source3/libads/authdata.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    kerberos authorization data (PAC) utility library
   4    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
   5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   6    Copyright (C) Andrew Tridgell 2001
   7    Copyright (C) Luke Howard 2002-2003
   8    Copyright (C) Stefan Metzmacher 2004-2005
   9    Copyright (C) Guenther Deschner 2005,2007,2008
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 #include "includes.h"
  26 #include "librpc/gen_ndr/ndr_krb5pac.h"
  27 #include "smb_krb5.h"
  28
  29 #ifdef HAVE_KRB5
  30
  31 /****************************************************************
  32 ****************************************************************/
  33
  34 static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
  35                                           DATA_BLOB pac_data,
  36                                           struct PAC_SIGNATURE_DATA *sig,
  37                                           krb5_context context,
  38                                           krb5_keyblock *keyblock)
  39 {
  40         krb5_error_code ret;
  41         krb5_checksum cksum;
  42         krb5_keyusage usage = 0;
  43
  44         smb_krb5_checksum_from_pac_sig(&cksum, sig);
  45
  46 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
  47         usage = KRB5_KU_OTHER_CKSUM;
  48 #elif defined(HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM) /* MIT */
  49         usage = KRB5_KEYUSAGE_APP_DATA_CKSUM;
  50 #else
  51 #error UNKNOWN_KRB5_KEYUSAGE
  52 #endif
  53
  54         ret = smb_krb5_verify_checksum(context,
  55                                        keyblock,
  56                                        usage,
  57                                        &cksum,
  58                                        pac_data.data,
  59                                        pac_data.length);
  60
  61         if (ret) {
  62                 DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
  63                         error_message(ret), ret));
  64                 return ret;
  65         }
  66
  67         return ret;
  68 }
  69
  70 /****************************************************************
  71 ****************************************************************/
  72
  73  NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx,
  74                          DATA_BLOB *pac_data_blob,
  75                          krb5_context context,
  76                          krb5_keyblock *service_keyblock,
  77                          krb5_const_principal client_principal,
  78                          time_t tgs_authtime,
  79                          struct PAC_DATA **pac_data_out)
  80 {
  81         NTSTATUS status;
  82         enum ndr_err_code ndr_err;
  83         krb5_error_code ret;
  84         DATA_BLOB modified_pac_blob;
  85
  86         NTTIME tgs_authtime_nttime;
  87         krb5_principal client_principal_pac = NULL;
  88         int i;
  89
  90         struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
  91         struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
  92         struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
  93         struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
  94         struct PAC_LOGON_NAME *logon_name = NULL;
  95         struct PAC_LOGON_INFO *logon_info = NULL;
  96         struct PAC_DATA *pac_data = NULL;
  97         struct PAC_DATA_RAW *pac_data_raw = NULL;
  98
  99         DATA_BLOB *srv_sig_blob = NULL;
 100         DATA_BLOB *kdc_sig_blob = NULL;
 101
 102         bool bool_ret;
 103
 104         *pac_data_out = NULL;
 105
 106         pac_data = TALLOC_ZERO_P(mem_ctx, struct PAC_DATA);
 107         pac_data_raw = TALLOC_ZERO_P(mem_ctx, struct PAC_DATA_RAW);
 108         kdc_sig_wipe = TALLOC_ZERO_P(mem_ctx, struct PAC_SIGNATURE_DATA);
 109         srv_sig_wipe = TALLOC_ZERO_P(mem_ctx, struct PAC_SIGNATURE_DATA);
 110         if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
 111                 return NT_STATUS_NO_MEMORY;
 112         }
 113
 114         ndr_err = ndr_pull_struct_blob(pac_data_blob, pac_data, pac_data,
 115                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
 116         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 117                 status = ndr_map_error2ntstatus(ndr_err);
 118                 DEBUG(0,("can't parse the PAC: %s\n",
 119                         nt_errstr(status)));
 120                 return status;
 121         }
 122
 123         if (pac_data->num_buffers < 4) {
 124                 /* we need logon_ingo, service_key and kdc_key */
 125                 DEBUG(0,("less than 4 PAC buffers\n"));
 126                 return NT_STATUS_INVALID_PARAMETER;
 127         }
 128
 129         ndr_err = ndr_pull_struct_blob(pac_data_blob, pac_data_raw, pac_data_raw,
