krb5 commit: Change definition of KRB5_KDB_FLAG_CROSS_REALM
Greg Hudson
ghudson at mit.edu
Tue Aug 20 16:49:07 EDT 2019
https://github.com/krb5/krb5/commit/e12e890f063f41bf8aef45e44a3ee329f64139d2
commit e12e890f063f41bf8aef45e44a3ee329f64139d2
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat Aug 17 22:59:25 2019 +0000
Change definition of KRB5_KDB_FLAG_CROSS_REALM
Set the CROSS_REALM flag if the header ticket was issued by a
different realm, instead of when the client is part of a different
realm. The affected corner cases are:
* In the final request of a cross-realm S4U2Self request, the header
ticket client is local but the header ticket was issued by a
different realm. The CROSS_REALM flag will now be set in this case.
* If a foreign client renews or validates a locally issued ticket, the
CROSS_REALM flag will no longer be set.
* If a foreign client requests a local TGT and then uses it to make a
request, the CROSS_REALM flag will no longer be set.
Also add a new flag KRB5_KDB_FLAG_ISSUING_REFERRAL, which is set when
the KDC decides to issue a referral or alternate TGT. Use the new
flag meanings to simplify S4U2Self processing.
[ghudson at mit.edu: edited comments and commit messages]
ticket: 8827 (new)
src/include/kdb.h | 14 +++++++++++---
src/kdc/do_tgs_req.c | 10 +++++-----
src/kdc/kdc_util.c | 13 ++++++-------
src/kdc/kdc_util.h | 3 +--
4 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index d89cd5b..86d4a64 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -123,6 +123,9 @@
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
/* Allow in-realm aliases */
#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
+/* Issuing referral */
+#define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000
+
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
@@ -1010,9 +1013,14 @@ typedef struct _kdb_vftabl {
* client entry during an S4U2Proxy TGS request. Also affects PAC
* generation.
*
- * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC when looking up a client entry
- * during a TGS request, if the client principal is not part of the
- * realm being served.
+ * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC after looking up a server
+ * entry during a TGS request, if the header ticket was issued by a
+ * different realm.
+ *
+ * KRB5_KDB_FLAG_ISSUING_REFERRAL: Set by the KDC after looking up a server
+ * entry during a TGS request, if the requested server principal is not
+ * part of the realm being served, and a referral or alternate TGT will
+ * be issued instead.
*
* KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
* for AS request client principal lookups with canonicalization
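Review bot: The new KRB5_KDB_FLAG_CROSS_REALM text describes the condition as "the header ticket was issued by a different realm", while the code that sets it (do_tgs_req.c in this commit) tests whether header_ticket->server is a local principal; naming the actual test here keeps the documentation and the check from drifting apart. Suggested wording: `* KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC after looking up a server` / `* entry during a TGS request, if the header ticket's server principal is` / `* not in the realm being served (i.e. the ticket was issued by another realm).` This comment block sits inside the _kdb_vftabl typedef, which starts and ends outside the hunk.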
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index bf65520..a7a01c2 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -262,15 +262,16 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
goto cleanup;
}
- if (!is_local_principal(kdc_active_realm, header_enc_tkt->client))
+ if (!is_local_principal(kdc_active_realm, header_ticket->server))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
+ if (is_referral)
+ setflag(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_active_realm,
request,
header_enc_tkt->client,
- header_ticket->server,
- is_referral,
+ c_flags,
server,
subkey,
header_enc_tkt->session,
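Review bot: The CROSS_REALM decision now rests on header_ticket->server, the server name from the ticket's unencrypted part, and nothing in the hunk says why that name can be trusted; a reader checking for spoofing has to go find the decryption path. Presumably the header ticket was already decrypted earlier in process_tgs_req with the key of that very principal, which is what binds the name, but that is outside this hunk and worth stating: `/* header_ticket->server is trusted here: the ticket was decrypted with that principal's key above. */`. process_tgs_req begins before and ends after this hunk.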
@@ -539,8 +540,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
}
}
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && !is_referral)
enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = subject_tkt->client;
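Review bot: The switch from !CROSS_REALM to !is_referral on the PROTOCOL_TRANSITION branch is what keeps the final request of a cross-realm S4U2Self working under the new flag definition (that request now has CROSS_REALM set, per the commit message), but the line gives no hint of that dependency. The choice of client also appears to rely on kdc_process_s4u2self_req having already rejected the mixed cases (local TGT with a referral, cross-realm TGT without one), as seen in the kdc_util.c hunks of this commit. A comment would help: `/* Not a referral: a local or final cross-realm S4U2Self request, so the ticket is issued to the impersonated user. */`. The enclosing process_tgs_req body lies outside the hunk.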
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 450f964..05684d2 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1453,8 +1453,7 @@ krb5_error_code
kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
krb5_kdc_req *request,
krb5_const_principal client_princ,
- krb5_const_principal header_srv_princ,
- krb5_boolean issuing_referral,
+ unsigned int c_flags,
const krb5_db_entry *server,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,
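Review bot: kdc_process_s4u2self_req now receives the caller's whole c_flags word but, from the later hunks in this file, consults only KRB5_KDB_FLAG_CROSS_REALM and KRB5_KDB_FLAG_ISSUING_REFERRAL; that contract is recorded neither at the definition nor at the prototype in kdc_util.h (also changed in this commit). A comment on the parameter would tell callers which bits must be populated before the call: `unsigned int c_flags, /* only CROSS_REALM and ISSUING_REFERRAL are consulted */`. Whether the caller's c_flags variable is itself declared unsigned int cannot be confirmed from this diff. The parameter list continues past the hunk.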
@@ -1464,7 +1463,6 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
const char **status)
{
krb5_error_code code;
- krb5_boolean is_local_tgt;
krb5_pa_data *pa_data;
int flags;
krb5_db_entry *princ;
@@ -1573,8 +1571,8 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
* final cross-realm requests in a multi-realm scenario.
*/
- is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
- if (is_local_tgt && issuing_referral) {
+ if (!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)) {
/* The requesting server appears to no longer exist, and we found
* a referral instead. Treat this as a server lookup failure. */
*status = "LOOKING_UP_SERVER";
@@ -1588,7 +1586,8 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
krb5_db_entry no_server;
krb5_pa_data **e_data = NULL;
- if (!is_local_tgt && !issuing_referral) {
+ if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ !isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)) {
/* A local server should not need a cross-realm TGT to impersonate
* a local principal. */
*status = "NOT_CROSS_REALM_REQUEST";
@@ -1633,7 +1632,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
}
*princ_ptr = princ;
- } else if (is_local_tgt) {
+ } else if (!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
/*
* The server is asking to impersonate a principal from another realm,
* using a local TGT. It should instead ask that principal's realm and
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 483a763..8d4d3f1 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -260,8 +260,7 @@ krb5_error_code
kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm,
krb5_kdc_req *request,
krb5_const_principal client_princ,
- krb5_const_principal header_srv_princ,
- krb5_boolean issuing_referral,
+ unsigned int c_flags,
const krb5_db_entry *server,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,