSSAPI +}; + +#endif /* HAVE_KRB5 */ diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h new file mode 100644 index 0000000..8618573 --- /dev/null +++ b/source3/librpc/crypto/gse.h @@ -0,0 +1,26 @@ +/* + * GSSAPI Security Extensions + * Copyright (C) Simo Sorce 2010. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _GSE_H_ +#define _GSE_H_ + +struct gse_context; + +extern const struct gensec_security_ops gensec_gse_krb5_security_ops; + +#endif /* _GSE_H_ */ diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c new file mode 100644 index 0000000..b4cec1e --- /dev/null +++ b/source3/librpc/crypto/gse_krb5.c @@ -0,0 +1,609 @@ +/* + * GSSAPI Security Extensions + * Krb5 helpers + * Copyright (C) Simo Sorce 2010. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "smb_krb5.h" +#include "secrets.h" +#include "librpc/gen_ndr/secrets.h" +#include "gse_krb5.h" +#include "lib/param/loadparm.h" +#include "libads/kerberos_proto.h" +#include "lib/util/string_wrappers.h" + +#ifdef HAVE_KRB5 + +static krb5_error_code flush_keytab(krb5_context krbctx, krb5_keytab keytab) +{ + krb5_error_code ret; + krb5_kt_cursor kt_cursor; + krb5_keytab_entry kt_entry; + + ZERO_STRUCT(kt_entry); + + ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor); + if (ret != 0) { + return ret; + } + + ret = krb5_kt_next_entry(krbctx, keytab, &kt_entry, &kt_cursor); + while (ret == 0) { + + /* we need to close and reopen enumeration because we modify + * the keytab */ + ret = krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor); + if (ret != 0) { + DEBUG(1, (__location__ ": krb5_kt_end_seq_get() " + "failed (%s)\n", error_message(ret))); + goto out; + } + + /* remove the entry */ + ret = krb5_kt_remove_entry(krbctx, keytab, &kt_entry); + if (ret != 0) { + DEBUG(1, (__location__ ": krb5_kt_remove_entry() " + "failed (%s)\n", error_message(ret))); + goto out; + } + smb_krb5_kt_free_entry(krbctx, &kt_entry); + ZERO_STRUCT(kt_entry); + + /* now reopen */ + ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor); + if (ret != 0) { + DEBUG(1, (__location__ ": krb5_kt_start_seq() failed " + "(%s)\n", error_message(ret))); + goto out; + } + + ret = krb5_kt_next_entry(krbctx, keytab, + &kt_entry, &kt_cursor); + } + + if (ret != KRB5_KT_END && ret != ENOENT) { + DEBUG(1, (__location__ ": flushing keytab we got [%s]!\n", + error_message(ret))); + } + + ret = krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor); + if (ret != 0) { + DEBUG(1, (__location__ ": krb5_kt_end_seq_get() " + "failed (%s)\n", error_message(ret))); + goto out; + } + ret = 0; + +out: + return ret; +} + +static krb5_error_code fill_keytab_from_password(krb5_context krbctx, + krb5_keytab keytab, + krb5_principal princ, + krb5_kvno vno, + struct secrets_domain_info1_password *pw) +{ + krb5_error_code ret; + krb5_enctype *enctypes; + uint16_t i; + + ret = smb_krb5_get_allowed_etypes(krbctx, &enctypes); + if (ret) { + DEBUG(1, (__location__ + ": Can't determine permitted enctypes!\n")); + return ret; + } + + for (i = 0; i < pw->num_keys; i++) { + krb5_keytab_entry kt_entry; + krb5_keyblock *key = NULL; + unsigned int ei; + bool found_etype = false; + + for (ei=0; enctypes[ei] != 0; ei++) { + if ((uint32_t)enctypes[ei] != pw->keys[i].keytype) { + continue; + } + + found_etype = true; + break; + } + + if (!found_etype) { + continue; + } + + ZERO_STRUCT(kt_entry); + kt_entry.principal = princ; + kt_entry.vno = vno; + + key = KRB5_KT_KEY(&kt_entry); + KRB5_KEY_TYPE(key) = pw->keys[i].keytype; + KRB5_KEY_DATA(key) = pw->keys[i].value.data; + KRB5_KEY_LENGTH(key) = pw->keys[i].value.length; + + ret = krb5_kt_add_entry(krbctx, keytab, &kt_entry); + if (ret) { + DEBUG(1, (__location__ ": Failed to add entry to " + "keytab for enctype %d (error: %s)\n", + (unsigned)pw->keys[i].keytype, + error_message(ret))); + goto out; + } + } + + ret = 0; + +out: + SAFE_FREE(enctypes); + return ret; +} + +#define