1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
samba-mirror/source3/librpc/crypto/gse_krb5.c

635 lines
15 KiB
C
Raw Normal View History

/*
* GSSAPI Security Extensions
* Krb5 helpers
* Copyright (C) Simo Sorce 2010.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "smb_krb5.h"
#include "secrets.h"
#include "gse_krb5.h"
#include "lib/param/loadparm.h"
#include "libads/kerberos_proto.h"
#ifdef HAVE_KRB5
static krb5_error_code flush_keytab(krb5_context krbctx, krb5_keytab keytab)
{
krb5_error_code ret;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
ZERO_STRUCT(kt_entry);
ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
if (ret == KRB5_KT_END || ret == ENOENT ) {
/* no entries */
return 0;
}
ret = krb5_kt_next_entry(krbctx, keytab, &kt_entry, &kt_cursor);
while (ret == 0) {
/* we need to close and reopen enumeration because we modify
* the keytab */
ret = krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
if (ret) {
DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
"failed (%s)\n", error_message(ret)));
goto out;
}
/* remove the entry */
ret = krb5_kt_remove_entry(krbctx, keytab, &kt_entry);
if (ret) {
DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
"failed (%s)\n", error_message(ret)));
goto out;
}
ret = smb_krb5_kt_free_entry(krbctx, &kt_entry);
ZERO_STRUCT(kt_entry);
/* now reopen */
ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
if (ret) {
DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
"(%s)\n", error_message(ret)));
goto out;
}
ret = krb5_kt_next_entry(krbctx, keytab,
&kt_entry, &kt_cursor);
}
if (ret != KRB5_KT_END && ret != ENOENT) {
DEBUG(1, (__location__ ": flushing keytab we got [%s]!\n",
error_message(ret)));
}
ret = 0;
out:
return ret;
}
static krb5_error_code get_host_principal(krb5_context krbctx,
krb5_principal *host_princ)
{
krb5_error_code ret;
char *host_princ_s = NULL;
int err;
err = asprintf(&host_princ_s, "%s$@%s", lp_netbios_name(), lp_realm());
if (err == -1) {
return -1;
}
if (!strlower_m(host_princ_s)) {
SAFE_FREE(host_princ_s);
return -1;
}
ret = smb_krb5_parse_name(krbctx, host_princ_s, host_princ);
if (ret) {
DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
"failed (%s)\n",
host_princ_s, error_message(ret)));
}
SAFE_FREE(host_princ_s);
return ret;
}
static krb5_error_code fill_keytab_from_password(krb5_context krbctx,
krb5_keytab keytab,
krb5_principal princ,
krb5_kvno vno,
krb5_data *password)
{
krb5_error_code ret;
krb5_enctype *enctypes;
krb5_keytab_entry kt_entry;
unsigned int i;
ret = smb_krb5_get_allowed_etypes(krbctx, &enctypes);
if (ret) {
DEBUG(1, (__location__
": Can't determine permitted enctypes!\n"));
return ret;
}
for (i = 0; enctypes[i]; i++) {
krb5_keyblock *key = NULL;
krb5_principal salt_princ = NULL;
char *salt_princ_s;
char *princ_s;
int rc;
if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
ret = ENOMEM;
goto out;
}
ret = krb5_unparse_name(krbctx, princ, &princ_s);
if (ret != 0) {
SAFE_FREE(key);
continue;
}
salt_princ_s = kerberos_fetch_salt_princ_for_host_princ(krbctx,
princ_s,
enctypes[i]);
SAFE_FREE(princ_s);
if (salt_princ_s == NULL) {
SAFE_FREE(key);
continue;
}
ret = krb5_parse_name(krbctx, salt_princ_s, &salt_princ);
SAFE_FREE(salt_princ_s);
