authorAndrew Bartlett <abartlet@samba.org>2011-04-20 17:37:45 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-04-26 10:06:58 +0200
commit0840d5bb8b84fd6221d64a1992708fd3a135e5b7 (patch)
treeacd6b0b64289d4af49d0daccb7f6b1ebb006b950
parentccb62947e9e25e2a00ae2bb0ba411671ee4a00e7 (diff)
libcli/auth Allow parsing of a PAC that is already verified.
By making the verification parameters optional, we can parse a PAC that is already verified. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Apr 26 10:06:59 CEST 2011 on sn-devel-104
-rw-r--r--libcli/auth/kerberos_pac.c94
1 files changed, 50 insertions, 44 deletions
diff --git a/libcli/auth/kerberos_pac.c b/libcli/auth/kerberos_pac.c
index 6a41eb1ace..79d51b2645 100644
--- a/libcli/auth/kerberos_pac.c
+++ b/libcli/auth/kerberos_pac.c
@@ -279,61 +279,67 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
return status;
}
- /* verify by service_key */
- ret = check_pac_checksum(mem_ctx,
- modified_pac_blob, srv_sig_ptr,
- context,
- service_keyblock);
- if (ret) {
- DEBUG(1, ("PAC Decode: Failed to verify the service "
- "signature: %s\n", error_message(ret)));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- if (krbtgt_keyblock) {
- /* verify the service key checksum by krbtgt_key */
+ if (service_keyblock) {
+ /* verify by service_key */
ret = check_pac_checksum(mem_ctx,
- srv_sig_ptr->signature, kdc_sig_ptr,
- context, krbtgt_keyblock);
+ modified_pac_blob, srv_sig_ptr,
+ context,
+ service_keyblock);
if (ret) {
- DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
- smb_get_krb5_error_message(context, ret, mem_ctx)));
+ DEBUG(1, ("PAC Decode: Failed to verify the service "
+ "signature: %s\n", error_message(ret)));
return NT_STATUS_ACCESS_DENIED;
}
- }
- /* Convert to NT time, so as not to loose accuracy in comparison */
- unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
-
- if (tgs_authtime_nttime != logon_name->logon_time) {
- DEBUG(2, ("PAC Decode: "
- "Logon time mismatch between ticket and PAC!\n"));
- DEBUG(2, ("PAC Decode: PAC: %s\n",
- nt_time_string(mem_ctx, logon_name->logon_time)));
- DEBUG(2, ("PAC Decode: Ticket: %s\n",
- nt_time_string(mem_ctx, tgs_authtime_nttime)));
- return NT_STATUS_ACCESS_DENIED;
+ if (krbtgt_keyblock) {
+ /* verify the service key checksum by krbtgt_key */
+ ret = check_pac_checksum(mem_ctx,
+ srv_sig_ptr->signature, kdc_sig_ptr,
+ context, krbtgt_keyblock);
+ if (ret) {
+ DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
}
- ret = smb_krb5_parse_name_norealm(context,
- logon_name->account_name,
- &client_principal_pac);
- if (ret) {
- DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
- logon_name->account_name, error_message(ret)));
- return NT_STATUS_INVALID_PARAMETER;
+ if (tgs_authtime) {
+ /* Convert to NT time, so as not to loose accuracy in comparison */
+ unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
+
+ if (tgs_authtime_nttime != logon_name->logon_time) {
+ DEBUG(2, ("PAC Decode: "
+ "Logon time mismatch between ticket and PAC!\n"));
+ DEBUG(2, ("PAC Decode: PAC: %s\n",
+ nt_time_string(mem_ctx, logon_name->logon_time)));
+ DEBUG(2, ("PAC Decode: Ticket: %s\n",
+ nt_time_string(mem_ctx, tgs_authtime_nttime)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
- bool_ret = smb_krb5_principal_compare_any_realm(context,
- client_principal,
- client_principal_pac);
+ if (client_principal) {
+ ret = smb_krb5_parse_name_norealm(context,
+ logon_name->account_name,
+ &client_principal_pac);
+ if (ret) {
+ DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
+ logon_name->account_name, error_message(ret)));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ bool_ret = smb_krb5_principal_compare_any_realm(context,
+ client_principal,
+ client_principal_pac);
- krb5_free_principal(context, client_principal_pac);
+ krb5_free_principal(context, client_principal_pac);
- if (!bool_ret) {
- DEBUG(2, ("Name in PAC [%s] does not match principal name "
- "in ticket\n", logon_name->account_name));
- return NT_STATUS_ACCESS_DENIED;
+ if (!bool_ret) {
+ DEBUG(2, ("Name in PAC [%s] does not match principal name "
+ "in ticket\n", logon_name->account_name));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
DEBUG(3,("Found account name from PAC: %s [%s]\n",