 130                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
 131         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 132                 status = ndr_map_error2ntstatus(ndr_err);
 133                 DEBUG(0,("can't parse the PAC: %s\n",
 134                         nt_errstr(status)));
 135                 return status;
 136         }
 137
 138         if (pac_data_raw->num_buffers < 4) {
 139                 /* we need logon_ingo, service_key and kdc_key */
 140                 DEBUG(0,("less than 4 PAC buffers\n"));
 141                 return NT_STATUS_INVALID_PARAMETER;
 142         }
 143
 144         if (pac_data->num_buffers != pac_data_raw->num_buffers) {
 145                 /* we need logon_ingo, service_key and kdc_key */
 146                 DEBUG(0,("misparse!  PAC_DATA has %d buffers while PAC_DATA_RAW has %d\n",
 147                          pac_data->num_buffers, pac_data_raw->num_buffers));
 148                 return NT_STATUS_INVALID_PARAMETER;
 149         }
 150
 151         for (i=0; i < pac_data->num_buffers; i++) {
 152                 if (pac_data->buffers[i].type != pac_data_raw->buffers[i].type) {
 153                         DEBUG(0,("misparse!  PAC_DATA buffer %d has type %d while PAC_DATA_RAW has %d\n",
 154                                  i, pac_data->buffers[i].type, pac_data->buffers[i].type));
 155                         return NT_STATUS_INVALID_PARAMETER;
 156                 }
 157                 switch (pac_data->buffers[i].type) {
 158                         case PAC_TYPE_LOGON_INFO:
 159                                 if (!pac_data->buffers[i].info) {
 160                                         break;
 161                                 }
 162                                 logon_info = pac_data->buffers[i].info->logon_info.info;
 163                                 break;
 164                         case PAC_TYPE_SRV_CHECKSUM:
 165                                 if (!pac_data->buffers[i].info) {
 166                                         break;
 167                                 }
 168                                 srv_sig_ptr = &pac_data->buffers[i].info->srv_cksum;
 169                                 srv_sig_blob = &pac_data_raw->buffers[i].info->remaining;
 170                                 break;
 171                         case PAC_TYPE_KDC_CHECKSUM:
 172                                 if (!pac_data->buffers[i].info) {
 173                                         break;
 174                                 }
 175                                 kdc_sig_ptr = &pac_data->buffers[i].info->kdc_cksum;
 176                                 kdc_sig_blob = &pac_data_raw->buffers[i].info->remaining;
 177                                 break;
 178                         case PAC_TYPE_LOGON_NAME:
 179                                 logon_name = &pac_data->buffers[i].info->logon_name;
 180                                 break;
 181                         default:
 182                                 break;
 183                 }
 184         }
 185
 186         if (!logon_info) {
 187                 DEBUG(0,("PAC no logon_info\n"));
 188                 return NT_STATUS_INVALID_PARAMETER;
 189         }
 190
 191         if (!logon_name) {
 192                 DEBUG(0,("PAC no logon_name\n"));
 193                 return NT_STATUS_INVALID_PARAMETER;
 194         }
 195
 196         if (!srv_sig_ptr || !srv_sig_blob) {
 197                 DEBUG(0,("PAC no srv_key\n"));
 198                 return NT_STATUS_INVALID_PARAMETER;
 199         }
 200
 201         if (!kdc_sig_ptr || !kdc_sig_blob) {
 202                 DEBUG(0,("PAC no kdc_key\n"));
 203                 return NT_STATUS_INVALID_PARAMETER;
 204         }
 205
 206         /* Find and zero out the signatures, as required by the signing algorithm */
 207
 208         /* We find the data blobs above, now we parse them to get at the exact portion we should zero */
 209         ndr_err = ndr_pull_struct_blob(kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
 210                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
 211         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 212                 status = ndr_map_error2ntstatus(ndr_err);
 213                 DEBUG(0,("can't parse the KDC signature: %s\n",
 214                         nt_errstr(status)));
 215                 return status;
 216         }
 217
 218         ndr_err = ndr_pull_struct_blob(srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
 219                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
 220         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 221                 status = ndr_map_error2ntstatus(ndr_err);
 222                 DEBUG(0,("can't parse the SRV signature: %s\n",
