diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-06-28 09:37:04 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:56 -0500 |
commit | 66da650727112126200c118604404dc804758913 (patch) | |
tree | c305829488d2f5486c0c79f4de5ac173a6ea0260 | |
parent | 99777452f0d191461bf7b92397bb44378cdb4cfb (diff) | |
download | samba-66da650727112126200c118604404dc804758913.tar.gz samba-66da650727112126200c118604404dc804758913.tar.xz samba-66da650727112126200c118604404dc804758913.zip |
r7979: Metze reminded me to try one more combination, and we can now verify
the 'PAC', required for interopability with Active Directory.
This is still a cludge, as it doesn't handle different encryption
types, but that should be fairly easy to fix (needs PIDL/IDL changes).
Andrew Bartlett
(This used to be commit 690cfc44cef9b349cc31417d8353b6ce1c7832e1)
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 46 |
1 files changed, 14 insertions, 32 deletions
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 84a7c56cc9..9d57245798 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -42,7 +42,6 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx, krb5_error_code ret; krb5_crypto crypto; Checksum cksum; - int i; cksum.cksumtype = (CKSUMTYPE)sig->type; cksum.checksum.length = sizeof(sig->signature); @@ -57,30 +56,21 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx, DEBUG(0,("krb5_crypto_init() failed\n")); return NT_STATUS_FOOBAR; } - for (i=0; i < 40; i++) { - keyusage = i; - ret = krb5_verify_checksum(smb_krb5_context->krb5_context, - crypto, - keyusage, - pac_data.data, - pac_data.length, - &cksum); - if (!ret) { - DEBUG(0, ("PAC Verified: keyusage: %d\n", keyusage)); - break; - } else { - DEBUG(2, ("PAC Verification failed: %s\n", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); - } + ret = krb5_verify_checksum(smb_krb5_context->krb5_context, + crypto, + KRB5_KU_OTHER_CKSUM, + pac_data.data, + pac_data.length, + &cksum); + if (ret) { + DEBUG(2, ("PAC Verification failed: %s\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); } krb5_crypto_destroy(smb_krb5_context->krb5_context, crypto); if (ret) { - DEBUG(0,("NOT verifying PAC checksums yet!\n")); - //return NT_STATUS_LOGON_FAILURE; - } else { - DEBUG(0,("PAC checksums verified!\n")); + return NT_STATUS_ACCESS_DENIED; } return NT_STATUS_OK; @@ -100,7 +90,6 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx, struct PAC_LOGON_INFO *logon_info = NULL; struct PAC_DATA pac_data; DATA_BLOB modified_pac_blob = data_blob_talloc(mem_ctx, blob.data, blob.length); - DATA_BLOB tmp_blob; int i; status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data, @@ -109,7 +98,6 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx, DEBUG(0,("can't parse the PAC\n")); return status; } - NDR_PRINT_DEBUG(PAC_DATA, &pac_data); if (pac_data.num_buffers < 3) { /* we need logon_ingo, service_key and kdc_key */ @@ -161,16 +149,10 @@ static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx, return NT_STATUS_FOOBAR; } - memset(&modified_pac_blob.data[modified_pac_blob.length - 48], - '\0', 48); - - status = ndr_pull_struct_blob(&modified_pac_blob, mem_ctx, &pac_data, - (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("can't parse the PAC\n")); - return status; - } - NDR_PRINT_DEBUG(PAC_DATA, &pac_data); + memset(&modified_pac_blob.data[modified_pac_blob.length - 20], + '\0', 16); + memset(&modified_pac_blob.data[modified_pac_blob.length - 44], + '\0', 16); /* verify by servie_key */ status = kerberos_pac_checksum(mem_ctx, |