BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2)
{
#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
return krb5_principal_compare_any_realm(context, princ1, princ2);
/* krb5_princ_size is a macro in MIT */
#elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
int i, len1, len2;
const krb5_data *p1, *p2;
len1 = krb5_princ_size(context, princ1);
len2 = krb5_princ_size(context, princ2);
if (len1 != len2)
return False;
for (i = 0; i < len1; i++) {
p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
return False;
}
return True;
#else
#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
#endif
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_compare(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2)
{
if(!krb5_realm_compare(context, princ1, princ2))
return FALSE;
return krb5_principal_compare_any_realm(context, princ1, princ2);
}
static krb5_error_code armor_ap_request
(struct kdc_request_state *state, krb5_fast_armor *armor)
{
krb5_error_code retval = 0;
krb5_auth_context authcontext = NULL;
krb5_ticket *ticket = NULL;
krb5_keyblock *subkey = NULL;
kdc_realm_t *kdc_active_realm = state->realm_data;
assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);
krb5_clear_error_message(kdc_context);
retval = krb5_auth_con_init(kdc_context, &authcontext);
if (retval == 0)
retval = krb5_auth_con_setflags(kdc_context,
authcontext, 0); /*disable replay cache*/
retval = krb5_rd_req(kdc_context, &authcontext,
&armor->armor_value, NULL /*server*/,
kdc_active_realm->realm_keytab, NULL, &ticket);
if (retval != 0) {
const char * errmsg = krb5_get_error_message(kdc_context, retval);
krb5_set_error_message(kdc_context, retval,
_("%s while handling ap-request armor"),
errmsg);
krb5_free_error_message(kdc_context, errmsg);
}
if (retval == 0) {
if (!krb5_principal_compare_any_realm(kdc_context,
tgs_server,
ticket->server)) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
_("ap-request armor for something other "
"than the local TGS"));
retval = KRB5KDC_ERR_SERVER_NOMATCH;
}
}
if (retval == 0) {
retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
if (retval != 0 || subkey == NULL) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
_("ap-request armor without subkey"));
retval = KRB5KDC_ERR_POLICY;
}
}
if (retval == 0)
retval = krb5_c_fx_cf2_simple(kdc_context,
subkey, "subkeyarmor",
ticket->enc_part2->session, "ticketarmor",
&state->armor_key);
if (ticket)
krb5_free_ticket(kdc_context, ticket);
if (subkey)
krb5_free_keyblock(kdc_context, subkey);
if (authcontext)
krb5_auth_con_free(kdc_context, authcontext);
return retval;
}
static krb5_error_code
tkt_store(krb5_context context,
krb5_tkt_creds_context ctx,
krb5_data *in,
krb5_data *out,
krb5_realm *realm,
unsigned int *flags)
{
krb5_boolean bret;
_krb5_debugx(context, 10, "tkt_step_store: %s", ctx->server_name);
ctx->error = 0;
ctx->state = NULL;
if (ctx->options & KRB5_GC_NO_STORE)
return 0;
if (ctx->tickets) {
store_tgts(context, ctx->ccache, ctx->tickets);
free(ctx->tickets);
ctx->tickets = NULL;
}
heim_assert(ctx->cred != NULL, "store but no credential");
krb5_cc_store_cred(context, ctx->ccache, ctx->cred);
/*
* Store an referrals entry since the server changed from that
* expected and if we want to find it again next time, it
* better have the right name.
*
* We only need to compare any realm since the referrals
* matching code will do the same for us.
