2 Unix SMB/CIFS implementation.
4 Kerberos backend for GENSEC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Luke Howard 2002-2003
9 Copyright (C) Stefan Metzmacher 2004-2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program; if not, write to the Free Software
24 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #include "system/kerberos.h"
29 #include "system/time.h"
30 #include "system/network.h"
31 #include "auth/kerberos/kerberos.h"
32 #include "librpc/gen_ndr/ndr_krb5pac.h"
33 #include "auth/auth.h"
35 #ifdef KRB5_DO_VERIFY_PAC
36 static NTSTATUS kerberos_pac_checksum(DATA_BLOB pac_data,
37 struct PAC_SIGNATURE_DATA *sig,
38 struct smb_krb5_context *smb_krb5_context,
46 cksum.cksumtype = (CKSUMTYPE)sig->type;
47 cksum.checksum.length = sizeof(sig->signature);
48 cksum.checksum.data = sig->signature;
51 ret = krb5_crypto_init(smb_krb5_context->krb5_context,
52 &gensec_krb5_state->keyblock,
56 DEBUG(0,("krb5_crypto_init() failed\n"));
57 return NT_STATUS_FOOBAR;
59 for (i=0; i < 40; i++) {
61 ret = krb5_verify_checksum(smb_krb5_context->krb5_context,
68 DEBUG(0,("PAC Verified: keyusage: %d\n", keyusage));
72 krb5_crypto_destroy(smb_krb5_context->krb5_context, crypto);
75 DEBUG(0,("NOT verifying PAC checksums yet!\n"));
76 //return NT_STATUS_LOGON_FAILURE;
78 DEBUG(0,("PAC checksums verified!\n"));
85 NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
86 struct PAC_LOGON_INFO **logon_info_out,
88 struct smb_krb5_context *smb_krb5_context)
91 struct PAC_SIGNATURE_DATA srv_sig;
92 struct PAC_SIGNATURE_DATA *srv_sig_ptr;
93 struct PAC_SIGNATURE_DATA kdc_sig;
94 struct PAC_SIGNATURE_DATA *kdc_sig_ptr;
95 struct PAC_LOGON_INFO *logon_info = NULL;
96 struct PAC_DATA pac_data;
97 #ifdef KRB5_DO_VERIFY_PAC
98 DATA_BLOB tmp_blob = data_blob(NULL, 0);
102 status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
103 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
104 if (!NT_STATUS_IS_OK(status)) {
105 DEBUG(0,("can't parse the PAC\n"));
108 NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
110 if (pac_data.num_buffers < 3) {
111 /* we need logon_ingo, service_key and kdc_key */
112 DEBUG(0,("less than 3 PAC buffers\n"));
113 return NT_STATUS_FOOBAR;
116 for (i=0; i < pac_data.num_buffers; i++) {
117 switch (pac_data.buffers[i].type) {
118 case PAC_TYPE_LOGON_INFO:
119 if (!pac_data.buffers[i].info) {
122 logon_info = &pac_data.buffers[i].info->logon_info;
124 case PAC_TYPE_SRV_CHECKSUM:
125 if (!pac_data.buffers[i].info) {
128 srv_sig_ptr = &pac_data.buffers[i].info->srv_cksum;
129 srv_sig = pac_data.buffers[i].info->srv_cksum;
131 case PAC_TYPE_KDC_CHECKSUM:
132 if (!pac_data.buffers[i].info) {
135 kdc_sig_ptr = &pac_data.buffers[i].info->kdc_cksum;
136 kdc_sig = pac_data.buffers[i].info->kdc_cksum;
138 case PAC_TYPE_UNKNOWN_10:
146 DEBUG(0,("PAC no logon_info\n"));
147 return NT_STATUS_FOOBAR;
151 DEBUG(0,("PAC no srv_key\n"));
152 return NT_STATUS_FOOBAR;
156 DEBUG(0,("PAC no kdc_key\n"));
157 return NT_STATUS_FOOBAR;
159 #ifdef KRB5_DO_VERIFY_PAC
160 /* clear the kdc_key */
161 /* memset((void *)kdc_sig_ptr , '\0', sizeof(*kdc_sig_ptr));*/
163 status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
164 (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
165 if (!NT_STATUS_IS_OK(status)) {
168 status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
169 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
170 if (!NT_STATUS_IS_OK(status)) {
171 DEBUG(0,("can't parse the PAC\n"));
174 /*NDR_PRINT_DEBUG(PAC_DATA, &pac_data);*/
176 /* verify by kdc_key */
177 status = kerberos_pac_checksum(tmp_blob, &kdc_sig, smb_krb5_context, 0);
179 if (!NT_STATUS_IS_OK(status)) {
183 /* clear the service_key */
184 /* memset((void *)srv_sig_ptr , '\0', sizeof(*srv_sig_ptr));*/
186 status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
187 (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
188 if (!NT_STATUS_IS_OK(status)) {
191 status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
192 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
193 if (!NT_STATUS_IS_OK(status)) {
194 DEBUG(0,("can't parse the PAC\n"));
197 NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
199 /* verify by servie_key */
200 status = kerberos_pac_checksum(tmp_blob, &srv_sig, smb_krb5_context, 0);
202 if (!NT_STATUS_IS_OK(status)) {
206 DEBUG(0,("account_name: %s [%s]\n",
207 logon_info->info3.base.account_name.string,
208 logon_info->info3.base.full_name.string));
209 *logon_info_out = logon_info;