search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
drsuapi.idl: fix source_dsa spelling
[samba4-gss.git] / auth / kerberos / kerberos_pac.c
blob4c61cfe838ffccb218f4499563c46645ada3ad9a
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos authorization data (PAC) utility library
4 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Luke Howard 2002-2003
8 Copyright (C) Stefan Metzmacher 2004-2005
9 Copyright (C) Guenther Deschner 2005,2007,2008
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_AUTH
29
30 #ifdef HAVE_KRB5
31
32 #include "librpc/gen_ndr/ndr_krb5pac.h"
33 #include "librpc/gen_ndr/auth.h"
34 #include "auth/common_auth.h"
35 #include "auth/kerberos/pac_utils.h"
36 #include "lib/krb5_wrap/krb5_samba.h"
37
38 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
39 struct PAC_SIGNATURE_DATA *sig,
40 krb5_context context,
41 const krb5_keyblock *keyblock)
42 {
43 krb5_error_code ret;
44 krb5_checksum cksum;
45 krb5_keyusage usage = 0;
46 krb5_boolean checksum_valid = false;
47 krb5_data input;
48 size_t idx = 0;
49 struct {
50 krb5_cksumtype cksum_type;
51 krb5_enctype enc_type;
52 } supported_types[] = {
53 {CKSUMTYPE_HMAC_SHA1_96_AES_256, ENCTYPE_AES256_CTS_HMAC_SHA1_96},
54 {CKSUMTYPE_HMAC_SHA1_96_AES_128, ENCTYPE_AES128_CTS_HMAC_SHA1_96},
55 /* RFC8009 types. Not supported by AD yet but used by FreeIPA and MIT Kerberos */
56 {CKSUMTYPE_HMAC_SHA256_128_AES128, ENCTYPE_AES128_CTS_HMAC_SHA256_128},
57 {CKSUMTYPE_HMAC_SHA384_192_AES256, ENCTYPE_AES256_CTS_HMAC_SHA384_192},
58 {0, 0},
59 };
60
61 for(idx = 0; supported_types[idx].cksum_type != 0; idx++) {
62 if (sig->type == supported_types[idx].cksum_type) {
63 if (KRB5_KEY_TYPE(keyblock) != supported_types[idx].enc_type) {
64 return EINVAL;
65 }
66 /* ok */
67 break;
68 }
69 }
70
71 /* do not do key type check for HMAC-MD5 */
72 if ((sig->type != CKSUMTYPE_HMAC_MD5) &&
73 (supported_types[idx].cksum_type == 0)) {
74 DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
75 (int)sig->type));
76 return EINVAL;
77 }
78
79 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
80 cksum.cksumtype = (krb5_cksumtype)sig->type;
81 cksum.checksum.length = sig->signature.length;
82 cksum.checksum.data = sig->signature.data;
83 #else /* MIT */
84 cksum.checksum_type = (krb5_cksumtype)sig->type;
85 cksum.length = sig->signature.length;
86 cksum.contents = sig->signature.data;
87 #endif
88
89 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
90 usage = KRB5_KU_OTHER_CKSUM;
91 #elif defined(HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM) /* MIT */
92 usage = KRB5_KEYUSAGE_APP_DATA_CKSUM;
93 #else
94 #error UNKNOWN_KRB5_KEYUSAGE
95 #endif
96
97 input.data = (char *)pac_data.data;
98 input.length = pac_data.length;
99
100 ret = krb5_c_verify_checksum(context,
101 keyblock,
102 usage,
103 &input,
104 &cksum,
105 &checksum_valid);
106 if (!checksum_valid) {
107 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
108 }
109 if (ret){
110 DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
111 error_message(ret), ret));
112 return ret;
113 }
114
115 return ret;
116 }
117
118 /**
119 * @brief Decode a blob containing a NDR encoded PAC structure
120 *
121 * @param mem_ctx - The memory context
122 * @param pac_data_blob - The data blob containing the NDR encoded data
123 * @param context - The Kerberos Context
124 * @param service_keyblock - The Service Key used to verify the checksum
125 * @param client_principal - The client principal
126 * @param tgs_authtime - The ticket timestamp
127 * @param pac_data_out - [out] The decoded PAC
128 *
129 * @return - A NTSTATUS error code
130 */
131 NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
132 DATA_BLOB pac_data_blob,
133 krb5_context context,
134 const krb5_keyblock *krbtgt_keyblock,
135 const krb5_keyblock *service_keyblock,
136 krb5_const_principal client_principal,
137 time_t tgs_authtime,
138 struct PAC_DATA **pac_data_out)
139 {
140 NTSTATUS status = NT_STATUS_NO_MEMORY;
141 enum ndr_err_code ndr_err;
142 krb5_error_code ret;
