krb5 commit: Allow referrals for cross-realm S4U2Self requests
Greg Hudson
ghudson at mit.edu
Fri Oct 12 21:58:08 EDT 2018
https://github.com/krb5/krb5/commit/bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
commit bce3da1bc392cf5e8a4ca709f8eb1cfde974e36e
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Oct 5 14:14:32 2018 +0300
Allow referrals for cross-realm S4U2Self requests
According to MS-SFU 3.2.5.1.1, the KDC should issue a referral for
S4U2Self requests if the requesting service is not in the KDC's realm.
Commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f explicitly prevents
referrals for S4U2Self requests; on further analysis, this appears to
have been preserving a bug rather than applying a proper constraint.
However, we should not issue referrals for within-realm S4U2Self
requests. (This should only come up if a server possesses a TGT but
its principal entry has been deleted.)
Remove the S4U2Self referral check in process_tgs_req(). Instead add
a more specific check in kdc_process_s4u2self_req(), adding new
parameters for the header server principal and a flag indicating
whether a referral is indicated.
[ghudson at mit.edu: rewrote commit message; adjusted style slightly]
ticket: 8747 (new)
src/kdc/do_tgs_req.c | 12 +++---------
src/kdc/kdc_util.c | 11 +++++++++++
src/kdc/kdc_util.h | 2 ++
3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index bf21781..587342a 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -269,6 +269,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
errcode = kdc_process_s4u2self_req(kdc_active_realm,
request,
header_enc_tkt->client,
+ header_ticket->server,
+ is_referral,
server,
subkey,
header_enc_tkt->session,
@@ -288,16 +290,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
if (errcode)
goto cleanup;
- if (s4u_x509_user != NULL) {
+ if (s4u_x509_user != NULL)
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
- if (is_referral) {
- /* The requesting server appears to no longer exist, and we found
- * a referral instead. Treat this as a server lookup failure. */
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- status = "LOOKING_UP_SERVER";
- goto cleanup;
- }
- }
/* Deal with user-to-user and constrained delegation */
errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360..d1c81a5 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1441,6 +1441,8 @@ krb5_error_code
kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
krb5_kdc_req *request,
krb5_const_principal client_princ,
+ krb5_const_principal header_srv_princ,
+ krb5_boolean issuing_referral,
const krb5_db_entry *server,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,
@@ -1450,6 +1452,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
const char **status)
{
krb5_error_code code;
+ krb5_boolean is_local_tgt;
krb5_pa_data *pa_data;
int flags;
krb5_db_entry *princ;
@@ -1543,6 +1546,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
return KRB5KDC_ERR_BADOPTION;
}
+ is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
+ if (is_local_tgt && issuing_referral) {
+ /* The requesting server appears to no longer exist, and we found
+ * a referral instead. Treat this as a server lookup failure. */
+ *status = "LOOKING_UP_SERVER";
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ }
+
/*
* Do not attempt to lookup principals in foreign realms.
*/
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 1885c9f..6ec645f 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -269,6 +269,8 @@ krb5_error_code
kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm,
krb5_kdc_req *request,
krb5_const_principal client_princ,
+ krb5_const_principal header_srv_princ,
+ krb5_boolean issuing_referral,
const krb5_db_entry *server,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,
More information about the cvs-krb5
mailing list