| author | Simo Sorce <ssorce@redhat.com> | 2011-11-22 18:03:10 -0500 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2011-11-22 19:00:47 -0500 |
| commit | 80560ceae195b705ecc65ed60398764cee840ac9 (patch) | |
| tree | 21a1733e856bb6893da46e4a86432fbc31b03a8c | |
| parent | aa05d883ca014d2fc32ba3b56642b3fd5382888c (diff) | |
ipa-kdb: Support re-signing PAC with different checksums (sumit)
| -rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 44 |
1 files changed, 42 insertions, 2 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 3d4975e73..63c18b5d5 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -552,6 +552,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
 {
     krb5_authdata **authdata = NULL;
     krb5_error_code kerr;
+    krb5_ui_4 *buffer_types = NULL;
+    size_t num_buffers;
+    krb5_pac old_pac = NULL;
+    krb5_pac new_pac = NULL;
+    krb5_data data;
+    size_t i;
     /* find the existing PAC, if present */
     kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
@@ -573,16 +579,50 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
     kerr = krb5_pac_parse(context,
                           authdata[0]->contents,
                           authdata[0]->length,
-                          pac);
+                          &old_pac);
     if (kerr) {
         goto done;
     }
-    kerr = krb5_pac_verify(context, *pac, authtime,
+    kerr = krb5_pac_verify(context, old_pac, authtime,
                            client_princ, krbtgt_key, NULL);
+    if (kerr) {
+        goto done;
+    }
+
+    /* extract buffers and rebuilt pac from scratch so that when re-signing
+     * with a different cksum type does not cause issues due to mismatching
+     * signature buffer lengths */
+    kerr = krb5_pac_init(context, &new_pac);
+    if (kerr) {
+        goto done;
+    }
+
+    kerr = krb5_pac_get_types(context, old_pac, &num_buffers, &buffer_types);
+    if (kerr) {
+        goto done;
+    }
+
+    for (i = 0; i < num_buffers; i++) {
+        kerr = krb5_pac_get_buffer(context, old_pac,
+                                   buffer_types[i], &data);
+        if (kerr == 0) {
+            kerr = krb5_pac_add_buffer(context, &new_pac,
+                                       buffer_types[i], &data);
+        }
+        krb5_free_data_contents(context, &data);
+        if (kerr) {
+            krb5_pac_free(context, new_pac);
+            goto done;
+        }
+    }
+
+    *pac = new_pac;
 done:
     krb5_free_authdata(context, authdata);
+    krb5_pac_free(context, old_pac);
+    free(buffer_types);
     return kerr;
 } |
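Review bot: new_pac leaks when krb5_pac_get_types fails, because that error path jumps to done: after krb5_pac_init has already succeeded and done: frees only old_pac and buffer_types; only the in-loop failure path frees new_pac. A second problem in the loop is that krb5_free_data_contents runs on `data` even when krb5_pac_get_buffer returned an error, and `data` is declared without an initializer in the first hunk, so if the library leaves it untouched on failure this frees an indeterminate pointer. Both are addressed by freeing new_pac at done: (krb5_pac_free on NULL is already relied on for old_pac in this hunk), clearing `new_pac` once it has been handed to the caller, and skipping the free when krb5_pac_get_buffer fails; adding `krb5_data data = { 0 };` in the first hunk would be a cheap extra guard. ipadb_verify_pac's signature and opening brace are outside this hunk.
```c
    /* … unchanged: pac parse, verify, krb5_pac_init, krb5_pac_get_types … */

    for (i = 0; i < num_buffers; i++) {
        kerr = krb5_pac_get_buffer(context, old_pac,
                                   buffer_types[i], &data);
        if (kerr) {
            goto done;          /* data not populated; nothing to free */
        }
        kerr = krb5_pac_add_buffer(context, &new_pac,
                                   buffer_types[i], &data);
        krb5_free_data_contents(context, &data);
        if (kerr) {
            goto done;
        }
    }

    *pac = new_pac;
    new_pac = NULL;             /* ownership passed to the caller */
done:
    krb5_free_authdata(context, authdata);
    krb5_pac_free(context, old_pac);
    krb5_pac_free(context, new_pac);    /* NULL unless an error path was taken */
    free(buffer_types);
    return kerr;
```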
