From e25325539a86912ce620875ef07beff5bcde6060 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 16 Jul 2009 09:53:14 +1000 Subject: s4:heimdal: import lorikeet-heimdal-200907152325 (commit 2bef9cd5378c01e9c2a74d6221761883bd11a5c5) --- source4/heimdal/kdc/kaserver.c | 16 +++++++-------- source4/heimdal/kdc/kerberos5.c | 24 ++++++++++++++++++++-- source4/heimdal/kdc/krb5tgs.c | 44 +++++++++++++++++++++++++++-------------- 3 files changed, 59 insertions(+), 25 deletions(-) (limited to 'source4/heimdal/kdc') diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index 3702ab9281..69b5bb1d6e 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -493,10 +493,10 @@ do_authenticate (krb5_context context, goto out; } - ret = _kdc_check_flags (context, config, - client_entry, client_name, - server_entry, server_name, - TRUE); + ret = kdc_check_flags (context, config, + client_entry, client_name, + server_entry, server_name, + TRUE); if (ret) { make_error_reply (hdr, KAPWEXPIRED, reply); goto out; @@ -790,10 +790,10 @@ do_getticket (krb5_context context, goto out; } - ret = _kdc_check_flags (context, config, - client_entry, client_name, - server_entry, server_name, - FALSE); + ret = kdc_check_flags (context, config, + client_entry, client_name, + server_entry, server_name, + FALSE); if (ret) { make_error_reply (hdr, KAPWEXPIRED, reply); goto out; diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index e364dcc1d1..43d54bf702 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -678,6 +678,12 @@ kdc_check_flags(krb5_context context, hdb_entry *client = &client_ex->entry; /* check client */ + if (client->flags.locked_out) { + kdc_log(context, config, 0, + "Client (%s) is locked out", client_name); + return KRB5KDC_ERR_POLICY; + } + if (client->flags.invalid) { kdc_log(context, config, 0, "Client (%s) has invalid bit set", client_name); @@ -727,6 +733,11 @@ kdc_check_flags(krb5_context context, if (server_ex != NULL) { hdb_entry *server = &server_ex->entry; + if (server->flags.locked_out) { + kdc_log(context, config, 0, + "Client server locked out -- %s", server_name); + return KRB5KDC_ERR_POLICY; + } if (server->flags.invalid) { kdc_log(context, config, 0, "Server has invalid flag set -- %s", server_name); @@ -883,6 +894,7 @@ _kdc_as_rep(krb5_context context, AS_REP rep; KDCOptions f = b->kdc_options; hdb_entry_ex *client = NULL, *server = NULL; + HDB *clientdb; krb5_enctype cetype, setype, sessionetype; krb5_data e_data; EncTicketPart et; @@ -966,7 +978,7 @@ _kdc_as_rep(krb5_context context, */ ret = _kdc_db_fetch(context, config, client_princ, - HDB_F_GET_CLIENT | flags, NULL, &client); + HDB_F_GET_CLIENT | flags, &clientdb, &client); if(ret){ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, krb5_get_err_text(context, ret)); @@ -1114,8 +1126,8 @@ _kdc_as_rep(krb5_context context, "No client key matching pa-data (%s) -- %s", estr, client_name); free(estr); - free_EncryptedData(&enc_data); + continue; } @@ -1159,6 +1171,10 @@ _kdc_as_rep(krb5_context context, e_text = "Failed to decrypt PA-DATA"; free_EncryptedData(&enc_data); + + if (clientdb->hdb_auth_status) + (clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD); + ret = KRB5KDC_ERR_PREAUTH_FAILED; continue; } @@ -1323,6 +1339,10 @@ _kdc_as_rep(krb5_context context, goto out; } + if (clientdb->hdb_auth_status) + (clientdb->hdb_auth_status)(context, clientdb, client, + HDB_AUTH_SUCCESS); + /* * Verify flags after the user been required to prove its identity * with in a preauth mech. diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 59104da3d6..6b98506e81 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -492,6 +492,7 @@ check_tgs_flags(krb5_context context, static krb5_error_code check_constrained_delegation(krb5_context context, krb5_kdc_configuration *config, + HDB *clientdb, hdb_entry_ex *client, krb5_const_principal server) { @@ -499,21 +500,32 @@ check_constrained_delegation(krb5_context context, krb5_error_code ret; int i; - ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); - if (ret) { - krb5_clear_error_message(context); - return ret; - } + /* if client delegates to itself, that ok */ + if (krb5_principal_compare(context, client->entry.principal, server) == TRUE) + return 0; - if (acl) { - for (i = 0; i < acl->len; i++) { - if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) - return 0; + if (clientdb->hdb_check_constrained_delegation) { + ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server); + if (ret == 0) + return 0; + } else { + ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl); + if (ret) { + krb5_clear_error_message(context); + return ret; + } + + if (acl) { + for (i = 0; i < acl->len; i++) { + if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE) + return 0; + } } + ret = KRB5KDC_ERR_BADOPTION; } kdc_log(context, config, 0, "Bad request for constrained delegation"); - return KRB5KDC_ERR_BADOPTION; + return ret; } /* @@ -1369,6 +1381,7 @@ tgs_build_reply(krb5_context context, krb5_principal client_principal = NULL; char *spn = NULL, *cpn = NULL; hdb_entry_ex *server = NULL, *client = NULL; + HDB *clientdb; krb5_realm ref_realm = NULL; EncTicketPart *tgt = &ticket->ticket; krb5_principals spp = NULL; @@ -1531,7 +1544,7 @@ server_lookup: } ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, - NULL, &client); + &clientdb, &client); if(ret) { const char *krbtgt_realm; @@ -1792,7 +1805,7 @@ server_lookup: if (ret) { kdc_log(context, config, 0, "failed to decrypt ticket for " - "constrained delegation from %s to %s ", spn, cpn); + "constrained delegation from %s to %s ", cpn, spn); goto out; } @@ -1800,16 +1813,17 @@ server_lookup: if (adtkt.flags.forwardable == 0) { kdc_log(context, config, 0, "Missing forwardable flag on ticket for " - "constrained delegation from %s to %s ", spn, cpn); + "constrained delegation from %s to %s ", cpn, spn); ret = KRB5KDC_ERR_BADOPTION; goto out; } - ret = check_constrained_delegation(context, config, client, sp); + ret = check_constrained_delegation(context, config, clientdb, + client, sp); if (ret) { kdc_log(context, config, 0, "constrained delegation from %s to %s not allowed", - spn, cpn); + cpn, spn); goto out; } -- cgit