-rw-r--r-- | auth/kerberos/gssapi_pac.c | 1 | ||||
-rw-r--r-- | auth/kerberos/kerberos_pac.c | 37 | ||||
-rw-r--r-- | auth/kerberos/pac_utils.h | 50 | ||||
-rwxr-xr-x[-rw-r--r--] | auth/kerberos/wscript_build | 1 | ||||
-rw-r--r-- | libcli/auth/krb5_wrap.c | 49 | ||||
-rw-r--r-- | libcli/auth/krb5_wrap.h | 32 | ||||
-rw-r--r-- | source3/auth/auth_generic.c | 2 | ||||
-rw-r--r-- | source3/include/smb_krb5.h | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 1 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 1 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 1 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 1 | ||||
-rw-r--r-- | source4/torture/auth/pac.c | 1 |
13 files changed, 85 insertions, 93 deletions
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 07c7c94205..05065b2725 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -22,6 +22,7 @@
 #ifdef HAVE_KRB5
 #include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #if 0 /* FIXME - need proper configure/waf test
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 5155c9fd28..eacf39d321 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -26,7 +26,7 @@
 #ifdef HAVE_KRB5
 #include "librpc/gen_ndr/ndr_krb5pac.h"
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 struct PAC_SIGNATURE_DATA *sig,
@@ -36,8 +36,18 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 krb5_error_code ret;
 krb5_checksum cksum;
 krb5_keyusage usage = 0;
-
- smb_krb5_checksum_from_pac_sig(&cksum, sig);
+ krb5_boolean checksum_valid = false;
+ krb5_data input;
+
+#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ cksum.cksumtype = (krb5_cksumtype)sig->type;
+ cksum.checksum.length = sig->signature.length;
+ cksum.checksum.data = sig->signature.data;
+#else /* MIT */
+ cksum.checksum_type = (krb5_cksumtype)sig->type;
+ cksum.length = sig->signature.length;
+ cksum.contents = sig->signature.data;
+#endif
 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
 usage = KRB5_KU_OTHER_CKSUM;
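Review bot: `krb5_checksum cksum;` is only partly populated by the added Heimdal/MIT branches (checksum type, length and data pointer); if the library's struct has further members — MIT's krb5_checksum carries a leading magic field, as far as I recall — they reach krb5_c_verify_checksum uninitialized, exactly as the removed helper left them. `krb5_checksum cksum = {0};` closes that for both libraries at no cost. The new `krb5_boolean checksum_valid = false;` also deserves a one-line comment, e.g. `/* pre-set so a library error that leaves this untouched still rejects the PAC */`, since that initialisation is what keeps the verification fail-closed. check_pac_checksum starts before this hunk and continues in the next one.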
@@ -47,14 +57,19 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 #error UNKNOWN_KRB5_KEYUSAGE
 #endif
- ret = smb_krb5_verify_checksum(context,
- keyblock,
- usage,
- &cksum,
- pac_data.data,
- pac_data.length);
-
- if (ret) {
+ input.data = (char *)pac_data.data;
+ input.length = pac_data.length;
+
+ ret = krb5_c_verify_checksum(context,
+ keyblock,
+ usage,
+ &input,
+ &cksum,
+ &checksum_valid);
+ if (!checksum_valid) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+ if (ret){
 DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
 error_message(ret), ret));
 return ret;
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
new file mode 100644
index 0000000000..9fe08de834
--- /dev/null
+++ b/auth/kerberos/pac_utils.h
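Review bot: Because `checksum_valid` is pre-set to false and `if (!checksum_valid) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; }` runs unconditionally, any error krb5_c_verify_checksum returns on its own (unsupported checksum type, key/enctype mismatch, allocation failure) is overwritten before the DEBUG line, so the log will always report a bad-integrity failure. The smb_krb5_verify_checksum helper this commit removes from libcli/auth/krb5_wrap.c returned the library error first and only mapped a clean-but-mismatching result to KRB5KRB_AP_ERR_BAD_INTEGRITY; keeping that order costs one condition, `if (ret == 0 && !checksum_valid) {`. Either way the call fails closed, which is the property that matters for a PAC signature check, so this is about diagnostics rather than a bypass. check_pac_checksum begins before this hunk and its closing lines lie after it.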
@@ -0,0 +1,50 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos authorization data (PAC) utility library
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
+ Copyright (C) Simo Sorce 2010-2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _PAC_UTILS_H
+#define _PAC_UTILS_H
+
+#include "libcli/auth/krb5_wrap.h"
+struct PAC_SIGNATURE_DATA;
+struct PAC_DATA;
+
+krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ struct PAC_SIGNATURE_DATA *sig,
+ krb5_context context,
+ const krb5_keyblock *keyblock);
+
+NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ DATA_BLOB pac_data_blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_DATA **pac_data_out);
+
+NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
+ gss_ctx_id_t gssapi_context,
+ gss_name_t gss_client_name,
+ DATA_BLOB *pac_data);
+NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
+ gss_ctx_id_t gssapi_context,
+ DATA_BLOB *session_key,
+ uint32_t *keytype);
+#endif /* _PAC_UTILS_H */
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build
index 2421b1654f..f49cc517ba 100644..100755
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
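Review bot: None of the four prototypes in the new header carries a comment, and check_pac_checksum is the one whose contract callers most need, since its return value is a security decision. I would put a block comment above its declaration saying that it verifies the PAC signature sig over pac_data with keyblock, returns 0 only when the checksum verifies and otherwise a krb5 error code (KRB5KRB_AP_ERR_BAD_INTEGRITY on mismatch), and that callers must treat any non-zero result as an unverified PAC — that is the behaviour visible in the kerberos_pac.c hunk of this commit. Two smaller points: `_PAC_UTILS_H` is a reserved identifier (leading underscore followed by an uppercase letter), though it follows the project's existing guard convention, and the header relies on `libcli/auth/krb5_wrap.h` to bring in DATA_BLOB, NTSTATUS, TALLOC_CTX and the gss_* types, which I cannot confirm from this diff.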
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
 source='gssapi_pac.c kerberos_pac.c',
 deps='gssapi_krb5 krb5 ndr-krb5pac com_err')
diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c
index c16b35dcee..2f877e7f0a 100644
--- a/libcli/auth/krb5_wrap.c
+++ b/libcli/auth/krb5_wrap.c
@@ -186,55 +186,6 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 return krb5_principal_compare_any_realm(context, princ1, princ2);
 }
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
- struct PAC_SIGNATURE_DATA *sig)
-{
-#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
- cksum->cksumtype = (krb5_cksumtype)sig->type;
- cksum->checksum.length = sig->signature.length;
- cksum->checksum.data = sig->signature.data;
-#else
- cksum->checksum_type = (krb5_cksumtype)sig->type;
- cksum->length = sig->signature.length;
- cksum->contents = sig->signature.data;
-#endif
-}
-
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- krb5_checksum *cksum,
- uint8_t *data,
- size_t length)
-{
- krb5_error_code ret;
-
- /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
-
- krb5_boolean checksum_valid = false;
- krb5_data input;
-
- input.data = (char *)data;
- input.length = length;
-
- ret = krb5_c_verify_checksum(context,
- keyblock,
- usage,
- &input,
- cksum,
- &checksum_valid);
- if (ret) {
- DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
- error_message(ret)));
- return ret;
- }
-
- if (!checksum_valid)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-
- return ret;
-}
-
 char *gssapi_error_string(TALLOC_CTX *mem_ctx, OM_uint32 maj_stat,
 OM_uint32 min_stat,
 const gss_OID mech)
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
index 8723d2ddaa..4c0ef93e4c 100644
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
@@ -21,8 +21,6 @@
 */
 #include "system/kerberos.h"
-struct PAC_SIGNATURE_DATA;
-struct PAC_DATA;
 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
 #define KRB5_KEY_TYPE(k) ((k)->keytype)
@@ -57,38 +55,8 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 bool smb_krb5_principal_compare_any_realm(krb5_context context,
 krb5_const_principal princ1,
 krb5_const_principal princ2);
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
- struct PAC_SIGNATURE_DATA *sig);
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- krb5_checksum *cksum,
- uint8_t *data,
- size_t length);
 char *gssapi_error_string(TALLOC_CTX *mem_ctx, OM_uint32 maj_stat,
 OM_uint32 min_stat,
 const gss_OID mech);
 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
-krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
- struct PAC_SIGNATURE_DATA *sig,
- krb5_context context,
- const krb5_keyblock *keyblock);
-
-NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
- DATA_BLOB pac_data_blob,
- krb5_context context,
- const krb5_keyblock *krbtgt_keyblock,
- const krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_DATA **pac_data_out);
-
-NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
- gss_ctx_id_t gssapi_context,
- gss_name_t gss_client_name,
- DATA_BLOB *pac_data);
-NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
- gss_ctx_id_t gssapi_context,
- DATA_BLOB *session_key,
- uint32_t *keytype);
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index c37672620f..9b9e96e89b 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -27,7 +27,7 @@
 #include "auth/gensec/gensec.h"
 #include "lib/param/param.h"
 #ifdef HAVE_KRB5
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #endif
 #include "librpc/crypto/gse.h"
 #include "auth/credentials/credentials.h"
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
index 152652512d..88e91e1670 100644
--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@@ -35,6 +35,7 @@
 #endif
 #include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #ifndef KRB5_ADDR_NETBIOS
 #define KRB5_ADDR_NETBIOS 0x14
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c6d4fb5fd5..7de15c8673 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -42,6 +42,7 @@
 #include <gssapi/gssapi_spnego.h>
 #include "gensec_gssapi.h"
 #include "lib/util/util_net.h"
+#include "auth/kerberos/pac_utils.h"
 _PUBLIC_ NTSTATUS gensec_gssapi_init(void);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index ca933f5b0f..8dde8373a8 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -40,6 +40,7 @@
 #include "auth/auth_sam_reply.h"
 #include "lib/util/util_net.h"
 #include "../lib/util/asn1.h"
+#include "auth/kerberos/pac_utils.h"
 _PUBLIC_ NTSTATUS gensec_krb5_init(void);
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 2e60af6f84..82a029871c 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -31,6 +31,7 @@
 #include <ldb.h>
 #include "auth/auth_sam_reply.h"
 #include "auth/kerberos/kerberos_util.h"
+#include "auth/kerberos/pac_utils.h"
 _PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 DATA_BLOB blob,
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3b0f00f850..d654dc32ca 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -32,6 +32,7 @@
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "libcli/security/security.h"
 #include "dsdb/samdb/samdb.h"
+#include "auth/kerberos/pac_utils.h"
 static NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 4840a79b7f..827864242c 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -31,6 +31,7 @@
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "torture/auth/proto.h"
+#include "auth/kerberos/pac_utils.h"
 static bool torture_pac_self_check(struct torture_context *tctx)
 { |