143 DATA_BLOB modified_pac_blob;
144
145 NTTIME tgs_authtime_nttime;
146 int i;
147
148 struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
149 struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
150 struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
151 struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
152 struct PAC_LOGON_NAME *logon_name = NULL;
153 struct PAC_LOGON_INFO *logon_info = NULL;
154 struct PAC_DATA *pac_data = NULL;
155 struct PAC_DATA_RAW *pac_data_raw = NULL;
156
157 DATA_BLOB *srv_sig_blob = NULL;
158 DATA_BLOB *kdc_sig_blob = NULL;
159
160 bool bool_ret;
161
162 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
163 if (!tmp_ctx) {
164 return NT_STATUS_NO_MEMORY;
165 }
166
167 if (pac_data_out) {
168 *pac_data_out = NULL;
169 }
170
171 pac_data = talloc(tmp_ctx, struct PAC_DATA);
172 pac_data_raw = talloc(tmp_ctx, struct PAC_DATA_RAW);
173 kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
174 srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
175 if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
176 status = NT_STATUS_NO_MEMORY;
177 goto out;
178 }
179
180 ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
181 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
182 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
183 status = ndr_map_error2ntstatus(ndr_err);
184 DEBUG(0,("can't parse the PAC: %s\n",
185 nt_errstr(status)));
186 goto out;
187 }
188
189 if (pac_data->num_buffers < 4) {
190 /* we need logon_info, service_key and kdc_key */
191 DEBUG(0,("less than 4 PAC buffers\n"));
192 status = NT_STATUS_INVALID_PARAMETER;
193 goto out;
194 }
195
196 ndr_err = ndr_pull_struct_blob(
197 &pac_data_blob, pac_data_raw, pac_data_raw,
198 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
199 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
200 status = ndr_map_error2ntstatus(ndr_err);
201 DEBUG(0,("can't parse the PAC: %s\n",
202 nt_errstr(status)));
203 goto out;
204 }
205
206 if (pac_data_raw->num_buffers < 4) {
207 /* we need logon_info, service_key and kdc_key */
208 DEBUG(0,("less than 4 PAC buffers\n"));
209 status = NT_STATUS_INVALID_PARAMETER;
210 goto out;
211 }
212
213 if (pac_data->num_buffers != pac_data_raw->num_buffers) {
214 /* we need logon_info, service_key and kdc_key */
215 DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
216 "PAC_DATA_RAW has %d\n", pac_data->num_buffers,
217 pac_data_raw->num_buffers));
218 status = NT_STATUS_INVALID_PARAMETER;
219 goto out;
220 }
221
222 for (i=0; i < pac_data->num_buffers; i++) {
223 struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
224 struct PAC_BUFFER_RAW *raw_buf = &pac_data_raw->buffers[i];
225
226 if (data_buf->type != raw_buf->type) {
227 DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
228 "%d while PAC_DATA_RAW has %d\n", i,
229 data_buf->type, raw_buf->type));
230 status = NT_STATUS_INVALID_PARAMETER;
231 goto out;
232 }
233 switch (data_buf->type) {
234 case PAC_TYPE_LOGON_INFO:
235 if (!data_buf->info) {
236 break;
237 }
238 logon_info = data_buf->info->logon_info.info;
239 break;
240 case PAC_TYPE_SRV_CHECKSUM:
241 if (!data_buf->info) {
242 break;
243 }
244 srv_sig_ptr = &data_buf->info->srv_cksum;
245 srv_sig_blob = &raw_buf->info->remaining;
246 break;
247 case PAC_TYPE_KDC_CHECKSUM:
248 if (!data_buf->info) {
249 break;
250 }
251 kdc_sig_ptr = &data_buf->info->kdc_cksum;
252 kdc_sig_blob = &raw_buf->info->remaining;
253 break;
254 case PAC_TYPE_LOGON_NAME:
255 logon_name = &data_buf->info->logon_name;
256 break;
257 default:
258 break;
259 }
260 }
261
262 if (!logon_info) {
263 DEBUG(0,("PAC no logon_info\n"));
264 status = NT_STATUS_INVALID_PARAMETER;
265 goto out;
266 }
267
268 if (!logon_name) {
269 DEBUG(0,("PAC no logon_name\n"));
270 status = NT_STATUS_INVALID_PARAMETER;
271 goto out;
272 }
273
274 if (!srv_sig_ptr || !srv_sig_blob) {
275 DEBUG(0,("PAC no srv_key\n"));
276 status = NT_STATUS_INVALID_PARAMETER;
277 goto out;
278 }
279
280 if (!kdc_sig_ptr || !kdc_sig_blob) {
281 DEBUG(0,("PAC no kdc_key\n"));
