HEIMDAL:kdc: let check_PAC() to verify the incoming server and krbtgt cheksums
authorStefan Metzmacher <metze@samba.org>
Fri, 25 Mar 2011 13:57:42 +0000 (14:57 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 18 May 2011 05:46:33 +0000 (07:46 +0200)
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for constrained delegation,
the keys differ.

metze

source4/heimdal/kdc/krb5tgs.c

index 037934f2a654e0531b0e0a0be2f91cbe3c269127..5cfe7c87914e4be2433f221d5298d3b7d91545f4 100644 (file)
@@ -282,8 +282,9 @@ check_PAC(krb5_context context,
          hdb_entry_ex *client,
          hdb_entry_ex *server,
          hdb_entry_ex *krbtgt,
-         const EncryptionKey *server_key,
+         const EncryptionKey *server_check_key,
          const EncryptionKey *krbtgt_check_key,
+         const EncryptionKey *server_sign_key,
          const EncryptionKey *krbtgt_sign_key,
          EncTicketPart *tkt,
          krb5_data *rspac,
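Review bot: All five key parameters of check_PAC now share the type `const EncryptionKey *`, with the check pair and the sign pair each interleaving server/krbtgt, so a transposed argument compiles silently — and the only caller in this diff already passes the same value to two of them. A block comment above check_PAC stating the role of each key (which checksum of the incoming PAC `server_check_key` and `krbtgt_check_key` verify, and which checksums `server_sign_key` and `krbtgt_sign_key` produce when the PAC is re-signed) would make every call site checkable by eye. The definition of check_PAC starts before this hunk and continues past it.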
@@ -328,7 +329,7 @@ check_PAC(krb5_context context,
 
                ret = krb5_pac_verify(context, pac, tkt->authtime,
                                      client_principal,
-                                     krbtgt_check_key, NULL);
+                                     server_check_key, krbtgt_check_key);
                if (ret) {
                    krb5_pac_free(context, pac);
                    return ret;
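Review bot: The new call `server_check_key, krbtgt_check_key);` passes a non-NULL key in the last position, which — if krb5_pac_verify skips the KDC checksum when that argument is NULL, as the previous `krbtgt_check_key, NULL` suggests — means the KDC checksum of the incoming PAC is verified here for the first time, so a PAC that was accepted before can now be rejected. That is the right direction, but the behavioural change deserves a comment so it is not later mistaken for a regression: `/* verify both the server checksum (server_check_key) and the KDC checksum (krbtgt_check_key); per the commit message they differ only for S4U2Proxy */`. check_PAC begins and ends outside this hunk.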
@@ -351,7 +352,7 @@ check_PAC(krb5_context context,
                    *signedpath = 1;
                    ret = _krb5_pac_sign(context, pac, tkt->authtime,
                                         client_principal,
-                                        server_key, krbtgt_sign_key, rspac);
+                                        server_sign_key, krbtgt_sign_key, rspac);
                }
                krb5_pac_free(context, pac);
                
@@ -1789,7 +1790,9 @@ server_lookup:
     }
 
     ret = check_PAC(context, config, cp,
-                   client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
+                   client, server, krbtgt,
+                   &tkey_check->key, &tkey_check->key,
+                   ekey, &tkey_sign->key,
                    tgt, &rspac, &signedpath);
     if (ret) {
        const char *msg = krb5_get_error_message(context, ret);
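Review bot: The call passes `&tkey_check->key` twice and `ekey` in the fourth key position; with five same-typed pointer arguments spread over three lines, the order is easy to break in a later edit and the compiler will not notice. Trailing comments naming the parameters would help, e.g. `&tkey_check->key, &tkey_check->key, /* server_check_key, krbtgt_check_key */` and `ekey, &tkey_sign->key, /* server_sign_key, krbtgt_sign_key */`. Passing the krbtgt key for both check positions matches the normal TGS-REQ case in the description; the S4U2Proxy path that the description says uses a different server check key is not in this diff, so I cannot confirm a caller supplies it. The enclosing function starts before this hunk.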