summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-11-07 02:29:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:52 -0500
commit918c7634c21deb0aa89388bb3d9e147bfc8576c8 (patch)
tree4c56c62cda7f8f72f3eb808e26029c87f8479ef0 /source4/heimdal/lib
parentf7ca7308490c5bb41c6e42e7fe52f6b2586d3d5d (diff)
downloadsamba-918c7634c21deb0aa89388bb3d9e147bfc8576c8.tar.gz
samba-918c7634c21deb0aa89388bb3d9e147bfc8576c8.tar.bz2
samba-918c7634c21deb0aa89388bb3d9e147bfc8576c8.zip
r11543: A major upgrade to our KDC and PAC handling.
We now put the PAC in the AS-REP, so that the client has it in the TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the client wants a ticket. This should also allow us to interop with windows KDCs. If we get an invalid PAC at the TGS stage, we just drop it. I'm slowly trying to move the application logic out of hdb-ldb.c, and back in with the rest of Samba's auth system, for consistancy. This continues that trend. Andrew Bartlett (This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
Diffstat (limited to 'source4/heimdal/lib')
-rw-r--r--source4/heimdal/lib/hdb/hdb.h11
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h8
-rw-r--r--source4/heimdal/lib/krb5/mk_req.c2
-rw-r--r--source4/heimdal/lib/krb5/ticket.c27
4 files changed, 37 insertions, 11 deletions
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 41cc03cf36..45ea5a9f30 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -61,14 +61,19 @@ typedef struct hdb_entry_ex {
krb5_error_code (*free_private)(krb5_context, struct hdb_entry_ex *);
krb5_error_code (*check_client_access)(krb5_context, struct hdb_entry_ex *, HostAddresses *);
krb5_error_code (*authz_data_as_req)(krb5_context, struct hdb_entry_ex *,
- AuthorizationData *in,
+ METHOD_DATA* pa_data_seq,
+ time_t authtime,
EncryptionKey *tgtkey,
- AuthorizationData *out);
+ EncryptionKey *sessionkey,
+ AuthorizationData **out);
krb5_error_code (*authz_data_tgs_req)(krb5_context, struct hdb_entry_ex *,
+ krb5_principal client,
AuthorizationData *in,
+ time_t authtime,
EncryptionKey *tgtkey,
EncryptionKey *servicekey,
- AuthorizationData *out);
+ EncryptionKey *sessionkey,
+ AuthorizationData **out);
} hdb_entry_ex;
typedef struct HDB{
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 07d9329337..2645c29fe7 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -399,4 +399,12 @@ _krb5_xunlock (
krb5_context /*context*/,
int /*fd*/);
+int
+_krb5_find_type_in_ad(krb5_context context,
+ int type,
+ krb5_data *data,
+ int *found,
+ krb5_keyblock *sessionkey,
+ const AuthorizationData *ad);
+
#endif /* __krb5_private_h__ */
diff --git a/source4/heimdal/lib/krb5/mk_req.c b/source4/heimdal/lib/krb5/mk_req.c
index adc077e13f..44e5d9c222 100644
--- a/source4/heimdal/lib/krb5/mk_req.c
+++ b/source4/heimdal/lib/krb5/mk_req.c
@@ -64,7 +64,9 @@ krb5_mk_req_exact(krb5_context context,
if (auth_context && *auth_context && (*auth_context)->keytype)
this_cred.session.keytype = (*auth_context)->keytype;
+ /* This is the network contact with the KDC */
ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
+
krb5_free_cred_contents(context, &this_cred);
if (ret)
return ret;
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 7dae26acf2..b3efeb39d3 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -101,8 +101,8 @@ static int
find_type_in_ad(krb5_context context,
int type,
krb5_data *data,
- int *found,
- int failp,
+ krb5_boolean *found,
+ krb5_boolean failp,
krb5_keyblock *sessionkey,
const AuthorizationData *ad,
int level)
@@ -129,7 +129,7 @@ find_type_in_ad(krb5_context context,
krb5_set_error_string(context, "malloc - out of memory");
goto out;
}
- *found = 1;
+ *found = TRUE;
continue;
}
switch (ad->val[i].ad_type) {
@@ -228,6 +228,19 @@ out:
return ret;
}
+int
+_krb5_find_type_in_ad(krb5_context context,
+ int type,
+ krb5_data *data,
+ krb5_boolean *found,
+ krb5_keyblock *sessionkey,
+ const AuthorizationData *ad)
+{
+ krb5_data_zero(data);
+ return find_type_in_ad(context, type, data, found, TRUE, sessionkey, ad, 0);
+}
+
+
/*
* Extract the authorization data type of `type' from the
* 'ticket'. Store the field in `data'. This function is to use for
@@ -242,9 +255,7 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
{
AuthorizationData *ad;
krb5_error_code ret;
- int found = 0;
-
- krb5_data_zero(data);
+ krb5_boolean found = 0;
ad = ticket->ticket.authorization_data;
if (ticket->ticket.authorization_data == NULL) {
@@ -252,8 +263,8 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
return ENOENT; /* XXX */
}
- ret = find_type_in_ad(context, type, data, &found, 1, &ticket->ticket.key,
- ticket->ticket.authorization_data, 0);
+ ret = _krb5_find_type_in_ad(context, type, data, &found, &ticket->ticket.key,
+ ticket->ticket.authorization_data);
if (ret)
return ret;
if (!found) {