282 status = NT_STATUS_INVALID_PARAMETER;
283 goto out;
284 }
285
286 /* Find and zero out the signatures,
287 * as required by the signing algorithm */
288
289 /* We find the data blobs above,
290 * now we parse them to get at the exact portion we should zero */
291 ndr_err = ndr_pull_struct_blob(
292 kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
293 (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
294 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
295 status = ndr_map_error2ntstatus(ndr_err);
296 DEBUG(0,("can't parse the KDC signature: %s\n",
297 nt_errstr(status)));
298 goto out;
299 }
300
301 ndr_err = ndr_pull_struct_blob(
302 srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
303 (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
304 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
305 status = ndr_map_error2ntstatus(ndr_err);
306 DEBUG(0,("can't parse the SRV signature: %s\n",
307 nt_errstr(status)));
308 goto out;
309 }
310
311 /* Now zero the decoded structure */
312 memset(kdc_sig_wipe->signature.data,
313 '\0', kdc_sig_wipe->signature.length);
314 memset(srv_sig_wipe->signature.data,
315 '\0', srv_sig_wipe->signature.length);
316
317 /* and re-encode, back into the same place it came from */
318 ndr_err = ndr_push_struct_blob(
319 kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
320 (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
321 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
322 status = ndr_map_error2ntstatus(ndr_err);
323 DEBUG(0,("can't repack the KDC signature: %s\n",
324 nt_errstr(status)));
325 goto out;
326 }
327 ndr_err = ndr_push_struct_blob(
328 srv_sig_blob, pac_data_raw, srv_sig_wipe,
329 (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
330 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
331 status = ndr_map_error2ntstatus(ndr_err);
332 DEBUG(0,("can't repack the SRV signature: %s\n",
333 nt_errstr(status)));
334 goto out;
335 }
336
337 /* push out the whole structure, but now with zero'ed signatures */
338 ndr_err = ndr_push_struct_blob(
339 &modified_pac_blob, pac_data_raw, pac_data_raw,
340 (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
341 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
342 status = ndr_map_error2ntstatus(ndr_err);
343 DEBUG(0,("can't repack the RAW PAC: %s\n",
344 nt_errstr(status)));
345 goto out;
346 }
347
348 if (service_keyblock) {
349 /* verify by service_key */
350 ret = check_pac_checksum(modified_pac_blob, srv_sig_ptr,
351 context,
352 service_keyblock);
353 if (ret) {
354 DEBUG(5, ("PAC Decode: Failed to verify the service "
355 "signature: %s\n", error_message(ret)));
356 status = NT_STATUS_ACCESS_DENIED;
357 goto out;
358 }
359
360 if (krbtgt_keyblock) {
361 /* verify the service key checksum by krbtgt_key */
362 ret = check_pac_checksum(srv_sig_ptr->signature, kdc_sig_ptr,
363 context, krbtgt_keyblock);
364 if (ret) {
365 DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
366 smb_get_krb5_error_message(context, ret, tmp_ctx)));
367 status = NT_STATUS_ACCESS_DENIED;
368 goto out;
369 }
370 }
371 }
372
373 if (tgs_authtime) {
374 /* Convert to NT time, so as not to lose accuracy in comparison */
375 unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
376
377 if (tgs_authtime_nttime != logon_name->logon_time) {
378 DEBUG(2, ("PAC Decode: "
379 "Logon time mismatch between ticket and PAC!\n"));
380 DEBUG(2, ("PAC Decode: PAC: %s\n",
381 nt_time_string(tmp_ctx, logon_name->logon_time)));
382 DEBUG(2, ("PAC Decode: Ticket: %s\n",
383 nt_time_string(tmp_ctx, tgs_authtime_nttime)));
384 status = NT_STATUS_ACCESS_DENIED;
385 goto out;
386 }
387 }
388
389 if (client_principal) {
390 char *client_principal_string;
391 ret = krb5_unparse_name_flags(context, client_principal,
392 KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
393 &client_principal_string);
394 if (ret) {
395 DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
396 logon_name->account_name, error_message(ret)));
397 status = NT_STATUS_INVALID_PARAMETER;
