git.samba.org / ira / wip.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix some more callers of PAC_DATA.
[ira/wip.git] / source3 / libads / kerberos_verify.c
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 12e8ee9955b68b8f8ba3cc0281fc902323a4264c..f112dd34e3709f6aef38b3fb37c856918d708b57 100644 (file)
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -20,8 +20,7 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
@@ -38,7 +37,7 @@ const krb5_data *krb5_princ_component(krb5_context, krb5_principal, int );
  ads_keytab_add_entry function for details.
 ***********************************************************************************/
 
-static BOOL ads_keytab_verify_ticket(krb5_context context,
+static bool ads_keytab_verify_ticket(krb5_context context,
                                        krb5_auth_context auth_context,
                                        const DATA_BLOB *ticket,
                                        krb5_ticket **pp_tkt,
@@ -46,7 +45,7 @@ static BOOL ads_keytab_verify_ticket(krb5_context context,
                                        krb5_error_code *perr)
 {
        krb5_error_code ret = 0;
-       BOOL auth_ok = False;
+       bool auth_ok = False;
        krb5_keytab keytab = NULL;
        krb5_kt_cursor kt_cursor;
        krb5_keytab_entry kt_entry;
@@ -211,7 +210,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
                                                krb5_error_code *perr)
 {
        krb5_error_code ret = 0;
-       BOOL auth_ok = False;
+       bool auth_ok = False;
        char *password_s = NULL;
        krb5_data password;
        krb5_enctype enctypes[] = { 
@@ -286,6 +285,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
                if (ret == KRB5KRB_AP_ERR_TKT_NYV || 
                    ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
                    ret == KRB5KRB_AP_ERR_SKEW) {
+                       krb5_free_keyblock(context, key);
                        break;
                }
 
@@ -309,10 +309,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
                           time_t time_offset,
                           const DATA_BLOB *ticket,
                           char **principal,
-                          PAC_DATA **pac_data,
+                          struct PAC_DATA **pac_data,
                           DATA_BLOB *ap_rep,
                           DATA_BLOB *session_key,
-                          BOOL use_replay_cache)
+                          bool use_replay_cache)
 {
        NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
        NTSTATUS pac_ret;
@@ -329,9 +329,9 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
        krb5_principal host_princ = NULL;
        krb5_const_principal client_principal = NULL;
        char *host_princ_s = NULL;
-       BOOL auth_ok = False;
-       BOOL got_replay_mutex = False;
-       BOOL got_auth_data = False;
+       bool auth_ok = False;
+       bool got_replay_mutex = False;
+       bool got_auth_data = False;
 
        ZERO_STRUCT(packet);
        ZERO_STRUCT(auth_data);
@@ -427,9 +427,16 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
        /* Try secrets.tdb first and fallback to the krb5.keytab if
           necessary */
 
-        auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+       auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
                                            ticket, &tkt, &keyblock, &ret);
 
+       if (!auth_ok &&
+           (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+            ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+            ret == KRB5KRB_AP_ERR_SKEW)) {
+               goto auth_failed;
+       }
+
        if (!auth_ok && lp_use_kerberos_keytab()) {
                auth_ok = ads_keytab_verify_ticket(context, auth_context, 
                                                   ticket, &tkt, &keyblock, &ret);
@@ -446,6 +453,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 #endif
        }       
 
+ auth_failed:
        if (!auth_ok) {
                DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
                         error_message(ret)));
@@ -493,8 +501,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
                DEBUG(3,("ads_verify_ticket: did not retrieve auth data. continuing without PAC\n"));
        }
 
-       if (got_auth_data && pac_data != NULL) {
-
+       if (got_auth_data) {
                pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
                if (!NT_STATUS_IS_OK(pac_ret)) {
                        DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
Unnamed repository; edit this file 'description' to name the repository.