sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code
v4-20-stable
samba-mirror/lib/krb5_wrap/krb5_samba.h
Alexander Bokovoy 215bb9bd48 Do not fail checksums for RFC8009 types 
While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8e931fce12)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224
2024-04-16 12:24:55 +00:00

472 lines
15 KiB
C
Raw Permalink Blame History

/*
Unix SMB/CIFS implementation.
simple kerberos5 routines for active directory
Copyright (C) Andrew Tridgell 2001
Copyright (C) Luke Howard 2002-2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
Copyright (C) Guenther Deschner 2005-2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _KRB5_SAMBA_H
#define _KRB5_SAMBA_H
#include "lib/util/data_blob.h"
#include "libcli/util/ntstatus.h"
#ifdef HAVE_KRB5
#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
/* this file uses DEPRECATED interfaces! */
#ifdef KRB5_DEPRECATED
#undef KRB5_DEPRECATED
#endif
#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
#define KRB5_DEPRECATED 1
#else
#define KRB5_DEPRECATED
#endif
#include "system/kerberos.h"
#include "system/network.h"
#ifndef KRB5_ADDR_NETBIOS
#define KRB5_ADDR_NETBIOS 0x14
#endif
#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
#endif
/* Heimdal uses a slightly different name */
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
#endif
#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
#define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
#endif
/* The older versions of heimdal that don't have this
define don't seem to use it anyway. I'm told they
always use a subkey */
#ifndef HAVE_AP_OPTS_USE_SUBKEY
#define AP_OPTS_USE_SUBKEY 0
#endif
#ifndef KRB5_PW_SALT
#define KRB5_PW_SALT 3
#endif
/* CKSUMTYPE_HMAC_MD5 in Heimdal
CKSUMTYPE_HMAC_MD5_ARCFOUR in MIT */
#if defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && !defined(CKSUMTYPE_HMAC_MD5)
#define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
#endif
/*
* CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal
* CKSUMTYPE_HMAC_SHA1_96_AES* in MIT
*/
#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
#endif
#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
#endif
/*
* RFC8009 encryption types' defines have different names:
*
* KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 in Heimdal
* ENCTYPE_AES128_CTS_HMAC_SHA256_128 in MIT
*
* and
*
* KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 in Heimdal
* ENCTYPE_AES256_CTS_HMAC_SHA384_192 in MIT
*/
#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA256_128)
#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
#endif
#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA384_192)
#define ENCTYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
#endif
/*
* Same for older encryption types, rename to have the same defines
*/
#if !defined(ENCTYPE_AES128_CTS_HMAC_SHA1_96)
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
#endif
#if !defined(ENCTYPE_AES256_CTS_HMAC_SHA1_96)
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
#endif
/*
* KRB5_KU_OTHER_ENCRYPTED in Heimdal
* KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
*/
#if defined(KRB5_KEYUSAGE_APP_DATA_ENCRYPT) && !defined(KRB5_KU_OTHER_ENCRYPTED)
#define KRB5_KU_OTHER_ENCRYPTED KRB5_KEYUSAGE_APP_DATA_ENCRYPT
#endif
typedef struct {
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
krb5_address **addrs;
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
krb5_addresses *addrs;
#else
#error UNKNOWN_KRB5_ADDRESS_TYPE
#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
} smb_krb5_addresses;
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
#define KRB5_KT_KEY(k) (&(k)->key)
#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK) /* Heimdal */
#define KRB5_KT_KEY(k) (&(k)->keyblock)
#else
#error krb5_keytab_entry has no key or keyblock member
#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
/* work around broken krb5.h on sles9 */
#ifdef SIZEOF_LONG
#undef SIZEOF_LONG
#endif
#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
#define KRB5_KEY_TYPE(k) ((k)->keytype)
#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
#define KRB5_KEY_DATA_CAST void
#else /* MIT */
#define KRB5_KEY_TYPE(k) ((k)->enctype)
#define KRB5_KEY_LENGTH(k) ((k)->length)
#define KRB5_KEY_DATA(k) ((k)->contents)
#define KRB5_KEY_DATA_CAST krb5_octet
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
#define KRB5_ERROR_CODE(k) ((k)->error_code)
#else /* MIT */
#define KRB5_ERROR_CODE(k) ((k)->error)
#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
#ifndef HAVE_KRB5_CONST_PAC
#ifdef KRB5_CONST_PAC_GET_BUFFER
typedef const struct krb5_pac_data *krb5_const_pac;
#else
/*
* Certain Heimdal versions include a version of krb5_pac_get_buffer() that is
* unusable in certain cases, taking a krb5_pac when a krb5_const_pac may be all
* that we can supply. Furthermore, MIT Kerberos doesn't declare krb5_const_pac
* at all. In such cases, we must declare krb5_const_pac as a non-const typedef
* so that the build can succeed.
