libcli/auth/krb5_wrap.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2011
   7    Copyright (C) Guenther Deschner 2005-2009
   8    Copyright (C) Simo Sorce 2010.
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #ifdef HAVE_KRB5
  26
  27 #include "libcli/auth/krb5_wrap.h"
  28 #include "librpc/gen_ndr/krb5pac.h"
  29
  30 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
  31 int create_kerberos_key_from_string_direct(krb5_context context,
  32                                                   krb5_principal host_princ,
  33                                                   krb5_data *password,
  34                                                   krb5_keyblock *key,
  35                                                   krb5_enctype enctype)
  36 {
  37         int ret = 0;
  38         krb5_data salt;
  39         krb5_encrypt_block eblock;
  40
  41         ret = krb5_principal2salt(context, host_princ, &salt);
  42         if (ret) {
  43                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
  44                 return ret;
  45         }
  46         krb5_use_enctype(context, &eblock, enctype);
  47         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
  48         SAFE_FREE(salt.data);
  49
  50         return ret;
  51 }
  52 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
  53 int create_kerberos_key_from_string_direct(krb5_context context,
  54                                                   krb5_principal host_princ,
  55                                                   krb5_data *password,
  56                                                   krb5_keyblock *key,
  57                                                   krb5_enctype enctype)
  58 {
  59         int ret;
  60         krb5_salt salt;
  61
  62         ret = krb5_get_pw_salt(context, host_princ, &salt);
  63         if (ret) {
  64                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
  65                 return ret;
  66         }
  67
  68         ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
  69         krb5_free_salt(context, salt);
  70
  71         return ret;
  72 }
  73 #else
  74 #error UNKNOWN_CREATE_KEY_FUNCTIONS
  75 #endif
  76
  77  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
  78 {
  79 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
  80         if (pdata->data) {
  81                 krb5_free_data_contents(context, pdata);
  82         }
  83 #elif defined(HAVE_KRB5_DATA_FREE)
  84         krb5_data_free(context, pdata);
  85 #else
  86         SAFE_FREE(pdata->data);
  87 #endif
  88 }
  89
  90
  91  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
  92 {
  93 /* Try krb5_free_keytab_entry_contents first, since
  94  * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
  95  * krb5_kt_free_entry but only has a prototype for the first, while the
  96  * second is considered private.
  97  */
  98 #if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
  99         return krb5_free_keytab_entry_contents(context, kt_entry);
 100 #elif defined(HAVE_KRB5_KT_FREE_ENTRY)
 101         return krb5_kt_free_entry(context, kt_entry);
 102 #else
 103 #error UNKNOWN_KT_FREE_FUNCTION
 104 #endif
 105 }
 106
 107 /**************************************************************
 108  Wrappers around kerberos string functions that convert from
 109  utf8 -> unix charset and vica versa.
 110 **************************************************************/
 111
 112 /**************************************************************
 113  krb5_parse_name that takes a UNIX charset.
 114 **************************************************************/
 115
 116  krb5_error_code smb_krb5_parse_name(krb5_context context,
 117                                 const char *name, /* in unix charset */
 118                                 krb5_principal *principal)
 119 {
 120         krb5_error_code ret;
 121         char *utf8_name;
 122         size_t converted_size;
 123         TALLOC_CTX *frame = talloc_stackframe();
 124
 125         if (!push_utf8_talloc(frame, &utf8_name, name, &converted_size)) {
 126                 talloc_free(frame);
 127                 return ENOMEM;
 128         }
 129
 130         ret = krb5_parse_name(context, utf8_name, principal);
 131         TALLOC_FREE(frame);
 132         return ret;
 133 }
 134
 135 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 136 static void krb5_free_unparsed_name(krb5_context context, char *val)
 137 {
 138         SAFE_FREE(val);
 139 }
 140 #endif
 141
 142 /**************************************************************
 143  krb5_parse_name that returns a UNIX charset name. Must
 144  be freed with talloc_free() call.
