summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-kdb/ipa_kdb_mspac.c
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2011-10-17 17:18:43 -0400
committerSimo Sorce <ssorce@redhat.com>2011-11-07 14:25:07 -0500
commit94a8bc1917fcc6571a7d9bdf7b53efea8c9d9241 (patch)
tree326aed08f25322a758484b6919ae2caa0294b36d /daemons/ipa-kdb/ipa_kdb_mspac.c
parent18537d55a7fd21c81af8b56fde69c895b2fa3597 (diff)
downloadfreeipa-94a8bc1917fcc6571a7d9bdf7b53efea8c9d9241.tar.gz
freeipa-94a8bc1917fcc6571a7d9bdf7b53efea8c9d9241.tar.xz
freeipa-94a8bc1917fcc6571a7d9bdf7b53efea8c9d9241.zip
MS-PAC: Add support for verifying PAC in TGS requests
Fake code for now, to be rebased later
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c69
1 files changed, 62 insertions, 7 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 37ec063b5..3d4975e73 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -26,6 +26,7 @@
#include "gen_ndr/ndr_krb5pac.h"
#define KRB5INT_PAC_SIGN_AVAILABLE 1
+#define KRB5INT_FIND_AUTHDATA_AVAILABLE 1
#if KRB5INT_PAC_SIGN_AVAILABLE
krb5_error_code
@@ -40,6 +41,14 @@ krb5int_pac_sign(krb5_context context,
#define KRB5_PAC_LOGON_INFO 1
#endif
+#if KRB5INT_FIND_AUTHDATA_AVAILABLE
+krb5_error_code
+krb5int_find_authdata(krb5_context context,
+ krb5_authdata *const *ticket_authdata,
+ krb5_authdata *const *ap_req_authdata,
+ krb5_authdatatype ad_type, krb5_authdata ***results);
+#define krb5_find_authdata krb5int_find_authdata
+#endif
static char *user_pac_attrs[] = {
@@ -531,6 +540,51 @@ done:
return kerr;
}
+static krb5_error_code ipadb_verify_pac(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_pac *pac)
+{
+ krb5_authdata **authdata = NULL;
+ krb5_error_code kerr;
+
+ /* find the existing PAC, if present */
+ kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
+ KRB5_AUTHDATA_WIN2K_PAC, &authdata);
+ if (kerr != 0) {
+ return kerr;
+ }
+
+ /* check pac data */
+ if (authdata == NULL || authdata[0] == NULL) {
+ kerr = 0; /* none */
+ goto done;
+ }
+ if (authdata[1] != NULL) {
+ kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
+ goto done;
+ }
+
+ kerr = krb5_pac_parse(context,
+ authdata[0]->contents,
+ authdata[0]->length,
+ pac);
+ if (kerr) {
+ goto done;
+ }
+
+ kerr = krb5_pac_verify(context, *pac, authtime,
+ client_princ, krbtgt_key, NULL);
+
+done:
+ krb5_free_authdata(context, authdata);
+ return kerr;
+}
krb5_error_code ipadb_sign_authdata(krb5_context context,
unsigned int flags,
@@ -566,20 +620,21 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
kerr = ipadb_get_pac(context, client, &pac);
- if (kerr != 0) {
+ if (kerr != 0 && kerr != ENOENT) {
goto done;
}
}
-#if 0
+
if (!is_as_req) {
- code = ks_verify_pac(context, flags, ks_client_princ, client,
- server_key, krbtgt_key, authtime,
- tgt_auth_data, &pac);
- if (code != 0) {
+ kerr = ipadb_verify_pac(context, flags,
+ ks_client_princ, client,
+ server_key, krbtgt_key,
+ authtime, tgt_auth_data, &pac);
+ if (kerr != 0) {
goto done;
}
}
-
+#if 0
if (pac == NULL && client != NULL) {
code = ks_get_pac(context, client, &pac);