Changeset 478 for vendor/current/source3/libads

Timestamp:

Aug 2, 2010, 6:40:21 PM (15 years ago)

Author:

Silvan Scherrer

Message:

Samba 3.5: vendor update to 3.5.4

Location:

vendor/current/source3/libads

Files:

• kerberos.c (modified) (10 diffs)
• kerberos_verify.c (modified) (5 diffs)

vendor/current/source3/libads/kerberos.c

@@ -716 +716 @@
 static char *print_kdc_line(char *mem_ctx,
                         const char *prev_line,
-                        const struct sockaddr_storage *pss)
+                        const struct sockaddr_storage *pss,
+                        const char *kdc_name)
 {
         char *kdc_str = NULL;
@@ -727 +728 @@
                 char addr[INET6_ADDRSTRLEN];
                 uint16_t port = get_sockaddr_port(pss);
+
+                DEBUG(10,("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
+                        kdc_name, port));
 
                 if (port != 0 && port != DEFAULT_KRB5_PORT) {
@@ -744 +748 @@
                                         print_canonical_sockaddr(mem_ctx, pss),
                                         gai_strerror(ret)));
+                                return NULL;
                         }
                         /* Success, use host:port */
@@ -752 +757 @@
                                         (unsigned int)port);
                 } else {
-                        kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
-                                        prev_line,
-                                        print_sockaddr(addr,
-                                                sizeof(addr),
-                                                pss));
+
+                        /* no krb5 lib currently supports "kdc = ipv6 address"
+                         * at all, so just fill in just the kdc_name if we have
+                         * it and let the krb5 lib figure out the appropriate
+                         * ipv6 address - gd */
+
+                        if (kdc_name) {
+                                kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+                                                prev_line, kdc_name);
+                        } else {
+                                kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+                                                prev_line,
+                                                print_sockaddr(addr,
+                                                        sizeof(addr),
+                                                        pss));
+                        }
                 }
         }
@@ -773 +789 @@
                 const char *realm,
                 const char *sitename,
-                struct sockaddr_storage *pss)
+                struct sockaddr_storage *pss,
+                const char *kdc_name)
 {
         int i;
@@ -780 +797 @@
         int count_site = 0;
         int count_nonsite;
-        char *kdc_str = print_kdc_line(mem_ctx, "", pss);
+        char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
 
         if (kdc_str == NULL) {
@@ -804 +821 @@
                         kdc_str = print_kdc_line(mem_ctx,
                                                 kdc_str,
-                                                &ip_srv_site[i].ss);
+                                                &ip_srv_site[i].ss,
+                                                NULL);
                         if (!kdc_str) {
                                 SAFE_FREE(ip_srv_site);
@@ -841 +859 @@
                 kdc_str = print_kdc_line(mem_ctx,
                                 kdc_str,
-                                &ip_srv_nonsite[i].ss);
+                                &ip_srv_nonsite[i].ss,
+                                NULL);
                 if (!kdc_str) {
                         SAFE_FREE(ip_srv_site);
@@ -869 +888 @@
                                                 const char *domain,
                                                 const char *sitename,
-                                                struct sockaddr_storage *pss)
+                                                struct sockaddr_storage *pss,
+                                                const char *kdc_name)
 {
         char *dname;
@@ -913 +933 @@
         strupper_m(realm_upper);
 
-        kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
+        kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
         if (!kdc_ip_string) {
                 goto done;

vendor/current/source3/libads/kerberos_verify.c

@@ -308 +308 @@
         krb5_error_code ret = 0;
         bool auth_ok = False;
+        bool cont = true;
         char *password_s = NULL;
-        krb5_data password;
+        /* Let's make some room for 2 password (old and new)*/
+        krb5_data passwords[2];
         krb5_enctype enctypes[] = { 
 #if defined(ENCTYPE_ARCFOUR_HMAC)
@@ -319 +321 @@
         };
         krb5_data packet;
-        int i;
+        int i, j;
 
         *pp_tkt = NULL;
@@ -325 +327 @@
         *perr = 0;
 
+        ZERO_STRUCT(passwords);
 
         if (!secrets_init()) {
@@ -339 +342 @@
         }
 
-        password.data = password_s;
-        password.length = strlen(password_s);
+        passwords[0].data = password_s;
+        passwords[0].length = strlen(password_s);
+
+        password_s = secrets_fetch_prev_machine_password(lp_workgroup());
+        if (password_s) {
+                DEBUG(10,("ads_secrets_verify_ticket: found previous password\n"));
+                passwords[1].data = password_s;
+                passwords[1].length = strlen(password_s);
+        }
 
         /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
@@ -348 +358 @@
 
         /* We need to setup a auth context with each possible encoding type in turn. */
-        for (i=0;enctypes[i];i++) {
-                krb5_keyblock *key = NULL;
-
-                if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
-                        ret = ENOMEM;
-                        goto out;
-                }
-        
-                if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) {
-                        SAFE_FREE(key);
-                        continue;
-                }
-
-                krb5_auth_con_setuseruserkey(context, auth_context, key);
-
-                if (!(ret = krb5_rd_req(context, &auth_context, &packet, 
-                                        NULL,
-                                        NULL, NULL, pp_tkt))) {
-                        DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
-                                (unsigned int)enctypes[i] ));
-                        auth_ok = True;
-                        krb5_copy_keyblock(context, key, keyblock);
+        for (j=0; j<2 && passwords[j].length; j++) {
+
+                for (i=0;enctypes[i];i++) {
+                        krb5_keyblock *key = NULL;
+
+                        if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
+                                ret = ENOMEM;
+                                goto out;
+                        }
+
+                        if (create_kerberos_key_from_string(context, host_princ, &passwords[j], key, enctypes[i], false)) {
+                                SAFE_FREE(key);
+                                continue;
+                        }
+
+                        krb5_auth_con_setuseruserkey(context, auth_context, key);
+
+                        if (!(ret = krb5_rd_req(context, &auth_context, &packet,
+                                                NULL,
+                                                NULL, NULL, pp_tkt))) {
+                                DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
+                                        (unsigned int)enctypes[i] ));
+                                auth_ok = True;
+                                cont = false;
+                                krb5_copy_keyblock(context, key, keyblock);
+                                krb5_free_keyblock(context, key);
+                                break;
+                        }
+
+                        DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
+                                        ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
+                                        (unsigned int)enctypes[i], error_message(ret)));
+
+                        /* successfully decrypted but ticket is just not valid at the moment */
+                        if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+                            ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+                            ret == KRB5KRB_AP_ERR_SKEW) {
+                                krb5_free_keyblock(context, key);
+                                cont = false;
+                                break;
+                        }
+
                         krb5_free_keyblock(context, key);
+                }
+                if (!cont) {
+                        /* If we found a valid pass then no need to try
+                         * the next one or we have invalid ticket so no need
+                         * to try next password*/
                         break;
                 }
-
-                DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
-                                ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
-                                (unsigned int)enctypes[i], error_message(ret)));
-
-                /* successfully decrypted but ticket is just not valid at the moment */
-                if (ret == KRB5KRB_AP_ERR_TKT_NYV || 
-                    ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
-                    ret == KRB5KRB_AP_ERR_SKEW) {
-                        krb5_free_keyblock(context, key);
-                        break;
-                }
-
-                krb5_free_keyblock(context, key);
-
         }
 
  out:
-        SAFE_FREE(password_s);
+        SAFE_FREE(passwords[0].data);
+        SAFE_FREE(passwords[1].data);
         *perr = ret;
         return auth_ok;