summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2011-03-25 14:57:42 +0100
committerStefan Metzmacher <metze@samba.org>2011-05-18 07:46:33 +0200
commitcc0ff48f28d13fd155489e08f75e64ff0e11b1de (patch)
treee0f28b44812e8219d5734094f92725c9390b8ab4 /source4/heimdal/kdc
parent28734295557620c36ffe8f51dcef7158c46d78a0 (diff)
downloadsamba-cc0ff48f28d13fd155489e08f75e64ff0e11b1de.tar.gz
samba-cc0ff48f28d13fd155489e08f75e64ff0e11b1de.tar.bz2
samba-cc0ff48f28d13fd155489e08f75e64ff0e11b1de.zip
HEIMDAL:kdc: let check_PAC() to verify the incoming server and krbtgt cheksums
For a normal TGS-REQ they're both signed with krbtgt key. But for S4U2Proxy requests which ask for contrained delegation, the keys differ. metze
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/krb5tgs.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 037934f2a6..5cfe7c8791 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -282,8 +282,9 @@ check_PAC(krb5_context context,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
- const EncryptionKey *server_key,
+ const EncryptionKey *server_check_key,
const EncryptionKey *krbtgt_check_key,
+ const EncryptionKey *server_sign_key,
const EncryptionKey *krbtgt_sign_key,
EncTicketPart *tkt,
krb5_data *rspac,
@@ -328,7 +329,7 @@ check_PAC(krb5_context context,
ret = krb5_pac_verify(context, pac, tkt->authtime,
client_principal,
- krbtgt_check_key, NULL);
+ server_check_key, krbtgt_check_key);
if (ret) {
krb5_pac_free(context, pac);
return ret;
@@ -351,7 +352,7 @@ check_PAC(krb5_context context,
*signedpath = 1;
ret = _krb5_pac_sign(context, pac, tkt->authtime,
client_principal,
- server_key, krbtgt_sign_key, rspac);
+ server_sign_key, krbtgt_sign_key, rspac);
}
krb5_pac_free(context, pac);
@@ -1789,7 +1790,9 @@ server_lookup:
}
ret = check_PAC(context, config, cp,
- client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
+ client, server, krbtgt,
+ &tkey_check->key, &tkey_check->key,
+ ekey, &tkey_sign->key,
tgt, &rspac, &signedpath);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);