summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-06-28 09:37:04 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:56 -0500
commit66da650727112126200c118604404dc804758913 (patch)
treec305829488d2f5486c0c79f4de5ac173a6ea0260
parent99777452f0d191461bf7b92397bb44378cdb4cfb (diff)
downloadsamba-66da650727112126200c118604404dc804758913.tar.gz
samba-66da650727112126200c118604404dc804758913.tar.xz
samba-66da650727112126200c118604404dc804758913.zip
r7979: Metze reminded me to try one more combination, and we can now verify
the 'PAC', required for interopability with Active Directory. This is still a cludge, as it doesn't handle different encryption types, but that should be fairly easy to fix (needs PIDL/IDL changes). Andrew Bartlett (This used to be commit 690cfc44cef9b349cc31417d8353b6ce1c7832e1)
-rw-r--r--source4/auth/kerberos/kerberos_pac.c46
1 files changed, 14 insertions, 32 deletions
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 84a7c56cc9..9d57245798 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -42,7 +42,6 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
krb5_error_code ret;
krb5_crypto crypto;
Checksum cksum;
- int i;
cksum.cksumtype = (CKSUMTYPE)sig->type;
cksum.checksum.length = sizeof(sig->signature);
@@ -57,30 +56,21 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
DEBUG(0,("krb5_crypto_init() failed\n"));
return NT_STATUS_FOOBAR;
}
- for (i=0; i < 40; i++) {
- keyusage = i;
- ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
- crypto,
- keyusage,
- pac_data.data,
- pac_data.length,
- &cksum);
- if (!ret) {
- DEBUG(0, ("PAC Verified: keyusage: %d\n", keyusage));
- break;
- } else {
- DEBUG(2, ("PAC Verification failed: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
- }
+ ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
+ crypto,
+ KRB5_KU_OTHER_CKSUM,
+ pac_data.data,
+ pac_data.length,
+ &cksum);
+ if (ret) {
+ DEBUG(2, ("PAC Verification failed: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
}
krb5_crypto_destroy(smb_krb5_context->krb5_context, crypto);
if (ret) {
- DEBUG(0,("NOT verifying PAC checksums yet!\n"));
- //return NT_STATUS_LOGON_FAILURE;
- } else {
- DEBUG(0,("PAC checksums verified!\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
@@ -100,7 +90,6 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
struct PAC_LOGON_INFO *logon_info = NULL;
struct PAC_DATA pac_data;
DATA_BLOB modified_pac_blob = data_blob_talloc(mem_ctx, blob.data, blob.length);
- DATA_BLOB tmp_blob;
int i;
status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
@@ -109,7 +98,6 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
DEBUG(0,("can't parse the PAC\n"));
return status;
}
- NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
if (pac_data.num_buffers < 3) {
/* we need logon_ingo, service_key and kdc_key */
@@ -161,16 +149,10 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
return NT_STATUS_FOOBAR;
}
- memset(&modified_pac_blob.data[modified_pac_blob.length - 48],
- '\0', 48);
-
- status = ndr_pull_struct_blob(&modified_pac_blob, mem_ctx, &pac_data,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("can't parse the PAC\n"));
- return status;
- }
- NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
+ memset(&modified_pac_blob.data[modified_pac_blob.length - 20],
+ '\0', 16);
+ memset(&modified_pac_blob.data[modified_pac_blob.length - 44],
+ '\0', 16);
/* verify by servie_key */
status = kerberos_pac_checksum(mem_ctx,