oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: provide kdc_request_get_explicit_armor_{clientdb,client,pac}()

Browse Source 
_kdc_fast_check_armor_pac() already checks the PAC of the armor,
but it should also remember it if it's an TGS-REQ with explicit armor.

This will allow the kdc pac hooks to generate a compound identity PAC
with PAC_TYPE_DEVICE_INFO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Closes: #967
This commit is contained in:
Stefan Metzmacher
2022-02-24 18:17:57 +01:00
committed by Luke Howard
parent 11d8a053f5
commit 8495f63bc3
6 changed files with 51 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
kdc/fast.c
View File

@@ -465,7 +465,6 @@ fast_unwrap_request(astgs_request_t r,
krb5_flags ap_req_options; krb5_flags ap_req_options;
krb5_keyblock armorkey; krb5_keyblock armorkey;
krb5_keyblock explicit_armorkey; krb5_keyblock explicit_armorkey;
krb5_boolean explicit_armor;
krb5_error_code ret; krb5_error_code ret;
krb5_ap_req ap_req; krb5_ap_req ap_req;
KrbFastReq fastreq; KrbFastReq fastreq;
@@ -519,7 +518,7 @@ fast_unwrap_request(astgs_request_t r,
goto out; goto out;
} }
explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL; r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
/* /*
* *
@@ -626,11 +625,11 @@ fast_unwrap_request(astgs_request_t r,
ac->remote_subkey, ac->remote_subkey,
&ticket->ticket.key, &ticket->ticket.key,
&armorkey, &armorkey,
explicit_armor ? NULL : &r->armor_crypto); r->explicit_armor_present ? NULL : &r->armor_crypto);
if (ret) if (ret)
goto out; goto out;
if (explicit_armor) { if (r->explicit_armor_present) {
ret = _krb5_fast_explicit_armor_key(r->context, ret = _krb5_fast_explicit_armor_key(r->context,
&armorkey, &armorkey,
tgs_ac->remote_subkey, tgs_ac->remote_subkey,
@@ -888,6 +887,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
goto out; goto out;
} }
if (r->explicit_armor_present) {
r->explicit_armor_clientdb = armor_db;
armor_db = NULL;
r->explicit_armor_client = armor_client;
armor_client = NULL;
r->explicit_armor_pac = mspac;
mspac = NULL;
}
out: out:
krb5_xfree(armor_client_principal_name); krb5_xfree(armor_client_principal_name);
if (armor_client) if (armor_client)

20
kdc/kdc-accessors.h
View File

@@ -346,4 +346,24 @@ ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes)
ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes) ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes)
/*
* const HDB *
* kdc_request_get_explicit_armor_clientdb(astgs_request_t);
*/
ASTGS_REQUEST_GET_ACCESSOR_PTR(HDB *, explicit_armor_clientdb)
/*
* const hdb_entry *
* kdc_request_get_explicit_armor_client(astgs_request_t);
*/
ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, explicit_armor_client);
/*
* krb5_const_pac
* kdc_request_get_explicit_armor_pac(astgs_request_t);
*/
ASTGS_REQUEST_GET_ACCESSOR_PTR(struct krb5_pac_data *, explicit_armor_pac);
#endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */ #endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */

5
kdc/kdc_locl.h
View File

@@ -182,6 +182,7 @@ struct astgs_request_desc {
/* only valid for tgs-req */ /* only valid for tgs-req */
unsigned int rk_is_subkey : 1; unsigned int rk_is_subkey : 1;
unsigned int fast_asserted : 1; unsigned int fast_asserted : 1;
unsigned int explicit_armor_present : 1;
krb5_crypto armor_crypto; krb5_crypto armor_crypto;
hdb_entry *armor_server; hdb_entry *armor_server;
@@ -189,6 +190,10 @@ struct astgs_request_desc {
krb5_ticket *armor_ticket; krb5_ticket *armor_ticket;
Key *armor_key; Key *armor_key;
hdb_entry *explicit_armor_client;
HDB *explicit_armor_clientdb;
krb5_pac explicit_armor_pac;
KDCFastState fast; KDCFastState fast;
}; };

6
kdc/krb5tgs.c
View File

@@ -2204,6 +2204,12 @@ out:
krb5_free_ticket(r->context, r->armor_ticket); krb5_free_ticket(r->context, r->armor_ticket);
if (r->armor_server) if (r->armor_server)
_kdc_free_ent(r->context, r->armor_serverdb, r->armor_server); _kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
if (r->explicit_armor_client)
_kdc_free_ent(r->context,
r->explicit_armor_clientdb,
r->explicit_armor_client);
if (r->explicit_armor_pac)
krb5_pac_free(r->context, r->explicit_armor_pac);
krb5_free_keyblock_contents(r->context, &r->reply_key); krb5_free_keyblock_contents(r->context, &r->reply_key);
krb5_free_keyblock_contents(r->context, &r->strengthen_key); krb5_free_keyblock_contents(r->context, &r->strengthen_key);

3
kdc/libkdc-exports.def
View File

@@ -32,6 +32,9 @@ EXPORTS
kdc_request_get_config kdc_request_get_config
kdc_request_get_cname kdc_request_get_cname
kdc_request_get_error_code kdc_request_get_error_code
kdc_request_get_explicit_armor_pac
kdc_request_get_explicit_armor_clientdb
kdc_request_get_explicit_armor_client
kdc_request_get_from kdc_request_get_from
kdc_request_get_krbtgt kdc_request_get_krbtgt
kdc_request_get_krbtgtdb kdc_request_get_krbtgtdb

3
kdc/version-script.map
View File

@@ -35,6 +35,9 @@ HEIMDAL_KDC_1.0 {
kdc_request_get_config; kdc_request_get_config;
kdc_request_get_cname; kdc_request_get_cname;
kdc_request_get_error_code; kdc_request_get_error_code;
kdc_request_get_explicit_armor_pac;
kdc_request_get_explicit_armor_clientdb;
kdc_request_get_explicit_armor_client;
kdc_request_get_from; kdc_request_get_from;
kdc_request_get_krbtgt; kdc_request_get_krbtgt;
kdc_request_get_krbtgtdb; kdc_request_get_krbtgtdb;