svn commit: samba r10145 - in branches/SAMBA_4_0/source: auth/kerberos librpc/idl

abartlet at samba.org abartlet at samba.org
Sat Sep 10 10:39:45 GMT 2005


Author: abartlet
Date: 2005-09-10 10:39:45 +0000 (Sat, 10 Sep 2005)
New Revision: 10145

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10145

Log:
Allow a variable length signature, so we can support signing with
other than arcfour-hmac-md5.  Currently we still fail to verify other
signatures however.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
   branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c	2005-09-10 09:30:23 UTC (rev 10144)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c	2005-09-10 10:39:45 UTC (rev 10145)
@@ -44,10 +44,9 @@
 	Checksum cksum;
 
 	cksum.cksumtype		= (CKSUMTYPE)sig->type;
-	cksum.checksum.length	= sizeof(sig->signature);
-	cksum.checksum.data	= sig->signature;
+	cksum.checksum.length	= sig->signature.length;
+	cksum.checksum.data	= sig->signature.data;
 
-
 	ret = krb5_crypto_init(context,
 			       keyblock,
 			       0,
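Review bot: `cksum.checksum.length` is now taken from `sig->signature.length`, and nothing in this hunk checks that value before it is handed to the Kerberos library. After the krb5pac.idl change in this commit, it is whatever remained in the decoded buffer rather than a fixed 16 bytes. The library's verify call presumably rejects a length that does not fit `cksumtype`, but that is outside the hunk. An explicit guard before filling in `cksum`, for example `if (sig->signature.data == NULL || sig->signature.length == 0) return EINVAL;`, would make an empty signature fail closed here. The same unvalidated blob is passed by value in the `srv_sig_ptr->signature` hunk that follows; the function body starts and ends outside this hunk.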
@@ -172,11 +171,8 @@
 	}
 
 	if (krbtgt_keyblock) {
-		DATA_BLOB service_checksum_blob
-			= data_blob_const(srv_sig_ptr->signature, sizeof(srv_sig_ptr->signature));
-
 		ret = check_pac_checksum(mem_ctx, 
-					    service_checksum_blob, &kdc_sig, 
+					    srv_sig_ptr->signature, &kdc_sig, 
 					    context, krbtgt_keyblock);
 		if (ret) {
 			DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
@@ -300,9 +296,7 @@
 	}
 
 	sig->type = cksum.cksumtype;
-	if (cksum.checksum.length == sizeof(sig->signature)) {
-		memcpy(sig->signature, cksum.checksum.data, sizeof(sig->signature));
-	}
+	sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);
 	free_Checksum(&cksum);
 
 	return 0;
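Review bot: The result of `data_blob_talloc()` is stored in `sig->signature` without a check, so an allocation failure would leave the signature blob empty while the function still returns 0. The caller would then serialise a PAC whose signature is missing instead of reporting an error. Testing right after the assignment would surface it: `if (sig->signature.data == NULL) { free_Checksum(&cksum); return ENOMEM; }`. The start of the function is outside the hunk, so whether an earlier path already guarantees a non-empty checksum cannot be confirmed from here.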
@@ -319,7 +313,6 @@
 	krb5_error_code ret;
 	DATA_BLOB zero_blob = data_blob(NULL, 0);
 	DATA_BLOB tmp_blob = data_blob(NULL, 0);
-	DATA_BLOB service_checksum_blob;
 	struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
 	struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
 	int i;
@@ -367,8 +360,8 @@
 	}
 
 	/* But wipe out the actual signatures */
-	ZERO_STRUCT(kdc_checksum->signature);
-	ZERO_STRUCT(srv_checksum->signature);
+	memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
+	memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
 
 	nt_status = ndr_push_struct_blob(&tmp_blob, mem_ctx, pac_data,
 					 (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
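Review bot: The two `memset` calls only wipe anything if `signature.data` already points at a buffer of the final checksum length, and the allocation is not visible in this hunk. The old `ZERO_STRUCT` always cleared the fixed 16-byte array, whereas a `DATA_BLOB` has no storage until something allocates it. If the blobs are still empty here, the PAC pushed for signing carries no placeholder bytes and will not match the layout of the final PAC, and `memset` receives whatever pointer the blob holds. State the precondition in the comment, e.g. `/* signature blobs must already be sized for the checksum type; wipe their contents */`, and consider guarding on `signature.data != NULL`. The function continues outside the hunk.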
@@ -382,11 +375,8 @@
 	ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum,
 				context, service_keyblock);
 
-	service_checksum_blob
-		= data_blob_const(srv_checksum->signature, sizeof(srv_checksum->signature));
-
 	/* Then sign Server checksum */
-	ret = make_pac_checksum(mem_ctx, &service_checksum_blob, kdc_checksum, context, krbtgt_keyblock);
+	ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock);
 	if (ret) {
 		DEBUG(2, ("making krbtgt PAC checksum failed: %s\n", 
 			  smb_get_krb5_error_message(context, ret, mem_ctx)));
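Review bot: The return value of the first `make_pac_checksum()` call (the server checksum over `tmp_blob`) is overwritten by the second call before it is ever tested. A failure to produce the server signature therefore goes unnoticed, and the KDC checksum is computed over whatever `srv_checksum->signature` holds at that point, which after the wipe above would be zeroed or empty. Add a check directly after the first call, mirroring the one that follows the second: `if (ret) { DEBUG(2, ("making service PAC checksum failed: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); return ret; }`. The body of the existing `if (ret)` ends outside the hunk, so the exact cleanup it performs should be matched.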

Modified: branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl
===================================================================
--- branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl	2005-09-10 09:30:23 UTC (rev 10144)
+++ branches/SAMBA_4_0/source/librpc/idl/krb5pac.idl	2005-09-10 10:39:45 UTC (rev 10145)
@@ -20,7 +20,7 @@
 
 	typedef [flag(NDR_PAHEX)] struct {
 		uint32 type;
-		uint8 signature[16];
+		[flag(NDR_REMAINING)] DATA_BLOB signature;
 	} PAC_SIGNATURE_DATA;
 
 	typedef [gensize] struct {


