LCOV - code coverage report
Current view: top level - auth/kerberos - kerberos_pac.c (source / functions) Hit Total Coverage
Test: coverage report for master 469b22b8 Lines: 155 265 58.5 %
Date: 2024-06-10 12:05:21 Functions: 3 6 50.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             :    kerberos authorization data (PAC) utility library
       4             :    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
       5             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
       6             :    Copyright (C) Andrew Tridgell 2001
       7             :    Copyright (C) Luke Howard 2002-2003
       8             :    Copyright (C) Stefan Metzmacher 2004-2005
       9             :    Copyright (C) Guenther Deschner 2005,2007,2008
      10             : 
      11             :    This program is free software; you can redistribute it and/or modify
      12             :    it under the terms of the GNU General Public License as published by
      13             :    the Free Software Foundation; either version 3 of the License, or
      14             :    (at your option) any later version.
      15             : 
      16             :    This program is distributed in the hope that it will be useful,
      17             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      18             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      19             :    GNU General Public License for more details.
      20             : 
      21             :    You should have received a copy of the GNU General Public License
      22             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      23             : */
      24             : 
      25             : #include "includes.h"
      26             : 
      27             : #undef DBGC_CLASS
      28             : #define DBGC_CLASS DBGC_AUTH
      29             : 
      30             : #ifdef HAVE_KRB5
      31             : 
      32             : #include "librpc/gen_ndr/ndr_krb5pac.h"
      33             : #include "librpc/gen_ndr/auth.h"
      34             : #include "auth/common_auth.h"
      35             : #include "auth/kerberos/pac_utils.h"
      36             : #include "lib/krb5_wrap/krb5_samba.h"
      37             : 
      38        4997 : krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
      39             :                                           struct PAC_SIGNATURE_DATA *sig,
      40             :                                           krb5_context context,
      41             :                                           const krb5_keyblock *keyblock)
      42             : {
      43          14 :         krb5_error_code ret;
      44          14 :         krb5_checksum cksum;
      45        4997 :         krb5_keyusage usage = 0;
      46        4997 :         krb5_boolean checksum_valid = false;
      47          14 :         krb5_data input;
      48        4997 :         size_t idx = 0;
      49          14 :         struct {
      50             :                 krb5_cksumtype cksum_type;
      51             :                 krb5_enctype enc_type;
      52        4997 :         } supported_types[] = {
      53             :                 {CKSUMTYPE_HMAC_SHA1_96_AES_256, ENCTYPE_AES256_CTS_HMAC_SHA1_96},
      54             :                 {CKSUMTYPE_HMAC_SHA1_96_AES_128, ENCTYPE_AES128_CTS_HMAC_SHA1_96},
      55             :                 /* RFC8009 types. Not supported by AD yet but used by FreeIPA and MIT Kerberos */
      56             :                 {CKSUMTYPE_HMAC_SHA256_128_AES128, ENCTYPE_AES128_CTS_HMAC_SHA256_128},
      57             :                 {CKSUMTYPE_HMAC_SHA384_192_AES256, ENCTYPE_AES256_CTS_HMAC_SHA384_192},
      58             :                 {0, 0},
      59             :         };
      60             : 
      61        9653 :         for(idx = 0; supported_types[idx].cksum_type != 0; idx++) {
      62        8489 :                 if (sig->type == supported_types[idx].cksum_type) {
      63        3833 :                         if (KRB5_KEY_TYPE(keyblock) != supported_types[idx].enc_type) {
      64        1948 :                                 return EINVAL;
      65             :                         }
      66             :                         /* ok */
      67        1885 :                         break;
      68             :                 }
      69             :         }
      70             : 
      71             :         /* do not do key type check for HMAC-MD5 */
      72        3049 :         if ((sig->type != CKSUMTYPE_HMAC_MD5) &&
      73        1929 :             (supported_types[idx].cksum_type == 0)) {
      74          44 :                 DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
      75             :                         (int)sig->type));
      76          44 :                 return EINVAL;
      77             :         }
      78             : 
      79             : #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
      80        1976 :         cksum.cksumtype = (krb5_cksumtype)sig->type;
      81        1976 :         cksum.checksum.length   = sig->signature.length;
      82        1976 :         cksum.checksum.data     = sig->signature.data;
      83             : #else /* MIT */
      84        1029 :         cksum.checksum_type     = (krb5_cksumtype)sig->type;
      85        1029 :         cksum.length            = sig->signature.length;
      86        1029 :         cksum.contents          = sig->signature.data;
      87             : #endif
      88             : 
      89             : #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
      90        1976 :         usage = KRB5_KU_OTHER_CKSUM;
      91             : #elif defined(HAVE_KRB5_KEYUSAGE_APP_DATA_CKSUM) /* MIT */
      92        1029 :         usage = KRB5_KEYUSAGE_APP_DATA_CKSUM;
