author | Andrew Bartlett <abartlet@samba.org> | 2005-10-26 23:41:01 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:18 -0500 |
commit | 14a3abd5591a7c310bdd2638e5c06833dc2c8f92 (patch) | |
tree | 5c1036f7ece29289ec9d1ede93ceb5a254dbd978 /source4/auth/kerberos | |
parent | 22c912329601d141fdba7359eb6dcec7a84dae69 (diff) | |
r11314: Use a patch from lha to have the kerberos libs extract the PAC, rather
than doing ASN.1 parsing in Samba.
Also use the API function for getting a client from a ticket, rather
than just digging in the structure.
Andrew Bartlett
(This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r-- | source4/auth/kerberos/clikrb5.c | 112 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos-notes.txt | 14 |
2 files changed, 6 insertions, 120 deletions
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index 17a1e5f3d4..3cac97cdc6 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -159,118 +159,6 @@ } #endif -BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) -{ - DATA_BLOB pac_contents; - struct asn1_data data; - int data_type; - - if (!auth_data->length) { - return False; - } - - asn1_load(&data, *auth_data); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_CONTEXT(0)); - asn1_read_Integer(&data, &data_type); - - if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) { - DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type)); - asn1_free(&data); - return False; - } - - asn1_end_tag(&data); - asn1_start_tag(&data, ASN1_CONTEXT(1)); - asn1_read_OctetString(&data, &pac_contents); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_free(&data); - - *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length); - - data_blob_free(&pac_contents); - - return True; -} - - BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt) -{ - DATA_BLOB auth_data_wrapped; - BOOL got_auth_data_pac = False; - int i; - -#if defined(HAVE_KRB5_TKT_ENC_PART2) - if (tkt->enc_part2 && tkt->enc_part2->authorization_data && - tkt->enc_part2->authorization_data[0] && - tkt->enc_part2->authorization_data[0]->length) - { - for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) { - - if (tkt->enc_part2->authorization_data[i]->ad_type != - KRB5_AUTHDATA_IF_RELEVANT) { - DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", - tkt->enc_part2->authorization_data[i]->ad_type)); - continue; - } - - auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents, - tkt->enc_part2->authorization_data[i]->length); - - /* check if it is a PAC */ - got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); - data_blob_free(&auth_data_wrapped); - - if (!got_auth_data_pac) { - continue; - } - } - - return got_auth_data_pac; - } - -#else - if 
(tkt->ticket.authorization_data && - tkt->ticket.authorization_data->len) - { - for (i = 0; i < tkt->ticket.authorization_data->len; i++) { - - if (tkt->ticket.authorization_data->val[i].ad_type != - KRB5_AUTHDATA_IF_RELEVANT) { - DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", - tkt->ticket.authorization_data->val[i].ad_type)); - continue; - } - - auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data, - tkt->ticket.authorization_data->val[i].ad_data.length); - - /* check if it is a PAC */ - got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); - data_blob_free(&auth_data_wrapped); - - if (!got_auth_data_pac) { - continue; - } - } - - return got_auth_data_pac; - } -#endif - return False; -} - - krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt) -{ -#if defined(HAVE_KRB5_TKT_ENC_PART2) - return tkt->enc_part2->client; -#else - return tkt->client; -#endif -} - #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME) void krb5_free_unparsed_name(krb5_context context, char *val) { diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index a36bf556aa..83fb886c45 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -309,6 +309,12 @@ Samba makes extensive use of the principal manipulation functions in Heimdal, including the known structure behind krb_principal and krb5_realm (a char *). +Authz data extraction +--------------------- + +We use krb5_ticket_get_authorization_data_type(), and expect it to +return the correct authz data, even if wrapped in an AD-IFRELEVENT container. + KDC Extensions -------------- 
@@ -392,14 +398,6 @@ PAC Correctness We need to put the PAC into the TGT, not just the service ticket. -Authz data extraction ---------------------- - -We need to parse the authz data field correctly, and have a generic -rouitine to get at particular types of data, no matter their inclusion -in 'if relevent' or other stuctures. This should be a utlity function -we can use in both the client libs and KDC. - Forwarded tickets ----------------- |