From e54d07a9b690b19839f97e2223e27fc4229f8e3d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 7 Apr 2011 14:40:54 +0200
Subject: [PATCH] kdc: check and regenerate the PAC in the s4u2proxy case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.

metze

Signed-off-by: Love Hörnquist Åstrand
---
 kdc/krb5tgs.c | 61 ++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 43 insertions(+), 18 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 4a533d188..3bc66bb40 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2007,24 +2007,6 @@ server_lookup:
 goto out;
 }
- /* check that ticket is valid */
- if (adtkt.flags.forwardable == 0) {
- kdc_log(context, config, 0,
- "Missing forwardable flag on ticket for "
- "constrained delegation from %s to %s ", cpn, spn);
- ret = KRB5KDC_ERR_BADOPTION;
- goto out;
- }
-
- ret = check_constrained_delegation(context, config, clientdb,
- client, sp);
- if (ret) {
- kdc_log(context, config, 0,
- "constrained delegation from %s to %s not allowed",
- cpn, spn);
- goto out;
- }
-
 ret = _krb5_principalname2krb5_principal(context, &tp, adtkt.cname,
@@ -2036,11 +2018,54 @@ server_lookup:
 if (ret)
 goto out;
+ /* check that ticket is valid */
+ if (adtkt.flags.forwardable == 0) {
+ kdc_log(context, config, 0,
+ "Missing forwardable flag on ticket for "
+ "constrained delegation from %s as %s to %s ",
+ cpn, tpn, spn);
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+
+ ret = check_constrained_delegation(context, config, clientdb,
+ client, sp);
+ if (ret) {
+ kdc_log(context, config, 0,
+ "constrained delegation from %s as %s to %s not allowed",
+ cpn, tpn, spn);
+ goto out;
+ }
+
 ret = verify_flags(context, config, &adtkt, tpn);
 if (ret) {
 goto out;
 }
+ krb5_data_free(&rspac);
+ /*
+ * generate the PAC for the user.
+ *
+ * TODO: pass in t->sname and t->realm and build
+ * a S4U_DELEGATION_INFO blob to the PAC.
+ */
+ ret = check_PAC(context, config, tp,
+ client, server, krbtgt,
+ &clientkey->key, &tkey_check->key,
+ ekey, &tkey_sign->key,
+ &adtkt, &rspac, &ad_signedpath);
+ if (ret == 0 && !ad_signedpath)
+ ret = KRB5KDC_ERR_BADOPTION;
+ if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0,
+ "Verify delegated PAC failed to %s for client"
+ "%s as %s from %s with %s",
+ spn, cpn, tpn, from, msg);
+ krb5_free_error_message(context, msg);
+ goto out;
+ }
+
 /*
 * Check that the KDC issued the user's ticket.
 */
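Review bot: The kdc_log format in the new check_PAC failure branch glues the client name onto the word "client": the fragment `"Verify delegated PAC failed to %s for client"` is immediately followed by `"%s as %s from %s with %s"`, so the audit line reads `...for client<cpn> as ...`, which makes the rejected-delegation log entries harder to parse; change the first fragment to `"Verify delegated PAC failed to %s for client "`. Separately, check_PAC is passed `client` (the delegating service's entry) while the evidence ticket in `adtkt` and `tp` describe the user whose PAC is being verified and regenerated; if check_PAC derives the regenerated PAC's identity from that entry rather than from `tp`, the new PAC would name the proxy service instead of the user, so this is worth confirming against check_PAC's contract, which the hunk does not show. Requiring `ad_signedpath` before accepting the delegated ticket is the right direction, since it is what ties the evidence ticket back to this KDC. The enclosing function starts and ends outside the hunk.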