Resign the PAC in tgsreq if we have a PAC.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19669 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2007-01-04 10:56:23 +00:00
parent b8884f1904
commit 9b7ae5c640


@@ -282,6 +282,8 @@ check_PAC(krb5_context context,
hdb_entry_ex *client, hdb_entry_ex *client,
const EncryptionKey *ekey, const EncryptionKey *ekey,
EncTicketPart *tkt, EncTicketPart *tkt,
const EncryptionKey *sessionkey,
krb5_data *rspac,
int *require_signedpath) int *require_signedpath)
{ {
AuthorizationData *ad = tkt->authorization_data; AuthorizationData *ad = tkt->authorization_data;
@@ -330,9 +332,17 @@ check_PAC(krb5_context context,
} }
ret = _kdc_pac_verify(context, client, pac); ret = _kdc_pac_verify(context, client, pac);
if (ret) {
_krb5_pac_free(context, pac);
return ret;
}
*require_signedpath = 0;
ret = _krb5_pac_sign(context, pac, tkt->authtime,
client->entry.principal,
sessionkey, ekey, rspac);
_krb5_pac_free(context, pac); _krb5_pac_free(context, pac);
if (ret == 0)
*require_signedpath = 0;
return ret; return ret;
} }
@@ -645,7 +655,7 @@ tgs_make_reply(krb5_context context,
krb5_const_principal tgt_name, krb5_const_principal tgt_name,
const EncTicketPart *tgt, const EncTicketPart *tgt,
const EncryptionKey *ekey, const EncryptionKey *ekey,
krb5_enctype etype, const krb5_keyblock *sessionkey,
krb5_kvno kvno, krb5_kvno kvno,
AuthorizationData *auth_data, AuthorizationData *auth_data,
hdb_entry_ex *server, hdb_entry_ex *server,
@@ -655,6 +665,7 @@ tgs_make_reply(krb5_context context,
hdb_entry_ex *krbtgt, hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype, krb5_enctype krbtgt_etype,
KRB5SignedPathPrincipals *spp, KRB5SignedPathPrincipals *spp,
const krb5_data *rspac,
const char **e_text, const char **e_text,
krb5_data *reply) krb5_data *reply)
{ {
@@ -802,7 +813,21 @@ tgs_make_reply(krb5_context context,
} }
} }
krb5_generate_random_keyblock(context, etype, &et.key); if(rspac->length) {
/*
* No not need to filter out the any PAC from the
* auth_data since its signed by the KDC.
*/
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
rspac);
if (ret)
goto out;
}
ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
if (ret)
goto out;
et.crealm = tgt->crealm; et.crealm = tgt->crealm;
et.cname = tgt_name->name; et.cname = tgt_name->name;
@@ -810,6 +835,10 @@ tgs_make_reply(krb5_context context,
/* MIT must have at least one last_req */ /* MIT must have at least one last_req */
ek.last_req.len = 1; ek.last_req.len = 1;
ek.last_req.val = calloc(1, sizeof(*ek.last_req.val)); ek.last_req.val = calloc(1, sizeof(*ek.last_req.val));
if (ek.last_req.val == NULL) {
ret = ENOMEM;
goto out;
}
ek.nonce = b->nonce; ek.nonce = b->nonce;
ek.flags = et.flags; ek.flags = et.flags;
ek.authtime = et.authtime; ek.authtime = et.authtime;
@@ -832,7 +861,7 @@ tgs_make_reply(krb5_context context,
krbtgt, krbtgt,
krbtgt_etype, krbtgt_etype,
NULL, NULL,
NULL, spp,
&et); &et);
if (ret) if (ret)
goto out; goto out;
@@ -850,7 +879,7 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with etype list, even if we don't want a session key with
DES3? */ DES3? */
ret = _kdc_encode_reply(context, config, ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, etype, &rep, &et, &ek, et.key.keytype,
kvno, kvno,
ekey, 0, &tgt->key, e_text, reply); ekey, 0, &tgt->key, e_text, reply);
out: out:
@@ -1224,8 +1253,10 @@ tgs_build_reply(krb5_context context,
EncTicketPart *tgt = &ticket->ticket; EncTicketPart *tgt = &ticket->ticket;
KRB5SignedPathPrincipals *spp = NULL; KRB5SignedPathPrincipals *spp = NULL;
const EncryptionKey *ekey; const EncryptionKey *ekey;
krb5_keyblock sessionkey;
krb5_enctype etype; krb5_enctype etype;
krb5_kvno kvno; krb5_kvno kvno;
krb5_data rspac;
PrincipalName *s; PrincipalName *s;
Realm r; Realm r;
@@ -1234,7 +1265,9 @@ tgs_build_reply(krb5_context context,
char opt_str[128]; char opt_str[128];
int require_signedpath = 0; int require_signedpath = 0;
memset(&sessionkey, 0, sizeof(sessionkey));
memset(&adtkt, 0, sizeof(adtkt)); memset(&adtkt, 0, sizeof(adtkt));
krb5_data_zero(&rspac);
s = b->sname; s = b->sname;
r = b->realm; r = b->realm;
@@ -1662,8 +1695,9 @@ server_lookup:
kvno = server->entry.kvno; kvno = server->entry.kvno;
} }
krb5_generate_random_keyblock(context, etype, &sessionkey);
/* check PAC if there is one */ /* check PAC if there is one */
{ {
Key *tkey; Key *tkey;
@@ -1676,7 +1710,7 @@ server_lookup:
} }
ret = check_PAC(context, config, client, &tkey->key, ret = check_PAC(context, config, client, &tkey->key,
tgt, &require_signedpath); tgt, &sessionkey, &rspac, &require_signedpath);
if (ret) { if (ret) {
kdc_log(context, config, 0, kdc_log(context, config, 0,
"check_PAC check failed for %s (%s) from %s with %s", "check_PAC check failed for %s (%s) from %s with %s",
@@ -1709,7 +1743,7 @@ server_lookup:
client_principal, client_principal,
tgt, tgt,
ekey, ekey,
etype, &sessionkey,
kvno, kvno,
auth_data, auth_data,
server, server,
@@ -1719,6 +1753,7 @@ server_lookup:
krbtgt, krbtgt,
krbtgt_etype, krbtgt_etype,
spp, spp,
&rspac,
e_text, e_text,
reply); reply);
@@ -1726,6 +1761,8 @@ out:
free(spn); free(spn);
free(cpn); free(cpn);
krb5_data_free(&rspac);
krb5_free_keyblock_contents(context, &sessionkey);
if(server) if(server)
_kdc_free_ent(context, server); _kdc_free_ent(context, server);
if(client) if(client)
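Review bot: The return value of `krb5_generate_random_keyblock` is discarded in tgs_build_reply (the `@@ -1662` hunk), so if key generation fails `sessionkey` most likely stays the zeroed keyblock from the `memset` added earlier, check_PAC then signs the PAC with that key and tgs_make_reply copies it into `et.key` and encodes the reply with `et.key.keytype`. The old code in tgs_make_reply ignored the same return, but the key now also feeds the PAC signature, so the failure is worth stopping on: `ret = krb5_generate_random_keyblock(context, etype, &sessionkey);` followed by `if (ret) goto out;`, which the `out:` cleanup already frees (`krb5_data_free(&rspac)`, `krb5_free_keyblock_contents`), assuming `out:` returns `ret` as elsewhere in the function. The comment added in tgs_make_reply reads `No not need to filter out the any PAC from the auth_data since its signed by the KDC`; suggest `/* No need to filter any PAC out of auth_data here: the one added below is signed by the KDC. */`. Both check_PAC and the two tgs_* functions start and end outside these hunks.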