Line data Source code
1 : /* 2 : * Unix SMB/CIFS implementation. 3 : * 4 : * Copyright (c) 2015 Andreas Schneider <asn@samba.org> 5 : * 6 : * This program is free software; you can redistribute it and/or modify 7 : * it under the terms of the GNU General Public License as published by 8 : * the Free Software Foundation; either version 3 of the License, or 9 : * (at your option) any later version. 10 : * 11 : * This program is distributed in the hope that it will be useful, 12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 : * GNU General Public License for more details. 15 : * 16 : * You should have received a copy of the GNU General Public License 17 : * along with this program. If not, see <http://www.gnu.org/licenses/>. 18 : */ 19 : 20 : #include "includes.h" 21 : #include "system/kerberos.h" 22 : #include "source4/auth/kerberos/kerberos.h" 23 : #include "auth/kerberos/pac_utils.h" 24 : 25 : #include "librpc/gen_ndr/irpc.h" 26 : #include "lib/messaging/irpc.h" 27 : #include "source4/librpc/gen_ndr/ndr_irpc.h" 28 : #include "source4/librpc/gen_ndr/irpc.h" 29 : 30 : #include "librpc/gen_ndr/ndr_krb5pac.h" 31 : 32 : #include "source4/samba/process_model.h" 33 : #include "lib/param/param.h" 34 : 35 : #include "samba_kdc.h" 36 : #include "db-glue.h" 37 : #include "sdb.h" 38 : #include "mit_kdc_irpc.h" 39 : 40 : #undef DBGC_CLASS 41 : #define DBGC_CLASS DBGC_KERBEROS 42 : 43 : struct mit_kdc_irpc_context { 44 : struct task_server *task; 45 : krb5_context krb5_context; 46 : struct samba_kdc_db_context *db_ctx; 47 : }; 48 : 49 100 : static NTSTATUS netr_samlogon_generic_logon(struct irpc_message *msg, 50 : struct kdc_check_generic_kerberos *r) 51 : { 52 : struct PAC_Validate pac_validate; 53 : DATA_BLOB pac_chksum; 54 : struct PAC_SIGNATURE_DATA pac_kdc_sig; 55 : struct mit_kdc_irpc_context *mki_ctx = 56 100 : talloc_get_type(msg->private_data, 57 : struct mit_kdc_irpc_context); 58 : enum ndr_err_code ndr_err; 59 : int code; 60 : krb5_principal principal; 61 100 : struct sdb_entry sentry = {}; 62 : struct sdb_keys skeys; 63 : unsigned int i; 64 100 : const uint8_t *d = NULL; 65 : 66 : /* There is no reply to this request */ 67 100 : r->out.generic_reply = data_blob(NULL, 0); 68 : 69 : ndr_err = 70 100 : ndr_pull_struct_blob(&r->in.generic_request, 71 : msg, 72 : &pac_validate, 73 : (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate); 74 100 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { 75 0 : return NT_STATUS_INVALID_PARAMETER; 76 : } 77 : 78 100 : if (pac_validate.MessageType != NETLOGON_GENERIC_KRB5_PAC_VALIDATE) { 79 : /* 80 : * We don't implement any other message types - such as 81 : * certificate validation - yet 82 : */ 83 0 : return NT_STATUS_INVALID_PARAMETER; 84 : } 85 : 86 100 : if ((pac_validate.ChecksumAndSignature.length != 87 100 : (pac_validate.ChecksumLength + pac_validate.SignatureLength)) || 88 60 : (pac_validate.ChecksumAndSignature.length < 89 60 : pac_validate.ChecksumLength) || 90 60 : (pac_validate.ChecksumAndSignature.length < 91 60 : pac_validate.SignatureLength)) { 92 40 : return NT_STATUS_INVALID_PARAMETER; 