From 70c303a7f357b2c73955b24128ac8a72b656d4e6 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sat, 31 Mar 2012 22:09:22 -0400
Subject: [PATCH] auth-krb: Move pac related util functions in a single place.

Signed-off-by: Andreas Schneider
---
 auth/kerberos/gssapi_pac.c | 1 +
 auth/kerberos/kerberos_pac.c | 37 ++++++++++++++++++--------
 auth/kerberos/pac_utils.h | 50 ++++++++++++++++++++++++++++++++++++
 auth/kerberos/wscript_build | 1 +
 libcli/auth/krb5_wrap.c | 49 -----------------------------------
 libcli/auth/krb5_wrap.h | 32 -----------------------
 source3/auth/auth_generic.c | 2 +-
 source3/include/smb_krb5.h | 1 +
 source4/auth/gensec/gensec_gssapi.c | 1 +
 source4/auth/gensec/gensec_krb5.c | 1 +
 source4/auth/kerberos/kerberos_pac.c | 1 +
 source4/kdc/pac-glue.c | 1 +
 source4/torture/auth/pac.c | 1 +
 13 files changed, 85 insertions(+), 93 deletions(-)
 create mode 100644 auth/kerberos/pac_utils.h
 mode change 100644 => 100755 auth/kerberos/wscript_build

diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 07c7c942056..05065b2725b 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -22,6 +22,7 @@
 #ifdef HAVE_KRB5
 #include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #if 0 /* FIXME - need proper configure/waf test
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 5155c9fd289..eacf39d321e 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -26,7 +26,7 @@
 #ifdef HAVE_KRB5
 #include "librpc/gen_ndr/ndr_krb5pac.h"
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 struct PAC_SIGNATURE_DATA *sig,
@@ -36,8 +36,18 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 krb5_error_code ret;
 krb5_checksum cksum;
 krb5_keyusage usage = 0;
-
- smb_krb5_checksum_from_pac_sig(&cksum, sig);
+ krb5_boolean checksum_valid = false;
+ krb5_data input;
+
+#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ cksum.cksumtype = (krb5_cksumtype)sig->type;
+ cksum.checksum.length = sig->signature.length;
+ cksum.checksum.data = sig->signature.data;
+#else /* MIT */
+ cksum.checksum_type = (krb5_cksumtype)sig->type;
+ cksum.length = sig->signature.length;
+ cksum.contents = sig->signature.data;
+#endif
 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
 usage = KRB5_KU_OTHER_CKSUM;
@@ -47,14 +57,19 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 #error UNKNOWN_KRB5_KEYUSAGE
 #endif
- ret = smb_krb5_verify_checksum(context,
- keyblock,
- usage,
- &cksum,
- pac_data.data,
- pac_data.length);
-
- if (ret) {
+ input.data = (char *)pac_data.data;
+ input.length = pac_data.length;
+
+ ret = krb5_c_verify_checksum(context,
+ keyblock,
+ usage,
+ &input,
+ &cksum,
+ &checksum_valid);
+ if (!checksum_valid) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+ if (ret){
 DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
 error_message(ret), ret));
 return ret;
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
new file mode 100644
index 00000000000..9fe08de834c
--- /dev/null
+++ b/auth/kerberos/pac_utils.h
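Review bot: In the second hunk, `if (!checksum_valid)` overwrites ret unconditionally after `ret = krb5_c_verify_checksum(...)`, so when the library call itself fails (ret != 0 with checksum_valid still false) the DEBUG line reports KRB5KRB_AP_ERR_BAD_INTEGRITY instead of the real error; the helper removed from libcli/auth/krb5_wrap.c logged the library error first and only then tested checksum_valid. Making the overwrite conditional keeps that diagnostic without changing the fail-closed result: `if (ret == 0 && !checksum_valid) {`. The helper's comment `/* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */` was dropped in the inlining and is worth keeping above the krb5_c_verify_checksum call, and `if (ret){` wants a space before the brace. The signature and closing brace of check_pac_checksum lie outside this hunk.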
@@ -0,0 +1,50 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos authorization data (PAC) utility library
+ Copyright (C) Andrew Bartlett 2011
+ Copyright (C) Simo Sorce 2010-2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _PAC_UTILS_H
+#define _PAC_UTILS_H
+
+#include "libcli/auth/krb5_wrap.h"
+struct PAC_SIGNATURE_DATA;
+struct PAC_DATA;
+
+krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ struct PAC_SIGNATURE_DATA *sig,
+ krb5_context context,
+ const krb5_keyblock *keyblock);
+
+NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+ DATA_BLOB pac_data_blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_DATA **pac_data_out);
+
+NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
+ gss_ctx_id_t gssapi_context,
+ gss_name_t gss_client_name,
+ DATA_BLOB *pac_data);
+NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
+ gss_ctx_id_t gssapi_context,
+ DATA_BLOB *session_key,
+ uint32_t *keytype);
+#endif /* _PAC_UTILS_H */
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build
old mode 100644
new mode 100755
index 2421b1654f8..f49cc517bab
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
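Review bot: The new header publishes the PAC verification entry points without any contract comments, and since it becomes the include every caller in this patch uses (source3/auth/auth_generic.c, source4/kdc/pac-glue.c and the others), each prototype deserves a short Doxygen block. For check_pac_checksum the body in auth/kerberos/kerberos_pac.c fixes the contract: `/** Verify sig over pac_data with keyblock. Returns 0 on success, KRB5KRB_AP_ERR_BAD_INTEGRITY on a mismatch, or the krb5 error from the checksum call. */`. For kerberos_decode_pac, gssapi_obtain_pac_blob and gssapi_get_session_key the comment should say who owns the returned `*pac_data_out`, `*pac_data` and `*session_key` (presumably talloc-allocated on mem_ctx — confirm against the implementations, which are not in this patch) and which keyblock or principal arguments may be NULL. The two forward declarations of struct PAC_SIGNATURE_DATA and struct PAC_DATA moved here from libcli/auth/krb5_wrap.h would also read better with a one-line note that the full types come from librpc/gen_ndr/ndr_krb5pac.h, as kerberos_pac.c includes it.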
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
 source='gssapi_pac.c kerberos_pac.c',
 deps='gssapi_krb5 krb5 ndr-krb5pac com_err')
diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c
index c16b35dceea..2f877e7f0a8 100644
--- a/libcli/auth/krb5_wrap.c
+++ b/libcli/auth/krb5_wrap.c
@@ -186,55 +186,6 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 return krb5_principal_compare_any_realm(context, princ1, princ2);
 }
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
- struct PAC_SIGNATURE_DATA *sig)
-{
-#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
- cksum->cksumtype = (krb5_cksumtype)sig->type;
- cksum->checksum.length = sig->signature.length;
- cksum->checksum.data = sig->signature.data;
-#else
- cksum->checksum_type = (krb5_cksumtype)sig->type;
- cksum->length = sig->signature.length;
- cksum->contents = sig->signature.data;
-#endif
-}
-
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- krb5_checksum *cksum,
- uint8_t *data,
- size_t length)
-{
- krb5_error_code ret;
-
- /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
-
- krb5_boolean checksum_valid = false;
- krb5_data input;
-
- input.data = (char *)data;
- input.length = length;
-
- ret = krb5_c_verify_checksum(context,
- keyblock,
- usage,
- &input,
- cksum,
- &checksum_valid);
- if (ret) {
- DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
- error_message(ret)));
- return ret;
- }
-
- if (!checksum_valid)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-
- return ret;
-}
-
 char *gssapi_error_string(TALLOC_CTX *mem_ctx, OM_uint32 maj_stat, OM_uint32 min_stat, const gss_OID mech)
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
index 8723d2ddaa5..4c0ef93e4c9 100644
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
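Review bot: The mode change to 100755 together with the added `#!/usr/bin/env python` line in auth/kerberos/wscript_build is unrelated to consolidating the PAC helpers named in the subject, and a build-script mode flip is easier to review and to revert as its own commit. As far as the rest of this tree shows, wscript_build fragments are read by the waf build rather than executed directly, so the executable bit does not look necessary here; if it is intentional, a sentence in the commit message saying why would help.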
@@ -21,8 +21,6 @@
 */
 #include "system/kerberos.h"
-struct PAC_SIGNATURE_DATA;
-struct PAC_DATA;
 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
 #define KRB5_KEY_TYPE(k) ((k)->keytype)
@@ -57,38 +55,8 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 bool smb_krb5_principal_compare_any_realm(krb5_context context,
 krb5_const_principal princ1,
 krb5_const_principal princ2);
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
- struct PAC_SIGNATURE_DATA *sig);
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
- const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- krb5_checksum *cksum,
- uint8_t *data,
- size_t length);
 char *gssapi_error_string(TALLOC_CTX *mem_ctx, OM_uint32 maj_stat, OM_uint32 min_stat, const gss_OID mech);
 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
-krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
- struct PAC_SIGNATURE_DATA *sig,
- krb5_context context,
- const krb5_keyblock *keyblock);
-
-NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
- DATA_BLOB pac_data_blob,
- krb5_context context,
- const krb5_keyblock *krbtgt_keyblock,
- const krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_DATA **pac_data_out);
-
-NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
- gss_ctx_id_t gssapi_context,
- gss_name_t gss_client_name,
- DATA_BLOB *pac_data);
-NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
- gss_ctx_id_t gssapi_context,
- DATA_BLOB *session_key,
- uint32_t *keytype);
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index c37672620f4..9b9e96e89b3 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -27,7 +27,7 @@
 #include "auth/gensec/gensec.h"
 #include "lib/param/param.h"
 #ifdef HAVE_KRB5
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #endif
 #include "librpc/crypto/gse.h"
 #include "auth/credentials/credentials.h"
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
index 152652512d9..88e91e1670b 100644
--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@@ -35,6 +35,7 @@
 #endif
 #include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #ifndef KRB5_ADDR_NETBIOS
 #define KRB5_ADDR_NETBIOS 0x14
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c6d4fb5fd58..7de15c8673c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -42,6 +42,7 @@
 #include
 #include "gensec_gssapi.h"
 #include "lib/util/util_net.h"
+#include "auth/kerberos/pac_utils.h"
 _PUBLIC_ NTSTATUS gensec_gssapi_init(void);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index ca933f5b0fe..8dde8373a8e 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -40,6 +40,7 @@
 #include "auth/auth_sam_reply.h"
 #include "lib/util/util_net.h"
 #include "../lib/util/asn1.h"
+#include "auth/kerberos/pac_utils.h"
 _PUBLIC_ NTSTATUS gensec_krb5_init(void);
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 2e60af6f846..82a029871c6 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -31,6 +31,7 @@
 #include
 #include "auth/auth_sam_reply.h"
 #include "auth/kerberos/kerberos_util.h"
+#include "auth/kerberos/pac_utils.h"
 _PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 DATA_BLOB blob,
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3b0f00f8503..d654dc32cae 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -32,6 +32,7 @@
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "libcli/security/security.h"
 #include "dsdb/samdb/samdb.h"
+#include "auth/kerberos/pac_utils.h"
 static NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index 4840a79b7fd..827864242cb 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -31,6 +31,7 @@
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "torture/auth/proto.h"
+#include "auth/kerberos/pac_utils.h"
 static bool torture_pac_self_check(struct torture_context *tctx)
 {
-- 
2.11.4.GIT