sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code
6b580f7368
samba-mirror/source4/kdc/mit-kdb/kdb_samba_principals.c
Joseph Sutton 3e773a3954 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less 
This matches the behaviour of Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00

398 lines
9.5 KiB
C
Raw Blame History

/*
Unix SMB/CIFS implementation.
Samba KDB plugin for MIT Kerberos
Copyright (c) 2010 Simo Sorce <idra@samba.org>.
Copyright (c) 2014 Andreas Schneider <asn@samba.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "system/kerberos.h"
#include <profile.h>
#include <kdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/mit_samba.h"
#include "kdb_samba.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_KERBEROS
#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
krb5_error_code ks_get_principal(krb5_context context,
krb5_const_principal principal,
unsigned int kflags,
krb5_db_entry **kentry)
{
struct mit_samba_context *mit_ctx;
krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
code = mit_samba_get_principal(mit_ctx,
principal,
kflags,
kentry);
if (code != 0) {
goto cleanup;
}
cleanup:
return code;
}
static void ks_free_principal_e_data(krb5_context context, krb5_octet *e_data)
{
struct samba_kdc_entry *skdc_entry;
skdc_entry = talloc_get_type_abort(e_data,
struct samba_kdc_entry);
skdc_entry->kdc_entry = NULL;
TALLOC_FREE(skdc_entry);
}
void ks_free_principal(krb5_context context, krb5_db_entry *entry)
{
krb5_tl_data *tl_data_next = NULL;
krb5_tl_data *tl_data = NULL;
size_t i, j;
if (entry != NULL) {
krb5_free_principal(context, entry->princ);
for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
tl_data_next = tl_data->tl_data_next;
if (tl_data->tl_data_contents != NULL) {
free(tl_data->tl_data_contents);
}
free(tl_data);
}
if (entry->key_data != NULL) {
for (i = 0; i < entry->n_key_data; i++) {
for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
if (entry->key_data[i].key_data_length[j] != 0) {
if (entry->key_data[i].key_data_contents[j] != NULL) {
memset(entry->key_data[i].key_data_contents[j], 0, entry->key_data[i].key_data_length[j]);
free(entry->key_data[i].key_data_contents[j]);
}
}
entry->key_data[i].key_data_contents[j] = NULL;
entry->key_data[i].key_data_length[j] = 0;
entry->key_data[i].key_data_type[j] = 0;
}
}
free(entry->key_data);
}
if (entry->e_data) {
ks_free_principal_e_data(context, entry->e_data);
}
free(entry);
}
}
static krb5_boolean ks_is_master_key_principal(krb5_context context,
krb5_const_principal princ)
{
return krb5_princ_size(context, princ) == 2 &&
ks_data_eq_string(princ->data[0], "K") &&
ks_data_eq_string(princ->data[1], "M");
}
static krb5_error_code ks_get_master_key_principal(krb5_context context,
krb5_const_principal princ,
krb5_db_entry **kentry_ptr)
{
krb5_error_code code;
krb5_key_data *key_data;
krb5_timestamp now;
krb5_db_entry *kentry;
*kentry_ptr = NULL;
kentry = calloc(1, sizeof(krb5_db_entry));
if (kentry == NULL) {
return ENOMEM;
}
kentry->magic = KRB5_KDB_MAGIC_NUMBER;
kentry->len = KRB5_KDB_V1_BASE_LENGTH;
kentry->attributes = KRB5_KDB_DISALLOW_ALL_TIX;
if (princ == NULL) {
code = krb5_parse_name(context, KRB5_KDB_M_NAME, &kentry->princ);
} else {
code = krb5_copy_principal(context, princ, &kentry->princ);
}
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
now = time(NULL);
code = krb5_dbe_update_mod_princ_data(context, kentry, now, kentry->princ);
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
/* Return a dummy key */
kentry->n_key_data = 1;
kentry->key_data = calloc(1, sizeof(krb5_key_data));
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
key_data = &kentry->key_data[0];
key_data->key_data_ver = KRB5_KDB_V1_KEY_DATA_ARRAY;
key_data->key_data_kvno = 1;
key_data->key_data_type[0] = ENCTYPE_UNKNOWN;
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
*kentry_ptr = kentry;
return 0;
}
static krb5_error_code ks_create_principal(krb5_context context,
krb5_const_principal princ,
int attributes,
int max_life,
const char *password,
krb5_db_entry **kentry_ptr)
{
krb5_error_code code;
krb5_key_data *key_data;
krb5_timestamp now;
krb5_db_entry *kentry;
krb5_keyblock key;