      93             : #else
      94             : #error UNKNOWN_KRB5_KEYUSAGE
      95             : #endif
      96             : 
      97        3005 :         input.data = (char *)pac_data.data;
      98        3005 :         input.length = pac_data.length;
      99             : 
     100        3005 :         ret = krb5_c_verify_checksum(context,
     101             :                                      keyblock,
     102             :                                      usage,
     103             :                                      &input,
     104             :                                      &cksum,
     105             :                                      &checksum_valid);
     106        3005 :         if (!checksum_valid) {
     107         802 :                 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
     108             :         }
     109        3005 :         if (ret){
     110         802 :                 DEBUG(2,("check_pac_checksum: PAC Verification failed: %s (%d)\n",
     111             :                         error_message(ret), ret));
     112         802 :                 return ret;
     113             :         }
     114             : 
     115        2189 :         return ret;
     116             : }
     117             : 
     118             : /**
     119             : * @brief Decode a blob containing a NDR encoded PAC structure
     120             : *
     121             : * @param mem_ctx          - The memory context
     122             : * @param pac_data_blob    - The data blob containing the NDR encoded data
     123             : * @param context          - The Kerberos Context
     124             : * @param service_keyblock - The Service Key used to verify the checksum
     125             : * @param client_principal - The client principal
     126             : * @param tgs_authtime     - The ticket timestamp
     127             : * @param pac_data_out     - [out] The decoded PAC
     128             : *
     129             : * @return - A NTSTATUS error code
     130             : */
     131        4840 : NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
     132             :                              DATA_BLOB pac_data_blob,
     133             :                              krb5_context context,
     134             :                              const krb5_keyblock *krbtgt_keyblock,
     135             :                              const krb5_keyblock *service_keyblock,
     136             :                              krb5_const_principal client_principal,
     137             :                              time_t tgs_authtime,
     138             :                              struct PAC_DATA **pac_data_out)
     139             : {
     140           7 :         NTSTATUS status;
     141           7 :         enum ndr_err_code ndr_err;
     142           7 :         krb5_error_code ret;
     143           7 :         DATA_BLOB modified_pac_blob;
     144             : 
     145           7 :         NTTIME tgs_authtime_nttime;
     146           7 :         int i;
     147             : 
     148        4840 :         struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
     149        4840 :         struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
     150        4840 :         struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
     151        4840 :         struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
     152        4840 :         struct PAC_LOGON_NAME *logon_name = NULL;
     153        4840 :         struct PAC_LOGON_INFO *logon_info = NULL;
     154        4840 :         struct PAC_DATA *pac_data = NULL;
     155        4840 :         struct PAC_DATA_RAW *pac_data_raw = NULL;
     156             : 
     157        4840 :         DATA_BLOB *srv_sig_blob = NULL;
     158        4840 :         DATA_BLOB *kdc_sig_blob = NULL;
     159             : 
     160           7 :         bool bool_ret;
     161             : 
     162        4840 :         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
     163        4840 :         if (!tmp_ctx) {
     164           0 :                 return NT_STATUS_NO_MEMORY;
     165             :         }
     166             : 
     167        4840 :         if (pac_data_out) {
     168        3585 :                 *pac_data_out = NULL;
     169             :         }
     170             : 
     171        4840 :         pac_data = talloc(tmp_ctx, struct PAC_DATA);
     172        4840 :         pac_data_raw = talloc(tmp_ctx, struct PAC_DATA_RAW);
     173        4840 :         kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
     174        4840 :         srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
     175        4840 :         if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
     176           0 :                 talloc_free(tmp_ctx);
     177           0 :                 return NT_STATUS_NO_MEMORY;
     178             :         }
     179             : 
     180        4840 :         ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
     181             :                        (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
     182        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     183           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     184           0 :                 DEBUG(0,("can't parse the PAC: %s\n",
     185             :                         nt_errstr(status)));
     186           0 :                 talloc_free(tmp_ctx);
     187           0 :                 return status;
     188             :         }
     189             : 
     190        4840 :         if (pac_data->num_buffers < 4) {
     191             :                 /* we need logon_info, service_key and kdc_key */
