diff options
author | Simo Sorce <ssorce@redhat.com> | 2011-11-22 18:03:10 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2012-01-11 12:04:18 -0500 |
commit | 677e977ce506c91a85d1006b0600cfad4765814f (patch) | |
tree | 992da5e3371a15c1717e71edf23f02238e71cfe9 /daemons | |
parent | 21a14149ea5048d9d962911bd5a49a35302f4f7f (diff) | |
download | freeipa.git-677e977ce506c91a85d1006b0600cfad4765814f.tar.gz freeipa.git-677e977ce506c91a85d1006b0600cfad4765814f.tar.xz freeipa.git-677e977ce506c91a85d1006b0600cfad4765814f.zip |
ipa-kdb: Support re-signing PAC with different checksum
Fixes: https://fedorahosted.org/freeipa/ticket/2122
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 54 |
1 files changed, 52 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 3d4975e7..cce1ca90 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -50,6 +50,12 @@ krb5int_find_authdata(krb5_context context, #define krb5_find_authdata krb5int_find_authdata #endif +#ifndef KRB5_PAC_SERVER_CHECKSUM +#define KRB5_PAC_SERVER_CHECKSUM 6 +#endif +#ifndef KRB5_PAC_PRIVSVR_CHECKSUM +#define KRB5_PAC_PRIVSVR_CHECKSUM 6 +#endif static char *user_pac_attrs[] = { "objectClass", @@ -552,6 +558,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, { krb5_authdata **authdata = NULL; krb5_error_code kerr; + krb5_ui_4 *buffer_types = NULL; + size_t num_buffers; + krb5_pac old_pac = NULL; + krb5_pac new_pac = NULL; + krb5_data data; + size_t i; /* find the existing PAC, if present */ kerr = krb5_find_authdata(context, tgt_auth_data, NULL, @@ -573,16 +585,54 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, kerr = krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, - pac); + &old_pac); if (kerr) { goto done; } - kerr = krb5_pac_verify(context, *pac, authtime, + kerr = krb5_pac_verify(context, old_pac, authtime, client_princ, krbtgt_key, NULL); + if (kerr) { + goto done; + } + + /* extract buffers and rebuilt pac from scratch so that when re-signing + * with a different cksum type does not cause issues due to mismatching + * signature buffer lengths */ + kerr = krb5_pac_init(context, &new_pac); + if (kerr) { + goto done; + } + + kerr = krb5_pac_get_types(context, old_pac, &num_buffers, &buffer_types); + if (kerr) { + goto done; + } + + for (i = 0; i < num_buffers; i++) { + if (buffer_types[i] == KRB5_PAC_SERVER_CHECKSUM || + buffer_types[i] == KRB5_PAC_PRIVSVR_CHECKSUM) { + continue; + } + kerr = krb5_pac_get_buffer(context, old_pac, + buffer_types[i], &data); + if (kerr == 0) { + kerr = krb5_pac_add_buffer(context, new_pac, + buffer_types[i], &data); + } + krb5_free_data_contents(context, &data); + if (kerr) { + krb5_pac_free(context, new_pac); + goto done; + } + } + + *pac = new_pac; done: krb5_free_authdata(context, authdata); + krb5_pac_free(context, old_pac); + free(buffer_types); return kerr; } |