*/
bret = krb5_principal_compare_any_realm(context,
ctx->cred->server,
ctx->in_cred->server);
if (!bret) {
krb5_creds ref = *ctx->cred;
krb5_principal_data refp = *ctx->in_cred->server;
refp.realm = "";
ref.server = &refp;
krb5_cc_store_cred(context, ctx->ccache, &ref);
}
return 0;
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_kt_compare(krb5_context context,
krb5_keytab_entry *entry,
krb5_const_principal principal,
krb5_kvno vno,
krb5_enctype enctype)
{
/* krb5_principal_compare() does not special-case the referral realm */
if (principal != NULL && strcmp(principal->realm, "") == 0 &&
!(krb5_principal_compare_any_realm(context, entry->principal, principal) ||
compare_aliases(context, entry, principal))) {
return FALSE;
} else if (principal != NULL && strcmp(principal->realm, "") != 0 &&
!(krb5_principal_compare(context, entry->principal, principal) ||
compare_aliases(context, entry, principal))) {
return FALSE;
}
if (vno && vno != entry->vno)
return FALSE;
if (enctype && enctype != entry->keyblock.keytype)
return FALSE;
return TRUE;
}
static krb5_error_code
get_cred_kdc_referral(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
krb5_const_realm client_realm;
krb5_error_code ret;
krb5_creds tgt, referral, ticket;
int loop = 0;
int ok_as_delegate = 1;
if (in_creds->server->name.name_string.len < 2 && !flags.b.canonicalize) {
krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
N_("Name too short to do referals, skipping", ""));
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
}
memset(&tgt, 0, sizeof(tgt));
memset(&ticket, 0, sizeof(ticket));
flags.b.canonicalize = 1;
*out_creds = NULL;
client_realm = krb5_principal_get_realm(context, in_creds->client);
/* find tgt for the clients base realm */
{
krb5_principal tgtname;
ret = krb5_make_principal(context, &tgtname,
client_realm,
KRB5_TGS_NAME,
client_realm,
NULL);
if(ret)
return ret;
ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt);
krb5_free_principal(context, tgtname);
if (ret)
return ret;
}
referral = *in_creds;
ret = krb5_copy_principal(context, in_creds->server, &referral.server);
if (ret) {
krb5_free_cred_contents(context, &tgt);
return ret;
}
ret = krb5_principal_set_realm(context, referral.server, client_realm);
if (ret) {
krb5_free_cred_contents(context, &tgt);
krb5_free_principal(context, referral.server);
return ret;
}
while (loop++ < 17) {
krb5_creds **tickets;
krb5_creds mcreds;
char *referral_realm;
/* Use cache if we are not doing impersonation or contrainte deleg */
if (impersonate_principal == NULL || flags.b.constrained_delegation) {
krb5_cc_clear_mcred(&mcreds);
mcreds.server = referral.server;
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &ticket);
} else
ret = EINVAL;
if (ret) {
ret = get_cred_kdc_address(context, ccache, flags, NULL,
&referral, &tgt, impersonate_principal,
second_ticket, &ticket);
if (ret)
goto out;
}
/* Did we get the right ticket ? */
if (krb5_principal_compare_any_realm(context,
referral.server,
ticket.server))
break;
if (!krb5_principal_is_krbtgt(context, ticket.server)) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
N_("Got back an non krbtgt "
"ticket referrals", ""));
ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
referral_realm = ticket.server->name.name_string.val[1];
/* check that there are no referrals loops */
tickets = *ret_tgts;
krb5_cc_clear_mcred(&mcreds);
mcreds.server = ticket.server;
while(tickets && *tickets){
if(krb5_compare_creds(context,
KRB5_TC_DONT_MATCH_REALM,
&mcreds,
*tickets))
{
krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
N_("Referral from %s "
"loops back to realm %s", ""),
tgt.server->realm,
referral_realm);
ret = KRB5_GET_IN_TKT_LOOP;
goto out;
}
tickets++;
}
/*
* if either of the chain or the ok_as_delegate was stripped
* by the kdc, make sure we strip it too.
*/
if (ok_as_delegate == 0 || ticket.flags.b.ok_as_delegate == 0) {
ok_as_delegate = 0;
ticket.flags.b.ok_as_delegate = 0;
}
ret = add_cred(context, &ticket, ret_tgts);
if (ret)
goto out;
/* try realm in the referral */
ret = krb5_principal_set_realm(context,
referral.server,
referral_realm);
krb5_free_cred_contents(context, &tgt);
tgt = ticket;
memset(&ticket, 0, sizeof(ticket));
if (ret)
goto out;
}
ret = krb5_copy_creds(context, &ticket, out_creds);
out:
krb5_free_principal(context, referral.server);
krb5_free_cred_contents(context, &tgt);
krb5_free_cred_contents(context, &ticket);
return ret;
}
static void
get_princ_kt(krb5_context context,
krb5_principal *principal,
char *name)
{
krb5_error_code ret;
krb5_principal tmp;
krb5_ccache ccache;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
char *def_realm;
if (name == NULL) {
/*
* If the credential cache exists and specifies a client principal,
* use that.
