krb5 commit: Propagate auth indicators in TGS requests

Greg Hudson ghudson at mit.edu
Wed Jul 22 13:29:39 EDT 2015


https://github.com/krb5/krb5/commit/97973cf89cdc18a80c2bf5450caa1548c5be0b7b
commit 97973cf89cdc18a80c2bf5450caa1548c5be0b7b
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Jan 26 16:18:38 2015 -0500

    Propagate auth indicators in TGS requests
    
    For normal and S4U2Proxy TGS requests (but not S4U2Self requests),
    extract indicators from the subject ticket and include them in the
    issued ticket.
    
    ticket: 8157

 src/kdc/do_tgs_req.c   |   15 ++++++++++++++-
 src/kdc/kdc_authdata.c |   42 ++++++++++++++++++++++++++++++++++++++++++
 src/kdc/kdc_util.h     |    4 ++++
 3 files changed, 60 insertions(+), 1 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index fbc7fe7..d196569 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -138,6 +138,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     krb5_pa_data **e_data = NULL;
     kdc_realm_t *kdc_active_realm = NULL;
     krb5_audit_state *au_state = NULL;
+    krb5_data **auth_indicators = NULL;
 
     memset(&reply, 0, sizeof(reply));
     memset(&reply_encpart, 0, sizeof(reply_encpart));
@@ -380,6 +381,17 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         subject_tkt = header_enc_tkt;
     authtime = subject_tkt->times.authtime;
 
+    /* Extract auth indicators from the subject ticket, except for S4U2Proxy
+     * requests (where the client didn't authenticate). */
+    if (s4u_x509_user == NULL) {
+        errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
+                                      &auth_indicators);
+        if (errcode) {
+            status = "GET_AUTH_INDICATORS";
+            goto cleanup;
+        }
+    }
+
     if (is_referral)
         ticket_reply.server = server->princ;
     else
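Review bot: The comment above the new guard names the wrong request type: the condition `s4u_x509_user == NULL` skips S4U2Self requests (the ones carrying PA-S4U-X509-USER), which is what the commit message says ("but not S4U2Self requests"), while the comment says S4U2Proxy. As written it will mislead the next reader into thinking constrained-delegation requests drop indicators, when they are the case where the subject ticket's indicators are meant to carry over. Suggested wording: `/* Extract auth indicators from the subject ticket, except for S4U2Self requests (where the client didn't authenticate). */`. process_tgs_req begins and ends outside this hunk.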
@@ -660,7 +672,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                               s4u_x509_user ?
                               s4u_x509_user->user_id.user : NULL,
                               subject_tkt,
-                              NULL,
+                              auth_indicators,
                               &enc_tkt_reply);
     if (errcode) {
         krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
@@ -873,6 +885,7 @@ cleanup:
     if (enc_tkt_reply.authorization_data != NULL)
         krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
     krb5_free_pa_data(kdc_context, e_data);
+    k5_free_data_ptr_list(auth_indicators);
 
     return retval;
 }
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 50b4636..1b067cb 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -778,6 +778,48 @@ cleanup:
     return ret;
 }
 
+/* Extract any properly verified authentication indicators from the authdata in
+ * enc_tkt. */
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+                    krb5_db_entry *local_tgt, krb5_data ***indicators_out)
+{
+    krb5_error_code ret;
+    krb5_authdata **cammacs = NULL, **adp;
+    krb5_cammac *cammac = NULL;
+    krb5_data **indicators = NULL, der_cammac;
+
+    *indicators_out = NULL;
+
+    ret = krb5_find_authdata(context, enc_tkt->authorization_data, NULL,
+                             KRB5_AUTHDATA_CAMMAC, &cammacs);
+    if (ret)
+        goto cleanup;
+
+    for (adp = cammacs; adp != NULL && *adp != NULL; adp++) {
+        der_cammac = make_data((*adp)->contents, (*adp)->length);
+        ret = decode_krb5_cammac(&der_cammac, &cammac);
+        if (ret)
+            goto cleanup;
+        if (cammac_check_kdcver(context, cammac, enc_tkt, local_tgt)) {
+            ret = authind_extract(context, cammac->elements, &indicators);
+            if (ret)
+                goto cleanup;
+        }
+        k5_free_cammac(context, cammac);
+        cammac = NULL;
+    }
+
+    *indicators_out = indicators;
+    indicators = NULL;
+
+cleanup:
+    krb5_free_authdata(context, cammacs);
+    k5_free_cammac(context, cammac);
+    k5_free_data_ptr_list(indicators);
+    return ret;
+}
+
 krb5_error_code
 handle_authdata(krb5_context context, unsigned int flags,
                 krb5_db_entry *client, krb5_db_entry *server,
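Review bot: get_auth_indicators returns a heap-allocated list but its header comment does not say so; the caller in do_tgs_req.c frees it with k5_free_data_ptr_list, and that contract belongs on the function. Suggested comment: `/* Extract any properly verified authentication indicators from the authdata in enc_tkt. On success *indicators_out is a list the caller must free with k5_free_data_ptr_list(), or NULL if no verified CAMMAC carried indicators. */`. One thing to confirm: the loop passes the same `&indicators` to authind_extract for every CAMMAC that passes cammac_check_kdcver, so if authind_extract replaces rather than appends to the list, indicators from an earlier CAMMAC would leak. Also note that a decode failure on any CAMMAC element (not just an unverified one) aborts the whole request via the GET_AUTH_INDICATORS status; if that is intended for data that came from a cross-realm KDC's ticket, a short comment saying so would help.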
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index ea87e96..9b4a5df 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -236,6 +236,10 @@ krb5_error_code
 unload_authdata_plugins(krb5_context context);
 
 krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+                    krb5_db_entry *local_tgt, krb5_data ***indicators_out);
+
+krb5_error_code
 handle_authdata (krb5_context context,
                  unsigned int flags,
                  krb5_db_entry *client,