     192           0 :                 DEBUG(0,("less than 4 PAC buffers\n"));
     193           0 :                 talloc_free(tmp_ctx);
     194           0 :                 return NT_STATUS_INVALID_PARAMETER;
     195             :         }
     196             : 
     197        4840 :         ndr_err = ndr_pull_struct_blob(
     198             :                                 &pac_data_blob, pac_data_raw, pac_data_raw,
     199             :                                 (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
     200        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     201           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     202           0 :                 DEBUG(0,("can't parse the PAC: %s\n",
     203             :                         nt_errstr(status)));
     204           0 :                 talloc_free(tmp_ctx);
     205           0 :                 return status;
     206             :         }
     207             : 
     208        4840 :         if (pac_data_raw->num_buffers < 4) {
     209             :                 /* we need logon_info, service_key and kdc_key */
     210           0 :                 DEBUG(0,("less than 4 PAC buffers\n"));
     211           0 :                 talloc_free(tmp_ctx);
     212           0 :                 return NT_STATUS_INVALID_PARAMETER;
     213             :         }
     214             : 
     215        4840 :         if (pac_data->num_buffers != pac_data_raw->num_buffers) {
     216             :                 /* we need logon_info, service_key and kdc_key */
     217           0 :                 DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
     218             :                           "PAC_DATA_RAW has %d\n", pac_data->num_buffers,
     219             :                           pac_data_raw->num_buffers));
     220           0 :                 talloc_free(tmp_ctx);
     221           0 :                 return NT_STATUS_INVALID_PARAMETER;
     222             :         }
     223             : 
     224       41501 :         for (i=0; i < pac_data->num_buffers; i++) {
     225       36661 :                 struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
     226       36661 :                 struct PAC_BUFFER_RAW *raw_buf = &pac_data_raw->buffers[i];
     227             : 
     228       36661 :                 if (data_buf->type != raw_buf->type) {
     229           0 :                         DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
     230             :                                   "%d while PAC_DATA_RAW has %d\n", i,
     231             :                                   data_buf->type, raw_buf->type));
     232           0 :                         talloc_free(tmp_ctx);
     233           0 :                         return NT_STATUS_INVALID_PARAMETER;
     234             :                 }
     235       36661 :                 switch (data_buf->type) {
     236        4840 :                 case PAC_TYPE_LOGON_INFO:
     237        4840 :                         if (!data_buf->info) {
     238           0 :                                 break;
     239             :                         }
     240        4840 :                         logon_info = data_buf->info->logon_info.info;
     241        4840 :                         break;
     242        4840 :                 case PAC_TYPE_SRV_CHECKSUM:
     243        4840 :                         if (!data_buf->info) {
     244           0 :                                 break;
     245             :                         }
     246        4840 :                         srv_sig_ptr = &data_buf->info->srv_cksum;
     247        4840 :                         srv_sig_blob = &raw_buf->info->remaining;
     248        4840 :                         break;
     249        4840 :                 case PAC_TYPE_KDC_CHECKSUM:
     250        4840 :                         if (!data_buf->info) {
     251           0 :                                 break;
     252             :                         }
     253        4840 :                         kdc_sig_ptr = &data_buf->info->kdc_cksum;
     254        4840 :                         kdc_sig_blob = &raw_buf->info->remaining;
     255        4840 :                         break;
     256        4840 :                 case PAC_TYPE_LOGON_NAME:
     257        4840 :                         logon_name = &data_buf->info->logon_name;
     258        4840 :                         break;
     259       17301 :                 default:
     260       17301 :                         break;
     261             :                 }
     262             :         }
     263             : 
     264        4840 :         if (!logon_info) {
     265           0 :                 DEBUG(0,("PAC no logon_info\n"));
     266           0 :                 talloc_free(tmp_ctx);
     267           0 :                 return NT_STATUS_INVALID_PARAMETER;
     268             :         }
     269             : 
     270        4840 :         if (!logon_name) {
     271           0 :                 DEBUG(0,("PAC no logon_name\n"));
     272           0 :                 talloc_free(tmp_ctx);
     273           0 :                 return NT_STATUS_INVALID_PARAMETER;
     274             :         }
     275             : 
     276        4840 :         if (!srv_sig_ptr || !srv_sig_blob) {
     277           0 :                 DEBUG(0,("PAC no srv_key\n"));
     278           0 :                 talloc_free(tmp_ctx);
     279           0 :                 return NT_STATUS_INVALID_PARAMETER;
     280             :         }
     281             : 
     282        4840 :         if (!kdc_sig_ptr || !kdc_sig_blob) {
     283           0 :                 DEBUG(0,("PAC no kdc_key\n"));
     284           0 :                 talloc_free(tmp_ctx);