*/
if (krb5_cc_default(context, &ccache) == 0) {
ret = krb5_cc_get_principal(context, ccache, principal);
krb5_cc_close(context, ccache);
if (ret == 0)
return;
}
}
if (name) {
/* If the principal specifies an explicit realm, just use that. */
int parseflags = KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
parse_name_realm(context, name, parseflags, NULL, &tmp);
if (krb5_principal_get_realm(context, tmp) != NULL) {
*principal = tmp;
return;
}
} else {
/* Otherwise, search keytab for bare name of the default principal. */
get_default_principal(context, &tmp);
set_princ_realm(context, tmp, NULL);
}
def_realm = get_default_realm(context);
ret = krb5_kt_start_seq_get(context, kt, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
while (ret == 0 &&
krb5_kt_next_entry(context, kt, &entry, &cursor) == 0) {
const char *realm;
if (!krb5_principal_compare_any_realm(context, tmp, entry.principal))
continue;
if (*principal &&
krb5_principal_compare(context, *principal, entry.principal))
continue;
/* The default realm takes precedence */
realm = krb5_principal_get_realm(context, entry.principal);
if (*principal && strcmp(def_realm, realm) == 0) {
krb5_free_principal(context, *principal);
ret = krb5_copy_principal(context, entry.principal, principal);
break;
}
if (!*principal)
ret = krb5_copy_principal(context, entry.principal, principal);
}
if (ret != 0 || (ret = krb5_kt_end_seq_get(context, kt, &cursor)) != 0)
krb5_err(context, 1, ret, "get_princ_kt");
if (!*principal) {
if (name)
parse_name_realm(context, name, 0, NULL, principal);
else
krb5_err(context, 1, KRB5_CC_NOTFOUND, "get_princ_kt");
}
krb5_free_principal(context, tmp);
free(def_realm);
}
static krb5_error_code
tkt_referral_recv(krb5_context context,
krb5_tkt_creds_context ctx,
krb5_data *in,
krb5_data *out,
krb5_realm *realm,
unsigned int *flags)
{
krb5_error_code ret;
krb5_creds outcred, mcred;
unsigned long n;
_krb5_debugx(context, 10, "tkt_referral_recv: %s", ctx->server_name);
memset(&outcred, 0, sizeof(outcred));
ret = parse_tgs_rep(context, ctx, in, &outcred);
if (ret) {
_krb5_debugx(context, 10, "tkt_referral_recv: parse_tgs_rep %d", ret);
tkt_reset(context, ctx);
ctx->state = tkt_capath_init;
return 0;
}
/*
* Check if we found the right ticket
*/
if (krb5_principal_compare_any_realm(context, ctx->next.server, outcred.server)) {
ret = krb5_copy_creds(context, &outcred, &ctx->cred);
if (ret)
return (ctx->error = ret);
krb5_free_cred_contents(context, &outcred);
ctx->state = tkt_store;
return 0;
}
if (!krb5_principal_is_krbtgt(context, outcred.server)) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
N_("Got back an non krbtgt "
"ticket referrals", ""));
krb5_free_cred_contents(context, &outcred);
ctx->state = tkt_capath_init;
return 0;
}
_krb5_debugx(context, 10, "KDC for realm %s sends a referrals to %s",
ctx->tgt.server->realm, outcred.server->name.name_string.val[1]);
/*
* check if there is a loop
*/
krb5_cc_clear_mcred(&mcred);
mcred.server = outcred.server;
for (n = 0; ctx->tickets && ctx->tickets[n]; n++) {
if(krb5_compare_creds(context,
KRB5_TC_DONT_MATCH_REALM,
&mcred,
ctx->tickets[n]))
{
_krb5_debugx(context, 5, "Referral from %s loops back to realm %s",
ctx->tgt.server->realm,
outcred.server->realm);
ctx->state = tkt_capath_init;
return 0;
}
}
#define MAX_KDC_REFERRALS_LOOPS 15
if (n > MAX_KDC_REFERRALS_LOOPS) {
ctx->state = tkt_capath_init;
return 0;
}
/*
* filter out ok-as-delegate if needed
*/
if (ctx->ok_as_delegate == 0 || outcred.flags.b.ok_as_delegate == 0) {
ctx->ok_as_delegate = 0;
outcred.flags.b.ok_as_delegate = 0;
}
/* add to iteration cache */
ret = add_cred(context, &outcred, &ctx->tickets);
if (ret) {
ctx->state = tkt_capath_init;
return 0;
}
/* set up next server to talk to */
krb5_free_cred_contents(context, &ctx->tgt);
ctx->tgt = outcred;
/*
* Setup next target principal to target
*/
ret = krb5_principal_set_realm(context, ctx->next.server,
ctx->tgt.server->realm);
if (ret) {
ctx->state = tkt_capath_init;
return 0;
}
ctx->state = tkt_referral_send;
return 0;
}
static krb5_error_code
verify_logonname(krb5_context context,
const struct PAC_INFO_BUFFER *logon_name,
const krb5_data *data,
time_t authtime,
krb5_const_principal principal)
{
krb5_error_code ret;
krb5_principal p2;
uint32_t time1, time2;
krb5_storage *sp;
uint16_t len;
char *s;
sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
logon_name->buffersize);
if (sp == NULL)
return krb5_enomem(context);
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
CHECK(ret, krb5_ret_uint32(sp, &time1), out);
CHECK(ret, krb5_ret_uint32(sp, &time2), out);
{
uint64_t t1, t2;
t1 = unix2nttime(authtime);
t2 = ((uint64_t)time2 << 32) | time1;
if (t1 != t2) {
krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "PAC timestamp mismatch");
return EINVAL;
}
}
CHECK(ret, krb5_ret_uint16(sp, &len), out);
if (len == 0) {
krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "PAC logon name length missing");
return EINVAL;
}
s = malloc(len);
if (s == NULL) {
krb5_storage_free(sp);
return krb5_enomem(context);
}
ret = krb5_storage_read(sp, s, len);
if (ret != len) {
krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
return EINVAL;
}
krb5_storage_free(sp);
{
size_t ucs2len = len / 2;
uint16_t *ucs2;
size_t u8len;
unsigned int flags = WIND_RW_LE;
ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
if (ucs2 == NULL)
return krb5_enomem(context);
ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
free(s);
if (ret) {
free(ucs2);
krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
return ret;
}
ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
if (ret) {
free(ucs2);
krb5_set_error_message(context, ret, "Failed to count length of UCS-2 string");
return ret;
}
u8len += 1; /* Add space for NUL */
s = malloc(u8len);
if (s == NULL) {
free(ucs2);
return krb5_enomem(context);
}
ret = wind_ucs2utf8(ucs2, ucs2len, s, &u8len);
free(ucs2);
if (ret) {
free(s);
krb5_set_error_message(context, ret, "Failed to convert to UTF-8");
return ret;
}
}
ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
free(s);
if (ret)
return ret;
if (krb5_principal_compare_any_realm(context, principal, p2) != TRUE) {
ret = EINVAL;
krb5_set_error_message(context, ret, "PAC logon name mismatch");
}
krb5_free_principal(context, p2);
return ret;
out:
return ret;
}
/*ARGSUSED*/
void
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
krb5_error_code errcode;
krb5_timestamp rtime;
unsigned int s_flags = 0;
krb5_data encoded_req_body;
krb5_enctype useenctype;
struct as_req_state *state;
state = k5alloc(sizeof(*state), &errcode);
if (state == NULL) {
(*respond)(arg, errcode, NULL);
return;
}
state->respond = respond;
state->arg = arg;
state->request = request;
state->req_pkt = req_pkt;
state->from = from;
state->active_realm = kdc_active_realm;
errcode = kdc_make_rstate(kdc_active_realm, &state->rstate);
if (errcode != 0) {
(*respond)(arg, errcode, NULL);
return;
}
if (state->request->msg_type != KRB5_AS_REQ) {
state->status = "msg_type mismatch";
errcode = KRB5_BADMSGTYPE;
goto errout;
}
if (fetch_asn1_field((unsigned char *) req_pkt->data,
1, 4, &encoded_req_body) != 0) {
errcode = ASN1_BAD_ID;
state->status = "Finding req_body";
goto errout;
}
errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
state->rstate, &state->inner_body);
if (errcode) {
state->status = "error decoding FAST";
goto errout;
}
if (state->inner_body == NULL) {
/* Not a FAST request; copy the encoded request body. */
errcode = krb5_copy_data(kdc_context, &encoded_req_body,
&state->inner_body);
if (errcode) {
state->status = "storing req body";
goto errout;
}
}
state->rock.request = state->request;
state->rock.inner_body = state->inner_body;
state->rock.rstate = state->rstate;
state->rock.vctx = vctx;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->client,
&state->cname))) {
state->status = "UNPARSING_CLIENT";
goto errout;
}
limit_string(state->cname);
if (!state->request->server) {
state->status = "NULL_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->server,
&state->sname))) {
state->status = "UNPARSING_SERVER";
goto errout;
}
limit_string(state->sname);
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
* of cross realm TGS entries.
*/
setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
/*
* Note that according to the referrals draft we should
* always canonicalize enterprise principal names.
*/
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
if (include_pac_p(kdc_context, state->request)) {
setflag(state->c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
errcode = krb5_db_get_principal(kdc_context, state->request->client,
state->c_flags, &state->client);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "CLIENT_NOT_FOUND";
if (vague_errors)
errcode = KRB5KRB_ERR_GENERIC;
else
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
} else if (errcode) {
state->status = "LOOKING_UP_CLIENT";
goto errout;
}
state->rock.client = state->client;
/*
* If the backend returned a principal that is not in the local
* realm, then we need to refer the client to that realm.
*/
if (!is_local_principal(kdc_active_realm, state->client->princ)) {
/* Entry is a referral to another realm */
state->status = "REFERRAL";
errcode = KRB5KDC_ERR_WRONG_REALM;
goto errout;
}
s_flags = 0;
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
errcode = krb5_db_get_principal(kdc_context, state->request->server,
s_flags, &state->server);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "SERVER_NOT_FOUND";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
} else if (errcode) {
state->status = "LOOKING_UP_SERVER";
goto errout;
}
if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) {
state->status = "TIMEOFDAY";
goto errout;
}
state->authtime = state->kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(kdc_active_realm,
state->request, *state->client,
*state->server, state->kdc_time,
&state->status, &state->e_data))) {
if (!state->status)
state->status = "UNKNOWN_REASON";
errcode += ERROR_TABLE_BASE_krb5;
goto errout;
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype = select_session_keytype(kdc_active_realm, state->server,
state->request->nktypes,
state->request->ktype)) == 0) {
/* unsupported ktype */
state->status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto errout;
}
if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
&state->session_key))) {
state->status = "RANDOM_KEY_FAILED";
goto errout;
}
/*
* Canonicalization is only effective if we are issuing a TGT
* (the intention is to allow support for Windows "short" realm
* aliases, nothing more).
