heimdal: remove checking of KDC PAC signature, delegate to wdc plugin
The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett
This commit is contained in:
Andrew Bartlett
committed by
Nicolas Williams
Nicolas Williams
parent
5c8e3c6108
commit
324ac13b32
@@ -285,7 +285,6 @@ check_PAC(krb5_context context,
|
|||||||
hdb_entry_ex *server,
|
hdb_entry_ex *server,
|
||||||
hdb_entry_ex *krbtgt,
|
hdb_entry_ex *krbtgt,
|
||||||
const EncryptionKey *server_check_key,
|
const EncryptionKey *server_check_key,
|
||||||
const EncryptionKey *krbtgt_check_key,
|
|
||||||
const EncryptionKey *server_sign_key,
|
const EncryptionKey *server_sign_key,
|
||||||
const EncryptionKey *krbtgt_sign_key,
|
const EncryptionKey *krbtgt_sign_key,
|
||||||
EncTicketPart *tkt,
|
EncTicketPart *tkt,
|
||||||
@@ -331,7 +330,7 @@ check_PAC(krb5_context context,
|
|||||||
|
|
||||||
ret = krb5_pac_verify(context, pac, tkt->authtime,
|
ret = krb5_pac_verify(context, pac, tkt->authtime,
|
||||||
client_principal,
|
client_principal,
|
||||||
server_check_key, krbtgt_check_key);
|
server_check_key, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
krb5_pac_free(context, pac);
|
krb5_pac_free(context, pac);
|
||||||
return ret;
|
return ret;
|
||||||
@@ -1554,7 +1553,6 @@ tgs_build_reply(krb5_context context,
|
|||||||
|
|
||||||
Key *tkey_check;
|
Key *tkey_check;
|
||||||
Key *tkey_sign;
|
Key *tkey_sign;
|
||||||
Key *tkey_krbtgt_check = NULL;
|
|
||||||
int flags = HDB_F_FOR_TGS_REQ;
|
int flags = HDB_F_FOR_TGS_REQ;
|
||||||
|
|
||||||
memset(&sessionkey, 0, sizeof(sessionkey));
|
memset(&sessionkey, 0, sizeof(sessionkey));
|
||||||
@@ -1870,16 +1868,6 @@ server_lookup:
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Check if we would know the krbtgt key for the PAC. We would
|
|
||||||
* only know this if the krbtgt principal was the same (ie, in our
|
|
||||||
* realm, regardless of KVNO)
|
|
||||||
*/
|
|
||||||
|
|
||||||
if (krb5_principal_compare(context, krbtgt_out->entry.principal, krbtgt->entry.principal))
|
|
||||||
tkey_krbtgt_check = tkey_check;
|
|
||||||
|
|
||||||
|
|
||||||
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
|
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
|
||||||
NULL, &clientdb, &client);
|
NULL, &clientdb, &client);
|
||||||
if(ret == HDB_ERR_NOT_FOUND_HERE) {
|
if(ret == HDB_ERR_NOT_FOUND_HERE) {
|
||||||
@@ -1913,7 +1901,6 @@ server_lookup:
|
|||||||
ret = check_PAC(context, config, cp, NULL,
|
ret = check_PAC(context, config, cp, NULL,
|
||||||
client, server, krbtgt,
|
client, server, krbtgt,
|
||||||
&tkey_check->key,
|
&tkey_check->key,
|
||||||
tkey_krbtgt_check ? &tkey_krbtgt_check->key : NULL,
|
|
||||||
ekey, &tkey_sign->key,
|
ekey, &tkey_sign->key,
|
||||||
tgt, &rspac, &signedpath);
|
tgt, &rspac, &signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
@@ -2185,7 +2172,7 @@ server_lookup:
|
|||||||
*/
|
*/
|
||||||
ret = check_PAC(context, config, tp, dp,
|
ret = check_PAC(context, config, tp, dp,
|
||||||
client, server, krbtgt,
|
client, server, krbtgt,
|
||||||
&clientkey->key, &tkey_check->key,
|
&clientkey->key,
|
||||||
ekey, &tkey_sign->key,
|
ekey, &tkey_sign->key,
|
||||||
&adtkt, &rspac, &ad_signedpath);
|
&adtkt, &rspac, &ad_signedpath);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
|||||||
Reference in New Issue
Block a user