

Expand S4U2Self exception in KDC lineage check
An S4U2Self TGS-REQ using only a certificate to identify the user will
not include PA-FOR-USER, so we need to check both types when making an
exception in the lineage check.  (S4U2Self requests are allowed to
bypass the lineage check because cross-realm S4U2Self ends with a
backwards cross-realm request to the server realm.)

[ghudson@mit.edu: factored out padata check; deindented the code block
by combining conditionals; rewrote commit message]

ticket: 8780 (new)
iboukris authored and greghudson committed Mar 13, 2019
1 parent 4c16e5f commit 26c3818
Showing 1 changed file with 17 additions and 10 deletions.
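--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -193,6 +193,17 @@ comp_cksum(krb5_context kcontext, krb5_data *source, krb5_ticket *ticket,
     return(0);
 }
 
+/* Return true if padata contains an entry of either S4U2Self type. */
+static inline krb5_boolean
+has_s4u2self_padata(krb5_pa_data **padata)
+{
+    if (krb5int_find_pa_data(NULL, padata, KRB5_PADATA_FOR_USER) != NULL)
+        return TRUE;
+    if (krb5int_find_pa_data(NULL, padata, KRB5_PADATA_S4U_X509_USER) != NULL)
+        return TRUE;
+    return FALSE;
+}
+
 /* If a header ticket is decrypted, *ticket_out is filled in even on error. */
 krb5_error_code
 kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
@@ -305,16 +316,12 @@ kdc_process_tgs_req(kdc_realm_t *kdc_active_realm,
     }
 
     /* make sure the client is of proper lineage (see above) */
-    if (foreign_server &&
-        !krb5int_find_pa_data(kdc_context,
-                              request->padata, KRB5_PADATA_FOR_USER)) {
-        if (is_local_principal(kdc_active_realm,
-                               ticket->enc_part2->client)) {
-            /* someone in a foreign realm claiming to be local */
-            krb5_klog_syslog(LOG_INFO, _("PROCESS_TGS: failed lineage check"));
-            retval = KRB5KDC_ERR_POLICY;
-            goto cleanup_authenticator;
-        }
+    if (foreign_server && !has_s4u2self_padata(request->padata) &&
+        is_local_principal(kdc_active_realm, ticket->enc_part2->client)) {
+        /* someone in a foreign realm claiming to be local */
+        krb5_klog_syslog(LOG_INFO, _("PROCESS_TGS: failed lineage check"));
+        retval = KRB5KDC_ERR_POLICY;
+        goto cleanup_authenticator;
     }
 
     /*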
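Review bot: The lineage exemption in the new combined conditional is decided solely by the presence of a PA-FOR-USER or PA-S4U-X509-USER padata entry, before any S4U2Self validation has run, yet the only in-code explanation is `(see above)`; the rationale given in the commit message belongs next to the check. I would extend the comment to `/* make sure the client is of proper lineage (see above); S4U2Self requests are exempt, since cross-realm S4U2Self ends with a backwards cross-realm request to the server realm */`. Since a foreign-realm request can carry either padata type without being a legitimate S4U2Self exchange, the later S4U2Self processing is presumably what has to re-establish that constraint for such requests — that code is outside this hunk and worth confirming. kdc_process_tgs_req begins and ends outside the hunk.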

