krb5 commit: Expand S4U2Self exception in KDC lineage check
Greg Hudson
ghudson at mit.edu
Wed Mar 13 19:39:13 EDT 2019
https://github.com/krb5/krb5/commit/26c3818737cf16d476043a4acec8afb0fa67e47f
commit 26c3818737cf16d476043a4acec8afb0fa67e47f
Author: Isaac Boukris <iboukris at gmail.com>
Date: Tue Jan 15 02:53:25 2019 +0200
Expand S4U2Self exception in KDC lineage check
An S4U2Self TGS-REQ using only a certificate to identify the user will
not include PA-FOR-USER, so we need to check both types when making an
exception in the lineage check. (S4U2Self requests are allowed to
bypass the lineage check because cross-realm S4U2Self ends with a
backwards cross-realm request to the server realm.)
[ghudson at mit.edu: factored out padata check; deindented the code block
by combining conditionals; rewrote commit message]
ticket: 8780 (new)
src/kdc/kdc_util.c | 27 +++++++++++++++++----------
1 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f274109..0dcc0c3 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -193,6 +193,17 @@ comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket,
return(0);
}
+/* Return true if padata contains an entry of either S4U2Self type. */
+static inline krb5_boolean
+has_s4u2self_padata(krb5_pa_data **padata)
+{
+ if (krb5int_find_pa_data(NULL, padata, KRB5_PADATA_FOR_USER) != NULL)
+ return TRUE;
+ if (krb5int_find_pa_data(NULL, padata, KRB5_PADATA_S4U_X509_USER) != NULL)
+ return TRUE;
+ return FALSE;
+}
+
/* If a header ticket is decrypted, *ticket_out is filled in even on error. */
krb5_error_code
kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
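Review bot: The header comment on has_s4u2self_padata documents only presence, while the property the caller relies on is that nothing about the entry is validated here, and the helper also drops the context argument the old call site passed as kdc_context. Suggest `/* Return true if padata contains an entry of either S4U2Self type.  This is a presence check only; the entry is not validated, and the lookup needs no context, so NULL is passed. */`. That the context is not needed is inferred from the NULL argument in the hunk and should be confirmed against krb5int_find_pa_data. The body of kdc_process_tgs_req, whose signature closes the hunk, lies outside it.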
@@ -305,16 +316,12 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
}
/* make sure the client is of proper lineage (see above) */
- if (foreign_server &&
- !krb5int_find_pa_data(kdc_context,
- request->padata, KRB5_PADATA_FOR_USER)) {
- if (is_local_principal(kdc_active_realm,
- ticket->enc_part2->client)) {
- /* someone in a foreign realm claiming to be local */
- krb5_klog_syslog(LOG_INFO, _("PROCESS_TGS: failed lineage check"));
- retval = KRB5KDC_ERR_POLICY;
- goto cleanup_authenticator;
- }
+ if (foreign_server && !has_s4u2self_padata(request->padata) &&
+ is_local_principal(kdc_active_realm, ticket->enc_part2->client)) {
+ /* someone in a foreign realm claiming to be local */
+ krb5_klog_syslog(LOG_INFO, _("PROCESS_TGS: failed lineage check"));
+ retval = KRB5KDC_ERR_POLICY;
+ goto cleanup_authenticator;
}
/*
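Review bot: The lineage check is now skipped whenever either S4U2Self padata type is merely present, before that padata has been verified, and the comment above the condition does not say what the exemption depends on. After `/* make sure the client is of proper lineage (see above) */` add `/* S4U2Self requests are exempt: cross-realm S4U2Self ends with a backwards cross-realm request to the server realm.  The padata is only checked for presence here; its validation is left to the later S4U2Self processing. */`. The last clause is inferred from the commit message and the request handling that follows outside this hunk, so confirm it before committing to the comment. kdc_process_tgs_req starts before the hunk and continues after it, and the cleanup_authenticator label is not visible here.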