oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
2087e07c1ef53b11163e9efdff71becdbc0212f7
heimdal/tests/plugin/windc.c
Luke Howard 2087e07c1e kdc: update PAC hooks for Samba 
Samba includes the user's long-term credentials (encrypted in the AS reply key)
to allow legacy authentication protocols such as NTLM to work even if the
pre-authentication mechanism replaced the reply key (as PKINIT does).

Samba also needs to know whether the client explicitly requested a PAC be
included (or excluded), in order to defer PAC exclusion until a service ticket
is issued (thereby avoiding a name binding attack if the user is renamed
between TGT and service ticket issuance).

References:

https://bugzilla.samba.org/show_bug.cgi?id=11441
https://bugzilla.samba.org/show_bug.cgi?id=14561

Closes: #864

Original authors:
 - Joseph Sutton <josephsutton@catalyst.net.nz>
 - Andrew Bartlett <abartlet@samba.org>
 - Stefan Metzmacher <metze@samba.org>
2021-12-14 13:51:53 +11:00

151 lines
3.4 KiB
C
Raw Blame History

#include <string.h>
#include <krb5_locl.h>
#include <hdb.h>
#include <hx509.h>
#include <kdc.h>
#include <windc_plugin.h>
static krb5_error_code KRB5_CALLCONV
windc_init(krb5_context context, void **ctx)
{
krb5_warnx(context, "windc init");
*ctx = NULL;
return 0;
}
static void KRB5_CALLCONV
windc_fini(void *ctx)
{
}
static krb5_error_code KRB5_CALLCONV
pac_generate(void *ctx, krb5_context context,
struct hdb_entry_ex *client,
struct hdb_entry_ex *server,
const krb5_keyblock *pk_replykey,
const krb5_boolean *pac_request,
krb5_pac *pac)
{
krb5_error_code ret;
krb5_data data;
if (pac_request != NULL && *pac_request == FALSE) {
*pac = NULL;
return 0;
}
krb5_warnx(context, "pac generate");
data.data = "\x00\x01";
data.length = 2;
ret = krb5_pac_init(context, pac);
if (ret)
return ret;
ret = krb5_pac_add_buffer(context, *pac, 1, &data);
if (ret)
return ret;
return 0;
}
static krb5_error_code KRB5_CALLCONV
pac_verify(void *ctx, krb5_context context,
const krb5_principal new_ticket_client,
const krb5_principal delegation_proxy,
struct hdb_entry_ex * client,
struct hdb_entry_ex * server,
struct hdb_entry_ex * krbtgt,
krb5_pac *pac)
{
krb5_error_code ret;
krb5_data data;
krb5_cksumtype cstype;
uint16_t rodc_id;
krb5_enctype etype;
Key *key;
krb5_warnx(context, "pac_verify");
ret = krb5_pac_get_buffer(context, *pac, 1, &data);
if (ret)
return ret;
krb5_data_free(&data);
ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
if (ret)
return ret;
if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) {
krb5_warnx(context, "Wrong RODCIdentifier");
return EINVAL;
}
ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
if (ret)
return ret;
ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
if (ret)
return ret;
return krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
}
static krb5_error_code KRB5_CALLCONV
client_access(void *ctx,
krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *client, const char *client_name,
hdb_entry_ex *server, const char *server_name,
KDC_REQ *req,
METHOD_DATA *data)
{
krb5_warnx(context, "client_access");
return 0;
}
static krb5plugin_windc_ftable windc = {
KRB5_WINDC_PLUGING_MINOR,
windc_init,
windc_fini,
pac_generate,
pac_verify,
client_access
};
static const krb5plugin_windc_ftable *const windc_plugins[] = {
&windc
};
krb5_error_code KRB5_CALLCONV
windc_plugin_load(krb5_context context,
krb5_get_instance_func_t *get_instance,
size_t *num_plugins,
const krb5plugin_windc_ftable *const **plugins);
static uintptr_t KRB5_CALLCONV
windc_get_instance(const char *libname)
{
if (strcmp(libname, "hdb") == 0)
return hdb_get_instance(libname);
else if (strcmp(libname, "krb5") == 0)
return krb5_get_instance(libname);
return 0;
}
krb5_error_code KRB5_CALLCONV
windc_plugin_load(krb5_context context,
krb5_get_instance_func_t *get_instance,
size_t *num_plugins,
const krb5plugin_windc_ftable *const **plugins)
{
*get_instance = windc_get_instance;
*num_plugins = sizeof(windc_plugins) / sizeof(windc_plugins[0]);
*plugins = windc_plugins;
return 0;
}
Reference in New Issue View Git Blame Copy Permalink