SRV_MEM_KEYTAB_NAME "MEMORY:cifs_srv_keytab" +#define CLEARTEXT_PRIV_ENCTYPE -99 + +static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx, + krb5_keytab *keytab) +{ + TALLOC_CTX *frame = talloc_stackframe(); + krb5_error_code ret, ret2; + const char *domain = lp_workgroup(); + struct secrets_domain_info1 *info = NULL; + const char *realm = NULL; + const DATA_BLOB *ct = NULL; + krb5_kt_cursor kt_cursor; + krb5_keytab_entry kt_entry; + krb5_principal princ = NULL; + krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */ + NTSTATUS status; + + if (!secrets_init()) { + DEBUG(1, (__location__ ": secrets_init failed\n")); + TALLOC_FREE(frame); + return KRB5_CONFIG_CANTOPEN; + } + + status = secrets_fetch_or_upgrade_domain_info(domain, + frame, + &info); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("secrets_fetch_or_upgrade_domain_info(%s) - %s\n", + domain, nt_errstr(status)); + TALLOC_FREE(frame); + return KRB5_LIBOS_CANTREADPWD; + } + ct = &info->password->cleartext_blob; + + if (info->domain_info.dns_domain.string != NULL) { + realm = strupper_talloc(frame, + info->domain_info.dns_domain.string); + if (realm == NULL) { + TALLOC_FREE(frame); + return ENOMEM; + } + } + + ZERO_STRUCT(kt_entry); + ZERO_STRUCT(kt_cursor); + + /* check if the keytab already has any entry */ + ret = krb5_kt_start_seq_get(krbctx, *keytab, &kt_cursor); + if (ret != 0) { + goto out; + } + + /* check if we have our special enctype used to hold + * the clear text password. If so, check it out so that + * we can verify if the keytab needs to be upgraded */ + while ((ret = krb5_kt_next_entry(krbctx, *keytab, + &kt_entry, &kt_cursor)) == 0) { + if (smb_krb5_kt_get_enctype_from_entry(&kt_entry) == + CLEARTEXT_PRIV_ENCTYPE) { + break; + } + smb_krb5_kt_free_entry(krbctx, &kt_entry); + ZERO_STRUCT(kt_entry); + } + + ret2 = krb5_kt_end_seq_get(krbctx, *keytab, &kt_cursor); + if (ret2 != 0) { + ret = ret2; + DEBUG(1, (__location__ ": krb5_kt_end_seq_get() " + "failed (%s)\n", error_message(ret))); + goto out; + } + + if (ret != 0 && ret != KRB5_KT_END && ret != ENOENT ) { + /* Error parsing keytab */ + DEBUG(1, (__location__ ": Failed to parse memory " + "keytab!\n")); + goto out; + } + + if (ret == 0) { + /* found private entry, + * check if keytab is up to date */ + + if ((ct->length == KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry))) && + (mem_equal_const_time(KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)), + ct->data, ct->length))) { + /* keytab is already up to date, return */ + smb_krb5_kt_free_entry(krbctx, &kt_entry); + goto out; + } + + smb_krb5_kt_free_entry(krbctx, &kt_entry); + ZERO_STRUCT(kt_entry); + + + /* flush keytab, we need to regen it */ + ret = flush_keytab(krbctx, *keytab); + if (ret) { + DEBUG(1, (__location__ ": Failed to flush " + "memory keytab!\n")); + goto out; + } + } + + /* keytab is not up to date, fill it up */ + + ret = smb_krb5_make_principal(krbctx, &princ, realm, + info->account_name, NULL); + if (ret) { + DEBUG(1, (__location__ ": Failed to get host principal!\n")); + goto out; + } + + ret = fill_keytab_from_password(krbctx, *keytab, + princ, kvno, + info->password); + if (ret) { + DBG_WARNING("fill_keytab_from_password() failed for " + "info->password.\n."); + goto out; + } + + if (info->old_password != NULL) { + ret = fill_keytab_from_password(krbctx, *keytab, + princ, kvno - 1, + info->old_password); + if (ret) { + DBG_WARNING("fill_keytab_from_password() failed for " + "info->old_password.\n."); + goto out; + } + } + + if (info->older_password != NULL) { + ret = fill_keytab_from_password(krbctx, *keytab, + princ, kvno - 2, + info->older_password); + if (ret) { + DBG_WARNING("fill_keytab_from_password() failed for " + "info->older_password.\n."); + goto out; + } + } + + if (info->next_change != NULL) { + ret = fill_keytab_from_password(krbctx, *keytab, + princ, kvno - 3, + info->next_change->password); + if (ret) { + DBG_WARNING("fill_keytab_from_password() failed for " + "info->next_change->password.