From cef06b5ca180654471fa6d4aa0493ae3f53de2ea Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 28 Jun 2011 13:24:50 +0200
Subject: HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac() function

This is needed in order to add the S4U_DELEGATION_INFO to the pac.

metze
---
 source4/heimdal/kdc/krb5tgs.c      | 45 ++++++++++++++++++++++++++------------
 source4/heimdal/kdc/windc.c        |  5 ++++-
 source4/heimdal/kdc/windc_plugin.h | 11 +++++-----
 3 files changed, 41 insertions(+), 20 deletions(-)

(limited to 'source4')

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index e4fdb144eb..f13da57e45 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -279,6 +279,7 @@ static krb5_error_code
 check_PAC(krb5_context context,
           krb5_kdc_configuration *config,
           const krb5_principal client_principal,
+          const krb5_principal delegated_proxy_principal,
           hdb_entry_ex *client,
           hdb_entry_ex *server,
           hdb_entry_ex *krbtgt,
@@ -336,6 +337,7 @@ check_PAC(krb5_context context,
     }
 
     ret = _kdc_pac_verify(context, client_principal,
+                          delegated_proxy_principal,
                           client, server, krbtgt, &pac, &signed_pac);
     if (ret) {
         krb5_pac_free(context, pac);
@@ -1479,9 +1481,9 @@ tgs_build_reply(krb5_context context,
                 const struct sockaddr *from_addr)
 {
     krb5_error_code ret;
-    krb5_principal cp = NULL, sp = NULL, tp = NULL;
+    krb5_principal cp = NULL, sp = NULL, tp = NULL, dp = NULL;
     krb5_principal krbtgt_principal = NULL;
-    char *spn = NULL, *cpn = NULL, *tpn = NULL;
+    char *spn = NULL, *cpn = NULL, *tpn = NULL, *dpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
     HDB *clientdb, *s4u2self_impersonated_clientdb;
     krb5_realm ref_realm = NULL;
@@ -1802,7 +1804,7 @@ server_lookup:
         krb5_free_error_message(context, msg);
     }
 
-    ret = check_PAC(context, config, cp,
+    ret = check_PAC(context, config, cp, NULL,
                     client, server, krbtgt,
                     &tkey_check->key,
                     &tkey_check->key, ekey, &tkey_sign->key,
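Review bot: The new `delegated_proxy_principal` parameter of check_PAC carries no comment saying when it is set; the -1802 hunk passes `NULL` on the ordinary TGS path while the S4U2Proxy path later in this patch passes a principal built from the additional ticket, so check_PAC and the windc plugin behind `_kdc_pac_verify` must treat it as optional. I would add above the static check_PAC definition a comment along the lines of `/* delegated_proxy_principal: proxy service of an S4U2Proxy request (from the additional ticket's sname), NULL otherwise; forwarded unchanged to the windc pac_verify hook */`. check_PAC's signature starts at the first line of the -279 hunk and its body continues outside the hunk.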
@@ -2029,12 +2031,23 @@ server_lookup:
         if (ret)
             goto out;
 
+        ret = _krb5_principalname2krb5_principal(context,
+                                                 &dp,
+                                                 t->sname,
+                                                 t->realm);
+        if (ret)
+            goto out;
+
+        ret = krb5_unparse_name(context, dp, &dpn);
+        if (ret)
+            goto out;
+
         /* check that ticket is valid */
         if (adtkt.flags.forwardable == 0) {
             kdc_log(context, config, 0,
                     "Missing forwardable flag on ticket for "
-                    "constrained delegation from %s as %s to %s ",
-                    cpn, tpn, spn);
+                    "constrained delegation from %s (%s) as %s to %s ",
+                    cpn, dpn, tpn, spn);
             ret = KRB5KDC_ERR_BADOPTION;
             goto out;
         }
@@ -2043,8 +2056,8 @@ server_lookup:
                                            client, server, sp);
         if (ret) {
             kdc_log(context, config, 0,
-                    "constrained delegation from %s as %s to %s not allowed",
-                    cpn, tpn, spn);
+                    "constrained delegation from %s (%s) as %s to %s not allowed",
+                    cpn, dpn, tpn, spn);
             goto out;
         }
 
@@ -2060,7 +2073,7 @@ server_lookup:
          * TODO: pass in t->sname and t->realm and build
          * a S4U_DELEGATION_INFO blob to the PAC.
          */
-        ret = check_PAC(context, config, tp,
+        ret = check_PAC(context, config, tp, dp,
                         client, server, krbtgt,
                         &clientkey->key,
                         &tkey_check->key, ekey, &tkey_sign->key,
@@ -2071,8 +2084,8 @@ server_lookup:
             const char *msg = krb5_get_error_message(context, ret);
             kdc_log(context, config, 0,
                     "Verify delegated PAC failed to %s for client"
-                    "%s as %s from %s with %s",
-                    spn, cpn, tpn, from, msg);
+                    "%s (%s) as %s from %s with %s",
+                    spn, cpn, dpn, tpn, from, msg);
             krb5_free_error_message(context, msg);
             goto out;
         }
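Review bot: `dp` is built from `t->sname` and `t->realm`, which (assuming `t` is the additional ticket that was decrypted into `adtkt` before this hunk) are the cleartext, unauthenticated part of a ticket supplied by the requester; nothing in this hunk checks that it names the service whose key decrypted that ticket, `cp`. If tgs_build_reply does no such comparison elsewhere, the proxy name that is now logged and handed to check_PAC is chosen by the requester rather than established by the KDC. Unless name aliases are deliberately allowed here, I would reject a mismatch right after the unparse, `if (!krb5_principal_compare(context, cp, dp)) { ret = KRB5KDC_ERR_BADOPTION; goto out; }`, with a kdc_log line like the forwardable check has. The enclosing function starts and ends outside the hunk.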
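Review bot: The TODO comment directly above the changed check_PAC call in the -2060 hunk is now stale: `t->sname`/`t->realm` are passed in as `dp`, and what remains undone is only the S4U_DELEGATION_INFO blob, which this call does not build but delegates to the windc pac_verify hook. I would rewrite it as `/* TODO: build a S4U_DELEGATION_INFO blob for the PAC; dp (the additional ticket's sname/realm) is already passed down to the windc pac_verify hook for that */`.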
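Review bot: The rewritten format string in the -2071 hunk still glues `"Verify delegated PAC failed to %s for client"` directly onto `"%s (%s) as %s from %s with %s"`, so the log line reads `client<name>`; the same missing separator is newly introduced in the -2093 hunk, where `"for delegation to %s for client %s (%s)"` is followed by `"from %s failed with %s"` and prints `(<proxy>)from`. Append a trailing space to both: `"Verify delegated PAC failed to %s for client "` and `"for delegation to %s for client %s (%s) "`. Both kdc_log calls sit in blocks whose enclosing function continues outside the hunk.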
@@ -2093,15 +2106,15 @@ server_lookup:
             const char *msg = krb5_get_error_message(context, ret);
             kdc_log(context, config, 0,
                     "KRB5SignedPath check from service %s failed "
-                    "for delegation to %s for client %s "
+                    "for delegation to %s for client %s (%s)"
                     "from %s failed with %s",
-                    spn, tpn, cpn, from, msg);
+                    spn, tpn, dpn, cpn, from, msg);
             krb5_free_error_message(context, msg);
             goto out;
         }
 
         kdc_log(context, config, 0, "constrained delegation for %s "
-                "from %s to %s", tpn, cpn, spn);
+                "from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
 
     /*
@@ -2198,7 +2211,9 @@ out:
     free(tpn);
     free(spn);
     free(cpn);
-
+    if (dpn)
+        free(dpn);
+
     krb5_data_free(&rspac);
     krb5_free_keyblock_contents(context, &sessionkey);
     if(krbtgt_out)
@@ -2214,6 +2229,8 @@ out:
         krb5_free_principal(context, tp);
     if (cp)
         krb5_free_principal(context, cp);
+    if (dp)
+        krb5_free_principal(context, dp);
     if (sp)
         krb5_free_principal(context, sp);
     if (ref_realm)
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index 6efbeee9dd..a58cebb8b2 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -84,6 +84,7 @@ _kdc_pac_generate(krb5_context context,
 krb5_error_code
 _kdc_pac_verify(krb5_context context,
                 const krb5_principal client_principal,
+                const krb5_principal delegated_proxy_principal,
                 hdb_entry_ex *client,
                 hdb_entry_ex *server,
                 hdb_entry_ex *krbtgt,
@@ -96,7 +97,9 @@ _kdc_pac_verify(krb5_context context,
         return 0;
 
     ret = windcft->pac_verify(windcctx, context,
-                              client_principal, client, server, krbtgt, pac);
+                              client_principal,
+                              delegated_proxy_principal,
+                              client, server, krbtgt, pac);
     if (ret == 0)
         *verified = 1;
     return ret;
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index 4755a5ea8f..b328e3ffb3 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
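Review bot: The guard in `if (dpn) free(dpn);` added in the -2198 hunk is redundant: `free(NULL)` is a no-op, and the three lines just above free `tpn`, `spn` and `cpn` unconditionally, so the new line should read simply `free(dpn);` to match them. The guarded `if (dp) krb5_free_principal(context, dp);` in the -2214 hunk is fine as written, since it follows the guarded calls around it and the cleanup label's other principal frees.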
@@ -57,10 +57,11 @@ typedef krb5_error_code
 
 typedef krb5_error_code
 (*krb5plugin_windc_pac_verify)(void *, krb5_context,
-                               const krb5_principal,
-                               struct hdb_entry_ex *,
-                               struct hdb_entry_ex *,
-                               struct hdb_entry_ex *,
+                               const krb5_principal, /* new ticket client */
+                               const krb5_principal, /* delegation proxy */
+                               struct hdb_entry_ex *,/* client */
+                               struct hdb_entry_ex *,/* server */
+                               struct hdb_entry_ex *,/* krbtgt */
                                krb5_pac *);
 
 typedef krb5_error_code
@@ -72,7 +73,7 @@ typedef krb5_error_code
                                   KDC_REQ *,
                                   krb5_data *);
 
-#define KRB5_WINDC_PLUGIN_MINOR 5
+#define KRB5_WINDC_PLUGIN_MINOR 6
 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
 
 typedef struct krb5plugin_windc_ftable {
-- 
cgit
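Review bot: The new `/* delegation proxy */` comment on the pac_verify hook does not say that the argument may be NULL, yet the krb5tgs.c hunk at -1802 passes `NULL` for every request that is not an S4U2Proxy request, so a plugin that dereferences it unconditionally will fail on ordinary TGS traffic; I would write `/* delegation proxy, NULL unless S4U2Proxy */`. Raising KRB5_WINDC_PLUGIN_MINOR to 6 is the right signal for an incompatible change to the function-pointer table, but whether the loader refuses a plugin built against minor 5 is not visible here and is worth confirming, since calling such a plugin through the new signature would shift every argument after the client principal by one.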