90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose Sumit Bose <sbose@redhat.com>
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bose Copyright (C) 2011, 2012, 2013 Red Hat
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose This program is free software; you can redistribute it and/or modify
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose it under the terms of the GNU Lesser General Public License as published by
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose the Free Software Foundation; either version 3 of the License, or
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose (at your option) any later version.
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose This program is distributed in the hope that it will be useful,
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose but WITHOUT ANY WARRANTY; without even the implied warranty of
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose GNU Lesser General Public License for more details.
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose You should have received a copy of the GNU Lesser General Public License
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose along with this program. If not, see <http://www.gnu.org/licenses/>.
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose/* Short documentation about authdata plugins can be found at
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose * http://k5wiki.kerberos.org/wiki/Projects/VerifyAuthData */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bosesssdpac_init(krb5_context kcontext, void **plugin_context)
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bosesssdpac_fini(krb5_context kcontext, void *plugin_context)
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose sssdctx = (struct sssd_context *)calloc(1, sizeof(*sssdctx));
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose struct sssd_context *sssdctx = (struct sssd_context *)request_context;
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose data = malloc(sizeof(char) * authdata[0]->length);
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose memcpy(data, authdata[0]->contents, authdata[0]->length);
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_free_data_contents(kcontext, &sssdctx->data);
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose struct sssd_context *sssdctx = (struct sssd_context *)request_context;
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_free_data_contents(kcontext, &sssdctx->data);
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bosestatic krb5_error_code sssdpac_verify(krb5_context kcontext,
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bose struct sssd_context *sssdctx = (struct sssd_context *)request_context;
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bose if (sssdctx == NULL || sssdctx->data.data == NULL) {
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bose kerr = krb5_pac_parse(kcontext, sssdctx->data.data,
b4c44ebb8997d3debb33607c123ccfd9926e0cbaThomas Oulevey /* deallocate pac */
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek /* The krb5 documentation says:
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * A checksum mismatch can occur if the PAC was copied from a
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * Open Directory (as of 10.6) generates PACs with no server checksum
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * at all. One should consider not failing the whole authentication
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * because of this reason, but, instead, treating the ticket as
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * if it did not contain a PAC or marking the PAC information as
6e51d44a65b15c2f0491b0a8b452caac0bc00584Jakub Hrozek * non-verified.
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bose ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,
92af6f25864b5c389b57d0f659686801b45ca58cSumit Bose /* Ignore the error */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose struct sssd_context *sssdctx = (struct sssd_context *)request_context;
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose struct sssd_context *sssdctx = (struct sssd_context *)request_context;
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_ser_pack_int32((krb5_int32)sssdctx->data.length,
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_ser_pack_bytes((krb5_octet *)sssdctx->data.data,
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_ser_pack_int32(0, &bp, &remain); /* length */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_ser_pack_int32(0, &bp, &remain); /* verified */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose struct sssd_context *sssdctx = (struct sssd_context *)request_context;
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose /* length */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose /* verified */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bose krb5_free_data_contents(kcontext, &sssdctx->data);
/* Authdata types this plugin registers for: only the Windows 2000 PAC.
 * The trailing 0 terminates the list for the krb5 authdata plugin API. */
90fd1bbd6035cdab46faa3a695a2fb2be6508b17Sumit Bosestatic krb5_authdatatype sssdpac_ad_types[] = { KRB5_AUTHDATA_WIN2K_PAC, 0 };