diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-03-25 14:57:42 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-05-18 07:46:33 +0200 |
commit | cc0ff48f28d13fd155489e08f75e64ff0e11b1de (patch) | |
tree | e0f28b44812e8219d5734094f92725c9390b8ab4 /source4/heimdal/kdc | |
parent | 28734295557620c36ffe8f51dcef7158c46d78a0 (diff) | |
download | samba-cc0ff48f28d13fd155489e08f75e64ff0e11b1de.tar.gz samba-cc0ff48f28d13fd155489e08f75e64ff0e11b1de.tar.bz2 samba-cc0ff48f28d13fd155489e08f75e64ff0e11b1de.zip |
HEIMDAL:kdc: let check_PAC() to verify the incoming server and krbtgt cheksums
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for contrained delegation,
the keys differ.
metze
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 037934f2a6..5cfe7c8791 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -282,8 +282,9 @@ check_PAC(krb5_context context, hdb_entry_ex *client, hdb_entry_ex *server, hdb_entry_ex *krbtgt, - const EncryptionKey *server_key, + const EncryptionKey *server_check_key, const EncryptionKey *krbtgt_check_key, + const EncryptionKey *server_sign_key, const EncryptionKey *krbtgt_sign_key, EncTicketPart *tkt, krb5_data *rspac, @@ -328,7 +329,7 @@ check_PAC(krb5_context context, ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal, - krbtgt_check_key, NULL); + server_check_key, krbtgt_check_key); if (ret) { krb5_pac_free(context, pac); return ret; @@ -351,7 +352,7 @@ check_PAC(krb5_context context, *signedpath = 1; ret = _krb5_pac_sign(context, pac, tkt->authtime, client_principal, - server_key, krbtgt_sign_key, rspac); + server_sign_key, krbtgt_sign_key, rspac); } krb5_pac_free(context, pac); @@ -1789,7 +1790,9 @@ server_lookup: } ret = check_PAC(context, config, cp, - client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key, + client, server, krbtgt, + &tkey_check->key, &tkey_check->key, + ekey, &tkey_sign->key, tgt, &rspac, &signedpath); if (ret) { const char *msg = krb5_get_error_message(context, ret); |