From 000bcfe34f318f613ec7c8744b3f886ef4ffb8ba Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 7 May 2012 09:32:07 -0400
Subject: ipa-kdb: Add MS-PAC on constrained delegation.

---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 48 ++++++++++++++++++++++-------------------
 1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index bb05dce98..799386703 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -546,10 +546,9 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
                                         krb5_keyblock *server_key,
                                         krb5_keyblock *krbtgt_key,
                                         krb5_timestamp authtime,
-                                        krb5_authdata **tgt_auth_data,
+                                        krb5_authdata **authdata,
                                         krb5_pac *pac)
 {
-    krb5_authdata **authdata = NULL;
     krb5_keyblock *srv_key = NULL;
     krb5_keyblock *priv_key = NULL;
     krb5_error_code kerr;
@@ -560,23 +559,6 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
     krb5_data data;
     size_t i;
 
-    /* find the existing PAC, if present */
-    kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
-                              KRB5_AUTHDATA_WIN2K_PAC, &authdata);
-    if (kerr != 0) {
-        return kerr;
-    }
-
-    /* check pac data */
-    if (authdata == NULL || authdata[0] == NULL) {
-        kerr = 0; /* none */
-        goto done;
-    }
-    if (authdata[1] != NULL) {
-        kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
-        goto done;
-    }
-
     kerr = krb5_pac_parse(context,
                           authdata[0]->contents,
                           authdata[0]->length,
@@ -755,6 +737,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
                                     krb5_authdata ***signed_auth_data)
 {
     krb5_const_principal ks_client_princ;
+    krb5_authdata **pac_auth_data = NULL;
     krb5_authdata *authdata[2] = { NULL, NULL };
     krb5_authdata ad;
     krb5_boolean is_as_req;
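Review bot: After the removed block, ipadb_verify_pac goes straight to `authdata[0]->contents` with no check that `authdata` is non-NULL, that it has a first element, or that it has only one; those checks now live in the caller, but nothing on the function records that it depends on them, and the renamed parameter in the first hunk reads like any other authdata array. A comment next to the parameter would keep a future caller from passing an unchecked array: `/* authdata: non-NULL, exactly one KRB5_AUTHDATA_WIN2K_PAC element; ipadb_sign_authdata validates this before calling */`. Since the function is static and has a single caller today the change is safe as written; the body of ipadb_verify_pac continues outside the hunk.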
@@ -782,12 +765,33 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     }
 
     if (!is_as_req) {
-        kerr = ipadb_verify_pac(context, flags, ks_client_princ,
-                                server, krbtgt, server_key, krbtgt_key,
-                                authtime, tgt_auth_data, &pac);
+        /* find the existing PAC, if present */
+        kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
+                                  KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
         if (kerr != 0) {
             goto done;
         }
+        /* check or generate pac data */
+        if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
+            if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+                kerr = ipadb_get_pac(context, client, &pac);
+                if (kerr != 0 && kerr != ENOENT) {
+                    goto done;
+                }
+            }
+        } else {
+            if (pac_auth_data[1] != NULL) {
+                kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
+                goto done;
+            }
+
+            kerr = ipadb_verify_pac(context, flags, ks_client_princ,
+                                    server, krbtgt, server_key, krbtgt_key,
+                                    authtime, pac_auth_data, &pac);
+            if (kerr != 0) {
+                goto done;
+            }
+        }
     }
 
     if (pac == NULL) {
-- cgit
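Review bot: In the constrained-delegation branch `kerr` is left holding ENOENT when ipadb_get_pac() reports no PAC data, because the guard only jumps to `done` for other errors; whether that errno value escapes as the function's return depends on the code after `if (pac == NULL) {`, which is outside the hunk, so if nothing reassigns `kerr` on that path the request fails with a non-Kerberos error code. Making the tolerated case explicit removes the dependency on later code: `if (kerr == ENOENT) { kerr = 0; } else if (kerr != 0) { goto done; }`. It would also help a reader to say why a missing PAC on the presented ticket is acceptable only under KRB5_KDB_FLAG_CONSTRAINED_DELEGATION, e.g. `/* no PAC on the evidence ticket: build one for client from the database */` above the ipadb_get_pac() call, since in every other case the new code silently issues the ticket with `pac` still NULL. The rest of ipadb_sign_authdata, including the handling of a NULL `pac`, continues outside the hunk.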