authorGreg Hudson <ghudson@mit.edu>2009-11-14 04:46:30 +0000
committerGreg Hudson <ghudson@mit.edu>2009-11-14 04:46:30 +0000
commit0524889196c42d81dcc4c74277522b46f987cabb (patch)
tree9f906eb1a4a32346ae94837c4fe199410e2dd10f /src/lib/krb5/krb/copy_auth.c
parent26044e2a3c3104b9c3f32a6ae58145e7e6394672 (diff)
Constrained delegation without PAC support
Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2. ticket: 6580 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/copy_auth.c')
-rw-r--r--src/lib/krb5/krb/copy_auth.c61
1 files changed, 41 insertions, 20 deletions
diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c
index 0262fe5bb..d4c270078 100644
--- a/src/lib/krb5/krb/copy_auth.c
+++ b/src/lib/krb5/krb/copy_auth.c
@@ -223,34 +223,47 @@ grow_find_authdata(krb5_context context, struct find_authdata_context *fctx,
static krb5_error_code
find_authdata_1(krb5_context context, krb5_authdata *const *in_authdat,
- krb5_authdatatype ad_type, struct find_authdata_context *fctx)
+ krb5_authdatatype ad_type, struct find_authdata_context *fctx,
+ int from_ap_req)
{
int i = 0;
- krb5_error_code retval=0;
+ krb5_error_code retval = 0;
for (i = 0; in_authdat[i]; i++) {
krb5_authdata *ad = in_authdat[i];
- if (ad->ad_type == ad_type && retval ==0)
- retval = grow_find_authdata(context, fctx, ad);
- else switch (ad->ad_type) {
- krb5_authdata **decoded_container;
- case KRB5_AUTHDATA_IF_RELEVANT:
- if (retval == 0)
- retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container);
- if (retval == 0) {
- retval = find_authdata_1(context,
- decoded_container, ad_type, fctx);
- krb5_free_authdata(context, decoded_container);
- }
- break;
- default:
- break;
+ krb5_authdata **decoded_container;
+
+ switch (ad->ad_type) {
+ case KRB5_AUTHDATA_IF_RELEVANT:
+ if (retval == 0)
+ retval = krb5_decode_authdata_container(context,
+ ad->ad_type,
+ ad,
+ &decoded_container);
+ if (retval == 0) {
+ retval = find_authdata_1(context,
+ decoded_container,
+ ad_type,
+ fctx,
+ from_ap_req);
+ krb5_free_authdata(context, decoded_container);
}
+ break;
+ case KRB5_AUTHDATA_SIGNTICKET:
+ case KRB5_AUTHDATA_KDC_ISSUED:
+ case KRB5_AUTHDATA_WIN2K_PAC:
+ if (from_ap_req)
+ continue;
+ default:
+ if (ad->ad_type == ad_type && retval == 0)
+ retval = grow_find_authdata(context, fctx, ad);
+ break;
+ }
}
+
return retval;
}
-
krb5_error_code
krb5int_find_authdata(krb5_context context,
krb5_authdata *const *ticket_authdata,
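Review bot: The fall-through from `case KRB5_AUTHDATA_WIN2K_PAC:` into `default:` when `from_ap_req` is zero is intentional but unmarked, and the `continue` on that path leaves the enclosing `for` rather than the `switch`, which is easy to misread at a glance. Mark it and say why these three types are dropped from authenticator data, e.g. `if (from_ap_req) continue; /* KDC-asserted types are only trusted from the ticket, never from the client-supplied authenticator */` followed by `/* fallthrough */` on its own line before `default:`. The new `from_ap_req` parameter also deserves a sentence in a header comment on find_authdata_1, since the ticket/authenticator distinction is the whole point of the change. The second hunk passes 0 for ticket authdata and 1 for AP-REQ authdata, which matches this reading.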
@@ -266,9 +279,9 @@ krb5int_find_authdata(krb5_context context,
if (fctx.out == NULL)
return ENOMEM;
if (ticket_authdata)
- retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx);
+ retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx, 0);
if ((retval==0) && ap_req_authdata)
- retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx);
+ retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx, 1);
if ((retval== 0) && fctx.length)
*results = fctx.out;
else krb5_free_authdata(context, fctx.out);
@@ -300,6 +313,9 @@ krb5_make_authdata_kdc_issued(krb5_context context,
if (code != 0)
return code;
+ if (!krb5_c_is_keyed_cksum(cksumtype))
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+
code = encode_krb5_authdata(ad_kdci.elements, &data);
if (code != 0)
return code;
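Review bot: The new keyed-checksum check carries no comment saying why an unkeyed checksum type must be rejected here; the integrity of a KDC-ISSUED element rests entirely on that checksum, and an unkeyed type such as CRC32 could be produced by anyone holding the element. Add `/* An unkeyed checksum would let anyone forge this element; require a keyed type. */` above the `if`. The same check appears in the next hunk in krb5_verify_authdata_kdc_issued and would benefit from the same comment, since there the type is read from the decoded element rather than chosen by the caller. krb5_make_authdata_kdc_issued begins and ends outside this hunk, so I cannot see how cksumtype was selected before this point.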
@@ -361,6 +377,11 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
if (code != 0)
return code;
+ if (!krb5_c_is_keyed_cksum(ad_kdci->ad_checksum.checksum_type)) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
code = encode_krb5_authdata(ad_kdci->elements, &data2);
if (code != 0) {
krb5_free_ad_kdcissued(context, ad_kdci);
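Review bot: The free-and-return pair on the added lines duplicates the one immediately below for the encode failure, and every further early exit in this function will have to repeat it. A single cleanup label that releases ad_kdci (and data2 once it has been allocated), reached with `code = KRB5KRB_AP_ERR_INAPP_CKSUM; goto cleanup;` in the new branch, would keep the resource release in one place; the rest of krb5_verify_authdata_kdc_issued lies outside the hunk, so I cannot tell whether such a label already exists. Performing the checksum-type check before encoding the elements is the right order, since it fails before any further allocation.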