kdc: pass down the delegated_proxy_principal to the verify_pac() function
authorStefan Metzmacher <metze@samba.org>
Tue, 28 Jun 2011 11:24:50 +0000 (13:24 +0200)
committerLove Hörnquist Åstrand <lha@h5l.org>
Sat, 23 Jul 2011 18:48:11 +0000 (11:48 -0700)
This is needed in order to add the S4U_DELEGATION_INFO to the pac.

metze

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
kdc/krb5tgs.c
kdc/windc.c
kdc/windc_plugin.h

index 3e688d03370ba3496bfb4021d1a2a9f4bed77e9b..b0d5455080bbe900fa7340d28ae22bd8c824792b 100644 (file)
@@ -279,6 +279,7 @@ static krb5_error_code
 check_PAC(krb5_context context,
          krb5_kdc_configuration *config,
          const krb5_principal client_principal,
+         const krb5_principal delegated_proxy_principal,
          hdb_entry_ex *client,
          hdb_entry_ex *server,
          hdb_entry_ex *krbtgt,
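Review bot: The new delegated_proxy_principal parameter of check_PAC carries no comment, yet the non-delegation call site later in this commit passes NULL for it, so callers and the windc plugin have to treat it as optional. A one-line comment at the parameter, `const krb5_principal delegated_proxy_principal, /* NULL unless constrained delegation */`, would state that contract; the same applies to the `/* delegation proxy */` comment added to the krb5plugin_windc_pac_verify typedef in kdc/windc_plugin.h, which should also say the pointer may be NULL. check_PAC's body continues outside the hunk.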
@@ -336,6 +337,7 @@ check_PAC(krb5_context context,
                }
 
                ret = _kdc_pac_verify(context, client_principal,
+                                     delegated_proxy_principal,
                                      client, server, krbtgt, &pac, &signed_pac);
                if (ret) {
                    krb5_pac_free(context, pac);
@@ -1480,9 +1482,9 @@ tgs_build_reply(krb5_context context,
                const struct sockaddr *from_addr)
 {
     krb5_error_code ret;
-    krb5_principal cp = NULL, sp = NULL, tp = NULL;
+    krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL;
     krb5_principal krbtgt_principal = NULL;
-    char *spn = NULL, *cpn = NULL, *tpn = NULL;
+    char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
     HDB *clientdb, *s4u2self_impersonated_clientdb;
     krb5_realm ref_realm = NULL;
@@ -1805,7 +1807,7 @@ server_lookup:
        krb5_free_error_message(context, msg);
     }
 
-    ret = check_PAC(context, config, cp,
+    ret = check_PAC(context, config, cp, NULL,
                    client, server, krbtgt,
                    &tkey_check->key, &tkey_check->key,
                    ekey, &tkey_sign->key,
@@ -2032,12 +2034,23 @@ server_lookup:
        if (ret)
            goto out;
 
+       ret = _krb5_principalname2krb5_principal(context,
+                                                &dp,
+                                                t->sname,
+                                                t->realm);
+       if (ret)
+           goto out;
+
+       ret = krb5_unparse_name(context, dp, &dpn);
+       if (ret)
+           goto out;
+
        /* check that ticket is valid */
        if (adtkt.flags.forwardable == 0) {
            kdc_log(context, config, 0,
                    "Missing forwardable flag on ticket for "
-                   "constrained delegation from %s as %s to %s ",
-                   cpn, tpn, spn);
+                   "constrained delegation from %s (%s) as %s to %s ",
+                   cpn, dpn, tpn, spn);
            ret = KRB5KDC_ERR_BADOPTION;
            goto out;
        }
@@ -2046,8 +2059,8 @@ server_lookup:
                                           client, server, sp);
        if (ret) {
            kdc_log(context, config, 0,
-                   "constrained delegation from %s as %s to %s not allowed",
-                   cpn, tpn, spn);
+                   "constrained delegation from %s (%s) as %s to %s not allowed",
+                   cpn, dpn, tpn, spn);
            goto out;
        }
 
@@ -2064,7 +2077,7 @@ server_lookup:
         * TODO: pass in t->sname and t->realm and build
         * a S4U_DELEGATION_INFO blob to the PAC.
         */
-       ret = check_PAC(context, config, tp,
+       ret = check_PAC(context, config, tp, dp,
                        client, server, krbtgt,
                        &clientkey->key, &tkey_check->key,
                        ekey, &tkey_sign->key,
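Review bot: The comment directly above the changed check_PAC call still reads `TODO: pass in t->sname and t->realm and build a S4U_DELEGATION_INFO blob to the PAC`, but this hunk now passes dp, which the earlier hunk builds from t->sname and t->realm, so the first half of that TODO appears to be done by this commit. Rewording it to something like `TODO: the windc plugin should build the S4U_DELEGATION_INFO blob from delegated_proxy_principal` keeps the remaining work visible without misdescribing what the call already does. The enclosing tgs_build_reply function starts and ends outside the hunk.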
@@ -2073,8 +2086,8 @@ server_lookup:
            const char *msg = krb5_get_error_message(context, ret);
            kdc_log(context, config, 0,
                    "Verify delegated PAC failed to %s for client"
-                   "%s as %s from %s with %s",
-                   spn, cpn, tpn, from, msg);
+                   "%s (%s) as %s from %s with %s",
+                   spn, cpn, dpn, tpn, from, msg);
            krb5_free_error_message(context, msg);
            goto out;
        }
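Review bot: The new format line `"%s (%s) as %s from %s with %s"` is concatenated to the context line `"Verify delegated PAC failed to %s for client"`, so the message renders as `clientCPN (DPN)` with no separator; a leading space, `" %s (%s) as %s from %s with %s"`, is needed. The two following hunks in this file introduce the same problem from the other side: `"for delegation to %s for client %s (%s)"` replaced a line that ended in a space and is still followed by `"from %s ..."`, so the trailing space should be restored as `"for delegation to %s for client %s (%s) "`. These are the audit-log lines for constrained-delegation failures, and a missing boundary between the principal and the next word makes them harder to parse reliably when reviewing delegation events.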
@@ -2093,9 +2106,9 @@ server_lookup:
            const char *msg = krb5_get_error_message(context, ret);
            kdc_log(context, config, 0,
                    "KRB5SignedPath check from service %s failed "
-                   "for delegation to %s for client %s "
+                   "for delegation to %s for client %s (%s)"
                    "from %s failed with %s",
-                   spn, tpn, cpn, from, msg);
+                   spn, tpn, dpn, cpn, from, msg);
            krb5_free_error_message(context, msg);
            goto out;
        }
@@ -2104,14 +2117,14 @@ server_lookup:
            ret = KRB5KDC_ERR_BADOPTION;
            kdc_log(context, config, 0,
                    "Ticket not signed with PAC nor SignedPath service %s failed "
-                   "for delegation to %s for client %s "
+                   "for delegation to %s for client %s (%s)"
                    "from %s",
-                   spn, tpn, cpn, from);
+                   spn, tpn, dpn, cpn, from);
            goto out;
        }
 
        kdc_log(context, config, 0, "constrained delegation for %s "
-               "from %s to %s", tpn, cpn, spn);
+               "from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
 
     /*
@@ -2208,6 +2221,8 @@ out:
            free(tpn);
     free(spn);
     free(cpn);
+    if (dpn)
+       free(dpn);
 
     krb5_data_free(&rspac);
     krb5_free_keyblock_contents(context, &sessionkey);
@@ -2224,6 +2239,8 @@ out:
        krb5_free_principal(context, tp);
     if (cp)
        krb5_free_principal(context, cp);
+    if (dp)
+       krb5_free_principal(context, dp);
     if (sp)
        krb5_free_principal(context, sp);
     if (ref_realm)
index 7e6daa679f30c4eb77c0597dbd95eadef7f519d0..ba87abb7cc0b93fd20535149571426a3735c1e33 100644 (file)
@@ -84,6 +84,7 @@ _kdc_pac_generate(krb5_context context,
 krb5_error_code
 _kdc_pac_verify(krb5_context context,
                const krb5_principal client_principal,
+               const krb5_principal delegated_proxy_principal,
                hdb_entry_ex *client,
                hdb_entry_ex *server,
                hdb_entry_ex *krbtgt,
@@ -96,7 +97,9 @@ _kdc_pac_verify(krb5_context context,
        return 0;
 
     ret = windcft->pac_verify(windcctx, context,
-                             client_principal, client, server, krbtgt, pac);
+                             client_principal,
+                             delegated_proxy_principal,
+                             client, server, krbtgt, pac);
     if (ret == 0)
        *verified = 1;
     return ret;
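Review bot: The call to windcft->pac_verify now inserts delegated_proxy_principal positionally between client_principal and client, which shifts every later argument for a plugin built against the previous function-pointer signature: such a plugin would receive the proxy principal as its `client` entry and the client entry as `server`. The KRB5_WINDC_PLUGIN_MINOR bump to 6 in kdc/windc_plugin.h only prevents that if the plugin loader refuses ftables with a smaller minor, and that check is not visible in this commit, so it is worth confirming that a pre-6 plugin is rejected rather than invoked through the new signature. _kdc_pac_verify's body starts outside the hunk.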
index a9af19357b14b06e49f8ca78a5ebd084fa624c4f..fa4ba434f3edbc4c2bcaed7a56e0ef313c8d47ca 100644 (file)
@@ -57,10 +57,11 @@ typedef krb5_error_code
 
 typedef krb5_error_code
 (*krb5plugin_windc_pac_verify)(void *, krb5_context,
-                              const krb5_principal,
-                              struct hdb_entry_ex *,
-                              struct hdb_entry_ex *,
-                              struct hdb_entry_ex *,
+                              const krb5_principal, /* new ticket client */
+                              const krb5_principal, /* delegation proxy */
+                              struct hdb_entry_ex *,/* client */
+                              struct hdb_entry_ex *,/* server */
+                              struct hdb_entry_ex *,/* krbtgt */
                               krb5_pac *);
 
 typedef krb5_error_code
@@ -72,7 +73,7 @@ typedef krb5_error_code
        KDC_REQ *, krb5_data *);
 
 
-#define KRB5_WINDC_PLUGIN_MINOR                        5
+#define KRB5_WINDC_PLUGIN_MINOR                        6
 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
 
 typedef struct krb5plugin_windc_ftable {