s4:rpc_server/lsa: prepare dcesrv_lsa_LookupSids* for async processing

[Samba.git] / source4 / auth / gensec / gensec_krb5_mit.c

#include "includes.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "gensec_krb5.h"

static krb5_error_code smb_krb5_get_longterm_key(krb5_context context,
                                                 krb5_const_principal server,
                                                 krb5_kvno kvno,
                                                 krb5_enctype etype,
                                                 krb5_keytab keytab,
                                                 krb5_keyblock **keyblock_out)
{
        krb5_error_code code = EINVAL;

        krb5_keytab_entry kt_entry;

        code = krb5_kt_get_entry(context,
                                 keytab,
                                 server,
                                 kvno,
                                 etype,
                                 &kt_entry);
        if (code != 0) {
                return code;
        }

        code = krb5_copy_keyblock(context,
                                  &kt_entry.key,
                                  keyblock_out);
        krb5_free_keytab_entry_contents(context, &kt_entry);

        return code;
}

krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
                                        krb5_auth_context *auth_context,
                                        const krb5_data *request,
                                        krb5_keytab keytab,
                                        krb5_principal acceptor_principal,
                                        krb5_data *reply,
                                        krb5_ticket **pticket,
                                        krb5_keyblock **pkeyblock)
{
        krb5_error_code code;
        krb5_flags ap_req_options = 0;
        krb5_ticket *ticket = NULL;
        krb5_keyblock *keyblock = NULL;

        *pticket = NULL;
        *pkeyblock = NULL;
        reply->length = 0;
        reply->data = NULL;

        code = krb5_rd_req(context,
                           auth_context,
                           request,
                           acceptor_principal,
                           keytab,
                           &ap_req_options,
                           &ticket);
        if (code != 0) {
                DBG_ERR("krb5_rd_req failed: %s\n",
                        error_message(code));
                return code;
        }

        /*
         * Get the long term key from the keytab to be able to verify the PAC
         * signature.
         *
         * FIXME: Use ticket->enc_part.kvno ???
         * Getting the latest kvno with passing 0 fixes:
         * make -j test TESTS="samba4.winbind.pac.ad_member"
         */
        code = smb_krb5_get_longterm_key(context,
                                         ticket->server,
                                         0, /* kvno */
                                         ticket->enc_part.enctype,
                                         keytab,
                                         &keyblock);
        if (code != 0) {
                DBG_ERR("smb_krb5_get_longterm_key failed: %s\n",
                        error_message(code));
                krb5_free_ticket(context, ticket);

                return code;
        }

        code = krb5_mk_rep(context, *auth_context, reply);
        if (code != 0) {
                DBG_ERR("krb5_mk_rep failed: %s\n",
                        error_message(code));
                krb5_free_ticket(context, ticket);
                krb5_free_keyblock(context, keyblock);
        }

        *pticket = ticket;
        *pkeyblock = keyblock;

        return code;
}