EncKDCRepPart ek;
/* PA methods can affect both the reply key and the session key (pkinit) */
+ int validated_pa_type;
krb5_enctype sessionetype;
krb5_keyblock reply_key;
krb5_keyblock session_key;
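Review bot: The new `validated_pa_type` field carries no comment and its "no pre-auth" value is left implicit, yet generate_pac later switches on it. I would add `/* PA type that validated this AS-REQ; 0 (KRB5_PADATA_NONE) when the request was not pre-authenticated. Selects PKINIT-specific PAC generation. */` above the field. That reading assumes the request struct is zero-initialised where it is allocated, which is not visible here and is worth confirming, since a stale non-zero value would never match the PKINIT types anyway but a garbage value equal to them would leak the reply key to the plugin. The enclosing struct starts and ends outside the hunk.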
generate_pac(astgs_request_t r, Key *skey)
{
krb5_error_code ret;
+ const krb5_keyblock *pk_reply_key = NULL;
krb5_pac p = NULL;
krb5_data data;
- ret = _kdc_pac_generate(r->context, r->client, &p);
+ switch (r->validated_pa_type) {
+ case KRB5_PADATA_PK_AS_REQ:
+ case KRB5_PADATA_PK_AS_REQ_WIN:
+ pk_reply_key = &r->reply_key;
+ break;
+ }
+
+ ret = _kdc_pac_generate(r->context, r->client,
+ pk_reply_key, &p);
if (ret) {
_kdc_r_log(r, 4, "PAC generation failed for -- %s",
r->cname);
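Review bot: The switch on `r->validated_pa_type` has no `default:` and no comment saying why only the two PKINIT PA types hand `r->reply_key` to the plugin; for every other PA type the plugin silently receives NULL and takes the non-PK path. I would add `default: break; /* non-PKINIT pre-auth: plugin gets no reply key */` and, above the switch, `/* PKINIT is the only PA method whose reply key the PAC plugin is given; for other methods the key is derived from the client's long-term key and is not passed on. */` — the second half is an inference from the comment on the struct and should be confirmed against what the plugin does with it. The pointer handed over aliases `r->reply_key`, so the plugin must not retain it beyond the call. generate_pac's body continues outside the hunk.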
pat[n].name, r->cname);
found_pa = 1;
r->et.flags.pre_authent = 1;
+ r->validated_pa_type = pat[n].type;
}
}
}
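Review bot: `r->validated_pa_type = pat[n].type` is assigned on every successful validation, so if the loop over `pat[]` does not stop at the first success a later non-PKINIT method would overwrite the PKINIT type and generate_pac would stop passing the reply key. The loop header is outside the hunk, so whether `found_pa` terminates it cannot be seen here; if it does not, guard the assignment, e.g. `if (r->validated_pa_type == 0) r->validated_pa_type = pat[n].type;`, or break after the first validated method. Either way a one-line comment stating the "first (or last) validated method wins" rule would help the next reader.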
if(rspac.data) {
krb5_pac p = NULL;
krb5_data_free(&rspac);
- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
+ ret = _kdc_pac_generate(context, s4u2self_impersonated_client,
+ NULL, &p);
if (ret) {
kdc_log(context, config, 4, "PAC generation failed for -- %s",
tpn);
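Review bot: The bare `NULL` passed for the new pk_reply_key argument deserves a comment, because the call site otherwise reads like a forgotten parameter rather than a deliberate choice. Something like `/* S4U2Self: the impersonated client did not authenticate in this exchange, so there is no PKINIT reply key to give the PAC plugin. */` above the call would settle it. That rationale is inferred from the name `s4u2self_impersonated_client` and should be checked; the surrounding function starts outside the hunk.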
struct generate_uc {
hdb_entry_ex *client;
+ const krb5_keyblock *pk_reply_key;
krb5_pac *pac;
};
if (ft->pac_generate == NULL)
return KRB5_PLUGIN_NO_HANDLE;
+
+ if (ft->pac_pk_generate != NULL && uc->pk_reply_key != NULL) {
+ return ft->pac_pk_generate((void *)plug, context,
+ uc->client, uc->pk_reply_key, uc->pac);
+ }
+
return ft->pac_generate((void *)plug, context, uc->client, uc->pac);
}
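Review bot: `ft->pac_pk_generate` is a member appended to the ftable in this same change, so dereferencing it on a plugin built against minor version 6 reads past the end of that plugin's table unless the loader refuses plugins older than 7. The bump of KRB5_WINDC_PLUGIN_MINOR suggests that is the intent, but the minimum version handed to `_krb5_plugin_run_f` is not visible in this diff; if older tables are still accepted, gate the access on the table's own version field (if the ftable carries one), e.g. `if (ft->minor_version >= 7 && ft->pac_pk_generate != NULL && uc->pk_reply_key != NULL)`. A short comment noting that the NULL check is what makes the PK hook optional, and that a NULL key falls back to `pac_generate`, would also help. `generate` starts outside the hunk.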
krb5_error_code
_kdc_pac_generate(krb5_context context,
hdb_entry_ex *client,
+ const krb5_keyblock *pk_reply_key,
krb5_pac *pac)
{
struct generate_uc uc;
return 0;
uc.client = client;
+ uc.pk_reply_key = pk_reply_key;
uc.pac = pac;
(void)_krb5_plugin_run_f(context, &windc_plugin_data,
typedef krb5_error_code
(*krb5plugin_windc_pac_generate)(void *, krb5_context,
- struct hdb_entry_ex *, krb5_pac *);
+ struct hdb_entry_ex *, /* client */
+ krb5_pac *);
+
+typedef krb5_error_code
+(*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
+ struct hdb_entry_ex *, /* client */
+ const krb5_keyblock *, /* pk_replykey */
+ krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_pac_verify)(void *, krb5_context,
KDC_REQ *, METHOD_DATA *);
-#define KRB5_WINDC_PLUGIN_MINOR 6
+#define KRB5_WINDC_PLUGIN_MINOR 7
#define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
typedef struct krb5plugin_windc_ftable {
krb5plugin_windc_pac_generate pac_generate;
krb5plugin_windc_pac_verify pac_verify;
krb5plugin_windc_client_access client_access;
+ krb5plugin_windc_pac_pk_generate pac_pk_generate;
} krb5plugin_windc_ftable;
#endif /* HEIMDAL_KRB5_PAC_PLUGIN_H */
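Review bot: The new `krb5plugin_windc_pac_pk_generate` typedef and the `pac_pk_generate` slot say nothing about optionality or about what `pk_replykey` is, so a plugin author reading only this header cannot tell whether leaving the slot NULL is allowed. I would document the slot with `/* Optional since minor 7; may be NULL. Used in place of pac_generate when the client authenticated via PKINIT; pk_replykey is the KDC's reply key for that exchange and is only valid for the duration of the call. */` Appending the member at the end preserves the offsets of the existing fields, which is the right way to extend the table; the minor bump should be called out in the release notes so out-of-tree plugins know to rebuild and re-check their version field.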
return 0;
}
+static krb5_error_code
+pac_pk_generate(void *ctx, krb5_context context,
+ struct hdb_entry_ex *client,
+ const krb5_keyblock *pk_replykey,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ krb5_warnx(context, "pac pk generate");
+
+ data.data = "\x00\x01";
+ data.length = 2;
+
+ ret = krb5_pac_init(context, pac);
+ if (ret)
+ return ret;
+
+ ret = krb5_pac_add_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+
+ return 0;
+}
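Review bot: `*pac` is leaked when `krb5_pac_add_buffer` fails: `krb5_pac_init` has already allocated it and the second early return hands the caller an error together with a live PAC. Free it on that path, `krb5_pac_free(context, *pac); *pac = NULL;` before `return ret;`. `pk_replykey` is otherwise unused, so `(void)pk_replykey;` keeps -Wunused-parameter quiet, and since buffer type 1 and the payload `"\x00\x01"` are test fixtures a comment saying so would stop someone treating this hook as a reference implementation.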
+
static krb5_error_code
pac_verify(void *ctx, krb5_context context,
const krb5_principal new_ticket_client,
windc_fini,
pac_generate,
pac_verify,
- client_access
+ client_access,
+ pac_pk_generate
};
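Review bot: The plugin table is initialised positionally, so the new `pac_pk_generate` entry is only correct because it was appended in the same slot order as the struct; a later reordering would silently bind the wrong function without a compiler warning. Designated initialisers, `.client_access = client_access, .pac_pk_generate = pac_pk_generate,` make the binding explicit, provided the file already builds as C99 and the rest of the table is converted in the same edit.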
static const krb5plugin_windc_ftable *const windc_plugins[] = {