ipa-kdb: Add MS-PAC on constrained delegation.

2025-02-25 18:55:28 -06:00 · 2012-05-07 09:32:07 -04:00
parent ae2d5edd1a
commit 000bcfe34f
1 changed files with 26 additions and 22 deletions
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -546,10 +546,9 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
                                        krb5_keyblock *server_key,
                                        krb5_keyblock *krbtgt_key,
                                        krb5_timestamp authtime,
-                                        krb5_authdata **tgt_auth_data,
+                                        krb5_authdata **authdata,
                                        krb5_pac *pac)
 {
-    krb5_authdata **authdata = NULL;
    krb5_keyblock *srv_key = NULL;
    krb5_keyblock *priv_key = NULL;
    krb5_error_code kerr;
@@ -560,23 +559,6 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
    krb5_data data;
    size_t i;

-    /* find the existing PAC, if present */
-    kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
-                              KRB5_AUTHDATA_WIN2K_PAC, &authdata);
-    if (kerr != 0) {
-        return kerr;
-    }
-
-    /* check pac data */
-    if (authdata == NULL || authdata[0] == NULL) {
-        kerr = 0; /* none */
-        goto done;
-    }
-    if (authdata[1] != NULL) {
-        kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
-        goto done;
-    }
-
    kerr = krb5_pac_parse(context,
                          authdata[0]->contents,
                          authdata[0]->length,
@@ -755,6 +737,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
                                    krb5_authdata ***signed_auth_data)
 {
    krb5_const_principal ks_client_princ;
+    krb5_authdata **pac_auth_data = NULL;
    krb5_authdata *authdata[2] = { NULL, NULL };
    krb5_authdata ad;
    krb5_boolean is_as_req;
@@ -782,12 +765,33 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
    }

    if (!is_as_req) {
-        kerr = ipadb_verify_pac(context, flags, ks_client_princ,
-                                server, krbtgt, server_key, krbtgt_key,
-                                authtime, tgt_auth_data, &pac);
+        /* find the existing PAC, if present */
+        kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
+                                  KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
        if (kerr != 0) {
            goto done;
        }
+        /* check or generate pac data */
+        if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
+            if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+                kerr = ipadb_get_pac(context, client, &pac);
+                if (kerr != 0 && kerr != ENOENT) {
+                    goto done;
+                }
+            }
+        } else {
+            if (pac_auth_data[1] != NULL) {
+                kerr = KRB5KDC_ERR_BADOPTION; /* FIXME: right error ? */
+                goto done;
+            }
+
+            kerr = ipadb_verify_pac(context, flags, ks_client_princ,
+                                    server, krbtgt, server_key, krbtgt_key,
+                                    authtime, pac_auth_data, &pac);
+            if (kerr != 0) {
+                goto done;
+            }
+        }
    }

    if (pac == NULL) {