kdc: move PAC into astgs_request_t structure

2021-12-23 19:23:22 +11:00
parent d95be72681
commit 2e8b172f38
3 changed files with 31 additions and 35 deletions
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -1017,7 +1017,7 @@ pa_gss_display_name(gss_name_t name,
 struct pa_gss_finalize_pac_plugin_ctx {
    astgs_request_t r;
-    krb5_pac mspac;
+    krb5_pac pac;
    krb5_data *pac_data;
 };
@@ -1031,7 +1031,7 @@ pa_gss_finalize_pac_cb(krb5_context context,
    struct pa_gss_finalize_pac_plugin_ctx *pa_gss_finalize_pac_ctx = userctx;
    return authorizer->finalize_pac(plugctx, context,
-				    pa_gss_finalize_pac_ctx->mspac,
+				    pa_gss_finalize_pac_ctx->pac,
 				    pa_gss_finalize_pac_ctx->pac_data);
 }
@@ -1039,12 +1039,12 @@ pa_gss_finalize_pac_cb(krb5_context context,
 krb5_error_code
 _kdc_gss_finalize_pac(astgs_request_t r,
 		      gss_client_params *gcp,
-		      krb5_pac mspac)
+		      krb5_pac pac)
 {
    krb5_error_code ret;
    struct pa_gss_finalize_pac_plugin_ctx ctx;
-    ctx.mspac = mspac;
+    ctx.pac = pac;
    ctx.pac_data = &gcp->pac_data;
    krb5_clear_error_message(r->context);
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -605,13 +605,13 @@ out:
 }
 static krb5_error_code
-pa_gss_finalize_pac(astgs_request_t r, krb5_pac mspac)
+pa_gss_finalize_pac(astgs_request_t r)
 {
    gss_client_params *gcp = (gss_client_params *)r->pa_state;
    heim_assert(gcp != NULL, "invalid GSS-API client params");
-    return _kdc_gss_finalize_pac(r, gcp, mspac);
+    return _kdc_gss_finalize_pac(r, gcp, r->pac);
 }
 static void
@@ -985,7 +985,7 @@ struct kdc_patypes {
    krb5_error_code (*validate)(astgs_request_t,
 				const PA_DATA *pa,
 				struct kdc_pa_auth_status *auth_status);
-    krb5_error_code (*finalize_pac)(astgs_request_t r, krb5_pac mspac);
+    krb5_error_code (*finalize_pac)(astgs_request_t r);
    void (*cleanup)(astgs_request_t r);
 };
@@ -1860,7 +1860,6 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 	     krb5_boolean is_tgs)
 {
    krb5_error_code ret;
    krb5_pac p = NULL;
    krb5_data data;
    uint16_t rodc_id;
    krb5_principal client;
@@ -1886,13 +1885,13 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 			    r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
 				? &r->reply_key : NULL,
 			    r->pac_attributes,
-			    &p);
+			    &r->pac);
    if (ret) {
 	_kdc_r_log(r, 4, "PAC generation failed for -- %s",
 		   r->cname);
 	return ret;
    }
-    if (p == NULL)
+    if (r->pac == NULL)
 	return 0;
    rodc_id = r->server->entry.kvno >> 16;
@@ -1900,10 +1899,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
    /* libkrb5 expects ticket and PAC client names to match */
    ret = _krb5_principalname2krb5_principal(r->context, &client,
 					     r->et.cname, r->et.crealm);
-    if (ret) {
+    if (ret)
 	krb5_pac_free(r->context, p);
 	return ret;
    }
    /*
     * Include the canonical name of the principal in the authorization
@@ -1923,14 +1920,14 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
    }
    if (r->pa_used && r->pa_used->finalize_pac) {
-	ret = r->pa_used->finalize_pac(r, p);
+	ret = r->pa_used->finalize_pac(r);
-	if (ret) {
+	if (ret)
 	    krb5_pac_free(r->context, p);
 	    return ret;
    }
    }
-    ret = _krb5_pac_sign(r->context, p, r->et.authtime,
+    ret = _krb5_pac_sign(r->context,
 			 r->pac,
 			 r->et.authtime,
 			 client,
 			 &skey->key, /* Server key */
 			 &tkey->key, /* TGS key */
@@ -1940,7 +1937,8 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
 			 is_tgs ? &r->pac_attributes : NULL,
 			 &data);
    krb5_free_principal(r->context, client);
-    krb5_pac_free(r->context, p);
+    krb5_pac_free(r->context, r->pac);
    r->pac = NULL;
    if (ret) {
 	_kdc_r_log(r, 4, "PAC signing failed for -- %s",
 		   r->cname);
@@ -2819,6 +2817,7 @@ out:
    krb5_free_keyblock_contents(r->context, &r->reply_key);
    krb5_free_keyblock_contents(r->context, &r->session_key);
    krb5_free_keyblock_contents(r->context, &r->strengthen_key);
    krb5_pac_free(r->context, r->pac);
    return ret;
 }
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -599,7 +599,6 @@ tgs_make_reply(astgs_request_t r,
 	       hdb_entry_ex *client,
 	       krb5_principal client_principal,
 	       const char *tgt_realm,
 	       krb5_pac mspac,
 	       uint16_t rodc_id,
 	       krb5_boolean add_ticket_sig,
 	       const METHOD_DATA *enc_pa_data)
@@ -824,7 +823,7 @@ tgs_make_reply(astgs_request_t r,
     * restrictive authorization data. Policy for unknown authorization types
     * is implementation dependent.