if (ret != 0) {
SAFE_FREE(key);
continue;
}
rc = create_kerberos_key_from_string(krbctx,
princ,
salt_princ,
password,
key,
enctypes[i],
false);
krb5_free_principal(krbctx, salt_princ);
if (rc != 0) {
DEBUG(10, ("Failed to create key for enctype %d "
"(error: %s)\n",
enctypes[i], error_message(ret)));
SAFE_FREE(key);
continue;
}
kt_entry.principal = princ;
kt_entry.vno = vno;
*(KRB5_KT_KEY(&kt_entry)) = *key;
ret = krb5_kt_add_entry(krbctx, keytab, &kt_entry);
if (ret) {
DEBUG(1, (__location__ ": Failed to add entry to "
"keytab for enctype %d (error: %s)\n",
enctypes[i], error_message(ret)));
krb5_free_keyblock(krbctx, key);
goto out;
}
krb5_free_keyblock(krbctx, key);
}
ret = 0;
out:
SAFE_FREE(enctypes);
return ret;
}
#define SRV_MEM_KEYTAB_NAME "MEMORY:cifs_srv_keytab"
#define CLEARTEXT_PRIV_ENCTYPE -99
static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
krb5_keytab *keytab)
{
krb5_error_code ret;
char *pwd = NULL;
size_t pwd_len;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
krb5_data password;
krb5_principal princ = NULL;
krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
char *pwd_old = NULL;
if (!secrets_init()) {
DEBUG(1, (__location__ ": secrets_init failed\n"));
return KRB5_CONFIG_CANTOPEN;
}
pwd = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (!pwd) {
DEBUG(2, (__location__ ": failed to fetch machine password\n"));
return KRB5_LIBOS_CANTREADPWD;
}
pwd_len = strlen(pwd);
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
/* check if the keytab already has any entry */
ret = krb5_kt_start_seq_get(krbctx, *keytab, &kt_cursor);
if (ret != KRB5_KT_END && ret != ENOENT ) {
/* check if we have our special enctype used to hold
* the clear text password. If so, check it out so that
* we can verify if the keytab needs to be upgraded */
while ((ret = krb5_kt_next_entry(krbctx, *keytab,
&kt_entry, &kt_cursor)) == 0) {
if (smb_krb5_kt_get_enctype_from_entry(&kt_entry) ==
CLEARTEXT_PRIV_ENCTYPE) {
break;
}
smb_krb5_kt_free_entry(krbctx, &kt_entry);
ZERO_STRUCT(kt_entry);
}
if (ret != 0 && ret != KRB5_KT_END && ret != ENOENT ) {
/* Error parsing keytab */
DEBUG(1, (__location__ ": Failed to parse memory "
"keytab!\n"));
goto out;
}
if (ret == 0) {
/* found private entry,
* check if keytab is up to date */
if ((pwd_len == KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry))) &&
(memcmp(KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)),
pwd, pwd_len) == 0)) {
/* keytab is already up to date, return */
smb_krb5_kt_free_entry(krbctx, &kt_entry);
goto out;
}
smb_krb5_kt_free_entry(krbctx, &kt_entry);
ZERO_STRUCT(kt_entry);
/* flush keytab, we need to regen it */
ret = flush_keytab(krbctx, *keytab);
if (ret) {
DEBUG(1, (__location__ ": Failed to flush "
"memory keytab!\n"));
goto out;
}
}
}
{
krb5_kt_cursor zero_csr;
ZERO_STRUCT(zero_csr);
if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && *keytab) {
krb5_kt_end_seq_get(krbctx, *keytab, &kt_cursor);
}
}
/* keytab is not up to date, fill it up */
ret = get_host_principal(krbctx, &princ);
if (ret) {
DEBUG(1, (__location__ ": Failed to get host principal!\n"));
goto out;
}
password.data = pwd;
password.length = pwd_len;
ret = fill_keytab_from_password(krbctx, *keytab,
