diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-09-10 10:39:45 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:38:03 -0500 |
| commit | 1757f8355cc54dc4ff9a075787543ef7ebb1dd5e (patch) | |
| tree | 5f28df480fe697f931f3d43b396d800d65bf5a68 /source4/auth/kerberos/kerberos_pac.c | |
| parent | 869ae3b7a05a3840756bb92eaec93933eaa6cc2c (diff) | |
| download | samba-1757f8355cc54dc4ff9a075787543ef7ebb1dd5e.tar.gz samba-1757f8355cc54dc4ff9a075787543ef7ebb1dd5e.tar.xz samba-1757f8355cc54dc4ff9a075787543ef7ebb1dd5e.zip | |
r10145: Allow a variable length signature, so we can support signing with
other than arcfour-hmac-md5. Currently we still fail to verify other
signatures however.
Andrew Bartlett
(This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
Diffstat (limited to 'source4/auth/kerberos/kerberos_pac.c')
| -rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 24 |
1 files changed, 7 insertions, 17 deletions
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 32946990709..df1a871f858 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -44,9 +44,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, Checksum cksum; cksum.cksumtype = (CKSUMTYPE)sig->type; - cksum.checksum.length = sizeof(sig->signature); - cksum.checksum.data = sig->signature; - + cksum.checksum.length = sig->signature.length; + cksum.checksum.data = sig->signature.data; ret = krb5_crypto_init(context, keyblock, @@ -172,11 +171,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, } if (krbtgt_keyblock) { - DATA_BLOB service_checksum_blob - = data_blob_const(srv_sig_ptr->signature, sizeof(srv_sig_ptr->signature)); - ret = check_pac_checksum(mem_ctx, - service_checksum_blob, &kdc_sig, + srv_sig_ptr->signature, &kdc_sig, context, krbtgt_keyblock); if (ret) { DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n", @@ -300,9 +296,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, } sig->type = cksum.cksumtype; - if (cksum.checksum.length == sizeof(sig->signature)) { - memcpy(sig->signature, cksum.checksum.data, sizeof(sig->signature)); - } + sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length); free_Checksum(&cksum); return 0; @@ -319,7 +313,6 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, krb5_error_code ret; DATA_BLOB zero_blob = data_blob(NULL, 0); DATA_BLOB tmp_blob = data_blob(NULL, 0); - DATA_BLOB service_checksum_blob; struct PAC_SIGNATURE_DATA *kdc_checksum = NULL; struct PAC_SIGNATURE_DATA *srv_checksum = NULL; int i; @@ -367,8 +360,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, } /* But wipe out the actual signatures */ - ZERO_STRUCT(kdc_checksum->signature); - ZERO_STRUCT(srv_checksum->signature); + memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length); + memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length); nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data, (ndr_push_flags_fn_t)ndr_push_PAC_DATA); @@ -382,11 +375,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum, context, service_keyblock); - service_checksum_blob - = data_blob_const(srv_checksum->signature, sizeof(srv_checksum->signature)); - /* Then sign Server checksum */ - ret = make_pac_checksum(mem_ctx, &service_checksum_blob, kdc_checksum, context, krbtgt_keyblock); + ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock); if (ret) { DEBUG(2, ("making krbtgt PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); |