r20640: Commit part 2/2

Update Heimdal to match current lorikeet-heimdal. This includes integrated PAC hooks, so Samba doesn't have to handle this any more. This also brings in the PKINIT code, hence so many new files. Andrew Bartlett (This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
author: Andrew Bartlett <abartlet@samba.org> 2007-01-10 01:57:32 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 14:37:20 -0500
commit: f7242f643763ccb6e10801af4ce53d0873e2d3e1 (patch)
tree: cd06665f49d12795e23699e6666d85da1f64d7bd /source4/heimdal/kdc/kerberos5.c
parent: 08976cb3d2adfe5ea90ed53e6aa6fa8161649f7a (diff)
download: samba-f7242f643763ccb6e10801af4ce53d0873e2d3e1.tar.gz
samba-f7242f643763ccb6e10801af4ce53d0873e2d3e1.tar.bz2
samba-f7242f643763ccb6e10801af4ce53d0873e2d3e1.zip
1 files changed, 203 insertions, 70 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index dd88e2ea50..bf727ee739 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c,v 1.225 2006/11/10 03:36:32 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.231 2007/01/04 13:27:27 lha Exp $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -635,6 +635,69 @@ get_pa_etype_info2(krb5_context context,
 }
 
 /*
+ *
+ */
+
+static void
+log_as_req(krb5_context context,
+	   krb5_kdc_configuration *config,
+	   krb5_enctype cetype,
+	   krb5_enctype setype,
+	   const KDC_REQ_BODY *b)
+{
+    krb5_error_code ret;
+    struct rk_strpool *p = NULL;
+    char *str;
+    int i;
+    
+    for (i = 0; i < b->etype.len; i++) {
+	ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
+	if (ret == 0) {
+	    p = rk_strpoolprintf(p, "%s", str);
+	    free(str);
+	} else
+	    p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
+	if (p && i + 1 < b->etype.len)
+	    p = rk_strpoolprintf(p, ", ");
+	if (p == NULL) {
+	    kdc_log(context, config, 0, "out of memory");
+	    return;
+	}
+    }
+    if (p == NULL)
+	p = rk_strpoolprintf(p, "no encryption types");
+    
+    str = rk_strpoolcollect(p);
+    kdc_log(context, config, 0, "Client supported enctypes: %s", str);
+    free(str);
+
+    {
+	char *cet;
+	char *set;
+
+	ret = krb5_enctype_to_string(context, cetype, &cet);
+	if(ret == 0) {
+	    ret = krb5_enctype_to_string(context, setype, &set);
+	    if (ret == 0) {
+		kdc_log(context, config, 5, "Using %s/%s", cet, set);
+		free(set);
+	    }
+	    free(cet);
+	}
+	if (ret != 0)
+	    kdc_log(context, config, 5, "Using e-types %d/%d", cetype, setype);
+    }
+    
+    {
+	char str[128];
+	unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(), 
+		      str, sizeof(str));
+	if(*str)
+	    kdc_log(context, config, 2, "Requested flags: %s", str);
+    }
+}
+
+/*
  * verify the flags on `client' and `server', returning 0
  * if they are OK and generating an error messages and returning
  * and error code otherwise.
@@ -798,6 +861,39 @@ _kdc_check_addresses(krb5_context context,
     return result;
 }
 
+/*
+ *
+ */
+
+static krb5_boolean
+send_pac_p(krb5_context context, KDC_REQ *req)
+{
+    krb5_error_code ret;
+    PA_PAC_REQUEST pacreq;
+    PA_DATA *pa;
+    int i = 0;
+    
+    pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
+    if (pa == NULL)
+	return TRUE;
+
+    ret = decode_PA_PAC_REQUEST(pa->padata_value.data,
+				pa->padata_value.length,
+				&pacreq,
+				NULL);
+    if (ret)
+	return TRUE;
+    i = pacreq.include_pac;
+    free_PA_PAC_REQUEST(&pacreq);
+    if (i == 0)
+	return FALSE;
+    return TRUE;
+}
+
+/*
+ *
+ */
+
 krb5_error_code
 _kdc_as_rep(krb5_context context, 
 	    krb5_kdc_configuration *config,
@@ -882,6 +978,10 @@ _kdc_as_rep(krb5_context context,
 	goto out;
     }
 
