2 Unix SMB/CIFS implementation.
4 Kerberos backend for GENSEC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Luke Howard 2002-2003
9 Copyright (C) Stefan Metzmacher 2004-2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program; if not, write to the Free Software
24 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #include "system/kerberos.h"
29 #include "system/time.h"
30 #include "system/network.h"
31 #include "auth/kerberos/kerberos.h"
32 #include "librpc/gen_ndr/ndr_krb5pac.h"
33 #include "auth/auth.h"
35 static NTSTATUS kerberos_pac_checksum(TALLOC_CTX *mem_ctx,
37 struct PAC_SIGNATURE_DATA *sig,
38 struct smb_krb5_context *smb_krb5_context,
39 krb5_keyblock *keyblock,
47 cksum.cksumtype = (CKSUMTYPE)sig->type;
48 cksum.checksum.length = sizeof(sig->signature);
49 cksum.checksum.data = sig->signature;
52 ret = krb5_crypto_init(smb_krb5_context->krb5_context,
57 DEBUG(0,("krb5_crypto_init() failed\n"));
58 return NT_STATUS_FOOBAR;
60 for (i=0; i < 40; i++) {
62 ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
69 DEBUG(0, ("PAC Verified: keyusage: %d\n", keyusage));
72 DEBUG(2, ("PAC Verification failed: %s\n",
73 smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
77 krb5_crypto_destroy(smb_krb5_context->krb5_context, crypto);
80 DEBUG(0,("NOT verifying PAC checksums yet!\n"));
81 //return NT_STATUS_LOGON_FAILURE;
83 DEBUG(0,("PAC checksums verified!\n"));
89 NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
90 struct PAC_LOGON_INFO **logon_info_out,
92 struct smb_krb5_context *smb_krb5_context,
93 krb5_keyblock *keyblock)
96 struct PAC_SIGNATURE_DATA srv_sig;
97 struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
98 struct PAC_SIGNATURE_DATA kdc_sig;
99 struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
100 struct PAC_LOGON_INFO *logon_info = NULL;
101 struct PAC_DATA pac_data;
102 DATA_BLOB modified_pac_blob = data_blob_talloc(mem_ctx, blob.data, blob.length);
106 status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
107 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
108 if (!NT_STATUS_IS_OK(status)) {
109 DEBUG(0,("can't parse the PAC\n"));
112 NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
114 if (pac_data.num_buffers < 3) {
115 /* we need logon_ingo, service_key and kdc_key */
116 DEBUG(0,("less than 3 PAC buffers\n"));
117 return NT_STATUS_FOOBAR;
120 for (i=0; i < pac_data.num_buffers; i++) {
121 switch (pac_data.buffers[i].type) {
122 case PAC_TYPE_LOGON_INFO:
123 if (!pac_data.buffers[i].info) {
126 logon_info = &pac_data.buffers[i].info->logon_info;
128 case PAC_TYPE_SRV_CHECKSUM:
129 if (!pac_data.buffers[i].info) {
132 srv_sig_ptr = &pac_data.buffers[i].info->srv_cksum;
133 srv_sig = pac_data.buffers[i].info->srv_cksum;
135 case PAC_TYPE_KDC_CHECKSUM:
136 if (!pac_data.buffers[i].info) {
139 kdc_sig_ptr = &pac_data.buffers[i].info->kdc_cksum;
140 kdc_sig = pac_data.buffers[i].info->kdc_cksum;
142 case PAC_TYPE_UNKNOWN_10:
150 DEBUG(0,("PAC no logon_info\n"));
151 return NT_STATUS_FOOBAR;
155 DEBUG(0,("PAC no srv_key\n"));
156 return NT_STATUS_FOOBAR;
160 DEBUG(0,("PAC no kdc_key\n"));
161 return NT_STATUS_FOOBAR;
164 memset(&modified_pac_blob.data[modified_pac_blob.length - 48],
167 status = ndr_pull_struct_blob(&modified_pac_blob, mem_ctx, &pac_data,
168 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
169 if (!NT_STATUS_IS_OK(status)) {
170 DEBUG(0,("can't parse the PAC\n"));
173 NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
175 /* verify by servie_key */
176 status = kerberos_pac_checksum(mem_ctx,
177 modified_pac_blob, &srv_sig,
178 smb_krb5_context, keyblock, 0);
180 if (!NT_STATUS_IS_OK(status)) {
183 DEBUG(0,("account_name: %s [%s]\n",
184 logon_info->info3.base.account_name.string,
185 logon_info->info3.base.full_name.string));
186 *logon_info_out = logon_info;