kdc: pass down the delegated_proxy_principal to the verify_pac() function

This is needed in order to add the S4U_DELEGATION_INFO to the pac.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>

kdc/krb5tgs.c

@@ -279,6 +279,7 @@ static krb5_error_code
 check_PAC(krb5_context context,
 	  krb5_kdc_configuration *config,
 	  const krb5_principal client_principal,
+	  const krb5_principal delegated_proxy_principal,
 	  hdb_entry_ex *client,
 	  hdb_entry_ex *server,
 	  hdb_entry_ex *krbtgt,
@@ -336,6 +337,7 @@ check_PAC(krb5_context context,
 		}
 
 		ret = _kdc_pac_verify(context, client_principal,
+				      delegated_proxy_principal,
 				      client, server, krbtgt, &pac, &signed_pac);
 		if (ret) {
 		    krb5_pac_free(context, pac);
@@ -1480,9 +1482,9 @@ tgs_build_reply(krb5_context context,
 		const struct sockaddr *from_addr)
 {
     krb5_error_code ret;
-    krb5_principal cp = NULL, sp = NULL, tp = NULL;
+    krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL;
     krb5_principal krbtgt_principal = NULL;
-    char *spn = NULL, *cpn = NULL, *tpn = NULL;
+    char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
     HDB *clientdb, *s4u2self_impersonated_clientdb;
     krb5_realm ref_realm = NULL;
@@ -1805,7 +1807,7 @@ server_lookup:
 	krb5_free_error_message(context, msg);
     }
 
-    ret = check_PAC(context, config, cp,
+    ret = check_PAC(context, config, cp, NULL,
 		    client, server, krbtgt,
 		    &tkey_check->key, &tkey_check->key,
 		    ekey, &tkey_sign->key,
@@ -2032,12 +2034,23 @@ server_lookup:
 	if (ret)
 	    goto out;
 
+	ret = _krb5_principalname2krb5_principal(context,
+						 &dp,
+						 t->sname,
+						 t->realm);
+	if (ret)
+	    goto out;
+
+	ret = krb5_unparse_name(context, dp, &dpn);
+	if (ret)
+	    goto out;
+
 	/* check that ticket is valid */
 	if (adtkt.flags.forwardable == 0) {
 	    kdc_log(context, config, 0,
 		    "Missing forwardable flag on ticket for "
-		    "constrained delegation from %s as %s to %s ",
+		    "constrained delegation from %s (%s) as %s to %s ",
-		    cpn, tpn, spn);
+		    cpn, dpn, tpn, spn);
 	    ret = KRB5KDC_ERR_BADOPTION;
 	    goto out;
 	}
@@ -2046,8 +2059,8 @@ server_lookup:
 					   client, server, sp);
 	if (ret) {
 	    kdc_log(context, config, 0,
-		    "constrained delegation from %s as %s to %s not allowed",
+		    "constrained delegation from %s (%s) as %s to %s not allowed",
-		    cpn, tpn, spn);
+		    cpn, dpn, tpn, spn);
 	    goto out;
 	}
 
@@ -2064,7 +2077,7 @@ server_lookup:
 	 * TODO: pass in t->sname and t->realm and build
 	 * a S4U_DELEGATION_INFO blob to the PAC.
 	 */
-	ret = check_PAC(context, config, tp,
+	ret = check_PAC(context, config, tp, dp,
 			client, server, krbtgt,
 			&clientkey->key, &tkey_check->key,
 			ekey, &tkey_sign->key,
@@ -2073,8 +2086,8 @@ server_lookup:
 	    const char *msg = krb5_get_error_message(context, ret);
 	    kdc_log(context, config, 0,
 		    "Verify delegated PAC failed to %s for client"
-		    "%s as %s from %s with %s",
+		    "%s (%s) as %s from %s with %s",
-		    spn, cpn, tpn, from, msg);
+		    spn, cpn, dpn, tpn, from, msg);
 	    krb5_free_error_message(context, msg);
 	    goto out;
 	}
@@ -2093,9 +2106,9 @@ server_lookup:
 	    const char *msg = krb5_get_error_message(context, ret);
 	    kdc_log(context, config, 0,
 		    "KRB5SignedPath check from service %s failed "
-		    "for delegation to %s for client %s "
+		    "for delegation to %s for client %s (%s)"
 		    "from %s failed with %s",
-		    spn, tpn, cpn, from, msg);
+		    spn, tpn, dpn, cpn, from, msg);
 	    krb5_free_error_message(context, msg);
 	    goto out;
 	}
@@ -2104,14 +2117,14 @@ server_lookup:
 	    ret = KRB5KDC_ERR_BADOPTION;
 	    kdc_log(context, config, 0,
 		    "Ticket not signed with PAC nor SignedPath service %s failed "
-		    "for delegation to %s for client %s "
+		    "for delegation to %s for client %s (%s)"
 		    "from %s",
-		    spn, tpn, cpn, from);
+		    spn, tpn, dpn, cpn, from);
 	    goto out;
 	}
 
 	kdc_log(context, config, 0, "constrained delegation for %s "
-		"from %s to %s", tpn, cpn, spn);
+		"from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
 
     /*
@@ -2208,6 +2221,8 @@ out:
 	    free(tpn);
     free(spn);
     free(cpn);
+    if (dpn)
+	free(dpn);
 
     krb5_data_free(&rspac);
     krb5_free_keyblock_contents(context, &sessionkey);
@@ -2224,6 +2239,8 @@ out:
 	krb5_free_principal(context, tp);
     if (cp)
 	krb5_free_principal(context, cp);
+    if (dp)
+	krb5_free_principal(context, dp);
     if (sp)
 	krb5_free_principal(context, sp);
     if (ref_realm)

kdc/windc.c

@@ -84,6 +84,7 @@ _kdc_pac_generate(krb5_context context,
 krb5_error_code
 _kdc_pac_verify(krb5_context context,
 		const krb5_principal client_principal,
+		const krb5_principal delegated_proxy_principal,
 		hdb_entry_ex *client,
 		hdb_entry_ex *server,
 		hdb_entry_ex *krbtgt,
@@ -96,7 +97,9 @@ _kdc_pac_verify(krb5_context context,
 	return 0;
 
     ret = windcft->pac_verify(windcctx, context,
-			      client_principal, client, server, krbtgt, pac);
+			      client_principal,
+			      delegated_proxy_principal,
+			      client, server, krbtgt, pac);
     if (ret == 0)
 	*verified = 1;
     return ret;

kdc/windc_plugin.h

@@ -57,10 +57,11 @@ typedef krb5_error_code
 
 typedef krb5_error_code
 (*krb5plugin_windc_pac_verify)(void *, krb5_context,
-			       const krb5_principal,
+			       const krb5_principal, /* new ticket client */
-			       struct hdb_entry_ex *,
+			       const krb5_principal, /* delegation proxy */
-			       struct hdb_entry_ex *,
+			       struct hdb_entry_ex *,/* client */
-			       struct hdb_entry_ex *,
+			       struct hdb_entry_ex *,/* server */
+			       struct hdb_entry_ex *,/* krbtgt */
 			       krb5_pac *);
 
 typedef krb5_error_code
@@ -72,7 +73,7 @@ typedef krb5_error_code
 	KDC_REQ *, krb5_data *);
 
 
-#define KRB5_WINDC_PLUGIN_MINOR			5
+#define KRB5_WINDC_PLUGIN_MINOR			6
 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
 
 typedef struct krb5plugin_windc_ftable {