+    ret = _kdc_windc_client_access(context, client, req);
+    if(ret)
+	goto out;
+
     ret = _kdc_check_flags(context, config, 
 			   client, client_name,
 			   server, server_name,
@@ -889,13 +989,6 @@ _kdc_as_rep(krb5_context context,
     if(ret)
 	goto out;
 
-    if (client->check_client_access) {
-	ret = client->check_client_access(context, client, 
-					  b->addresses);
-	if(ret)
-	    goto out;
-    }
-
     memset(&et, 0, sizeof(et));
     memset(&ek, 0, sizeof(ek));
 
@@ -1224,57 +1317,7 @@ _kdc_as_rep(krb5_context context,
 	}
     }
 
-    {
-	struct rk_strpool *p = NULL;
-	char *str;
-	int i;
-
-	for (i = 0; i < b->etype.len; i++) {
-	    ret = krb5_enctype_to_string(context, b->etype.val[i], &str);
-	    if (ret == 0) {
-		p = rk_strpoolprintf(p, "%s", str);
-		free(str);
-	    } else
-		p = rk_strpoolprintf(p, "%d", b->etype.val[i]);
-	    if (p && i + 1 < b->etype.len)
-		p = rk_strpoolprintf(p, ", ");
-	    if (p == NULL) {
-		kdc_log(context, config, 0, "out of memory");
-		goto out;
-	    }
-	}
-	if (p == NULL)
-	    p = rk_strpoolprintf(p, "no encryption types");
-
-	str = rk_strpoolcollect(p);
-	kdc_log(context, config, 0, "Client supported enctypes: %s", str);
-	free(str);
-    }
-    {
-	char *cet;
-	char *set;
-
-	ret = krb5_enctype_to_string(context, cetype, &cet);
-	if(ret == 0) {
-	    ret = krb5_enctype_to_string(context, setype, &set);
-	    if (ret == 0) {
-		kdc_log(context, config, 5, "Using %s/%s", cet, set);
-		free(set);
-	    }
-	    free(cet);
-	}
-	if (ret != 0)
-	    kdc_log(context, config, 5, "Using e-types %d/%d", cetype, setype);
-    }
-    
-    {
-	char str[128];
-	unparse_flags(KDCOptions2int(f), asn1_KDCOptions_units(), 
-		      str, sizeof(str));
-	if(*str)
-	    kdc_log(context, config, 2, "Requested flags: %s", str);
-    }
-    
+    log_as_req(context, config, cetype, setype, b);
 
     if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
        || (f.request_anonymous && !config->allow_anonymous)) {
@@ -1330,7 +1373,9 @@ _kdc_as_rep(krb5_context context,
 	goto out;
     }
 
-    krb5_generate_random_keyblock(context, sessionetype, &et.key);
+    ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
+    if (ret)
+	goto out;
     copy_PrincipalName(&rep.cname, &et.cname);
     copy_Realm(&rep.crealm, &et.crealm);
     
@@ -1469,6 +1514,12 @@ _kdc_as_rep(krb5_context context,
 				  &reply_key, rep.padata);
 	if (ret)
 	    goto out;
+	ret = _kdc_add_inital_verified_cas(context,
+					   config,
+					   pkp,
+					   &et);
+	if (ret)
+	    goto out;
     }
 #endif
 
@@ -1479,16 +1530,37 @@ _kdc_as_rep(krb5_context context,
 	rep.padata = NULL;
     }
 