princ, kvno, &password);
if (ret) {
DEBUG(1, (__location__ ": Failed to fill memory keytab!\n"));
goto out;
}
pwd_old = secrets_fetch_prev_machine_password(lp_workgroup());
if (!pwd_old) {
DEBUG(10, (__location__ ": no prev machine password\n"));
} else {
password.data = pwd_old;
password.length = strlen(pwd_old);
ret = fill_keytab_from_password(krbctx, *keytab,
princ, kvno -1, &password);
if (ret) {
DEBUG(1, (__location__
": Failed to fill memory keytab!\n"));
goto out;
}
}
/* add our private enctype + cleartext password so that we can
* update the keytab if secrets change later on */
ZERO_STRUCT(kt_entry);
kt_entry.principal = princ;
kt_entry.vno = 0;
KRB5_KEY_TYPE(KRB5_KT_KEY(&kt_entry)) = CLEARTEXT_PRIV_ENCTYPE;
KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry)) = pwd_len;
KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)) = (uint8_t *)pwd;
ret = krb5_kt_add_entry(krbctx, *keytab, &kt_entry);
if (ret) {
DEBUG(1, (__location__ ": Failed to add entry to "
"keytab for private enctype (%d) (error: %s)\n",
CLEARTEXT_PRIV_ENCTYPE, error_message(ret)));
goto out;
}
ret = 0;
out:
SAFE_FREE(pwd);
SAFE_FREE(pwd_old);
{
krb5_kt_cursor zero_csr;
ZERO_STRUCT(zero_csr);
if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && *keytab) {
krb5_kt_end_seq_get(krbctx, *keytab, &kt_cursor);
}
}
if (princ) {
krb5_free_principal(krbctx, princ);
}
return ret;
}
static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
krb5_keytab *mkeytab)
{
krb5_error_code ret = 0;
krb5_keytab keytab = NULL;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
char *valid_princ_formats[7] = { NULL, NULL, NULL,
NULL, NULL, NULL, NULL };
char *entry_princ_s = NULL;
fstring my_name, my_fqdn;
unsigned i;
int err;
/* Generate the list of principal names which we expect
* clients might want to use for authenticating to the file
* service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
fstrcpy(my_name, lp_netbios_name());
my_fqdn[0] = '\0';
name_to_fqdn(my_fqdn, lp_netbios_name());
err = asprintf(&valid_princ_formats[0],
"%s$@%s", my_name, lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
err = asprintf(&valid_princ_formats[1],
"host/%s@%s", my_name, lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
err = asprintf(&valid_princ_formats[2],
"host/%s@%s", my_fqdn, lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
err = asprintf(&valid_princ_formats[3],
"host/%s.%s@%s", my_name, lp_realm(), lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
err = asprintf(&valid_princ_formats[4],
"cifs/%s@%s", my_name, lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
err = asprintf(&valid_princ_formats[5],
"cifs/%s@%s", my_fqdn, lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
err = asprintf(&valid_princ_formats[6],
"cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
if (err == -1) {
ret = ENOMEM;
goto out;
}
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
ret = smb_krb5_kt_open(krbctx, NULL, false, &keytab);
if (ret) {
DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
error_message(ret)));
goto out;
}
/*
* Iterate through the keytab. For each key, if the principal
* name case-insensitively matches one of the allowed formats,
* copy it to the memory keytab.
