diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 14 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 10 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 3 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 53 | ||||
-rw-r--r-- | source4/librpc/idl/krb5pac.idl | 2 | ||||
-rw-r--r-- | source4/torture/auth/pac.c | 39 |
6 files changed, 90 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 2b7c4ca2cc..e6049edc58 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -228,6 +228,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi NTSTATUS nt_status; gss_buffer_desc name_token; OM_uint32 maj_stat, min_stat; + const char *hostname = gensec_get_target_hostname(gensec_security); + + if (!hostname) { + DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n")); + return NT_STATUS_INVALID_PARAMETER; + } + if (is_ipaddress(hostname)) { + DEBUG(2, ("Cannot do GSSAPI to a IP address")); + return NT_STATUS_INVALID_PARAMETER; + } nt_status = gensec_gssapi_start(gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { @@ -238,7 +248,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", gensec_get_target_service(gensec_security), - gensec_get_target_hostname(gensec_security)); + hostname); name_token.length = strlen(name_token.value); maj_stat = gss_import_name (&min_stat, @@ -786,7 +796,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi /* decode and verify the pac */ nt_status = kerberos_decode_pac(mem_ctx, &logon_info, pac_blob, gensec_gssapi_state->smb_krb5_context, - keyblock); + NULL, keyblock); if (NT_STATUS_IS_OK(nt_status)) { union netr_Validation validation; diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 69dae1c8d9..168b6df364 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -138,8 +138,13 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security const char *hostname = gensec_get_target_hostname(gensec_security); if (!hostname) { DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n")); - return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_INVALID_PARAMETER; + } + if (is_ipaddress(hostname)) { + DEBUG(2, ("Cannot do GSSAPI to a IP address")); + return NT_STATUS_INVALID_PARAMETER; } + nt_status = gensec_krb5_start(gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { @@ -444,7 +449,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* decode and verify the pac */ nt_status = kerberos_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac, - gensec_krb5_state->smb_krb5_context, (gensec_krb5_state->keyblock)); + gensec_krb5_state->smb_krb5_context, + NULL, gensec_krb5_state->keyblock); /* IF we have the PAC - otherwise we need to get this * data from elsewere - local ldb, or (TODO) lookup of some diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index a7c370a1e5..c5b361df5e 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -131,7 +131,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, struct PAC_LOGON_INFO **logon_info_out, DATA_BLOB blob, struct smb_krb5_context *smb_krb5_context, - krb5_keyblock *keyblock); + krb5_keyblock *service_keyblock, + krb5_keyblock *krbtgt_keyblock); krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info *server_info, diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index b0844187e5..858f91045c 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -53,7 +53,8 @@ static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx, 0, &crypto); if (ret) { - DEBUG(0,("krb5_crypto_init() failed\n")); + DEBUG(0,("krb5_crypto_init() failed: %s\n", + smb_get_krb5_error_message(context, ret, mem_ctx))); return NT_STATUS_FOOBAR; } ret = krb5_verify_checksum(context, @@ -77,10 +78,11 @@ static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx, } NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, - struct PAC_LOGON_INFO **logon_info_out, - DATA_BLOB blob, - struct smb_krb5_context *smb_krb5_context, - krb5_keyblock *keyblock) + struct PAC_LOGON_INFO **logon_info_out, + DATA_BLOB blob, + struct smb_krb5_context *smb_krb5_context, + krb5_keyblock *krbtgt_keyblock, + krb5_keyblock *service_keyblock) { NTSTATUS status; struct PAC_SIGNATURE_DATA srv_sig; @@ -159,11 +161,26 @@ static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx, /* verify by service_key */ status = check_pac_checksum(mem_ctx, modified_pac_blob, &srv_sig, - smb_krb5_context->krb5_context, keyblock); - + smb_krb5_context->krb5_context, + service_keyblock); if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("PAC Decode: Failed to verify the service signature\n")); return status; } + + if (krbtgt_keyblock) { + DATA_BLOB service_checksum_blob + = data_blob(srv_sig_ptr->signature, sizeof(srv_sig_ptr->signature)); + + status = check_pac_checksum(mem_ctx, + service_checksum_blob, &kdc_sig, + smb_krb5_context->krb5_context, krbtgt_keyblock); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("PAC Decode: Failed to verify the krbtgt signature\n")); + return status; + } + } + DEBUG(0,("account_name: %s [%s]\n", logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string)); @@ -221,13 +238,13 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info *server_info, krb5_context context, krb5_keyblock *krbtgt_keyblock, - krb5_keyblock *server_keyblock, + krb5_keyblock *service_keyblock, DATA_BLOB *pac) { NTSTATUS nt_status; DATA_BLOB zero_blob = data_blob(NULL, 0); DATA_BLOB tmp_blob = data_blob(NULL, 0); - DATA_BLOB server_checksum_blob; + DATA_BLOB service_checksum_blob; krb5_error_code ret; struct PAC_DATA *pac_data = talloc(mem_ctx, struct PAC_DATA); struct netr_SamInfo3 *sam3; @@ -335,9 +352,9 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, return ret; } - ret = make_pac_checksum(mem_ctx, zero_blob, SRV_CHECKSUM, context, server_keyblock); + ret = make_pac_checksum(mem_ctx, zero_blob, SRV_CHECKSUM, context, service_keyblock); if (ret) { - DEBUG(2, ("making server PAC checksum failed: %s\n", + DEBUG(2, ("making service PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); talloc_free(pac_data); return ret; @@ -357,19 +374,13 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, /* Then sign the result of the previous push, where the sig was zero'ed out */ ret = make_pac_checksum(mem_ctx, tmp_blob, SRV_CHECKSUM, - context, server_keyblock); + context, service_keyblock); - /* Push the Server checksum out */ - nt_status = ndr_push_struct_blob(&server_checksum_blob, mem_ctx, SRV_CHECKSUM, - (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("PAC_SIGNATURE push failed: %s\n", nt_errstr(nt_status))); - talloc_free(pac_data); - return EINVAL; - } + service_checksum_blob + = data_blob(SRV_CHECKSUM->signature, sizeof(SRV_CHECKSUM->signature)); /* Then sign Server checksum */ - ret = make_pac_checksum(mem_ctx, server_checksum_blob, KDC_CHECKSUM, context, krbtgt_keyblock); + ret = make_pac_checksum(mem_ctx, service_checksum_blob, KDC_CHECKSUM, context, krbtgt_keyblock); if (ret) { DEBUG(2, ("making krbtgt PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl index 13a562a8f8..7a975946d7 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/source4/librpc/idl/krb5pac.idl @@ -18,7 +18,7 @@ interface krb5pac [flag(STR_SIZE2|STR_NOTERM|STR_BYTESIZE)] string account_name; } PAC_LOGON_NAME; - typedef [public,flag(NDR_PAHEX)] struct { + typedef [flag(NDR_PAHEX)] struct { uint32 type; uint8 signature[16]; } PAC_SIGNATURE_DATA; diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index ecf67a9014..ade68fcd77 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -26,6 +26,7 @@ #include "auth/auth.h" #include "auth/kerberos/kerberos.h" #include "librpc/gen_ndr/ndr_krb5pac.h" +#include "librpc/gen_ndr/ndr_samr.h" #ifdef HAVE_KRB5 @@ -105,15 +106,14 @@ static BOOL torture_pac_self_check(void) &server_keyblock, &tmp_blob); - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &krbtgt_keyblock); - if (ret) { DEBUG(1, ("PAC encoding failed: %s\n", smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); talloc_free(mem_ctx); return False; @@ -125,7 +125,11 @@ static BOOL torture_pac_self_check(void) nt_status = kerberos_decode_pac(mem_ctx, &pac_info, tmp_blob, smb_krb5_context, + &krbtgt_keyblock, &server_keyblock); + + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); if (ret) { @@ -196,7 +200,9 @@ static BOOL torture_pac_saved_check(void) struct PAC_LOGON_INFO *pac_info; struct PAC_DATA pac_data; krb5_keyblock server_keyblock; + krb5_keyblock krbtgt_keyblock; uint8_t server_bytes[16]; + struct samr_Password *krbtgt_bytes; krb5_error_code ret; @@ -209,6 +215,13 @@ static BOOL torture_pac_saved_check(void) return False; } + krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, "B286757148AF7FD252C53603A150B7E7"); + if (!krbtgt_bytes) { + DEBUG(0, ("Could not interpret krbtgt key")); + talloc_free(mem_ctx); + return False; + } + /* The machine trust account in use when the above PAC was generated. It used arcfour-hmac-md5, so this is easy */ E_md4hash("iqvwmii8CuEkyY", server_bytes); @@ -226,6 +239,21 @@ static BOOL torture_pac_saved_check(void) return False; } + ret = krb5_keyblock_init(smb_krb5_context->krb5_context, + ENCTYPE_ARCFOUR_HMAC, + krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash), + &krbtgt_keyblock); + if (ret) { + DEBUG(1, ("Server Keyblock encoding failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &server_keyblock); + talloc_free(mem_ctx); + return False; + } + tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac)); /*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), &tmp_blob.length);*/ @@ -236,10 +264,13 @@ static BOOL torture_pac_saved_check(void) nt_status = kerberos_decode_pac(mem_ctx, &pac_info, tmp_blob, smb_krb5_context, + &krbtgt_keyblock, &server_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &krbtgt_keyblock); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); - if (ret) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("PAC decoding failed: %s\n", nt_errstr(nt_status))); |