summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-09-10 10:39:45 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:38:03 -0500
commit1757f8355cc54dc4ff9a075787543ef7ebb1dd5e (patch)
tree5f28df480fe697f931f3d43b396d800d65bf5a68 /source4
parent869ae3b7a05a3840756bb92eaec93933eaa6cc2c (diff)
downloadsamba-1757f8355cc54dc4ff9a075787543ef7ebb1dd5e.tar.gz
samba-1757f8355cc54dc4ff9a075787543ef7ebb1dd5e.tar.bz2
samba-1757f8355cc54dc4ff9a075787543ef7ebb1dd5e.zip
r10145: Allow a variable length signature, so we can support signing with
other than arcfour-hmac-md5. Currently we still fail to verify other signatures however. Andrew Bartlett (This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/kerberos/kerberos_pac.c24
-rw-r--r--source4/librpc/idl/krb5pac.idl2
2 files changed, 8 insertions, 18 deletions
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 3294699070..df1a871f85 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -44,9 +44,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
Checksum cksum;
cksum.cksumtype = (CKSUMTYPE)sig->type;
- cksum.checksum.length = sizeof(sig->signature);
- cksum.checksum.data = sig->signature;
-
+ cksum.checksum.length = sig->signature.length;
+ cksum.checksum.data = sig->signature.data;
ret = krb5_crypto_init(context,
keyblock,
@@ -172,11 +171,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
}
if (krbtgt_keyblock) {
- DATA_BLOB service_checksum_blob
- = data_blob_const(srv_sig_ptr->signature, sizeof(srv_sig_ptr->signature));
-
ret = check_pac_checksum(mem_ctx,
- service_checksum_blob, &kdc_sig,
+ srv_sig_ptr->signature, &kdc_sig,
context, krbtgt_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
@@ -300,9 +296,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
}
sig->type = cksum.cksumtype;
- if (cksum.checksum.length == sizeof(sig->signature)) {
- memcpy(sig->signature, cksum.checksum.data, sizeof(sig->signature));
- }
+ sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);
free_Checksum(&cksum);
return 0;
@@ -319,7 +313,6 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
krb5_error_code ret;
DATA_BLOB zero_blob = data_blob(NULL, 0);
DATA_BLOB tmp_blob = data_blob(NULL, 0);
- DATA_BLOB service_checksum_blob;
struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
int i;
@@ -367,8 +360,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
}
/* But wipe out the actual signatures */
- ZERO_STRUCT(kdc_checksum->signature);
- ZERO_STRUCT(srv_checksum->signature);
+ memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
+ memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data,
(ndr_push_flags_fn_t)ndr_push_PAC_DATA);
@@ -382,11 +375,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum,
context, service_keyblock);
- service_checksum_blob
- = data_blob_const(srv_checksum->signature, sizeof(srv_checksum->signature));
-
/* Then sign Server checksum */
- ret = make_pac_checksum(mem_ctx, &service_checksum_blob, kdc_checksum, context, krbtgt_keyblock);
+ ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock);
if (ret) {
DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 7a975946d7..ff920b61bf 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -20,7 +20,7 @@ interface krb5pac
typedef [flag(NDR_PAHEX)] struct {
uint32 type;
- uint8 signature[16];
+ [flag(NDR_REMAINING)] DATA_BLOB signature;
} PAC_SIGNATURE_DATA;
typedef [gensize] struct {