 223                         nt_errstr(status)));
 224                 return status;
 225         }
 226
 227         /* Now zero the decoded structure */
 228         memset(kdc_sig_wipe->signature.data, '\0', kdc_sig_wipe->signature.length);
 229         memset(srv_sig_wipe->signature.data, '\0', srv_sig_wipe->signature.length);
 230
 231         /* and reencode, back into the same place it came from */
 232         ndr_err = ndr_push_struct_blob(kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
 233                                        (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
 234         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 235                 status = ndr_map_error2ntstatus(ndr_err);
 236                 DEBUG(0,("can't repack the KDC signature: %s\n",
 237                         nt_errstr(status)));
 238                 return status;
 239         }
 240         ndr_err = ndr_push_struct_blob(srv_sig_blob, pac_data_raw, srv_sig_wipe,
 241                                        (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
 242         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 243                 status = ndr_map_error2ntstatus(ndr_err);
 244                 DEBUG(0,("can't repack the SRV signature: %s\n",
 245                         nt_errstr(status)));
 246                 return status;
 247         }
 248
 249         /* push out the whole structure, but now with zero'ed signatures */
 250         ndr_err = ndr_push_struct_blob(&modified_pac_blob, pac_data_raw,
 251                                        pac_data_raw,
 252                                        (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
 253         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 254                 status = ndr_map_error2ntstatus(ndr_err);
 255                 DEBUG(0,("can't repack the RAW PAC: %s\n",
 256                         nt_errstr(status)));
 257                 return status;
 258         }
 259
 260         /* verify by service_key */
 261         ret = check_pac_checksum(mem_ctx,
 262                                  modified_pac_blob, srv_sig_ptr,
 263                                  context,
 264                                  service_keyblock);
 265         if (ret) {
 266                 DEBUG(1, ("PAC Decode: Failed to verify the service signature: %s\n",
 267                           error_message(ret)));
 268                 return NT_STATUS_ACCESS_DENIED;
 269         }
 270
 271         /* Convert to NT time, so as not to loose accuracy in comparison */
 272         unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
 273
 274         if (tgs_authtime_nttime != logon_name->logon_time) {
 275                 DEBUG(2, ("PAC Decode: Logon time mismatch between ticket and PAC!\n"));
 276                 DEBUG(2, ("PAC Decode: PAC: %s\n", nt_time_string(mem_ctx, logon_name->logon_time)));
 277                 DEBUG(2, ("PAC Decode: Ticket: %s\n", nt_time_string(mem_ctx, tgs_authtime_nttime)));
 278                 return NT_STATUS_ACCESS_DENIED;
 279         }
 280
 281         ret = smb_krb5_parse_name_norealm(context, logon_name->account_name,
 282                                     &client_principal_pac);
 283         if (ret) {
 284                 DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n",
 285                           logon_name->account_name,
 286                           error_message(ret)));
 287                 return NT_STATUS_INVALID_PARAMETER;
 288         }
 289
 290         bool_ret = smb_krb5_principal_compare_any_realm(
 291                 context, client_principal, client_principal_pac);
 292
 293         krb5_free_principal(context, client_principal_pac);
 294
 295         if (!bool_ret) {
 296                 DEBUG(2, ("Name in PAC [%s] does not match principal name in ticket\n",
 297                           logon_name->account_name));
 298                 return NT_STATUS_ACCESS_DENIED;
 299         }
 300
 301         DEBUG(3,("Found account name from PAC: %s [%s]\n",
 302                  logon_info->info3.base.account_name.string,
 303                  logon_info->info3.base.full_name.string));
 304
 305         DEBUG(10,("Successfully validated Kerberos PAC\n"));
 306
 307         if (DEBUGLEVEL >= 10) {
 308                 const char *s;
 309                 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_DATA, pac_data);
 310                 if (s) {
 311                         DEBUGADD(10,("%s\n", s));
 312                 }
 313         }
 314
 315         *pac_data_out = pac_data;
 316
 317         return NT_STATUS_OK;
 318 }
 319
 320 /****************************************************************
 321 Given a username, password and other details, return the
 322 PAC_LOGON_INFO (the structure containing the important user
 323 information such as groups).
