1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <strings.h>
31 #include <unistd.h>
32 #include <ctype.h>
33 #include <errno.h>
34 #include <syslog.h>
35 #include <netdb.h>
36 #include <sys/param.h>
37 #include <kerberosv5/krb5.h>
38 #include <kerberosv5/com_err.h>
39 
40 #include <smbsrv/libsmb.h>
41 #include <smbns_krb.h>
42 
/*
 * Service principal name prefixes, indexed by smb_krb5_spn_idx_t:
 * smb_krb5_get_spn() selects an entry with the idx it is given and
 * SMBKRB5_SPN_IDX_HOST names the "host/" entry.
 */
static char *spn_prefix[] = {
	"host/",
	"nfs/",
	"HTTP/",
	"root/"
};
44 
45 static int smb_krb5_open_wrfile(krb5_context ctx, char *fname,
46     krb5_keytab *kt);
47 static int smb_krb5_ktadd(krb5_context ctx, krb5_keytab kt,
48     const krb5_principal princ, krb5_enctype enctype, krb5_kvno kvno,
49     const char *pw);
50 
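/*
 * smb_krb5_get_spn
 *
 * Gets Service Principal Name: the prefix selected by idx from
 * spn_prefix[] (for example "host/") followed by fqhost, which is
 * appended verbatim.
 *
 * Parameters:
 *   idx    - which prefix to use; must be in [0, SMBKRB5_SPN_IDX_MAX).
 *   fqhost - fully-qualified hostname.
 * Returns a newly allocated string, or NULL if fqhost is NULL, idx is
 * out of range, or allocation fails.
 * Caller must free the memory allocated for the spn.
 */
char *
smb_krb5_get_spn(smb_krb5_spn_idx_t idx, char *fqhost)
{
	const char *prefix;
	char *princ;
	size_t len;

	if (fqhost == NULL)
		return (NULL);

	/* Bounds-check before indexing spn_prefix[]. */
	if ((idx < 0) || (idx >= SMBKRB5_SPN_IDX_MAX))
		return (NULL);

	prefix = spn_prefix[idx];
	len = strlen(prefix) + strlen(fqhost) + 1;	/* +1 for the NUL */
	if ((princ = malloc(len)) == NULL)
		return (NULL);

	(void) snprintf(princ, len, "%s%s", prefix, fqhost);
	return (princ);
}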
80 
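/*
 * smb_krb5_get_upn
 *
 * Gets User Principal Name: "<spn>@<REALM>", where the realm is the
 * given domain converted to upper case with smb_strupr().
 *
 * Parameters:
 *   spn    - service principal name, e.g. from smb_krb5_get_spn().
 *   domain - domain name; it is upper-cased on a private copy, the
 *            caller's string is not modified.
 * Returns a newly allocated string, or NULL if either argument is NULL
 * or allocation fails.
 * Caller must free the memory allocated for the upn.
 */
char *
smb_krb5_get_upn(char *spn, char *domain)
{
	char *realm;
	char *upn;
	size_t len;

	if (spn == NULL || domain == NULL)
		return (NULL);

	/* Work on a copy so the caller's domain string is left untouched. */
	if ((realm = strdup(domain)) == NULL)
		return (NULL);

	(void) smb_strupr(realm);

	len = strlen(spn) + 1 + strlen(realm) + 1;	/* '@' and the NUL */
	if ((upn = malloc(len)) == NULL) {
		free(realm);
		return (NULL);
	}

	(void) snprintf(upn, len, "%s@%s", spn, realm);
	free(realm);

	return (upn);
}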
115 
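/*
 * smb_krb5_get_host_upn
 *
 * Derives the host UPN "host/<fqhn>@<REALM>" from the given
 * fully-qualified hostname.  The realm is everything after the first
 * '.' in fqhn, converted to upper case; fqhn itself is used verbatim.
 *
 * Returns a newly allocated string, or NULL if fqhn is NULL, contains
 * no '.', or allocation fails.
 * Caller must free the memory allocated for the upn.
 */
static char *
smb_krb5_get_host_upn(const char *fqhn)
{
	const char *prefix = spn_prefix[SMBKRB5_SPN_IDX_HOST];
	const char *dom;
	char *realm;
	char *upn;
	size_t len;

	if (fqhn == NULL)
		return (NULL);

	/* The realm is taken from the domain part of the hostname. */
	if ((dom = strchr(fqhn, '.')) == NULL)
		return (NULL);

	if ((realm = strdup(dom + 1)) == NULL)
		return (NULL);

	(void) smb_strupr(realm);

	/* prefix + fqhn + '@' + realm + NUL */
	len = strlen(prefix) + strlen(fqhn) + 1 + strlen(realm) + 1;
	if ((upn = malloc(len)) == NULL) {
		free(realm);
		return (NULL);
	}

	(void) snprintf(upn, len, "%s%s@%s", prefix, fqhn, realm);

	free(realm);
	return (upn);
}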
151 
/*
 * smb_krb5_ctx_init
 *
 * Initialize the kerberos context with krb5_init_context().
 * Return 0 on success. Otherwise, return -1.
 */
int
smb_krb5_ctx_init(krb5_context *ctx)
{
	krb5_error_code code = krb5_init_context(ctx);

	return (code == 0 ? 0 : -1);
}
166 
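/*
 * smb_krb5_get_principals
 *
 * Setup the krb5_principal array given the principals in string format:
 * for every index in [0, SMBKRB5_SPN_IDX_MAX) the UPN
 * "<prefix><host>.<domain>@<DOMAIN>" is built (smb_krb5_get_spn() and
 * smb_krb5_get_upn()) and parsed into krb5princs[i].  krb5princs must
 * have room for SMBKRB5_SPN_IDX_MAX entries.
 *
 * Parameters:
 *   domain     - fully-qualified domain name in lower case.
 *   ctx        - initialized kerberos context.
 *   krb5princs - output array.  On success the caller releases it with
 *                smb_krb5_free_principals(ctx, krb5princs,
 *                SMBKRB5_SPN_IDX_MAX); on failure every entry parsed so
 *                far has already been released.
 * Return 0 on success. Otherwise, return -1.
 */
int
smb_krb5_get_principals(char *domain, krb5_context ctx,
    krb5_principal *krb5princs)
{
	char hostname[MAXHOSTNAMELEN];
	char fqhn[MAXHOSTNAMELEN];
	char *spn, *upn;
	int i, n;

	if (domain == NULL)
		return (-1);

	/*
	 * To comply with RFC 4120 section 6.2.1, the fully-qualified hostname
	 * must be set to lower case: SMB_CASE_LOWER handles the host part and
	 * domain is expected to be lower case already.
	 */
	if (smb_gethostname(hostname, MAXHOSTNAMELEN, SMB_CASE_LOWER) != 0)
		return (-1);

	/*
	 * Format into a separate buffer: passing the destination to
	 * snprintf() as a source argument as well is undefined behavior.
	 * A truncated name would identify the wrong host, so reject it.
	 */
	n = snprintf(fqhn, sizeof (fqhn), "%s.%s", hostname, domain);
	if (n < 0 || (size_t)n >= sizeof (fqhn))
		return (-1);

	for (i = 0; i < SMBKRB5_SPN_IDX_MAX; i++) {
		/*
		 * On any failure entries 0..i-1 are the ones successfully
		 * parsed, so exactly i of them are released (i - 1 would
		 * leak one and, at i == 0, wrap to SIZE_MAX).
		 */
		if ((spn = smb_krb5_get_spn(i, fqhn)) == NULL) {
			smb_krb5_free_principals(ctx, krb5princs, i);
			return (-1);
		}

		upn = smb_krb5_get_upn(spn, domain);
		free(spn);
		if (upn == NULL) {
			smb_krb5_free_principals(ctx, krb5princs, i);
			return (-1);
		}

		if (krb5_parse_name(ctx, upn, &krb5princs[i]) != 0) {
			free(upn);
			smb_krb5_free_principals(ctx, krb5princs, i);
			return (-1);
		}
		free(upn);
	}
	return (0);
}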
211 
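/*
 * smb_krb5_free_principals
 *
 * Release the first num entries of krb5princs with krb5_free_principal().
 * num must not exceed the number of entries that were actually parsed;
 * a NULL krb5princs is ignored.
 */
void
smb_krb5_free_principals(krb5_context ctx, krb5_principal *krb5princs,
    size_t num)
{
	size_t i;

	if (krb5princs == NULL)
		return;

	/* size_t index: avoids the signed/unsigned comparison with num. */
	for (i = 0; i < num; i++)
		krb5_free_principal(ctx, krb5princs[i]);
}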
221 
/*
 * smb_krb5_ctx_fini
 *
 * Free the kerberos context obtained from smb_krb5_ctx_init(); ctx must
 * not be used afterwards.
 */
void
smb_krb5_ctx_fini(krb5_context ctx)
{
	krb5_free_context(ctx);
}
232 
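/*
 * smb_krb5_setpwd
 *
 * Set the workstation trust account password for princ to passwd, using
 * the credentials in the default credential cache (krb5_cc_default()).
 *
 * Parameters:
 *   ctx    - initialized kerberos context.
 *   princ  - principal whose password is being set.
 *   passwd - the new password.
 * Returns 0 on success.  Otherwise, returns a non-zero value: -1 if no
 * default ccache could be opened, else the error code returned by
 * krb5_set_password_using_ccache().
 */
int
smb_krb5_setpwd(krb5_context ctx, krb5_principal princ, char *passwd)
{
	krb5_error_code code;
	krb5_ccache cc = NULL;
	/*
	 * Initialized so the log below never reads an indeterminate value
	 * when the call fails before filling in the result.
	 */
	int result_code = 0;
	krb5_data result_code_string;
	krb5_data result_string;

	(void) memset(&result_code_string, 0, sizeof (result_code_string));
	(void) memset(&result_string, 0, sizeof (result_string));

	if ((code = krb5_cc_default(ctx, &cc)) != 0) {
		syslog(LOG_ERR, "smb_krb5_setpwd: failed to find a ccache\n");
		return (-1);
	}

	code = krb5_set_password_using_ccache(ctx, cc, passwd, princ,
	    &result_code, &result_code_string, &result_string);

	(void) krb5_cc_close(ctx, cc);

	if (code != 0) {
		/*
		 * The result strings are length-counted krb5_data, so each
		 * is printed with an explicit precision.  %.*s requires an
		 * int precision and neither length is an int, so cast.
		 */
		const char *rcs = "success";
		int rcs_len = (int)strlen("success");

		if (result_code != 0) {
			rcs = (result_code_string.data != NULL) ?
			    result_code_string.data : "";
			rcs_len = (int)result_code_string.length;
		}

		syslog(LOG_ERR, "smb_krb5_setpwd: Result: %.*s (%d) %.*s\n",
		    rcs_len, rcs, result_code, (int)result_string.length,
		    (result_string.data != NULL) ? result_string.data : "");
	}

	free(result_code_string.data);
	free(result_string.data);
	return (code);
}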
272 
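/*
 * smb_krb5_open_wrfile
 *
 * Open the keytab file for writing by resolving "WRFILE:<fname>".
 * On success *kt is the resolved keytab, which should be closed by
 * calling krb5_kt_close().  *kt is set to NULL on entry; on failure it
 * must not be used.
 * Returns 0 on success. Otherwise, returns -1.
 *
 * NOTE(review): the log messages below name smb_krb5_write_keytab rather
 * than this function; they are kept as-is.
 */
static int
smb_krb5_open_wrfile(krb5_context ctx, char *fname, krb5_keytab *kt)
{
	char *ktname;
	size_t len;
	int n;
	int rc = -1;

	*kt = NULL;

	/* Size the buffer from the formatted length; a negative n is an error. */
	n = snprintf(NULL, 0, "WRFILE:%s", fname);
	if (n < 0)
		return (-1);
	len = (size_t)n + 1;

	if ((ktname = malloc(len)) == NULL) {
		syslog(LOG_ERR, "smb_krb5_write_keytab: resource shortage");
		return (-1);
	}

	(void) snprintf(ktname, len, "WRFILE:%s", fname);

	if (krb5_kt_resolve(ctx, ktname, kt) != 0) {
		syslog(LOG_ERR, "smb_krb5_write_keytab: failed to open/create "
		    "keytab %s\n", fname);
	} else {
		rc = 0;
	}

	free(ktname);
	return (rc);
}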
304 
/*
 * smb_krb5_add_keytab_entries
 *
 * Update the keys for the specified principals in the keytab: for each
 * of the SMBKRB5_SPN_IDX_MAX principals in princs and each of the
 * enctype_count enctypes, smb_krb5_ktadd() derives a key from passwd and
 * stores it with the given kvno.  The keytab is closed on every path.
 * Returns 0 on success.  Otherwise, returns -1.
 */
int
smb_krb5_add_keytab_entries(krb5_context ctx, krb5_principal *princs,
    char *fname, krb5_kvno kvno, char *passwd, krb5_enctype *enctypes,
    int enctype_count)
{
	krb5_keytab kt = NULL;
	int pidx, eidx;
	int rc = -1;

	if (smb_krb5_open_wrfile(ctx, fname, &kt) != 0)
		return (-1);

	for (pidx = 0; pidx < SMBKRB5_SPN_IDX_MAX; pidx++) {
		for (eidx = 0; eidx < enctype_count; eidx++) {
			if (smb_krb5_ktadd(ctx, kt, princs[pidx],
			    enctypes[eidx], kvno, passwd) != 0)
				goto out;
		}
	}
	rc = 0;

out:
	/* Single exit so the keytab is always closed. */
	(void) krb5_kt_close(ctx, kt);
	return (rc);
}
335 
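/*
 * smb_krb5_find_keytab_entries
 *
 * Check whether the keytab file fname holds an entry for the host
 * principal "host/<fqhn>@<REALM>" built by smb_krb5_get_host_upn().
 *
 * Parameters:
 *   fqhn  - fully-qualified hostname; the realm is derived from its
 *           domain part.
 *   fname - path of the keytab, resolved as "FILE:<fname>".
 * Returns B_TRUE if such an entry exists, B_FALSE if not or on any error
 * (NULL argument, over-long path, context or parse failure).
 */
boolean_t
smb_krb5_find_keytab_entries(const char *fqhn, char *fname)
{
	krb5_context ctx;
	krb5_keytab kt = NULL;
	krb5_keytab_entry entry;
	krb5_principal princ;
	char ktname[MAXPATHLEN];
	char *upn;
	int n;
	boolean_t found = B_FALSE;

	if (fqhn == NULL || fname == NULL)
		return (B_FALSE);

	/*
	 * Build the keytab name first: a truncated path would name a
	 * different file, so treat truncation as "not found".
	 */
	n = snprintf(ktname, sizeof (ktname), "FILE:%s", fname);
	if (n < 0 || (size_t)n >= sizeof (ktname))
		return (B_FALSE);

	if ((upn = smb_krb5_get_host_upn(fqhn)) == NULL)
		return (B_FALSE);

	if (smb_krb5_ctx_init(&ctx) != 0) {
		free(upn);
		return (B_FALSE);
	}

	if (krb5_parse_name(ctx, upn, &princ) != 0) {
		free(upn);
		smb_krb5_ctx_fini(ctx);
		return (B_FALSE);
	}
	free(upn);

	if (krb5_kt_resolve(ctx, ktname, &kt) == 0) {
		/*
		 * kvno 0 and enctype 0 are wildcards in the MIT krb5 API
		 * (highest kvno, any enctype), so any key for princ matches.
		 */
		if (krb5_kt_get_entry(ctx, kt, princ, 0, 0, &entry) == 0) {
			found = B_TRUE;
			(void) krb5_kt_free_entry(ctx, &entry);
		}

		(void) krb5_kt_close(ctx, kt);
	}

	krb5_free_principal(ctx, princ);
	smb_krb5_ctx_fini(ctx);
	return (found);
}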
379 
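/*
 * smb_krb5_ktadd
 *
 * Add a Kerberos key to the keytab file: derive the key for princ from
 * pw with enctype, salted by krb5_principal2salt(), and store it in kt
 * as an entry with version kvno.  The derived key material is released
 * with krb5_free_keyblock_contents() before returning, whether or not
 * the add succeeded.
 *
 * Parameters:
 *   ctx     - initialized kerberos context.
 *   kt      - keytab opened for writing (smb_krb5_open_wrfile()).
 *   princ   - principal the entry is for; referenced, not copied.
 *   enctype - encryption type; rejected if krb5_enctype_to_string()
 *             does not recognize it.
 *   kvno    - key version number stored in the entry.
 *   pw      - password the key is derived from.
 * Returns 0 on success. Otherwise, returns -1.
 */
static int
smb_krb5_ktadd(krb5_context ctx, krb5_keytab kt, const krb5_principal princ,
	krb5_enctype enctype, krb5_kvno kvno, const char *pw)
{
	krb5_keytab_entry entry;
	krb5_data password, salt;
	krb5_keyblock key;
	krb5_error_code code;
	char buf[100];
	int rc = 0;

	if (pw == NULL) {
		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: no password", enctype);
		return (-1);
	}

	/* Only the lookup's success matters; the name in buf is not used. */
	if (krb5_enctype_to_string(enctype, buf, sizeof (buf)) != 0) {
		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: unknown enctype",
		    enctype);
		return (-1);
	}

	/* krb5_data carries a non-const pointer; the password is only read. */
	password.length = strlen(pw);
	password.data = (char *)pw;

	if (krb5_principal2salt(ctx, princ, &salt) != 0) {
		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: failed to compute salt",
		    enctype);
		return (-1);
	}

	code = krb5_c_string_to_key(ctx, enctype, &password, &salt, &key);
	krb5_xfree(salt.data);
	if (code != 0) {
		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: failed to generate key",
		    enctype);
		return (-1);
	}

	/*
	 * The entry lives on the stack and only refers to key and princ;
	 * it is never handed to krb5_kt_free_entry(), so the key is
	 * released exactly once, below.
	 */
	(void) memset(&entry, 0, sizeof (entry));
	entry.key = key;
	entry.vno = kvno;
	entry.principal = princ;

	if ((code = krb5_kt_add_entry(ctx, kt, &entry)) != 0) {
		syslog(LOG_ERR, "smb_krb5_ktadd[%d] failed to add entry to "
		    "keytab (%d)", enctype, (int)code);
		rc = -1;
	}

	/* Release the key material on both the success and failure paths. */
	if (key.length != 0)
		krb5_free_keyblock_contents(ctx, &key);
	return (rc);
}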
445