svn rev #23697: trunk/src/kdc/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Feb 4 22:43:54 EST 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23697
Commit By: ghudson
Log Message:
ticket: 6655
subject: Fix cross-realm handling of AD-SIGNEDPATH
target_version: 1.8
tags: pullup
Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
Previously we were avoiding it when answering a cross-realm client,
which was wrong.
Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).
Changed Files:
U trunk/src/kdc/kdc_authdata.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c 2010-02-05 03:25:49 UTC (rev 23696)
+++ trunk/src/kdc/kdc_authdata.c 2010-02-05 03:43:54 UTC (rev 23697)
@@ -897,10 +897,6 @@
valid);
krb5_free_data(context, data);
-
- if (code == 0 && *valid == FALSE)
- code = KRB5KRB_AP_ERR_MODIFIED;
-
return code;
}
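Review bot: With the KRB5KRB_AP_ERR_MODIFIED return dropped, a zero return from this function no longer means the checksum verified; callers must inspect `*valid`, and nothing in the hunk records that changed contract. Suggest a comment above the remaining `return code;`: `/* A checksum mismatch is not an error here: code is 0 and *valid is FALSE; the caller must then treat the ticket as unsigned. */`. The enclosing function begins outside the hunk. A mismatch is now invisible to the KDC operator; if a KDC logging facility is in scope in this file, a debug-level log of the mismatch would preserve that signal without changing the return behaviour.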
@@ -952,8 +948,10 @@
if (code != 0)
goto cleanup;
- *pdelegated = sp->delegated;
- sp->delegated = NULL;
+ if (*path_is_signed) {
+ *pdelegated = sp->delegated;
+ sp->delegated = NULL;
+ }
cleanup:
krb5_free_ad_signedpath(context, sp);
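Review bot: On the unsigned path `*pdelegated` is now left untouched, so its value depends on an initialization that is not visible in this hunk; if the function does not set it before verification, a caller could read an indeterminate pointer. Initializing `*pdelegated = NULL;` at the top of the function, or immediately before the `if (*path_is_signed)` check, makes the contract explicit: a delegated list is produced only when the path is signed. Leaving `sp->delegated` in place on that path is correct, since `krb5_free_ad_signedpath` then releases it. The enclosing function starts before the hunk, so the initialization question is inferred from the visible lines only.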
@@ -1179,7 +1177,9 @@
}
}
- if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ /* No point in including signedpath authdata for a cross-realm TGT, since
+ * it will be presented to a different KDC. */
+ if (!is_cross_tgs_principal(server->princ) &&
!only_pac_p(context, enc_tkt_reply->authorization_data)) {
code = make_ad_signedpath(context,
for_user_princ,
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2010-02-05 03:25:49 UTC (rev 23696)
+++ trunk/src/kdc/kdc_util.c 2010-02-05 03:43:54 UTC (rev 23697)
@@ -192,6 +192,17 @@
return FALSE;
}
+/* Returns TRUE if principal is the name of a cross-realm TGS. */
+krb5_boolean
+is_cross_tgs_principal(krb5_const_principal principal)
+{
+ return (krb5_princ_size(kdc_context, principal) >= 2 &&
+ data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME) &&
+ !data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kcd_context, principal)));
+}
+
/*
* given authentication data (provides seed for checksum), verify checksum
* for source data.
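Review bot: The line `*krb5_princ_realm(kcd_context, principal)));` refers to `kcd_context`, which is declared nowhere on the page and is almost certainly a typo for the `kdc_context` used two lines above; the fix is `*krb5_princ_realm(kdc_context, principal)));`. If `krb5_princ_realm` is the krb5.h macro that does not evaluate its context argument, this compiles silently, so the build will not catch it and it is worth correcting before the 1.8 pullup. The predicate itself reads correctly: at least two components, first component equal to KRB5_TGS_NAME, second component differing from the principal's own realm.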
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2010-02-05 03:25:49 UTC (rev 23696)
+++ trunk/src/kdc/kdc_util.h 2010-02-05 03:43:54 UTC (rev 23697)
@@ -42,6 +42,7 @@
krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
krb5_boolean is_local_principal(krb5_const_principal princ1);
krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
+krb5_boolean is_cross_tgs_principal(krb5_const_principal);
krb5_error_code
add_to_transited (krb5_data *,
krb5_data *,