93 : } 94 : 95 : /* PAC Checksum */ 96 60 : pac_chksum = data_blob_const(pac_validate.ChecksumAndSignature.data, 97 60 : pac_validate.ChecksumLength); 98 : 99 : /* Create the krbtgt principal */ 100 60 : code = smb_krb5_make_principal(mki_ctx->krb5_context, 101 : &principal, 102 60 : lpcfg_realm(mki_ctx->task->lp_ctx), 103 : "krbtgt", 104 60 : lpcfg_realm(mki_ctx->task->lp_ctx), 105 : NULL); 106 60 : if (code != 0) { 107 0 : DBG_ERR("Failed to create krbtgt@%s principal!\n", 108 : lpcfg_realm(mki_ctx->task->lp_ctx)); 109 0 : return NT_STATUS_NO_MEMORY; 110 : } 111 : 112 : /* Get the krbtgt from the DB */ 113 60 : code = samba_kdc_fetch(mki_ctx->krb5_context, 114 : mki_ctx->db_ctx, 115 : principal, 116 : SDB_F_GET_KRBTGT | SDB_F_DECRYPT, 117 : 0, 118 : &sentry); 119 60 : krb5_free_principal(mki_ctx->krb5_context, principal); 120 60 : if (code != 0) { 121 0 : DBG_ERR("Failed to fetch krbtgt@%s principal entry!\n", 122 : lpcfg_realm(mki_ctx->task->lp_ctx)); 123 0 : return NT_STATUS_LOGON_FAILURE; 124 : } 125 : 126 : /* PAC Signature */ 127 60 : pac_kdc_sig.type = pac_validate.SignatureType; 128 : 129 60 : d = &pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength]; 130 : pac_kdc_sig.signature = 131 60 : data_blob_const(d, pac_validate.SignatureLength); 132 : 133 : /* 134 : * Brute force variant because MIT KRB5 doesn't provide a function like 135 : * krb5_checksum_to_enctype(). 136 : */ 137 60 : skeys = sentry.keys; 138 : 139 60 : code = EINVAL; 140 148 : for (i = 0; i < skeys.len; i++) { 141 108 : krb5_keyblock krbtgt_keyblock = skeys.val[i].key; 142 : 143 108 : code = check_pac_checksum(pac_chksum, 144 : &pac_kdc_sig, 145 : mki_ctx->krb5_context, 146 : &krbtgt_keyblock); 147 108 : if (code == 0) { 148 20 : break; 149 : } 150 : } 151 : 152 60 : sdb_entry_free(&sentry); 153 : 154 60 : if (code != 0) { 155 40 : return NT_STATUS_LOGON_FAILURE; 156 : } 157 : 158 20 : return NT_STATUS_OK; 159 : } 160 : 161 17 : NTSTATUS samba_setup_mit_kdc_irpc(struct task_server *task) 162 : { 163 : struct samba_kdc_base_context base_ctx; 164 : struct mit_kdc_irpc_context *mki_ctx; 165 : NTSTATUS status; 166 : int code; 167 : 168 17 : mki_ctx = talloc_zero(task, struct mit_kdc_irpc_context); 169 17 : if (mki_ctx == NULL) { 170 0 : return NT_STATUS_NO_MEMORY; 171 : } 172 17 : mki_ctx->task = task; 173 : 174 17 : base_ctx.ev_ctx = task->event_ctx; 175 17 : base_ctx.lp_ctx = task->lp_ctx; 176 : 177 : /* db-glue.h */ 178 17 : status = samba_kdc_setup_db_ctx(mki_ctx, 179 : &base_ctx, 180 : &mki_ctx->db_ctx); 181 17 : if (!NT_STATUS_IS_OK(status)) { 182 0 : return status; 183 : } 184 : 185 17 : code = smb_krb5_init_context_basic(mki_ctx, 186 : task->lp_ctx, 187 : &mki_ctx->krb5_context); 188 17 : if (code != 0) { 189 0 : return NT_STATUS_INTERNAL_ERROR; 190 : } 191 : 192 17 : status = IRPC_REGISTER(task->msg_ctx, 193 : irpc, 194 : KDC_CHECK_GENERIC_KERBEROS, 195 : netr_samlogon_generic_logon, 196 : mki_ctx); 197 17 : if (!NT_STATUS_IS_OK(status)) { 198 0 : return status; 199 : } 200 : 201 17 : irpc_add_name(task->msg_ctx, "kdc_server"); 202 : 203 17 : return status; 204 : }