*/
if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
krb5_is_tgs_principal(state->request->server) &&
krb5_is_tgs_principal(state->server->princ)) {
state->ticket_reply.server = state->server->princ;
} else {
state->ticket_reply.server = state->request->server;
}
state->enc_tkt_reply.flags = 0;
state->enc_tkt_reply.times.authtime = state->authtime;
setflag(state->enc_tkt_reply.flags, TKT_FLG_INITIAL);
setflag(state->enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
* realms may refuse to issue renewable tickets
*/
if (isflagset(state->request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(state->request->kdc_options, KDC_OPT_PROXIABLE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(state->request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
state->enc_tkt_reply.session = &state->session_key;
if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
state->client_princ = *(state->client->princ);
} else {
state->client_princ = *(state->request->client);
/* The realm is always canonicalized */
state->client_princ.realm = state->client->princ->realm;
}
state->enc_tkt_reply.client = &state->client_princ;
state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
state->enc_tkt_reply.transited.tr_contents = empty_string;
if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(state->enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(state->enc_tkt_reply.flags, TKT_FLG_INVALID);
state->enc_tkt_reply.times.starttime = state->request->from;
} else
state->enc_tkt_reply.times.starttime = state->kdc_time;
kdc_get_ticket_endtime(kdc_active_realm,
state->enc_tkt_reply.times.starttime,
kdc_infinity, state->request->till, state->client,
state->server, &state->enc_tkt_reply.times.endtime);
if (isflagset(state->request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
!isflagset(state->client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
(state->enc_tkt_reply.times.endtime < state->request->till)) {
/* we set the RENEWABLE option for later processing */
setflag(state->request->kdc_options, KDC_OPT_RENEWABLE);
state->request->rtime = state->request->till;
}
rtime = (state->request->rtime == 0) ? kdc_infinity :
state->request->rtime;
if (isflagset(state->request->kdc_options, KDC_OPT_RENEWABLE)) {
/*
* XXX Should we squelch the output renew_till to be no
* earlier than the endtime of the ticket?
*/
setflag(state->enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
state->enc_tkt_reply.times.renew_till =
min(rtime, state->enc_tkt_reply.times.starttime +
min(state->client->max_renewable_life,
min(state->server->max_renewable_life,
max_renewable_life_for_realm)));
} else
state->enc_tkt_reply.times.renew_till = 0; /* XXX */
/*
* starttime is optional, and treated as authtime if not present.
* so we can nuke it if it matches
*/
if (state->enc_tkt_reply.times.starttime ==
state->enc_tkt_reply.times.authtime)
state->enc_tkt_reply.times.starttime = 0;
state->enc_tkt_reply.caddrs = state->request->addresses;
state->enc_tkt_reply.authorization_data = 0;
/* If anonymous requests are being used, adjust the realm of the client
* principal. */
if (isflagset(state->request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
if (!krb5_principal_compare_any_realm(kdc_context,
state->request->client,
krb5_anonymous_principal())) {
errcode = KRB5KDC_ERR_BADOPTION;
state->status = "Anonymous requested but anonymous "
"principal not used.";
goto errout;
}
setflag(state->enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
krb5_free_principal(kdc_context, state->request->client);
state->request->client = NULL;
errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
&state->request->client);
if (errcode) {
state->status = "Copying anonymous principal";
goto errout;
}
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
/*
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
check_padata(kdc_context, &state->rock, state->req_pkt,
state->request, &state->enc_tkt_reply, &state->pa_context,
&state->e_data, &state->typed_e_data, finish_preauth,
state);
} else
finish_preauth(state, 0);
return;
errout:
finish_process_as_req(state, errcode);
}
static void
test_princ(krb5_context context)
{
const char *princ = "*****@*****.**";
const char *princ_short = "lha";
const char *noquote;
krb5_error_code ret;
char *princ_unparsed;
char *princ_reformed = NULL;
const char *realm;
krb5_principal p, p2;
ret = krb5_parse_name(context, princ, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_unparse_name(context, p, &princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (strcmp(princ, princ_unparsed)) {
krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
}
free(princ_unparsed);
ret = krb5_unparse_name_flags(context, p,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (strcmp(princ_short, princ_unparsed))
krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
free(princ_unparsed);
realm = krb5_principal_get_realm(context, p);
if (asprintf(&princ_reformed, "%s@%s", princ_short, realm) < 0 || princ_reformed == NULL)
errx(1, "malloc");
ret = krb5_parse_name(context, princ_reformed, &p2);
free(princ_reformed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (!krb5_principal_compare(context, p, p2)) {
krb5_errx(context, 1, "p != p2");
}
krb5_free_principal(context, p2);
ret = krb5_set_default_realm(context, "SU.SE");
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_unparse_name_flags(context, p,
KRB5_PRINCIPAL_UNPARSE_SHORT,
&princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (strcmp(princ_short, princ_unparsed))
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
ret = krb5_parse_name(context, princ_short, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (!krb5_principal_compare(context, p, p2))
krb5_errx(context, 1, "p != p2");
krb5_free_principal(context, p2);
ret = krb5_unparse_name(context, p, &princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (strcmp(princ, princ_unparsed))