*/
typedef struct krb5_pac_data *krb5_const_pac;
#endif
#endif
krb5_error_code smb_krb5_parse_name(krb5_context context,
const char *name, /* in unix charset */
krb5_principal *principal);
krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_const_principal principal,
char **unix_name);
krb5_error_code smb_krb5_init_context_common(krb5_context *_krb5_context);
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
#endif
#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
void krb5_free_unparsed_name(krb5_context ctx, char *val);
#endif
#if !defined(HAVE_KRB5_FREE_ENCTYPES)
void krb5_free_enctypes(krb5_context context, krb5_enctype *val);
#endif
#if !defined(HAVE_KRB5_FREE_STRING)
void krb5_free_string(krb5_context context, char *val);
#endif
/* Stub out initialize_krb5_error_table since it is not present in all
* Kerberos implementations. If it's not present, it's not necessary to
* call it.
*/
#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
#define initialize_krb5_error_table()
#endif
/* Samba wrapper functions for krb5 functionality. */
bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
krb5_address *pkaddr);
krb5_error_code smb_krb5_mk_error(krb5_context context,
krb5_error_code error_code,
const char *e_text,
krb5_data *e_data,
const krb5_principal client,
const krb5_principal server,
krb5_data *enc_err);
krb5_error_code smb_krb5_get_allowed_etypes(krb5_context context,
krb5_enctype **enctypes);
bool smb_krb5_get_smb_session_key(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_auth_context auth_context,
DATA_BLOB *session_key,
bool remote);
krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
void smb_krb5_free_data_contents(krb5_context context, krb5_data *pdata);
krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr,
const char *netbios_name);
krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
krb5_enctype smb_krb5_kt_get_enctype_from_entry(krb5_keytab_entry *kt_entry);
krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
krb5_enctype enctype,
char **etype_s);
krb5_error_code smb_krb5_kt_open_relative(krb5_context context,
const char *keytab_name_req,
bool write_access,
krb5_keytab *keytab);
krb5_error_code smb_krb5_kt_open(krb5_context context,
const char *keytab_name,
bool write_access,
krb5_keytab *keytab);
krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_keytab keytab,
const char **keytab_name);
krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
krb5_keytab keytab,
bool keep_old_kvno,
krb5_kvno kvno,
bool enctype_only,
krb5_enctype enctype,
const char *princ_s,
krb5_principal princ,
bool flush);
krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
krb5_keytab keytab,
krb5_kvno kvno,
const char *princ_s,
const char *salt_principal,
krb5_enctype enctype,
krb5_data *password,
bool no_salt);
krb5_error_code smb_krb5_get_credentials(krb5_context context,
krb5_ccache ccache,
krb5_principal me,
krb5_principal server,
krb5_principal impersonate_princ,
krb5_creds **out_creds);
krb5_error_code smb_krb5_keyblock_init_contents(krb5_context context,
krb5_enctype enctype,
const void *data,
size_t length,
krb5_keyblock *key);
krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
krb5_ccache cc,
krb5_principal principal,
krb5_keyblock *keyblock,
const char *target_service,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
krb5_ccache cc,
krb5_principal principal,
const char *password,
const char *target_service,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_ccache store_cc,
krb5_principal init_principal,
const char *init_password,
krb5_principal impersonate_principal,
const char *self_service,
const char *target_service,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
#elif defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
krb5_error_code smb_krb5_make_principal(krb5_context context,