     */
-    if (mspac && !et.flags.anonymous) {
+    if (r->pac && !et.flags.anonymous) {
 	_kdc_audit_addkv((kdc_request_t)r, 0, "pac_attributes", "%lx",
 			 (long)r->pac_attributes);
@@ -837,7 +836,7 @@ tgs_make_reply(astgs_request_t r,
 	    krb5_boolean is_tgs =
 		krb5_principal_is_krbtgt(r->context, server->entry.principal);
-	    ret = _krb5_kdc_pac_sign_ticket(r->context, mspac, tgt_name, serverkey,
+	    ret = _krb5_kdc_pac_sign_ticket(r->context, r->pac, tgt_name, serverkey,
 					    krbtgtkey, rodc_id, NULL, r->client_princ,
 					    add_ticket_sig, &et,
 					    is_tgs ? &r->pac_attributes : NULL);
@@ -1479,7 +1478,6 @@ tgs_build_reply(astgs_request_t priv,
    const EncryptionKey *ekey;
    krb5_keyblock sessionkey;
    krb5_kvno kvno;
    krb5_pac mspac = NULL;
    krb5_pac user2user_pac = NULL;
    uint16_t rodc_id;
    krb5_boolean add_ticket_sig = FALSE;
@@ -1992,7 +1990,7 @@ server_lookup:
    ret = _kdc_check_pac(context, config, cp, NULL, client, server, krbtgt, krbtgt,
 			 &priv->ticket_key->key, &priv->ticket_key->key, tgt,
-			 &kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
+			 &kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
    if (ret) {
 	const char *msg = krb5_get_error_message(context, ret);
        _kdc_audit_addreason((kdc_request_t)priv, "PAC check failed");
@@ -2146,15 +2144,15 @@ server_lookup:
 		goto out; /* kdc_check_flags() calls _kdc_audit_addreason() */
 	    /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
-	    krb5_pac_free(context, mspac);
+	    krb5_pac_free(context, priv->pac);
-	    mspac = NULL;
+	    priv->pac = NULL;
 	    ret = _kdc_pac_generate(context,
 				    s4u2self_impersonated_client,
 				    server,
 				    NULL,
 				    KRB5_PAC_WAS_GIVEN_IMPLICITLY,
-				    &mspac);
+				    &priv->pac);
 	    if (ret) {
 		kdc_log(context, config, 4, "PAC generation failed for -- %s", tpn);
 		goto out;
@@ -2214,7 +2212,7 @@ server_lookup:
 	/*
 	 * We require that the service's krbtgt has a PAC.
 	 */
-	if (mspac == NULL) {
+	if (priv->pac == NULL) {
 	    ret = KRB5KDC_ERR_BADOPTION;
 	    _kdc_audit_addreason((kdc_request_t)priv, "Missing PAC");
 	    kdc_log(context, config, 4,
@@ -2223,8 +2221,8 @@ server_lookup:
 	    goto out;
 	}
-	krb5_pac_free(context, mspac);
+	krb5_pac_free(context, priv->pac);
-	mspac = NULL;
+	priv->pac = NULL;
 	krb5_free_principal(context, priv->client_princ);
 	priv->client_princ = NULL;
@@ -2324,7 +2322,7 @@ server_lookup:
 	 */
 	ret = _kdc_check_pac(context, config, tp, dp, adclient, server, krbtgt, client,
 			     &clientkey->key, &priv->ticket_key->key, &adtkt,
-			     &ad_kdc_issued, &mspac, &priv->client_princ, &priv->pac_attributes);
+			     &ad_kdc_issued, &priv->pac, &priv->client_princ, &priv->pac_attributes);
 	if (adclient)
 	    _kdc_free_ent(context, adclient);
 	if (ret) {
@@ -2339,12 +2337,12 @@ server_lookup:
 	    goto out;
 	}
-	if (mspac == NULL || !ad_kdc_issued) {
+	if (priv->pac == NULL || !ad_kdc_issued) {
 	    ret = KRB5KDC_ERR_BADOPTION;
 	    kdc_log(context, config, 4,
 		    "Ticket not signed with PAC; service %s failed for "
 		    "for delegation to %s for client %s (%s) from %s; (%s).",
-		    spn, tpn, dpn, cpn, from, mspac ? "Ticket unsigned" : "No PAC");
+		    spn, tpn, dpn, cpn, from, priv->pac ? "Ticket unsigned" : "No PAC");
            _kdc_audit_addreason((kdc_request_t)priv,
                                 "Constrained delegation ticket not signed");
 	    goto out;
@@ -2472,7 +2470,6 @@ server_lookup:
 			 client,
 			 cp,
                         tgt_realm,
 			 mspac,
 			 rodc_id,
 			 add_ticket_sig,
 			 &enc_pa_data);
@@ -2509,7 +2506,6 @@ out:
    free_EncTicketPart(&adtkt);
    krb5_pac_free(context, mspac);
    krb5_pac_free(context, user2user_pac);
    return ret;
@@ -2647,6 +2643,7 @@ out:
 	_kdc_free_ent(r->context, krbtgt);
    _kdc_free_fast_state(&r->fast);
    krb5_pac_free(r->context, r->pac);
    if (auth_data) {
 	free_AuthorizationData(auth_data);