2025-03-27 22:50:26 +03:00 · 2012-03-31 22:09:22 -04:00 · 2012-03-31 22:09:22 -04:00 · 70c303a7f3
commit 70c303a7f3
parent 3fd6deda7d
13 changed files with 83 additions and 91 deletions
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@ -22,6 +22,7 @@
 #ifdef HAVE_KRB5

 #include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"

 #if 0
 /* FIXME - need proper configure/waf test
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@ -26,7 +26,7 @@
 #ifdef HAVE_KRB5

 #include "librpc/gen_ndr/ndr_krb5pac.h"
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"

 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 					  struct PAC_SIGNATURE_DATA *sig,
@ -36,8 +36,18 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_error_code ret;
 	krb5_checksum cksum;
 	krb5_keyusage usage = 0;
+	krb5_boolean checksum_valid = false;
+	krb5_data input;

-	smb_krb5_checksum_from_pac_sig(&cksum, sig);
+#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+	cksum.cksumtype	= (krb5_cksumtype)sig->type;
+	cksum.checksum.length	= sig->signature.length;
+	cksum.checksum.data	= sig->signature.data;
+#else /* MIT */
+	cksum.checksum_type	= (krb5_cksumtype)sig->type;
+	cksum.length		= sig->signature.length;
+	cksum.contents		= sig->signature.data;
+#endif

 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
 	usage = KRB5_KU_OTHER_CKSUM;
@ -47,14 +57,19 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 #error UNKNOWN_KRB5_KEYUSAGE
 #endif

-	ret = smb_krb5_verify_checksum(context,
-				       keyblock,
-				       usage,
-				       &cksum,
-				       pac_data.data,
-				       pac_data.length);
+	input.data = (char *)pac_data.data;
+	input.length = pac_data.length;

-	if (ret) {
+	ret = krb5_c_verify_checksum(context,
+				     keyblock,
+				     usage,
+				     &input,
+				     &cksum,
+				     &checksum_valid);
+	if (!checksum_valid) {
+		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	}
+	if (ret){
 		DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
 			error_message(ret), ret));
 		return ret;
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@ -0,0 +1,50 @@
+/*
+   Unix SMB/CIFS implementation.
+   kerberos authorization data (PAC) utility library
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
+   Copyright (C) Simo Sorce 2010-2012
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _PAC_UTILS_H
+#define _PAC_UTILS_H
+
+#include "libcli/auth/krb5_wrap.h"
+struct PAC_SIGNATURE_DATA;
+struct PAC_DATA;
+
+krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+				   struct PAC_SIGNATURE_DATA *sig,
+				   krb5_context context,
+				   const krb5_keyblock *keyblock);
+
+NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+			     DATA_BLOB pac_data_blob,
+			     krb5_context context,
+			     const krb5_keyblock *krbtgt_keyblock,
+			     const krb5_keyblock *service_keyblock,
+			     krb5_const_principal client_principal,
+			     time_t tgs_authtime,
+			     struct PAC_DATA **pac_data_out);
+
+NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
+				gss_ctx_id_t gssapi_context,
+				gss_name_t gss_client_name,
+				DATA_BLOB *pac_data);
+NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
+				gss_ctx_id_t gssapi_context,
+				DATA_BLOB *session_key,
+				uint32_t *keytype);
+#endif /* _PAC_UTILS_H */
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
@ -1,3 +1,4 @@
+#!/usr/bin/env python
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
                    source='gssapi_pac.c kerberos_pac.c',
                    deps='gssapi_krb5 krb5 ndr-krb5pac com_err')
--- a/libcli/auth/krb5_wrap.c
+++ b/libcli/auth/krb5_wrap.c
@ -186,55 +186,6 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 	return krb5_principal_compare_any_realm(context, princ1, princ2);
 }

- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
-				     struct PAC_SIGNATURE_DATA *sig)
-{
-#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
-	cksum->cksumtype	= (krb5_cksumtype)sig->type;
-	cksum->checksum.length	= sig->signature.length;
-	cksum->checksum.data	= sig->signature.data;
-#else
-	cksum->checksum_type	= (krb5_cksumtype)sig->type;
-	cksum->length		= sig->signature.length;
-	cksum->contents		= sig->signature.data;
-#endif
-}
-
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
-					  const krb5_keyblock *keyblock,
-					 krb5_keyusage usage,
-					 krb5_checksum *cksum,
-					 uint8_t *data,
-					 size_t length)
-{
-	krb5_error_code ret;
-
-	/* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
-
-	krb5_boolean checksum_valid = false;
-	krb5_data input;
-	
-	input.data = (char *)data;
-	input.length = length;
-	
-	ret = krb5_c_verify_checksum(context, 
-				     keyblock, 
-				     usage,
-				     &input, 
-				     cksum,
-				     &checksum_valid);
-	if (ret) {
-		DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
-			 error_message(ret)));
-		return ret;
-	}
-	
-	if (!checksum_valid)
-		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-
-	return ret;
-}
-
 char *gssapi_error_string(TALLOC_CTX *mem_ctx, 
 			  OM_uint32 maj_stat, OM_uint32 min_stat, 
 			  const gss_OID mech)
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
@ -21,8 +21,6 @@
 */

 #include "system/kerberos.h"
-struct PAC_SIGNATURE_DATA;
-struct PAC_DATA;

 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
 #define KRB5_KEY_TYPE(k)	((k)->keytype)
@ -57,38 +55,8 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 bool smb_krb5_principal_compare_any_realm(krb5_context context, 
 					  krb5_const_principal princ1, 
 					   krb5_const_principal princ2);
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
-				     struct PAC_SIGNATURE_DATA *sig);
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
-					  const krb5_keyblock *keyblock,
-					 krb5_keyusage usage,
-					 krb5_checksum *cksum,
-					 uint8_t *data,
-					  size_t length);
 char *gssapi_error_string(TALLOC_CTX *mem_ctx, 
 			  OM_uint32 maj_stat, OM_uint32 min_stat, 
 			  const gss_OID mech);
 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);

-krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
-				   struct PAC_SIGNATURE_DATA *sig,
-				   krb5_context context,
-				   const krb5_keyblock *keyblock);
-
-NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
-			     DATA_BLOB pac_data_blob,
-			     krb5_context context,
-			     const krb5_keyblock *krbtgt_keyblock,
-			     const krb5_keyblock *service_keyblock,
-			     krb5_const_principal client_principal,
-			     time_t tgs_authtime,
-			     struct PAC_DATA **pac_data_out);
-
-NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
-				gss_ctx_id_t gssapi_context,
-				gss_name_t gss_client_name,
-				DATA_BLOB *pac_data);
-NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
-				gss_ctx_id_t gssapi_context,
-				DATA_BLOB *session_key, 
-				uint32_t *keytype);
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@ -27,7 +27,7 @@
 #include "auth/gensec/gensec.h"
 #include "lib/param/param.h"
 #ifdef HAVE_KRB5
-#include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"
 #endif
 #include "librpc/crypto/gse.h"
 #include "auth/credentials/credentials.h"
--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@ -35,6 +35,7 @@
 #endif

 #include "libcli/auth/krb5_wrap.h"
+#include "auth/kerberos/pac_utils.h"

 #ifndef KRB5_ADDR_NETBIOS
 #define KRB5_ADDR_NETBIOS 0x14
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@ -42,6 +42,7 @@
 #include <gssapi/gssapi_spnego.h>
 #include "gensec_gssapi.h"
 #include "lib/util/util_net.h"
+#include "auth/kerberos/pac_utils.h"

 _PUBLIC_ NTSTATUS gensec_gssapi_init(void);

--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@ -40,6 +40,7 @@
 #include "auth/auth_sam_reply.h"
 #include "lib/util/util_net.h"
 #include "../lib/util/asn1.h"
+#include "auth/kerberos/pac_utils.h"

 _PUBLIC_ NTSTATUS gensec_krb5_init(void);

--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@ -31,6 +31,7 @@
 #include <ldb.h>
 #include "auth/auth_sam_reply.h"
 #include "auth/kerberos/kerberos_util.h"
+#include "auth/kerberos/pac_utils.h"

 _PUBLIC_  NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 					   DATA_BLOB blob,
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@ -32,6 +32,7 @@
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "libcli/security/security.h"
 #include "dsdb/samdb/samdb.h"
+#include "auth/kerberos/pac_utils.h"

 static
 NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@ -31,6 +31,7 @@
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "torture/auth/proto.h"
+#include "auth/kerberos/pac_utils.h"

 static bool torture_pac_self_check(struct torture_context *tctx)
 {