summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/gensec_krb5.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/gensec/gensec_krb5.c')
-rw-r--r--source4/auth/gensec/gensec_krb5.c184
1 files changed, 2 insertions, 182 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 348a75b535..6d3c105405 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -51,185 +51,6 @@ struct gensec_krb5_state {
char *peer_principal;
};
-#ifdef KRB5_DO_VERIFY_PAC
-static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
- struct PAC_SIGNATURE_DATA *sig,
- struct gensec_krb5_state *gensec_krb5_state,
- uint32 keyusage)
-{
- krb5_error_code ret;
- krb5_crypto crypto;
- Checksum cksum;
- int i;
-
- cksum.cksumtype = (CKSUMTYPE)sig->type;
- cksum.checksum.length = sizeof(sig->signature);
- cksum.checksum.data = sig->signature;
-
-
- ret = krb5_crypto_init(gensec_krb5_state->smb_krb5_context->krb5_context,
- &gensec_krb5_state->keyblock,
- 0,
- &crypto);
- if (ret) {
- DEBUG(0,("krb5_crypto_init() failed\n"));
- return NT_STATUS_FOOBAR;
- }
- for (i=0; i < 40; i++) {
- keyusage = i;
- ret = krb5_verify_checksum(gensec_krb5_state->smb_krb5_context->krb5_context,
- crypto,
- keyusage,
- pac_data.data,
- pac_data.length,
- &cksum);
- if (!ret) {
- DEBUG(0,("PAC Verified: keyusage: %d\n", keyusage));
- break;
- }
- }
- krb5_crypto_destroy(gensec_krb5_state->smb_krb5_context->krb5_context, crypto);
-
- if (ret) {
- DEBUG(0,("NOT verifying PAC checksums yet!\n"));
- //return NT_STATUS_LOGON_FAILURE;
- } else {
- DEBUG(0,("PAC checksums verified!\n"));
- }
-
- return NT_STATUS_OK;
-}
-#endif
-
-static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx,
- struct PAC_LOGON_INFO **logon_info_out,
- DATA_BLOB blob,
- struct gensec_krb5_state *gensec_krb5_state)
-{
- NTSTATUS status;
- struct PAC_SIGNATURE_DATA srv_sig;
- struct PAC_SIGNATURE_DATA *srv_sig_ptr;
- struct PAC_SIGNATURE_DATA kdc_sig;
- struct PAC_SIGNATURE_DATA *kdc_sig_ptr;
- struct PAC_LOGON_INFO *logon_info = NULL;
- struct PAC_DATA pac_data;
-#ifdef KRB5_DO_VERIFY_PAC
- DATA_BLOB tmp_blob = data_blob(NULL, 0);
-#endif
- int i;
-
- status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
- return status;
- }
- NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
-
- if (pac_data.num_buffers < 3) {
- /* we need logon_ingo, service_key and kdc_key */
- DEBUG(0,("less than 3 PAC buffers\n"));
- return NT_STATUS_FOOBAR;
- }
-
- for (i=0; i < pac_data.num_buffers; i++) {
- switch (pac_data.buffers[i].type) {
- case PAC_TYPE_LOGON_INFO:
- if (!pac_data.buffers[i].info) {
- break;
- }
- logon_info = &pac_data.buffers[i].info->logon_info;
- break;
- case PAC_TYPE_SRV_CHECKSUM:
- if (!pac_data.buffers[i].info) {
- break;
- }
- srv_sig_ptr = &pac_data.buffers[i].info->srv_cksum;
- srv_sig = pac_data.buffers[i].info->srv_cksum;
- break;
- case PAC_TYPE_KDC_CHECKSUM:
- if (!pac_data.buffers[i].info) {
- break;
- }
- kdc_sig_ptr = &pac_data.buffers[i].info->kdc_cksum;
- kdc_sig = pac_data.buffers[i].info->kdc_cksum;
- break;
- case PAC_TYPE_UNKNOWN_10:
- break;
- default:
- break;
- }
- }
-
- if (!logon_info) {
- DEBUG(0,("PAC no logon_info\n"));
- return NT_STATUS_FOOBAR;
- }
-
- if (!srv_sig_ptr) {
- DEBUG(0,("PAC no srv_key\n"));
- return NT_STATUS_FOOBAR;
- }
-
- if (!kdc_sig_ptr) {
- DEBUG(0,("PAC no kdc_key\n"));
- return NT_STATUS_FOOBAR;
- }
-#ifdef KRB5_DO_VERIFY_PAC
- /* clear the kdc_key */
-/* memset((void *)kdc_sig_ptr , '\0', sizeof(*kdc_sig_ptr));*/
-
- status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
- (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
- return status;
- }
- /*NDR_PRINT_DEBUG(PAC_DATA, &pac_data);*/
-
- /* verify by kdc_key */
- status = gensec_krb5_pac_checksum(tmp_blob, &kdc_sig, gensec_krb5_state, 0);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* clear the service_key */
-/* memset((void *)srv_sig_ptr , '\0', sizeof(*srv_sig_ptr));*/
-
- status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
- (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
- return status;
- }
- NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
-
- /* verify by servie_key */
- status = gensec_krb5_pac_checksum(tmp_blob, &srv_sig, gensec_krb5_state, 0);
-
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-#endif
- DEBUG(0,("account_name: %s [%s]\n",
- logon_info->info3.base.account_name.string,
- logon_info->info3.base.full_name.string));
- *logon_info_out = logon_info;
-
- return status;
-}
-
static int gensec_krb5_destory(void *ptr)
{
struct gensec_krb5_state *gensec_krb5_state = ptr;
@@ -263,7 +84,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
gensec_security->private_data = gensec_krb5_state;
- initialize_krb5_error_table();
gensec_krb5_state->auth_context = NULL;
gensec_krb5_state->ccache = NULL;
ZERO_STRUCT(gensec_krb5_state->ticket);
@@ -623,8 +443,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
account_name = principal;
/* decode and verify the pac */
- nt_status = gensec_krb5_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
- gensec_krb5_state);
+ nt_status = kerberos_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
+ gensec_krb5_state);
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some
generated by cgit (git 2.34.1) at 2025-02-18 02:21:30 +0000