\n."); + goto out; + } + } + + /* add our private enctype + cleartext password so that we can + * update the keytab if secrets change later on */ + ZERO_STRUCT(kt_entry); + kt_entry.principal = princ; + kt_entry.vno = 0; + + KRB5_KEY_TYPE(KRB5_KT_KEY(&kt_entry)) = CLEARTEXT_PRIV_ENCTYPE; + KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry)) = ct->length; + KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)) = ct->data; + + ret = krb5_kt_add_entry(krbctx, *keytab, &kt_entry); + if (ret) { + DEBUG(1, (__location__ ": Failed to add entry to " + "keytab for private enctype (%d) (error: %s)\n", + CLEARTEXT_PRIV_ENCTYPE, error_message(ret))); + goto out; + } + + ret = 0; + +out: + + if (princ) { + krb5_free_principal(krbctx, princ); + } + + TALLOC_FREE(frame); + return ret; +} + +static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx, + krb5_keytab *mkeytab) +{ + krb5_error_code ret = 0; + krb5_keytab keytab = NULL; + krb5_kt_cursor kt_cursor = { 0, }; + krb5_keytab_entry kt_entry = { 0, }; + char *valid_princ_formats[7] = { NULL, NULL, NULL, + NULL, NULL, NULL, NULL }; + char *entry_princ_s = NULL; + fstring my_name, my_fqdn; + unsigned i; + int err; + + /* Generate the list of principal names which we expect + * clients might want to use for authenticating to the file + * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */ + + fstrcpy(my_name, lp_netbios_name()); + + my_fqdn[0] = '\0'; + name_to_fqdn(my_fqdn, lp_netbios_name()); + + err = asprintf(&valid_princ_formats[0], + "%s$@%s", my_name, lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + err = asprintf(&valid_princ_formats[1], + "host/%s@%s", my_name, lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + err = asprintf(&valid_princ_formats[2], + "host/%s@%s", my_fqdn, lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + err = asprintf(&valid_princ_formats[3], + "host/%s.%s@%s", my_name, lp_realm(), lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + err = asprintf(&valid_princ_formats[4], + "cifs/%s@%s", my_name, lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + err = asprintf(&valid_princ_formats[5], + "cifs/%s@%s", my_fqdn, lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + err = asprintf(&valid_princ_formats[6], + "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm()); + if (err == -1) { + ret = ENOMEM; + goto out; + } + + ret = smb_krb5_kt_open_relative(krbctx, NULL, false, &keytab); + if (ret) { + DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", + error_message(ret))); + goto out; + } + + /* + * Iterate through the keytab. For each key, if the principal + * name case-insensitively matches one of the allowed formats, + * copy it to the memory keytab. + */ + + ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor); + if (ret) { + DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n", + error_message(ret))); + /* + * krb5_kt_start_seq_get() may leaves bogus data + * in kt_cursor. And we want to use the all_zero() + * logic below. + * + * See bug #10490 + */ + ZERO_STRUCT(kt_cursor); + goto out; + } + + while ((krb5_kt_next_entry(krbctx, keytab, + &kt_entry, &kt_cursor) == 0)) { + ret = smb_krb5_unparse_name(talloc_tos(), krbctx, + kt_entry.principal, + &entry_princ_s); + if (ret) { + DEBUG(1, (__location__ ": smb_krb5_unparse_name " + "failed (%s)\n", error_message(ret))); + goto out; + } + + for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) { + + if (!strequal(entry_princ_s, valid_princ_formats[i])) { + continue; + } + + ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry); + if (ret) { + DEBUG(1, (__location__ ": smb_krb5_unparse_name " + "failed (%s)\n", error_message(ret))); + goto out; + } + } + + /* Free the name we parsed. */ + TALLOC_FREE(entry_princ_s); + + /* Free