1 :
2 : #include "includes.h"
3 : #include "system/kerberos.h"
4 : #include "auth/kerberos/kerberos.h"
5 : #include "gensec_krb5.h"
6 :
/*
 * Look up the long-term key for @server in @keytab and hand back a copy.
 *
 * @param context       Kerberos library context.
 * @param server        Principal whose keytab entry is wanted.
 * @param kvno          Key version to ask the keytab for; passed through to
 *                      krb5_kt_get_entry() unchanged (the caller in this
 *                      file passes 0 to request the latest version).
 * @param etype         Encryption type of the wanted key.
 * @param keytab        Keytab to search.
 * @param keyblock_out  On success receives a freshly allocated copy of the
 *                      key; the caller owns it and releases it with
 *                      krb5_free_keyblock().
 * @return 0 on success, otherwise the krb5 error code from the keytab
 *         lookup or from copying the key.
 */
static krb5_error_code smb_krb5_get_longterm_key(krb5_context context,
						 krb5_const_principal server,
						 krb5_kvno kvno,
						 krb5_enctype etype,
						 krb5_keytab keytab,
						 krb5_keyblock **keyblock_out)
{
	krb5_keytab_entry entry;
	krb5_error_code ret;

	ret = krb5_kt_get_entry(context, keytab, server, kvno, etype, &entry);
	if (ret != 0) {
		return ret;
	}

	/*
	 * The entry contents are only borrowed: copy the key out first and
	 * release the entry whether or not the copy succeeded.
	 */
	ret = krb5_copy_keyblock(context, &entry.key, keyblock_out);
	krb5_free_keytab_entry_contents(context, &entry);

	return ret;
}
35 :
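/*
 * Decode and verify an AP-REQ against the acceptor's keytab and build the
 * matching AP-REP.
 *
 * On success the caller owns three results: the decoded ticket (*pticket,
 * release with krb5_free_ticket()), a copy of the keytab key for the
 * ticket's server principal and enctype (*pkeyblock, release with
 * krb5_free_keyblock()) and the encoded AP-REP in @reply. On any failure
 * the krb5 error code is returned and all three outputs are left as they
 * were initialised here (NULL pointers, empty reply), so the caller never
 * receives a pointer to memory this function has already released.
 *
 * @param context             Kerberos library context.
 * @param auth_context        Auth context shared by krb5_rd_req() and
 *                            krb5_mk_rep().
 * @param request             Raw AP-REQ to decode.
 * @param keytab              Keytab holding the acceptor's keys.
 * @param acceptor_principal  Principal the request must be addressed to.
 * @param reply               Receives the AP-REP on success.
 * @param pticket             Receives the decoded ticket on success.
 * @param pkeyblock           Receives the long-term key on success.
 * @return 0 on success, otherwise a krb5 error code.
 */
krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
					krb5_auth_context *auth_context,
					const krb5_data *request,
					krb5_keytab keytab,
					krb5_principal acceptor_principal,
					krb5_data *reply,
					krb5_ticket **pticket,
					krb5_keyblock **pkeyblock)
{
	krb5_error_code code;
	krb5_flags ap_req_options = 0;
	krb5_ticket *ticket = NULL;
	krb5_keyblock *keyblock = NULL;

	/* Outputs are only populated on the success path. */
	*pticket = NULL;
	*pkeyblock = NULL;
	reply->length = 0;
	reply->data = NULL;

	code = krb5_rd_req(context,
			   auth_context,
			   request,
			   acceptor_principal,
			   keytab,
			   &ap_req_options,
			   &ticket);
	if (code != 0) {
		DBG_ERR("krb5_rd_req failed: %s\n", error_message(code));
		return code;
	}

	/*
	 * Get the long term key from the keytab to be able to verify the PAC
	 * signature.
	 *
	 * FIXME: Use ticket->enc_part.kvno ???
	 * Getting the latest kvno with passing 0 fixes:
	 * make -j test TESTS="samba4.winbind.pac.ad_member"
	 *
	 * NOTE(review): after a key rotation the entry selected with kvno 0
	 * may not be the key that encrypted this ticket
	 * (ticket->enc_part.kvno); confirm which key the downstream PAC check
	 * expects before changing this.
	 */
	code = smb_krb5_get_longterm_key(context,
					 ticket->server,
					 0, /* kvno */
					 ticket->enc_part.enctype,
					 keytab,
					 &keyblock);
	if (code != 0) {
		DBG_ERR("smb_krb5_get_longterm_key failed: %s\n",
			error_message(code));
		goto fail;
	}

	code = krb5_mk_rep(context, *auth_context, reply);
	if (code != 0) {
		DBG_ERR("krb5_mk_rep failed: %s\n", error_message(code));
		goto fail;
	}

	/* Transfer ownership of the ticket and the key copy to the caller. */
	*pticket = ticket;
	*pkeyblock = keyblock;

	return 0;

fail:
	/*
	 * Release what was built so far and leave *pticket/*pkeyblock NULL.
	 * Previously the krb5_mk_rep() failure path freed both objects and
	 * then still stored the dangling pointers into the output parameters.
	 */
	if (keyblock != NULL) {
		krb5_free_keyblock(context, keyblock);
	}
	krb5_free_ticket(context, ticket);

	return code;
}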