krb5_principal *principal,
const char *realm, ...);
#else
#error krb5_make_principal not available
#endif
#if defined(HAVE_KRB5_CC_GET_LIFETIME)
#define smb_krb5_cc_get_lifetime krb5_cc_get_lifetime
#elif defined(HAVE_KRB5_CC_RETRIEVE_CRED)
krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
krb5_ccache id,
time_t *t);
#else
#error krb5_cc_get_lifetime not available
#endif
#if defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS)
#define smb_krb5_free_checksum_contents krb5_free_checksum_contents
#elif defined (HAVE_FREE_CHECKSUM)
void smb_krb5_free_checksum_contents(krb5_context ctx, krb5_checksum *cksum);
#else
#error krb5_free_checksum_contents/free_Checksum is not available
#endif
krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
DATA_BLOB *pac_data,
krb5_context context,
const krb5_keyblock *keyblock,
uint32_t *sig_type,
DATA_BLOB *sig_blob);
char *smb_krb5_principal_get_realm(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_const_principal principal);
void smb_krb5_principal_set_type(krb5_context context,
krb5_principal principal,
int type);
int smb_krb5_principal_is_tgs(krb5_context context,
krb5_const_principal principal);
krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
krb5_principal principal,
const char *realm);
char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
const char *hostname,
const char *client_realm);
char *smb_get_krb5_error_message(krb5_context context,
krb5_error_code code,
TALLOC_CTX *mem_ctx);
#if defined(HAVE_KRB5_KT_COMPARE)
#define smb_krb5_kt_compare krb5_kt_compare
#else
krb5_boolean smb_krb5_kt_compare(krb5_context context,
krb5_keytab_entry *entry,
krb5_const_principal principal,
krb5_kvno vno,
krb5_enctype enctype);
#endif
const krb5_enctype *samba_all_enctypes(void);
uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap);
krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
uint32_t enctype_bitmap,
krb5_enctype **enctypes);
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
int smb_krb5_salt_principal(krb5_context krb5_ctx,
const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
krb5_principal *salt_princ);
int smb_krb5_salt_principal_str(const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
TALLOC_CTX *mem_ctx,
char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
const char *salt_principal,
TALLOC_CTX *mem_ctx,
char **_salt_data);
int smb_krb5_create_key_from_string(krb5_context context,
krb5_const_principal host_princ,
const krb5_data *salt,
const krb5_data *password,
krb5_enctype enctype,
krb5_keyblock *key);
#ifndef krb5_princ_size
#if defined(HAVE_KRB5_PRINCIPAL_GET_NUM_COMP)
#define krb5_princ_size krb5_principal_get_num_comp
#else
#error krb5_princ_size unavailable
#endif
#endif
krb5_error_code smb_krb5_principal_get_comp_string(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_const_principal principal,
unsigned int component,
char **out);
krb5_error_code smb_krb5_copy_data_contents(krb5_data *p,
const void *data,
size_t len);
krb5_data smb_krb5_make_data(void *data,
size_t len);
krb5_data smb_krb5_data_from_blob(DATA_BLOB blob);
int smb_krb5_principal_get_type(krb5_context context,
krb5_const_principal principal);
#if !defined(HAVE_KRB5_WARNX)
krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
PRINTF_ATTRIBUTE(2, 0);
#endif
krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
krb5_ccache incc, krb5_ccache outcc);
#endif /* HAVE_KRB5 */
int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
const char *principal,
time_t time_offset,
DATA_BLOB *ticket,
DATA_BLOB *session_key_krb5,
uint32_t extra_ap_opts, const char *ccname,
time_t *tgs_expire,
const char *impersonate_princ_s);
NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
#endif /* _KRB5_SAMBA_H */
View Git Blame Copy Permalink