
HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook

This allows PAC_CREDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CREDENTIAL_INFO contains
an encrypted PAC_CREDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher 2016-05-20 08:29:30 +02:00 committed by Andrew Bartlett
parent f61833082a
commit 0022ea9efb
4 changed files with 22 additions and 4 deletions


@ -982,6 +982,7 @@ _kdc_as_rep(krb5_context context,
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
const EncryptionKey *pk_reply_key = NULL;
memset(&rep, 0, sizeof(rep));
memset(&session_key, 0, sizeof(session_key));
@ -1625,7 +1626,7 @@ _kdc_as_rep(krb5_context context,
copy_HostAddresses(et.caddr, ek.caddr);
}
#if PKINIT
#ifdef PKINIT
if (pkp) {
e_text = "Failed to build PK-INIT reply";
ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
@ -1640,6 +1641,11 @@ _kdc_as_rep(krb5_context context,
if (ret)
goto out;
/*
* Send reply key as constant value to pac generate which allows
* parts of the buffer to be encrypted (i.e., PAC_CREDENTIAL_DATA).
*/
pk_reply_key = reply_key;
} else
#endif
{
@ -1668,7 +1674,7 @@ _kdc_as_rep(krb5_context context,
krb5_pac p = NULL;
krb5_data data;
ret = _kdc_pac_generate(context, client, &p);
ret = _kdc_pac_generate(context, client, pk_reply_key, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
client_name);
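Review bot: `pk_reply_key = reply_key;` in the `#ifdef PKINIT` branch stores an alias that is only dereferenced later, at `_kdc_pac_generate(context, client, pk_reply_key, &p)`, so `reply_key` must still point at live storage at that point; the hunks do not show where `reply_key` is set or released, so that lifetime should be confirmed. The added comment describes the key as a "constant value", which is easy to misread as a fixed key rather than a const pointer; consider `/* Pass the PKINIT reply key (borrowed, const) to the PAC plugin so it can encrypt PAC_CREDENTIAL_DATA; the plugin must not keep the pointer past the call. */`. `_kdc_as_rep` begins and ends outside these hunks.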


@ -1990,7 +1990,7 @@ server_lookup:
krb5_free_error_message(context, msg);
goto out;
}
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
tpn);
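Review bot: Passing `NULL` for the new `pk_reply_key` argument on the S4U2Self path is correct as far as these lines show (the impersonated client is handled during TGS processing, where no PKINIT reply key exists), but a reader of this call has no hint what the bare `NULL` means or that it deliberately suppresses PAC_CREDENTIAL_INFO. Consider `ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL /* no PKINIT reply key */, &p);`. The enclosing function extends beyond this hunk on both sides.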


@ -73,11 +73,15 @@ krb5_kdc_windc_init(krb5_context context)
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
const krb5_keyblock *pk_reply_key,
krb5_pac *pac)
{
*pac = NULL;
if (windcft == NULL)
return 0;
if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)
return (windcft->pac_pk_generate)(windcctx, context,
client, pk_reply_key, pac);
return (windcft->pac_generate)(windcctx, context, client, pac);
}
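Review bot: `_kdc_pac_generate` now silently falls back to `pac_generate` when `pk_reply_key` is non-NULL but the loaded plugin provides no `pac_pk_generate`, so a PKINIT client then receives a PAC without PAC_CREDENTIAL_INFO; that fallback is reasonable for older plugins, but it should be stated in a header comment above the function, together with the contract that `pk_reply_key` is NULL for non-PKINIT requests, is borrowed from the caller and must not be retained by the plugin, and that `*pac` is left NULL when no windc plugin is loaded. The two-line `return (windcft->pac_pk_generate)(...)` under the unbraced `if` at `if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)` is the kind of body that is easiest to break when the call is edited later; braces around it cost nothing and match the rest of the KDC code.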


@ -53,7 +53,14 @@ struct hdb_entry_ex;
typedef krb5_error_code
(*krb5plugin_windc_pac_generate)(void *, krb5_context,
struct hdb_entry_ex *, krb5_pac *);
struct hdb_entry_ex *, /* client */
krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
struct hdb_entry_ex *, /* client */
const krb5_keyblock *, /* pk_replykey */
krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_pac_verify)(void *, krb5_context,
@ -83,6 +90,7 @@ typedef struct krb5plugin_windc_ftable {
krb5plugin_windc_pac_generate pac_generate;
krb5plugin_windc_pac_verify pac_verify;
krb5plugin_windc_client_access client_access;
krb5plugin_windc_pac_pk_generate pac_pk_generate;
} krb5plugin_windc_ftable;
#endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */
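Review bot: Appending `pac_pk_generate` to `krb5plugin_windc_ftable` grows the struct, so a plugin built against the previous layout hands the KDC a smaller object and `windcft->pac_pk_generate` in `_kdc_pac_generate` then reads past the end of it; that is only safe if the ftable carries a version that is bumped here and checked at load time, which neither this hunk (the struct's start is outside it) nor the `krb5_kdc_windc_init` context shows. If a version field exists, bump it in this commit; in any case annotate the new member, e.g. `krb5plugin_windc_pac_pk_generate pac_pk_generate; /* optional, may be NULL; used for PKINIT PAC_CREDENTIAL_INFO */`. Separately, the parameter comment `/* pk_replykey */` on the new typedef does not match the `pk_reply_key` name used in `_kdc_pac_generate`; `/* pk_reply_key */` keeps the header and implementation aligned.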