     285           0 :                 return NT_STATUS_INVALID_PARAMETER;
     286             :         }
     287             : 
     288             :         /* Find and zero out the signatures,
     289             :          * as required by the signing algorithm */
     290             : 
     291             :         /* We find the data blobs above,
     292             :          * now we parse them to get at the exact portion we should zero */
     293        4840 :         ndr_err = ndr_pull_struct_blob(
     294             :                         kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
     295             :                         (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
     296        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     297           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     298           0 :                 DEBUG(0,("can't parse the KDC signature: %s\n",
     299             :                         nt_errstr(status)));
     300           0 :                 talloc_free(tmp_ctx);
     301           0 :                 return status;
     302             :         }
     303             : 
     304        4840 :         ndr_err = ndr_pull_struct_blob(
     305             :                         srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
     306             :                         (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
     307        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     308           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     309           0 :                 DEBUG(0,("can't parse the SRV signature: %s\n",
     310             :                         nt_errstr(status)));
     311           0 :                 talloc_free(tmp_ctx);
     312           0 :                 return status;
     313             :         }
     314             : 
     315             :         /* Now zero the decoded structure */
     316        4840 :         memset(kdc_sig_wipe->signature.data,
     317             :                 '\0', kdc_sig_wipe->signature.length);
     318        4840 :         memset(srv_sig_wipe->signature.data,
     319             :                 '\0', srv_sig_wipe->signature.length);
     320             : 
     321             :         /* and re-encode, back into the same place it came from */
     322        4840 :         ndr_err = ndr_push_struct_blob(
     323             :                         kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
     324             :                         (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
     325        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     326           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     327           0 :                 DEBUG(0,("can't repack the KDC signature: %s\n",
     328             :                         nt_errstr(status)));
     329           0 :                 talloc_free(tmp_ctx);
     330           0 :                 return status;
     331             :         }
     332        4840 :         ndr_err = ndr_push_struct_blob(
     333             :                         srv_sig_blob, pac_data_raw, srv_sig_wipe,
     334             :                         (ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
     335        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     336           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     337           0 :                 DEBUG(0,("can't repack the SRV signature: %s\n",
     338             :                         nt_errstr(status)));
     339           0 :                 talloc_free(tmp_ctx);
     340           0 :                 return status;
     341             :         }
     342             : 
     343             :         /* push out the whole structure, but now with zero'ed signatures */
     344        4840 :         ndr_err = ndr_push_struct_blob(
     345             :                         &modified_pac_blob, pac_data_raw, pac_data_raw,
     346             :                         (ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
     347        4840 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     348           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     349           0 :                 DEBUG(0,("can't repack the RAW PAC: %s\n",
     350             :                         nt_errstr(status)));
     351           0 :                 talloc_free(tmp_ctx);
     352           0 :                 return status;
     353             :         }
     354             : 
     355        4840 :         if (service_keyblock) {
     356             :                 /* verify by service_key */
     357        4822 :                 ret = check_pac_checksum(modified_pac_blob, srv_sig_ptr,
     358             :                                          context,
     359             :                                          service_keyblock);
     360        4822 :                 if (ret) {
     361        2676 :                         DEBUG(5, ("PAC Decode: Failed to verify the service "
     362             :                                   "signature: %s\n", error_message(ret)));
     363        2676 :                         return NT_STATUS_ACCESS_DENIED;
     364             :                 }
     365             : 
     366        2146 :                 if (krbtgt_keyblock) {
     367             :                         /* verify the service key checksum by krbtgt_key */
     368           7 :                         ret = check_pac_checksum(srv_sig_ptr->signature, kdc_sig_ptr,
     369             :                                                  context, krbtgt_keyblock);
     370           7 :                         if (ret) {
