summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/kerberos5.c5
-rw-r--r--source4/heimdal/kdc/krb5tgs.c51
-rw-r--r--source4/heimdal/kdc/misc.c8
-rw-r--r--source4/heimdal/kdc/windc.c3
-rw-r--r--source4/heimdal/kdc/windc_plugin.h1
5 files changed, 51 insertions, 17 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c3e94757e3..05df86e143 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -988,7 +988,8 @@ _kdc_as_rep(krb5_context context,
*/
ret = _kdc_db_fetch(context, config, client_princ,
- HDB_F_GET_CLIENT | flags, &clientdb, &client);
+ HDB_F_GET_CLIENT | flags, 0,
+ &clientdb, &client);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
@@ -999,7 +1000,7 @@ _kdc_as_rep(krb5_context context,
ret = _kdc_db_fetch(context, config, server_princ,
HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
- NULL, &server);
+ 0, NULL, &server);
if(ret){
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index dd14ae6513..3560a0df66 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -281,8 +281,10 @@ check_PAC(krb5_context context,
const krb5_principal client_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
+ hdb_entry_ex *krbtgt,
const EncryptionKey *server_key,
- const EncryptionKey *krbtgt_key,
+ const EncryptionKey *krbtgt_check_key,
+ const EncryptionKey *krbtgt_sign_key,
EncTicketPart *tkt,
krb5_data *rspac,
int *signedpath)
@@ -325,14 +327,14 @@ check_PAC(krb5_context context,
ret = krb5_pac_verify(context, pac, tkt->authtime,
client_principal,
- krbtgt_key, NULL);
+ krbtgt_check_key, NULL);
if (ret) {
krb5_pac_free(context, pac);
return ret;
}
ret = _kdc_pac_verify(context, client_principal,
- client, server, &pac);
+ client, server, krbtgt, &pac);
if (ret) {
krb5_pac_free(context, pac);
return ret;
@@ -341,7 +343,7 @@ check_PAC(krb5_context context,
ret = _krb5_pac_sign(context, pac, tkt->authtime,
client_principal,
- server_key, krbtgt_key, rspac);
+ server_key, krbtgt_sign_key, rspac);
krb5_pac_free(context, pac);
@@ -1156,7 +1158,7 @@ tgs_parse_request(krb5_context context,
ap_req.ticket.sname,
ap_req.ticket.realm);
- ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
+ ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
@@ -1454,6 +1456,8 @@ tgs_build_reply(krb5_context context,
krb5_kvno kvno;
krb5_data rspac;
+ hdb_entry_ex *krbtgt_out = NULL;
+
METHOD_DATA enc_pa_data;
PrincipalName *s;
@@ -1463,7 +1467,8 @@ tgs_build_reply(krb5_context context,
char opt_str[128];
int signedpath = 0;
- Key *tkey;
+ Key *tkey_check;
+ Key *tkey_sign;
memset(&sessionkey, 0, sizeof(sessionkey));
memset(&adtkt, 0, sizeof(adtkt));
@@ -1495,7 +1500,7 @@ tgs_build_reply(krb5_context context,
}
_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
ret = _kdc_db_fetch(context, config, p,
- HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
+ HDB_F_GET_KRBTGT, t->enc_part.kvno,
NULL, &uu);
krb5_free_principal(context, p);
if(ret){
@@ -1548,7 +1553,7 @@ tgs_build_reply(krb5_context context,
server_lookup:
ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
- NULL, &server);
+ 0, NULL, &server);
if(ret){
const char *new_rlm, *msg;
@@ -1609,7 +1614,7 @@ server_lookup:
}
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
- &clientdb, &client);
+ 0, &clientdb, &client);
if(ret) {
const char *krbtgt_realm, *msg;
@@ -1704,15 +1709,31 @@ server_lookup:
*/
ret = hdb_enctype2key(context, &krbtgt->entry,
- krbtgt_etype, &tkey);
+ krbtgt_etype, &tkey_check);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
}
+ /* Now refetch the krbtgt, but get the current kvno (the sign check may have been on an old kvno) */
+ ret = _kdc_db_fetch(context, config, krbtgt->entry.principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+ if (ret) {
+ kdc_log(context, config, 0,
+ "Failed to find krbtgt in DB for krbtgt PAC signature");
+ goto out;
+ }
+
+ ret = hdb_enctype2key(context, &krbtgt_out->entry,
+ krbtgt_etype, &tkey_sign);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Failed to find key for krbtgt PAC signature");
+ goto out;
+ }
+
ret = check_PAC(context, config, cp,
- client, server, ekey, &tkey->key,
+ client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
tgt, &rspac, &signedpath);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
@@ -1814,7 +1835,7 @@ server_lookup:
krb5_pac p = NULL;
krb5_data_free(&rspac);
ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON,
- &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
+ 0, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
if (ret) {
const char *msg;
@@ -1840,7 +1861,7 @@ server_lookup:
if (p != NULL) {
ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
s4u2self_impersonated_client->entry.principal,
- ekey, &tkey->key,
+ ekey, &tkey_sign->key,
&rspac);
krb5_pac_free(context, p);
if (ret) {
@@ -2070,7 +2091,7 @@ server_lookup:
spn,
client,
cp,
- krbtgt,
+ krbtgt_out,
krbtgt_etype,
spp,
&rspac,
@@ -2084,6 +2105,8 @@ out:
krb5_data_free(&rspac);
krb5_free_keyblock_contents(context, &sessionkey);
+ if(krbtgt_out)
+ _kdc_free_ent(context, krbtgt_out);
if(server)
_kdc_free_ent(context, server);
if(client)
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 39f91dcf10..3080748463 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -40,12 +40,19 @@ _kdc_db_fetch(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal principal,
unsigned flags,
+ krb5int32 *kvno_ptr,
HDB **db,
hdb_entry_ex **h)
{
hdb_entry_ex *ent;
krb5_error_code ret;
int i;
+ unsigned kvno;
+
+ if (kvno_ptr) {
+ kvno = *kvno_ptr;
+ flags |= HDB_F_KVNO_SPECIFIED;
+ }
ent = calloc (1, sizeof (*ent));
if (ent == NULL) {
@@ -88,6 +95,7 @@ _kdc_db_fetch(krb5_context context,
config->db[i],
principal,
flags | HDB_F_DECRYPT,
+ kvno,
ent);
krb5_free_principal(context, enterprise_principal);
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index 524bc90d90..a8f1eb15d1 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -86,6 +86,7 @@ _kdc_pac_verify(krb5_context context,
const krb5_principal client_principal,
hdb_entry_ex *client,
hdb_entry_ex *server,
+ hdb_entry_ex *krbtgt,
krb5_pac *pac)
{
if (windcft == NULL) {
@@ -93,7 +94,7 @@ _kdc_pac_verify(krb5_context context,
return EINVAL;
}
return (windcft->pac_verify)(windcctx, context,
- client_principal, client, server, pac);
+ client_principal, client, server, krbtgt, pac);
}
krb5_error_code
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index 0ec8e066c7..037fc8cbda 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -60,6 +60,7 @@ typedef krb5_error_code
const krb5_principal,
struct hdb_entry_ex *,
struct hdb_entry_ex *,
+ struct hdb_entry_ex *,
krb5_pac *);
typedef krb5_error_code