 145 **************************************************************/
 146
 147 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 148                                       krb5_context context,
 149                                       krb5_const_principal principal,
 150                                       char **unix_name)
 151 {
 152         krb5_error_code ret;
 153         char *utf8_name;
 154         size_t converted_size;
 155
 156         *unix_name = NULL;
 157         ret = krb5_unparse_name(context, principal, &utf8_name);
 158         if (ret) {
 159                 return ret;
 160         }
 161
 162         if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
 163                 krb5_free_unparsed_name(context, utf8_name);
 164                 return ENOMEM;
 165         }
 166         krb5_free_unparsed_name(context, utf8_name);
 167         return 0;
 168 }
 169
 170  krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
 171                                             const char *name,
 172                                             krb5_principal *principal)
 173 {
 174 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
 175         return smb_krb5_parse_name_norealm_conv(context, name, principal);
 176 #endif
 177
 178         /* we are cheating here because parse_name will in fact set the realm.
 179          * We don't care as the only caller of smb_krb5_parse_name_norealm
 180          * ignores the realm anyway when calling
 181          * smb_krb5_principal_compare_any_realm later - Guenther */
 182
 183         return smb_krb5_parse_name(context, name, principal);
 184 }
 185
 186  bool smb_krb5_principal_compare_any_realm(krb5_context context,
 187                                           krb5_const_principal princ1,
 188                                           krb5_const_principal princ2)
 189 {
 190         return krb5_principal_compare_any_realm(context, princ1, princ2);
 191 }
 192
 193  void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
 194                                      struct PAC_SIGNATURE_DATA *sig)
 195 {
 196 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
 197         cksum->cksumtype        = (krb5_cksumtype)sig->type;
 198         cksum->checksum.length  = sig->signature.length;
 199         cksum->checksum.data    = sig->signature.data;
 200 #else
 201         cksum->checksum_type    = (krb5_cksumtype)sig->type;
 202         cksum->length           = sig->signature.length;
 203         cksum->contents         = sig->signature.data;
 204 #endif
 205 }
 206
 207  krb5_error_code smb_krb5_verify_checksum(krb5_context context,
 208                                           const krb5_keyblock *keyblock,
 209                                          krb5_keyusage usage,
 210                                          krb5_checksum *cksum,
 211                                          uint8_t *data,
 212                                          size_t length)
 213 {
 214         krb5_error_code ret;
 215
 216         /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
 217
 218         krb5_boolean checksum_valid = false;
 219         krb5_data input;
 220
 221         input.data = (char *)data;
 222         input.length = length;
 223
 224         ret = krb5_c_verify_checksum(context,
 225                                      keyblock,
 226                                      usage,
 227                                      &input,
 228                                      cksum,
 229                                      &checksum_valid);
 230         if (ret) {
 231                 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
 232                          error_message(ret)));
 233                 return ret;
 234         }
 235
 236         if (!checksum_valid)
 237                 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 238
 239         return ret;
 240 }
 241
 242 char *gssapi_error_string(TALLOC_CTX *mem_ctx,
 243                           OM_uint32 maj_stat, OM_uint32 min_stat,
 244                           const gss_OID mech)
 245 {
 246         OM_uint32 disp_min_stat, disp_maj_stat;
 247         gss_buffer_desc maj_error_message;
 248         gss_buffer_desc min_error_message;
 249         char *maj_error_string, *min_error_string;
 250         OM_uint32 msg_ctx = 0;
 251
 252         char *ret;
 253
 254         maj_error_message.value = NULL;
 255         min_error_message.value = NULL;
 256         maj_error_message.length = 0;
 257         min_error_message.length = 0;
 258
 259         disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
 260                            mech, &msg_ctx, &maj_error_message);
 261         disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
 262                            mech, &msg_ctx, &min_error_message);
 263
 264         maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
 265
 266         min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
 267
 268         ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
 269
 270         talloc_free(maj_error_string);
 271         talloc_free(min_error_string);
 272
 273         gss_release_buffer(&disp_min_stat, &maj_error_message);
 274         gss_release_buffer(&disp_min_stat, &min_error_message);
 275
 276         return ret;
 277 }
 278
 279
 280  char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
 281 {
 282         char *ret;
 283
 284 #if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
 285         const char *context_error = krb5_get_error_message(context, code);
 286         if (context_error) {
 287                 ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
 288                 krb5_free_error_message(context, context_error);
 289                 return ret;
 290         }
 291 #endif
 292         ret = talloc_strdup(mem_ctx, error_message(code));
 293         return ret;
 294 }
 295
 296 #endif