kdc: move PAC into astgs_request_t structure

committed by
Nico Williams

parent
d95be72681
commit
2e8b172f38
@@ -1017,7 +1017,7 @@ pa_gss_display_name(gss_name_t name,
|
||||
|
||||
struct pa_gss_finalize_pac_plugin_ctx {
|
||||
astgs_request_t r;
|
||||
krb5_pac mspac;
|
||||
krb5_pac pac;
|
||||
krb5_data *pac_data;
|
||||
};
|
||||
|
||||
@@ -1031,7 +1031,7 @@ pa_gss_finalize_pac_cb(krb5_context context,
|
||||
struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
|
||||
|
||||
return authorizer->finalize_pac(plugctx, context,
|
||||
pa_gss_finalize_pac_ctx->mspac,
|
||||
pa_gss_finalize_pac_ctx->pac,
|
||||
pa_gss_finalize_pac_ctx->pac_data);
|
||||
}
|
||||
|
||||
@@ -1039,12 +1039,12 @@ pa_gss_finalize_pac_cb(krb5_context context,
|
||||
krb5_error_code
|
||||
_kdc_gss_finalize_pac(astgs_request_t r,
|
||||
gss_client_params *gcp,
|
||||
krb5_pac mspac)
|
||||
krb5_pac pac)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct pa_gss_finalize_pac_plugin_ctx ctx;
|
||||
|
||||
ctx.mspac = mspac;
|
||||
ctx.pac = pac;
|
||||
ctx.pac_data = &gcp->pac_data;
|
||||
|
||||
krb5_clear_error_message(r->context);
|
||||
|
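Review bot: The `krb5_pac pac` parameter of `_kdc_gss_finalize_pac` has become redundant now that the request carries the PAC: the only caller on this page passes `r->pac`, and `r` is already the first argument. If no other callers exist, dropping the parameter and reading `ctx.pac = r->pac;` inside the function removes the possibility of the two disagreeing; if it is kept, a one-line comment such as `/* pac is normally r->pac; passed explicitly so plugins can finalize a different PAC */` should say why. The function body continues past the hunk.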
@@ -605,13 +605,13 @@ out:
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
pa_gss_finalize_pac(astgs_request_t r, krb5_pac mspac)
|
||||
pa_gss_finalize_pac(astgs_request_t r)
|
||||
{
|
||||
gss_client_params *gcp = (gss_client_params *)r->pa_state;
|
||||
|
||||
heim_assert(gcp != NULL, "invalid GSS-API client params");
|
||||
|
||||
return _kdc_gss_finalize_pac(r, gcp, mspac);
|
||||
return _kdc_gss_finalize_pac(r, gcp, r->pac);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -985,7 +985,7 @@ struct kdc_patypes {
|
||||
krb5_error_code (*validate)(astgs_request_t,
|
||||
const PA_DATA *pa,
|
||||
struct kdc_pa_auth_status *auth_status);
|
||||
krb5_error_code (*finalize_pac)(astgs_request_t r, krb5_pac mspac);
|
||||
krb5_error_code (*finalize_pac)(astgs_request_t r);
|
||||
void (*cleanup)(astgs_request_t r);
|
||||
};
|
||||
|
||||
@@ -1860,7 +1860,6 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
||||
krb5_boolean is_tgs)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_pac p = NULL;
|
||||
krb5_data data;
|
||||
uint16_t rodc_id;
|
||||
krb5_principal client;
|
||||
@@ -1886,13 +1885,13 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
||||
r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
|
||||
? &r->reply_key : NULL,
|
||||
r->pac_attributes,
|
||||
&p);
|
||||
&r->pac);
|
||||
if (ret) {
|
||||
_kdc_r_log(r, 4, "PAC generation failed for -- %s",
|
||||
r->cname);
|
||||
return ret;
|
||||
}
|
||||
if (p == NULL)
|
||||
if (r->pac == NULL)
|
||||
return 0;
|
||||
|
||||
rodc_id = r->server->entry.kvno >> 16;
|
||||
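Review bot: `_kdc_pac_generate(..., &r->pac)` now writes directly into the request structure, but nothing in this hunk shows that r->pac is NULL on entry to generate_pac; if this point can be reached with a PAC already attached to the request, the previous pointer is overwritten without being freed. The TGS side of this same commit frees `priv->pac` before each regeneration, so the invariant is being relied on. If generate_pac is only ever called once per request, a `heim_assert(r->pac == NULL, "PAC already generated");` before the call both documents and enforces that; the same consideration applies to the first `_kdc_check_pac(..., &priv->pac, ...)` call in tgs_build_reply. generate_pac's body continues outside the hunk.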
@@ -1900,10 +1899,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
||||
/* libkrb5 expects ticket and PAC client names to match */
|
||||
ret = _krb5_principalname2krb5_principal(r->context, &client,
|
||||
r->et.cname, r->et.crealm);
|
||||
if (ret) {
|
||||
krb5_pac_free(r->context, p);
|
||||
if (ret)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Include the canonical name of the principal in the authorization
|
||||
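Review bot: The new `if (ret) return ret;` drops the `krb5_pac_free(r->context, p)` of the old error path, so a generated-but-unsigned PAC stays attached to r->pac when `_krb5_principalname2krb5_principal` fails; the same happens in the next hunk when `r->pa_used->finalize_pac(r)` fails. The `out:` label this commit adds to the caller does free r->pac, so this is not a leak, but between the failed return and that cleanup any later code on the same request that tests `r->pac` would see a PAC that was never signed or finalized. Freeing and clearing it at the point of failure preserves the old invariant that the request only ever holds a PAC that passed finalization: `if (ret) { krb5_pac_free(r->context, r->pac); r->pac = NULL; return ret; }`. generate_pac starts and ends outside this hunk.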
@@ -1923,14 +1920,14 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
||||
}
|
||||
|
||||
if (r->pa_used && r->pa_used->finalize_pac) {
|
||||
ret = r->pa_used->finalize_pac(r, p);
|
||||
if (ret) {
|
||||
krb5_pac_free(r->context, p);
|
||||
ret = r->pa_used->finalize_pac(r);
|
||||
if (ret)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
ret = _krb5_pac_sign(r->context, p, r->et.authtime,
|
||||
ret = _krb5_pac_sign(r->context,
|
||||
r->pac,
|
||||
r->et.authtime,
|
||||
client,
|
||||
&skey->key, /* Server key */
|
||||
&tkey->key, /* TGS key */
|
||||
@@ -1940,7 +1937,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
|
||||
is_tgs ? &r->pac_attributes : NULL,
|
||||
&data);
|
||||
krb5_free_principal(r->context, client);
|
||||
krb5_pac_free(r->context, p);
|
||||
krb5_pac_free(r->context, r->pac);
|
||||
r->pac = NULL;
|
||||
if (ret) {
|
||||
_kdc_r_log(r, 4, "PAC signing failed for -- %s",
|
||||
r->cname);
|
||||
@@ -2819,6 +2817,7 @@ out:
|
||||
krb5_free_keyblock_contents(r->context, &r->reply_key);
|
||||
krb5_free_keyblock_contents(r->context, &r->session_key);
|
||||
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
|
||||
krb5_pac_free(r->context, r->pac);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
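Review bot: `krb5_pac_free(r->context, r->pac);` at the `out:` label leaves r->pac dangling after the free; every other free site this commit adds (`priv->pac = NULL;` in tgs_build_reply, `r->pac = NULL;` after signing in generate_pac) clears the pointer, and this one should too, so that any request teardown not visible here cannot double-free it: `krb5_pac_free(r->context, r->pac); r->pac = NULL;`. The same applies to the free added at the TGS `out:` label in the last hunk of this page. The enclosing function starts outside the hunk.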
@@ -599,7 +599,6 @@ tgs_make_reply(astgs_request_t r,
|
||||
hdb_entry_ex *client,
|
||||
krb5_principal client_principal,
|
||||
const char *tgt_realm,
|
||||
krb5_pac mspac,
|
||||
uint16_t rodc_id,
|
||||
krb5_boolean add_ticket_sig,
|
||||
const METHOD_DATA *enc_pa_data)
|
||||
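Review bot: tgs_make_reply's PAC input has become implicit request state, and nothing in the signature or nearby says that the caller must have populated r->pac (or left it NULL for a ticket without a PAC) before this call, or that the function does not free it. A short comment above the definition, e.g. `/* Signs r->pac into the ticket when non-NULL; r->pac is set up by tgs_build_reply and remains owned by the request. */`, makes the contract readable without tracing the caller. The function body continues past the hunk.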
@@ -824,7 +823,7 @@ tgs_make_reply(astgs_request_t r,
|
||||
* restrictive authorization data. Policy for unknown authorization types
|
||||
* is implementation dependent.
|
||||
*/
|
||||
if (mspac && !et.flags.anonymous) {
|
||||
if (r->pac && !et.flags.anonymous) {
|
||||
_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
|
||||
(long)r->pac_attributes);
|
||||
|
||||
@@ -837,7 +836,7 @@ tgs_make_reply(astgs_request_t r,
|
||||
krb5_boolean is_tgs =
|
||||
krb5_principal_is_krbtgt(r->context, server->entry.principal);
|
||||
|
||||
ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
|
||||
ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, tgt_name, serverkey,
|
||||
krbtgtkey, rodc_id, NULL, r->client_princ,
|
||||
add_ticket_sig, &et,
|
||||
is_tgs ? &r->pac_attributes : NULL);
|
||||
@@ -1479,7 +1478,6 @@ tgs_build_reply(astgs_request_t priv,
|
||||
const EncryptionKey *ekey;
|
||||
krb5_keyblock sessionkey;
|
||||
krb5_kvno kvno;
|
||||
krb5_pac mspac = NULL;
|
||||
krb5_pac user2user_pac = NULL;
|
||||
uint16_t rodc_id;
|
||||
krb5_boolean add_ticket_sig = FALSE;
|
||||
@@ -1992,7 +1990,7 @@ server_lookup:
|
||||
|
||||
ret = _kdc_check_pac(context, config, cp, NULL, client, server, krbtgt, krbtgt,
|
||||
&priv->ticket_key->key, &priv->ticket_key->key, tgt,
|
||||
&kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
|
||||
&kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
|
||||
if (ret) {
|
||||
const char *msg = krb5_get_error_message(context, ret);
|
||||
_kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
|
||||
@@ -2146,15 +2144,15 @@ server_lookup:
|
||||
goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
|
||||
|
||||
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
|
||||
krb5_pac_free(context, mspac);
|
||||
mspac = NULL;
|
||||
krb5_pac_free(context, priv->pac);
|
||||
priv->pac = NULL;
|
||||
|
||||
ret = _kdc_pac_generate(context,
|
||||
s4u2self_impersonated_client,
|
||||
server,
|
||||
NULL,
|
||||
KRB5_PAC_WAS_GIVEN_IMPLICITLY,
|
||||
&mspac);
|
||||
&priv->pac);
|
||||
if (ret) {
|
||||
kdc_log(context, config, 4, "PAC generation failed for -- %s", tpn);
|
||||
goto out;
|
||||
@@ -2214,7 +2212,7 @@ server_lookup:
|
||||
/*
|
||||
* We require that the service's krbtgt has a PAC.
|
||||
*/
|
||||
if (mspac == NULL) {
|
||||
if (priv->pac == NULL) {
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
_kdc_audit_addreason((kdc_request_t)priv, "Missing PAC");
|
||||
kdc_log(context, config, 4,
|
||||
@@ -2223,8 +2221,8 @@ server_lookup:
|
||||
goto out;
|
||||
}
|
||||
|
||||
krb5_pac_free(context, mspac);
|
||||
mspac = NULL;
|
||||
krb5_pac_free(context, priv->pac);
|
||||
priv->pac = NULL;
|
||||
|
||||
krb5_free_principal(context, priv->client_princ);
|
||||
priv->client_princ = NULL;
|
||||
@@ -2324,7 +2322,7 @@ server_lookup:
|
||||
*/
|
||||
ret = _kdc_check_pac(context, config, tp, dp, adclient, server, krbtgt, client,
|
||||
&clientkey->key, &priv->ticket_key->key, &adtkt,
|
||||
&ad_kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
|
||||
&ad_kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
|
||||
if (adclient)
|
||||
_kdc_free_ent(context, adclient);
|
||||
if (ret) {
|
||||
@@ -2339,12 +2337,12 @@ server_lookup:
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (mspac == NULL || !ad_kdc_issued) {
|
||||
if (priv->pac == NULL || !ad_kdc_issued) {
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
kdc_log(context, config, 4,
|
||||
"Ticket not signed with PAC; service %s failed for "
|
||||
"for delegation to %s for client %s (%s) from %s; (%s).",
|
||||
spn, tpn, dpn, cpn, from, mspac ? "Ticket unsigned" : "No PAC");
|
||||
spn, tpn, dpn, cpn, from, priv->pac ? "Ticket unsigned" : "No PAC");
|
||||
_kdc_audit_addreason((kdc_request_t)priv,
|
||||
"Constrained delegation ticket not signed");
|
||||
goto out;
|
||||
@@ -2472,7 +2470,6 @@ server_lookup:
|
||||
client,
|
||||
cp,
|
||||
tgt_realm,
|
||||
mspac,
|
||||
rodc_id,
|
||||
add_ticket_sig,
|
||||
&enc_pa_data);
|
||||
@@ -2509,7 +2506,6 @@ out:
|
||||
|
||||
free_EncTicketPart(&adtkt);
|
||||
|
||||
krb5_pac_free(context, mspac);
|
||||
krb5_pac_free(context, user2user_pac);
|
||||
|
||||
return ret;
|
||||
@@ -2647,6 +2643,7 @@ out:
|
||||
_kdc_free_ent(r->context, krbtgt);
|
||||
|
||||
_kdc_free_fast_state(&r->fast);
|
||||
krb5_pac_free(r->context, r->pac);
|
||||
|
||||
if (auth_data) {
|
||||
free_AuthorizationData(auth_data);
|
||||
|