krb5 commit: Add more constraints to S4U2Self processing

Greg Hudson ghudson at mit.edu
Fri Oct 12 21:58:11 EDT 2018


https://github.com/krb5/krb5/commit/586e901145c2b874828748610bf95aa32b281fc4
commit 586e901145c2b874828748610bf95aa32b281fc4
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Fri Oct 5 14:43:51 2018 +0300

    Add more constraints to S4U2Self processing
    
    Of the eight possible combinations of local or cross TGT, local or
    non-local user, and local server or referral, four are valid.  The
    previous commit rejects two of the invalid cases (local TGT and
    referral, with local or non-local user).  Document the four valid
    cases and reject the remaining two invalid combinations.
    
    [ghudson at mit.edu: rewrote commit message; added comment documenting
    valid combinations; adjusted style and comments]
    
    ticket: 8748 (new)

 src/kdc/kdc_util.c |   28 ++++++++++++++++++++++++++++
 1 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d1c81a5..dfeaf7e 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1546,6 +1546,19 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
         return KRB5KDC_ERR_BADOPTION;
     }
 
+    /*
+     * Valid S4U2Self requests can occur in the following combinations:
+     *
+     * (1) local TGT, local user, local server
+     * (2) cross TGT, local user, issuing referral
+     * (3) cross TGT, non-local user, issuing referral
+     * (4) cross TGT, non-local user, local server
+     *
+     * The first case is for a single-realm S4U2Self scenario; the second,
+     * third, and fourth cases are for the initial, intermediate (if any), and
+     * final cross-realm requests in a multi-realm scenario.
+     */
+
     is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
     if (is_local_tgt && issuing_referral) {
         /* The requesting server appears to no longer exist, and we found
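Review bot: The new comment block lists the four valid combinations but does not say that the other four are rejected, nor that the enforcement is spread over three separate checks in this function (the local-TGT-with-referral check directly below, plus the two checks this commit adds in the local-user and non-local-user branches), so a reader cannot confirm from the table alone that every invalid combination is covered. Suggest closing the comment with `* Every other combination is rejected by the checks that follow.` so the table documents the contract and not just the happy paths.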
@@ -1562,6 +1575,13 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
         krb5_db_entry no_server;
         krb5_pa_data **e_data = NULL;
 
+        if (!is_local_tgt && !issuing_referral) {
+            /* A local server should not need a cross-realm TGT to impersonate
+             * a local principal. */
+            *status = "NOT_CROSS_REALM_REQUEST";
+            return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
+        }
+
         code = krb5_db_get_principal(kdc_context,
                                      (*s4u_x509_user)->user_id.user,
                                      KRB5_KDB_FLAG_INCLUDE_PAC, &princ);
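Review bot: The new rejection tests `!is_local_tgt && !issuing_referral`, but the premise that the user is local comes from the enclosing `if`, whose header is outside the hunk, so the comment should name the combination being refused rather than only the rationale: `/* Cross TGT, local user, local server: not one of the valid combinations listed above. */`. Placing the check before krb5_db_get_principal() is the right order, since an invalid request is then refused without a database lookup. The `*status` string presumably surfaces in the KDC's request log line for this rejection, so keeping it distinct from the other S4U2Self rejection reasons, as done here, is what makes these refusals attributable when reviewing logs.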
@@ -1584,6 +1604,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
         }
 
         *princ_ptr = princ;
+    } else if (is_local_tgt) {
+        /*
+         * The server is asking to impersonate a principal from another realm,
+         * using a local TGT.  It should instead ask that principal's realm and
+         * follow referrals back to us.
+         */
+        *status = "S4U2SELF_CLIENT_NOT_OURS";
+        return KRB5KDC_ERR_POLICY; /* match Windows error */
     }
 
     return 0;
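Review bot: The `else if (is_local_tgt)` branch is only reachable for a local TGT with a non-local user and no referral, because local TGT with referral was already rejected earlier in this function by the `is_local_tgt && issuing_referral` check, but neither the condition nor the comment says so; suggest `/* Local TGT, non-local user, local server (the referral case was rejected above). */`. It would also help to state that the two cross-TGT, non-local-user cases (3 and 4 in the table) deliberately fall through here with no further check before `return 0;`, so a future reader does not take the missing branch for an oversight. The function's closing brace is outside the hunk.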

