r7968: Pull the PAC from within GSSAPI, rather than only when using our own

'mock GSSAPI'. Many thanks to Luke Howard for the work he has done on Heimdal for XAD, to provide the right API hooks in GSSAPI. Next step is to verify the signatures, and to build the PAC for the KDC end. Andrew Bartlett (This used to be commit 2e82743c98e563e97c5a215d09efa0121854d0f7)
author: Andrew Bartlett <abartlet@samba.org> 2005-06-28 00:55:44 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:18:55 -0500
commit: f9861c9c5aee332545a9ea51683da28a87bdb10c (patch)
tree: a1f968db86fe5161eb5363b1b6321414ad9377ca /source4/auth/gensec/gensec_krb5.c
parent: 3433a464c2e46301a2ef51642577ef731a3ae1ce (diff)
download: samba-f9861c9c5aee332545a9ea51683da28a87bdb10c.tar.gz
samba-f9861c9c5aee332545a9ea51683da28a87bdb10c.tar.bz2
samba-f9861c9c5aee332545a9ea51683da28a87bdb10c.zip
1 files changed, 2 insertions, 182 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 348a75b535..6d3c105405 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -51,185 +51,6 @@ struct gensec_krb5_state {
 	char *peer_principal;
 };
 
-#ifdef KRB5_DO_VERIFY_PAC
-static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
-					 struct PAC_SIGNATURE_DATA *sig,
-					 struct gensec_krb5_state *gensec_krb5_state,
-					 uint32 keyusage)
-{
-	krb5_error_code ret;
-	krb5_crypto crypto;
-	Checksum cksum;
-	int i;
-
-	cksum.cksumtype		= (CKSUMTYPE)sig->type;
-	cksum.checksum.length	= sizeof(sig->signature);
-	cksum.checksum.data	= sig->signature;
-
-
-	ret = krb5_crypto_init(gensec_krb5_state->smb_krb5_context->krb5_context,
-				&gensec_krb5_state->keyblock,
-				0,
-				&crypto);
-	if (ret) {
-		DEBUG(0,("krb5_crypto_init() failed\n"));
-		return NT_STATUS_FOOBAR;
-	}
-	for (i=0; i < 40; i++) {
-		keyusage = i;
-		ret = krb5_verify_checksum(gensec_krb5_state->smb_krb5_context->krb5_context,
-					   crypto,
-					   keyusage,
-					   pac_data.data,
-					   pac_data.length,
-					   &cksum);
-		if (!ret) {
-			DEBUG(0,("PAC Verified: keyusage: %d\n", keyusage));
-			break;
-		}
-	}
-	krb5_crypto_destroy(gensec_krb5_state->smb_krb5_context->krb5_context, crypto);
-
-	if (ret) {
-		DEBUG(0,("NOT verifying PAC checksums yet!\n"));
-		//return NT_STATUS_LOGON_FAILURE;
-	} else {
-		DEBUG(0,("PAC checksums verified!\n"));
-	}
-
-	return NT_STATUS_OK;
-}
-#endif
-
-static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx,
-				struct PAC_LOGON_INFO **logon_info_out,
-				DATA_BLOB blob,
-				struct gensec_krb5_state *gensec_krb5_state)
-{
-	NTSTATUS status;
-	struct PAC_SIGNATURE_DATA srv_sig;
-	struct PAC_SIGNATURE_DATA *srv_sig_ptr;
-	struct PAC_SIGNATURE_DATA kdc_sig;
-	struct PAC_SIGNATURE_DATA *kdc_sig_ptr;
-	struct PAC_LOGON_INFO *logon_info = NULL;
-	struct PAC_DATA pac_data;
-#ifdef KRB5_DO_VERIFY_PAC
-	DATA_BLOB tmp_blob = data_blob(NULL, 0);
-#endif
-	int i;
-
-	status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
-					(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("can't parse the PAC\n"));
-		return status;
-	}
-	NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
-
-	if (pac_data.num_buffers < 3) {
-		/* we need logon_ingo, service_key and kdc_key */
-		DEBUG(0,("less than 3 PAC buffers\n"));
-		return NT_STATUS_FOOBAR;
-	}
-
-	for (i=0; i < pac_data.num_buffers; i++) {
-		switch (pac_data.buffers[i].type) {
-			case PAC_TYPE_LOGON_INFO:
-				if (!pac_data.buffers[i].info) {
-					break;
-				}
