Changeset 480 for trunk/server/source3/libads/kerberos_verify.c

Timestamp:

Aug 2, 2010, 8:16:45 PM (15 years ago)

Author:

Silvan Scherrer

Message:

Samba Server 3.5: trunk update to 3.5.4

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source3/libads/kerberos_verify.c (modified) (5 diffs)

trunk/server/source3/libads/kerberos_verify.c

@@ -308 +308 @@
         krb5_error_code ret = 0;
         bool auth_ok = False;
+        bool cont = true;
         char *password_s = NULL;
-        krb5_data password;
+        /* Let's make some room for 2 password (old and new)*/
+        krb5_data passwords[2];
         krb5_enctype enctypes[] = { 
 #if defined(ENCTYPE_ARCFOUR_HMAC)
@@ -319 +321 @@
         };
         krb5_data packet;
-        int i;
+        int i, j;
 
         *pp_tkt = NULL;
@@ -325 +327 @@
         *perr = 0;
 
+        ZERO_STRUCT(passwords);
 
         if (!secrets_init()) {
@@ -339 +342 @@
         }
 
-        password.data = password_s;
-        password.length = strlen(password_s);
+        passwords[0].data = password_s;
+        passwords[0].length = strlen(password_s);
+
+        password_s = secrets_fetch_prev_machine_password(lp_workgroup());
+        if (password_s) {
+                DEBUG(10,("ads_secrets_verify_ticket: found previous password\n"));
+                passwords[1].data = password_s;
+                passwords[1].length = strlen(password_s);
+        }
 
         /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
@@ -348 +358 @@
 
         /* We need to setup a auth context with each possible encoding type in turn. */
-        for (i=0;enctypes[i];i++) {
-                krb5_keyblock *key = NULL;
-
-                if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
-                        ret = ENOMEM;
-                        goto out;
-                }
-        
-                if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) {
-                        SAFE_FREE(key);
-                        continue;
-                }
-
-                krb5_auth_con_setuseruserkey(context, auth_context, key);
-
-                if (!(ret = krb5_rd_req(context, &auth_context, &packet, 
-                                        NULL,
-                                        NULL, NULL, pp_tkt))) {
-                        DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
-                                (unsigned int)enctypes[i] ));
-                        auth_ok = True;
-                        krb5_copy_keyblock(context, key, keyblock);
+        for (j=0; j<2 && passwords[j].length; j++) {
+
+                for (i=0;enctypes[i];i++) {
+                        krb5_keyblock *key = NULL;
+
+                        if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
+                                ret = ENOMEM;
+                                goto out;
+                        }
+
+                        if (create_kerberos_key_from_string(context, host_princ, &passwords[j], key, enctypes[i], false)) {
+                                SAFE_FREE(key);
+                                continue;
+                        }
+
+                        krb5_auth_con_setuseruserkey(context, auth_context, key);
+
+                        if (!(ret = krb5_rd_req(context, &auth_context, &packet,
+                                                NULL,
+                                                NULL, NULL, pp_tkt))) {
+                                DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
+                                        (unsigned int)enctypes[i] ));
+                                auth_ok = True;
+                                cont = false;
+                                krb5_copy_keyblock(context, key, keyblock);
+                                krb5_free_keyblock(context, key);
+                                break;
+                        }
+
+                        DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
+                                        ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
+                                        (unsigned int)enctypes[i], error_message(ret)));
+
+                        /* successfully decrypted but ticket is just not valid at the moment */
+                        if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
+                            ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
+                            ret == KRB5KRB_AP_ERR_SKEW) {
+                                krb5_free_keyblock(context, key);
+                                cont = false;
+                                break;
+                        }
+
                         krb5_free_keyblock(context, key);
+                }
+                if (!cont) {
+                        /* If we found a valid pass then no need to try
+                         * the next one or we have invalid ticket so no need
+                         * to try next password*/
                         break;
                 }
-
-                DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
-                                ("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
-                                (unsigned int)enctypes[i], error_message(ret)));
-
-                /* successfully decrypted but ticket is just not valid at the moment */
-                if (ret == KRB5KRB_AP_ERR_TKT_NYV || 
-                    ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
-                    ret == KRB5KRB_AP_ERR_SKEW) {
-                        krb5_free_keyblock(context, key);
-                        break;
-                }
-
-                krb5_free_keyblock(context, key);
-
         }
 
  out:
-        SAFE_FREE(password_s);
+        SAFE_FREE(passwords[0].data);
+        SAFE_FREE(passwords[1].data);
         *perr = ret;
         return auth_ok;