the entry we just read. */ + smb_krb5_kt_free_entry(krbctx, &kt_entry); + ZERO_STRUCT(kt_entry); + } + krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor); + + ZERO_STRUCT(kt_cursor); + +out: + + for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) { + SAFE_FREE(valid_princ_formats[i]); + } + + TALLOC_FREE(entry_princ_s); + + if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) { + smb_krb5_kt_free_entry(krbctx, &kt_entry); + } + + if (!all_zero((uint8_t *)&kt_cursor, sizeof(kt_cursor)) && keytab) { + krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor); + } + + if (keytab) { + krb5_kt_close(krbctx, keytab); + } + + return ret; +} + +static krb5_error_code fill_mem_keytab_from_dedicated_keytab(krb5_context krbctx, + krb5_keytab *mkeytab) +{ + krb5_error_code ret = 0; + krb5_keytab keytab = NULL; + krb5_kt_cursor kt_cursor; + krb5_keytab_entry kt_entry; + + ret = smb_krb5_kt_open(krbctx, lp_dedicated_keytab_file(), + false, &keytab); + if (ret) { + DEBUG(1, ("smb_krb5_kt_open of %s failed (%s)\n", + lp_dedicated_keytab_file(), + error_message(ret))); + return ret; + } + + /* + * Copy the dedicated keyab to our in-memory keytab. + */ + + ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor); + if (ret) { + DEBUG(1, (__location__ ": krb5_kt_start_seq_get on %s " + "failed (%s)\n", + lp_dedicated_keytab_file(), + error_message(ret))); + goto out; + } + + while ((krb5_kt_next_entry(krbctx, keytab, + &kt_entry, &kt_cursor) == 0)) { + + ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry); + + /* Free the entry we just read. */ + smb_krb5_kt_free_entry(krbctx, &kt_entry); + + if (ret) { + DEBUG(1, (__location__ ": smb_krb5_unparse_name " + "failed (%s)\n", error_message(ret))); + break; + } + } + krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor); + +out: + + krb5_kt_close(krbctx, keytab); + + return ret; +} + +krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx, + krb5_keytab *keytab) +{ + krb5_error_code ret = 0; + krb5_error_code ret1 = 0; + krb5_error_code ret2 = 0; + + *keytab = NULL; + + /* create memory keytab */ + ret = krb5_kt_resolve(krbctx, SRV_MEM_KEYTAB_NAME, keytab); + if (ret) { + DEBUG(1, (__location__ ": Failed to get memory " + "keytab!\n")); + return ret; + } + + switch (lp_kerberos_method()) { + default: + case KERBEROS_VERIFY_SECRETS: + ret = fill_mem_keytab_from_secrets(krbctx, keytab); + break; + case KERBEROS_VERIFY_SYSTEM_KEYTAB: + ret = fill_mem_keytab_from_system_keytab(krbctx, keytab); + break; + case KERBEROS_VERIFY_DEDICATED_KEYTAB: + /* just use whatever keytab is configured */ + ret = fill_mem_keytab_from_dedicated_keytab(krbctx, keytab); + break; + case KERBEROS_VERIFY_SECRETS_AND_KEYTAB: + ret1 = fill_mem_keytab_from_secrets(krbctx, keytab); + if (ret1) { + DEBUG(3, (__location__ ": Warning! Unable to set mem " + "keytab from secrets!\n")); + } + /* Now append system keytab keys too */ + ret2 = fill_mem_keytab_from_system_keytab(krbctx, keytab); + if (ret2) { + DEBUG(3, (__location__ ": Warning! Unable to set mem " + "keytab from system keytab!\n")); + } + if (ret1 == 0 || ret2 == 0) { + ret = 0; + } else { + ret = ret1; + } + break; + } + + if (ret) { + krb5_kt_close(krbctx, *keytab); + *keytab = NULL; + DEBUG(1,("%s: Error! Unable to set mem keytab - %d\n", + __location__, ret)); + } + + return ret; +} + +#endif /* HAVE_KRB5 */ diff --git a/source3/librpc/crypto/gse_krb5.h b/source3/librpc/crypto/gse_krb5.h new file mode 100644 index 0000000..ea789c9 --- /dev/null +++ b/source3/librpc/crypto/gse_krb5.h @@ -0,0 +1,30 @@ +/* + * GSSAPI Security Extensions + * Krb5 helpers + * Copyright (C) Simo Sorce 2010. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef _GSE_KRB5_H_ +#define _GSE_KRB5_H_ + +#ifdef HAVE_KRB5 + +krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx, + krb5_keytab *keytab); + +#endif /* HAVE_KRB5 */ + +#endif /* _GSE_KRB5_H_ */ |