[Samba.git] / source4 / kdc / kdc-glue.c
1 /*
2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include <hdb.h>
28 #include "kdc/samba_kdc.h"
29 #include "kdc/pac-glue.h"
30 #include "librpc/gen_ndr/ndr_krb5pac.h"
31 #include "auth/kerberos/pac_utils.h"
32 #include "kdc/kdc-glue.h"
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_KERBEROS
/*
 * Check the KDC signature of a PAC with a key looked up in 'ent'.
 *
 * The checksum type recorded in kdc_sig selects the encryption type:
 * CKSUMTYPE_HMAC_MD5 is paired with ENCTYPE_ARCFOUR_HMAC directly, any
 * other type is translated by krb5_cksumtype_to_enctype(). The key for
 * that enctype is fetched from 'ent' with hdb_enctype2key() and handed
 * to check_pac_checksum() together with srv_sig and kdc_sig.
 *
 * The result of check_pac_checksum() is returned as is; an earlier
 * failure returns the non-zero code of the call that failed.
 *
 * NOTE(review): kdc_sig->type is presumably read from the PAC under
 * verification, so the party that produced the PAC picks the algorithm,
 * bounded only by the enctypes 'ent' holds a key for. Confirm that the
 * callers, or the key set stored on 'ent', rule out checksum types that
 * policy no longer accepts (an RC4 key on 'ent' keeps HMAC-MD5
 * signatures verifiable through this path).
 */
int kdc_check_pac(krb5_context context,
		  DATA_BLOB srv_sig,
		  struct PAC_SIGNATURE_DATA *kdc_sig,
		  hdb_entry *ent)
{
	krb5_enctype etype;
	krb5_keyblock keyblock;
	Key *key;
	int ret;

	if (kdc_sig->type != CKSUMTYPE_HMAC_MD5) {
		ret = krb5_cksumtype_to_enctype(context, kdc_sig->type, &etype);
		if (ret != 0) {
			return ret;
		}
	} else {
		/* HMAC-MD5 bypasses the library mapping and uses the RC4 enctype. */
		etype = ENCTYPE_ARCFOUR_HMAC;
	}

	/* No key of this enctype on the entry means the signature is not checked at all. */
	ret = hdb_enctype2key(context, ent, NULL, etype, &key);
	if (ret != 0) {
		return ret;
	}

	/* Struct copy of the key found on the entry; nothing is released here. */
	keyblock = key->key;

	return check_pac_checksum(srv_sig, kdc_sig, context, &keyblock);
}
/*
 * Build the samba_kdc_entry_pac describing the armor ("device") side of
 * request 'r'.
 *
 * Three values are read from the request: the armor client entry, the
 * armor PAC and the armor server entry. Where an entry is present its
 * ->context pointer is converted with talloc_get_type_abort(), which
 * aborts the process if the pointer is not a struct samba_kdc_entry.
 * Where an entry is absent the corresponding pointer stays NULL.
 *
 * NOTE(review): samba_kdc_entry_is_trust() is called with NULL when the
 * request has no armor server entry; confirm it accepts NULL and that
 * its answer in that case is the intended one for the armor PAC.
 */
struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
{
	const hdb_entry *armor_client = kdc_request_get_armor_client(r);
	const krb5_const_pac armor_pac = kdc_request_get_armor_pac(r);
	const hdb_entry *armor_krbtgt = NULL;
	struct samba_kdc_entry *client_entry = NULL;
	const struct samba_kdc_entry *krbtgt_entry = NULL;

	/* Type-checked view of the armor client's private data, if any. */
	client_entry = (armor_client != NULL)
		? talloc_get_type_abort(armor_client->context,
					struct samba_kdc_entry)
		: NULL;

	/* The armor server entry is only used to decide the trust flag. */
	armor_krbtgt = kdc_request_get_armor_server(r);
	krbtgt_entry = (armor_krbtgt != NULL)
		? talloc_get_type_abort(armor_krbtgt->context,
					struct samba_kdc_entry)
		: NULL;

	return samba_kdc_entry_pac(armor_pac,
				   client_entry,
				   samba_kdc_entry_is_trust(krbtgt_entry));
}