[krbdev.mit.edu #8931] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Fri Aug 7 18:49:14 EDT 2020


Fri Aug 07 18:49:14 2020: Request 8931 was acted upon.
 Transaction: Ticket created by ghudson at mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson at mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8931 >



Cache S4U2Proxy requests by second ticket

krb5_get_credentials() does not know the client principal for an
S4U2Proxy request until the end, because it is in the encrypted part
of the evidence ticket.  However, we can check the cache by second
ticket, since all S4U2Proxy requests in a cache will generally be made
with the same evidence ticket.

In the ccache types, allow mcreds->client and mcreds->server to be
NULL (as Heimdal does) to ignore them for the purpose of matching.  In
krb5int_construct_matching_creds(), set mcreds->client to NULL for
S4U2Proxy requests.  Add a cache check to
k5_get_proxy_cred_from_kdc(), and remove the cache check from
krb5_get_credentials_for_proxy() and the krb5 mech's
get_credentials().

In get_proxy_cred_from_kdc(), fix a bug where cross-realm S4U2Proxy
would cache the evidence ticket used in the final request, rather than
the original evidence ticket.

[ghudson at mit.edu: debugged cache check and cross-realm caching;
switched from new flag to null matching cred principals; wrote commit
message]

https://github.com/krb5/krb5/commit/148b317e1eb5df28dad96679cb4b8a07c62d4786
Author: Isaac Boukris <iboukris at gmail.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 148b317e1eb5df28dad96679cb4b8a07c62d4786
Branch: master
 src/lib/gssapi/krb5/init_sec_context.c |   61 ++++++++++++++------------------
 src/lib/krb5/ccache/cc_retr.c          |   13 +++----
 src/lib/krb5/ccache/ccapi/stdcc_util.c |   30 ++++++++--------
 src/lib/krb5/ccache/ccfns.c            |    3 +-
 src/lib/krb5/krb/get_creds.c           |    5 +++
 src/lib/krb5/krb/s4u_creds.c           |   58 +++++++++++++++--------------
 src/tests/s4u2proxy.c                  |    3 ++
 7 files changed, 88 insertions(+), 85 deletions(-)
