From 6cb81f7b37d541efb54bcdca46b1e0f6bc8afef9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 Jul 2009 08:29:03 +1000 Subject: s4:heimdal: import lorikeet-heimdal-200907162216 (commit d09910d6803aad96b52ee626327ee55b14ea0de8) This includes in particular changes to the KDC to resolve bug 6272, originally by Matthieu Patou . We need to sort the AuthorizationData elements to put the PAC first, or else WinXP breaks when browsed from Win2k8. Andrew Bartlett --- source4/heimdal/kdc/krb5tgs.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) (limited to 'source4/heimdal/kdc') diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 6b98506e81..635eb27e75 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -805,17 +805,34 @@ tgs_make_reply(krb5_context context, et.flags.hw_authent = tgt->flags.hw_authent; et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + + if(rspac->length) { + /* + * No not need to filter out the any PAC from the + * auth_data since it's signed by the KDC. + */ + ret = _kdc_tkt_add_if_relevant_ad(context, &et, + KRB5_AUTHDATA_WIN2K_PAC, rspac); + if (ret) + goto out; + } if (auth_data) { - /* XXX Check enc-authorization-data */ - et.authorization_data = calloc(1, sizeof(*et.authorization_data)); + unsigned int i = 0; + + /* XXX check authdata */ if (et.authorization_data == NULL) { ret = ENOMEM; + krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - ret = copy_AuthorizationData(auth_data, et.authorization_data); - if (ret) - goto out; + for(i = 0; i < auth_data->len ; i++) { + ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]); + if (ret) { + krb5_set_error_message(context, ret, "malloc: out of memory"); + goto out; + } + } /* Filter out type KRB5SignedPath */ ret = find_KRB5SignedPath(context, et.authorization_data, NULL); @@ -832,18 +849,6 @@ tgs_make_reply(krb5_context context, } } - if(rspac->length) { - /* - * No not need to filter out the any PAC from the - * auth_data since it's signed by the KDC. - */ - ret = _kdc_tkt_add_if_relevant_ad(context, &et, - KRB5_AUTHDATA_WIN2K_PAC, - rspac); - if (ret) - goto out; - } - ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key); if (ret) goto out; -- cgit