krb5_data salt;
krb5_data pwd;
int enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
int sts = KRB5_KDB_SALTTYPE_SPECIAL;
if (princ == NULL) {
return KRB5_KDB_NOENTRY;
}
*kentry_ptr = NULL;
kentry = calloc(1, sizeof(krb5_db_entry));
if (kentry == NULL) {
return ENOMEM;
}
kentry->magic = KRB5_KDB_MAGIC_NUMBER;
kentry->len = KRB5_KDB_V1_BASE_LENGTH;
if (attributes > 0) {
kentry->attributes = attributes;
}
if (max_life > 0) {
kentry->max_life = max_life;
}
code = krb5_copy_principal(context, princ, &kentry->princ);
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
now = time(NULL);
code = krb5_dbe_update_mod_princ_data(context, kentry, now, kentry->princ);
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
code = mit_samba_generate_salt(&salt);
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
if (password != NULL) {
pwd.data = strdup(password);
pwd.length = strlen(password);
} else {
/* create a random password */
code = mit_samba_generate_random_password(&pwd);
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
}
code = krb5_c_string_to_key(context, enctype, &pwd, &salt, &key);
SAFE_FREE(pwd.data);
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
kentry->n_key_data = 1;
kentry->key_data = calloc(1, sizeof(krb5_key_data));
if (code != 0) {
krb5_db_free_principal(context, kentry);
return code;
}
key_data = &kentry->key_data[0];
key_data->key_data_ver = KRB5_KDB_V1_KEY_DATA_ARRAY;
key_data->key_data_kvno = 1;
key_data->key_data_type[0] = key.enctype;
key_data->key_data_length[0] = key.length;
key_data->key_data_contents[0] = key.contents;
key_data->key_data_type[1] = sts;
key_data->key_data_length[1] = salt.length;
key_data->key_data_contents[1] = (krb5_octet*)salt.data;
*kentry_ptr = kentry;
return 0;
}
static krb5_error_code ks_get_admin_principal(krb5_context context,
krb5_const_principal princ,
krb5_db_entry **kentry_ptr)
{
krb5_error_code code = EINVAL;
code = ks_create_principal(context,
princ,
KRB5_KDB_DISALLOW_TGT_BASED,
ADMIN_LIFETIME,
NULL,
kentry_ptr);
return code;
}
krb5_error_code kdb_samba_db_get_principal(krb5_context context,
krb5_const_principal princ,
unsigned int kflags,
krb5_db_entry **kentry)
{
struct mit_samba_context *mit_ctx;
krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
if (ks_is_master_key_principal(context, princ)) {
return ks_get_master_key_principal(context, princ, kentry);
}
/*
* Fake a kadmin/admin and kadmin/history principal so that kadmindd can
* start
*/
if (ks_is_kadmin_admin(context, princ) ||
ks_is_kadmin_history(context, princ)) {
return ks_get_admin_principal(context, princ, kentry);
}
code = ks_get_principal(context, princ, kflags, kentry);
/*
* This restricts the changepw account so it isn't able to request a
* service ticket. It also marks the principal as the changepw service.
*/
if (ks_is_kadmin_changepw(context, princ)) {
/* FIXME: shouldn't we also set KRB5_KDB_DISALLOW_TGT_BASED ?
* testing showed that setpw kpasswd command fails then on the
* server though... */
(*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE;
(*kentry)->max_life = CHANGEPW_LIFETIME;
}
return code;
}
krb5_error_code kdb_samba_db_put_principal(krb5_context context,
krb5_db_entry *entry,
char **db_args)
{
/* NOTE: deferred, samba does not allow the KDC to store
* principals for now. We should not return KRB5_KDB_DB_INUSE as this
* would result in confusing error messages after password changes. */
return 0;
}
krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
krb5_const_principal princ)
{
/* NOTE: deferred, samba does not allow the KDC to delete
* principals for now */
return KRB5_KDB_DB_INUSE;
}
krb5_error_code kdb_samba_db_iterate(krb5_context context,
char *match_entry,
int (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg,
krb5_flags iterflags)
{
struct mit_samba_context *mit_ctx;
krb5_db_entry *kentry = NULL;
krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
code = mit_samba_get_firstkey(mit_ctx, &kentry);
while (code == 0) {
code = (*func)(func_arg, kentry);
if (code != 0) {
break;
}
code = mit_samba_get_nextkey(mit_ctx, &kentry);
}
if (code == KRB5_KDB_NOENTRY) {
code = 0;
}
return code;
}
View Git Blame Copy Permalink