
krb5 commit: Expand S4U2Self exception in KDC lineage check

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Mar 13 19:39:19 2019

Date: Wed, 13 Mar 2019 19:39:13 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201903132339.x2DNdD40019790@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/26c3818737cf16d476043a4acec8afb0fa67e47f
commit 26c3818737cf16d476043a4acec8afb0fa67e47f
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Tue Jan 15 02:53:25 2019 +0200

    Expand S4U2Self exception in KDC lineage check
    
    An S4U2Self TGS-REQ using only a certificate to identify the user will
    not include PA-FOR-USER, so we need to check both types when making an
    exception in the lineage check.  (S4U2Self requests are allowed to
    bypass the lineage check because cross-realm S4U2Self ends with a
    backwards cross-realm request to the server realm.)
    
    [ghudson@mit.edu: factored out padata check; deindented the code block
    by combining conditionals; rewrote commit message]
    
    ticket: 8780 (new)

 src/kdc/kdc_util.c |   27 +++++++++++++++++----------
 1 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f274109..0dcc0c3 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -193,6 +193,17 @@ comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket,
     return(0);
 }
 
+/* Return true if padata contains an entry of either S4U2Self type. */
+static inline krb5_boolean
+has_s4u2self_padata(krb5_pa_data **padata)
+{
+    if (krb5int_find_pa_data(NULL, padata, KRB5_PADATA_FOR_USER) != NULL)
+        return TRUE;
+    if (krb5int_find_pa_data(NULL, padata, KRB5_PADATA_S4U_X509_USER) != NULL)
+        return TRUE;
+    return FALSE;
+}
+
 /* If a header ticket is decrypted, *ticket_out is filled in even on error. */
 krb5_error_code
 kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
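Review bot: has_s4u2self_padata() passes NULL as the context to krb5int_find_pa_data(), whereas the call it replaces in the second hunk passed kdc_context. If krb5int_find_pa_data() never dereferences the context this is fine, but the helper's comment should say so, or the helper should take a krb5_context parameter and forward the caller's context so the two call sites do not silently diverge in behaviour. Otherwise the helper is correct for its stated purpose: it returns TRUE when either KRB5_PADATA_FOR_USER or KRB5_PADATA_S4U_X509_USER is present, which is what the certificate-only S4U2Self case described in the commit message needs.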
@@ -305,16 +316,12 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
     }
 
     /* make sure the client is of proper lineage (see above) */
-    if (foreign_server &&
-        !krb5int_find_pa_data(kdc_context,
-                              request->padata, KRB5_PADATA_FOR_USER)) {
-        if (is_local_principal(kdc_active_realm,
-                               ticket->enc_part2->client)) {
-            /* someone in a foreign realm claiming to be local */
-            krb5_klog_syslog(LOG_INFO, _("PROCESS_TGS: failed lineage check"));
-            retval = KRB5KDC_ERR_POLICY;
-            goto cleanup_authenticator;
-        }
+    if (foreign_server && !has_s4u2self_padata(request->padata) &&
+        is_local_principal(kdc_active_realm, ticket->enc_part2->client)) {
+        /* someone in a foreign realm claiming to be local */
+        krb5_klog_syslog(LOG_INFO, _("PROCESS_TGS: failed lineage check"));
+        retval = KRB5KDC_ERR_POLICY;
+        goto cleanup_authenticator;
     }
 
     /*
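Review bot: the rewritten condition is logically equivalent to the old nested form for the PA-FOR-USER case and now also skips the lineage check when PA-S4U-X509-USER is present, so the set of requests that may bypass "someone in a foreign realm claiming to be local" grows. Because the bypass keys only on the presence of S4U2Self padata, not on its validity, the later S4U2Self processing must be the point where an unverified padata entry is rejected; a one-line comment next to the has_s4u2self_padata() call stating that the S4U2Self padata is validated downstream would make that reliance explicit for future readers. For operators, the unchanged log line "PROCESS_TGS: failed lineage check" still omits the client and server principals; including them would make this policy rejection far more useful when investigating cross-realm anomalies.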
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
