kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when the ticket is ready. Create sign and verify the PAC KDC signature if the plugin did not, allowing for S4U2Proxy to work, instead of KRB5SignedPath. Use the header key to verify PAC server signature, as the same key used to encrypt/decrypt the ticket should be used for PAC server signature, like U2U tickets are signed witht the tgt session-key and not with the longterm key, and so krbtgt should be no different and the header key should be used. Lookup the delegated client in DB instead of passing the delegator DB entry. Add PAC ticket-signatures and related functions. Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests against new KDC will not work if the evidence ticket was acquired from an old KDC, and vide versa. Closes: #767
This commit is contained in:
Isaac Boukris
committed by
Luke Howard
Luke Howard
parent
bb1d8f2a8c
commit
2ffaba9401
45
kdc/windc.c
45
kdc/windc.c
@@ -91,17 +91,32 @@ _kdc_pac_generate(krb5_context context,
|
||||
hdb_entry_ex *client,
|
||||
krb5_pac *pac)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
struct generate_uc uc;
|
||||
|
||||
if (!have_plugin)
|
||||
*pac = NULL;
|
||||
|
||||
if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
|
||||
client->entry.principal->realm,
|
||||
"disable_pac", NULL))
|
||||
return 0;
|
||||
|
||||
uc.client = client;
|
||||
uc.pac = pac;
|
||||
if (have_plugin) {
|
||||
|
||||
(void)_krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
0, &uc, generate);
|
||||
return 0;
|
||||
uc.client = client;
|
||||
uc.pac = pac;
|
||||
|
||||
ret = _krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
0, &uc, generate);
|
||||
if (ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
return ret;
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
if (*pac == NULL)
|
||||
ret = krb5_pac_init(context, pac);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
struct verify_uc {
|
||||
@@ -111,26 +126,23 @@ struct verify_uc {
|
||||
hdb_entry_ex *server;
|
||||
hdb_entry_ex *krbtgt;
|
||||
krb5_pac *pac;
|
||||
int *verified;
|
||||
};
|
||||
|
||||
static krb5_error_code KRB5_LIB_CALL
|
||||
verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
|
||||
{
|
||||
krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
|
||||
struct verify_uc *uc = (struct verify_uc *)userctx;
|
||||
struct verify_uc *uc = (struct verify_uc *)userctx;
|
||||
krb5_error_code ret;
|
||||
|
||||
if (ft->pac_verify == NULL)
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
ret = ft->pac_verify((void *)plug, context,
|
||||
uc->client_principal,
|
||||
uc->delegated_proxy_principal,
|
||||
uc->client, uc->server, uc->krbtgt, uc->pac);
|
||||
if (ret == 0)
|
||||
(*uc->verified) = 1;
|
||||
|
||||
return 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
@@ -140,13 +152,12 @@ _kdc_pac_verify(krb5_context context,
|
||||
hdb_entry_ex *client,
|
||||
hdb_entry_ex *server,
|
||||
hdb_entry_ex *krbtgt,
|
||||
krb5_pac *pac,
|
||||
int *verified)
|
||||
krb5_pac *pac)
|
||||
{
|
||||
struct verify_uc uc;
|
||||
|
||||
if (!have_plugin)
|
||||
return 0;
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
uc.client_principal = client_principal;
|
||||
uc.delegated_proxy_principal = delegated_proxy_principal;
|
||||
@@ -154,11 +165,9 @@ _kdc_pac_verify(krb5_context context,
|
||||
uc.server = server;
|
||||
uc.krbtgt = krbtgt;
|
||||
uc.pac = pac;
|
||||
uc.verified = verified;
|
||||
|
||||
(void)_krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
return _krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
0, &uc, verify);
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct check_uc {
|
||||
|
||||
Reference in New Issue
Block a user