Incorrect delegation state shown on acceptor side by context flags

Vipul Mehta vipulmehta.1989 at gmail.com
Fri May 17 07:33:56 EDT 2013


Hi,

It seems there is a bug in the MIT Kerberos GSS source code where the
delegation state is set in the context flags on the acceptor side.

I am using a keytab on the server side to acquire credentials with an in-memory
credential cache: cred->usage == GSS_C_BOTH
The client has the delegation flag set to false but has a forwardable TGT.

On context establishment on the server side:

A) If we use it like this:

    gss_accept_sec_context(&min_stat,
                           context,
                           server_creds,
                           &recv_tok,
                           GSS_C_NO_CHANNEL_BINDINGS,
                           &client,
                           &doid,
                           &send_tok,
                           ret_flags,
                           NULL,     /* ignore time_rec */
                           NULL);

This will work fine and ret_flags will have the delegation bit false.

B) But if we use it like this:

    delegated_gss_cred = NULL;
    gss_accept_sec_context(&min_stat,
                           context,
                           server_creds,
                           &recv_tok,
                           GSS_C_NO_CHANNEL_BINDINGS,
                           &client,
                           &doid,
                           &send_tok,
                           ret_flags,
                           NULL,     /* ignore time_rec */
                           &delegated_gss_cred);

Then it will set the delegation bit in ret_flags to true.

.....................................................................................
If we look down the code in accept_sec_context.c, it has:

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL && /* no unconstrained delegation */
        cred->usage == GSS_C_BOTH &&
        (ticket->enc_part2->flags & TKT_FLG_FORWARDABLE)) {
        /*
         * Now, we always fabricate a delegated credentials handle
         * containing the service ticket to ourselves, which can be
         * used for S4U2Proxy.
         */
        major_status = create_constrained_deleg_creds(minor_status, cred,
                                                      ticket, &deleg_cred,
                                                      context);
        if (GSS_ERROR(major_status))
            goto fail;
        ctx->gss_flags |= GSS_C_DELEG_FLAG;
    }

[case A]: (delegated_cred_handle = address of(NULL)) == NULL
[case B]: (delegated_cred_handle = address of(NULL pointer)) != NULL

So, for case B, the above if() condition will be true and it will set the
context delegation flag to true on the acceptor side even though the
delegation flag is false on the initiator side.

-- 
Regards,
Vipul
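As an added illustration (not code from the post above and not MIT krb5 code), the following C model reproduces the decision quoted from accept_sec_context.c with stand-in types and constants. posted_condition_flags mirrors the posted condition, so the GSS_C_DELEG_FLAG result depends on whether the caller passed a delegated_cred_handle pointer; gated_condition_flags is a hypothetical variant, not the upstream fix, that only reports GSS_C_DELEG_FLAG when the initiator actually asked for delegation while still handing out the S4U2Proxy handle. All struct names, fields, function names and constant values are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in constants; the bit values are illustrative, not the real ones. */
#define TKT_FLG_FORWARDABLE 0x40000000u
#define GSS_C_DELEG_FLAG    0x1u
#define GSS_C_ACCEPT        0
#define GSS_C_BOTH          2

typedef struct { int usage; } model_cred;        /* stands in for cred */

typedef struct {
    unsigned ticket_flags;      /* stands in for ticket->enc_part2->flags */
    bool     forwarded_tgt;     /* client sent a KRB-CRED: unconstrained delegation */
    bool     initiator_deleg;   /* client requested GSS_C_DELEG_FLAG */
} model_ap_req;

/* Mirrors the posted condition: the S4U2Proxy branch is gated on the caller's
 * output pointer, not on what the initiator requested. */
unsigned posted_condition_flags(const model_cred *cred, const model_ap_req *req,
                                void **delegated_cred_handle)
{
    unsigned gss_flags = 0;
    void *deleg_cred = NULL;

    if (req->forwarded_tgt) {                    /* genuine forwarded TGT */
        deleg_cred = (void *)"forwarded TGT";
        gss_flags |= GSS_C_DELEG_FLAG;
    }

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL &&                    /* no unconstrained delegation */
        cred->usage == GSS_C_BOTH &&
        (req->ticket_flags & TKT_FLG_FORWARDABLE)) {
        deleg_cred = (void *)"S4U2Proxy handle"; /* fabricated handle */
        gss_flags |= GSS_C_DELEG_FLAG;           /* set even if initiator_deleg is false */
    }

    if (delegated_cred_handle != NULL)
        *delegated_cred_handle = deleg_cred;
    return gss_flags;
}

/* Hypothetical variant: the fabricated handle is still returned, but the
 * delegation flag is only reported when the initiator asked for it. */
unsigned gated_condition_flags(const model_cred *cred, const model_ap_req *req,
                               void **delegated_cred_handle)
{
    unsigned gss_flags = 0;
    void *deleg_cred = NULL;

    if (req->forwarded_tgt) {
        deleg_cred = (void *)"forwarded TGT";
        gss_flags |= GSS_C_DELEG_FLAG;
    }

    if (delegated_cred_handle != NULL &&
        deleg_cred == NULL &&
        cred->usage == GSS_C_BOTH &&
        (req->ticket_flags & TKT_FLG_FORWARDABLE)) {
        deleg_cred = (void *)"S4U2Proxy handle";
        if (req->initiator_deleg)                /* only claim delegation if requested */
            gss_flags |= GSS_C_DELEG_FLAG;
    }

    if (delegated_cred_handle != NULL)
        *delegated_cred_handle = deleg_cred;
    return gss_flags;
}

/* Constructed scenario from the post: GSS_C_BOTH acceptor cred, forwardable
 * service ticket, client neither forwarding a TGT nor requesting delegation. */
static const model_cred   server_cred = { GSS_C_BOTH };
static const model_ap_req client_req  = { TKT_FLG_FORWARDABLE, false, false };

/* Case A: delegated_cred_handle argument is NULL. */
unsigned case_a_flags(void)
{
    return posted_condition_flags(&server_cred, &client_req, NULL);
}

/* Case B: caller passes &delegated_gss_cred, a non-NULL pointer. */
unsigned case_b_flags(void)
{
    void *h = NULL;
    return posted_condition_flags(&server_cred, &client_req, &h);
}

unsigned case_b_gated_flags(void)
{
    void *h = NULL;
    return gated_condition_flags(&server_cred, &client_req, &h);
}

/* Control: a client that really forwarded its TGT is still reported as delegating. */
unsigned forwarded_tgt_gated_flags(void)
{
    model_ap_req r = { TKT_FLG_FORWARDABLE, true, true };
    void *h = NULL;
    return gated_condition_flags(&server_cred, &r, &h);
}

int main(void)
{
    printf("case A deleg bit: %u\n", case_a_flags() & GSS_C_DELEG_FLAG);
    printf("case B deleg bit: %u\n", case_b_flags() & GSS_C_DELEG_FLAG);
    printf("case B (gated) deleg bit: %u\n", case_b_gated_flags() & GSS_C_DELEG_FLAG);
    return 0;
}
```

The practical caveat for acceptor code on this version: a set GSS_C_DELEG_FLAG in ret_flags does not by itself prove the client forwarded a TGT when a delegated_cred_handle was requested, so an application that treats that bit as "the client delegated to me" should not rely on it alone.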

