kdc: move PAC into astgs_request_t structure

Luke Howard
2021-12-23 19:23:22 +11:00
committed by Nico Williams
parent d95be72681
commit 2e8b172f38
3 changed files with 31 additions and 35 deletions


@@ -1017,7 +1017,7 @@ pa_gss_display_name(gss_name_t name,
struct pa_gss_finalize_pac_plugin_ctx {
astgs_request_t r;
krb5_pac mspac;
krb5_pac pac;
krb5_data *pac_data;
};
@@ -1031,7 +1031,7 @@ pa_gss_finalize_pac_cb(krb5_context context,
struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
return authorizer->finalize_pac(plugctx, context,
pa_gss_finalize_pac_ctx->mspac,
pa_gss_finalize_pac_ctx->pac,
pa_gss_finalize_pac_ctx->pac_data);
}
@@ -1039,12 +1039,12 @@ pa_gss_finalize_pac_cb(krb5_context context,
krb5_error_code
_kdc_gss_finalize_pac(astgs_request_t r,
gss_client_params *gcp,
krb5_pac mspac)
krb5_pac pac)
{
krb5_error_code ret;
struct pa_gss_finalize_pac_plugin_ctx ctx;
ctx.mspac = mspac;
ctx.pac = pac;
ctx.pac_data = &gcp->pac_data;
krb5_clear_error_message(r->context);


@@ -605,13 +605,13 @@ out:
}
static krb5_error_code
pa_gss_finalize_pac(astgs_request_t r, krb5_pac mspac)
pa_gss_finalize_pac(astgs_request_t r)
{
gss_client_params *gcp = (gss_client_params *)r->pa_state;
heim_assert(gcp != NULL, "invalid GSS-API client params");
return _kdc_gss_finalize_pac(r, gcp, mspac);
return _kdc_gss_finalize_pac(r, gcp, r->pac);
}
static void
@@ -985,7 +985,7 @@ struct kdc_patypes {
krb5_error_code (*validate)(astgs_request_t,
const PA_DATA *pa,
struct kdc_pa_auth_status *auth_status);
krb5_error_code (*finalize_pac)(astgs_request_t r, krb5_pac mspac);
krb5_error_code (*finalize_pac)(astgs_request_t r);
void (*cleanup)(astgs_request_t r);
};
@@ -1860,7 +1860,6 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
krb5_boolean is_tgs)
{
krb5_error_code ret;
krb5_pac p = NULL;
krb5_data data;
uint16_t rodc_id;
krb5_principal client;
@@ -1886,13 +1885,13 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
? &r->reply_key : NULL,
r->pac_attributes,
&p);
&r->pac);
if (ret) {
_kdc_r_log(r, 4, "PAC generation failed for -- %s",
r->cname);
return ret;
}
if (p == NULL)
if (r->pac == NULL)
return 0;
rodc_id = r->server->entry.kvno >> 16;
@@ -1900,10 +1899,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
/* libkrb5 expects ticket and PAC client names to match */
ret = _krb5_principalname2krb5_principal(r->context, &client,
r->et.cname, r->et.crealm);
if (ret) {
krb5_pac_free(r->context, p);
if (ret)
return ret;
}
/*
* Include the canonical name of the principal in the authorization
@@ -1923,14 +1920,14 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
}
if (r->pa_used && r->pa_used->finalize_pac) {
ret = r->pa_used->finalize_pac(r, p);
if (ret) {
krb5_pac_free(r->context, p);
ret = r->pa_used->finalize_pac(r);
if (ret)
return ret;
}
}
ret = _krb5_pac_sign(r->context, p, r->et.authtime,
ret = _krb5_pac_sign(r->context,
r->pac,
r->et.authtime,
client,
&skey->key, /* Server key */
&tkey->key, /* TGS key */
@@ -1940,7 +1937,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
is_tgs ? &r->pac_attributes : NULL,
&data);
krb5_free_principal(r->context, client);
krb5_pac_free(r->context, p);
krb5_pac_free(r->context, r->pac);
r->pac = NULL;
if (ret) {
_kdc_r_log(r, 4, "PAC signing failed for -- %s",
r->cname);
@@ -2819,6 +2817,7 @@ out:
krb5_free_keyblock_contents(r->context, &r->reply_key);
krb5_free_keyblock_contents(r->context, &r->session_key);
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
krb5_pac_free(r->context, r->pac);
return ret;
}
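Review bot: `_kdc_pac_generate(..., &r->pac)` in generate_pac, and likewise `_kdc_check_pac(..., &priv->pac, ...)` in tgs_build_reply in the krb5tgs.c section, now write through a request field where the removed code wrote through a local explicitly initialised to NULL, so any non-NULL `r->pac` already present on entry is silently overwritten and leaked, and the new `krb5_pac_free(r->context, r->pac)` at out: only releases the last value. If astgs_request_t is zero-initialised and generate_pac runs at most once per request this is harmless, but neither is visible in the hunk; an assertion before the call, `heim_assert(r->pac == NULL, "PAC already generated");`, or the free-and-NULL pattern the TGS path already uses before its s4u2self regeneration, would make that invariant explicit. The ownership change also deserves a comment at the out: cleanup, e.g. `/* r->pac is owned by the request: generate_pac releases it after signing, this path covers every early return */`. generate_pac and the enclosing cleanup function both start outside the hunks.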


@@ -599,7 +599,6 @@ tgs_make_reply(astgs_request_t r,
hdb_entry_ex *client,
krb5_principal client_principal,
const char *tgt_realm,
krb5_pac mspac,
uint16_t rodc_id,
krb5_boolean add_ticket_sig,
const METHOD_DATA *enc_pa_data)
@@ -824,7 +823,7 @@ tgs_make_reply(astgs_request_t r,
* restrictive authorization data. Policy for unknown authorization types
* is implementation dependent.
*/
if (mspac && !et.flags.anonymous) {
if (r->pac && !et.flags.anonymous) {
_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
(long)r->pac_attributes);
@@ -837,7 +836,7 @@ tgs_make_reply(astgs_request_t r,
krb5_boolean is_tgs =
krb5_principal_is_krbtgt(r->context, server->entry.principal);
ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, tgt_name, serverkey,
krbtgtkey, rodc_id, NULL, r->client_princ,
add_ticket_sig, &et,
is_tgs ? &r->pac_attributes : NULL);
@@ -1479,7 +1478,6 @@ tgs_build_reply(astgs_request_t priv,
const EncryptionKey *ekey;
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_pac mspac = NULL;
krb5_pac user2user_pac = NULL;
uint16_t rodc_id;
krb5_boolean add_ticket_sig = FALSE;
@@ -1992,7 +1990,7 @@ server_lookup:
ret = _kdc_check_pac(context, config, cp, NULL, client, server, krbtgt, krbtgt,
&priv->ticket_key->key, &priv->ticket_key->key, tgt,
&kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
&kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
_kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
@@ -2146,15 +2144,15 @@ server_lookup:
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
krb5_pac_free(context, mspac);
mspac = NULL;
krb5_pac_free(context, priv->pac);
priv->pac = NULL;
ret = _kdc_pac_generate(context,
s4u2self_impersonated_client,
server,
NULL,
KRB5_PAC_WAS_GIVEN_IMPLICITLY,
&mspac);
&priv->pac);
if (ret) {
kdc_log(context, config, 4, "PAC generation failed for -- %s", tpn);
goto out;
@@ -2214,7 +2212,7 @@ server_lookup:
/*
* We require that the service's krbtgt has a PAC.
*/
if (mspac == NULL) {
if (priv->pac == NULL) {
ret = KRB5KDC_ERR_BADOPTION;
_kdc_audit_addreason((kdc_request_t)priv, "Missing PAC");
kdc_log(context, config, 4,
@@ -2223,8 +2221,8 @@ server_lookup:
goto out;
}
krb5_pac_free(context, mspac);
mspac = NULL;
krb5_pac_free(context, priv->pac);
priv->pac = NULL;
krb5_free_principal(context, priv->client_princ);
priv->client_princ = NULL;
@@ -2324,7 +2322,7 @@ server_lookup:
*/
ret = _kdc_check_pac(context, config, tp, dp, adclient, server, krbtgt, client,
&clientkey->key, &priv->ticket_key->key, &adtkt,
&ad_kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
&ad_kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
if (adclient)
_kdc_free_ent(context, adclient);
if (ret) {
@@ -2339,12 +2337,12 @@ server_lookup:
goto out;
}
if (mspac == NULL || !ad_kdc_issued) {
if (priv->pac == NULL || !ad_kdc_issued) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 4,
"Ticket not signed with PAC; service %s failed for "
"for delegation to %s for client %s (%s) from %s; (%s).",
spn, tpn, dpn, cpn, from, mspac ? "Ticket unsigned" : "No PAC");
spn, tpn, dpn, cpn, from, priv->pac ? "Ticket unsigned" : "No PAC");
_kdc_audit_addreason((kdc_request_t)priv,
"Constrained delegation ticket not signed");
goto out;
@@ -2472,7 +2470,6 @@ server_lookup:
client,
cp,
tgt_realm,
mspac,
rodc_id,
add_ticket_sig,
&enc_pa_data);
@@ -2509,7 +2506,6 @@ out:
free_EncTicketPart(&adtkt);
krb5_pac_free(context, mspac);
krb5_pac_free(context, user2user_pac);
return ret;
@@ -2647,6 +2643,7 @@ out:
_kdc_free_ent(r->context, krbtgt);
_kdc_free_fast_state(&r->fast);
krb5_pac_free(r->context, r->pac);
if (auth_data) {
free_AuthorizationData(auth_data);