

Rename krbtgt variable in KDC code
In a TGS request, the header ticket server is usually a local or
cross-realm TGS principal, but for ticket modification requests it
doesn't have to be.  Similarly, the server for an AS request is
usually a krbtgt principal, but in some cases it is not.  Since the
KDC code must consider all possibilities, avoid using the name
"krbtgt" for entries which aren't necessarily TGTs.

In process_tgs_req(), rename krbtgt to header_server and tgskey to
header_key.  In handle_authdata(), rename the parameters similarly and
pass NULL from process_as_req() for the header_server and header_key
parameters; the code which uses those parameters is adjusted to match.
In validate_transit_path(), rename krbtgt to header_srv.

Do not change the semantics of the sign_authdata DAL method at this
time, but more accurately document the krbtgt and krbtgt_key
parameters.
greghudson committed Jun 15, 2015
1 parent 1c3c404 commit 7cad84e
Showing 7 changed files with 52 additions and 35 deletions.
14 changes: 8 additions & 6 deletions src/include/kdb.h
Expand Up @@ -1223,9 +1223,11 @@ typedef struct _kdb_vftabl {
*
* server: The DB entry of the service principal.
*
* krbtgt: For TGS requests, the DB entry of the (possibly foreign)
* ticket granting service of the TGT. For AS requests, the DB entry
* of the service principal.
* krbtgt: For TGS requests, the DB entry of the server of the ticket in
* the PA-TGS-REQ padata; this is usually a local or cross-realm krbtgt
* principal, but not always. For AS requests, the DB entry of the
* service principal; this is usually a local krbtgt principal, but not
* always.
*
* client_key: The reply key for the KDC request, before any FAST armor
* is applied. For AS requests, this may be the client's long-term key
Expand All @@ -1234,9 +1236,9 @@ typedef struct _kdb_vftabl {
*
* server_key: The server key used to encrypt the returned ticket.
*
* krbtgt_key: For TGS requests, the key of the (possibly foreign) ticket
* granting service of the TGT. for AS requests, the service
* principal's key.
* krbtgt_key: For TGS requests, the key used to decrypt the ticket in
* the PA-TGS-REQ padata. For AS requests, the server key used to
* encrypt the returned ticket.
*
* session_key: The session key of the ticket being granted to the
* requestor.
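Review bot: The revised AS-request wording for krbtgt and krbtgt_key still does not tell a sign_authdata implementer whether these values can differ from server and server_key, which is the question that matters when choosing which key to sign with. In this commit the KDC substitutes the service entry and key whenever no header ticket exists (`krbtgt = (header_server != NULL) ? header_server : server;` and the matching line for krbtgt_key in fetch_kdb_authdata), and process_as_req() now passes NULL for both, so at least for that caller the AS-request values are the same entry and key as server and server_key. Suggested wording: `For AS requests, the same DB entry as server (usually a local krbtgt principal, but not always).` and `For AS requests, the same key as server_key.` The _kdb_vftabl typedef starts and ends outside this hunk.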
5 changes: 3 additions & 2 deletions src/include/krb5/kdcauthdata_plugin.h
Expand Up @@ -107,9 +107,10 @@ typedef krb5_error_code
krb5_kdcauthdata_moddata moddata,
unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
krb5_db_entry *tgs, krb5_keyblock *client_key,
krb5_db_entry *header_server,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *tgs_key,
krb5_keyblock *header_key,
krb5_data *req_pkt, krb5_kdc_req *req,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
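Review bot: The renamed header_server and header_key parameters can be NULL, and nothing in the hunk says so: do_as_req.c in this commit passes NULL for both, and handle_authdata in kdc_authdata.c forwards them to each module's handle callback without substitution. A module written against the previous tgs/tgs_key names, which received state->server and its key on AS requests, would now dereference NULL and take the KDC down on the first AS request, so this is an interface-contract change rather than a pure rename. The documentation comment for this typedef begins above the hunk; add to its parameter description: `header_server and header_key are NULL for AS requests; a module must check them before use.` It is also worth recording the change wherever plugin-facing interface changes are noted for module authors.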
4 changes: 2 additions & 2 deletions src/kdc/do_as_req.c
Expand Up @@ -260,10 +260,10 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->c_flags,
state->client,
state->server,
state->server,
NULL,
&state->client_keyblock,
&state->server_keyblock,
&state->server_keyblock,
NULL,
state->req_pkt,
state->request,
NULL, /* for_user_princ */
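Review bot: Replacing state->server and &state->server_keyblock with NULL changes what loaded kdcauthdata modules observe on AS requests, which the commit message presents as a rename plus an internal adjustment; the only semantics it promises to keep are those of the DAL sign_authdata parameters, while the module loop in handle_authdata passes these two arguments through unchanged. If modules are meant to see NULL here, say so in the commit message so the change is visible to maintainers of out-of-tree modules; if not, apply in that loop the same fallback fetch_kdb_authdata uses (`header_server != NULL ? header_server : server`, and likewise for the key). finish_process_as_req starts and ends outside this hunk.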
20 changes: 11 additions & 9 deletions src/kdc/do_tgs_req.c
Expand Up @@ -102,7 +102,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
const krb5_fulladdr *from, krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_keyblock * tgskey = 0;
krb5_keyblock *header_key = NULL;
krb5_kdc_req *request = 0;
krb5_db_entry *server = NULL;
krb5_db_entry *stkt_server = NULL;
Expand All @@ -124,7 +124,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
krb5_db_entry *client = NULL, *krbtgt = NULL;
krb5_db_entry *client = NULL, *header_server = NULL;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
Expand Down Expand Up @@ -181,7 +181,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,

errcode = kdc_process_tgs_req(kdc_active_realm,
request, from, pkt, &header_ticket,
&krbtgt, &tgskey, &subkey, &pa_tgs_req);
&header_server, &header_key, &subkey,
&pa_tgs_req);
if (header_ticket && header_ticket->enc_part2)
cprinc = header_ticket->enc_part2->client;

Expand Down Expand Up @@ -613,7 +614,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
server, krbtgt);
server, header_server);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
Expand All @@ -640,11 +641,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
goto cleanup;
}

errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
errcode = handle_authdata(kdc_context, c_flags, client, server,
header_server,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
tgskey,
header_key,
pkt,
request,
s4u_x509_user ?
Expand Down Expand Up @@ -840,7 +842,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
if (state)
kdc_free_rstate(state);
krb5_db_free_principal(kdc_context, server);
krb5_db_free_principal(kdc_context, krbtgt);
krb5_db_free_principal(kdc_context, header_server);
krb5_db_free_principal(kdc_context, client);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
Expand All @@ -852,8 +854,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
if (tgskey != NULL)
krb5_free_keyblock(kdc_context, tgskey);
if (header_key != NULL)
krb5_free_keyblock(kdc_context, header_key);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
32 changes: 22 additions & 10 deletions src/kdc/kdc_authdata.c
Expand Up @@ -314,8 +314,8 @@ copy_tgt_authdata(krb5_context context, krb5_kdc_req *request,
static krb5_error_code
fetch_kdb_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
krb5_db_entry *krbtgt, krb5_keyblock *client_key,
krb5_keyblock *server_key, krb5_keyblock *krbtgt_key,
krb5_db_entry *header_server, krb5_keyblock *client_key,
krb5_keyblock *server_key, krb5_keyblock *header_key,
krb5_kdc_req *req, krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
krb5_enc_tkt_part *enc_tkt_reply)
Expand All @@ -324,6 +324,8 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
krb5_authdata **tgt_authdata, **db_authdata = NULL;
krb5_boolean tgs_req = (req->msg_type == KRB5_TGS_REQ);
krb5_const_principal actual_client;
krb5_db_entry *krbtgt;
krb5_keyblock *krbtgt_key;

/*
* Check whether KDC issued authorization data should be included.
Expand Down Expand Up @@ -361,6 +363,15 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
else
actual_client = enc_tkt_reply->client;

/*
* For DAL major version 5, always pass "krbtgt" and "krbtgt_key"
* parameters which are usually, but not always, for local or cross-realm
* TGT principals. In the future we might rename the parameters and pass
* NULL for AS requests.
*/
krbtgt = (header_server != NULL) ? header_server : server;
krbtgt_key = (header_key != NULL) ? header_key : server_key;

tgt_authdata = tgs_req ? enc_tkt_req->authorization_data : NULL;
ret = krb5_db_sign_authdata(context, flags, actual_client, client,
server, krbtgt, client_key, server_key,
Expand Down Expand Up @@ -694,8 +705,8 @@ handle_signticket(krb5_context context, unsigned int flags,
krb5_error_code
handle_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
krb5_db_entry *krbtgt, krb5_keyblock *client_key,
krb5_keyblock *server_key, krb5_keyblock *krbtgt_key,
krb5_db_entry *header_server, krb5_keyblock *client_key,
krb5_keyblock *server_key, krb5_keyblock *header_key,
krb5_data *req_pkt, krb5_kdc_req *req,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
Expand All @@ -720,9 +731,9 @@ handle_authdata(krb5_context context, unsigned int flags,
for (i = 0; i < n_authdata_modules; i++) {
h = &authdata_modules[i];
ret = h->vt.handle(context, h->data, flags, client, server,
krbtgt, client_key, server_key, krbtgt_key,
req_pkt, req, for_user_princ, enc_tkt_req,
enc_tkt_reply);
header_server, client_key, server_key,
header_key, req_pkt, req, for_user_princ,
enc_tkt_req, enc_tkt_reply);
if (ret)
kdc_err(context, ret, "from authdata module %s", h->vt.name);
}
Expand All @@ -738,15 +749,16 @@ handle_authdata(krb5_context context, unsigned int flags,

if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) {
/* Fetch authdata from the KDB if appropriate. */
ret = fetch_kdb_authdata(context, flags, client, server, krbtgt,
client_key, server_key, krbtgt_key, req,
ret = fetch_kdb_authdata(context, flags, client, server, header_server,
client_key, server_key, header_key, req,
for_user_princ, enc_tkt_req, enc_tkt_reply);
if (ret)
return ret;

/* Validate and insert AD-SIGNTICKET authdata. This must happen last
* since it contains a signature over the other authdata. */
ret = handle_signticket(context, flags, client, server, krbtgt_key,
ret = handle_signticket(context, flags, client, server,
(header_key != NULL) ? header_key : server_key,
req, for_user_princ, enc_tkt_req,
enc_tkt_reply);
if (ret)
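Review bot: The NULL-to-server-key fallback is now written twice, once for the DAL in fetch_kdb_authdata (`krbtgt_key = (header_key != NULL) ? header_key : server_key;`) and again inline in the handle_signticket call at the end of handle_authdata, while the module loop a few lines earlier passes header_server and header_key through as NULL; that is three consumers with two different policies and the reasoning documented only at the first one. Compute the fallback once near the top of handle_authdata, e.g. `/* AS requests carry no header ticket; the service key stands in for the TGT key. */` followed by `krb5_keyblock *tgt_key = (header_key != NULL) ? header_key : server_key;`, and pass tgt_key to handle_signticket. If modules are intentionally exempt from the fallback, a one-line comment above the loop should state that NULL is the AS-request contract for them, since the plugin header in this commit does not. handle_authdata's body continues past the last hunk.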
8 changes: 4 additions & 4 deletions src/kdc/kdc_util.c
Expand Up @@ -1599,17 +1599,17 @@ krb5_error_code
validate_transit_path(krb5_context context,
krb5_const_principal client,
krb5_db_entry *server,
krb5_db_entry *krbtgt)
krb5_db_entry *header_srv)
{
/* Incoming */
if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
}

/* Outgoing */
if (isflagset(krbtgt->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
(!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
!krb5_realm_compare(context, client, krbtgt->princ))) {
if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
(!krb5_principal_compare(context, server->princ, header_srv->princ) ||
!krb5_realm_compare(context, client, header_srv->princ))) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
}

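Review bot: validate_transit_path names the parameter header_srv while every other file in this commit uses header_server (do_tgs_req.c, kdc_authdata.c, kdc_util.h, kdcauthdata_plugin.h), so the same object now has two spellings across the KDC, and the new name no longer hints at what the "Outgoing" branch is comparing in the way `server->princ` versus `krbtgt->princ` did. Rename it `krb5_db_entry *header_server)` to match the rest of the commit (the prototype in kdc_util.h is not shown here and would need the same change), and add above the "Outgoing" check: `/* header_srv is the server of the ticket in PA-TGS-REQ (usually a local or cross-realm TGS). */`. The function's closing lines are outside the hunk.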
4 changes: 2 additions & 2 deletions src/kdc/kdc_util.h
Expand Up @@ -210,10 +210,10 @@ handle_authdata (krb5_context context,
unsigned int flags,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_db_entry *header_server,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_keyblock *header_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