 324 ****************************************************************/
 325
 326 NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 327                              const char *name,
 328                              const char *pass,
 329                              time_t time_offset,
 330                              time_t *expire_time,
 331                              time_t *renew_till_time,
 332                              const char *cache_name,
 333                              bool request_pac,
 334                              bool add_netbios_addr,
 335                              time_t renewable_time,
 336                              const char *impersonate_princ_s,
 337                              struct PAC_LOGON_INFO **logon_info)
 338 {
 339         krb5_error_code ret;
 340         NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
 341         DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
 342         char *client_princ_out = NULL;
 343         const char *auth_princ = NULL;
 344         const char *local_service = NULL;
 345         const char *cc = "MEMORY:kerberos_return_pac";
 346
 347         ZERO_STRUCT(tkt);
 348         ZERO_STRUCT(ap_rep);
 349         ZERO_STRUCT(sesskey1);
 350         ZERO_STRUCT(sesskey2);
 351
 352         if (!name || !pass) {
 353                 return NT_STATUS_INVALID_PARAMETER;
 354         }
 355
 356         if (cache_name) {
 357                 cc = cache_name;
 358         }
 359
 360         if (!strchr_m(name, '@')) {
 361                 auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
 362                         lp_realm());
 363         } else {
 364                 auth_princ = name;
 365         }
 366         NT_STATUS_HAVE_NO_MEMORY(auth_princ);
 367
 368         local_service = talloc_asprintf(mem_ctx, "%s$@%s",
 369                                         global_myname(), lp_realm());
 370         NT_STATUS_HAVE_NO_MEMORY(local_service);
 371
 372         ret = kerberos_kinit_password_ext(auth_princ,
 373                                           pass,
 374                                           time_offset,
 375                                           expire_time,
 376                                           renew_till_time,
 377                                           cc,
 378                                           request_pac,
 379                                           add_netbios_addr,
 380                                           renewable_time,
 381                                           &status);
 382         if (ret) {
 383                 DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
 384                         auth_princ, error_message(ret), ret));
 385                 /* status already set */
 386                 goto out;
 387         }
 388
 389         DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
 390         if (expire_time) {
 391                 DEBUGADD(10,("\tvalid until: %s (%d)\n",
 392                         http_timestring(talloc_tos(), *expire_time),
 393                         (int)*expire_time));
 394         }
 395         if (renew_till_time) {
 396                 DEBUGADD(10,("\trenewable till: %s (%d)\n",
 397                         http_timestring(talloc_tos(), *renew_till_time),
 398                         (int)*renew_till_time));
 399         }
 400
 401         /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
 402          * in that case fallback to NTLM - gd */
 403
 404         if (expire_time && renew_till_time &&
 405             (*expire_time == 0) && (*renew_till_time == 0)) {
 406                 return NT_STATUS_INVALID_LOGON_TYPE;
 407         }
 408
 409         ret = cli_krb5_get_ticket(local_service,
 410                                   time_offset,
 411                                   &tkt,
 412                                   &sesskey1,
 413                                   0,
 414                                   cc,
 415                                   NULL,
 416                                   impersonate_princ_s);
 417         if (ret) {
 418                 DEBUG(1,("failed to get ticket for %s: %s\n",
 419                         local_service, error_message(ret)));
 420                 if (impersonate_princ_s) {
 421                         DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
 422                                 impersonate_princ_s));
 423                 }
 424                 status = krb5_to_nt_status(ret);
 425                 goto out;
 426         }
 427         status = ads_verify_ticket(mem_ctx,
 428                                    lp_realm(),
 429                                    time_offset,
 430                                    &tkt,
 431                                    &client_princ_out,
 432                                    logon_info,
 433                                    &ap_rep,
 434                                    &sesskey2,
 435                                    False);
 436         if (!NT_STATUS_IS_OK(status)) {
 437                 DEBUG(1,("ads_verify_ticket failed: %s\n",
 438                         nt_errstr(status)));
 439                 goto out;
 440         }
 441
 442         if (!*logon_info) {
 443                 DEBUG(1,("no PAC\n"));
 444                 status = NT_STATUS_INVALID_PARAMETER;
 445                 goto out;
 446         }
 447
 448 out:
 449         if (cc != cache_name) {
 450                 ads_kdestroy(cc);
 451         }
 452
 453         data_blob_free(&tkt);
 454         data_blob_free(&ap_rep);
 455         data_blob_free(&sesskey1);
 456         data_blob_free(&sesskey2);
 457
 458         TALLOC_FREE(client_princ_out);
 459
 460         return status;
 461 }
 462
 463 #endif