author | Simo Sorce <ssorce@redhat.com> | 2012-05-07 09:32:07 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-06-07 09:39:10 +0200 |
commit | 000bcfe34f318f613ec7c8744b3f886ef4ffb8ba (patch) | |
tree | cf7f2e1f26fe020812e528276d771fabd6f8808f /daemons/ipa-kdb/ipa_kdb_mspac.c | |
parent | ae2d5edd1ab8b60a36e93432f522470ae9b858fb (diff) | |
ipa-kdb: Add MS-PAC on constrained delegation.
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 48 |
1 files changed, 26 insertions, 22 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index bb05dce98..799386703 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -546,10 +546,9 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
                                         krb5_keyblock *server_key,
                                         krb5_keyblock *krbtgt_key,
                                         krb5_timestamp authtime,
-                                        krb5_authdata **tgt_auth_data,
+                                        krb5_authdata **authdata,
                                         krb5_pac *pac)
 {
-    krb5_authdata **authdata = NULL;
     krb5_keyblock *srv_key = NULL;
     krb5_keyblock *priv_key = NULL;
     krb5_error_code kerr;
@@ -560,23 +559,6 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
     krb5_data data;
     size_t i;
 
-    /* find the existing PAC, if present */
-    kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
-                              KRB5_AUTHDATA_WIN2K_PAC, &authdata);
-    if (kerr != 0) {
-        return kerr;
-    }
-
-    /* check pac data */
-    if (authdata == NULL || authdata[0] == NULL) {
-        kerr = 0; /* none */
-        goto done;
-    }
-    if (authdata[1] != NULL) {
-        kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
-        goto done;
-    }
-
     kerr = krb5_pac_parse(context,
                           authdata[0]->contents,
                           authdata[0]->length,
@@ -755,6 +737,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
                                     krb5_authdata ***signed_auth_data)
 {
     krb5_const_principal ks_client_princ;
+    krb5_authdata **pac_auth_data = NULL;
     krb5_authdata *authdata[2] = { NULL, NULL };
     krb5_authdata ad;
     krb5_boolean is_as_req;
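Review bot: ipadb_verify_pac now dereferences `authdata[0]->contents` and `authdata[0]->length` with no check of its own, since the NULL and single-element validation was moved to the caller; that precondition belongs on the function, e.g. `/* authdata: non-NULL list holding exactly one KRB5_AUTHDATA_WIN2K_PAC element; validated by ipadb_sign_authdata before the call */`. The list used to be allocated here by krb5_find_authdata, and per the diffstat this function's `done:` cleanup (outside the hunk) was not touched — if it still frees `authdata`, it now frees the caller's `pac_auth_data` and leaves ipadb_sign_authdata holding a dangling pointer; if it does not, nothing in the ipadb_sign_authdata hunk frees the list either. Confirm which function owns `pac_auth_data` and release it exactly once with `krb5_free_authdata(context, pac_auth_data);` on every exit path. ipadb_verify_pac's body continues outside the hunk.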
@@ -782,12 +765,33 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
     }
 
     if (!is_as_req) {
-        kerr = ipadb_verify_pac(context, flags, ks_client_princ,
-                                server, krbtgt, server_key, krbtgt_key,
-                                authtime, tgt_auth_data, &pac);
+        /* find the existing PAC, if present */
+        kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
+                                  KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
         if (kerr != 0) {
             goto done;
         }
+        /* check or generate pac data */
+        if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
+            if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+                kerr = ipadb_get_pac(context, client, &pac);
+                if (kerr != 0 && kerr != ENOENT) {
+                    goto done;
+                }
+            }
+        } else {
+            if (pac_auth_data[1] != NULL) {
+                kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
+                goto done;
+            }
+
+            kerr = ipadb_verify_pac(context, flags, ks_client_princ,
+                                    server, krbtgt, server_key, krbtgt_key,
+                                    authtime, pac_auth_data, &pac);
+            if (kerr != 0) {
+                goto done;
+            }
+        }
     }
 
     if (pac == NULL) {
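Review bot: In the constrained-delegation branch `kerr` is left holding ENOENT when ipadb_get_pac reports no PAC data for the client, and execution then falls through to `if (pac == NULL)` with a non-zero kerr; unless the code after the hunk resets it on that path, the function may return ENOENT for a request it meant to issue without a PAC. Adding `kerr = 0;` directly after the `if (kerr != 0 && kerr != ENOENT)` check makes the intent explicit regardless of what follows. The comment `/* check or generate pac data */` should also say why a PAC is minted only for S4U2Proxy, e.g. `/* no PAC in the presented ticket: for constrained delegation build one from the delegated client's entry, otherwise issue the ticket without a PAC */`. The enclosing function continues beyond the hunk.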