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
ret = krb5_set_default_realm(context, "SAMBA.ORG");
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_parse_name(context, princ_short, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (krb5_principal_compare(context, p, p2))
krb5_errx(context, 1, "p == p2");
if (!krb5_principal_compare_any_realm(context, p, p2))
krb5_errx(context, 1, "(ignoring realms) p != p2");
ret = krb5_unparse_name(context, p2, &princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (strcmp(princ, princ_unparsed) == 0)
krb5_errx(context, 1, "%s == %s", princ, princ_unparsed);
free(princ_unparsed);
krb5_free_principal(context, p2);
ret = krb5_parse_name(context, princ, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (!krb5_principal_compare(context, p, p2))
krb5_errx(context, 1, "p != p2");
ret = krb5_unparse_name(context, p2, &princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (strcmp(princ, princ_unparsed))
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
krb5_free_principal(context, p2);
ret = krb5_unparse_name_flags(context, p,
KRB5_PRINCIPAL_UNPARSE_SHORT,
&princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_short");
if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
ret = krb5_unparse_name(context, p, &princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_short");
if (strcmp(princ, princ_unparsed))
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
ret = krb5_parse_name_flags(context, princ,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&p2);
if (!ret)
krb5_err(context, 1, ret, "Should have failed to parse %s a "
"short name", princ);
ret = krb5_parse_name_flags(context, princ_short,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_unparse_name_flags(context, p2,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&princ_unparsed);
krb5_free_principal(context, p2);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
if (strcmp(princ_short, princ_unparsed))
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
ret = krb5_parse_name_flags(context, princ_short,
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
&p2);
if (!ret)
krb5_err(context, 1, ret, "Should have failed to parse %s "
"because it lacked a realm", princ_short);
ret = krb5_parse_name_flags(context, princ,
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
&p2);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
if (!krb5_principal_compare(context, p, p2))
krb5_errx(context, 1, "p != p2");
ret = krb5_unparse_name_flags(context, p2,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&princ_unparsed);
krb5_free_principal(context, p2);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
if (strcmp(princ_short, princ_unparsed))
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
krb5_free_principal(context, p);
/* test quoting */
princ = "test\\ [email protected]";
noquote = "test [email protected]";
ret = krb5_parse_name_flags(context, princ, 0, &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_unparse_name_flags(context, p, 0, &princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_flags");
if (strcmp(princ, princ_unparsed))
krb5_errx(context, 1, "q '%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_DISPLAY,
&princ_unparsed);
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_flags");
if (strcmp(noquote, princ_unparsed))
krb5_errx(context, 1, "nq '%s' != '%s'", noquote, princ_unparsed);
free(princ_unparsed);
krb5_free_principal(context, p);
}
krb5_boolean KRB5_LIB_FUNCTION
krb5_compare_creds(krb5_context context, krb5_flags whichfields,
const krb5_creds * mcreds, const krb5_creds * creds)
{
krb5_boolean match = TRUE;
if (match && mcreds->server) {
if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY))
match = krb5_principal_compare_any_realm (context, mcreds->server,
creds->server);
else
match = krb5_principal_compare (context, mcreds->server,
creds->server);
}
if (match && mcreds->client) {
if(whichfields & KRB5_TC_DONT_MATCH_REALM)
match = krb5_principal_compare_any_realm (context, mcreds->client,
creds->client);
else
match = krb5_principal_compare (context, mcreds->client,
creds->client);
}
if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
match = mcreds->session.keytype == creds->session.keytype;
if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
match = mcreds->flags.i == creds->flags.i;
if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;
if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
match = krb5_times_equal(&mcreds->times, &creds->times);
if (match && (whichfields & KRB5_TC_MATCH_TIMES))
/* compare only expiration times */
match = (mcreds->times.renew_till <= creds->times.renew_till) &&
(mcreds->times.endtime <= creds->times.endtime);
if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
unsigned int i;
if(mcreds->authdata.len != creds->authdata.len)
match = FALSE;
else
for(i = 0; match && i < mcreds->authdata.len; i++)
match = (mcreds->authdata.val[i].ad_type ==
creds->authdata.val[i].ad_type) &&
(krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
&creds->authdata.val[i].ad_data) == 0);
}
if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);
if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
match = ((mcreds->second_ticket.length == 0) ==
(creds->second_ticket.length == 0));
return match;
}
krb5_error_code
pkinit_identity_initialize(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_opts *idopts,
pkinit_identity_crypto_context id_cryptoctx,
int do_matching,
krb5_principal princ)
{
krb5_error_code retval = EINVAL;
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
if (!(princ && krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal()))) {
if (idopts == NULL || id_cryptoctx == NULL)
goto errout;
/*
* If identity was specified, use that. (For the kdc, this
* is specified as pkinit_identity in the kdc.conf. For users,
* this is specified on the command line via X509_user_identity.)
