kdc-plugin: Provide plugin with delegated proxy HDB entry and PAC
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 19 Jun 2023 03:53:56 +0000 (15:53 +1200)
committerJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 26 Jun 2023 00:52:21 +0000 (12:52 +1200)
These are needed to be able to enforce Microsoft’s authentication
policies properly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
kdc/kdc-plugin.c
kdc/kdc-plugin.h
kdc/krb5tgs.c
kdc/mssfu.c

index d408688eb94b7c1a38a85438376e44720c2b1412..f18044963ed90c45ce6ef4485d041c0d40d40d4e 100644 (file)
@@ -141,7 +141,7 @@ _kdc_pac_generate(astgs_request_t r,
 struct verify_uc {
     astgs_request_t r;
     krb5_const_principal client_principal;
-    krb5_principal delegated_proxy_principal;
+    hdb_entry *delegated_proxy;
     hdb_entry *client;
     hdb_entry *server;
     hdb_entry *krbtgt;
@@ -163,7 +163,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
     ret = ft->pac_verify((void *)plug,
                         uc->r,
                         uc->client_principal,
-                        uc->delegated_proxy_principal,
+                        uc->delegated_proxy,
                         uc->client, uc->server, uc->krbtgt,
                         uc->ticket, uc->pac,
                         uc->is_trusted);
@@ -173,7 +173,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
 krb5_error_code
 _kdc_pac_verify(astgs_request_t r,
                krb5_const_principal client_principal,
-               const krb5_principal delegated_proxy_principal,
+               hdb_entry *delegated_proxy,
                hdb_entry *client,
                hdb_entry *server,
                hdb_entry *krbtgt,
@@ -188,7 +188,7 @@ _kdc_pac_verify(astgs_request_t r,
 
     uc.r = r;
     uc.client_principal = client_principal;
-    uc.delegated_proxy_principal = delegated_proxy_principal;
+    uc.delegated_proxy = delegated_proxy;
     uc.client = client;
     uc.server = server;
     uc.krbtgt = krbtgt;
@@ -203,7 +203,8 @@ _kdc_pac_verify(astgs_request_t r,
 struct update_uc {
     astgs_request_t r;
     krb5_const_principal client_principal;
-    krb5_principal delegated_proxy_principal;
+    hdb_entry *delegated_proxy;
+    krb5_const_pac delegated_proxy_pac;
     hdb_entry *client;
     hdb_entry *server;
     hdb_entry *krbtgt;
@@ -223,7 +224,8 @@ update(krb5_context context, const void *plug, void *plugctx, void *userctx)
     ret = ft->pac_update((void *)plug,
                         uc->r,
                         uc->client_principal,
-                        uc->delegated_proxy_principal,
+                        uc->delegated_proxy,
+                        uc->delegated_proxy_pac,
                         uc->client, uc->server, uc->krbtgt, uc->pac);
     return ret;
 }
@@ -231,7 +233,8 @@ update(krb5_context context, const void *plug, void *plugctx, void *userctx)
 krb5_error_code
 _kdc_pac_update(astgs_request_t r,
                krb5_const_principal client_principal,
-               const krb5_principal delegated_proxy_principal,
+               hdb_entry *delegated_proxy,
+               krb5_const_pac delegated_proxy_pac,
                hdb_entry *client,
                hdb_entry *server,
                hdb_entry *krbtgt,
@@ -244,7 +247,8 @@ _kdc_pac_update(astgs_request_t r,
 
     uc.r = r;
     uc.client_principal = client_principal;
-    uc.delegated_proxy_principal = delegated_proxy_principal;
+    uc.delegated_proxy = delegated_proxy;
+    uc.delegated_proxy_pac = delegated_proxy_pac;
     uc.client = client;
     uc.server = server;
     uc.krbtgt = krbtgt;
index e286a403397b81da05922633e315b437956cfa14..7d44f0a52437627468fe366c68a97225928b8fe5 100644 (file)
@@ -66,7 +66,7 @@ typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
                                           astgs_request_t,
                                           krb5_const_principal, /* new ticket client */
-                                          const krb5_principal, /* delegation proxy */
+                                          hdb_entry *, /* delegation proxy */
                                           hdb_entry *,/* client */
                                           hdb_entry *,/* server */
                                           hdb_entry *,/* krbtgt */
@@ -85,7 +85,8 @@ typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_kdc_pac_update)(void *,
                                           astgs_request_t,
                                           krb5_const_principal, /* new ticket client */
-                                          const krb5_principal, /* delegation proxy */
+                                          hdb_entry *, /* delegation proxy */
+                                          krb5_const_pac, /* delegation proxy pac */
                                           hdb_entry *,/* client */
                                           hdb_entry *,/* server */
                                           hdb_entry *,/* krbtgt */
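Review bot: The two new callback parameters carry no NULL contract in their comments, yet kdc/krb5tgs.c passes `NULL, NULL` for them on the non-S4U TGS path and kdc/mssfu.c hands over `r->pac`, which those hunks do not show being checked; a plugin author reading only `/* delegation proxy */` and `/* delegation proxy pac */` will not know to guard. Suggest `hdb_entry *, /* delegation proxy (NULL unless S4U2Proxy) */` and `krb5_const_pac, /* delegation proxy pac (may be NULL) */`. Replacing `const krb5_principal` with `hdb_entry *` and adding a parameter changes the prototype of both function-pointer typedefs, so a plugin built against the previous header would be called with a different argument list; if this header carries a plugin API version constant it should be bumped in the same commit (that part of the header is outside these hunks). The proxy entry is presumably borrowed for the duration of the call like the other `hdb_entry *` arguments, and stating that once for all of them would close the remaining documentation gap.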
index fdbb4a5d5d05793cec09893d71014bc0d5e875ac..79dbe6622f46e703d5c520e0843b201ada4ea918 100644 (file)
@@ -78,7 +78,7 @@ _kdc_synthetic_princ_used_p(krb5_context context, krb5_ticket *ticket)
 krb5_error_code
 _kdc_check_pac(astgs_request_t r,
               const krb5_principal client_principal,
-              const krb5_principal delegated_proxy_principal,
+              hdb_entry *delegated_proxy,
               hdb_entry *client,
               hdb_entry *server,
               hdb_entry *krbtgt,
@@ -125,7 +125,7 @@ _kdc_check_pac(astgs_request_t r,
 
     /* Verify the KDC signatures. */
     ret = _kdc_pac_verify(r,
-                         client_principal, delegated_proxy_principal,
+                         client_principal, delegated_proxy,
                          client, server, krbtgt, tkt, pac, &is_trusted);
     if (ret == 0) {
        if (is_trusted) {
@@ -1923,7 +1923,7 @@ server_lookup:
        if (ret)
            goto out;
     } else if (priv->pac != NULL) {
-       ret = _kdc_pac_update(priv, priv->client_princ, NULL,
+       ret = _kdc_pac_update(priv, priv->client_princ, NULL, NULL,
                              priv->client, priv->server, priv->krbtgt,
                              &priv->pac);
        if (ret == KRB5_PLUGIN_NO_HANDLE) {
index 4fe373eb526a4d5d339ba9326e1578fedc26011f..c583c9b667dace32d8c98aa88748233756aef7a9 100644 (file)
@@ -492,7 +492,7 @@ _kdc_validate_constrained_delegation(astgs_request_t r)
      * TODO: pass in t->sname and t->realm and build
      * a S4U_DELEGATION_INFO blob to the PAC.
      */
-    ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name,
+    ret = _kdc_check_pac(r, s4u_client_name, s4u_server,
                         s4u_client, r->server, r->krbtgt, r->client,
                         &clientkey->key, &r->ticket_key->key, &evidence_tkt,
                         &ad_kdc_issued, &s4u_pac,
@@ -523,7 +523,7 @@ _kdc_validate_constrained_delegation(astgs_request_t r)
 
     heim_assert(s4u_pac != NULL, "ad_kdc_issued implies the PAC is non-NULL");
 
-    ret = _kdc_pac_update(r, s4u_client_name, s4u_server_name,
+    ret = _kdc_pac_update(r, s4u_client_name, s4u_server, r->pac,
                          s4u_client, r->server, r->krbtgt,
                          &s4u_pac);
     if (ret == KRB5_PLUGIN_NO_HANDLE) {
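Review bot: `r->pac` is now handed to `_kdc_pac_update` as the delegated proxy's PAC without a comment, and unlike `s4u_pac`, which the `heim_assert` just above guarantees non-NULL, nothing in this hunk establishes that `r->pac` is non-NULL, so a plugin's `pac_update` must cope with either case; a one-line comment above the call, `/* r->pac: PAC from the delegating service's own ticket (presumably); may be NULL */`, would make that explicit, and the same applies to the `_kdc_check_pac` call in the previous hunk of this file that switched to `s4u_server`. If `s4u_server_name` is no longer referenced after these two call sites moved to `s4u_server`, it becomes an unused local and will warn; the rest of `_kdc_validate_constrained_delegation` is outside the hunks, so this needs checking in the full function.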