HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
authorStefan Metzmacher <metze@samba.org>
Fri, 20 May 2016 06:29:30 +0000 (08:29 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 22 Jul 2016 21:34:21 +0000 (23:34 +0200)
This allows PAC_CREDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CREDENTIAL_INFO contains
an encrypted PAC_CREDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/heimdal/kdc/kerberos5.c
source4/heimdal/kdc/krb5tgs.c
source4/heimdal/kdc/windc.c
source4/heimdal/kdc/windc_plugin.h

index a75ec0eaaecdeb4cc5cfeebf94167c8847aa97ce..3282d5e08006dde63d9092e9907034e4d173a288 100644 (file)
@@ -982,6 +982,7 @@ _kdc_as_rep(krb5_context context,
 #ifdef PKINIT
     pk_client_params *pkp = NULL;
 #endif
+    const EncryptionKey *pk_reply_key = NULL;
 
     memset(&rep, 0, sizeof(rep));
     memset(&session_key, 0, sizeof(session_key));
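Review bot: `pk_reply_key` is declared as `const EncryptionKey *` while the `_kdc_pac_generate` parameter it is later passed to (and the new plugin hook) is typed `const krb5_keyblock *`; the commit evidently compiles, so the two are presumably the same typedef, but one call path now mixes two spellings of one type. Declaring it as `const krb5_keyblock *pk_reply_key = NULL;` matches the callee and the `windc_plugin.h` signature. A short comment on the declaration would also save readers a trip to the PKINIT branch, e.g. `/* PKINIT AS reply key, NULL for password-based AS-REQ; aliases reply_key */`. `_kdc_as_rep` starts and ends outside this hunk.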
@@ -1625,7 +1626,7 @@ _kdc_as_rep(krb5_context context,
        copy_HostAddresses(et.caddr, ek.caddr);
     }
 
-#if PKINIT
+#ifdef PKINIT
     if (pkp) {
         e_text = "Failed to build PK-INIT reply";
        ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
@@ -1640,6 +1641,11 @@ _kdc_as_rep(krb5_context context,
        if (ret)
            goto out;
 
+       /*
+        * Send reply key as constant value to pac generate which allows
+        * parts of the buffer to be encrypted (i.e., PAC_CREDENTIAL_DATA).
+        */
+       pk_reply_key = reply_key;
     } else
 #endif
     {
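Review bot: The comment above `pk_reply_key = reply_key;` explains the mechanism but not the security reason the assignment is confined to the PKINIT branch, which is exactly what a future maintainer needs when tempted to set it for the password path as well. What the hook will encrypt under this key is PAC_CREDENTIAL_DATA, i.e. the user's credentials, so the key must be one derived from the PKINIT exchange and never the password-derived reply key, and the comment should say so: `/* Only set for PKINIT: the hook encrypts the user's credentials (PAC_CREDENTIAL_DATA) under this key, so it must never be the password-derived reply key. pk_reply_key aliases reply_key; it is not a copy. */`. The function body continues beyond this hunk, so I could not confirm where `reply_key` is released relative to the PAC generation call that consumes the alias.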
@@ -1668,7 +1674,7 @@ _kdc_as_rep(krb5_context context,
        krb5_pac p = NULL;
        krb5_data data;
 
-       ret = _kdc_pac_generate(context, client, &p);
+       ret = _kdc_pac_generate(context, client, pk_reply_key, &p);
        if (ret) {
            kdc_log(context, config, 0, "PAC generation failed for -- %s",
                    client_name);
index c221c90346142b838759c6d9655e9722ee8767e6..334a6eb1dc88859e41224db42c4e480758f28bff 100644 (file)
@@ -1990,7 +1990,7 @@ server_lookup:
                    krb5_free_error_message(context, msg);
                    goto out;
                }
-               ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
+               ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p);
                if (ret) {
                    kdc_log(context, config, 0, "PAC generation failed for -- %s",
                            tpn);
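Review bot: Passing `NULL` for the new argument here is right but undocumented; a reader of the S4U2Self path has to open windc.c to learn that NULL means the PAC is built without PAC_CREDENTIAL_INFO. A one-line comment above the call would fix that: `/* No PKINIT reply key in the TGS path: the impersonated client's PAC is issued without PAC_CREDENTIAL_INFO. */`. The enclosing function begins and ends outside this hunk.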
index ba87abb7cc0b93fd20535149571426a3735c1e33..fb1c8a6a993f11555f08b9b8b8b0bfec30603e04 100644 (file)
@@ -73,11 +73,15 @@ krb5_kdc_windc_init(krb5_context context)
 krb5_error_code
 _kdc_pac_generate(krb5_context context,
                  hdb_entry_ex *client,
+                 const krb5_keyblock *pk_reply_key,
                  krb5_pac *pac)
 {
     *pac = NULL;
     if (windcft == NULL)
        return 0;
+    if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)
+       return (windcft->pac_pk_generate)(windcctx, context,
+                                         client, pk_reply_key, pac);
     return (windcft->pac_generate)(windcctx, context, client, pac);
 }
 
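Review bot: When a reply key is supplied but the loaded plugin leaves `pac_pk_generate` NULL, the new condition silently falls through to `pac_generate`, so a PKINIT client is issued a PAC with no PAC_CREDENTIAL_INFO and nothing records why; that may be the intended compatibility behaviour, but it should be stated. `_kdc_pac_generate` also gains a parameter that is documented nowhere in the file. I would add a header comment saying that `pk_reply_key` is the PKINIT AS reply key (NULL for password-based AS-REQ and for every TGS path), that it is borrowed from the caller and not released here, and that a plugin without `pac_pk_generate` degrades to the plain hook with no credential buffer added. Whether the member can legitimately be NULL for a loaded plugin depends on the ftable definition, whose leading fields are outside this hunk.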
index fa4ba434f3edbc4c2bcaed7a56e0ef313c8d47ca..bf90826cb06c3d3cf7ac36801066447c7ce2478b 100644 (file)
@@ -53,7 +53,14 @@ struct hdb_entry_ex;
 
 typedef krb5_error_code
 (*krb5plugin_windc_pac_generate)(void *, krb5_context,
-                                struct hdb_entry_ex *, krb5_pac *);
+                                struct hdb_entry_ex *, /* client */
+                                krb5_pac *);
+
+typedef krb5_error_code
+(*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
+                                   struct hdb_entry_ex *, /* client */
+                                   const krb5_keyblock *, /* pk_replykey */
+                                   krb5_pac *);
 
 typedef krb5_error_code
 (*krb5plugin_windc_pac_verify)(void *, krb5_context,
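Review bot: The parameter annotation `/* pk_replykey */` uses a spelling that appears nowhere else in the commit (the kdc code and windc.c say `pk_reply_key`), and the new typedef says nothing about nullability or ownership of that key, which is the contract a plugin author most needs. I would write it as `const krb5_keyblock *, /* pk_reply_key: PKINIT AS reply key, borrowed from the KDC; never NULL when this hook is invoked */`, which matches the NULL test that guards the call in `_kdc_pac_generate`. A one-sentence comment above the typedef noting that the hook is expected to add an encrypted PAC_CREDENTIAL_INFO would complete it.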
@@ -83,6 +90,7 @@ typedef struct krb5plugin_windc_ftable {
     krb5plugin_windc_pac_generate      pac_generate;
     krb5plugin_windc_pac_verify                pac_verify;
     krb5plugin_windc_client_access     client_access;
+    krb5plugin_windc_pac_pk_generate    pac_pk_generate;
 } krb5plugin_windc_ftable;
 
 #endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */
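Review bot: `pac_pk_generate` is appended at the end of `krb5plugin_windc_ftable`, so a plugin built against the previous header supplies a shorter table and the NULL test of the new member in `_kdc_pac_generate` reads past the end of that object instead of seeing NULL. If the ftable carries an interface version field (its leading members are above this hunk) it should be bumped, or the header should state that plugins must be rebuilt against it; in-tree plugins are presumably rebuilt, but the header is the only place that contract can be recorded. A comment on the new member would capture the constraint: `/* optional, may be NULL: PKINIT-aware PAC generation; appended for ABI compatibility, keep last */`.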