[krbdev.mit.edu #7790] PoC to fix cross realm S4U2Self

Sumit Bose via RT rt-comment at krbdev.mit.edu
Wed Dec 4 14:21:13 EST 2013


--- krb5-1.11.3/src/lib/krb5/krb/s4u_creds.c.orig	2013-11-27 17:14:33.589000000 +0100
+++ krb5-1.11.3/src/lib/krb5/krb/s4u_creds.c	2013-11-27 18:18:15.081000000 +0100
@@ -460,10 +460,13 @@
     krb5_pa_s4u_x509_user s4u_user;
     int referral_count = 0, i;
     krb5_flags kdcopt;
+    char *myprinc;
+    krb5_principal dummy_krb5_princ;
 
     memset(&tgtq, 0, sizeof(tgtq));
     memset(&s4u_creds, 0, sizeof(s4u_creds));
     memset(referral_tgts, 0, sizeof(referral_tgts));
+    memset(&dummy_krb5_princ, 0, sizeof(dummy_krb5_princ));
     *out_creds = NULL;
 
     memset(&s4u_user, 0, sizeof(s4u_user));
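Review bot: `myprinc` is declared but never initialised, while `dummy_krb5_princ` is zeroed through a `memset` on a pointer; if the cleanup label is later made to release both (it has to, since the second hunk allocates into them), an early `goto cleanup` would free an indeterminate `myprinc`. Initialise both at the declaration, `char *myprinc = NULL;` and `krb5_principal dummy_krb5_princ = NULL;`, and drop the `memset`, which also matches how the file's 4-space style declares locals. The enclosing function starts before this hunk and its cleanup code is outside both hunks.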
@@ -564,6 +567,51 @@
             }
         }
 
+	TRACE(context, "XXX: type {int} s4u_creds {princ} tgtptr {data}", krb5_princ_type(context, s4u_creds.server), s4u_creds.server, &(tgtptr->server->data[1]));
+	if (krb5_princ_component(context, s4u_creds.server, 0) != NULL
+			&& strcmp(krb5_princ_component(context, s4u_creds.server, 0), "krbtgt") != 0) {
+		if (krb5_princ_type(context, s4u_creds.server) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+			code = krb5_unparse_name_flags(context, s4u_creds.server, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &myprinc);
+			if (code != 0) {
+			    krb5_free_pa_data(context, in_padata);
+			    goto cleanup;
+			}
+	TRACE(context, "XXXX: myprinc {str}", myprinc);
+
+			code = krb5_parse_name(context, myprinc, &dummy_krb5_princ);
+			if (code != 0) {
+			    krb5_free_pa_data(context, in_padata);
+			    goto cleanup;
+			}
+
+	TRACE(context, "XXXXX: dummy_krb5_princ {princ}", dummy_krb5_princ);
+			if (data_eq(*krb5_princ_realm(context, dummy_krb5_princ), tgtptr->server->data[1])) {
+				code = krb5_copy_principal(context, dummy_krb5_princ, &s4u_creds.server);
+				if (code != 0) {
+				    krb5_free_pa_data(context, in_padata);
+				    goto cleanup;
+				}
+			}
+	TRACE(context, "XXXXXX: type {int} s4u_creds {princ} tgtptr {data}", krb5_princ_type(context, s4u_creds.server), s4u_creds.server, &(tgtptr->server->data[1]));
+
+		} else if (!data_eq(*krb5_princ_realm(context, s4u_creds.server), tgtptr->server->data[1]) && krb5_princ_type(context, s4u_creds.server) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+			code = krb5_unparse_name(context, s4u_creds.server, &myprinc);
+			if (code != 0) {
+			    krb5_free_pa_data(context, in_padata);
+			    goto cleanup;
+			}
+			krb5_free_principal(context, s4u_creds.server);
+
+			code = krb5_parse_name_flags(context, myprinc,
+						     KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+						     &s4u_creds.server);
+			if (code != 0) {
+			    krb5_free_pa_data(context, in_padata);
+			    goto cleanup;
+			}
+		}
+	}
+
         /* Rewrite server realm to match TGS realm */
         krb5_free_data_contents(context, &s4u_creds.server->realm);
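Review bot: The strings and principals allocated in this hunk are never released: `myprinc` from `krb5_unparse_name_flags` and, in the else-if branch, from `krb5_unparse_name` both need `krb5_free_unparsed_name`, and `dummy_krb5_princ` from `krb5_parse_name` needs `krb5_free_principal` once the realm comparison is done, on the error paths as well as on success. The `krb5_copy_principal` into `&s4u_creds.server` also overwrites the previous `s4u_creds.server` without freeing it, whereas the else-if branch frees `s4u_creds.server` and re-parses into the same pointer, so a failing `krb5_parse_name_flags` there leaves a freed pointer for the cleanup path unless that call clears its output on error — confirm against parse.c. The `TRACE(... "XXX ...")` lines and the tab indentation read as PoC leftovers and should not land in the final patch. The enclosing function starts and ends outside this hunk, so the `cleanup:` label that must free `myprinc` and `dummy_krb5_princ` is not visible here.
```c
        if (krb5_princ_type(context, s4u_creds.server) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
            code = krb5_unparse_name_flags(context, s4u_creds.server,
                                           KRB5_PRINCIPAL_UNPARSE_NO_REALM, &myprinc);
            if (code != 0) {
                krb5_free_pa_data(context, in_padata);
                goto cleanup;
            }
            code = krb5_parse_name(context, myprinc, &dummy_krb5_princ);
            /* The unparsed string is only needed for re-parsing; release it now. */
            krb5_free_unparsed_name(context, myprinc);
            myprinc = NULL;
            if (code != 0) {
                krb5_free_pa_data(context, in_padata);
                goto cleanup;
            }
            if (data_eq(*krb5_princ_realm(context, dummy_krb5_princ), tgtptr->server->data[1])) {
                /* Hand ownership of the re-parsed principal to s4u_creds instead of copying. */
                krb5_free_principal(context, s4u_creds.server);
                s4u_creds.server = dummy_krb5_princ;
                dummy_krb5_princ = NULL;
            }
            krb5_free_principal(context, dummy_krb5_princ);
            dummy_krb5_princ = NULL;
        } else if (!data_eq(*krb5_princ_realm(context, s4u_creds.server), tgtptr->server->data[1])) {
            /* … unchanged: unparse, free s4u_creds.server, re-parse as enterprise … */
            krb5_free_unparsed_name(context, myprinc);
            myprinc = NULL;
            if (code != 0) {
                krb5_free_pa_data(context, in_padata);
                goto cleanup;
            }
        }
```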
 