* If a user did not specify identity on the command line,
* then we will try alternatives which may have been specified
* in the config file.
*/
if (idopts->identity != NULL) {
retval = process_option_identity(context, plg_cryptoctx,
req_cryptoctx, idopts,
id_cryptoctx, idopts->identity);
} else if (idopts->identity_alt != NULL) {
for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) {
retval = process_option_identity(context, plg_cryptoctx,
req_cryptoctx, idopts,
id_cryptoctx,
idopts->identity_alt[i]);
}
} else {
pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
goto errout;
}
if (retval)
goto errout;
retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx, princ);
if (retval)
goto errout;
if (do_matching) {
retval = pkinit_cert_matching(context, plg_cryptoctx,
req_cryptoctx, id_cryptoctx, princ);
if (retval) {
pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
id_cryptoctx);
goto errout;
}
} else {
/* Tell crypto code to use the "default" */
retval = crypto_cert_select_default(context, plg_cryptoctx,
req_cryptoctx, id_cryptoctx);
if (retval) {
pkiDebug("%s: Failed while selecting default certificate\n",
__FUNCTION__);
crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
id_cryptoctx);
goto errout;
}
}
retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
id_cryptoctx);
if (retval)
goto errout;
} /* Not anonymous principal */
for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx,
idopts->anchors[i], CATYPE_ANCHORS);
if (retval)
goto errout;
}
for (i = 0; idopts->intermediates != NULL
&& idopts->intermediates[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx,
idopts->intermediates[i],
CATYPE_INTERMEDIATES);
if (retval)
goto errout;
}
for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx, idopts->crls[i],
CATYPE_CRLS);
if (retval)
goto errout;
}
if (idopts->ocsp != NULL) {
retval = ENOTSUP;
goto errout;
}
errout:
return retval;
}
NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
struct smb_iconv_convenience *iconv_convenience,
struct PAC_DATA **pac_data_out,
DATA_BLOB blob,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
krb5_const_principal client_principal,
time_t tgs_authtime,
krb5_error_code *k5ret)
{
krb5_error_code ret;
NTSTATUS status;
enum ndr_err_code ndr_err;
struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
struct PAC_LOGON_INFO *logon_info = NULL;
struct PAC_LOGON_NAME *logon_name = NULL;
struct PAC_DATA *pac_data;
struct PAC_DATA_RAW *pac_data_raw;
DATA_BLOB *srv_sig_blob = NULL;
DATA_BLOB *kdc_sig_blob = NULL;
DATA_BLOB modified_pac_blob;
NTTIME tgs_authtime_nttime;
krb5_principal client_principal_pac;
int i;
krb5_clear_error_message(context);
if (k5ret) {
*k5ret = KRB5_PARSE_MALFORMED;
}
pac_data = talloc(mem_ctx, struct PAC_DATA);
pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW);
kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
if (k5ret) {
*k5ret = ENOMEM;
}
return NT_STATUS_NO_MEMORY;
}
ndr_err = ndr_pull_struct_blob(&blob, pac_data,
iconv_convenience, pac_data,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
return status;
}
if (pac_data->num_buffers < 4) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
return NT_STATUS_INVALID_PARAMETER;
}
ndr_err = ndr_pull_struct_blob(&blob, pac_data_raw,
iconv_convenience, pac_data_raw,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
return status;
}
if (pac_data_raw->num_buffers < 4) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (pac_data->num_buffers != pac_data_raw->num_buffers) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("misparse! PAC_DATA has %d buffers while PAC_DATA_RAW has %d\n",
pac_data->num_buffers, pac_data_raw->num_buffers));
return NT_STATUS_INVALID_PARAMETER;
}
for (i=0; i < pac_data->num_buffers; i++) {
if (pac_data->buffers[i].type != pac_data_raw->buffers[i].type) {
DEBUG(0,("misparse! PAC_DATA buffer %d has type %d while PAC_DATA_RAW has %d\n",
i, pac_data->buffers[i].type, pac_data->buffers[i].type));
return NT_STATUS_INVALID_PARAMETER;
}
switch (pac_data->buffers[i].type) {
case PAC_TYPE_LOGON_INFO:
if (!pac_data->buffers[i].info) {
break;
}
logon_info = pac_data->buffers[i].info->logon_info.info;
break;
case PAC_TYPE_SRV_CHECKSUM:
if (!pac_data->buffers[i].info) {
break;
}