398 goto out;
399 }
400
401 bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
402
403 if (!bool_ret) {
404 DEBUG(2, ("Name in PAC [%s] does not match principal name "
405 "in ticket [%s]\n",
406 logon_name->account_name,
407 client_principal_string));
408 SAFE_FREE(client_principal_string);
409 status = NT_STATUS_ACCESS_DENIED;
410 goto out;
411 }
412 SAFE_FREE(client_principal_string);
413
414 }
415
416 DEBUG(3,("Found account name from PAC: %s [%s]\n",
417 logon_info->info3.base.account_name.string,
418 logon_info->info3.base.full_name.string));
419
420 DEBUG(10,("Successfully validated Kerberos PAC\n"));
421
422 if (DEBUGLEVEL >= 10) {
423 const char *s;
424 s = NDR_PRINT_STRUCT_STRING(tmp_ctx, PAC_DATA, pac_data);
425 if (s) {
426 DEBUGADD(10,("%s\n", s));
427 }
428 }
429
430 if (pac_data_out) {
431 *pac_data_out = talloc_move(mem_ctx, &pac_data);
432 }
433
434 status = NT_STATUS_OK;
435
436 out:
437
438 TALLOC_FREE(tmp_ctx);
439 return status;
440 }
441
442 NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
443 DATA_BLOB blob,
444 krb5_context context,
445 const krb5_keyblock *krbtgt_keyblock,
446 const krb5_keyblock *service_keyblock,
447 krb5_const_principal client_principal,
448 time_t tgs_authtime,
449 struct PAC_LOGON_INFO **logon_info)
450 {
451 NTSTATUS nt_status;
452 struct PAC_DATA *pac_data;
453 int i;
454 nt_status = kerberos_decode_pac(mem_ctx,
455 blob,
456 context,
457 krbtgt_keyblock,
458 service_keyblock,
459 client_principal,
460 tgs_authtime,
461 &pac_data);
462 if (!NT_STATUS_IS_OK(nt_status)) {
463 return nt_status;
464 }
465
466 *logon_info = NULL;
467 for (i=0; i < pac_data->num_buffers; i++) {
468 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
469 continue;
470 }
471 *logon_info = pac_data->buffers[i].info->logon_info.info;
472 }
473 if (!*logon_info) {
474 return NT_STATUS_INVALID_PARAMETER;
475 }
476 return NT_STATUS_OK;
477 }
478
479 static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
480 struct auth4_context *auth_ctx,
481 TALLOC_CTX *mem_ctx,
482 struct smb_krb5_context *smb_krb5_context,
483 DATA_BLOB *pac_blob,
484 const char *princ_name,
485 const struct tsocket_address *remote_address,
486 uint32_t session_info_flags,
487 struct auth_session_info **session_info)
488 {
489 struct PAC_DATA_CTR *pac_data_ctr = NULL;
490 NTSTATUS status;
491
492 if (pac_blob == NULL) {
493 return NT_STATUS_NO_IMPERSONATION_TOKEN;
494 }
495
496 pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
497 if (pac_data_ctr == NULL) {
498 status = NT_STATUS_NO_MEMORY;
499 goto fail;
500 }
501
502 status = kerberos_decode_pac(pac_data_ctr,
503 *pac_blob,
504 NULL,
505 NULL,
506 NULL,
507 NULL,
508 0,
509 &pac_data_ctr->pac_data);
510 if (!NT_STATUS_IS_OK(status)) {
511 goto fail;
512 }
513
514 pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
515 pac_blob->data,
516 pac_blob->length);
517 if (pac_data_ctr->pac_blob.length != pac_blob->length) {
518 status = NT_STATUS_NO_MEMORY;
519 goto fail;
520 }
521
522 *session_info = talloc_zero(mem_ctx, struct auth_session_info);
523 if (*session_info == NULL) {
524 status = NT_STATUS_NO_MEMORY;
525 goto fail;
526 }
527
528 TALLOC_FREE(auth_ctx->private_data);
529 auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
530
531 return NT_STATUS_OK;
532
533 fail:
534 TALLOC_FREE(pac_data_ctr);
535
536 return status;
537 }
538
539 struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
540 {
541 struct auth4_context *auth_ctx = NULL;
542
543 auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
544 if (auth_ctx == NULL) {
545 return NULL;
546 }
547 auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
548
549 return auth_ctx;
550 }
551
552 struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
553 TALLOC_CTX *mem_ctx)
554 {
555 struct PAC_DATA_CTR *p = NULL;
556 SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
557 p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
558 auth_ctx->private_data = NULL;
559 return talloc_move(mem_ctx, &p);
560 }
561
562 #endif
GSS-enabled samba4