author | Andrew Bartlett <abartlet@samba.org> | 2005-09-10 10:39:45 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:38:03 -0500 |
commit | 1757f8355cc54dc4ff9a075787543ef7ebb1dd5e (patch) | |
tree | 5f28df480fe697f931f3d43b396d800d65bf5a68 /source4 | |
parent | 869ae3b7a05a3840756bb92eaec93933eaa6cc2c (diff) | |
r10145: Allow a variable-length signature, so we can support signing with
something other than arcfour-hmac-md5. Currently we still fail to verify other
signatures, however.
Andrew Bartlett
(This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 24 | ||||
-rw-r--r-- | source4/librpc/idl/krb5pac.idl | 2 |
2 files changed, 8 insertions, 18 deletions
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 3294699070..df1a871f85 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -44,9 +44,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 Checksum cksum;
 cksum.cksumtype = (CKSUMTYPE)sig->type;
- cksum.checksum.length = sizeof(sig->signature);
- cksum.checksum.data = sig->signature;
-
+ cksum.checksum.length = sig->signature.length;
+ cksum.checksum.data = sig->signature.data;
 ret = krb5_crypto_init(context, keyblock,
@@ -172,11 +171,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 if (krbtgt_keyblock) {
- DATA_BLOB service_checksum_blob
- = data_blob_const(srv_sig_ptr->signature, sizeof(srv_sig_ptr->signature));
-
 ret = check_pac_checksum(mem_ctx,
- service_checksum_blob, &kdc_sig,
+ srv_sig_ptr->signature, &kdc_sig,
 context, krbtgt_keyblock);
 if (ret) {
 DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
@@ -300,9 +296,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 sig->type = cksum.cksumtype;
- if (cksum.checksum.length == sizeof(sig->signature)) {
- memcpy(sig->signature, cksum.checksum.data, sizeof(sig->signature));
- }
+ sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);
 free_Checksum(&cksum);
 return 0;
@@ -319,7 +313,6 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 krb5_error_code ret;
 DATA_BLOB zero_blob = data_blob(NULL, 0);
 DATA_BLOB tmp_blob = data_blob(NULL, 0);
- DATA_BLOB service_checksum_blob;
 struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
 struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
 int i;
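Review bot: In the third hunk the result of `sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);` is never checked, so an allocation failure leaves sig->signature empty (presumably data NULL, length 0) while make_pac_checksum still returns 0 and the caller goes on as if the PAC had been signed. The removed code at least compared lengths, even though it silently skipped a mismatch rather than failing. Suggest, before the free_Checksum call: `if (cksum.checksum.length != 0 && sig->signature.data == NULL) { free_Checksum(&cksum); return ENOMEM; }`. make_pac_checksum begins outside the hunk, so the exact error convention it uses should be confirmed there.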
@@ -367,8 +360,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 /* But wipe out the actual signatures */
- ZERO_STRUCT(kdc_checksum->signature);
- ZERO_STRUCT(srv_checksum->signature);
+ memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
+ memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
 nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data, (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
@@ -382,11 +375,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum, context, service_keyblock);
- service_checksum_blob
- = data_blob_const(srv_checksum->signature, sizeof(srv_checksum->signature));
-
 /* Then sign Server checksum */
- ret = make_pac_checksum(mem_ctx, &service_checksum_blob, kdc_checksum, context, krbtgt_keyblock);
+ ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock);
 if (ret) {
 DEBUG(2, ("making krbtgt PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx)));
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 7a975946d7..ff920b61bf 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -20,7 +20,7 @@ interface krb5pac
 typedef [flag(NDR_PAHEX)] struct {
 uint32 type;
- uint8 signature[16];
+ [flag(NDR_REMAINING)] DATA_BLOB signature;
 } PAC_SIGNATURE_DATA;
 typedef [gensize] struct {
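Review bot: The two memset() calls added in the first hunk on this line assume kdc_checksum->signature and srv_checksum->signature already hold a writable buffer of the final checksum length; the old uint8[16] guaranteed that, a DATA_BLOB does not, and the initialisation happens before the hunk (the zero_blob declared earlier suggests they may start out empty). If the blob length at this push differs from the length make_pac_checksum later stores, the PAC bytes that were signed are not the bytes a verifier reconstructs by zeroing the signatures, and verification fails. memset() on a NULL data pointer is also undefined even with a zero length, so guard each call: `if (kdc_checksum->signature.data) memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);`. A comment above the calls stating the invariant — the signature blobs must already be sized for the checksum type before the PAC is pushed for signing — would make the dependency explicit; the enclosing function starts and ends outside this hunk.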
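Review bot: In the second hunk on this line the return value of the first call, `ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum, context, service_keyblock);`, is overwritten by the added second call without being checked, so a failed server checksum leaves srv_checksum->signature stale or empty and the KDC checksum is then computed over that. The commit does not introduce the missing check, but with the blob now variable length an empty srv_checksum->signature is a plausible input to the second call rather than sixteen stale bytes. Add after the first call, mirroring the existing failure branch: `if (ret) { DEBUG(2, ("making service PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); return ret; }` (using whatever the existing `if (ret)` block below returns, which is outside the hunk).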
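Review bot: The new `[flag(NDR_REMAINING)] DATA_BLOB signature;` field in the krb5pac.idl hunk deserves a comment recording the contract the C side now depends on: the blob's length is determined by the checksum type carried in `type`, and NDR_REMAINING means it must remain the last field of the structure. Suggested comment above the field: `/* length is fixed by the checksum type in 'type'; NDR_REMAINING means this must stay the last field */`.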