-				logon_info = &pac_data.buffers[i].info->logon_info;
-				break;
-			case PAC_TYPE_SRV_CHECKSUM:
-				if (!pac_data.buffers[i].info) {
-					break;
-				}
-				srv_sig_ptr = &pac_data.buffers[i].info->srv_cksum;
-				srv_sig = pac_data.buffers[i].info->srv_cksum;
-				break;
-			case PAC_TYPE_KDC_CHECKSUM:
-				if (!pac_data.buffers[i].info) {
-					break;
-				}
-				kdc_sig_ptr = &pac_data.buffers[i].info->kdc_cksum;
-				kdc_sig = pac_data.buffers[i].info->kdc_cksum;
-				break;
-			case PAC_TYPE_UNKNOWN_10:
-				break;
-			default:
-				break;
-		}
-	}
-
-	if (!logon_info) {
-		DEBUG(0,("PAC no logon_info\n"));
-		return NT_STATUS_FOOBAR;
-	}
-
-	if (!srv_sig_ptr) {
-		DEBUG(0,("PAC no srv_key\n"));
-		return NT_STATUS_FOOBAR;
-	}
-
-	if (!kdc_sig_ptr) {
-		DEBUG(0,("PAC no kdc_key\n"));
-		return NT_STATUS_FOOBAR;
-	}
-#ifdef KRB5_DO_VERIFY_PAC
-	/* clear the kdc_key */
-/*	memset((void *)kdc_sig_ptr , '\0', sizeof(*kdc_sig_ptr));*/
-
-	status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
-					      (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
-					(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("can't parse the PAC\n"));
-		return status;
-	}
-	/*NDR_PRINT_DEBUG(PAC_DATA, &pac_data);*/
-
-	/* verify by kdc_key */
-	status = gensec_krb5_pac_checksum(tmp_blob, &kdc_sig, gensec_krb5_state, 0);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	/* clear the service_key */
-/*	memset((void *)srv_sig_ptr , '\0', sizeof(*srv_sig_ptr));*/
-
-	status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
-					      (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
-					(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("can't parse the PAC\n"));
-		return status;
-	}
-	NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
-
-	/* verify by servie_key */
-	status = gensec_krb5_pac_checksum(tmp_blob, &srv_sig, gensec_krb5_state, 0);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-#endif
-	DEBUG(0,("account_name: %s [%s]\n",
-		 logon_info->info3.base.account_name.string, 
-		 logon_info->info3.base.full_name.string));
-	*logon_info_out = logon_info;
-
-	return status;
-}
-
 static int gensec_krb5_destory(void *ptr) 
 {
 	struct gensec_krb5_state *gensec_krb5_state = ptr;
@@ -263,7 +84,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 
 	gensec_security->private_data = gensec_krb5_state;
 
-	initialize_krb5_error_table();
 	gensec_krb5_state->auth_context = NULL;
 	gensec_krb5_state->ccache = NULL;
 	ZERO_STRUCT(gensec_krb5_state->ticket);
@@ -623,8 +443,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 	account_name = principal;
 
 	/* decode and verify the pac */
-	nt_status = gensec_krb5_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
-					   gensec_krb5_state);
+	nt_status = kerberos_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
+					gensec_krb5_state);
 
 	/* IF we have the PAC - otherwise we need to get this
 	 * data from elsewere - local ldb, or (TODO) lookup of some
author	Andrew Bartlett <abartlet@samba.org>	2005-06-28 00:55:44 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:18:55 -0500
commit	f9861c9c5aee332545a9ea51683da28a87bdb10c (patch)
tree	a1f968db86fe5161eb5363b1b6321414ad9377ca /source4/auth/gensec/gensec_krb5.c
parent	3433a464c2e46301a2ef51642577ef731a3ae1ce (diff)
download	samba-f9861c9c5aee332545a9ea51683da28a87bdb10c.tar.gz samba-f9861c9c5aee332545a9ea51683da28a87bdb10c.tar.bz2 samba-f9861c9c5aee332545a9ea51683da28a87bdb10c.zip