From: Isaac Boukris Date: Fri, 5 Oct 2018 11:43:51 +0000 (+0300) Subject: Add more constraints to S4U2Self processing X-Git-Tag: krb5-1.17-beta1~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=586e901145c2b874828748610bf95aa32b281fc4;p=thirdparty%2Fkrb5.git Add more constraints to S4U2Self processing Of the eight possible combinations of local or cross TGT, local or non-local user, and local server or referral, four are valid. The previous commit rejects two of the invalid cases (local TGT and referral, with local or non-local user). Document the four valid cases and reject the remaining two invalid combinations. [ghudson@mit.edu: rewrote commit message; added comment documenting valid combinations; adjusted style and comments] ticket: 8748 (new)
---
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d1c81a54da..dfeaf7ec64 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1546,6 +1546,19 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 return KRB5KDC_ERR_BADOPTION;
 }
 
+ /*
+ * Valid S4U2Self requests can occur in the following combinations:
+ *
+ * (1) local TGT, local user, local server
+ * (2) cross TGT, local user, issuing referral
+ * (3) cross TGT, non-local user, issuing referral
+ * (4) cross TGT, non-local user, local server
+ *
+ * The first case is for a single-realm S4U2Self scenario; the second,
+ * third, and fourth cases are for the initial, intermediate (if any), and
+ * final cross-realm requests in a multi-realm scenario.
+ */
+
 is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
 if (is_local_tgt && issuing_referral) {
 /* The requesting server appears to no longer exist, and we found 
@@ -1562,6 +1575,13 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 krb5_db_entry no_server;
 krb5_pa_data **e_data = NULL;
 
+ if (!is_local_tgt && !issuing_referral) {
+ /* A local server should not need a cross-realm TGT to impersonate
+ * a local principal. */
+ *status = "NOT_CROSS_REALM_REQUEST";
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
+ }
+
 code = krb5_db_get_principal(kdc_context,
 (*s4u_x509_user)->user_id.user,
 KRB5_KDB_FLAG_INCLUDE_PAC, &princ);
@@ -1584,6 +1604,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
 }
 *princ_ptr = princ;
+ } else if (is_local_tgt) {
+ /*
+ * The server is asking to impersonate a principal from another realm,
+ * using a local TGT. It should instead ask that principal's realm and
+ * follow referrals back to us.
+ */
+ *status = "S4U2SELF_CLIENT_NOT_OURS";
+ return KRB5KDC_ERR_POLICY; /* match Windows error */
 }
 
 return 0;
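Review bot: The new rejection ahead of krb5_db_get_principal() explains itself in isolation but does not tie back to the enumerated combinations added earlier in the same function, so a reader has to re-derive which of the eight cases `!is_local_tgt && !issuing_referral` is; I would reference the list, e.g. `/* Cross TGT, local user, local server is not among the valid combinations listed above: a local server should not need a cross-realm TGT to impersonate a local principal. */`. Placing the check before the database lookup also means a requester presenting a cross-realm TGT learns nothing about whether the named local principal exists, which is worth stating in the comment if that ordering is intentional — the hunk alone does not show what the lookup failure path returns, so I am inferring the benefit. The enclosing branch (the one declaring `no_server` and `e_data`) starts before the hunk, so whether `is_local_tgt` and `issuing_referral` are always assigned on this path is not visible here.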