*/
ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
if (ret) {
DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
error_message(ret)));
goto out;
}
while ((krb5_kt_next_entry(krbctx, keytab,
&kt_entry, &kt_cursor) == 0)) {
ret = smb_krb5_unparse_name(talloc_tos(), krbctx,
kt_entry.principal,
&entry_princ_s);
if (ret) {
DEBUG(1, (__location__ ": smb_krb5_unparse_name "
"failed (%s)\n", error_message(ret)));
goto out;
}
for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
if (!strequal(entry_princ_s, valid_princ_formats[i])) {
continue;
}
ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry);
if (ret) {
DEBUG(1, (__location__ ": smb_krb5_unparse_name "
"failed (%s)\n", error_message(ret)));
goto out;
}
}
/* Free the name we parsed. */
TALLOC_FREE(entry_princ_s);
/* Free the entry we just read. */
smb_krb5_kt_free_entry(krbctx, &kt_entry);
ZERO_STRUCT(kt_entry);
}
krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
ZERO_STRUCT(kt_cursor);
out:
for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
SAFE_FREE(valid_princ_formats[i]);
}
TALLOC_FREE(entry_princ_s);
{
krb5_keytab_entry zero_kt_entry;
ZERO_STRUCT(zero_kt_entry);
if (memcmp(&zero_kt_entry, &kt_entry,
sizeof(krb5_keytab_entry))) {
smb_krb5_kt_free_entry(krbctx, &kt_entry);
}
}
{
krb5_kt_cursor zero_csr;
ZERO_STRUCT(zero_csr);
if ((memcmp(&kt_cursor, &zero_csr,
sizeof(krb5_kt_cursor)) != 0) && keytab) {
krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
}
}
if (keytab) {
krb5_kt_close(krbctx, keytab);
}
return ret;
}
static krb5_error_code fill_mem_keytab_from_dedicated_keytab(krb5_context krbctx,
krb5_keytab *mkeytab)
{
krb5_error_code ret = 0;
krb5_keytab keytab = NULL;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
ret = smb_krb5_kt_open(krbctx, lp_dedicated_keytab_file(),
false, &keytab);
if (ret) {
DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
error_message(ret)));
return ret;
}
/*
* Iterate through the keytab. For each key, if the principal
* name case-insensitively matches one of the allowed formats,
* copy it to the memory keytab.
*/
ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
if (ret) {
DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
error_message(ret)));
goto out;
}
while ((krb5_kt_next_entry(krbctx, keytab,
&kt_entry, &kt_cursor) == 0)) {
ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry);
/* Free the entry we just read. */
smb_krb5_kt_free_entry(krbctx, &kt_entry);
if (ret) {
DEBUG(1, (__location__ ": smb_krb5_unparse_name "
"failed (%s)\n", error_message(ret)));
break;
}
}
krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
out:
krb5_kt_close(krbctx, keytab);
return ret;
}
krb5_error_code gse_krb5_get_server_keytab(krb5_context krbctx,
krb5_keytab *keytab)
{
krb5_error_code ret = 0;
krb5_error_code ret1 = 0;
krb5_error_code ret2 = 0;
*keytab = NULL;
/* create memory keytab */
ret = krb5_kt_resolve(krbctx, SRV_MEM_KEYTAB_NAME, keytab);
if (ret) {
DEBUG(1, (__location__ ": Failed to get memory "
"keytab!\n"));
return ret;
}
switch (lp_kerberos_method()) {
default:
case KERBEROS_VERIFY_SECRETS:
ret = fill_mem_keytab_from_secrets(krbctx, keytab);
break;
case KERBEROS_VERIFY_SYSTEM_KEYTAB:
ret = fill_mem_keytab_from_system_keytab(krbctx, keytab);
break;
case KERBEROS_VERIFY_DEDICATED_KEYTAB:
/* just use whatever keytab is configured */
ret = fill_mem_keytab_from_dedicated_keytab(krbctx, keytab);
break;
case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
ret1 = fill_mem_keytab_from_secrets(krbctx, keytab);
if (ret1) {
DEBUG(3, (__location__ ": Warning! Unable to set mem "
"keytab from secrets!\n"));
}
/* Now append system keytab keys too */
ret2 = fill_mem_keytab_from_system_keytab(krbctx, keytab);
if (ret2) {
DEBUG(3, (__location__ ": Warning! Unable to set mem "
"keytab from system keytab!\n"));
}
if (ret1 == 0 || ret2 == 0) {
ret = 0;
} else {
ret = ret1;
}
break;
}
if (ret) {
krb5_kt_close(krbctx, *keytab);
*keytab = NULL;
DEBUG(1,("%s: Error! Unable to set mem keytab - %d\n",
__location__, ret));
}
return ret;
}
#endif /* HAVE_KRB5 */