     371           0 :                                 DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
     372             :                                           smb_get_krb5_error_message(context, ret, tmp_ctx)));
     373           0 :                                 talloc_free(tmp_ctx);
     374           0 :                                 return NT_STATUS_ACCESS_DENIED;
     375             :                         }
     376             :                 }
     377             :         }
     378             : 
     379        2164 :         if (tgs_authtime) {
     380             :                 /* Convert to NT time, so as not to lose accuracy in comparison */
     381        1262 :                 unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
     382             : 
     383        1262 :                 if (tgs_authtime_nttime != logon_name->logon_time) {
     384           1 :                         DEBUG(2, ("PAC Decode: "
     385             :                                   "Logon time mismatch between ticket and PAC!\n"));
     386           1 :                         DEBUG(2, ("PAC Decode: PAC: %s\n",
     387             :                                   nt_time_string(tmp_ctx, logon_name->logon_time)));
     388           1 :                         DEBUG(2, ("PAC Decode: Ticket: %s\n",
     389             :                                   nt_time_string(tmp_ctx, tgs_authtime_nttime)));
     390           1 :                         talloc_free(tmp_ctx);
     391           1 :                         return NT_STATUS_ACCESS_DENIED;
     392             :                 }
     393             :         }
     394             : 
     395        2163 :         if (client_principal) {
     396           6 :                 char *client_principal_string;
     397        1261 :                 ret = krb5_unparse_name_flags(context, client_principal,
     398             :                                               KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
     399             :                                               &client_principal_string);
     400        1261 :                 if (ret) {
     401           0 :                         DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
     402             :                                   logon_name->account_name, error_message(ret)));
     403           0 :                         talloc_free(tmp_ctx);
     404           0 :                         return NT_STATUS_INVALID_PARAMETER;
     405             :                 }
     406             : 
     407        1261 :                 bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
     408             : 
     409        1261 :                 if (!bool_ret) {
     410           2 :                         DEBUG(2, ("Name in PAC [%s] does not match principal name "
     411             :                                   "in ticket [%s]\n",
     412             :                                   logon_name->account_name,
     413             :                                   client_principal_string));
     414           2 :                         SAFE_FREE(client_principal_string);
     415           2 :                         talloc_free(tmp_ctx);
     416           2 :                         return NT_STATUS_ACCESS_DENIED;
     417             :                 }
     418        1259 :                 SAFE_FREE(client_principal_string);
     419             : 
     420             :         }
     421             : 
     422        2161 :         DEBUG(3,("Found account name from PAC: %s [%s]\n",
     423             :                  logon_info->info3.base.account_name.string,
     424             :                  logon_info->info3.base.full_name.string));
     425             : 
     426        2161 :         DEBUG(10,("Successfully validated Kerberos PAC\n"));
     427             : 
     428        2161 :         if (DEBUGLEVEL >= 10) {
     429           0 :                 const char *s;
     430           0 :                 s = NDR_PRINT_STRUCT_STRING(tmp_ctx, PAC_DATA, pac_data);
     431           0 :                 if (s) {
     432           0 :                         DEBUGADD(10,("%s\n", s));
     433             :                 }
     434             :         }
     435             : 
     436        2161 :         if (pac_data_out) {
     437         906 :                 *pac_data_out = talloc_steal(mem_ctx, pac_data);
     438             :         }
     439             : 
     440        2161 :         return NT_STATUS_OK;
     441             : }
     442             : 
     443          20 : NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
     444             :                                  DATA_BLOB blob,
     445             :                                  krb5_context context,
     446             :                                  const krb5_keyblock *krbtgt_keyblock,
     447             :                                  const krb5_keyblock *service_keyblock,
     448             :                                  krb5_const_principal client_principal,
     449             :                                  time_t tgs_authtime,
     450             :                                  struct PAC_LOGON_INFO **logon_info)
     451             : {
     452           2 :         NTSTATUS nt_status;
     453           2 :         struct PAC_DATA *pac_data;
     454           2 :         int i;
     455          20 :         nt_status = kerberos_decode_pac(mem_ctx,
     456             :                                         blob,
     457             :                                         context,
     458             :                                         krbtgt_keyblock,
     459             :                                         service_keyblock,
