krb5 commit: Restrict test KDB to local principals
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 13 20:14:08 2020
Date: Mon, 13 Jan 2020 20:13:54 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202001140113.00E1DsCI025619@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/8c4bbfa21fe539fc8644e77814bf05ad00574750
commit 8c4bbfa21fe539fc8644e77814bf05ad00574750
Author: Isaac Boukris <iboukris@gmail.com>
Date: Sun Jan 12 18:57:10 2020 +0100
Restrict test KDB to local principals
Ignoring the lookup realm for principal matching could cause the test
KDB module to successfully look up entries (with the correct key data)
for principals that a real KDB wouldn't have, such as krbtgt/B@A
within realm C. Add a realm check to test_get_principal(), allowing
only local principal names or incoming cross-TGS names.
[ghudson@mit.edu: changed error code; rewrote commit message]
src/plugins/kdb/test/kdb_test.c | 27 ++++++++++++++++++++++++++-
src/tests/gssapi/t_s4u.py | 4 +++-
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 69a4663..76974df 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -332,6 +332,27 @@ tgtname(krb5_context context, const krb5_data *tgs_realm,
return princ;
}
+/* Return true if search_for is within context's default realm or is an
+ * incoming cross-realm TGS name. */
+static krb5_boolean
+request_for_us(krb5_context context, krb5_const_principal search_for)
+{
+ char *defrealm;
+ krb5_data realm;
+ krb5_boolean for_us;
+ krb5_principal local_tgs;
+
+ check(krb5_get_default_realm(context, &defrealm));
+ realm = string2data(defrealm);
+ local_tgs = tgtname(context, &realm, &realm);
+ krb5_free_default_realm(context, defrealm);
+
+ for_us = krb5_realm_compare(context, local_tgs, search_for) ||
+ krb5_principal_compare_any_realm(context, local_tgs, search_for);
+ krb5_free_principal(context, local_tgs);
+ return for_us;
+}
+
static krb5_error_code
test_get_principal(krb5_context context, krb5_const_principal search_for,
unsigned int flags, krb5_db_entry **entry)
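Review bot: The header comment on request_for_us() names the two accepted cases, but the body leaves it to the reader to map them onto the two compare calls, and it does not say what happens when no default realm is configured. I would annotate the disjuncts, `/* search_for is in the default realm */` above the krb5_realm_compare() call and `/* search_for is krbtgt/DEFREALM in any realm, i.e. an incoming cross-realm TGS name */` above the krb5_principal_compare_any_realm() call, and extend the header with a sentence noting that a failing krb5_get_default_realm() goes through check() rather than being returned to the caller. check() is defined outside the hunk, so whether that means abort-on-error is an inference to confirm. test_get_principal(), whose signature closes the hunk, continues outside it.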
@@ -346,6 +367,9 @@ test_get_principal(krb5_context context, krb5_const_principal search_for,
*entry = NULL;
+ if (!request_for_us(context, search_for))
+ return KRB5_KDB_NOENTRY;
+
check(krb5_unparse_name_flags(context, search_for,
KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&search_name));
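Review bot: The new early return at the top of test_get_principal() makes foreign-realm names indistinguishable from missing entries, which is what the commit intends, but nothing in the code says why, and any alias handling further down in the function (presumably outside the hunk) is no longer reachable for them. A one-line comment above the gate would carry the rationale from the commit message: `/* A real KDB has no entries for foreign-realm names (other than incoming cross-realm TGS names), so report them as absent before consulting the test config. */`. The gate does not consult flags, so a lookup the KDC makes with referral-related flags for a foreign-realm name is also rejected here; I have not verified whether any caller depends on that. The function starts and ends outside the hunk.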
@@ -449,7 +473,8 @@ lookup_princ_by_cert(krb5_context context, const krb5_data *client_cert,
cert_princ_name = k5memdup0(client_cert->data, client_cert->length, &ret);
check(ret);
- check(krb5_parse_name(context, cert_princ_name, princ));
+ check(krb5_parse_name_flags(context, cert_princ_name,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, princ));
free(cert_princ_name);
}
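Review bot: The switch to krb5_parse_name_flags() with KRB5_PRINCIPAL_PARSE_ENTERPRISE changes how a cert-derived name such as `enterprise@abc` is interpreted, as a single enterprise component in the default realm rather than as principal `enterprise` in realm `abc`, and the code does not say why. I would add above the call: `/* Parse as an enterprise name so that an "@" inside the cert name stays part of the single name component in the local realm instead of selecting a foreign realm. */`. That the motivation is the realm gate added to test_get_principal() in this commit is my inference from the t_s4u alias entries, so confirm before wording the comment that way. The enclosing lookup_princ_by_cert() starts outside the hunk.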
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 1a395c3..e174727 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -163,11 +163,13 @@ testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'},
kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}},
'dbmodules': {'test': {'db_library': 'test',
'princs': testprincs,
- 'alias': {'enterprise@abc': '@UREALM'}}}}
+ 'alias': {'enterprise@abc': '@UREALM',
+ 'user@UREALM': '@UREALM'}}}}
kdcconf2 = {'realms': {'$realm': {'database_module': 'test'}},
'dbmodules': {'test': {'db_library': 'test',
'princs': testprincs,
'alias': {'user@SREALM': '@SREALM',
+ 'user@UREALM': 'user',
'enterprise@abc': 'user'}}}}
r1, r2 = cross_realms(2, xtgts=(),
args=({'realm': 'SREALM', 'kdc_conf': kdcconf1},