Changeset 988 for vendor/current/source4/kdc/wdc-samba4.c

Timestamp:

Nov 24, 2016, 1:14:11 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.3

File:

• vendor/current/source4/kdc/wdc-samba4.c (modified) (12 diffs)

vendor/current/source4/kdc/wdc-samba4.c

@@ -35 +35 @@
         krb5_error_code ret;
         NTSTATUS nt_status;
+        struct samba_kdc_entry *skdc_entry =
+                talloc_get_type_abort(client->ctx,
+                struct samba_kdc_entry);
 
         mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context");
@@ -41 +44 @@
         }
 
-        nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
+        nt_status = samba_kdc_get_pac_blob(mem_ctx, skdc_entry, &pac_blob);
         if (!NT_STATUS_IS_OK(nt_status)) {
                 talloc_free(mem_ctx);
@@ -47 +50 @@
         }
 
-        ret = samba_make_krb5_pac(context, pac_blob, pac);
+        ret = samba_make_krb5_pac(context, pac_blob, NULL, pac);
 
         talloc_free(mem_ctx);
@@ -57 +60 @@
 static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
                                            const krb5_principal client_principal,
+                                           const krb5_principal delegated_proxy_principal,
                                            struct hdb_entry_ex *client,
                                            struct hdb_entry_ex *server,
@@ -62 +66 @@
                                            krb5_pac *pac)
 {
-        struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry);
+        struct samba_kdc_entry *p =
+                talloc_get_type_abort(server->ctx,
+                struct samba_kdc_entry);
+        struct samba_kdc_entry *krbtgt_skdc_entry =
+                talloc_get_type_abort(krbtgt->ctx,
+                struct samba_kdc_entry);
         TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context");
         DATA_BLOB *pac_blob;
+        DATA_BLOB *deleg_blob = NULL;
         krb5_error_code ret;
         NTSTATUS nt_status;
+        struct PAC_SIGNATURE_DATA *pac_srv_sig;
+        struct PAC_SIGNATURE_DATA *pac_kdc_sig;
+        bool is_in_db, is_untrusted;
 
         if (!mem_ctx) {
@@ -73 +86 @@
 
         /* The user account may be set not to want the PAC */
-        if (!samba_princ_needs_pac(server)) {
+        if (!samba_princ_needs_pac(p)) {
                 talloc_free(mem_ctx);
                 return EINVAL;
@@ -81 +94 @@
          * RODC, then we need to regenerate the PAC - we can't trust
          * it */
-        if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
+        ret = samba_krbtgt_is_in_db(krbtgt_skdc_entry, &is_in_db, &is_untrusted);
+        if (ret != 0) {
+                talloc_free(mem_ctx);
+                return ret;
+        }
+
+        if (is_untrusted) {
+                struct samba_kdc_entry *client_skdc_entry = NULL;
+
                 if (client == NULL) {
                         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
                 }
-                nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
+
+                client_skdc_entry = talloc_get_type_abort(client->ctx,
+                                                          struct samba_kdc_entry);
+
+                nt_status = samba_kdc_get_pac_blob(mem_ctx, client_skdc_entry, &pac_blob);
                 if (!NT_STATUS_IS_OK(nt_status)) {
                         talloc_free(mem_ctx);
@@ -97 +122 @@
                 }
 
+                pac_srv_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA);
+                if (!pac_srv_sig) {
+                        talloc_free(mem_ctx);
+                        return ENOMEM;
+                }
+
+                pac_kdc_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA);
+                if (!pac_kdc_sig) {
+                        talloc_free(mem_ctx);
+                        return ENOMEM;
+                }
+
                 nt_status = samba_kdc_update_pac_blob(mem_ctx, context,
-                                                      pac, pac_blob);
+                                                      *pac, pac_blob,
+                                                      pac_srv_sig, pac_kdc_sig);
                 if (!NT_STATUS_IS_OK(nt_status)) {
                         DEBUG(0, ("Building PAC failed: %s\n",
@@ -105 +143 @@
                         return EINVAL;
                 }
-        }
+                
+                if (is_in_db) {
+                        /* Now check the KDC signature, fetching the correct key based on the enc type */
+                        ret = kdc_check_pac(context, pac_srv_sig->signature, pac_kdc_sig, krbtgt);
+                        if (ret != 0) {
+                                DEBUG(1, ("PAC KDC signature failed to verify\n"));
+                                talloc_free(mem_ctx);
+                                return ret;
+                        }
+                }
+        }
+
+        if (delegated_proxy_principal) {
+                deleg_blob = talloc_zero(mem_ctx, DATA_BLOB);
+                if (!deleg_blob) {
+                        talloc_free(mem_ctx);
+                        return ENOMEM;
+                }
+
+                nt_status = samba_kdc_update_delegation_info_blob(mem_ctx,
+                                        context, *pac,
+                                        server->entry.principal,
+                                        delegated_proxy_principal,
+                                        deleg_blob);
+                if (!NT_STATUS_IS_OK(nt_status)) {
+                        DEBUG(0, ("Building PAC failed: %s\n",
+                                  nt_errstr(nt_status)));
+                        talloc_free(mem_ctx);
+                        return EINVAL;
+                }
+        }
+
         /* We now completely regenerate this pac */
         krb5_pac_free(context, *pac);
 
-        ret = samba_make_krb5_pac(context, pac_blob, pac);
+        ret = samba_make_krb5_pac(context, pac_blob, deleg_blob, pac);
 
         talloc_free(mem_ctx);
@@ -133 +202 @@
         }
 
-        if (nb_name == NULL) {
+        if ((nb_name == NULL) || (nb_name[0] == '\0')) {
                 return NULL;
         }
 
         /* Strip space padding */
-        i = strlen(nb_name) - 1;
-        while (i > 0 && nb_name[i] == ' ') {
-                nb_name[i] = '\0';
+        for (len = strlen(nb_name) - 1;
+             (len > 0) && (nb_name[len] == ' ');
+             --len) {
+                nb_name[len] = '\0';
         }
 
@@ -155 +225 @@
         return kdata;
 }
+
+/* this function allocates 'data' using malloc.
+ * The caller is responsible for freeing it */
+static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
+{
+        krb5_error_code ret = 0;
+        PA_DATA pa;
+        unsigned char *buf;
+        size_t len;
+
+        if (!e_data)
+                return;
+
+        e_data->data   = NULL;
+        e_data->length = 0;
+
+        pa.padata_type          = KRB5_PADATA_PW_SALT;
+        pa.padata_value.length  = 12;
+        pa.padata_value.data    = malloc(pa.padata_value.length);
+        if (!pa.padata_value.data) {
+                e_data->length = 0;
+                e_data->data = NULL;
+                return;
+        }
+
+        SIVAL(pa.padata_value.data, 0, NT_STATUS_V(nt_status));
+        SIVAL(pa.padata_value.data, 4, 0);
+        SIVAL(pa.padata_value.data, 8, 1);
+
+        ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret);
+        free(pa.padata_value.data);
+        if (ret) {
+                return;
+        }
+
+        e_data->data   = buf;
+        e_data->length = len;
+
+        return;
+}
+
 
 static krb5_error_code samba_wdc_check_client_access(void *priv,
@@ -213 +324 @@
 
 struct krb5plugin_windc_ftable windc_plugin_table = {
-        .minor_version = KRB5_WINDC_PLUGING_MINOR,
+        .minor_version = KRB5_WINDC_PLUGIN_MINOR,
         .init = samba_wdc_plugin_init,
         .fini = samba_wdc_plugin_fini,