     460             :                                         client_principal,
     461             :                                         tgs_authtime,
     462             :                                         &pac_data);
     463          20 :         if (!NT_STATUS_IS_OK(nt_status)) {
     464           0 :                 return nt_status;
     465             :         }
     466             : 
     467          20 :         *logon_info = NULL;
     468         148 :         for (i=0; i < pac_data->num_buffers; i++) {
     469         128 :                 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
     470         108 :                         continue;
     471             :                 }
     472          20 :                 *logon_info = pac_data->buffers[i].info->logon_info.info;
     473             :         }
     474          20 :         if (!*logon_info) {
     475           0 :                 return NT_STATUS_INVALID_PARAMETER;
     476             :         }
     477          20 :         return NT_STATUS_OK;
     478             : }
     479             : 
     480           0 : static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
     481             :                                 struct auth4_context *auth_ctx,
     482             :                                 TALLOC_CTX *mem_ctx,
     483             :                                 struct smb_krb5_context *smb_krb5_context,
     484             :                                 DATA_BLOB *pac_blob,
     485             :                                 const char *princ_name,
     486             :                                 const struct tsocket_address *remote_address,
     487             :                                 uint32_t session_info_flags,
     488             :                                 struct auth_session_info **session_info)
     489             : {
     490           0 :         struct PAC_DATA_CTR *pac_data_ctr = NULL;
     491           0 :         NTSTATUS status;
     492             : 
     493           0 :         if (pac_blob == NULL) {
     494           0 :                 return NT_STATUS_NO_IMPERSONATION_TOKEN;
     495             :         }
     496             : 
     497           0 :         pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
     498           0 :         if (pac_data_ctr == NULL) {
     499           0 :                 status = NT_STATUS_NO_MEMORY;
     500           0 :                 goto fail;
     501             :         }
     502             : 
     503           0 :         status = kerberos_decode_pac(pac_data_ctr,
     504             :                                      *pac_blob,
     505             :                                      NULL,
     506             :                                      NULL,
     507             :                                      NULL,
     508             :                                      NULL,
     509             :                                      0,
     510           0 :                                      &pac_data_ctr->pac_data);
     511           0 :         if (!NT_STATUS_IS_OK(status)) {
     512           0 :                 goto fail;
     513             :         }
     514             : 
     515           0 :         pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
     516             :                                                   pac_blob->data,
     517             :                                                   pac_blob->length);
     518           0 :         if (pac_data_ctr->pac_blob.length != pac_blob->length) {
     519           0 :                 status = NT_STATUS_NO_MEMORY;
     520           0 :                 goto fail;
     521             :         }
     522             : 
     523           0 :         *session_info = talloc_zero(mem_ctx, struct auth_session_info);
     524           0 :         if (*session_info == NULL) {
     525           0 :                 status = NT_STATUS_NO_MEMORY;
     526           0 :                 goto fail;
     527             :         }
     528             : 
     529           0 :         TALLOC_FREE(auth_ctx->private_data);
     530           0 :         auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
     531             : 
     532           0 :         return NT_STATUS_OK;
     533             : 
     534           0 : fail:
     535           0 :         TALLOC_FREE(pac_data_ctr);
     536             : 
     537           0 :         return status;
     538             : }
     539             : 
     540           0 : struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
     541             : {
     542           0 :         struct auth4_context *auth_ctx = NULL;
     543             : 
     544           0 :         auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
     545           0 :         if (auth_ctx == NULL) {
     546           0 :                 return NULL;
     547             :         }
     548           0 :         auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
     549             : 
     550           0 :         return auth_ctx;
     551             : }
     552             : 
     553           0 : struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
     554             :                                                     TALLOC_CTX *mem_ctx)
     555             : {
     556           0 :         struct PAC_DATA_CTR *p = NULL;
     557           0 :         SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
     558           0 :         p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
     559           0 :         auth_ctx->private_data = NULL;
     560           0 :         return talloc_move(mem_ctx, &p);
     561             : }
     562             : 
     563             : #endif

Generated by: LCOV version 1.14