author | Simo Sorce <ssorce@redhat.com> | 2011-10-17 17:18:43 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-11-07 14:25:07 -0500 |
commit | 94a8bc1917fcc6571a7d9bdf7b53efea8c9d9241 (patch) | |
tree | 326aed08f25322a758484b6919ae2caa0294b36d /daemons/ipa-kdb/ipa_kdb_mspac.c | |
parent | 18537d55a7fd21c81af8b56fde69c895b2fa3597 (diff) | |
MS-PAC: Add support for verifying PAC in TGS requests
Fake code for now, to be rebased later
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 69 |
1 files changed, 62 insertions, 7 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 37ec063b5..3d4975e73 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -26,6 +26,7 @@
 #include "gen_ndr/ndr_krb5pac.h"
 #define KRB5INT_PAC_SIGN_AVAILABLE 1
+#define KRB5INT_FIND_AUTHDATA_AVAILABLE 1
 #if KRB5INT_PAC_SIGN_AVAILABLE
 krb5_error_code
@@ -40,6 +41,14 @@ krb5int_pac_sign(krb5_context context,
 #define KRB5_PAC_LOGON_INFO 1
 #endif
+#if KRB5INT_FIND_AUTHDATA_AVAILABLE
+krb5_error_code
+krb5int_find_authdata(krb5_context context,
+ krb5_authdata *const *ticket_authdata,
+ krb5_authdata *const *ap_req_authdata,
+ krb5_authdatatype ad_type, krb5_authdata ***results);
+#define krb5_find_authdata krb5int_find_authdata
+#endif
 static char *user_pac_attrs[] = {
@@ -531,6 +540,51 @@ done:
 return kerr;
 }
+static krb5_error_code ipadb_verify_pac(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_pac *pac)
+{
+ krb5_authdata **authdata = NULL;
+ krb5_error_code kerr;
+
+ /* find the existing PAC, if present */
+ kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
+ KRB5_AUTHDATA_WIN2K_PAC, &authdata);
+ if (kerr != 0) {
+ return kerr;
+ }
+
+ /* check pac data */
+ if (authdata == NULL || authdata[0] == NULL) {
+ kerr = 0; /* none */
+ goto done;
+ }
+ if (authdata[1] != NULL) {
+ kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
+ goto done;
+ }
+
+ kerr = krb5_pac_parse(context,
+ authdata[0]->contents,
+ authdata[0]->length,
+ pac);
+ if (kerr) {
+ goto done;
+ }
+
+ kerr = krb5_pac_verify(context, *pac, authtime,
+ client_princ, krbtgt_key, NULL);
+
+done:
+ krb5_free_authdata(context, authdata);
+ return kerr;
+}
 krb5_error_code ipadb_sign_authdata(krb5_context context,
 unsigned int flags,
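Review bot: The local prototype for `krb5int_find_authdata` and the `#define krb5_find_authdata krb5int_find_authdata` alias bind the plugin to a private libkrb5 symbol, and the `KRB5INT_FIND_AUTHDATA_AVAILABLE` switch added in the first hunk carries no comment saying so. Since the commit message calls this temporary code to be rebased later, a comment next to the define such as `/* temporary: relies on a private krb5int_ symbol until a public equivalent is available */` would tell the next reader why the block exists and when it can be dropped, the same way the existing `KRB5INT_PAC_SIGN_AVAILABLE` block presumably was introduced.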
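Review bot: In ipadb_verify_pac the parameters `server_key`, `flags` and `client` are never used, and the krb5_pac_verify call passes `krbtgt_key` as the server key and `NULL` as privsvr, so only the server checksum is checked and only under the assumption that `tgt_auth_data` came from a ticket encrypted in the krbtgt key; passing NULL as privsvr skips the KDC checksum entirely. That holds for a TGT presented in a TGS-REQ but presumably not for other presented tickets, so the assumption should be stated above the function, e.g. `/* tgt_auth_data must come from a TGT: the PAC server checksum is keyed with krbtgt_key; the KDC (privsvr) checksum is not rechecked here */`. When krb5_pac_verify fails, `*pac` is left pointing at the parsed PAC; unless the caller's done: label (outside this hunk) frees it, that error path should add `krb5_pac_free(context, *pac); *pac = NULL;`. The `FIXME` on the multiple-PAC branch should at least say that more than one PAC is rejected rather than the first one being used, since the chosen error code is the only thing the caller sees.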
@@ -566,20 +620,21 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
 kerr = ipadb_get_pac(context, client, &pac);
- if (kerr != 0) {
+ if (kerr != 0 && kerr != ENOENT) {
 goto done;
 }
 }
-#if 0
+
 if (!is_as_req) {
- code = ks_verify_pac(context, flags, ks_client_princ, client,
- server_key, krbtgt_key, authtime,
- tgt_auth_data, &pac);
- if (code != 0) {
+ kerr = ipadb_verify_pac(context, flags,
+ ks_client_princ, client,
+ server_key, krbtgt_key,
+ authtime, tgt_auth_data, &pac);
+ if (kerr != 0) {
 goto done;
 }
 }
-
+#if 0
 if (pac == NULL && client != NULL) {
 code = ks_get_pac(context, client, &pac); |