author | Stefan Metzmacher <metze@samba.org> | 2016-05-20 08:29:30 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-07-22 23:34:21 +0200 |
commit | 0022ea9efb0e7809fa2d060b294320eb0479cdd2 (patch) | |
tree | 6ae67bfcb027bfed91073526be8b9c6ccb26e600 /source4/heimdal | |
parent | f61833082ad5370bf67d316ec2f0a37e55d4eb60 (diff) | |
download | samba-0022ea9efb0e7809fa2d060b294320eb0479cdd2.tar.gz |
HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
This allows PAC_CREDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CREDENTIAL_INFO contains
an encrypted PAC_CREDENTIAL_DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/heimdal')
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 10 | ||||
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc.c | 4 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc_plugin.h | 10 |
4 files changed, 22 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index a75ec0eaaec..3282d5e0800 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -982,6 +982,7 @@ _kdc_as_rep(krb5_context context, #ifdef PKINIT pk_client_params *pkp = NULL; #endif + const EncryptionKey *pk_reply_key = NULL; memset(&rep, 0, sizeof(rep)); memset(&session_key, 0, sizeof(session_key)); @@ -1625,7 +1626,7 @@ _kdc_as_rep(krb5_context context, copy_HostAddresses(et.caddr, ek.caddr); } -#if PKINIT +#ifdef PKINIT if (pkp) { e_text = "Failed to build PK-INIT reply"; ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, @@ -1640,6 +1641,11 @@ _kdc_as_rep(krb5_context context, if (ret) goto out; + /* + * Send reply key as constant value to pac generate which allows + * parts of the buffer to be encrypted (i.e., PAC_CREDENTIAL_DATA). + */ + pk_reply_key = reply_key; } else #endif { @@ -1668,7 +1674,7 @@ _kdc_as_rep(krb5_context context, krb5_pac p = NULL; krb5_data data; - ret = _kdc_pac_generate(context, client, &p); + ret = _kdc_pac_generate(context, client, pk_reply_key, &p); if (ret) { kdc_log(context, config, 0, "PAC generation failed for -- %s", client_name); diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index c221c903461..334a6eb1dc8 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1990,7 +1990,7 @@ server_lookup: krb5_free_error_message(context, msg); goto out; } - ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p); + ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p); if (ret) { kdc_log(context, config, 0, "PAC generation failed for -- %s", tpn); diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index ba87abb7cc0..fb1c8a6a993 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c 
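Review bot: The `-#if PKINIT` / `+#ifdef PKINIT` change in the hunk at @@ -1625 is a separate fix that the commit message does not mention: `#if PKINIT` fails to preprocess if `PKINIT` is ever defined with an empty value, whereas the other guards in this function (the `#ifdef PKINIT` around `pkp` at @@ -982 and the `#endif` before the `else` block) already use the `#ifdef` form. It changes which builds compile, so it deserves a line in the description or its own commit rather than riding along under the PAC_CREDENTIAL_INFO work. `_kdc_as_rep` begins before this hunk and continues past it.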
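Review bot: The comment added above `pk_reply_key = reply_key;` in the hunk at @@ -1640 says the key is sent "as constant value", which describes the `const` on the alias rather than why PAC generation needs this key at all, and it does not say that the pointer stays NULL on the non-PKINIT path even though the later `_kdc_pac_generate(context, client, pk_reply_key, &p)` call relies on exactly that. I would replace it with `/* PKINIT only: pass the reply key (presumably filled in by _kdc_pk_mk_pa_reply() above) to PAC generation so the plugin can encrypt PAC_CREDENTIAL_DATA; left NULL on the password path. */`. The enclosing `if (pkp)` block and `_kdc_as_rep` extend beyond both ends of the hunk.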
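Review bot: The bare `NULL` passed as the new third argument of `_kdc_pac_generate()` in the krb5tgs.c hunk at @@ -1990 needs a comment, because a reader cannot tell whether a reply key was merely unavailable here or is intentionally withheld; from the kerberos5.c hunks the key exists only on the PKINIT AS-REQ path, so for an S4U2Self impersonated client there is nothing to encrypt PAC_CREDENTIAL_DATA with. I would write `/* S4U2Self: no PKINIT reply key, so the PAC carries no PAC_CREDENTIAL_INFO */` on the line above the call. The code after `server_lookup:` runs outside both ends of this hunk.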
@@ -73,11 +73,15 @@ krb5_kdc_windc_init(krb5_context context) krb5_error_code _kdc_pac_generate(krb5_context context, hdb_entry_ex *client, + const krb5_keyblock *pk_reply_key, krb5_pac *pac) { *pac = NULL; if (windcft == NULL) return 0; + if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL) + return (windcft->pac_pk_generate)(windcctx, context, + client, pk_reply_key, pac); return (windcft->pac_generate)(windcctx, context, client, pac); } diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index fa4ba434f3e..bf90826cb06 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h @@ -53,7 +53,14 @@ struct hdb_entry_ex; typedef krb5_error_code (*krb5plugin_windc_pac_generate)(void *, krb5_context, - struct hdb_entry_ex *, krb5_pac *); + struct hdb_entry_ex *, /* client */ + krb5_pac *); + +typedef krb5_error_code +(*krb5plugin_windc_pac_pk_generate)(void *, krb5_context, + struct hdb_entry_ex *, /* client */ + const krb5_keyblock *, /* pk_replykey */ + krb5_pac *); typedef krb5_error_code (*krb5plugin_windc_pac_verify)(void *, krb5_context, @@ -83,6 +90,7 @@ typedef struct krb5plugin_windc_ftable { krb5plugin_windc_pac_generate pac_generate; krb5plugin_windc_pac_verify pac_verify; krb5plugin_windc_client_access client_access; + krb5plugin_windc_pac_pk_generate pac_pk_generate; } krb5plugin_windc_ftable; #endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */ |
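Review bot: The dispatch added to `_kdc_pac_generate()` in windc.c falls back to `pac_generate` silently when `pk_reply_key` is non-NULL but the loaded plugin has no `pac_pk_generate`, so a PKINIT logon then gets a PAC without the PAC_CREDENTIAL_INFO the commit message promises and nothing records that it happened. Falling back is the safe direction, since no credential data is emitted unencrypted, but the degraded case should at least be stated in the code: `/* plugin without pac_pk_generate: the PAC is issued without PAC_CREDENTIAL_INFO */` above the final `return`. It would also help to say in a comment that `pk_reply_key` is NULL on every non-PKINIT path, which is what makes the `pk_reply_key != NULL` test meaningful.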
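Review bot: The new `krb5plugin_windc_pac_pk_generate` typedef in the windc_plugin.h hunk at @@ -53 labels its key parameter `pk_replykey` while windc.c and kerberos5.c call the same thing `pk_reply_key`, and nothing says what the key is or that it is never NULL when the hook is invoked. I would change the annotation to `/* pk_reply_key: PKINIT AS reply key, for encrypting PAC_CREDENTIAL_DATA */` and add one line above the typedef noting that the hook is optional and is only called when such a key exists. The `/* client */` annotation added to the existing `pac_generate` typedef is welcome; keep the two typedefs in step.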
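Review bot: Appending `pac_pk_generate` at the end of `krb5plugin_windc_ftable` in the hunk at @@ -83 preserves the offsets of the existing members, but windc.c now reads that slot on every PAC generation, so a plugin compiled against the previous header, whose table is one pointer shorter, would be read past its end unless the loader filters tables by their minor version. I cannot see from this diff whether the plugin minor-version constant is bumped; if it is not, it should be, and the member should carry `/* added last on purpose: keep ABI of older ftables; requires a minor-version bump */`. The `krb5plugin_windc_ftable` definition starts before this hunk.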