[16640] in Kerberos-V5-bugs
[krbdev.mit.edu #8953] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Oct 29 19:29:18 2020
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.4-11282-1604014120-563.8953-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8953":;
Date: Thu, 29 Oct 2020 19:28:40 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Thu Oct 29 19:28:40 2020: Request 8953 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson@mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8953 >
Move more KDC checks to validate_tgs_request()
Move the following validity checks:
* the INVALID ticket flag check from kdc_process_tgs_req()
* the lineage check from process_tgs_req()
* the user-to-user second ticket client check from process_tgs_req()
* all S4U2Self validity checks from kdc_process_s4u2self_req()
* S4U2Proxy validity checks (but not KDB authorization checks) from
kdc_process_s4u2proxy_req()
In process_tgs_req(), call validate_tgs_request() after
kdc_process_s4u2self_req() and decrypt_2ndtkt() so that their outputs
can be used as validation inputs. Add stkt and is_crossrealm locals
for convenience, and remove st_idx.
There are some minor behavior changes:
* For invalid S4U2Self request options, the status string is changed
from "INVALID AS OPTIONS" to "INVALID S4U2SELF OPTIONS".
* For a header ticket with the INVALID flag, the reply code is changed
to KRB_AP_ERR_TKT_NYV (as specified in RFC 4120) and the status
string to "TICKET NOT VALID".
* For a lineage check failure, the explicit KDC log is removed, and
the status string is changed to "INVALID LINEAGE".
* For a user-to-user second ticket client mismatch, the explicit audit
call is removed, and the log message does not include the second
ticket client.
* e_data returned from the KDB check_policy_as() method will be
included in the error for S4U2Self requests.
https://github.com/krb5/krb5/commit/3b163eed1cf1f55dd4a7bc6d6fffc34f55695b00
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3b163eed1cf1f55dd4a7bc6d6fffc34f55695b00
Branch: master
src/kdc/do_tgs_req.c | 137 +++++++++++++------------------
src/kdc/kdc_util.c | 141 +++-----------------------------
src/kdc/kdc_util.h | 17 +++--
src/kdc/tgs_policy.c | 225 +++++++++++++++++++++++++++++++++++++++++++------
4 files changed, 275 insertions(+), 245 deletions(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
