From 31e21b67d998eed46c55132cc6067db6163d30c1 Mon Sep 17 00:00:00 2001
From: Jim McDonough
Date: Mon, 7 Apr 2003 18:01:40 +0000
Subject: Decode the PAC! This patch just decodes it and then frees it, so it's just for doc purposes right now (you can see it in the debug logs). (This used to be commit 046c2087a11b9ce7a02aece34ffb129ce0d66b08)
---
source3/libads/authdata.c | 495 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 495 insertions(+)
create mode 100644 source3/libads/authdata.c
(limited to 'source3/libads/authdata.c')
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
new file mode 100644
index 0000000000..3d25aec205
--- /dev/null
+++ b/source3/libads/authdata.c
@@ -0,0 +1,495 @@ +/* + Unix SMB/CIFS implementation. + kerberos authorization data (PAC) utility library + Copyright (C) Jim McDonough 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_KRB5 + +static DATA_BLOB unwrap_pac(DATA_BLOB *auth_data) +{ + DATA_BLOB pac_contents; + ASN1_DATA data; + int data_type; + + asn1_load(&data, *auth_data); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_SEQUENCE(0)); + asn1_start_tag(&data, ASN1_CONTEXT(0)); + asn1_read_Integer(&data, &data_type); + asn1_end_tag(&data); + asn1_start_tag(&data, ASN1_CONTEXT(1)); + asn1_read_OctetString(&data, &pac_contents); + asn1_end_tag(&data); + asn1_end_tag(&data); + asn1_end_tag(&data); + return pac_contents; +} + +static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, + prs_struct *ps, int depth) +{ + if (NULL == sid_and_attr) + return False; + + prs_debug(ps, depth, desc, "pac_io_krb_sids"); + depth++; + + if (UNMARSHALLING(ps)) { + sid_and_attr->sid = + (DOM_SID2 * ) prs_alloc_mem(ps, sizeof(DOM_SID2)); + if (!sid_and_attr->sid) { + DEBUG(3, ("No memory available\n")); + return False; + } + } + + if(!smb_io_dom_sid2("sid", sid_and_attr->sid, ps, depth)) + return False; + + return True; +} + + +static BOOL pac_io_krb_attrs(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, 
+ prs_struct *ps, int depth) +{ + if (NULL == sid_and_attr) + return False; + + prs_debug(ps, depth, desc, "pac_io_krb_attrs"); + depth++; + + if (!prs_uint32("sid_ptr", ps, depth, &sid_and_attr->sid_ptr)) + return False; + if (!prs_uint32("attrs", ps, depth, &sid_and_attr->attrs)) + return False; + + return True; +} + +static BOOL pac_io_krb_sid_and_attr_array(const char *desc, + KRB_SID_AND_ATTR_ARRAY *array, + uint32 num, + prs_struct *ps, int depth) +{ + int i; + + if (NULL == array) + return False; + + prs_debug(ps, depth, desc, "pac_io_krb_sid_and_attr_array"); + depth++; + + + if (!prs_uint32("count", ps, depth, &array->count)) + return False; + + if (UNMARSHALLING(ps)) { + array->krb_sid_and_attrs = (KRB_SID_AND_ATTRS *) + prs_alloc_mem(ps, sizeof(KRB_SID_AND_ATTRS) * num); + if (!array->krb_sid_and_attrs) { + DEBUG(3, ("No memory available\n")); + return False; + } + } + + for (i=0; ikrb_sid_and_attrs[i], + ps, depth)) + return False; + + } + for (i=0; ikrb_sid_and_attrs[i], + ps, depth)) + return False; + + } + + return True; + +} + +static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, + prs_struct *ps, int depth) +{ + uint32 garbage; + if (NULL == info) + return False; + + prs_debug(ps, depth, desc, "pac_io_pac_logon_info"); + depth++; + + if (!prs_uint32("unknown", ps, depth, &garbage)) + return False; + if (!prs_uint32("unknown", ps, depth, &garbage)) + return False; + if (!prs_uint32("bufferlen", ps, depth, &garbage)) + return False; + if (!prs_uint32("bufferlenhi", ps, depth, &garbage)) + return False; + if (!prs_uint32("pointer", ps, depth, &garbage)) + return False; + + if (!smb_io_time("logon_time", &info->logon_time, ps, depth)) + return False; + if (!smb_io_time("logoff_time", &info->logoff_time, ps, depth)) + return False; + if (!smb_io_time("kickoff_time", &info->kickoff_time, ps, depth)) + return False; + if (!smb_io_time("pass_last_set_time", &info->pass_last_set_time, + ps, depth)) + return False; + if 
(!smb_io_time("pass_can_change_time", &info->pass_can_change_time, + ps, depth)) + return False; + if (!smb_io_time("pass_must_change_time", &info->pass_must_change_time, + ps, depth)) + return False; + + if (!smb_io_unihdr("hdr_user_name", &info->hdr_user_name, ps, depth)) + return False; + if (!smb_io_unihdr("hdr_full_name", &info->hdr_full_name, ps, depth)) + return False; + if (!smb_io_unihdr("hdr_logon_script", &info->hdr_logon_script, + ps, depth)) + return False; + if (!smb_io_unihdr("hdr_profile_path", &info->hdr_profile_path, + ps, depth)) + return False; + if (!smb_io_unihdr("hdr_home_dir", &info->hdr_home_dir, ps, depth)) + return False; + if (!smb_io_unihdr("hdr_dir_drive", &info->hdr_dir_drive, ps, depth)) + return False; + + if (!prs_uint16("logon_count", ps, depth, &info->logon_count)) + return False; + if (!prs_uint16("reserved12", ps, depth, &info->reserved12)) + return False; + if (!prs_uint32("user_rid", ps, depth, &info->user_rid)) + return False; + if (!prs_uint32("group_rid", ps, depth, &info->group_rid)) + return False; + if (!prs_uint32("group_count", ps, depth, &info->group_count)) + return False; + /* I haven't seen this contain anything yet, but when it does + we will have to make sure we decode the contents in the middle + all the unistr2s ... 
*/ + if (!prs_uint32("group_mem_ptr", ps, depth, + &info->group_membership_ptr)) + return False; + if (!prs_uint32("user_flags", ps, depth, &info->user_flags)) + return False; + + if (!prs_uint32("reserved13.0", ps, depth, &info->reserved13[0])) + return False; + if (!prs_uint32("reserved13.1", ps, depth, &info->reserved13[1])) + return False; + if (!prs_uint32("reserved13.2", ps, depth, &info->reserved13[2])) + return False; + if (!prs_uint32("reserved13.3", ps, depth, &info->reserved13[3])) + return False; + + if (!smb_io_unihdr("hdr_dom_controller", + &info->hdr_dom_controller, ps, depth)) + return False; + if (!smb_io_unihdr("hdr_dom_name", &info->hdr_dom_name, ps, depth)) + return False; + + /* this should be followed, but just get ptr for now */ + if (!prs_uint32("ptr_dom_sid", ps, depth, &info->ptr_dom_sid)) + return False; + + if (!prs_uint32("reserved16.0", ps, depth, &info->reserved16[0])) + return False; + if (!prs_uint32("reserved16.1", ps, depth, &info->reserved16[1])) + return False; + + /* might be acb_info */ + if (!prs_uint32("reserved17", ps, depth, &info->reserved17)) + return False; + + + if (!prs_uint32("reserved18.0", ps, depth, &info->reserved18[0])) + return False; + if (!prs_uint32("reserved18.1", ps, depth, &info->reserved18[1])) + return False; + if (!prs_uint32("reserved18.2", ps, depth, &info->reserved18[2])) + return False; + if (!prs_uint32("reserved18.3", ps, depth, &info->reserved18[3])) + return False; + if (!prs_uint32("reserved18.4", ps, depth, &info->reserved18[4])) + return False; + if (!prs_uint32("reserved18.5", ps, depth, &info->reserved18[5])) + return False; + if (!prs_uint32("reserved18.6", ps, depth, &info->reserved18[6])) + return False; + + if (!prs_uint32("sid_count", ps, depth, &info->sid_count)) + return False; + if (!prs_uint32("ptr_extra_sids", ps, depth, &info->ptr_extra_sids)) + return False; + if (!prs_uint32("ptr_res_group_dom_sid", ps, depth, + &info->ptr_res_group_dom_sid)) + return False; + if 
(!prs_uint32("res_group_count", ps, depth, &info->res_group_count)) + return False; + if (!prs_uint32("ptr_res_group_sids", ps, depth, + &info->ptr_res_group_sids)) + return False; + + if(!smb_io_unistr2("uni_user_name", &info->uni_user_name, + info->hdr_user_name.buffer, ps, depth)) + return False; + if(!smb_io_unistr2("uni_full_name", &info->uni_full_name, + info->hdr_full_name.buffer, ps, depth)) + return False; + if(!smb_io_unistr2("uni_logon_script", &info->uni_logon_script, + info->hdr_logon_script.buffer, ps, depth)) + return False; + if(!smb_io_unistr2("uni_profile_path", &info->uni_profile_path, + info->hdr_profile_path.buffer, ps, depth)) + return False; + if(!smb_io_unistr2("uni_home_dir", &info->uni_home_dir, + info->hdr_home_dir.buffer, ps, depth)) + return False; + if(!smb_io_unistr2("uni_dir_drive", &info->uni_dir_drive, + info->hdr_dir_drive.buffer, ps, depth)) + return False; + + /* the group membership list will need to be handled here */ + + if(!smb_io_unistr2("uni_dom_controller", &info->uni_dom_controller, + info->hdr_dom_controller.buffer, ps, depth)) + return False; + if(!smb_io_unistr2("uni_dom_name", &info->uni_dom_name, + info->hdr_dom_name.buffer, ps, depth)) + return False; + + if(info->ptr_dom_sid) + if(!smb_io_dom_sid2("dom_sid", &info->dom_sid, ps, depth)) + return False; + + + if (info->sid_count && info->ptr_extra_sids) { + if (!pac_io_krb_sid_and_attr_array("extra_sids", + &info->extra_sids, + info->sid_count, + ps, depth)) + return False; + } + + + return True; +} + + +static BOOL pac_io_pac_signature_data(const char *desc, + PAC_SIGNATURE_DATA *data, uint32 length, + prs_struct *ps, int depth) +{ + uint32 siglen = length - sizeof(uint32); + if (NULL == data) + return False; + + prs_debug(ps, depth, desc, "pac_io_pac_signature_data"); + depth++; + + if (!prs_uint32("type", ps, depth, &data->type)) + return False; + if (UNMARSHALLING(ps)) { + data->signature = prs_alloc_mem(ps, siglen); + if (!data->signature) { + DEBUG(3, ("No 
memory available\n")); + return False; + } + } + if (!prs_uint8s(False, "signature", ps, depth, data->signature,siglen)) + return False; + + return True; +} + +static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, + prs_struct *ps, int depth) +{ + if (NULL == hdr) + return False; + + prs_debug(ps, depth, desc, "pac_io_pac_info_hdr_ctr"); + depth++; + + if (!prs_align(ps)) + return False; + + if (hdr->offset != prs_offset(ps)) { + DEBUG(5, ("offset in header(x%x) and data(x%x) do not match\n", + hdr->offset, prs_offset(ps))); + prs_set_offset(ps, hdr->offset); + } + + if (UNMARSHALLING(ps) && hdr->size > 0) { + hdr->ctr = (PAC_INFO_CTR *) + prs_alloc_mem(ps, sizeof(PAC_INFO_CTR)); + if (!hdr->ctr) { + DEBUG(3, ("No memory available\n")); + return False; + } + } + + switch(hdr->type) { + case PAC_TYPE_LOGON_INFO: + DEBUG(5, ("PAC_TYPE_LOGON_INFO\n")); + if (UNMARSHALLING(ps)) + hdr->ctr->pac.logon_info = (PAC_LOGON_INFO *) + prs_alloc_mem(ps, sizeof(PAC_LOGON_INFO)); + if (!hdr->ctr->pac.logon_info) { + DEBUG(3, ("No memory available\n")); + return False; + } + if (!pac_io_pac_logon_info(desc, hdr->ctr->pac.logon_info, + ps, depth)) + return False; + break; + + case PAC_TYPE_SERVER_CHECKSUM: + DEBUG(5, ("PAC_TYPE_SERVER_CHECKSUM\n")); + if (UNMARSHALLING(ps)) + hdr->ctr->pac.srv_cksum = (PAC_SIGNATURE_DATA *) + prs_alloc_mem(ps, sizeof(PAC_SIGNATURE_DATA)); + if (!hdr->ctr->pac.srv_cksum) { + DEBUG(3, ("No memory available\n")); + return False; + } + if (!pac_io_pac_signature_data(desc, hdr->ctr->pac.srv_cksum, + hdr->size, ps, depth)) + return False; + break; + + case PAC_TYPE_PRIVSVR_CHECKSUM: + DEBUG(5, ("PAC_TYPE_PRIVSVR_CHECKSUM\n")); + if (UNMARSHALLING(ps)) + hdr->ctr->pac.privsrv_cksum = (PAC_SIGNATURE_DATA *) + prs_alloc_mem(ps, sizeof(PAC_SIGNATURE_DATA)); + if (!hdr->ctr->pac.privsrv_cksum) { + DEBUG(3, ("No memory available\n")); + return False; + } + if (!pac_io_pac_signature_data(desc, + hdr->ctr->pac.privsrv_cksum, + hdr->size, ps, 
depth)) + return False; + break; + + default: + /* dont' know, so we need to skip it */ + DEBUG(3, ("unknown PAC type %d\n", hdr->type)); + prs_set_offset(ps, prs_offset(ps) + hdr->size); + } + + return True; +} + +static BOOL pac_io_pac_info_hdr(const char *desc, PAC_INFO_HDR *hdr, + prs_struct *ps, int depth) +{ + if (NULL == hdr) + return False; + + prs_debug(ps, depth, desc, "pac_io_pac_info_hdr"); + depth++; + + if (!prs_align(ps)) + return False; + if (!prs_uint32("type", ps, depth, &hdr->type)) + return False; + if (!prs_uint32("size", ps, depth, &hdr->size)) + return False; + if (!prs_uint32("offset", ps, depth, &hdr->offset)) + return False; + if (!prs_uint32("offsethi", ps, depth, &hdr->offsethi)) + return False; + + return True; +} + +static BOOL pac_io_pac_data(const char *desc, PAC_DATA *data, + prs_struct *ps, int depth) +{ + int i; + + if (NULL == data) + return False; + + prs_debug(ps, depth, desc, "pac_io_pac_data"); + depth++; + + if (!prs_align(ps)) + return False; + if (!prs_uint32("num_buffers", ps, depth, &data->num_buffers)) + return False; + if (!prs_uint32("version", ps, depth, &data->version)) + return False; + + if (UNMARSHALLING(ps) && data->num_buffers > 0) { + if ((data->pac_info_hdr_ptr = (PAC_INFO_HDR *) + prs_alloc_mem(ps, sizeof(PAC_INFO_HDR) * + data->num_buffers)) == NULL) { + return False; + } + } + + for (i=0; inum_buffers; i++) { + if (!pac_io_pac_info_hdr(desc, &data->pac_info_hdr_ptr[i], ps, + depth)) + return False; + } + + for (i=0; inum_buffers; i++) { + if (!pac_io_pac_info_hdr_ctr(desc, &data->pac_info_hdr_ptr[i], + ps, depth)) + return False; + } + + return True; +} + +PAC_DATA *decode_pac_data(DATA_BLOB *auth_data, TALLOC_CTX *ctx) +{ + DATA_BLOB pac_data_blob = unwrap_pac(auth_data); + prs_struct ps; + PAC_DATA *pac_data; + + DEBUG(5,("dump_pac_data\n")); + prs_init(&ps, pac_data_blob.length, ctx, UNMARSHALL); + prs_copy_data_in(&ps, pac_data_blob.data, pac_data_blob.length); + prs_set_offset(&ps, 0); + + pac_data = 
(PAC_DATA *) talloc_zero(ctx, sizeof(PAC_DATA)); + pac_io_pac_data("pac data", pac_data, &ps, 0); + + prs_mem_free(&ps); + + return pac_data; +} + +#endif -- cgit From 1f04eb2e2617ac05974c21bdac9ebb4781b5a9d9 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 9 Apr 2003 16:48:59 +0000 Subject: Complete what I've seen (and then some)t of the PAC. I haven't seen the rid+attr arrays for group membership, nor sids or the same kind of arrays for resource domains, so I don't know how that will work. Also, the PAC info type 10 is now decoded, but I don't know what it's for. It has an NTTIME, a 16-bit name length, and a username. According to M$, it's not needed, because they didn't doc it... (This used to be commit 28ab8504cf6c181866106e5cc626a5896283d0a9) --- source3/libads/authdata.c | 129 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 124 insertions(+), 5 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 3d25aec205..c554a02e90 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
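Review bot: `pac_io_pac_signature_data()` computes `siglen = length - sizeof(uint32)` from the wire-supplied `hdr->size` with no lower bound, so a checksum buffer that declares a size below 4 wraps `siglen` to a value near 4 GiB before it reaches `prs_alloc_mem()` and `prs_uint8s()`; add `if (length < sizeof(uint32)) return False;` ahead of the subtraction. In `pac_io_pac_info_hdr_ctr()` the container `hdr->ctr` is allocated only when `hdr->size > 0`, yet every known-type `case` dereferences `hdr->ctr->pac.*`, so a zero-size header of a known type is dereferenced without an allocation; such a buffer should be skipped or rejected before the `switch`, e.g. `if (hdr->size == 0) return True;` (the `PAC_TYPE_UNKNOWN_10` case added by the next patch on this page inherits the same path). Both `prs_set_offset()` calls in that function take `hdr->offset` and `prs_offset(ps) + hdr->size` straight from the PAC and ignore the result, so they should at least carry a comment that these fields are not validated against the blob length. None of this decoding is gated on the two checksum buffers, which are parsed but never verified here.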
@@ -42,6 +42,38 @@ static DATA_BLOB unwrap_pac(DATA_BLOB *auth_data) return pac_contents; } +static BOOL pac_io_unknown_type_10(const char *desc, UNKNOWN_TYPE_10 *type_10, + prs_struct *ps, int depth) +{ + if (NULL == type_10) + return False; + + prs_debug(ps, depth, desc, "pac_io_unknown_type_10"); + depth++; + + if (!smb_io_time("unknown_time", &type_10->unknown_time, ps, depth)) + return False; + + if (!prs_uint16("len", ps, depth, &type_10->len)) + return False; + + if (UNMARSHALLING(ps) && type_10->len) { + type_10->username = (uint16 *) prs_alloc_mem(ps, type_10->len); + if (!type_10->username) { + DEBUG(3, ("No memory available\n")); + return False; + } + } + + if (!prs_uint16s(True, "name", ps, depth, type_10->username, + (type_10->len / sizeof(uint16)))) + return False; + + return True; + +} + + static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, prs_struct *ps, int depth) { 
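Review bot: `pac_io_unknown_type_10()` treats `type_10->len` as a byte count for the allocation and as `len / sizeof(uint16)` units for the read, but neither the function nor the field says which unit `len` is in, and the value is never compared with the enclosing buffer's `hdr->size`. A comment above the `prs_uint16("len", ...)` call would prevent a later unit mix-up: `/* len counts bytes, not uint16 units; no terminator is read, so username is not NUL-terminated */`. When `len` is 0 the `username` pointer is left as whatever the struct allocation produced and is still passed to `prs_uint16s()`, so the comment should also say that consumers must check `len` before touching `username`.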
@@ -129,6 +161,63 @@ static BOOL pac_io_krb_sid_and_attr_array(const char *desc, } +static BOOL pac_io_group_membership(const char *desc, + GROUP_MEMBERSHIP *membership, + prs_struct *ps, int depth) +{ + if (NULL == membership) + return False; + + prs_debug(ps, depth, desc, "pac_io_group_membership"); + depth++; + + if (!prs_uint32("rid", ps, depth, &membership->rid)) + return False; + if (!prs_uint32("attrs", ps, depth, &membership->attrs)) + return False; + + return True; +} + + +static BOOL pac_io_group_membership_array(const char *desc, + GROUP_MEMBERSHIP_ARRAY *array, + uint32 num, + prs_struct *ps, int depth) +{ + int i; + + if (NULL == array) + return False; + + prs_debug(ps, depth, desc, "pac_io_group_membership_array"); + depth++; + + + if (!prs_uint32("count", ps, depth, &array->count)) + return False; + + if (UNMARSHALLING(ps)) { + array->group_membership = (GROUP_MEMBERSHIP *) + prs_alloc_mem(ps, sizeof(GROUP_MEMBERSHIP) * num); + if (!array->group_membership) { + DEBUG(3, ("No memory available\n")); + return False; + } + } + + for (i=0; igroup_membership[i], + ps, depth)) + return False; + + } + + return True; + +} + static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { @@ -253,8 +342,7 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, return False; if (!prs_uint32("res_group_count", ps, depth, &info->res_group_count)) return False; - if (!prs_uint32("ptr_res_group_sids", ps, depth, - &info->ptr_res_group_sids)) + if (!prs_uint32("ptr_res_groups", ps, depth, &info->ptr_res_groups)) return False; if(!smb_io_unistr2("uni_user_name", &info->uni_user_name, 
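Review bot: `pac_io_group_membership_array()` reads `array->count` from the stream but sizes the allocation with the caller's `num`, which the call sites later in this patch fill from `info->group_count` and `info->res_group_count`, both decoded from the PAC with no upper bound. The product `sizeof(GROUP_MEMBERSHIP) * num` can wrap where `size_t` is 32 bits, and the loop header is not legible in this rendering, so which of the two counts bounds the iteration cannot be confirmed from the page. If the two counts are expected to agree, reject a mismatch right after the read with `if (array->count != num) return False;` and cap `num` at what the remaining buffer can hold before multiplying. `int i` is also compared against a `uint32`, and `pac_io_krb_sid_and_attr_array()` from the first patch has the same shape.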
@@ -276,7 +364,14 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, info->hdr_dir_drive.buffer, ps, depth)) return False; - /* the group membership list will need to be handled here */ + if (info->group_membership_ptr) { + if (!pac_io_group_membership_array("group membership", + &info->groups, + info->group_count, + ps, depth)) + return False; + } + if(!smb_io_unistr2("uni_dom_controller", &info->uni_dom_controller, info->hdr_dom_controller.buffer, ps, depth)) @@ -290,14 +385,24 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, return False; - if (info->sid_count && info->ptr_extra_sids) { + if (info->sid_count && info->ptr_extra_sids) if (!pac_io_krb_sid_and_attr_array("extra_sids", &info->extra_sids, info->sid_count, ps, depth)) return False; - } + if (info->ptr_res_group_dom_sid) + if (!smb_io_dom_sid2("res_group_dom_sid", + &info->res_group_dom_sid, ps, depth)) + return False; + + if (info->ptr_res_groups) + if (!pac_io_group_membership_array("res group membership", + &info->res_groups, + info->res_group_count, + ps, depth)) + return False; return True; } @@ -400,6 +505,20 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, return False; break; + case PAC_TYPE_UNKNOWN_10: + DEBUG(5, ("PAC_TYPE_UNKNOWN_10\n")); + if (UNMARSHALLING(ps)) + hdr->ctr->pac.type_10 = (UNKNOWN_TYPE_10 *) + prs_alloc_mem(ps, sizeof(UNKNOWN_TYPE_10)); + if (!hdr->ctr->pac.type_10) { + DEBUG(3, ("No memory available\n")); + return False; + } + if (!pac_io_unknown_type_10(desc, hdr->ctr->pac.type_10, + ps, depth)) + return False; + break; + default: /* dont' know, so we need to skip it */ DEBUG(3, ("unknown PAC type %d\n", hdr->type)); -- cgit From 9f2e6167d22cc06fa94495574fc29d6bcbb1dd8a Mon Sep 17 00:00:00 2001 
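Review bot: In the hunk at `@@ -290,14 +385,24 @@` the braces are dropped from `if (info->sid_count && info->ptr_extra_sids)` and the two new `ptr_res_group_dom_sid` / `ptr_res_groups` tests are written as unbraced nested `if` statements with multi-line bodies, which is easy to break when a later edit adds a statement or an `else`. Keep the outer braces, as the `group_membership_ptr` block added earlier in this patch does: `if (info->ptr_res_groups) {` ... `}`. `ptr_res_groups` is also tested without `res_group_count`, unlike the `sid_count && ptr_extra_sids` test beside it, so a non-zero pointer with a zero count still enters the array decoder. `pac_io_pac_logon_info()` starts and continues outside this hunk.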
From: Jim McDonough Date: Fri, 1 Aug 2003 15:21:20 +0000 Subject: Update my copyrights according to my agreement with IBM (This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index c554a02e90..50a9ef2718 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -1,7 +1,7 @@ /* Unix SMB/CIFS implementation. kerberos authorization data (PAC) utility library - Copyright (C) Jim McDonough 2003 + Copyright (C) Jim McDonough 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit From c9aa836204eb722890cbd4d64248ff7ef1a50e60 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 15 Aug 2003 01:46:09 +0000 Subject: Fix memleaks. Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8) --- source3/libads/authdata.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 50a9ef2718..f78a4ad707 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -39,6 +39,7 @@ static DATA_BLOB unwrap_pac(DATA_BLOB *auth_data) asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); + asn1_free(&data); return pac_contents; } @@ -603,6 +604,8 @@ PAC_DATA *decode_pac_data(DATA_BLOB *auth_data, TALLOC_CTX *ctx) prs_copy_data_in(&ps, pac_data_blob.data, pac_data_blob.length); prs_set_offset(&ps, 0); + data_blob_free(&pac_data_blob); + pac_data = (PAC_DATA *) talloc_zero(ctx, sizeof(PAC_DATA)); pac_io_pac_data("pac data", pac_data, &ps, 0); -- cgit 
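Review bot: In the `decode_pac_data()` hunk the result of `pac_io_pac_data()` is still discarded after this change, so a PAC that fails to parse part-way is handed back as a partially filled `PAC_DATA` with no failure signal, and the `talloc_zero()` result is used unchecked. Once `pac_data` is allocated, something like `if (!pac_data || !pac_io_pac_data("pac data", pac_data, &ps, 0)) { prs_mem_free(&ps); return NULL; }` would make the failure visible, provided callers already handle a NULL return (not visible on this page). The `unwrap_pac()` hunk has the same gap: `asn1_free(&data)` is added, but none of the ASN.1 reads before it is checked, so the returned blob is used whether or not the wrapper parsed. Both functions begin outside their hunks.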
From aa39cc37dab9c4f8c3295d872bb8cc143890b378 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 15 Aug 2003 04:42:05 +0000 Subject: get rid of more compiler warnings (This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669) --- source3/libads/authdata.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index f78a4ad707..29170af377 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -423,7 +423,7 @@ static BOOL pac_io_pac_signature_data(const char *desc, if (!prs_uint32("type", ps, depth, &data->type)) return False; if (UNMARSHALLING(ps)) { - data->signature = prs_alloc_mem(ps, siglen); + data->signature = (unsigned char *)prs_alloc_mem(ps, siglen); if (!data->signature) { DEBUG(3, ("No memory available\n")); return False; @@ -601,7 +601,7 @@ PAC_DATA *decode_pac_data(DATA_BLOB *auth_data, TALLOC_CTX *ctx) DEBUG(5,("dump_pac_data\n")); prs_init(&ps, pac_data_blob.length, ctx, UNMARSHALL); - prs_copy_data_in(&ps, pac_data_blob.data, pac_data_blob.length); + prs_copy_data_in(&ps, (char *)pac_data_blob.data, pac_data_blob.length); prs_set_offset(&ps, 0); data_blob_free(&pac_data_blob); -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/libads/authdata.c | 34 ++++++++++++---------------------- 1 file changed, 12 insertions(+), 22 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 29170af377..ccaf82124c 100644 --- a/source3/libads/authdata.c 
+++ b/source3/libads/authdata.c @@ -59,7 +59,7 @@ static BOOL pac_io_unknown_type_10(const char *desc, UNKNOWN_TYPE_10 *type_10, return False; if (UNMARSHALLING(ps) && type_10->len) { - type_10->username = (uint16 *) prs_alloc_mem(ps, type_10->len); + type_10->username = PRS_ALLOC_MEM(ps, uint16, type_10->len); if (!type_10->username) { DEBUG(3, ("No memory available\n")); return False; @@ -85,8 +85,7 @@ static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, depth++; if (UNMARSHALLING(ps)) { - sid_and_attr->sid = - (DOM_SID2 * ) prs_alloc_mem(ps, sizeof(DOM_SID2)); + sid_and_attr->sid = PRS_ALLOC_MEM(ps, DOM_SID2, 1); if (!sid_and_attr->sid) { DEBUG(3, ("No memory available\n")); return False; @@ -135,8 +134,7 @@ static BOOL pac_io_krb_sid_and_attr_array(const char *desc, return False; if (UNMARSHALLING(ps)) { - array->krb_sid_and_attrs = (KRB_SID_AND_ATTRS *) - prs_alloc_mem(ps, sizeof(KRB_SID_AND_ATTRS) * num); + array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num); if (!array->krb_sid_and_attrs) { DEBUG(3, ("No memory available\n")); return False; @@ -199,8 +197,7 @@ static BOOL pac_io_group_membership_array(const char *desc, return False; if (UNMARSHALLING(ps)) { - array->group_membership = (GROUP_MEMBERSHIP *) - prs_alloc_mem(ps, sizeof(GROUP_MEMBERSHIP) * num); + array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num); if (!array->group_membership) { DEBUG(3, ("No memory available\n")); return False; @@ -423,7 +420,7 @@ static BOOL pac_io_pac_signature_data(const char *desc, if (!prs_uint32("type", ps, depth, &data->type)) return False; if (UNMARSHALLING(ps)) { - data->signature = (unsigned char *)prs_alloc_mem(ps, siglen); + data->signature = PRS_ALLOC_MEM(ps, unsigned char, siglen); if (!data->signature) { DEBUG(3, ("No memory available\n")); return False; 
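Review bot: The conversion at `@@ -59,7 +59,7 @@` changes the allocation size rather than just its spelling: `prs_alloc_mem(ps, type_10->len)` allocated `len` bytes, while `PRS_ALLOC_MEM(ps, uint16, type_10->len)` asks for `len` elements of `uint16`, judging by how the other call sites in this patch map `sizeof(T) * n` to `(T, n)`. `len` is a byte count in this function (the read shown in the earlier patch uses `type_10->len / sizeof(uint16)`), so the buffer is now twice the needed size. That errs on the safe side, but the element count should match the read: `type_10->username = PRS_ALLOC_MEM(ps, uint16, type_10->len / sizeof(uint16));`. The rename patch that follows carries the same line forward as `logon_name->len`.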
@@ -454,8 +451,7 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, } if (UNMARSHALLING(ps) && hdr->size > 0) { - hdr->ctr = (PAC_INFO_CTR *) - prs_alloc_mem(ps, sizeof(PAC_INFO_CTR)); + hdr->ctr = PRS_ALLOC_MEM(ps, PAC_INFO_CTR, 1); if (!hdr->ctr) { DEBUG(3, ("No memory available\n")); return False; @@ -466,8 +462,7 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, case PAC_TYPE_LOGON_INFO: DEBUG(5, ("PAC_TYPE_LOGON_INFO\n")); if (UNMARSHALLING(ps)) - hdr->ctr->pac.logon_info = (PAC_LOGON_INFO *) - prs_alloc_mem(ps, sizeof(PAC_LOGON_INFO)); + hdr->ctr->pac.logon_info = PRS_ALLOC_MEM(ps, PAC_LOGON_INFO, 1); if (!hdr->ctr->pac.logon_info) { DEBUG(3, ("No memory available\n")); return False; @@ -480,8 +475,7 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, case PAC_TYPE_SERVER_CHECKSUM: DEBUG(5, ("PAC_TYPE_SERVER_CHECKSUM\n")); if (UNMARSHALLING(ps)) - hdr->ctr->pac.srv_cksum = (PAC_SIGNATURE_DATA *) - prs_alloc_mem(ps, sizeof(PAC_SIGNATURE_DATA)); + hdr->ctr->pac.srv_cksum = PRS_ALLOC_MEM(ps, PAC_SIGNATURE_DATA, 1); if (!hdr->ctr->pac.srv_cksum) { DEBUG(3, ("No memory available\n")); return False; @@ -494,8 +488,7 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, case PAC_TYPE_PRIVSVR_CHECKSUM: DEBUG(5, ("PAC_TYPE_PRIVSVR_CHECKSUM\n")); if (UNMARSHALLING(ps)) - hdr->ctr->pac.privsrv_cksum = (PAC_SIGNATURE_DATA *) - prs_alloc_mem(ps, sizeof(PAC_SIGNATURE_DATA)); + hdr->ctr->pac.privsrv_cksum = PRS_ALLOC_MEM(ps, PAC_SIGNATURE_DATA, 1); if (!hdr->ctr->pac.privsrv_cksum) { DEBUG(3, ("No memory available\n")); return False; 
@@ -509,8 +502,7 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, case PAC_TYPE_UNKNOWN_10: DEBUG(5, ("PAC_TYPE_UNKNOWN_10\n")); if (UNMARSHALLING(ps)) - hdr->ctr->pac.type_10 = (UNKNOWN_TYPE_10 *) - prs_alloc_mem(ps, sizeof(UNKNOWN_TYPE_10)); + hdr->ctr->pac.type_10 = PRS_ALLOC_MEM(ps, UNKNOWN_TYPE_10, 1); if (!hdr->ctr->pac.type_10) { DEBUG(3, ("No memory available\n")); return False; @@ -571,9 +563,7 @@ static BOOL pac_io_pac_data(const char *desc, PAC_DATA *data, return False; if (UNMARSHALLING(ps) && data->num_buffers > 0) { - if ((data->pac_info_hdr_ptr = (PAC_INFO_HDR *) - prs_alloc_mem(ps, sizeof(PAC_INFO_HDR) * - data->num_buffers)) == NULL) { + if ((data->pac_info_hdr_ptr = PRS_ALLOC_MEM(ps, PAC_INFO_HDR, data->num_buffers)) == NULL) { return False; } } @@ -606,7 +596,7 @@ PAC_DATA *decode_pac_data(DATA_BLOB *auth_data, TALLOC_CTX *ctx) data_blob_free(&pac_data_blob); - pac_data = (PAC_DATA *) talloc_zero(ctx, sizeof(PAC_DATA)); + pac_data = TALLOC_ZERO_P(ctx, PAC_DATA); pac_io_pac_data("pac data", pac_data, &ps, 0); prs_mem_free(&ps); -- cgit From cc6843fcca2220d27235ff87c7f2b5b2403052ad Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 6 Aug 2005 04:35:11 +0000 Subject: r9163: Rename UNKNOWN_TYPE_10 to PAC_LOGON_NAME (merge from samba4) Guenther (This used to be commit d14dcba9635d10d2d8bf9f60c601b8c9078ec340) --- source3/libads/authdata.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index ccaf82124c..2cc6c6ebae 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -43,31 +43,31 @@ static DATA_BLOB unwrap_pac(DATA_BLOB *auth_data) return pac_contents; } -static BOOL pac_io_unknown_type_10(const char *desc, UNKNOWN_TYPE_10 *type_10, - prs_struct *ps, int depth) +static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, + prs_struct *ps, int depth) { - if (NULL == type_10) + if (NULL == logon_name) return False; - prs_debug(ps, depth, desc, "pac_io_unknown_type_10"); + prs_debug(ps, depth, desc, "pac_io_logon_name"); depth++; - if (!smb_io_time("unknown_time", &type_10->unknown_time, ps, depth)) + if (!smb_io_time("logon_time", &logon_name->logon_time, ps, depth)) return False; - if (!prs_uint16("len", ps, depth, &type_10->len)) + if (!prs_uint16("len", ps, depth, &logon_name->len)) return False; - if (UNMARSHALLING(ps) && type_10->len) { - type_10->username = PRS_ALLOC_MEM(ps, uint16, type_10->len); - if (!type_10->username) { + if (UNMARSHALLING(ps) && logon_name->len) { + logon_name->username = PRS_ALLOC_MEM(ps, uint16, logon_name->len); + if (!logon_name->username) { DEBUG(3, ("No memory available\n")); return False; } } - if (!prs_uint16s(True, "name", ps, depth, type_10->username, - (type_10->len / sizeof(uint16)))) + if (!prs_uint16s(True, "name", ps, depth, logon_name->username, + (logon_name->len / sizeof(uint16)))) return False; return True; 
@@ -499,15 +499,15 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, return False; break; - case PAC_TYPE_UNKNOWN_10: - DEBUG(5, ("PAC_TYPE_UNKNOWN_10\n")); + case PAC_TYPE_LOGON_NAME: + DEBUG(5, ("PAC_TYPE_LOGON_NAME\n")); if (UNMARSHALLING(ps)) - hdr->ctr->pac.type_10 = PRS_ALLOC_MEM(ps, UNKNOWN_TYPE_10, 1); - if (!hdr->ctr->pac.type_10) { + hdr->ctr->pac.logon_name = PRS_ALLOC_MEM(ps, PAC_LOGON_NAME, 1); + if (!hdr->ctr->pac.logon_name) { DEBUG(3, ("No memory available\n")); return False; } - if (!pac_io_unknown_type_10(desc, hdr->ctr->pac.type_10, + if (!pac_io_logon_name(desc, hdr->ctr->pac.logon_name, ps, depth)) return False; break; -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/libads/authdata.c | 478 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 399 insertions(+), 79 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 2cc6c6ebae..2e7866c055 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -2,6 +2,11 @@ Unix SMB/CIFS implementation. kerberos authorization data (PAC) utility library Copyright (C) Jim McDonough 2003 + Copyright (C) Andrew Bartlett 2004-2005 + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Luke Howard 2002-2003 + Copyright (C) Stefan Metzmacher 2004-2005 + Copyright (C) Guenther Deschner 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -22,27 +27,6 @@ #ifdef HAVE_KRB5 -static DATA_BLOB unwrap_pac(DATA_BLOB *auth_data) -{ - DATA_BLOB pac_contents; - ASN1_DATA data; - int data_type; - - asn1_load(&data, *auth_data); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_SEQUENCE(0)); - asn1_start_tag(&data, ASN1_CONTEXT(0)); - asn1_read_Integer(&data, &data_type); - asn1_end_tag(&data); - asn1_start_tag(&data, ASN1_CONTEXT(1)); - asn1_read_OctetString(&data, &pac_contents); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_end_tag(&data); - asn1_free(&data); - return pac_contents; -} - static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, prs_struct *ps, int depth) { @@ -75,6 +59,8 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, } + +#if 0 /* Unused (handled now in net_io_user_info3()) - Guenther */ static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, prs_struct *ps, int depth) { @@ -159,6 +145,7 @@ static BOOL pac_io_krb_sid_and_attr_array(const char *desc, return True; } +#endif static BOOL pac_io_group_membership(const char *desc, GROUP_MEMBERSHIP *membership, 
@@ -216,27 +203,34 @@ static BOOL pac_io_group_membership_array(const char *desc, } +#if 0 /* Unused, replaced using an expanded net_io_user_info3() now - Guenther */ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { - uint32 garbage; + uint32 garbage, i; + if (NULL == info) return False; prs_debug(ps, depth, desc, "pac_io_pac_logon_info"); depth++; - if (!prs_uint32("unknown", ps, depth, &garbage)) + if (!prs_align(ps)) return False; - if (!prs_uint32("unknown", ps, depth, &garbage)) + if (!prs_uint32("unknown", ps, depth, &garbage)) /* 00081001 */ + return False; + if (!prs_uint32("unknown", ps, depth, &garbage)) /* cccccccc */ return False; if (!prs_uint32("bufferlen", ps, depth, &garbage)) return False; - if (!prs_uint32("bufferlenhi", ps, depth, &garbage)) + if (!prs_uint32("bufferlenhi", ps, depth, &garbage)) /* 00000000 */ return False; + if (!prs_uint32("pointer", ps, depth, &garbage)) return False; + if (!prs_align(ps)) + return False; if (!smb_io_time("logon_time", &info->logon_time, ps, depth)) return False; if (!smb_io_time("logoff_time", &info->logoff_time, ps, depth)) @@ -270,7 +264,7 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, if (!prs_uint16("logon_count", ps, depth, &info->logon_count)) return False; - if (!prs_uint16("reserved12", ps, depth, &info->reserved12)) + if (!prs_uint16("bad_password_count", ps, depth, &info->bad_password_count)) return False; if (!prs_uint32("user_rid", ps, depth, &info->user_rid)) return False; 
@@ -287,13 +281,7 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, if (!prs_uint32("user_flags", ps, depth, &info->user_flags)) return False; - if (!prs_uint32("reserved13.0", ps, depth, &info->reserved13[0])) - return False; - if (!prs_uint32("reserved13.1", ps, depth, &info->reserved13[1])) - return False; - if (!prs_uint32("reserved13.2", ps, depth, &info->reserved13[2])) - return False; - if (!prs_uint32("reserved13.3", ps, depth, &info->reserved13[3])) + if (!prs_uint8s(False, "session_key", ps, depth, info->session_key, 16)) return False; if (!smb_io_unihdr("hdr_dom_controller", @@ -306,30 +294,17 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, if (!prs_uint32("ptr_dom_sid", ps, depth, &info->ptr_dom_sid)) return False; - if (!prs_uint32("reserved16.0", ps, depth, &info->reserved16[0])) - return False; - if (!prs_uint32("reserved16.1", ps, depth, &info->reserved16[1])) + if (!prs_uint8s(False, "lm_session_key", ps, depth, info->lm_session_key, 8)) return False; - /* might be acb_info */ - if (!prs_uint32("reserved17", ps, depth, &info->reserved17)) + if (!prs_uint32("acct_flags", ps, depth, &info->acct_flags)) return False; - - if (!prs_uint32("reserved18.0", ps, depth, &info->reserved18[0])) - return False; - if (!prs_uint32("reserved18.1", ps, depth, &info->reserved18[1])) - return False; - if (!prs_uint32("reserved18.2", ps, depth, &info->reserved18[2])) - return False; - if (!prs_uint32("reserved18.3", ps, depth, &info->reserved18[3])) - return False; - if (!prs_uint32("reserved18.4", ps, depth, &info->reserved18[4])) - return False; - if (!prs_uint32("reserved18.5", ps, depth, &info->reserved18[5])) - return False; - if (!prs_uint32("reserved18.6", ps, depth, &info->reserved18[6])) - return False; + for (i = 0; i < 7; i++) + { + if (!prs_uint32("unkown", ps, depth, &info->unknown[i])) /* unknown */ + return False; + } if (!prs_uint32("sid_count", ps, depth, &info->sid_count)) return False; 
@@ -395,44 +370,109 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, &info->res_group_dom_sid, ps, depth)) return False; - if (info->ptr_res_groups) + if (info->ptr_res_groups) { + + if (!(info->user_flgs & LOGON_RESOURCE_GROUPS)) { + DEBUG(0,("user_flgs attribute does not have LOGON_RESOURCE_GROUPS\n")); + /* return False; */ + } + if (!pac_io_group_membership_array("res group membership", &info->res_groups, info->res_group_count, ps, depth)) return False; + } + + return True; +} +#endif + +static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, + prs_struct *ps, int depth) +{ + uint32 garbage; + BOOL kerb_validation_info = True; + + if (NULL == info) + return False; + + prs_debug(ps, depth, desc, "pac_io_pac_logon_info"); + depth++; + + if (!prs_align(ps)) + return False; + if (!prs_uint32("unknown", ps, depth, &garbage)) /* 00081001 */ + return False; + if (!prs_uint32("unknown", ps, depth, &garbage)) /* cccccccc */ + return False; + if (!prs_uint32("bufferlen", ps, depth, &garbage)) + return False; + if (!prs_uint32("bufferlenhi", ps, depth, &garbage)) /* 00000000 */ + return False; + + if(!net_io_user_info3("", &info->info3, ps, depth, 3, kerb_validation_info)) + return False; + + if (info->info3.ptr_res_group_dom_sid) { + if (!smb_io_dom_sid2("res_group_dom_sid", + &info->res_group_dom_sid, ps, depth)) + return False; + } + + if (info->info3.ptr_res_groups) { + + if (!(info->info3.user_flgs & LOGON_RESOURCE_GROUPS)) { + DEBUG(0,("user_flgs attribute does not have LOGON_RESOURCE_GROUPS\n")); + /* return False; */ + } + + if (!pac_io_group_membership_array("res group membership", + &info->res_groups, + info->info3.res_group_count, + ps, depth)) + return False; + } return True; } + static BOOL pac_io_pac_signature_data(const char *desc, PAC_SIGNATURE_DATA *data, uint32 length, prs_struct *ps, int depth) { uint32 siglen = length - sizeof(uint32); - if (NULL == data) - return False; - prs_debug(ps, depth, desc, 
"pac_io_pac_signature_data"); depth++; + + if (data == NULL) + return False; + if (!prs_align(ps)) + return False; if (!prs_uint32("type", ps, depth, &data->type)) return False; - if (UNMARSHALLING(ps)) { - data->signature = PRS_ALLOC_MEM(ps, unsigned char, siglen); - if (!data->signature) { + + if (UNMARSHALLING(ps) && length) { + data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); + if (!data->signature.buffer) { DEBUG(3, ("No memory available\n")); return False; } } - if (!prs_uint8s(False, "signature", ps, depth, data->signature,siglen)) + + data->signature.buf_len = siglen; + + if (!prs_uint8s(False, "signature", ps, depth, data->signature.buffer, data->signature.buf_len)) return False; + return True; } -static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, +static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_BUFFER *hdr, prs_struct *ps, int depth) { if (NULL == hdr) @@ -445,8 +485,8 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, return False; if (hdr->offset != prs_offset(ps)) { - DEBUG(5, ("offset in header(x%x) and data(x%x) do not match\n", - hdr->offset, prs_offset(ps))); + DEBUG(5,("offset in header(x%x) and data(x%x) do not match, correcting\n", + hdr->offset, prs_offset(ps))); prs_set_offset(ps, hdr->offset); } @@ -518,10 +558,15 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_INFO_HDR *hdr, prs_set_offset(ps, prs_offset(ps) + hdr->size); } +#if 0 + /* obscure pad */ + if (!prs_uint32("pad", ps, depth, &hdr->pad)) + return False; +#endif return True; } -static BOOL pac_io_pac_info_hdr(const char *desc, PAC_INFO_HDR *hdr, +static BOOL pac_io_pac_info_hdr(const char *desc, PAC_BUFFER *hdr, prs_struct *ps, int depth) { if (NULL == hdr) 
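Review bot: In pac_io_pac_signature_data, `siglen` is still computed as `length - sizeof(uint32)` with no lower bound on `length`, and the new code stores it in `data->signature.buf_len` unconditionally. For a `length` of 1 to 3 the subtraction wraps to a value near 2^32 and that is what gets allocated; for 0 the new `&& length` test skips the allocation, but `prs_uint8s` is still called with the wrapped length and a buffer this function never set. `length` is presumably the buffer size taken from the PAC header, so it is unauthenticated here, and whether the later calls reject the wrapped value is not visible in this hunk. Declare `uint32 siglen = 0;`, add `if (length < sizeof(uint32)) return False;`, and only then assign `siglen = length - sizeof(uint32);`. The hunk at `@@ -463,6 +464,9 @@` further down this page later adds an equivalent guard.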
@@ -563,19 +608,19 @@ static BOOL pac_io_pac_data(const char *desc, PAC_DATA *data, return False; if (UNMARSHALLING(ps) && data->num_buffers > 0) { - if ((data->pac_info_hdr_ptr = PRS_ALLOC_MEM(ps, PAC_INFO_HDR, data->num_buffers)) == NULL) { + if ((data->pac_buffer = PRS_ALLOC_MEM(ps, PAC_BUFFER, data->num_buffers)) == NULL) { return False; } } for (i=0; inum_buffers; i++) { - if (!pac_io_pac_info_hdr(desc, &data->pac_info_hdr_ptr[i], ps, + if (!pac_io_pac_info_hdr(desc, &data->pac_buffer[i], ps, depth)) return False; } for (i=0; inum_buffers; i++) { - if (!pac_io_pac_info_hdr_ctr(desc, &data->pac_info_hdr_ptr[i], + if (!pac_io_pac_info_hdr_ctr(desc, &data->pac_buffer[i], ps, depth)) return False; } 
@@ -583,25 +628,300 @@ static BOOL pac_io_pac_data(const char *desc, PAC_DATA *data, return True; } -PAC_DATA *decode_pac_data(DATA_BLOB *auth_data, TALLOC_CTX *ctx) +static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx, + DATA_BLOB pac_data, + PAC_SIGNATURE_DATA *sig, + krb5_context context, + krb5_keyblock *keyblock) +{ + krb5_error_code ret; + krb5_checksum cksum; + krb5_keyusage usage = 0; + + smb_krb5_checksum_from_pac_sig(&cksum, sig); + +#ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */ + usage = KRB5_KU_OTHER_CKSUM; +#elif defined(HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM) /* MIT */ + usage = KRB5_KEYUSAGE_APP_DATA_CKSUM; +#else +#error UNKNOWN_KRB5_KEYUSAGE +#endif + + ret = smb_krb5_verify_checksum(context, + keyblock, + usage, + &cksum, + pac_data.data, + pac_data.length); + + if (ret) { + DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n", + error_message(ret), ret)); + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} + +static NTSTATUS parse_pac_data(TALLOC_CTX *mem_ctx, DATA_BLOB *pac_data_blob, PAC_DATA *pac_data) { - DATA_BLOB pac_data_blob = unwrap_pac(auth_data); prs_struct ps; - PAC_DATA *pac_data; + PAC_DATA *my_pac; - DEBUG(5,("dump_pac_data\n")); - prs_init(&ps, pac_data_blob.length, ctx, UNMARSHALL); - prs_copy_data_in(&ps, (char *)pac_data_blob.data, pac_data_blob.length); - prs_set_offset(&ps, 0); + if (!prs_init(&ps, pac_data_blob->length, mem_ctx, UNMARSHALL)) + return NT_STATUS_NO_MEMORY; - data_blob_free(&pac_data_blob); + if (!prs_copy_data_in(&ps, (char *)pac_data_blob->data, pac_data_blob->length)) + return NT_STATUS_INVALID_PARAMETER; + + prs_set_offset(&ps, 0); - pac_data = TALLOC_ZERO_P(ctx, PAC_DATA); - pac_io_pac_data("pac data", pac_data, &ps, 0); + my_pac = TALLOC_ZERO_P(mem_ctx, PAC_DATA); + if (!pac_io_pac_data("pac data", my_pac, &ps, 0)) + return NT_STATUS_INVALID_PARAMETER; prs_mem_free(&ps); - return pac_data; + *pac_data = *my_pac; + + return NT_STATUS_OK; +} + +/* just for debugging, will be removed 
later - Guenther */ +char *pac_group_attr_string(uint32 attr) +{ + fstring name = ""; + + if (!attr) + return NULL; + + if (attr & SE_GROUP_MANDATORY) fstrcat(name, "SE_GROUP_MANDATORY "); + if (attr & SE_GROUP_ENABLED_BY_DEFAULT) fstrcat(name, "SE_GROUP_ENABLED_BY_DEFAULT "); + if (attr & SE_GROUP_ENABLED) fstrcat(name, "SE_GROUP_ENABLED "); + if (attr & SE_GROUP_OWNER) fstrcat(name, "SE_GROUP_OWNER "); + if (attr & SE_GROUP_USE_FOR_DENY_ONLY) fstrcat(name, "SE_GROUP_USE_FOR_DENY_ONLY "); + if (attr & SE_GROUP_LOGON_ID) fstrcat(name, "SE_GROUP_LOGON_ID "); + if (attr & SE_GROUP_RESOURCE) fstrcat(name, "SE_GROUP_RESOURCE "); + + return SMB_STRDUP(name); +} + +/* just for debugging, will be removed later - Guenther */ +static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { + + DOM_SID dom_sid, res_group_dom_sid; + int i; + char *attr_string; + uint32 user_flgs = logon_info->info3.user_flgs; + + if (logon_info->info3.ptr_res_group_dom_sid) { + sid_copy(&res_group_dom_sid, &logon_info->res_group_dom_sid.sid); + } + sid_copy(&dom_sid, &logon_info->info3.dom_sid.sid); + + DEBUG(10,("The PAC:\n")); + + DEBUGADD(10,("\tUser Flags: 0x%x (%d)\n", user_flgs, user_flgs)); + if (user_flgs & LOGON_EXTRA_SIDS) + DEBUGADD(10,("\tUser Flags: LOGON_EXTRA_SIDS 0x%x (%d)\n", LOGON_EXTRA_SIDS, LOGON_EXTRA_SIDS)); + if (user_flgs & LOGON_RESOURCE_GROUPS) + DEBUGADD(10,("\tUser Flags: LOGON_RESOURCE_GROUPS 0x%x (%d)\n", LOGON_RESOURCE_GROUPS, LOGON_RESOURCE_GROUPS)); + DEBUGADD(10,("\tUser SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.user_rid)); + DEBUGADD(10,("\tGroup SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.group_rid)); + + DEBUGADD(10,("\tGroup Membership (Global and Universal Groups of own domain):\n")); + for (i = 0; i < logon_info->info3.num_groups; i++) { + attr_string = pac_group_attr_string(logon_info->info3.gids[i].attr); + DEBUGADD(10,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", + i, sid_string_static(&dom_sid), + 
logon_info->info3.gids[i].g_rid, + logon_info->info3.gids[i].attr, + attr_string)); + SAFE_FREE(attr_string); + } + + DEBUGADD(10,("\tGroup Membership (Domain Local Groups and Groups from Trusted Domains):\n")); + for (i = 0; i < logon_info->info3.num_other_sids; i++) { + attr_string = pac_group_attr_string(logon_info->info3.other_sids_attrib[i]); + DEBUGADD(10,("\t\t%d: sid: %s\n\t\t attr: 0x%x == %s\n", + i, sid_string_static(&logon_info->info3.other_sids[i].sid), + logon_info->info3.other_sids_attrib[i], + attr_string)); + SAFE_FREE(attr_string); + } + + DEBUGADD(10,("\tGroup Membership (Ressource Groups (SID History ?)):\n")); + for (i = 0; i < logon_info->info3.res_group_count; i++) { + attr_string = pac_group_attr_string(logon_info->res_groups.group_membership[i].attrs); + DEBUGADD(10,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", + i, sid_string_static(&res_group_dom_sid), + logon_info->res_groups.group_membership[i].rid, + logon_info->res_groups.group_membership[i].attrs, + attr_string)); + SAFE_FREE(attr_string); + } +} + +NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, + DATA_BLOB *pac_data_blob, + krb5_context context, + krb5_keyblock *service_keyblock, + krb5_const_principal client_principal, + time_t tgs_authtime, + PAC_DATA **pac_data) + +{ + DATA_BLOB modified_pac_blob; + PAC_DATA *my_pac; + NTSTATUS nt_status; + krb5_error_code ret; + PAC_SIGNATURE_DATA *srv_sig = NULL; + PAC_SIGNATURE_DATA *kdc_sig = NULL; + PAC_LOGON_NAME *logon_name = NULL; + PAC_LOGON_INFO *logon_info = NULL; + krb5_principal client_principal_pac; + NTTIME tgs_authtime_nttime; + int i, srv_sig_pos = 0, kdc_sig_pos = 0; + fstring username; + + *pac_data = NULL; + + my_pac = talloc(mem_ctx, PAC_DATA); + if (!my_pac) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = parse_pac_data(mem_ctx, pac_data_blob, my_pac); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("decode_pac_data: failed to parse PAC\n")); + return nt_status; + } + + modified_pac_blob = data_blob_talloc(mem_ctx, 
pac_data_blob->data, pac_data_blob->length); + + if (my_pac->num_buffers < 4) { + nt_status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + /* store signatures */ + for (i=0; i < my_pac->num_buffers; i++) { + + switch (my_pac->pac_buffer[i].type) { + + case PAC_TYPE_SERVER_CHECKSUM: + if (!my_pac->pac_buffer[i].ctr->pac.srv_cksum) { + break; + } + + srv_sig = my_pac->pac_buffer[i].ctr->pac.srv_cksum; + + /* get position of signature buffer */ + srv_sig_pos = my_pac->pac_buffer[i].offset; + srv_sig_pos += sizeof(uint32); + + break; + + case PAC_TYPE_PRIVSVR_CHECKSUM: + if (!my_pac->pac_buffer[i].ctr->pac.privsrv_cksum) { + break; + } + + kdc_sig = my_pac->pac_buffer[i].ctr->pac.privsrv_cksum; + + /* get position of signature buffer */ + kdc_sig_pos = my_pac->pac_buffer[i].offset; + kdc_sig_pos += sizeof(uint32); + + break; + + case PAC_TYPE_LOGON_NAME: + if (!my_pac->pac_buffer[i].ctr->pac.logon_name) { + break; + } + + logon_name = my_pac->pac_buffer[i].ctr->pac.logon_name; + break; + + case PAC_TYPE_LOGON_INFO: + if (!my_pac->pac_buffer[i].ctr->pac.logon_info) { + break; + } + + logon_info = my_pac->pac_buffer[i].ctr->pac.logon_info; + break; + } + + } + + if (!srv_sig || !kdc_sig || !logon_name || !logon_info) { + nt_status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + /* zero PAC_SIGNATURE_DATA signature buffer */ + memset(&modified_pac_blob.data[srv_sig_pos], '\0', srv_sig->signature.buf_len); + memset(&modified_pac_blob.data[kdc_sig_pos], '\0', kdc_sig->signature.buf_len); + + /* check server signature */ + nt_status = check_pac_checksum(mem_ctx, modified_pac_blob, srv_sig, context, service_keyblock); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("decode_pac_data: failed to verify PAC server signature\n")); + goto out; + } + + /* Convert to NT time, so as not to loose accuracy in comparison */ + unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime); + + if (!nt_time_equals(&tgs_authtime_nttime, &logon_name->logon_time)) { + + DEBUG(2,("decode_pac_data: 
Logon time mismatch between ticket and PAC!\n")); + DEBUGADD(2, ("decode_pac_data: PAC: %s\n", + http_timestring(nt_time_to_unix(&logon_name->logon_time)))); + DEBUGADD(2, ("decode_pac_data: Ticket: %s\n", + http_timestring(nt_time_to_unix(&tgs_authtime_nttime)))); + + nt_status = NT_STATUS_ACCESS_DENIED; + goto out; + } + + if (!logon_name->len) { + DEBUG(2,("decode_pac_data: No Logon Name available\n")); + nt_status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE); + + ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac); + if (ret) { + DEBUG(2,("decode_pac_data: Could not parse name from incoming PAC: [%s]: %s\n", + username, error_message(ret))); + nt_status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + if (!smb_krb5_principal_compare_any_realm(context, client_principal, client_principal_pac)) { + DEBUG(2,("decode_pac_data: Name in PAC [%s] does not match principal name in ticket\n", + username)); + nt_status = NT_STATUS_ACCESS_DENIED; + goto out; + } + + DEBUG(10,("Successfully validated Kerberos PAC\n")); + + dump_pac_logon_info(logon_info); + + *pac_data = my_pac; + + nt_status = NT_STATUS_OK; + +out: + if (client_principal_pac) { + krb5_free_principal(context, client_principal_pac); + } + + return nt_status; } #endif -- cgit From aa0dff680d2ea351a0a21cb86a51cd99887237c4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 1 Oct 2005 09:43:53 +0000 Subject: r10671: Attempt to fix the build on machines without kerberos headers. Volker (This used to be commit cb816e65a95802d5172c410d1acda2da070b871d) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 2e7866c055..d28376c775 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
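Review bot: decode_pac_data zeroes both signature fields with `memset(&modified_pac_blob.data[srv_sig_pos], ...)` before any checksum is verified, but it checks neither the result of `data_blob_talloc()` nor that `srv_sig_pos + srv_sig->signature.buf_len` (and the `kdc_sig` equivalent) stays within `modified_pac_blob.length`. Both positions come from `pac_buffer[i].offset` in the still-unauthenticated PAC and are held in an `int`; the parser may already constrain them, but nothing in this function relies on or documents that. A bounds check ahead of the two memset calls stops a malformed PAC from causing an out-of-range write. Separately, parse_pac_data returns on its error paths without calling `prs_mem_free(&ps)` and does not check the result of `TALLOC_ZERO_P`.

```c
	modified_pac_blob = data_blob_talloc(mem_ctx, pac_data_blob->data, pac_data_blob->length);
	if (modified_pac_blob.data == NULL) {
		nt_status = NT_STATUS_NO_MEMORY;
		goto out;
	}

	/* … unchanged: num_buffers check, buffer lookup loop, NULL checks on the four buffers … */

	/* both signature ranges must lie inside the copy before they are zeroed */
	if (srv_sig_pos < 0 || kdc_sig_pos < 0 ||
	    (size_t)srv_sig_pos > modified_pac_blob.length ||
	    srv_sig->signature.buf_len > modified_pac_blob.length - (size_t)srv_sig_pos ||
	    (size_t)kdc_sig_pos > modified_pac_blob.length ||
	    kdc_sig->signature.buf_len > modified_pac_blob.length - (size_t)kdc_sig_pos) {
		nt_status = NT_STATUS_INVALID_PARAMETER;
		goto out;
	}

	/* zero PAC_SIGNATURE_DATA signature buffer */
```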
@@ -763,7 +763,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { } } -NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, + NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, DATA_BLOB *pac_data_blob, krb5_context context, krb5_keyblock *service_keyblock, -- cgit From ebf8a843754ba02f57b38ae01bf143a242132572 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 4 Oct 2005 11:21:57 +0000 Subject: r10710: Fix uninitialized variable. (Thanks to Chengjie Liu ) Guenther (This used to be commit 241466ee650d1db1b89a4b5b640f27f6b83644c6) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index d28376c775..9fd30e9dfb 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -780,7 +780,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { PAC_SIGNATURE_DATA *kdc_sig = NULL; PAC_LOGON_NAME *logon_name = NULL; PAC_LOGON_INFO *logon_info = NULL; - krb5_principal client_principal_pac; + krb5_principal client_principal_pac = NULL; NTTIME tgs_authtime_nttime; int i, srv_sig_pos = 0, kdc_sig_pos = 0; fstring username; -- cgit From ad93243f2399c2f349434dbbb33ed3766a817a8d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 19 Oct 2005 14:34:17 +0000 Subject: r11183: add small helper function to return a PAC_LOGON_INFO. Guenther (This used to be commit a8d5d6b845efb62e73e281549528376f3ee74211) --- source3/libads/authdata.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 9fd30e9dfb..55e736ce6a 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -924,4 +924,20 @@ out: return nt_status; } + PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data) +{ + PAC_LOGON_INFO *logon_info = NULL; + int i; + + for (i=0; i < pac_data->num_buffers; i++) { + + if (pac_data->pac_buffer[i].type != PAC_TYPE_LOGON_INFO) + continue; + + logon_info = pac_data->pac_buffer[i].ctr->pac.logon_info; + break; + } + return logon_info; +} + #endif -- cgit From 4ea92f30985466489a3b3faf5a1c90667175aad6 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 20 Feb 2006 23:22:56 +0000 Subject: r13581: Correctly parse a non-null terminated, little-endian UCS2 string in the PAC_LOGON_NAME structure. This was broken on big-endian machines (Solaris SPARC and ppc). Fixes Bug #3330. Jerry, this should be in 3.0.21c. Guenther (This used to be commit 9732490811f8f02ee547ddc6e2694e1122a3a518) --- source3/libads/authdata.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 55e736ce6a..bb4236c4fc 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -42,16 +42,7 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, if (!prs_uint16("len", ps, depth, &logon_name->len)) return False; - if (UNMARSHALLING(ps) && logon_name->len) { - logon_name->username = PRS_ALLOC_MEM(ps, uint16, logon_name->len); - if (!logon_name->username) { - DEBUG(3, ("No memory available\n")); - return False; - } - } - - if (!prs_uint16s(True, "name", ps, depth, logon_name->username, - (logon_name->len / sizeof(uint16)))) + if (!prs_string_len("name", ps, depth, logon_name->username, logon_name->len)) return False; return True; 
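Review bot: get_logon_info_from_pac dereferences `pac_data` and each `pac_buffer[i].ctr` without a NULL check, although decode_pac_data on this page sets `*pac_data = NULL` on entry and leaves it that way on every failure path. A caller that passes that result straight through would crash here. Adding `if (!pac_data || !pac_data->pac_buffer) return NULL;` at the top, and `|| !pac_data->pac_buffer[i].ctr` to the skip condition, makes the helper safe to call unconditionally. A short comment should also say that the returned pointer is taken from inside `pac_data`, so it presumably shares that object's lifetime.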
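Review bot: The destination buffer is no longer allocated: this hunk deletes the `PRS_ALLOC_MEM` for `logon_name->username` but still passes that pointer to `prs_string_len` together with `logon_name->len`, a 16-bit length just read from the PAC. Unless the field's declaration changed elsewhere in the commit (not visible here), unmarshalling now writes a wire-controlled number of bytes through a pointer that was never allocated or sized for them. Keep the allocation, sized from the length, e.g. `logon_name->username = PRS_ALLOC_MEM(ps, uint8, logon_name->len);` under `if (UNMARSHALLING(ps) && logon_name->len)`, and read the name as raw bytes so no byte-swapping occurs. pac_io_logon_name begins before this hunk.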
@@ -891,7 +882,8 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { nt_status = NT_STATUS_INVALID_PARAMETER; goto out; } - rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE); + + rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0); ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac); if (ret) { -- cgit From 115996503ced64c478ed1cc857bd5a1528644b46 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 21 Feb 2006 03:08:42 +0000 Subject: r13585: Sorry Gunther, had to revert this. It's got a buffer overrun. Spoke to Jerry about the correct fix. Will add this after. Jeremy. (This used to be commit 33e13aabd3825c59d15dc897536e2ccf8c8f6d5e) --- source3/libads/authdata.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index bb4236c4fc..55e736ce6a 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -42,7 +42,16 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, if (!prs_uint16("len", ps, depth, &logon_name->len)) return False; - if (!prs_string_len("name", ps, depth, logon_name->username, logon_name->len)) + if (UNMARSHALLING(ps) && logon_name->len) { + logon_name->username = PRS_ALLOC_MEM(ps, uint16, logon_name->len); + if (!logon_name->username) { + DEBUG(3, ("No memory available\n")); + return False; + } + } + + if (!prs_uint16s(True, "name", ps, depth, logon_name->username, + (logon_name->len / sizeof(uint16)))) return False; return True; 
@@ -882,8 +891,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { nt_status = NT_STATUS_INVALID_PARAMETER; goto out; } - - rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0); + rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE); ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac); if (ret) { -- cgit From a57f37420b2b41b1905e2eefa385036b9ddb5bcf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 21 Feb 2006 03:29:02 +0000 Subject: r13588: Second attempt to fix Bug #3330 - treat the string as a uint8 array and copy as such. Gunther please check (sorry I reverted your earlier fix). Jeremy. (This used to be commit 7a17b39c80703909f102487690d2117d874b0e15) --- source3/libads/authdata.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 55e736ce6a..c3c160dafb 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -42,24 +42,24 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, if (!prs_uint16("len", ps, depth, &logon_name->len)) return False; + /* The following string is always in little endian 16 bit values, + copy as 8 bits to avoid endian reversal on big-endian machines. + len is the length in bytes. */ + if (UNMARSHALLING(ps) && logon_name->len) { - logon_name->username = PRS_ALLOC_MEM(ps, uint16, logon_name->len); + logon_name->username = PRS_ALLOC_MEM(ps, uint8, logon_name->len); if (!logon_name->username) { DEBUG(3, ("No memory available\n")); return False; } } - if (!prs_uint16s(True, "name", ps, depth, logon_name->username, - (logon_name->len / sizeof(uint16)))) + if (!prs_uint8s(True, "name", ps, depth, logon_name->username, logon_name->len)) return False; return True; - } - - #if 0 /* Unused (handled now in net_io_user_info3()) - Guenther */ static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, prs_struct *ps, int depth) @@ -891,7 +891,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { nt_status = NT_STATUS_INVALID_PARAMETER; goto out; } - rpcstr_pull(username, logon_name->username, sizeof(username), -1, STR_TERMINATE); + rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0); ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac); if (ret) { -- cgit From 995205fc60f87e1a02aa1c6f309db55ae18e908a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 6 Sep 2006 18:32:20 +0000 Subject: r18188: merge 3.0-libndr branch (This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675) --- source3/libads/authdata.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index c3c160dafb..71294941a6 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -878,9 +878,9 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { DEBUG(2,("decode_pac_data: Logon time mismatch between ticket and PAC!\n")); DEBUGADD(2, ("decode_pac_data: PAC: %s\n", - http_timestring(nt_time_to_unix(&logon_name->logon_time)))); + http_timestring(nt_time_to_unix(logon_name->logon_time)))); DEBUGADD(2, ("decode_pac_data: Ticket: %s\n", - http_timestring(nt_time_to_unix(&tgs_authtime_nttime)))); + http_timestring(nt_time_to_unix(tgs_authtime_nttime)))); nt_status = NT_STATUS_ACCESS_DENIED; goto out; -- cgit From 71ee55f98d87ff70e5feb0d2b280e9c71f7b9b6a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 22 May 2007 20:20:01 +0000 Subject: r23080: Fix bug #4637 - we hads missed some cases where we were calling PRS_ALLOC_MEM with zero count. Jeremy. (This used to be commit 9a10736e6fa276ca4b0726fbb7baf0daafbdc46d) --- source3/libads/authdata.c | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 71294941a6..8e951dde80 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -120,10 +120,14 @@ static BOOL pac_io_krb_sid_and_attr_array(const char *desc, return False; if (UNMARSHALLING(ps)) { - array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num); - if (!array->krb_sid_and_attrs) { - DEBUG(3, ("No memory available\n")); - return False; + if (num) { + array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num); + if (!array->krb_sid_and_attrs) { + DEBUG(3, ("No memory available\n")); + return False; + } + } else { + array->krb_sid_and_attrs = NULL; } } 
@@ -184,10 +188,14 @@ static BOOL pac_io_group_membership_array(const char *desc, return False; if (UNMARSHALLING(ps)) { - array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num); - if (!array->group_membership) { - DEBUG(3, ("No memory available\n")); - return False; + if (num) { + array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num); + if (!array->group_membership) { + DEBUG(3, ("No memory available\n")); + return False; + } + } else { + array->group_membership = NULL; } } @@ -456,10 +464,14 @@ static BOOL pac_io_pac_signature_data(const char *desc, return False; if (UNMARSHALLING(ps) && length) { - data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); - if (!data->signature.buffer) { - DEBUG(3, ("No memory available\n")); - return False; + if (siglen) { + data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); + if (!data->signature.buffer) { + DEBUG(3, ("No memory available\n")); + return False; + } + } else { + data->signature.buffer = NULL; } } -- cgit From 3272b1dd602196b2105afda1f9979a8f9596d71e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 30 May 2007 21:55:49 +0000 Subject: r23251: whoops! Fix compile error (This used to be commit 22a3ea40ac69fa3722abf28db845ab284a65ad97) --- source3/libads/authdata.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 8e951dde80..9dfb9cba09 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -451,10 +451,11 @@ static BOOL pac_io_pac_signature_data(const char *desc, PAC_SIGNATURE_DATA *data, uint32 length, prs_struct *ps, int depth) { - uint32 siglen = length - sizeof(uint32); + uint32 siglen = 0; + prs_debug(ps, depth, desc, "pac_io_pac_signature_data"); depth++; - + if (data == NULL) return False; 
@@ -463,6 +464,9 @@ static BOOL pac_io_pac_signature_data(const char *desc, if (!prs_uint32("type", ps, depth, &data->type)) return False; + if ( length > sizeof(uint32) ) + siglen = length - sizeof(uint32); + if (UNMARSHALLING(ps) && length) { if (siglen) { data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 9dfb9cba09..86e3e9edcf 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -10,7 +10,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/libads/authdata.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 86e3e9edcf..d61ffc2397 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -19,8 +19,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From fce64f683346192c86341b9dd0a0a8e0f83157dc Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 19 Jul 2007 13:34:45 +0000 Subject: r23969: Some helper routines to retrieve a PAC and PAC elements. Guenther (This used to be commit d4c87c792a955be7d5ef59fc683fc48e3d8afe16) --- source3/libads/authdata.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index d61ffc2397..4610bcb59d 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -955,4 +955,164 @@ out: return logon_info; } +/**************************************************************** +****************************************************************/ + + NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + const char *name, + const char *pass, + time_t time_offset, + PAC_DATA **pac_ret) +{ + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; + DATA_BLOB tkt, ap_rep, sesskey1, sesskey2; + PAC_DATA *pac_data = NULL; + char *client_princ_out = NULL; + const char *auth_princ = NULL; + const char *local_service = NULL; + const char *cc = "MEMORY:kerberos_return_pac"; + + ZERO_STRUCT(tkt); + ZERO_STRUCT(ap_rep); + ZERO_STRUCT(sesskey1); + ZERO_STRUCT(sesskey2); + + if (!name || !pass) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!strchr_m(name, '@')) { + auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name, + lp_realm()); + } else { + auth_princ = name; + } + NT_STATUS_HAVE_NO_MEMORY(auth_princ); + + local_service = talloc_asprintf(mem_ctx, "%s$@%s", + global_myname(), lp_realm()); + NT_STATUS_HAVE_NO_MEMORY(local_service); + + ret = kerberos_kinit_password_ext(auth_princ, + pass, + time_offset, + NULL, + NULL, + cc, + True, + True, + 0, + &status); + if (ret) { + /* status already set */ + goto out; + } + + ret = cli_krb5_get_ticket(local_service, + time_offset, + &tkt, + &sesskey1, + 0, + cc, + NULL); + if (ret) { + status = krb5_to_nt_status(ret); + goto out; + } + + status = ads_verify_ticket(mem_ctx, + lp_realm(), + time_offset, + &tkt, + &client_princ_out, + &pac_data, + &ap_rep, + &sesskey2, + False); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + if (!pac_data) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + + *pac_ret = pac_data; + +out: + ads_kdestroy(cc); + + data_blob_free(&tkt); + data_blob_free(&ap_rep); + data_blob_free(&sesskey1); + data_blob_free(&sesskey2); + + SAFE_FREE(client_princ_out); + + return status; +} + +/**************************************************************** 
+****************************************************************/ + +static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx, + const char *name, + const char *pass, + time_t time_offset, + PAC_LOGON_INFO **logon_info) +{ + NTSTATUS status; + PAC_DATA *pac_data = NULL; + PAC_LOGON_INFO *info = NULL; + + status = kerberos_return_pac(mem_ctx, + name, + pass, + time_offset, + &pac_data); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (!pac_data) { + return NT_STATUS_INVALID_USER_BUFFER; + } + + info = get_logon_info_from_pac(pac_data); + if (!info) { + return NT_STATUS_INVALID_USER_BUFFER; + } + + *logon_info = info; + + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, + const char *name, + const char *pass, + time_t time_offset, + NET_USER_INFO_3 **info3) +{ + NTSTATUS status; + PAC_LOGON_INFO *logon_info = NULL; + + status = kerberos_return_pac_logon_info(mem_ctx, + name, + pass, + time_offset, + &logon_info); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + *info3 = &logon_info->info3; + + return NT_STATUS_OK; +} #endif -- cgit From f659ffc0ee6acfb79edb00f4c985e940f8c5ddaa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 19 Jul 2007 13:36:41 +0000 Subject: r23970: Allow to set the debuglevel at which to dump the PAC logon info. Guenther (This used to be commit 7d321aad83cb7b9cc766bc89a886676337a2bad8) --- source3/libads/authdata.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 4610bcb59d..5616ccd5a5 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
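Review bot: In kerberos_return_pac the cleanup under `out:` releases `sesskey1` and `sesskey2` with `data_blob_free()`, which as far as I know frees the buffer without overwriting it; `data_blob_clear_free(&sesskey1);` and `data_blob_clear_free(&sesskey2);` would wipe the session keys before the memory is returned. `pac_ret` is written through without a NULL check although `name` and `pass` are checked at the top. The three new functions sit under empty banner comments. Each needs a short header saying that the PAC is only returned after ads_verify_ticket succeeded, and that kerberos_return_info3_from_pac hands back `&logon_info->info3`, a pointer into the PAC data rather than a copy.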
@@ -6,7 +6,7 @@ Copyright (C) Andrew Tridgell 2001 Copyright (C) Luke Howard 2002-2003 Copyright (C) Stefan Metzmacher 2004-2005 - Copyright (C) Guenther Deschner 2005 + Copyright (C) Guenther Deschner 2005,2007 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -723,8 +723,8 @@ char *pac_group_attr_string(uint32 attr) } /* just for debugging, will be removed later - Guenther */ -static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { - +static void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) +{ DOM_SID dom_sid, res_group_dom_sid; int i; char *attr_string; 
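Review bot: The new `lvl` parameter of dump_pac_logon_info is undocumented, and the existing comment still only says the function is for debugging and will be removed. The later hunks of this commit show it printing the user SID, the group SID and every group membership from the PAC, so the level a caller passes decides whether that data reaches ordinary logs. I would replace the comment with `/* Dump the decoded PAC logon info at debug level lvl. The output lists user and group SIDs, so pass a high level (10) unless the caller is an explicit diagnostic command. */`. The function body continues outside this hunk.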
@@ -734,21 +734,21 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { sid_copy(&res_group_dom_sid, &logon_info->res_group_dom_sid.sid); } sid_copy(&dom_sid, &logon_info->info3.dom_sid.sid); - - DEBUG(10,("The PAC:\n")); - - DEBUGADD(10,("\tUser Flags: 0x%x (%d)\n", user_flgs, user_flgs)); + + DEBUG(lvl,("The PAC:\n")); + + DEBUGADD(lvl,("\tUser Flags: 0x%x (%d)\n", user_flgs, user_flgs)); if (user_flgs & LOGON_EXTRA_SIDS) - DEBUGADD(10,("\tUser Flags: LOGON_EXTRA_SIDS 0x%x (%d)\n", LOGON_EXTRA_SIDS, LOGON_EXTRA_SIDS)); + DEBUGADD(lvl,("\tUser Flags: LOGON_EXTRA_SIDS 0x%x (%d)\n", LOGON_EXTRA_SIDS, LOGON_EXTRA_SIDS)); if (user_flgs & LOGON_RESOURCE_GROUPS) - DEBUGADD(10,("\tUser Flags: LOGON_RESOURCE_GROUPS 0x%x (%d)\n", LOGON_RESOURCE_GROUPS, LOGON_RESOURCE_GROUPS)); - DEBUGADD(10,("\tUser SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.user_rid)); - DEBUGADD(10,("\tGroup SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.group_rid)); + DEBUGADD(lvl,("\tUser Flags: LOGON_RESOURCE_GROUPS 0x%x (%d)\n", LOGON_RESOURCE_GROUPS, LOGON_RESOURCE_GROUPS)); + DEBUGADD(lvl,("\tUser SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.user_rid)); + DEBUGADD(lvl,("\tGroup SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.group_rid)); - DEBUGADD(10,("\tGroup Membership (Global and Universal Groups of own domain):\n")); + DEBUGADD(lvl,("\tGroup Membership (Global and Universal Groups of own domain):\n")); for (i = 0; i < logon_info->info3.num_groups; i++) { attr_string = pac_group_attr_string(logon_info->info3.gids[i].attr); - DEBUGADD(10,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", + DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", i, sid_string_static(&dom_sid), logon_info->info3.gids[i].g_rid, logon_info->info3.gids[i].attr, 
@@ -756,20 +756,20 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { SAFE_FREE(attr_string); } - DEBUGADD(10,("\tGroup Membership (Domain Local Groups and Groups from Trusted Domains):\n")); + DEBUGADD(lvl,("\tGroup Membership (Domain Local Groups and Groups from Trusted Domains):\n")); for (i = 0; i < logon_info->info3.num_other_sids; i++) { attr_string = pac_group_attr_string(logon_info->info3.other_sids_attrib[i]); - DEBUGADD(10,("\t\t%d: sid: %s\n\t\t attr: 0x%x == %s\n", + DEBUGADD(lvl,("\t\t%d: sid: %s\n\t\t attr: 0x%x == %s\n", i, sid_string_static(&logon_info->info3.other_sids[i].sid), logon_info->info3.other_sids_attrib[i], attr_string)); SAFE_FREE(attr_string); } - DEBUGADD(10,("\tGroup Membership (Ressource Groups (SID History ?)):\n")); + DEBUGADD(lvl,("\tGroup Membership (Ressource Groups (SID History ?)):\n")); for (i = 0; i < logon_info->info3.res_group_count; i++) { attr_string = pac_group_attr_string(logon_info->res_groups.group_membership[i].attrs); - DEBUGADD(10,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", + DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", i, sid_string_static(&res_group_dom_sid), logon_info->res_groups.group_membership[i].rid, logon_info->res_groups.group_membership[i].attrs, @@ -925,7 +925,7 @@ static void dump_pac_logon_info(PAC_LOGON_INFO *logon_info) { DEBUG(10,("Successfully validated Kerberos PAC\n")); - dump_pac_logon_info(logon_info); + dump_pac_logon_info(10, logon_info); *pac_data = my_pac; -- cgit From 2349acdd4366f665b9091d879682bc578b03c42d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 19 Jul 2007 13:47:53 +0000 Subject: r23973: For debugging, add (undocumented) net ads kerberos commands (kinit, renew, pac). Guenther (This used to be commit 4cada7c1485c9957e553d6e75cb6f30f4338489f) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') 
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 5616ccd5a5..b19bec43c5 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -723,7 +723,7 @@ char *pac_group_attr_string(uint32 attr) } /* just for debugging, will be removed later - Guenther */ -static void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) +void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) { DOM_SID dom_sid, res_group_dom_sid; int i; -- cgit From cdd140fe2774c1e65cdf43091a746ad2ef0fd3e7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Aug 2007 13:53:25 +0000 Subject: r24158: SE_GROUP_RESOURCE in the other_sids list apparently means a domain local group. Fix a typo in the PAC debugging routine (This used to be commit b0b66b2e7af133b199868b946fad70016e1cefbd) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index b19bec43c5..a76a7ca485 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -766,7 +766,7 @@ void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) SAFE_FREE(attr_string); } - DEBUGADD(lvl,("\tGroup Membership (Ressource Groups (SID History ?)):\n")); + DEBUGADD(lvl,("\tGroup Membership (Resource Groups (SID History ?)):\n")); for (i = 0; i < logon_info->info3.res_group_count; i++) { attr_string = pac_group_attr_string(logon_info->res_groups.group_membership[i].attrs); DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", -- cgit From 3e00e2e9cecb829edf0a1d780abe78346d13ed2f Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 14 Aug 2007 16:04:37 +0000 Subject: r24424: Fix the build. Guenther (This used to be commit 029bf26f8a571ae060f7be60fd3e8c61d86004f7) --- source3/libads/authdata.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/libads/authdata.c') 
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index a76a7ca485..793b9adb06 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -958,11 +958,11 @@ out: /**************************************************************** ****************************************************************/ - NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - const char *name, - const char *pass, - time_t time_offset, - PAC_DATA **pac_ret) +NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + const char *name, + const char *pass, + time_t time_offset, + PAC_DATA **pac_ret) { krb5_error_code ret; NTSTATUS status = NT_STATUS_INVALID_PARAMETER; -- cgit From 201f0e1ce405273ffc19d280f91d8eee17bdaaec Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 14 Aug 2007 19:47:57 +0000 Subject: r24432: Expand kerberos_return_pac() so that it can be used in winbindd. Guenther (This used to be commit e70bf0ecc3ec6d3ba8ba384024bbdf9a783072ea) --- source3/libads/authdata.c | 78 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 72 insertions(+), 6 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 793b9adb06..bbcd2db56a 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -962,6 +962,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, const char *name, const char *pass, time_t time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + BOOL request_pac, + BOOL add_netbios_addr, + time_t renewable_time, PAC_DATA **pac_ret) { krb5_error_code ret; @@ -982,6 +988,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + if (cache_name) { + cc = cache_name; + } + if (!strchr_m(name, '@')) { auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name, lp_realm()); 
@@ -997,18 +1007,41 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, ret = kerberos_kinit_password_ext(auth_princ, pass, time_offset, - NULL, - NULL, + expire_time, + renew_till_time, cc, - True, - True, - 0, + request_pac, + add_netbios_addr, + renewable_time, &status); if (ret) { + DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", + auth_princ, error_message(ret), ret)); /* status already set */ goto out; } + DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc)); + if (expire_time) { + DEBUGADD(10,("\tvalid until: %s (%d)\n", + http_timestring(*expire_time), + (int)*expire_time)); + } + if (renew_till_time) { + DEBUGADD(10,("\trenewable till: %s (%d)\n", + http_timestring(*renew_till_time), + (int)*renew_till_time)); + } + + /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set, + * in that case fallback to NTLM - gd */ + + if (expire_time && renew_till_time && + (*expire_time == 0) && (*renew_till_time == 0)) { + return NT_STATUS_INVALID_LOGON_TYPE; + } + + ret = cli_krb5_get_ticket(local_service, time_offset, &tkt, @@ -1017,6 +1050,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, cc, NULL); if (ret) { + DEBUG(1,("failed to get ticket for %s: %s\n", + local_service, error_message(ret))); status = krb5_to_nt_status(ret); goto out; } @@ -1031,10 +1066,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, &sesskey2, False); if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("ads_verify_ticket failed: %s\n", + nt_errstr(status))); goto out; } if (!pac_data) { + DEBUG(1,("no PAC\n")); status = NT_STATUS_INVALID_PARAMETER; goto out; } @@ -1042,7 +1080,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, *pac_ret = pac_data; out: - ads_kdestroy(cc); + if (cc != cache_name) { + ads_kdestroy(cc); + } data_blob_free(&tkt); data_blob_free(&ap_rep); 
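Review bot: The new fallback `return NT_STATUS_INVALID_LOGON_TYPE;` leaves kerberos_return_pac without passing through `out:`, so the credential cache that kinit just filled is not destroyed when `cc` is the function's own MEMORY cache. Every other failure path in the function sets `status` and uses `goto out`. I would write `status = NT_STATUS_INVALID_LOGON_TYPE;` followed by `goto out;` so the cleanup stays in one place.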
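Review bot: The `if (cc != cache_name)` guard at `out:` means a caller-supplied cache keeps the TGT and the service ticket after the function returns, on the failure paths as well as on success, and nothing in the hunk says so. A comment at the guard would make the ownership explicit, e.g. `/* a caller-supplied cache is left intact; the caller is responsible for destroying it */`. Whether callers want the credentials kept after a failed ticket or PAC verification is not visible here and is worth confirming.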
@@ -1061,6 +1101,12 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx, const char *name, const char *pass, time_t time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + BOOL request_pac, + BOOL add_netbios_addr, + time_t renewable_time, PAC_LOGON_INFO **logon_info) { NTSTATUS status; @@ -1071,17 +1117,25 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx, name, pass, time_offset, + expire_time, + renew_till_time, + cache_name, + request_pac, + add_netbios_addr, + renewable_time, &pac_data); if (!NT_STATUS_IS_OK(status)) { return status; } if (!pac_data) { + DEBUG(3,("no pac\n")); return NT_STATUS_INVALID_USER_BUFFER; } info = get_logon_info_from_pac(pac_data); if (!info) { + DEBUG(1,("no logon_info\n")); return NT_STATUS_INVALID_USER_BUFFER; } @@ -1097,6 +1151,12 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, const char *name, const char *pass, time_t time_offset, + time_t *expire_time, + time_t *renew_till_time, + const char *cache_name, + BOOL request_pac, + BOOL add_netbios_addr, + time_t renewable_time, NET_USER_INFO_3 **info3) { NTSTATUS status; @@ -1106,6 +1166,12 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, name, pass, time_offset, + expire_time, + renew_till_time, + cache_name, + request_pac, + add_netbios_addr, + renewable_time, &logon_info); if (!NT_STATUS_IS_OK(status)) { return status; -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/libads/authdata.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index bbcd2db56a..db58cf0400 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -26,7 +26,7 @@ #ifdef HAVE_KRB5 -static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, +static bool pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, prs_struct *ps, int depth) { if (NULL == logon_name) @@ -60,7 +60,7 @@ static BOOL pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, } #if 0 /* Unused (handled now in net_io_user_info3()) - Guenther */ -static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, +static bool pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, prs_struct *ps, int depth) { if (NULL == sid_and_attr) @@ -84,7 +84,7 @@ static BOOL pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, } -static BOOL pac_io_krb_attrs(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, +static bool pac_io_krb_attrs(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, prs_struct *ps, int depth) { if (NULL == sid_and_attr) @@ -101,7 +101,7 @@ static BOOL pac_io_krb_attrs(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, return True; } -static BOOL pac_io_krb_sid_and_attr_array(const char *desc, +static bool pac_io_krb_sid_and_attr_array(const char *desc, KRB_SID_AND_ATTR_ARRAY *array, uint32 num, prs_struct *ps, int depth) 
@@ -150,7 +150,7 @@ static BOOL pac_io_krb_sid_and_attr_array(const char *desc, } #endif -static BOOL pac_io_group_membership(const char *desc, +static bool pac_io_group_membership(const char *desc, GROUP_MEMBERSHIP *membership, prs_struct *ps, int depth) { @@ -169,7 +169,7 @@ static BOOL pac_io_group_membership(const char *desc, } -static BOOL pac_io_group_membership_array(const char *desc, +static bool pac_io_group_membership_array(const char *desc, GROUP_MEMBERSHIP_ARRAY *array, uint32 num, prs_struct *ps, int depth) @@ -211,7 +211,7 @@ static BOOL pac_io_group_membership_array(const char *desc, } #if 0 /* Unused, replaced using an expanded net_io_user_info3() now - Guenther */ -static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, +static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { uint32 garbage, i; @@ -395,11 +395,11 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, } #endif -static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, +static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { uint32 garbage; - BOOL kerb_validation_info = True; + bool kerb_validation_info = True; if (NULL == info) return False; @@ -446,7 +446,7 @@ static BOOL pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, -static BOOL pac_io_pac_signature_data(const char *desc, +static bool pac_io_pac_signature_data(const char *desc, PAC_SIGNATURE_DATA *data, uint32 length, prs_struct *ps, int depth) { @@ -487,7 +487,7 @@ static BOOL pac_io_pac_signature_data(const char *desc, return True; } -static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_BUFFER *hdr, +static bool pac_io_pac_info_hdr_ctr(const char *desc, PAC_BUFFER *hdr, prs_struct *ps, int depth) { if (NULL == hdr) 
@@ -581,7 +581,7 @@ static BOOL pac_io_pac_info_hdr_ctr(const char *desc, PAC_BUFFER *hdr, return True; } -static BOOL pac_io_pac_info_hdr(const char *desc, PAC_BUFFER *hdr, +static bool pac_io_pac_info_hdr(const char *desc, PAC_BUFFER *hdr, prs_struct *ps, int depth) { if (NULL == hdr) @@ -604,7 +604,7 @@ static BOOL pac_io_pac_info_hdr(const char *desc, PAC_BUFFER *hdr, return True; } -static BOOL pac_io_pac_data(const char *desc, PAC_DATA *data, +static bool pac_io_pac_data(const char *desc, PAC_DATA *data, prs_struct *ps, int depth) { int i; @@ -965,8 +965,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, time_t *expire_time, time_t *renew_till_time, const char *cache_name, - BOOL request_pac, - BOOL add_netbios_addr, + bool request_pac, + bool add_netbios_addr, time_t renewable_time, PAC_DATA **pac_ret) { @@ -1104,8 +1104,8 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx, time_t *expire_time, time_t *renew_till_time, const char *cache_name, - BOOL request_pac, - BOOL add_netbios_addr, + bool request_pac, + bool add_netbios_addr, time_t renewable_time, PAC_LOGON_INFO **logon_info) { @@ -1154,8 +1154,8 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, time_t *expire_time, time_t *renew_till_time, const char *cache_name, - BOOL request_pac, - BOOL add_netbios_addr, + bool request_pac, + bool add_netbios_addr, time_t renewable_time, NET_USER_INFO_3 **info3) { -- cgit From 900288a2b86abd247f9eb4cd15dc5617a17cfef1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 21:11:36 +0100 Subject: Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09) --- source3/libads/authdata.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index db58cf0400..500f2d455e 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -742,14 +742,16 @@ void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) DEBUGADD(lvl,("\tUser Flags: LOGON_EXTRA_SIDS 0x%x (%d)\n", LOGON_EXTRA_SIDS, LOGON_EXTRA_SIDS)); if (user_flgs & LOGON_RESOURCE_GROUPS) DEBUGADD(lvl,("\tUser Flags: LOGON_RESOURCE_GROUPS 0x%x (%d)\n", LOGON_RESOURCE_GROUPS, LOGON_RESOURCE_GROUPS)); - DEBUGADD(lvl,("\tUser SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.user_rid)); - DEBUGADD(lvl,("\tGroup SID: %s-%d\n", sid_string_static(&dom_sid), logon_info->info3.group_rid)); + DEBUGADD(lvl,("\tUser SID: %s-%d\n", sid_string_dbg(&dom_sid), + logon_info->info3.user_rid)); + DEBUGADD(lvl,("\tGroup SID: %s-%d\n", sid_string_dbg(&dom_sid), + logon_info->info3.group_rid)); DEBUGADD(lvl,("\tGroup Membership (Global and Universal Groups of own domain):\n")); for (i = 0; i < logon_info->info3.num_groups; i++) { attr_string = pac_group_attr_string(logon_info->info3.gids[i].attr); DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", - i, sid_string_static(&dom_sid), + i, sid_string_dbg(&dom_sid), logon_info->info3.gids[i].g_rid, logon_info->info3.gids[i].attr, attr_string)); @@ -760,7 +762,8 @@ void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) for (i = 0; i < logon_info->info3.num_other_sids; i++) { attr_string = pac_group_attr_string(logon_info->info3.other_sids_attrib[i]); DEBUGADD(lvl,("\t\t%d: sid: %s\n\t\t attr: 0x%x == %s\n", - i, sid_string_static(&logon_info->info3.other_sids[i].sid), + i, sid_string_dbg( + &logon_info->info3.other_sids[i].sid), logon_info->info3.other_sids_attrib[i], attr_string)); SAFE_FREE(attr_string); 
@@ -770,7 +773,7 @@ void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) for (i = 0; i < logon_info->info3.res_group_count; i++) { attr_string = pac_group_attr_string(logon_info->res_groups.group_membership[i].attrs); DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", - i, sid_string_static(&res_group_dom_sid), + i, sid_string_dbg(&res_group_dom_sid), logon_info->res_groups.group_membership[i].rid, logon_info->res_groups.group_membership[i].attrs, attr_string)); -- cgit From 866af9a800cbfc022ce6144ee706c0826eb6c39b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Jan 2008 23:43:33 -0800 Subject: Coverity 512, uninitialized var. Jeremy. (This used to be commit 1b7cc80c61ccbf766801080f5a3f0260f40ccc17) --- source3/libads/authdata.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 500f2d455e..9a6f1061df 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -214,7 +214,7 @@ static bool pac_io_group_membership_array(const char *desc, static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { - uint32 garbage, i; + uint32 garbage = 0, i; if (NULL == info) return False; @@ -398,7 +398,7 @@ static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { - uint32 garbage; + uint32 garbage = 0; bool kerb_validation_info = True; if (NULL == info) -- cgit From a92eb76688600efbf4a4056c2543f348e2fee8aa Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Thu, 17 Jan 2008 10:24:34 +0100 Subject: Finally enable pidl generated SAMR & NETLOGON headers and clients. Guenther (This used to be commit f7100156a7df7ac3ae84e45a47153b38d9375215) --- source3/libads/authdata.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 9a6f1061df..644f8515bc 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -429,8 +429,8 @@ static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, if (info->info3.ptr_res_groups) { - if (!(info->info3.user_flgs & LOGON_RESOURCE_GROUPS)) { - DEBUG(0,("user_flgs attribute does not have LOGON_RESOURCE_GROUPS\n")); + if (!(info->info3.user_flgs & NETLOGON_RESOURCE_GROUPS)) { + DEBUG(0,("user_flgs attribute does not have NETLOGON_RESOURCE_GROUPS\n")); /* return False; */ } @@ -738,10 +738,10 @@ void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) DEBUG(lvl,("The PAC:\n")); DEBUGADD(lvl,("\tUser Flags: 0x%x (%d)\n", user_flgs, user_flgs)); - if (user_flgs & LOGON_EXTRA_SIDS) - DEBUGADD(lvl,("\tUser Flags: LOGON_EXTRA_SIDS 0x%x (%d)\n", LOGON_EXTRA_SIDS, LOGON_EXTRA_SIDS)); - if (user_flgs & LOGON_RESOURCE_GROUPS) - DEBUGADD(lvl,("\tUser Flags: LOGON_RESOURCE_GROUPS 0x%x (%d)\n", LOGON_RESOURCE_GROUPS, LOGON_RESOURCE_GROUPS)); + if (user_flgs & NETLOGON_EXTRA_SIDS) + DEBUGADD(lvl,("\tUser Flags: NETLOGON_EXTRA_SIDS 0x%x (%d)\n", NETLOGON_EXTRA_SIDS, NETLOGON_EXTRA_SIDS)); + if (user_flgs & NETLOGON_RESOURCE_GROUPS) + DEBUGADD(lvl,("\tUser Flags: NETLOGON_RESOURCE_GROUPS 0x%x (%d)\n", NETLOGON_RESOURCE_GROUPS, NETLOGON_RESOURCE_GROUPS)); DEBUGADD(lvl,("\tUser SID: %s-%d\n", sid_string_dbg(&dom_sid), logon_info->info3.user_rid)); DEBUGADD(lvl,("\tGroup SID: %s-%d\n", sid_string_dbg(&dom_sid), -- cgit From 86843631a2bf533d869be693e1b049ce634c0f6e Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Sun, 17 Feb 2008 01:57:20 +0100 Subject: Align our krb5 PAC decoding routines to the samba4 ones. (while keeping all the trans krb5 lib support) Guenther (This used to be commit c06e507737bb07ff995876e49341de3f60b0da35) --- source3/libads/authdata.c | 458 +++++++++++++++++++++++----------------------- 1 file changed, 224 insertions(+), 234 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 644f8515bc..1f90f76267 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -643,11 +643,11 @@ static bool pac_io_pac_data(const char *desc, PAC_DATA *data, return True; } -static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx, - DATA_BLOB pac_data, - PAC_SIGNATURE_DATA *sig, - krb5_context context, - krb5_keyblock *keyblock) +static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, + DATA_BLOB pac_data, + struct PAC_SIGNATURE_DATA *sig, + krb5_context context, + krb5_keyblock *keyblock) { krb5_error_code ret; krb5_checksum cksum; 
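Review bot: check_pac_checksum now returns a `krb5_error_code` instead of an `NTSTATUS`, and the function has no comment stating the new contract. Its callers are outside this hunk. Any that still test the result with `NT_STATUS_IS_OK()` must change in the same commit, because this check is what rejects a PAC whose signature does not verify. I would add `/* Returns 0 if the PAC signature verifies under keyblock, otherwise the krb5 error from smb_krb5_verify_checksum(). */` above the definition. The function body continues outside the hunk.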
@@ -663,299 +663,289 @@ static NTSTATUS check_pac_checksum(TALLOC_CTX *mem_ctx, #error UNKNOWN_KRB5_KEYUSAGE #endif - ret = smb_krb5_verify_checksum(context, - keyblock, - usage, + ret = smb_krb5_verify_checksum(context, + keyblock, + usage, &cksum, - pac_data.data, + pac_data.data, pac_data.length); if (ret) { - DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n", + DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n", error_message(ret), ret)); - return NT_STATUS_ACCESS_DENIED; + return ret; } - return NT_STATUS_OK; -} - -static NTSTATUS parse_pac_data(TALLOC_CTX *mem_ctx, DATA_BLOB *pac_data_blob, PAC_DATA *pac_data) -{ - prs_struct ps; - PAC_DATA *my_pac; - - if (!prs_init(&ps, pac_data_blob->length, mem_ctx, UNMARSHALL)) - return NT_STATUS_NO_MEMORY; - - if (!prs_copy_data_in(&ps, (char *)pac_data_blob->data, pac_data_blob->length)) - return NT_STATUS_INVALID_PARAMETER; - - prs_set_offset(&ps, 0); - - my_pac = TALLOC_ZERO_P(mem_ctx, PAC_DATA); - if (!pac_io_pac_data("pac data", my_pac, &ps, 0)) - return NT_STATUS_INVALID_PARAMETER; - - prs_mem_free(&ps); - - *pac_data = *my_pac; - - return NT_STATUS_OK; -} - -/* just for debugging, will be removed later - Guenther */ -char *pac_group_attr_string(uint32 attr) -{ - fstring name = ""; - - if (!attr) - return NULL; - - if (attr & SE_GROUP_MANDATORY) fstrcat(name, "SE_GROUP_MANDATORY "); - if (attr & SE_GROUP_ENABLED_BY_DEFAULT) fstrcat(name, "SE_GROUP_ENABLED_BY_DEFAULT "); - if (attr & SE_GROUP_ENABLED) fstrcat(name, "SE_GROUP_ENABLED "); - if (attr & SE_GROUP_OWNER) fstrcat(name, "SE_GROUP_OWNER "); - if (attr & SE_GROUP_USE_FOR_DENY_ONLY) fstrcat(name, "SE_GROUP_USE_FOR_DENY_ONLY "); - if (attr & SE_GROUP_LOGON_ID) fstrcat(name, "SE_GROUP_LOGON_ID "); - if (attr & SE_GROUP_RESOURCE) fstrcat(name, "SE_GROUP_RESOURCE "); - - return SMB_STRDUP(name); + return ret; } -/* just for debugging, will be removed later - Guenther */ -void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) 
-{ - DOM_SID dom_sid, res_group_dom_sid; - int i; - char *attr_string; - uint32 user_flgs = logon_info->info3.user_flgs; - - if (logon_info->info3.ptr_res_group_dom_sid) { - sid_copy(&res_group_dom_sid, &logon_info->res_group_dom_sid.sid); - } - sid_copy(&dom_sid, &logon_info->info3.dom_sid.sid); - - DEBUG(lvl,("The PAC:\n")); - - DEBUGADD(lvl,("\tUser Flags: 0x%x (%d)\n", user_flgs, user_flgs)); - if (user_flgs & NETLOGON_EXTRA_SIDS) - DEBUGADD(lvl,("\tUser Flags: NETLOGON_EXTRA_SIDS 0x%x (%d)\n", NETLOGON_EXTRA_SIDS, NETLOGON_EXTRA_SIDS)); - if (user_flgs & NETLOGON_RESOURCE_GROUPS) - DEBUGADD(lvl,("\tUser Flags: NETLOGON_RESOURCE_GROUPS 0x%x (%d)\n", NETLOGON_RESOURCE_GROUPS, NETLOGON_RESOURCE_GROUPS)); - DEBUGADD(lvl,("\tUser SID: %s-%d\n", sid_string_dbg(&dom_sid), - logon_info->info3.user_rid)); - DEBUGADD(lvl,("\tGroup SID: %s-%d\n", sid_string_dbg(&dom_sid), - logon_info->info3.group_rid)); - - DEBUGADD(lvl,("\tGroup Membership (Global and Universal Groups of own domain):\n")); - for (i = 0; i < logon_info->info3.num_groups; i++) { - attr_string = pac_group_attr_string(logon_info->info3.gids[i].attr); - DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", - i, sid_string_dbg(&dom_sid), - logon_info->info3.gids[i].g_rid, - logon_info->info3.gids[i].attr, - attr_string)); - SAFE_FREE(attr_string); - } - - DEBUGADD(lvl,("\tGroup Membership (Domain Local Groups and Groups from Trusted Domains):\n")); - for (i = 0; i < logon_info->info3.num_other_sids; i++) { - attr_string = pac_group_attr_string(logon_info->info3.other_sids_attrib[i]); - DEBUGADD(lvl,("\t\t%d: sid: %s\n\t\t attr: 0x%x == %s\n", - i, sid_string_dbg( - &logon_info->info3.other_sids[i].sid), - logon_info->info3.other_sids_attrib[i], - attr_string)); - SAFE_FREE(attr_string); - } - - DEBUGADD(lvl,("\tGroup Membership (Resource Groups (SID History ?)):\n")); - for (i = 0; i < logon_info->info3.res_group_count; i++) { - attr_string = 
pac_group_attr_string(logon_info->res_groups.group_membership[i].attrs); - DEBUGADD(lvl,("\t\t%d: sid: %s-%d\n\t\t attr: 0x%x == %s\n", - i, sid_string_dbg(&res_group_dom_sid), - logon_info->res_groups.group_membership[i].rid, - logon_info->res_groups.group_membership[i].attrs, - attr_string)); - SAFE_FREE(attr_string); - } -} +/**************************************************************** +****************************************************************/ NTSTATUS decode_pac_data(TALLOC_CTX *mem_ctx, DATA_BLOB *pac_data_blob, - krb5_context context, + krb5_context context, krb5_keyblock *service_keyblock, krb5_const_principal client_principal, time_t tgs_authtime, - PAC_DATA **pac_data) - + struct PAC_DATA **pac_data_out) { - DATA_BLOB modified_pac_blob; - PAC_DATA *my_pac; - NTSTATUS nt_status; + NTSTATUS status; + enum ndr_err_code ndr_err; krb5_error_code ret; - PAC_SIGNATURE_DATA *srv_sig = NULL; - PAC_SIGNATURE_DATA *kdc_sig = NULL; - PAC_LOGON_NAME *logon_name = NULL; - PAC_LOGON_INFO *logon_info = NULL; - krb5_principal client_principal_pac = NULL; - NTTIME tgs_authtime_nttime; - int i, srv_sig_pos = 0, kdc_sig_pos = 0; - fstring username; + DATA_BLOB modified_pac_blob; - *pac_data = NULL; + NTTIME tgs_authtime_nttime; + krb5_principal client_principal_pac = NULL; + int i; - my_pac = talloc(mem_ctx, PAC_DATA); - if (!my_pac) { + struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL; + struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL; + struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL; + struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL; + struct PAC_LOGON_NAME *logon_name = NULL; + struct PAC_LOGON_INFO *logon_info = NULL; + struct PAC_DATA *pac_data = NULL; + struct PAC_DATA_RAW *pac_data_raw = NULL; + + DATA_BLOB *srv_sig_blob = NULL; + DATA_BLOB *kdc_sig_blob = NULL; + + *pac_data_out = NULL; + + pac_data = TALLOC_ZERO_P(mem_ctx, struct PAC_DATA); + pac_data_raw = TALLOC_ZERO_P(mem_ctx, struct PAC_DATA_RAW); + kdc_sig_wipe = TALLOC_ZERO_P(mem_ctx, struct 
PAC_SIGNATURE_DATA); + srv_sig_wipe = TALLOC_ZERO_P(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) { return NT_STATUS_NO_MEMORY; } - nt_status = parse_pac_data(mem_ctx, pac_data_blob, my_pac); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("decode_pac_data: failed to parse PAC\n")); - return nt_status; + ndr_err = ndr_pull_struct_blob(pac_data_blob, pac_data, + pac_data, + (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the PAC: %s\n", + nt_errstr(status))); + return status; } - modified_pac_blob = data_blob_talloc(mem_ctx, pac_data_blob->data, pac_data_blob->length); + if (pac_data->num_buffers < 4) { + /* we need logon_ingo, service_key and kdc_key */ + DEBUG(0,("less than 4 PAC buffers\n")); + return NT_STATUS_INVALID_PARAMETER; + } - if (my_pac->num_buffers < 4) { - nt_status = NT_STATUS_INVALID_PARAMETER; - goto out; + ndr_err = ndr_pull_struct_blob(pac_data_blob, pac_data_raw, + pac_data_raw, + (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the PAC: %s\n", + nt_errstr(status))); + return status; } - /* store signatures */ - for (i=0; i < my_pac->num_buffers; i++) { - - switch (my_pac->pac_buffer[i].type) { - - case PAC_TYPE_SERVER_CHECKSUM: - if (!my_pac->pac_buffer[i].ctr->pac.srv_cksum) { + if (pac_data_raw->num_buffers < 4) { + /* we need logon_ingo, service_key and kdc_key */ + DEBUG(0,("less than 4 PAC buffers\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (pac_data->num_buffers != pac_data_raw->num_buffers) { + /* we need logon_ingo, service_key and kdc_key */ + DEBUG(0,("misparse! 
PAC_DATA has %d buffers while PAC_DATA_RAW has %d\n", + pac_data->num_buffers, pac_data_raw->num_buffers)); + return NT_STATUS_INVALID_PARAMETER; + } + + for (i=0; i < pac_data->num_buffers; i++) { + if (pac_data->buffers[i].type != pac_data_raw->buffers[i].type) { + DEBUG(0,("misparse! PAC_DATA buffer %d has type %d while PAC_DATA_RAW has %d\n", + i, pac_data->buffers[i].type, pac_data->buffers[i].type)); + return NT_STATUS_INVALID_PARAMETER; + } + switch (pac_data->buffers[i].type) { + case PAC_TYPE_LOGON_INFO: + if (!pac_data->buffers[i].info) { break; } - - srv_sig = my_pac->pac_buffer[i].ctr->pac.srv_cksum; - - /* get position of signature buffer */ - srv_sig_pos = my_pac->pac_buffer[i].offset; - srv_sig_pos += sizeof(uint32); - + logon_info = pac_data->buffers[i].info->logon_info.info; break; - - case PAC_TYPE_PRIVSVR_CHECKSUM: - if (!my_pac->pac_buffer[i].ctr->pac.privsrv_cksum) { + case PAC_TYPE_SRV_CHECKSUM: + if (!pac_data->buffers[i].info) { break; } - - kdc_sig = my_pac->pac_buffer[i].ctr->pac.privsrv_cksum; - - /* get position of signature buffer */ - kdc_sig_pos = my_pac->pac_buffer[i].offset; - kdc_sig_pos += sizeof(uint32); - + srv_sig_ptr = &pac_data->buffers[i].info->srv_cksum; + srv_sig_blob = &pac_data_raw->buffers[i].info->remaining; break; - - case PAC_TYPE_LOGON_NAME: - if (!my_pac->pac_buffer[i].ctr->pac.logon_name) { + case PAC_TYPE_KDC_CHECKSUM: + if (!pac_data->buffers[i].info) { break; } - - logon_name = my_pac->pac_buffer[i].ctr->pac.logon_name; + kdc_sig_ptr = &pac_data->buffers[i].info->kdc_cksum; + kdc_sig_blob = &pac_data_raw->buffers[i].info->remaining; + break; + case PAC_TYPE_LOGON_NAME: + logon_name = &pac_data->buffers[i].info->logon_name; break; + default: + break; + } + } - case PAC_TYPE_LOGON_INFO: - if (!my_pac->pac_buffer[i].ctr->pac.logon_info) { - break; - } + if (!logon_info) { + DEBUG(0,("PAC no logon_info\n")); + return NT_STATUS_INVALID_PARAMETER; + } - logon_info = my_pac->pac_buffer[i].ctr->pac.logon_info; - break; 
- } + if (!logon_name) { + DEBUG(0,("PAC no logon_name\n")); + return NT_STATUS_INVALID_PARAMETER; + } + if (!srv_sig_ptr || !srv_sig_blob) { + DEBUG(0,("PAC no srv_key\n")); + return NT_STATUS_INVALID_PARAMETER; } - if (!srv_sig || !kdc_sig || !logon_name || !logon_info) { - nt_status = NT_STATUS_INVALID_PARAMETER; - goto out; + if (!kdc_sig_ptr || !kdc_sig_blob) { + DEBUG(0,("PAC no kdc_key\n")); + return NT_STATUS_INVALID_PARAMETER; } - /* zero PAC_SIGNATURE_DATA signature buffer */ - memset(&modified_pac_blob.data[srv_sig_pos], '\0', srv_sig->signature.buf_len); - memset(&modified_pac_blob.data[kdc_sig_pos], '\0', kdc_sig->signature.buf_len); + /* Find and zero out the signatures, as required by the signing algorithm */ - /* check server signature */ - nt_status = check_pac_checksum(mem_ctx, modified_pac_blob, srv_sig, context, service_keyblock); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("decode_pac_data: failed to verify PAC server signature\n")); - goto out; + /* We find the data blobs above, now we parse them to get at the exact portion we should zero */ + ndr_err = ndr_pull_struct_blob(kdc_sig_blob, kdc_sig_wipe, + kdc_sig_wipe, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the KDC signature: %s\n", + nt_errstr(status))); + return status; } - /* Convert to NT time, so as not to loose accuracy in comparison */ - unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime); + ndr_err = ndr_pull_struct_blob(srv_sig_blob, srv_sig_wipe, + srv_sig_wipe, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the SRV signature: %s\n", + nt_errstr(status))); + return status; + } - if (!nt_time_equals(&tgs_authtime_nttime, &logon_name->logon_time)) { - - DEBUG(2,("decode_pac_data: Logon time mismatch between ticket and PAC!\n")); - DEBUGADD(2, 
("decode_pac_data: PAC: %s\n", - http_timestring(nt_time_to_unix(logon_name->logon_time)))); - DEBUGADD(2, ("decode_pac_data: Ticket: %s\n", - http_timestring(nt_time_to_unix(tgs_authtime_nttime)))); - - nt_status = NT_STATUS_ACCESS_DENIED; - goto out; + /* Now zero the decoded structure */ + memset(kdc_sig_wipe->signature.data, '\0', kdc_sig_wipe->signature.length); + memset(srv_sig_wipe->signature.data, '\0', srv_sig_wipe->signature.length); + + /* and reencode, back into the same place it came from */ + ndr_err = ndr_push_struct_blob(kdc_sig_blob, pac_data_raw, + kdc_sig_wipe, + (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't repack the KDC signature: %s\n", + nt_errstr(status))); + return status; + } + ndr_err = ndr_push_struct_blob(srv_sig_blob, pac_data_raw, + srv_sig_wipe, + (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't repack the SRV signature: %s\n", + nt_errstr(status))); + return status; } - if (!logon_name->len) { - DEBUG(2,("decode_pac_data: No Logon Name available\n")); - nt_status = NT_STATUS_INVALID_PARAMETER; - goto out; + /* push out the whole structure, but now with zero'ed signatures */ + ndr_err = ndr_push_struct_blob(&modified_pac_blob, pac_data_raw, + pac_data_raw, + (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't repack the RAW PAC: %s\n", + nt_errstr(status))); + return status; } - rpcstr_pull(username, logon_name->username, sizeof(username), logon_name->len, 0); - ret = smb_krb5_parse_name_norealm(context, username, &client_principal_pac); + /* verify by service_key */ + ret = check_pac_checksum(mem_ctx, + modified_pac_blob, srv_sig_ptr, + context, + service_keyblock); if (ret) { - DEBUG(2,("decode_pac_data: Could not parse 
name from incoming PAC: [%s]: %s\n", - username, error_message(ret))); - nt_status = NT_STATUS_INVALID_PARAMETER; - goto out; + DEBUG(1, ("PAC Decode: Failed to verify the service signature: %s\n", + error_message(ret))); + return NT_STATUS_ACCESS_DENIED; } - if (!smb_krb5_principal_compare_any_realm(context, client_principal, client_principal_pac)) { - DEBUG(2,("decode_pac_data: Name in PAC [%s] does not match principal name in ticket\n", - username)); - nt_status = NT_STATUS_ACCESS_DENIED; - goto out; + /* Convert to NT time, so as not to loose accuracy in comparison */ + unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime); + + if (tgs_authtime_nttime != logon_name->logon_time) { + DEBUG(2, ("PAC Decode: Logon time mismatch between ticket and PAC!\n")); + DEBUG(2, ("PAC Decode: PAC: %s\n", nt_time_string(mem_ctx, logon_name->logon_time))); + DEBUG(2, ("PAC Decode: Ticket: %s\n", nt_time_string(mem_ctx, tgs_authtime_nttime))); + return NT_STATUS_ACCESS_DENIED; } - DEBUG(10,("Successfully validated Kerberos PAC\n")); + ret = smb_krb5_parse_name_norealm(context, logon_name->account_name, + &client_principal_pac); + if (ret) { + DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n", + logon_name->account_name, + error_message(ret))); + return NT_STATUS_INVALID_PARAMETER; + } - dump_pac_logon_info(10, logon_info); + if (!smb_krb5_principal_compare_any_realm(context, client_principal, client_principal_pac)) { + DEBUG(2, ("Name in PAC [%s] does not match principal name in ticket\n", + logon_name->account_name)); + krb5_free_principal(context, client_principal_pac); + return NT_STATUS_ACCESS_DENIED; + } - *pac_data = my_pac; + DEBUG(3,("Found account name from PAC: %s [%s]\n", + logon_info->info3.base.account_name.string, + logon_info->info3.base.full_name.string)); - nt_status = NT_STATUS_OK; + DEBUG(10,("Successfully validated Kerberos PAC\n")); -out: - if (client_principal_pac) { - krb5_free_principal(context, client_principal_pac); + if (DEBUGLEVEL >= 10) { 
+ const char *s; + s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_DATA, pac_data); + if (s) { + DEBUGADD(10,("%s\n", s)); + } } - return nt_status; + *pac_data_out = pac_data; + + return NT_STATUS_OK; } - PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data) +/**************************************************************** +****************************************************************/ + +struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data) { - PAC_LOGON_INFO *logon_info = NULL; int i; - + for (i=0; i < pac_data->num_buffers; i++) { - if (pac_data->pac_buffer[i].type != PAC_TYPE_LOGON_INFO) + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { continue; + } - logon_info = pac_data->pac_buffer[i].ctr->pac.logon_info; - break; + return pac_data->buffers[i].info->logon_info.info; } - return logon_info; + + return NULL; } /**************************************************************** @@ -971,12 +961,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, bool request_pac, bool add_netbios_addr, time_t renewable_time, - PAC_DATA **pac_ret) + struct PAC_DATA **pac_ret) { krb5_error_code ret; NTSTATUS status = NT_STATUS_INVALID_PARAMETER; DATA_BLOB tkt, ap_rep, sesskey1, sesskey2; - PAC_DATA *pac_data = NULL; + struct PAC_DATA *pac_data = NULL; char *client_princ_out = NULL; const char *auth_princ = NULL; const char *local_service = NULL; @@ -1110,11 +1100,11 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx, bool request_pac, bool add_netbios_addr, time_t renewable_time, - PAC_LOGON_INFO **logon_info) + struct PAC_LOGON_INFO **logon_info) { NTSTATUS status; - PAC_DATA *pac_data = NULL; - PAC_LOGON_INFO *info = NULL; + struct PAC_DATA *pac_data = NULL; + struct PAC_LOGON_INFO *info = NULL; status = kerberos_return_pac(mem_ctx, name, 
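Review bot: In the buffer loop of decode_pac_data, the `PAC_TYPE_LOGON_NAME` case takes `&pac_data->buffers[i].info->logon_name` without the `if (!pac_data->buffers[i].info)` guard that the other three cases have. This loop runs before check_pac_checksum has verified anything, so it handles unauthenticated input. The same question applies to `pac_data_raw->buffers[i].info` where `->remaining` is taken; whether the NDR pull can leave either pointer NULL is not visible here, but the existing guards suggest it can. Separately, removing the old `out:` label means `client_principal_pac` is freed only on the name-mismatch path, so every successful validation leaks the parsed principal. The type-mismatch DEBUG also passes `pac_data->buffers[i].type` twice, where the second argument should be the raw buffer's type.

```c
/* … unchanged: allocations, both NDR pulls, buffer-count checks … */
				 i, pac_data->buffers[i].type, pac_data_raw->buffers[i].type));
/* … unchanged: LOGON_INFO, SRV_CHECKSUM and KDC_CHECKSUM cases … */
		case PAC_TYPE_LOGON_NAME:
			if (!pac_data->buffers[i].info) {
				break;
			}
			logon_name = &pac_data->buffers[i].info->logon_name;
			break;
/* … unchanged: presence checks, signature wipe, checksum, time and name checks … */
	/* the parsed principal was only needed for the comparison above */
	krb5_free_principal(context, client_principal_pac);
/* … unchanged: debug output, *pac_data_out assignment, return … */
```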
@@ -1160,10 +1150,10 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, bool request_pac, bool add_netbios_addr, time_t renewable_time, - NET_USER_INFO_3 **info3) + struct netr_SamInfo3 **info3) { NTSTATUS status; - PAC_LOGON_INFO *logon_info = NULL; + struct PAC_LOGON_INFO *logon_info = NULL; status = kerberos_return_pac_logon_info(mem_ctx, name, -- cgit From 3ea40eda9435d91d9672fc054739cf1c926f2d2c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 01:57:57 +0100 Subject: Some more cleanup in authdata.c. Guenther (This used to be commit 5483f5fb44bb2138a1348c05845a2b8f3588697a) --- source3/libads/authdata.c | 628 +--------------------------------------------- 1 file changed, 7 insertions(+), 621 deletions(-) (limited to 'source3/libads/authdata.c') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 1f90f76267..79972875ac 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -1,23 +1,23 @@ -/* +/* Unix SMB/CIFS implementation. kerberos authorization data (PAC) utility library - Copyright (C) Jim McDonough 2003 + Copyright (C) Jim McDonough 2003 Copyright (C) Andrew Bartlett 2004-2005 Copyright (C) Andrew Tridgell 2001 Copyright (C) Luke Howard 2002-2003 Copyright (C) Stefan Metzmacher 2004-2005 Copyright (C) Guenther Deschner 2005,2007 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ 
@@ -26,622 +26,8 @@ #ifdef HAVE_KRB5 -static bool pac_io_logon_name(const char *desc, PAC_LOGON_NAME *logon_name, - prs_struct *ps, int depth) -{ - if (NULL == logon_name) - return False; - - prs_debug(ps, depth, desc, "pac_io_logon_name"); - depth++; - - if (!smb_io_time("logon_time", &logon_name->logon_time, ps, depth)) - return False; - - if (!prs_uint16("len", ps, depth, &logon_name->len)) - return False; - - /* The following string is always in little endian 16 bit values, - copy as 8 bits to avoid endian reversal on big-endian machines. - len is the length in bytes. */ - - if (UNMARSHALLING(ps) && logon_name->len) { - logon_name->username = PRS_ALLOC_MEM(ps, uint8, logon_name->len); - if (!logon_name->username) { - DEBUG(3, ("No memory available\n")); - return False; - } - } - - if (!prs_uint8s(True, "name", ps, depth, logon_name->username, logon_name->len)) - return False; - - return True; -} - -#if 0 /* Unused (handled now in net_io_user_info3()) - Guenther */ -static bool pac_io_krb_sids(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, - prs_struct *ps, int depth) -{ - if (NULL == sid_and_attr) - return False; - - prs_debug(ps, depth, desc, "pac_io_krb_sids"); - depth++; - - if (UNMARSHALLING(ps)) { - sid_and_attr->sid = PRS_ALLOC_MEM(ps, DOM_SID2, 1); - if (!sid_and_attr->sid) { - DEBUG(3, ("No memory available\n")); - return False; - } - } - - if(!smb_io_dom_sid2("sid", sid_and_attr->sid, ps, depth)) - return False; - - return True; -} - - -static bool pac_io_krb_attrs(const char *desc, KRB_SID_AND_ATTRS *sid_and_attr, - prs_struct *ps, int depth) -{ - if (NULL == sid_and_attr) - return False; - - prs_debug(ps, depth, desc, "pac_io_krb_attrs"); - depth++; - - if (!prs_uint32("sid_ptr", ps, depth, &sid_and_attr->sid_ptr)) - return False; - if (!prs_uint32("attrs", ps, depth, &sid_and_attr->attrs)) - return False; - - return True; -} - -static bool pac_io_krb_sid_and_attr_array(const char *desc, - KRB_SID_AND_ATTR_ARRAY *array, - uint32 num, - prs_struct 
*ps, int depth) -{ - int i; - - if (NULL == array) - return False; - - prs_debug(ps, depth, desc, "pac_io_krb_sid_and_attr_array"); - depth++; - - - if (!prs_uint32("count", ps, depth, &array->count)) - return False; - - if (UNMARSHALLING(ps)) { - if (num) { - array->krb_sid_and_attrs = PRS_ALLOC_MEM(ps, KRB_SID_AND_ATTRS, num); - if (!array->krb_sid_and_attrs) { - DEBUG(3, ("No memory available\n")); - return False; - } - } else { - array->krb_sid_and_attrs = NULL; - } - } - - for (i=0; ikrb_sid_and_attrs[i], - ps, depth)) - return False; - - } - for (i=0; ikrb_sid_and_attrs[i], - ps, depth)) - return False; - - } - - return True; - -} -#endif - -static bool pac_io_group_membership(const char *desc, - GROUP_MEMBERSHIP *membership, - prs_struct *ps, int depth) -{ - if (NULL == membership) - return False; - - prs_debug(ps, depth, desc, "pac_io_group_membership"); - depth++; - - if (!prs_uint32("rid", ps, depth, &membership->rid)) - return False; - if (!prs_uint32("attrs", ps, depth, &membership->attrs)) - return False; - - return True; -} - - -static bool pac_io_group_membership_array(const char *desc, - GROUP_MEMBERSHIP_ARRAY *array, - uint32 num, - prs_struct *ps, int depth) -{ - int i; - - if (NULL == array) - return False; - - prs_debug(ps, depth, desc, "pac_io_group_membership_array"); - depth++; - - - if (!prs_uint32("count", ps, depth, &array->count)) - return False; - - if (UNMARSHALLING(ps)) { - if (num) { - array->group_membership = PRS_ALLOC_MEM(ps, GROUP_MEMBERSHIP, num); - if (!array->group_membership) { - DEBUG(3, ("No memory available\n")); - return False; - } - } else { - array->group_membership = NULL; - } - } - - for (i=0; igroup_membership[i], - ps, depth)) - return False; - - } - - return True; - -} - -#if 0 /* Unused, replaced using an expanded net_io_user_info3() now - Guenther */ -static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, - prs_struct *ps, int depth) -{ - uint32 garbage = 0, i; - - if (NULL == info) - return 
False; - - prs_debug(ps, depth, desc, "pac_io_pac_logon_info"); - depth++; - - if (!prs_align(ps)) - return False; - if (!prs_uint32("unknown", ps, depth, &garbage)) /* 00081001 */ - return False; - if (!prs_uint32("unknown", ps, depth, &garbage)) /* cccccccc */ - return False; - if (!prs_uint32("bufferlen", ps, depth, &garbage)) - return False; - if (!prs_uint32("bufferlenhi", ps, depth, &garbage)) /* 00000000 */ - return False; - - if (!prs_uint32("pointer", ps, depth, &garbage)) - return False; - - if (!prs_align(ps)) - return False; - if (!smb_io_time("logon_time", &info->logon_time, ps, depth)) - return False; - if (!smb_io_time("logoff_time", &info->logoff_time, ps, depth)) - return False; - if (!smb_io_time("kickoff_time", &info->kickoff_time, ps, depth)) - return False; - if (!smb_io_time("pass_last_set_time", &info->pass_last_set_time, - ps, depth)) - return False; - if (!smb_io_time("pass_can_change_time", &info->pass_can_change_time, - ps, depth)) - return False; - if (!smb_io_time("pass_must_change_time", &info->pass_must_change_time, - ps, depth)) - return False; - - if (!smb_io_unihdr("hdr_user_name", &info->hdr_user_name, ps, depth)) - return False; - if (!smb_io_unihdr("hdr_full_name", &info->hdr_full_name, ps, depth)) - return False; - if (!smb_io_unihdr("hdr_logon_script", &info->hdr_logon_script, - ps, depth)) - return False; - if (!smb_io_unihdr("hdr_profile_path", &info->hdr_profile_path, - ps, depth)) - return False; - if (!smb_io_unihdr("hdr_home_dir", &info->hdr_home_dir, ps, depth)) - return False; - if (!smb_io_unihdr("hdr_dir_drive", &info->hdr_dir_drive, ps, depth)) - return False; - - if (!prs_uint16("logon_count", ps, depth, &info->logon_count)) - return False; - if (!prs_uint16("bad_password_count", ps, depth, &info->bad_password_count)) - return False; - if (!prs_uint32("user_rid", ps, depth, &info->user_rid)) - return False; - if (!prs_uint32("group_rid", ps, depth, &info->group_rid)) - return False; - if (!prs_uint32("group_count", 
ps, depth, &info->group_count)) - return False; - /* I haven't seen this contain anything yet, but when it does - we will have to make sure we decode the contents in the middle - all the unistr2s ... */ - if (!prs_uint32("group_mem_ptr", ps, depth, - &info->group_membership_ptr)) - return False; - if (!prs_uint32("user_flags", ps, depth, &info->user_flags)) - return False; - - if (!prs_uint8s(False, "session_key", ps, depth, info->session_key, 16)) - return False; - - if (!smb_io_unihdr("hdr_dom_controller", - &info->hdr_dom_controller, ps, depth)) - return False; - if (!smb_io_unihdr("hdr_dom_name", &info->hdr_dom_name, ps, depth)) - return False; - - /* this should be followed, but just get ptr for now */ - if (!prs_uint32("ptr_dom_sid", ps, depth, &info->ptr_dom_sid)) - return False; - - if (!prs_uint8s(False, "lm_session_key", ps, depth, info->lm_session_key, 8)) - return False; - - if (!prs_uint32("acct_flags", ps, depth, &info->acct_flags)) - return False; - - for (i = 0; i < 7; i++) - { - if (!prs_uint32("unkown", ps, depth, &info->unknown[i])) /* unknown */ - return False; - } - - if (!prs_uint32("sid_count", ps, depth, &info->sid_count)) - return False; - if (!prs_uint32("ptr_extra_sids", ps, depth, &info->ptr_extra_sids)) - return False; - if (!prs_uint32("ptr_res_group_dom_sid", ps, depth, - &info->ptr_res_group_dom_sid)) - return False; - if (!prs_uint32("res_group_count", ps, depth, &info->res_group_count)) - return False; - if (!prs_uint32("ptr_res_groups", ps, depth, &info->ptr_res_groups)) - return False; - - if(!smb_io_unistr2("uni_user_name", &info->uni_user_name, - info->hdr_user_name.buffer, ps, depth)) - return False; - if(!smb_io_unistr2("uni_full_name", &info->uni_full_name, - info->hdr_full_name.buffer, ps, depth)) - return False; - if(!smb_io_unistr2("uni_logon_script", &info->uni_logon_script, - info->hdr_logon_script.buffer, ps, depth)) - return False; - if(!smb_io_unistr2("uni_profile_path", &info->uni_profile_path, - 
info->hdr_profile_path.buffer, ps, depth)) - return False; - if(!smb_io_unistr2("uni_home_dir", &info->uni_home_dir, - info->hdr_home_dir.buffer, ps, depth)) - return False; - if(!smb_io_unistr2("uni_dir_drive", &info->uni_dir_drive, - info->hdr_dir_drive.buffer, ps, depth)) - return False; - - if (info->group_membership_ptr) { - if (!pac_io_group_membership_array("group membership", - &info->groups, - info->group_count, - ps, depth)) - return False; - } - - - if(!smb_io_unistr2("uni_dom_controller", &info->uni_dom_controller, - info->hdr_dom_controller.buffer, ps, depth)) - return False; - if(!smb_io_unistr2("uni_dom_name", &info->uni_dom_name, - info->hdr_dom_name.buffer, ps, depth)) - return False; - - if(info->ptr_dom_sid) - if(!smb_io_dom_sid2("dom_sid", &info->dom_sid, ps, depth)) - return False; - - - if (info->sid_count && info->ptr_extra_sids) - if (!pac_io_krb_sid_and_attr_array("extra_sids", - &info->extra_sids, - info->sid_count, - ps, depth)) - return False; - - if (info->ptr_res_group_dom_sid) - if (!smb_io_dom_sid2("res_group_dom_sid", - &info->res_group_dom_sid, ps, depth)) - return False; - - if (info->ptr_res_groups) { - - if (!(info->user_flgs & LOGON_RESOURCE_GROUPS)) { - DEBUG(0,("user_flgs attribute does not have LOGON_RESOURCE_GROUPS\n")); - /* return False; */ - } - - if (!pac_io_group_membership_array("res group membership", - &info->res_groups, - info->res_group_count, - ps, depth)) - return False; - } - - return True; -} -#endif - -static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, - prs_struct *ps, int depth) -{ - uint32 garbage = 0; - bool kerb_validation_info = True; - - if (NULL == info) - return False; - - prs_debug(ps, depth, desc, "pac_io_pac_logon_info"); - depth++; - - if (!prs_align(ps)) - return False; - if (!prs_uint32("unknown", ps, depth, &garbage)) /* 00081001 */ - return False; - if (!prs_uint32("unknown", ps, depth, &garbage)) /* cccccccc */ - return False; - if (!prs_uint32("bufferlen", ps, depth, 
&garbage)) - return False; - if (!prs_uint32("bufferlenhi", ps, depth, &garbage)) /* 00000000 */ - return False; - - if(!net_io_user_info3("", &info->info3, ps, depth, 3, kerb_validation_info)) - return False; - - if (info->info3.ptr_res_group_dom_sid) { - if (!smb_io_dom_sid2("res_group_dom_sid", - &info->res_group_dom_sid, ps, depth)) - return False; - } - - if (info->info3.ptr_res_groups) { - - if (!(info->info3.user_flgs & NETLOGON_RESOURCE_GROUPS)) { - DEBUG(0,("user_flgs attribute does not have NETLOGON_RESOURCE_GROUPS\n")); - /* return False; */ - } - - if (!pac_io_group_membership_array("res group membership", - &info->res_groups, - info->info3.res_group_count, - ps, depth)) - return False; - } - - return True; -} - - - -static bool pac_io_pac_signature_data(const char *desc, - PAC_SIGNATURE_DATA *data, uint32 length, - prs_struct *ps, int depth) -{ - uint32 siglen = 0; - - prs_debug(ps, depth, desc, "pac_io_pac_signature_data"); - depth++; - - if (data == NULL) - return False; - - if (!prs_align(ps)) - return False; - if (!prs_uint32("type", ps, depth, &data->type)) - return False; - - if ( length > sizeof(uint32) ) - siglen = length - sizeof(uint32); - - if (UNMARSHALLING(ps) && length) { - if (siglen) { - data->signature.buffer = PRS_ALLOC_MEM(ps, uint8, siglen); - if (!data->signature.buffer) { - DEBUG(3, ("No memory available\n")); - return False; - } - } else { - data->signature.buffer = NULL; - } - } - - data->signature.buf_len = siglen; - - if (!prs_uint8s(False, "signature", ps, depth, data->signature.buffer, data->signature.buf_len)) - return False; - - - return True; -} - -static bool pac_io_pac_info_hdr_ctr(const char *desc, PAC_BUFFER *hdr, - prs_struct *ps, int depth) -{ - if (NULL == hdr) - return False; - - prs_debug(ps, depth, desc, "pac_io_pac_info_hdr_ctr"); - depth++; - - if (!prs_align(ps)) - return False; - - if (hdr->offset != prs_offset(ps)) { - DEBUG(5,("offset in header(x%x) and data(x%x) do not match, correcting\n", - hdr->offset, 
prs_offset(ps))); - prs_set_offset(ps, hdr->offset); - } - - if (UNMARSHALLING(ps) && hdr->size > 0) { - hdr->ctr = PRS_ALLOC_MEM(ps, PAC_INFO_CTR, 1); - if (!hdr->ctr) { - DEBUG(3, ("No memory available\n")); - return False; - } - } - - switch(hdr->type) { - case PAC_TYPE_LOGON_INFO: - DEBUG(5, ("PAC_TYPE_LOGON_INFO\n")); - if (UNMARSHALLING(ps)) - hdr->ctr->pac.logon_info = PRS_ALLOC_MEM(ps, PAC_LOGON_INFO, 1); - if (!hdr->ctr->pac.logon_info) { - DEBUG(3, ("No memory available\n")); - return False; - } - if (!pac_io_pac_logon_info(desc, hdr->ctr->pac.logon_info, - ps, depth)) - return False; - break; - - case PAC_TYPE_SERVER_CHECKSUM: - DEBUG(5, ("PAC_TYPE_SERVER_CHECKSUM\n")); - if (UNMARSHALLING(ps)) - hdr->ctr->pac.srv_cksum = PRS_ALLOC_MEM(ps, PAC_SIGNATURE_DATA, 1); - if (!hdr->ctr->pac.srv_cksum) { - DEBUG(3, ("No memory available\n")); - return False; - } - if (!pac_io_pac_signature_data(desc, hdr->ctr->pac.srv_cksum, - hdr->size, ps, depth)) - return False; - break; - - case PAC_TYPE_PRIVSVR_CHECKSUM: - DEBUG(5, ("PAC_TYPE_PRIVSVR_CHECKSUM\n")); - if (UNMARSHALLING(ps)) - hdr->ctr->pac.privsrv_cksum = PRS_ALLOC_MEM(ps, PAC_SIGNATURE_DATA, 1); - if (!hdr->ctr->pac.privsrv_cksum) { - DEBUG(3, ("No memory available\n")); - return False; - } - if (!pac_io_pac_signature_data(desc, - hdr->ctr->pac.privsrv_cksum, - hdr->size, ps, depth)) - return False; - break; - - case PAC_TYPE_LOGON_NAME: - DEBUG(5, ("PAC_TYPE_LOGON_NAME\n")); - if (UNMARSHALLING(ps)) - hdr->ctr->pac.logon_name = PRS_ALLOC_MEM(ps, PAC_LOGON_NAME, 1); - if (!hdr->ctr->pac.logon_name) { - DEBUG(3, ("No memory available\n")); - return False; - } - if (!pac_io_logon_name(desc, hdr->ctr->pac.logon_name, - ps, depth)) - return False; - break; - - default: - /* dont' know, so we need to skip it */ - DEBUG(3, ("unknown PAC type %d\n", hdr->type)); - prs_set_offset(ps, prs_offset(ps) + hdr->size); - } - -#if 0 - /* obscure pad */ - if (!prs_uint32("pad", ps, depth, &hdr->pad)) - return False; -#endif 
- return True; -} - -static bool pac_io_pac_info_hdr(const char *desc, PAC_BUFFER *hdr, - prs_struct *ps, int depth) -{ - if (NULL == hdr) - return False; - - prs_debug(ps, depth, desc, "pac_io_pac_info_hdr"); - depth++; - - if (!prs_align(ps)) - return False; - if (!prs_uint32("type", ps, depth, &hdr->type)) - return False; - if (!prs_uint32("size", ps, depth, &hdr->size)) - return False; - if (!prs_uint32("offset", ps, depth, &hdr->offset)) - return False; - if (!prs_uint32("offsethi", ps, depth, &hdr->offsethi)) - return False; - - return True; -} - -static bool pac_io_pac_data(const char *desc, PAC_DATA *data, - prs_struct *ps, int depth) -{ - int i; - - if (NULL == data) - return False; - - prs_debug(ps, depth, desc, "pac_io_pac_data"); - depth++; - - if (!prs_align(ps)) - return False; - if (!prs_uint32("num_buffers", ps, depth, &data->num_buffers)) - return False; - if (!prs_uint32("version", ps, depth, &data->version)) - return False; - - if (UNMARSHALLING(ps) && data->num_buffers > 0) { - if ((data->pac_buffer = PRS_ALLOC_MEM(ps, PAC_BUFFER, data->num_buffers)) == NULL) { - return False; - } - } - - for (i=0; inum_buffers; i++) { - if (!pac_io_pac_info_hdr(desc, &data->pac_buffer[i], ps, - depth)) - return False; - } - - for (i=0; inum_buffers; i++) { - if (!pac_io_pac_info_hdr_ctr(desc, &data->pac_buffer[i], - ps, depth)) - return False; - } - - return True; -} +/**************************************************************** +****************************************************************/ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, DATA_BLOB pac_data, -- cgit From 7269a504fdd06fbbe24c2df8e084b41382d71269 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 27 Feb 2008 19:38:48 +0100 Subject: Add my copyright. Guenther (This used to be commit d078a8757182d84dfd3307a2e1b751cf173aaa97) --- source3/libads/authdata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads/authdata.c') 
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 79972875ac..0bde3e6984 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -6,7 +6,7 @@
 Copyright (C) Andrew Tridgell 2001
 Copyright (C) Luke Howard 2002-2003
 Copyright (C) Stefan Metzmacher 2004-2005
- Copyright (C) Guenther Deschner 2005,2007
+ Copyright (C) Guenther Deschner 2005,2007,2008
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
-- cgit