s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.
1 /*
2    Unix SMB/CIFS implementation.
3
4    PAC Glue between Samba and the KDC
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7    Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include <hdb.h>
28 #include "kdc/samba_kdc.h"
29 #include "kdc/pac-glue.h"
30 #include "librpc/gen_ndr/ndr_krb5pac.h"
31 #include "auth/kerberos/pac_utils.h"
32 #include "kdc/kdc-glue.h"
33
/**
 * Verify a PAC's KDC signature with a key taken from an HDB entry.
 *
 * The checksum type stored in kdc_sig decides which encryption type is
 * looked up in ent; the key found there is handed to check_pac_checksum(),
 * which performs the actual verification.
 *
 * @param context  Kerberos library context used for the lookups.
 * @param srv_sig  Blob passed to check_pac_checksum() as the data to verify
 *                 (presumably the PAC server signature - confirm at caller).
 * @param kdc_sig  Signature to verify; its type field selects the key.
 *                 Dereferenced without a NULL check.
 * @param ent      HDB entry searched for a key of the derived enctype.
 *                 Dereferenced without a NULL check.
 *
 * @return A non-zero code from krb5_cksumtype_to_enctype() or
 *         hdb_enctype2key() if either fails, otherwise the result of
 *         check_pac_checksum().
 */
int kdc_check_pac(krb5_context context,
		  DATA_BLOB srv_sig,
		  struct PAC_SIGNATURE_DATA *kdc_sig,
		  struct hdb_entry_ex *ent)
{
	/* HMAC-MD5 is paired with the arcfour-hmac enctype directly;
	 * every other checksum type goes through the library mapping. */
	krb5_enctype enctype = ENCTYPE_ARCFOUR_HMAC;
	krb5_keyblock kdc_key;
	Key *hdb_key;
	int rc;

	/*
	 * NOTE(review): kdc_sig->type is read from the signature being
	 * validated, and nothing in this function limits which checksum
	 * types are acceptable. Any enctype for which ent holds a key can
	 * therefore be selected, including arcfour-hmac. If weaker types
	 * must be refused, that policy has to be enforced by the caller or
	 * added here - confirm which.
	 */
	if (kdc_sig->type != CKSUMTYPE_HMAC_MD5) {
		rc = krb5_cksumtype_to_enctype(context, kdc_sig->type,
					       &enctype);
		if (rc != 0) {
			return rc;
		}
	}

	/* The hdb_enctype2key() signature differs between HDB versions. */
#if HDB_ENCTYPE2KEY_TAKES_KEYSET
	rc = hdb_enctype2key(context, &ent->entry, NULL, enctype, &hdb_key);
#else
	rc = hdb_enctype2key(context, &ent->entry, enctype, &hdb_key);
#endif
	if (rc != 0) {
		/* No key of the requested enctype (or lookup failure). */
		return rc;
	}

	/* Struct copy only: the key material itself is not duplicated here. */
	kdc_key = hdb_key->key;

	return check_pac_checksum(srv_sig, kdc_sig, context, &kdc_key);
}