krb5 commit: Process TGS authdata after transited in KDC
Greg Hudson
ghudson at mit.edu
Thu Mar 19 22:15:00 EDT 2015
https://github.com/krb5/krb5/commit/2dc19c3899a98e23378c19d91594470f7350756c
commit 2dc19c3899a98e23378c19d91594470f7350756c
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Mar 19 13:42:56 2015 -0400
Process TGS authdata after transited in KDC
The CAMMAC authorization data container requires a checksum over the
encrypted part of the issued ticket, with the CAMMAC contents
substituted for the authdata field. For this to work, we must
finalize the non-authdata fields of the encrypted ticket part before
adding authdata. Call handle_authdata() after checking and modifying
the transited field and potentially setting the
transited-policy-checked flag.
Also remove a redundant and inoperative conditional change to
enc_tkt_reply.times.starttime which happens after the ticket is
encrypted. We do the same thing right after setting up the ticket
times.
src/kdc/do_tgs_req.c | 42 ++++++++++++++++++------------------------
1 files changed, 18 insertions(+), 24 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index fa88623..64a78e7 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -576,25 +576,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
- errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
- subkey != NULL ? subkey :
- header_ticket->enc_part2->session,
- &encrypting_key, /* U2U or server key */
- tgskey,
- pkt,
- request,
- s4u_x509_user ?
- s4u_x509_user->user_id.user : NULL,
- subject_tkt,
- &enc_tkt_reply);
- if (errcode) {
- krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
- errcode);
- status = "HANDLE_AUTHDATA";
- goto cleanup;
- }
-
-
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
@@ -659,6 +640,24 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
goto cleanup;
}
+ errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
+ subkey != NULL ? subkey :
+ header_ticket->enc_part2->session,
+ &encrypting_key, /* U2U or server key */
+ tgskey,
+ pkt,
+ request,
+ s4u_x509_user ?
+ s4u_x509_user->user_id.user : NULL,
+ subject_tkt,
+ &enc_tkt_reply);
+ if (errcode) {
+ krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
+ errcode);
+ status = "HANDLE_AUTHDATA";
+ goto cleanup;
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
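Review bot: The new handle_authdata() call site carries no comment recording why it must come after the transited processing, so the ordering constraint the commit depends on lives only in the commit message and is easy to undo in a later refactor. The description says the CAMMAC container checksums the encrypted ticket part with the non-authdata fields finalized, which means any write to enc_tkt_reply after this call (the kind of post-encryption starttime reset the third hunk deletes) would silently invalidate that checksum. I would add, above the `errcode = handle_authdata(...)` line, `/* Must run after transited processing: CAMMAC checksums the finalized enc_tkt_reply; do not modify enc_tkt_reply fields after this point. */`. process_tgs_req() begins and ends outside this hunk, so I could not confirm from the visible lines that no other enc_tkt_reply write follows the call.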
@@ -731,11 +730,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
/* copy the time fields */
reply_encpart.times = enc_tkt_reply.times;
- /* starttime is optional, and treated as authtime if not present.
- so we can nuke it if it matches */
- if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
- enc_tkt_reply.times.starttime = 0;
-
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrentry.magic = 0;