Line data Source code
1 : /* 2 : Unix SMB/CIFS implementation. 3 : 4 : PAC Glue between Samba and the KDC 5 : 6 : Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009 7 : Copyright (C) Simo Sorce <idra@samba.org> 2010 8 : 9 : This program is free software; you can redistribute it and/or modify 10 : it under the terms of the GNU General Public License as published by 11 : the Free Software Foundation; either version 3 of the License, or 12 : (at your option) any later version. 13 : 14 : This program is distributed in the hope that it will be useful, 15 : but WITHOUT ANY WARRANTY; without even the implied warranty of 16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 : GNU General Public License for more details. 18 : 19 : 20 : You should have received a copy of the GNU General Public License 21 : along with this program. If not, see <http://www.gnu.org/licenses/>. 22 : */ 23 : 24 : #include "includes.h" 25 : #include "system/kerberos.h" 26 : #include "auth/kerberos/kerberos.h" 27 : #include <hdb.h> 28 : #include "kdc/samba_kdc.h" 29 : #include "kdc/pac-glue.h" 30 : #include "librpc/gen_ndr/ndr_krb5pac.h" 31 : #include "auth/kerberos/pac_utils.h" 32 : #include "kdc/kdc-glue.h" 33 : 34 : #undef DBGC_CLASS 35 : #define DBGC_CLASS DBGC_KERBEROS 36 : 37 90 : int kdc_check_pac(krb5_context context, 38 : DATA_BLOB srv_sig, 39 : struct PAC_SIGNATURE_DATA *kdc_sig, 40 : hdb_entry *ent) 41 : { 42 0 : krb5_enctype etype; 43 0 : int ret; 44 0 : krb5_keyblock keyblock; 45 0 : Key *key; 46 : 47 90 : if (kdc_sig->type == CKSUMTYPE_HMAC_MD5) { 48 24 : etype = ENCTYPE_ARCFOUR_HMAC; 49 : } else { 50 66 : ret = krb5_cksumtype_to_enctype(context, 51 66 : kdc_sig->type, 52 : &etype); 53 66 : if (ret != 0) { 54 30 : return ret; 55 : } 56 : } 57 : 58 60 : ret = hdb_enctype2key(context, ent, NULL, etype, &key); 59 : 60 60 : if (ret != 0) { 61 0 : return ret; 62 : } 63 : 64 60 : keyblock = key->key; 65 : 66 60 : return check_pac_checksum(srv_sig, kdc_sig, 67 : context, &keyblock); 68 : } 69 : 70 97289 : struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r) 71 : { 72 97289 : const hdb_entry *device = kdc_request_get_armor_client(r); 73 97289 : struct samba_kdc_entry *device_skdc_entry = NULL; 74 97289 : const hdb_entry *device_krbtgt = NULL; 75 97289 : const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL; 76 97289 : const krb5_const_pac device_pac = kdc_request_get_armor_pac(r); 77 : 78 97289 : if (device != NULL) { 79 743 : device_skdc_entry = talloc_get_type_abort(device->context, 80 : struct samba_kdc_entry); 81 : 82 743 : device_krbtgt = kdc_request_get_armor_server(r); 83 743 : if (device_krbtgt != NULL) { 84 743 : device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context, 85 : struct samba_kdc_entry); 86 : } 87 : } 88 : 89 97289 : return samba_kdc_entry_pac(device_pac, 90 : device_skdc_entry, 91 97289 : samba_kdc_entry_is_trust(device_krbtgt_skdc_entry)); 92 : }