-    /* Add the PAC, via a HDB abstraction */
-    if (client->authz_data_as_req) {
-	    ret = client->authz_data_as_req(context, client, 
-					    req->padata, 
-					    et.authtime,
-					    &skey->key,
-					    &et.key,
-					    &et.authorization_data);
-	    if (ret) 
-		    goto out;
+    /* Add the PAC */
+    if (send_pac_p(context, req)) {
+	krb5_pac p = NULL;
+	krb5_data data;
+
+	ret = _kdc_pac_generate(context, client, &p);
+	if (ret) {
+	    kdc_log(context, config, 0, "PAC generation failed for -- %s", 
+		    client_name);
+	    goto out;
+	}
+	if (p != NULL) {
+	    ret = _krb5_pac_sign(context, p, et.authtime,
+				 client->entry.principal,
+				 &skey->key, /* Server key */ 
+				 &skey->key, /* FIXME: should be krbtgt key */
+				 &data);
+	    krb5_pac_free(context, p);
+	    if (ret) {
+		kdc_log(context, config, 0, "PAC signing failed for -- %s", 
+			client_name);
+		goto out;
+	    }
+
+	    ret = _kdc_tkt_add_if_relevant_ad(context, &et,
+					      KRB5_AUTHDATA_WIN2K_PAC,
+					      &data);
+	    krb5_data_free(&data);
+	    if (ret)
+		goto out;
+	}
     }
 
     _kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime, 
@@ -1552,3 +1624,64 @@ out2:
 	_kdc_free_ent(context, server);
     return ret;
 }
+
+/*
+ * Add the AuthorizationData `data� of `type� to the last element in
+ * the sequence of authorization_data in `tkt� wrapped in an IF_RELEVANT
+ */
+
+krb5_error_code
+_kdc_tkt_add_if_relevant_ad(krb5_context context,
+			    EncTicketPart *tkt,
+			    int type,
+			    const krb5_data *data)
+{
+    krb5_error_code ret;
+    size_t size;
+
+    if (tkt->authorization_data == NULL) {
+	tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
+	if (tkt->authorization_data == NULL) {
+	    krb5_set_error_string(context, "out of memory");
+	    return ENOMEM;
+	}
+    }
+	
+    /* add the entry to the last element */
+    {
+	AuthorizationData ad = { 0, NULL };
+	AuthorizationDataElement ade;
+
+	ade.ad_type = type;
+	ade.ad_data = *data;
+
+	ret = add_AuthorizationData(&ad, &ade);
+	if (ret) {
+	    krb5_set_error_string(context, "add AuthorizationData failed");
+	    return ret;
+	}
+
+	ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+
+	ASN1_MALLOC_ENCODE(AuthorizationData, 
+			   ade.ad_data.data, ade.ad_data.length, 
+			   &ad, &size, ret);
+	free_AuthorizationData(&ad);
+	if (ret) {
+	    krb5_set_error_string(context, "ASN.1 encode of "
+				  "AuthorizationData failed");
+	    return ret;
+	}
+	if (ade.ad_data.length != size)
+	    krb5_abortx(context, "internal asn.1 encoder error");
+	
+	ret = add_AuthorizationData(tkt->authorization_data, &ade);
+	der_free_octet_string(&ade.ad_data);
+	if (ret) {
+	    krb5_set_error_string(context, "add AuthorizationData failed");
+	    return ret;
+	}
+    }
+
+    return 0;
+}
author	Andrew Bartlett <abartlet@samba.org>	2007-01-10 01:57:32 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 14:37:20 -0500
commit	f7242f643763ccb6e10801af4ce53d0873e2d3e1 (patch)
tree	cd06665f49d12795e23699e6666d85da1f64d7bd /source4/heimdal/kdc/kerberos5.c
parent	08976cb3d2adfe5ea90ed53e6aa6fa8161649f7a (diff)
download	samba-f7242f643763ccb6e10801af4ce53d0873e2d3e1.tar.gz samba-f7242f643763ccb6e10801af4ce53d0873e2d3e1.tar.bz2 samba-f7242f643763ccb6e10801af4ce53d0873e2d3e1.zip