srv_sig_ptr = &pac_data->buffers[i].info->srv_cksum;
srv_sig_blob = &pac_data_raw->buffers[i].info->remaining;
break;
case PAC_TYPE_KDC_CHECKSUM:
if (!pac_data->buffers[i].info) {
break;
}
kdc_sig_ptr = &pac_data->buffers[i].info->kdc_cksum;
kdc_sig_blob = &pac_data_raw->buffers[i].info->remaining;
break;
case PAC_TYPE_LOGON_NAME:
logon_name = &pac_data->buffers[i].info->logon_name;
break;
default:
break;
}
}
if (!logon_info) {
DEBUG(0,("PAC no logon_info\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!logon_name) {
DEBUG(0,("PAC no logon_name\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!srv_sig_ptr || !srv_sig_blob) {
DEBUG(0,("PAC no srv_key\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!kdc_sig_ptr || !kdc_sig_blob) {
DEBUG(0,("PAC no kdc_key\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* Find and zero out the signatures, as required by the signing algorithm */
/* We find the data blobs above, now we parse them to get at the exact portion we should zero */
ndr_err = ndr_pull_struct_blob(kdc_sig_blob, kdc_sig_wipe,
iconv_convenience, kdc_sig_wipe,
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the KDC signature: %s\n",
nt_errstr(status)));
return status;
}
ndr_err = ndr_pull_struct_blob(srv_sig_blob, srv_sig_wipe,
iconv_convenience, srv_sig_wipe,
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the SRV signature: %s\n",
nt_errstr(status)));
return status;
}
/* Now zero the decoded structure */
memset(kdc_sig_wipe->signature.data, '\0', kdc_sig_wipe->signature.length);
memset(srv_sig_wipe->signature.data, '\0', srv_sig_wipe->signature.length);
/* and reencode, back into the same place it came from */
ndr_err = ndr_push_struct_blob(kdc_sig_blob, pac_data_raw,
iconv_convenience,
kdc_sig_wipe,
(ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the KDC signature: %s\n",
nt_errstr(status)));
return status;
}
ndr_err = ndr_push_struct_blob(srv_sig_blob, pac_data_raw,
iconv_convenience,
srv_sig_wipe,
(ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the SRV signature: %s\n",
nt_errstr(status)));
return status;
}
/* push out the whole structure, but now with zero'ed signatures */
ndr_err = ndr_push_struct_blob(&modified_pac_blob, pac_data_raw,
iconv_convenience,
pac_data_raw,
(ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the RAW PAC: %s\n",
nt_errstr(status)));
return status;
}
/* verify by service_key */
ret = check_pac_checksum(mem_ctx,
modified_pac_blob, srv_sig_ptr,
context,
service_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the service signature: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
if (k5ret) {
*k5ret = ret;
}
return NT_STATUS_ACCESS_DENIED;
}
if (krbtgt_keyblock) {
ret = check_pac_checksum(mem_ctx,
srv_sig_ptr->signature, kdc_sig_ptr,
context, krbtgt_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
if (k5ret) {
*k5ret = ret;
}
return NT_STATUS_ACCESS_DENIED;
}
}
/* Convert to NT time, so as not to loose accuracy in comparison */
unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
if (tgs_authtime_nttime != logon_name->logon_time) {
DEBUG(2, ("PAC Decode: Logon time mismatch between ticket and PAC!\n"));
DEBUG(2, ("PAC Decode: PAC: %s\n", nt_time_string(mem_ctx, logon_name->logon_time)));
DEBUG(2, ("PAC Decode: Ticket: %s\n", nt_time_string(mem_ctx, tgs_authtime_nttime)));
return NT_STATUS_ACCESS_DENIED;
}
ret = krb5_parse_name_flags(context, logon_name->account_name, KRB5_PRINCIPAL_PARSE_NO_REALM,
&client_principal_pac);
if (ret) {
DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n",
logon_name->account_name,
smb_get_krb5_error_message(context, ret, mem_ctx)));
if (k5ret) {
*k5ret = ret;
}
return NT_STATUS_INVALID_PARAMETER;
}
if (!krb5_principal_compare_any_realm(context, client_principal, client_principal_pac)) {
DEBUG(2, ("Name in PAC [%s] does not match principal name in ticket\n",
logon_name->account_name));
return NT_STATUS_ACCESS_DENIED;
}
#if 0
if (strcasecmp(logon_info->info3.base.account_name.string,
"Administrator")== 0) {
file_save("tmp_pac_data-admin.dat",blob.data,blob.length);
}
#endif
DEBUG(3,("Found account name from PAC: %s [%s]\n",
logon_info->info3.base.account_name.string,
logon_info->info3.base.full_name.string));
*pac_data_out = pac_data;
return NT_STATUS_OK;
}
