diff options
Diffstat (limited to 'auth')
-rw-r--r-- | auth/kerberos/kerberos_pac.c | 47 |
1 files changed, 28 insertions, 19 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index ae4557b..b6272ac 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -33,6 +33,7 @@ #include "librpc/gen_ndr/auth.h" #include "auth/common_auth.h" #include "auth/kerberos/pac_utils.h" +#include "lib/krb5_wrap/krb5_samba.h" krb5_error_code check_pac_checksum(DATA_BLOB pac_data, struct PAC_SIGNATURE_DATA *sig, @@ -44,26 +45,34 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, krb5_keyusage usage = 0; krb5_boolean checksum_valid = false; krb5_data input; - - switch (sig->type) { - case CKSUMTYPE_HMAC_MD5: - /* ignores the key type */ - break; - case CKSUMTYPE_HMAC_SHA1_96_AES_256: - if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { - return EINVAL; - } - /* ok */ - break; - case CKSUMTYPE_HMAC_SHA1_96_AES_128: - if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { - return EINVAL; + size_t idx = 0; + struct { + krb5_cksumtype cksum_type; + krb5_enctype enc_type; + } supported_types[] = { + {CKSUMTYPE_HMAC_SHA1_96_AES_256, ENCTYPE_AES256_CTS_HMAC_SHA1_96}, + {CKSUMTYPE_HMAC_SHA1_96_AES_128, ENCTYPE_AES128_CTS_HMAC_SHA1_96}, + /* RFC8009 types. Not supported by AD yet but used by FreeIPA and MIT Kerberos */ + {CKSUMTYPE_HMAC_SHA256_128_AES128, ENCTYPE_AES128_CTS_HMAC_SHA256_128}, + {CKSUMTYPE_HMAC_SHA384_192_AES256, ENCTYPE_AES256_CTS_HMAC_SHA384_192}, + {0, 0}, + }; + + for(idx = 0; supported_types[idx].cksum_type != 0; idx++) { + if (sig->type == supported_types[idx].cksum_type) { + if (KRB5_KEY_TYPE(keyblock) != supported_types[idx].enc_type) { + return EINVAL; + } + /* ok */ + break; } - /* ok */ - break; - default: - DEBUG(2,("check_pac_checksum: Checksum Type %"PRIu32" is not supported\n", - sig->type)); + } + + /* do not do key type check for HMAC-MD5 */ + if ((sig->type != CKSUMTYPE_HMAC_MD5) && + (supported_types[idx].cksum_type == 0)) { + DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", + (int)sig->type)); return EINVAL; } |