Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/default_config.c6
-rw-r--r--source4/heimdal/kdc/kerberos5.c2
-rw-r--r--source4/heimdal/kdc/krb5tgs.c28
-rw-r--r--source4/heimdal/kdc/pkinit.c16
-rw-r--r--source4/heimdal/kdc/windc.c19
5 files changed, 43 insertions, 28 deletions
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index f5df4e0298..118bdf97aa 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -264,7 +264,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
if (c->pkinit_kdc_identity == NULL) {
if (c->pkinit_kdc_friendly_name == NULL)
- c->pkinit_kdc_friendly_name =
+ c->pkinit_kdc_friendly_name =
strdup("O=System Identity,CN=com.apple.kerberos.kdc");
c->pkinit_kdc_identity = strdup("KEYCHAIN:");
}
@@ -276,7 +276,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
if (c->enable_pkinit) {
if (c->pkinit_kdc_identity == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
-
+
if (c->pkinit_kdc_anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
@@ -287,7 +287,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->pkinit_kdc_revoke);
}
-
+
*config = c;
return 0;
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 05df86e143..9fb0998a2a 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -910,7 +910,7 @@ _kdc_as_rep(krb5_context context,
const char *e_text = NULL;
krb5_crypto crypto;
Key *ckey, *skey;
- EncryptionKey *reply_key, session_key;
+ EncryptionKey *reply_key = NULL, session_key;
int flags = 0;
#ifdef PKINIT
pk_client_params *pkp = NULL;
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 06a535d4d4..23f9674bef 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -314,6 +314,7 @@ check_PAC(krb5_context context,
for (j = 0; j < child.len; j++) {
if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
+ int signed_pac = 0;
krb5_pac pac;
/* Found PAC */
@@ -334,19 +335,26 @@ check_PAC(krb5_context context,
}
ret = _kdc_pac_verify(context, client_principal,
- client, server, krbtgt, &pac);
+ client, server, krbtgt, &pac, &signed_pac);
if (ret) {
krb5_pac_free(context, pac);
return ret;
}
- *signedpath = 1;
-
- ret = _krb5_pac_sign(context, pac, tkt->authtime,
- client_principal,
- server_key, krbtgt_sign_key, rspac);
+ /*
+ * Only re-sign PAC if we could verify it with the PAC
+ * function. The no-verify case happens when we get in
+ * a PAC from cross realm from a Windows domain and
+ * that there is no PAC verification function.
+ */
+ if (signed_pac) {
+ *signedpath = 1;
+ ret = _krb5_pac_sign(context, pac, tkt->authtime,
+ client_principal,
+ server_key, krbtgt_key, rspac);
+ }
krb5_pac_free(context, pac);
-
+
return ret;
}
}
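Review bot: The re-sign call now passes `krbtgt_key` where the removed lines passed `krbtgt_sign_key`, and nothing in the commit explains the switch; check_PAC's parameter list is outside the hunk, so I cannot tell whether both names are in scope, but if `krbtgt_sign_key` was a deliberately distinct key for the KDC checksum this silently changes which key signs the PAC. The unverified branch also deserves a line of documentation: when `signed_pac` stays 0 the PAC is not copied into `rspac`, `*signedpath` is left as it was, and `ret` is the 0 returned by `_kdc_pac_verify`, so the caller sees success with the PAC silently dropped. I would extend the new comment with `* If the PAC could not be verified it is dropped from the reply rather than forwarded unsigned.` and add a kdc_log in that branch so the cross-realm case is visible to operators rather than invisible.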
@@ -449,7 +457,7 @@ check_tgs_flags(krb5_context context,
}
if(f.renewable){
- if(!tgt->flags.renewable){
+ if(!tgt->flags.renewable || tgt->renew_till == NULL){
kdc_log(context, config, 0,
"Bad request for renewable ticket");
return KRB5KDC_ERR_BADOPTION;
@@ -802,7 +810,9 @@ tgs_make_reply(krb5_context context,
et.endtime = *et.starttime + life;
}
if(f.renewable_ok && tgt->flags.renewable &&
- et.renew_till == NULL && et.endtime < *b->till){
+ et.renew_till == NULL && et.endtime < *b->till &&
+ tgt->renew_till != NULL)
+ {
et.flags.renewable = 1;
ALLOC(et.renew_till);
*et.renew_till = *b->till;
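Review bot: The added `tgt->renew_till != NULL` test guards the TGT field, but the assignment `*et.renew_till = *b->till;` still copies the requested till verbatim; unless the value is clamped to `*tgt->renew_till` further down (tgs_make_reply continues past the hunk), a renewable-ok request could obtain a renew_till later than the TGT's own. `ALLOC(et.renew_till)` on the preceding line is also dereferenced without an allocation-failure check; if that macro can yield NULL here, a check returning ENOMEM before the store is warranted, though the macro's definition is not visible in this hunk.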
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 4405bf4f19..9c0be23b14 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -227,10 +227,7 @@ generate_dh_keyblock(krb5_context context,
goto out;
}
- dh_gen_keylen = DH_size(client_params->u.dh.key);
- size = BN_num_bytes(client_params->u.dh.key->p);
- if (size < dh_gen_keylen)
- size = dh_gen_keylen;
+ size = DH_size(client_params->u.dh.key);
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
@@ -238,17 +235,20 @@ generate_dh_keyblock(krb5_context context,
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
- memset(dh_gen_key, 0, size - dh_gen_keylen);
- dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
- client_params->u.dh.public_key,
- client_params->u.dh.key);
+ dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
if (dh_gen_keylen == -1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
goto out;
}
+ if (dh_gen_keylen < size) {
+ size -= dh_gen_keylen;
+ memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
+ memset(dh_gen_key, 0, size);
+ }
+
ret = 0;
#ifdef HAVE_OPENSSL
} else if (client_params->keyex == USE_ECDH) {
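Review bot: After the new left-padding block, `dh_gen_keylen` still holds the unpadded length and `size` has been reassigned to the padding length, so neither variable describes the full buffer any more; whatever consumes `dh_gen_key` below the hunk must use the original `DH_size()` length or the leading zero octets are lost, and a consumer that reads `dh_gen_keylen` bytes would now see zeros followed by a truncated secret. I would keep the padding in place but preserve the buffer length explicitly, e.g. `dh_gen_keylen = DH_size(client_params->u.dh.key);` after the memset, or avoid clobbering `size` by using a separate `pad` variable. A short comment such as `/* left-pad the shared secret with zeros to the modulus size */` would also make the intent of the memmove obvious to the next reader.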
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index a8f1eb15d1..6efbeee9dd 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -87,14 +87,19 @@ _kdc_pac_verify(krb5_context context,
hdb_entry_ex *client,
hdb_entry_ex *server,
hdb_entry_ex *krbtgt,
- krb5_pac *pac)
+ krb5_pac *pac,
+ int *verified)
{
- if (windcft == NULL) {
- krb5_set_error_message(context, EINVAL, "Can't verify PAC, no function");
- return EINVAL;
- }
- return (windcft->pac_verify)(windcctx, context,
- client_principal, client, server, krbtgt, pac);
+ krb5_error_code ret;
+
+ if (windcft == NULL)
+ return 0;
+
+ ret = windcft->pac_verify(windcctx, context,
+ client_principal, client, server, krbtgt, pac);
+ if (ret == 0)
+ *verified = 1;
+ return ret;
}
krb5_error_code
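Review bot: `_kdc_pac_verify` never writes `*verified = 0`; on the `windcft == NULL` path and on a failing `pac_verify` the output parameter is left untouched, so the verified contract depends on every caller pre-initialising its flag (check_PAC in krb5tgs.c does, but a future caller may not). Set it at entry, `*verified = 0;` before the NULL check, so a forgotten initialiser can never make an unverified PAC look verified. The hunk starts mid-signature, so the prototype earlier in the file and the header declaration presumably need the new parameter as well.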