summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-kdb/ipa_kdb_mspac.c
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2012-05-07 09:32:07 -0400
committerMartin Kosek <mkosek@redhat.com>2012-06-07 09:39:10 +0200
commit000bcfe34f318f613ec7c8744b3f886ef4ffb8ba (patch)
treecf7f2e1f26fe020812e528276d771fabd6f8808f /daemons/ipa-kdb/ipa_kdb_mspac.c
parentae2d5edd1ab8b60a36e93432f522470ae9b858fb (diff)
downloadfreeipa-000bcfe34f318f613ec7c8744b3f886ef4ffb8ba.tar.gz
freeipa-000bcfe34f318f613ec7c8744b3f886ef4ffb8ba.tar.xz
freeipa-000bcfe34f318f613ec7c8744b3f886ef4ffb8ba.zip
ipa-kdb: Add MS-PAC on constrained delegation.
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c48
1 files changed, 26 insertions, 22 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index bb05dce98..799386703 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -546,10 +546,9 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
- krb5_authdata **tgt_auth_data,
+ krb5_authdata **authdata,
krb5_pac *pac)
{
- krb5_authdata **authdata = NULL;
krb5_keyblock *srv_key = NULL;
krb5_keyblock *priv_key = NULL;
krb5_error_code kerr;
@@ -560,23 +559,6 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
krb5_data data;
size_t i;
- /* find the existing PAC, if present */
- kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
- KRB5_AUTHDATA_WIN2K_PAC, &authdata);
- if (kerr != 0) {
- return kerr;
- }
-
- /* check pac data */
- if (authdata == NULL || authdata[0] == NULL) {
- kerr = 0; /* none */
- goto done;
- }
- if (authdata[1] != NULL) {
- kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
- goto done;
- }
-
kerr = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
@@ -755,6 +737,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_authdata ***signed_auth_data)
{
krb5_const_principal ks_client_princ;
+ krb5_authdata **pac_auth_data = NULL;
krb5_authdata *authdata[2] = { NULL, NULL };
krb5_authdata ad;
krb5_boolean is_as_req;
@@ -782,12 +765,33 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
}
if (!is_as_req) {
- kerr = ipadb_verify_pac(context, flags, ks_client_princ,
- server, krbtgt, server_key, krbtgt_key,
- authtime, tgt_auth_data, &pac);
+ /* find the existing PAC, if present */
+ kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
+ KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
if (kerr != 0) {
goto done;
}
+ /* check or generate pac data */
+ if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
+ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+ kerr = ipadb_get_pac(context, client, &pac);
+ if (kerr != 0 && kerr != ENOENT) {
+ goto done;
+ }
+ }
+ } else {
+ if (pac_auth_data[1] != NULL) {
+ kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
+ goto done;
+ }
+
+ kerr = ipadb_verify_pac(context, flags, ks_client_princ,
+ server, krbtgt, server_key, krbtgt_key,
+ authtime, pac_auth_data, &pac);
+ if (kerr != 0) {
+ goto done;
+ }
+ }
}
if (pac == NULL) {