From 1757f8355cc54dc4ff9a075787543ef7ebb1dd5e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 10 Sep 2005 10:39:45 +0000
Subject: r10145: Allow a variable length signature, so we can support signing with other than arcfour-hmac-md5. Currently we still fail to verify other signatures however.

Andrew Bartlett
(This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
---
 source4/auth/kerberos/kerberos_pac.c | 24 +++++++-----------------
 source4/librpc/idl/krb5pac.idl | 2 +-
 2 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 3294699070..df1a871f85 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -44,9 +44,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 Checksum cksum;
 cksum.cksumtype = (CKSUMTYPE)sig->type;
- cksum.checksum.length = sizeof(sig->signature);
- cksum.checksum.data = sig->signature;
-
+ cksum.checksum.length = sig->signature.length;
+ cksum.checksum.data = sig->signature.data;
 ret = krb5_crypto_init(context, keyblock,
@@ -172,11 +171,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 if (krbtgt_keyblock) {
- DATA_BLOB service_checksum_blob
- = data_blob_const(srv_sig_ptr->signature, sizeof(srv_sig_ptr->signature));
-
 ret = check_pac_checksum(mem_ctx,
- service_checksum_blob, &kdc_sig,
+ srv_sig_ptr->signature, &kdc_sig,
 context, krbtgt_keyblock);
 if (ret) {
 DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
@@ -300,9 +296,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 sig->type = cksum.cksumtype;
- if (cksum.checksum.length == sizeof(sig->signature)) {
- memcpy(sig->signature, cksum.checksum.data, sizeof(sig->signature));
- }
+ sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);
 free_Checksum(&cksum);
 return 0;
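Review bot: `cksum.checksum.length` is now whatever length the peer put in the PAC, so an empty or mis-sized signature goes straight to the checksum verification with no check in this function; I would reject the degenerate case up front, right after the two assignments, with `if (sig->signature.length == 0) return KRB5KRB_AP_ERR_BAD_INTEGRITY;`. Heimdal's verify path presumably refuses a length that does not match the checksum type, so this is belt-and-braces, but it keeps the rejection visible here rather than relying on library behaviour for attacker-controlled input. check_pac_checksum's signature is on the hunk's @@ line and its body continues past the hunk.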
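Review bot: The call now verifies the KDC signature over `srv_sig_ptr->signature` exactly as pulled from the PAC, and nothing near it says that the krbtgt-keyed checksum covers only those server-checksum bytes rather than the PAC body, so the next reader will wonder why a variable-length blob is the "data" here. I would add, above the `ret = check_pac_checksum(mem_ctx,` line, `/* The KDC signature covers only the raw server checksum bytes, so its input length follows the server checksum type, not the PAC size */`. The enclosing function starts and ends outside this hunk, and the @@ context label names the preceding static function rather than the one this code is in.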
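Review bot: The allocation result of `data_blob_talloc` is not checked, so an out-of-memory condition leaves `sig->signature` as an empty blob and the function still returns 0, handing the caller a PAC with a missing signature that looks successfully signed. As far as I recall data_blob_talloc hands back a zero-length blob when talloc fails, so a length comparison is the cheap check: `if (sig->signature.length != cksum.checksum.length) { free_Checksum(&cksum); return ENOMEM; }` placed before the existing `free_Checksum(&cksum);`. The old fixed-size code at least refused to copy a wrong-sized checksum; the new code should refuse a failed copy. make_pac_checksum starts outside the hunk.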
@@ -319,7 +313,6 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 krb5_error_code ret;
 DATA_BLOB zero_blob = data_blob(NULL, 0);
 DATA_BLOB tmp_blob = data_blob(NULL, 0);
- DATA_BLOB service_checksum_blob;
 struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
 struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
 int i;
@@ -367,8 +360,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 /* But wipe out the actual signatures */
- ZERO_STRUCT(kdc_checksum->signature);
- ZERO_STRUCT(srv_checksum->signature);
+ memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
+ memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
 nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data, (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
@@ -382,11 +375,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum, context, service_keyblock);
- service_checksum_blob
- = data_blob_const(srv_checksum->signature, sizeof(srv_checksum->signature));
-
 /* Then sign Server checksum */
- ret = make_pac_checksum(mem_ctx, &service_checksum_blob, kdc_checksum, context, krbtgt_keyblock);
+ ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock);
 if (ret) {
 DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
 smb_get_krb5_error_message(context, ret, mem_ctx)));
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 7a975946d7..ff920b61bf 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -20,7 +20,7 @@ interface krb5pac
 typedef [flag(NDR_PAHEX)] struct {
 uint32 type;
- uint8 signature[16];
+ [flag(NDR_REMAINING)] DATA_BLOB signature;
 } PAC_SIGNATURE_DATA;
 typedef [gensize] struct {
--
cgit
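Review bot: The two memset calls zero whatever length these signature blobs already carry (they are sized by code outside this hunk), but the bytes signed here are only meaningful if that length equals the size of the checksum make_pac_checksum will later produce, because a verifier rebuilds the signed image from the signature length it actually finds in the PAC. With the old fixed 16-byte field that held by construction; with a variable-length blob a pre-sized 16-byte placeholder no longer matches a 12-byte HMAC-SHA1-96 checksum, which may well be the reason the commit message says other signature types still fail to verify. Until the blobs are sized from the checksum type of each key, I would record the requirement above the first memset: `/* NOTE: signature.length must already equal the output size of the checksum type chosen for this key, or the zeroed image signed here will not match what a verifier reconstructs */`. memset on a NULL data pointer with length 0 is also formally undefined, so a `.length` guard would not hurt. The enclosing function starts and ends outside this hunk.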
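Review bot: The `ret` from the service-key make_pac_checksum call on the hunk's first context line is overwritten by the krbtgt call on the new `+` line before it is ever tested, so if the server checksum fails the KDC checksum is computed over the still-zeroed `srv_checksum->signature` and the function can return success with a PAC whose server signature is garbage. The only `if (ret)` that follows names the krbtgt checksum. I would check the first result immediately after it, before the "Then sign Server checksum" comment: `if (ret) { DEBUG(2, ("making service PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); return ret; }`. This was already missing before the change, but the new code makes the second call depend directly on the first having succeeded. The enclosing function starts and ends outside this hunk.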
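Review bot: With `[flag(NDR_REMAINING)]` the signature field has no intrinsic size any more; on pull it absorbs every byte left in the containing buffer, so its length is now dictated by the enclosing PAC buffer's size field and any trailing bytes there become part of the signature that is verified. That contract is not written down anywhere in the IDL, and the old `[16]` at least told the reader what to expect. I would add above the field: `/* Length is whatever remains in the enclosing PAC buffer: 16 bytes for HMAC-MD5, 12 for the HMAC-SHA1-96 AES checksums; the producer must emit exactly the checksum, with no padding inside this buffer */`. The AES sizes are a statement about those checksum types, not something this file shows, so adjust if the project documents them elsewhere.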