Add authentication indicators in AS-REQs
authorGreg Hudson <ghudson@mit.edu>
Sun, 18 Jan 2015 19:46:11 +0000 (14:46 -0500)
committerGreg Hudson <ghudson@mit.edu>
Wed, 22 Jul 2015 16:22:46 +0000 (12:22 -0400)
Add an auth_indicators parameter to handle_authdata().  In
finish_process_as_req(), supply the auth indicators asserted by
preauth modules.  In handle_authdata(), wrap any supplied auth
indicators in CAMMAC and IF-RELEVANT containers and include them in
the ticket.

ticket: 8157

src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/kdc_authdata.c
src/kdc/kdc_util.h

index 121d027b919e49f8dc7b056cfcb3eff2d3d9455a..1a76adabe65587b6fca206f41813edf539a32e18 100644 (file)
@@ -282,6 +282,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
                               state->request,
                               NULL, /* for_user_princ */
                               NULL, /* enc_tkt_request */
+                              state->auth_indicators,
                               &state->enc_tkt_reply);
     if (errcode) {
         krb5_klog_syslog(LOG_INFO, _("AS_REQ : handle_authdata (%d)"),
index f6d5cd3852963180aeb420f6323aa9b07ea723e0..fbc7fe76adcedffeccabb5f3f74ea8d89ac23d4b 100644 (file)
@@ -660,6 +660,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                               s4u_x509_user ?
                               s4u_x509_user->user_id.user : NULL,
                               subject_tkt,
+                              NULL,
                               &enc_tkt_reply);
     if (errcode) {
         krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
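Review bot: The new `NULL,` argument is passed bare, while the matching call in do_as_req.c annotates each NULL positional argument (`NULL, /* for_user_princ */`, `NULL, /* enc_tkt_request */`); with this many pointer parameters the line should read `NULL, /* auth_indicators */` so the slot can be identified without opening the prototype. More substantively, passing NULL means the TGS path never asserts indicators itself, so indicators placed in the TGT at AS time only reach the service ticket if the TGT-authdata copying inside handle_authdata() preserves the CAMMAC; that path is outside this hunk and I cannot confirm it here, so a one-line comment stating whether propagation is expected to happen there (or is deliberately deferred) would avoid a false sense that indicator enforcement covers service tickets. The enclosing process_tgs_req() starts and ends outside the hunk.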
index e06bbe630ffe77323e991bc7754a3173c59c4761..50b463603ba63167a272bdbcc9e7de778ed648fa 100644 (file)
@@ -738,6 +738,46 @@ cleanup:
     return ret;
 }
 
+/* Add authentication indicator authdata to enc_tkt_reply, wrapped in a CAMMAC
+ * and an IF-RELEVANT container. */
+static krb5_error_code
+add_auth_indicators(krb5_context context, krb5_data *const *auth_indicators,
+                    krb5_keyblock *server_key, krb5_db_entry *krbtgt,
+                    krb5_enc_tkt_part *enc_tkt_reply)
+{
+    krb5_error_code ret;
+    krb5_data *der_indicators = NULL;
+    krb5_authdata ad, *list[2], **cammac = NULL;
+
+    /* Format the authentication indicators into an authdata list. */
+    ret = encode_utf8_strings(auth_indicators, &der_indicators);
+    if (ret)
+        goto cleanup;
+    ad.ad_type = KRB5_AUTHDATA_AUTH_INDICATOR;
+    ad.length = der_indicators->length;
+    ad.contents = (uint8_t *)der_indicators->data;
+    list[0] = &ad;
+    list[1] = NULL;
+
+    /* Wrap the list in CAMMAC and IF-RELEVANT containers. */
+    ret = cammac_create(context, enc_tkt_reply, server_key, krbtgt, list,
+                        &cammac);
+    if (ret)
+        goto cleanup;
+
+    /* Add the wrapped authdata to the ticket, without copying or filtering. */
+    ret = merge_authdata(context, cammac, &enc_tkt_reply->authorization_data,
+                         FALSE, FALSE);
+    if (ret)
+        goto cleanup;
+    cammac = NULL;              /* merge_authdata() freed */
+
+cleanup:
+    krb5_free_data(context, der_indicators);
+    krb5_free_authdata(context, cammac);
+    return ret;
+}
+
 krb5_error_code
 handle_authdata(krb5_context context, unsigned int flags,
                 krb5_db_entry *client, krb5_db_entry *server,
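Review bot: The cleanup path of add_auth_indicators() relies on merge_authdata() leaving `cammac` owned by the caller when it fails: `cammac` is cleared only on success and is then freed unconditionally under `cleanup:`, so if merge_authdata() ever frees its input on an error path this becomes a double free. The comment on that line should state the contract rather than only the success case, e.g. `cammac = NULL; /* merge_authdata() took ownership (copy=FALSE); on failure we still own it and cleanup frees it */`. Separately, `ad` is a stack `krb5_authdata` whose `magic` member is never set; it is presumably not read by cammac_create(), but writing `krb5_authdata ad = { 0 };` (or setting `ad.magic`) removes the uninitialised field at no cost. The header comment could also say why the element is wrapped instead of emitted directly, i.e. that the CAMMAC gives the indicators a KDC-issued, MAC-protected container so consumers can distinguish them from client-supplied authdata.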
@@ -746,6 +786,7 @@ handle_authdata(krb5_context context, unsigned int flags,
                 krb5_keyblock *header_key, krb5_data *req_pkt,
                 krb5_kdc_req *req, krb5_const_principal for_user_princ,
                 krb5_enc_tkt_part *enc_tkt_req,
+                krb5_data *const *auth_indicators,
                 krb5_enc_tkt_part *enc_tkt_reply)
 {
     kdcauthdata_handle *h;
@@ -783,6 +824,15 @@ handle_authdata(krb5_context context, unsigned int flags,
             return ret;
     }
 
+    /* Add auth indicators if any were given. */
+    if (auth_indicators != NULL && *auth_indicators != NULL &&
+        !isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED)) {
+        ret = add_auth_indicators(context, auth_indicators, server_key,
+                                  local_tgt, enc_tkt_reply);
+        if (ret)
+            return ret;
+    }
+
     if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) {
         /* Fetch authdata from the KDB if appropriate. */
         ret = fetch_kdb_authdata(context, flags, client, server, header_server,
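Review bot: The comment above the new block, `/* Add auth indicators if any were given. */`, does not explain the second half of the condition, which silently drops the indicators for any service carrying KRB5_KDB_NO_AUTH_DATA_REQUIRED; since indicators exist so services can make authorization decisions, an operator who sets that attribute to suppress PAC-style data should be told it also suppresses indicators. Suggested wording: `/* Add auth indicators if any were given, unless the service principal has opted out of KDC-issued authdata (NO_AUTH_DATA_REQUIRED); such services never see the indicators. */`. The early `return ret;` matches the error style of the preceding block, but note that the CAMMAC is appended before fetch_kdb_authdata() runs, so a failure there leaves the partially built `enc_tkt_reply->authorization_data` to the caller — fine if the caller discards the reply on error, which cannot be confirmed from this hunk. handle_authdata() starts outside the hunk.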
index bc98fbffb9c912f8e30545e970237e836d5d9826..ea87e965bfc7c752c1025e0c70facbd938a03f11 100644 (file)
@@ -249,6 +249,7 @@ handle_authdata (krb5_context context,
                  krb5_kdc_req *request,
                  krb5_const_principal for_user_princ,
                  krb5_enc_tkt_part *enc_tkt_request,
+                 krb5_data *const *auth_indicators,
                  krb5_enc_tkt_part *enc_tkt_reply);
 
 /* replay.c */
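Review bot: The new `auth_indicators` parameter is the one argument in this prototype whose meaning is not evident from its type, and there is no comment on what callers are expected to pass; on the kdc_authdata.c side it is treated as an optional NULL-terminated array of `krb5_data` pointers (encoded as UTF-8 strings), where both NULL and an empty array mean "no indicators". A comment above the prototype along the lines of `/* auth_indicators: optional NULL-terminated list of authentication indicator strings asserted by preauth modules; NULL or empty adds none. Ignored for servers with NO_AUTH_DATA_REQUIRED. */` would document that contract for the AS and TGS callers. The prototype begins outside the hunk.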