From: Greg Hudson Date: Mon, 9 Feb 2015 20:23:05 +0000 (-0500) Subject: Rename krbtgt variable in KDC code X-Git-Tag: krb5-1.14-alpha1~104 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7cad84e1df664f9a1513a2899661bf2b62908dd7;p=thirdparty%2Fkrb5.git Rename krbtgt variable in KDC code In a TGS request, the header ticket server is usually a local or cross-realm TGS principal, but for ticket modification requests it doesn't have to be. Similarly, the server for an AS request is usually a krbtgt principal, but in some cases it is not. Since the KDC code must consider all possibilities, avoid using the name "krbtgt" for entries which aren't necessarily TGTs. In process_tgs_req(), rename krbtgt to header_server and tgskey to header_key. In handle_authdata(), rename the parameters similarly and pass NULL from process_as_req() for the header_server and header_key parameters; the code which uses those parameters is adjusted to match. In validate_transit_path(), rename krbtgt to header_srv. Do not change the semantics of the sign_authdata DAL method at this time, but more accurately document the krbtgt and krbtgt_key parameters. --- diff --git a/src/include/kdb.h b/src/include/kdb.h index 1563a6297f..67d7557556 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h 
@@ -1223,9 +1223,11 @@ typedef struct _kdb_vftabl { * * server: The DB entry of the service principal. * - * krbtgt: For TGS requests, the DB entry of the (possibly foreign) - * ticket granting service of the TGT. For AS requests, the DB entry - * of the service principal. + * krbtgt: For TGS requests, the DB entry of the server of the ticket in + * the PA-TGS-REQ padata; this is usually a local or cross-realm krbtgt + * principal, but not always. For AS requests, the DB entry of the + * service principal; this is usually a local krbtgt principal, but not + * always. * * client_key: The reply key for the KDC request, before any FAST armor * is applied. For AS requests, this may be the client's long-term key @@ -1234,9 +1236,9 @@ typedef struct _kdb_vftabl { * * server_key: The server key used to encrypt the returned ticket. * - * krbtgt_key: For TGS requests, the key of the (possibly foreign) ticket - * granting service of the TGT. for AS requests, the service - * principal's key. + * krbtgt_key: For TGS requests, the key used to decrypt the ticket in + * the PA-TGS-REQ padata. For AS requests, the server key used to + * encrypt the returned ticket. * * session_key: The session key of the ticket being granted to the * requestor. diff --git a/src/include/krb5/kdcauthdata_plugin.h b/src/include/krb5/kdcauthdata_plugin.h index 96985668ca..53fe69cdc7 100644 --- a/src/include/krb5/kdcauthdata_plugin.h +++ b/src/include/krb5/kdcauthdata_plugin.h @@ -107,9 +107,10 @@ typedef krb5_error_code krb5_kdcauthdata_moddata moddata, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *tgs, krb5_keyblock *client_key, + krb5_db_entry *header_server, + krb5_keyblock *client_key, krb5_keyblock *server_key, - krb5_keyblock *tgs_key, + krb5_keyblock *header_key, krb5_data *req_pkt, krb5_kdc_req *req, krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_req, diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index a1db9244c1..66531268d9 100644 
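Review bot: The new krbtgt_key text for AS requests, "the server key used to encrypt the returned ticket", describes the same object the server_key paragraph just above already describes, but never says the two are the same, so a DAL implementer cannot tell from this comment whether they may differ. Before this change do_as_req.c passed `&state->server_keyblock` for both, and after it fetch_kdb_authdata substitutes server_key whenever no header key is supplied, so the comment can state it plainly: ` * krbtgt_key: For TGS requests, the key used to decrypt the ticket in` / ` * the PA-TGS-REQ padata.  For AS requests, the same key as server_key.` The krbtgt paragraph in the preceding hunk of this file has the same gap and could likewise say "the same entry as server" for AS requests.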
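Review bot: The renamed `header_server` and `header_key` parameters of the plugin handle method now arrive as NULL for AS requests (do_as_req.c passes NULL for both and handle_authdata forwards them unchanged to `h->vt.handle` in the kdc_authdata.c @@ -720 hunk), whereas the old `tgs`/`tgs_key` parameters carried the server entry and key in that case. Nothing in this hunk records that contract; the documentation comment above the typedef is outside the hunk, and if it does not already say so it should carry a line such as ` * header_server and header_key are NULL for AS requests.` A module written against the previous parameter meaning that dereferenced them unconditionally would now fault on AS requests, so the change of meaning is worth a sentence in the commit message as well as in the header.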
--- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -260,10 +260,10 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->c_flags, state->client, state->server, - state->server, + NULL, &state->client_keyblock, &state->server_keyblock, - &state->server_keyblock, + NULL, state->req_pkt, state->request, NULL, /* for_user_princ */ diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 64a78e7955..c8cd80df5c 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -102,7 +102,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response) { krb5_keyblock * subkey = 0; - krb5_keyblock * tgskey = 0; + krb5_keyblock *header_key = NULL; krb5_kdc_req *request = 0; krb5_db_entry *server = NULL; krb5_db_entry *stkt_server = NULL; @@ -124,7 +124,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, const char *status = 0; krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */ krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */ - krb5_db_entry *client = NULL, *krbtgt = NULL; + krb5_db_entry *client = NULL, *header_server = NULL; krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */ krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ @@ -181,7 +181,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, errcode = kdc_process_tgs_req(kdc_active_realm, request, from, pkt, &header_ticket, - &krbtgt, &tgskey, &subkey, &pa_tgs_req); + &header_server, &header_key, &subkey, + &pa_tgs_req); if (header_ticket && header_ticket->enc_part2) cprinc = header_ticket->enc_part2->client; 
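Review bot: The two new NULL arguments in finish_process_as_req's handle_authdata call are unannotated, while the neighbouring `NULL, /* for_user_princ */` line shows the file's convention for bare NULL arguments; in a call with this many positional parameters it is not obvious which parameter each NULL lands on. Suggest `NULL, /* header_server */` and `NULL, /* header_key */` on the two added lines. The call begins before and continues after this hunk.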
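Review bot: In the process_tgs_req @@ -124 hunk the trailing comment on the context line `krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */` contradicts the premise of this commit, that the header ticket is not necessarily a TGT, yet it is left as is while the variable beside it is renamed to header_server. Updating it to `/* ticket in PA-TGS-REQ */` keeps the declarations consistent with the new naming; the `/* TGT or evidence ticket */` comment on subject_tkt is likewise only approximately right under the commit message's description. These are declarations near the top of process_tgs_req, whose body continues well past the hunk.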
@@ -613,7 +614,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) { errcode = validate_transit_path(kdc_context, header_enc_tkt->client, - server, krbtgt); + server, header_server); if (errcode) { status = "NON_TRANSITIVE"; goto cleanup; @@ -640,11 +641,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, goto cleanup; } - errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt, + errcode = handle_authdata(kdc_context, c_flags, client, server, + header_server, subkey != NULL ? subkey : header_ticket->enc_part2->session, &encrypting_key, /* U2U or server key */ - tgskey, + header_key, pkt, request, s4u_x509_user ? @@ -840,7 +842,7 @@ cleanup: if (state) kdc_free_rstate(state); krb5_db_free_principal(kdc_context, server); - krb5_db_free_principal(kdc_context, krbtgt); + krb5_db_free_principal(kdc_context, header_server); krb5_db_free_principal(kdc_context, client); if (session_key.contents != NULL) krb5_free_keyblock_contents(kdc_context, &session_key); @@ -852,8 +854,8 @@ cleanup: krb5_free_authdata(kdc_context, kdc_issued_auth_data); if (subkey != NULL) krb5_free_keyblock(kdc_context, subkey); - if (tgskey != NULL) - krb5_free_keyblock(kdc_context, tgskey); + if (header_key != NULL) + krb5_free_keyblock(kdc_context, header_key); if (reply.padata) krb5_free_pa_data(kdc_context, reply.padata); if (reply_encpart.enc_padata) diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 704e130633..2055d03711 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c 
@@ -314,8 +314,8 @@ copy_tgt_authdata(krb5_context context, krb5_kdc_req *request, static krb5_error_code fetch_kdb_authdata(krb5_context context, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *krbtgt, krb5_keyblock *client_key, - krb5_keyblock *server_key, krb5_keyblock *krbtgt_key, + krb5_db_entry *header_server, krb5_keyblock *client_key, + krb5_keyblock *server_key, krb5_keyblock *header_key, krb5_kdc_req *req, krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_req, krb5_enc_tkt_part *enc_tkt_reply) @@ -324,6 +324,8 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, krb5_authdata **tgt_authdata, **db_authdata = NULL; krb5_boolean tgs_req = (req->msg_type == KRB5_TGS_REQ); krb5_const_principal actual_client; + krb5_db_entry *krbtgt; + krb5_keyblock *krbtgt_key; /* * Check whether KDC issued authorization data should be included. @@ -361,6 +363,15 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags, else actual_client = enc_tkt_reply->client; + /* + * For DAL major version 5, always pass "krbtgt" and "krbtgt_key" + * parameters which are usually, but not always, for local or cross-realm + * TGT principals. In the future we might rename the parameters and pass + * NULL for AS requests. + */ + krbtgt = (header_server != NULL) ? header_server : server; + krbtgt_key = (header_key != NULL) ? header_key : server_key; + tgt_authdata = tgs_req ? enc_tkt_req->authorization_data : NULL; ret = krb5_db_sign_authdata(context, flags, actual_client, client, server, krbtgt, client_key, server_key, 
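Review bot: The fallback `krbtgt = (header_server != NULL) ? header_server : server;` in fetch_kdb_authdata keys on NULL-ness, while the function already holds `tgs_req` computed from `req->msg_type` a few lines above, so the same distinction is expressed two different ways in one function and a TGS request that somehow arrived with a NULL header entry would silently be signed as if it were an AS request. Tying the choice to the request type states the intent directly: `krbtgt = tgs_req ? header_server : server;` and `krbtgt_key = tgs_req ? header_key : server_key;`, with the new comment saying that header_server and header_key are NULL exactly for AS requests. Whether a NULL header entry in a TGS request is reachable depends on kdc_process_tgs_req, which is outside this diff. The fetch_kdb_authdata body continues past the end of the hunk.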
@@ -694,8 +705,8 @@ cleanup: krb5_error_code handle_authdata(krb5_context context, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *krbtgt, krb5_keyblock *client_key, - krb5_keyblock *server_key, krb5_keyblock *krbtgt_key, + krb5_db_entry *header_server, krb5_keyblock *client_key, + krb5_keyblock *server_key, krb5_keyblock *header_key, krb5_data *req_pkt, krb5_kdc_req *req, krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_req, @@ -720,9 +731,9 @@ handle_authdata(krb5_context context, unsigned int flags, for (i = 0; i < n_authdata_modules; i++) { h = &authdata_modules[i]; ret = h->vt.handle(context, h->data, flags, client, server, - krbtgt, client_key, server_key, krbtgt_key, - req_pkt, req, for_user_princ, enc_tkt_req, - enc_tkt_reply); + header_server, client_key, server_key, + header_key, req_pkt, req, for_user_princ, + enc_tkt_req, enc_tkt_reply); if (ret) kdc_err(context, ret, "from authdata module %s", h->vt.name); } @@ -738,15 +749,16 @@ handle_authdata(krb5_context context, unsigned int flags, if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) { /* Fetch authdata from the KDB if appropriate. */ - ret = fetch_kdb_authdata(context, flags, client, server, krbtgt, - client_key, server_key, krbtgt_key, req, + ret = fetch_kdb_authdata(context, flags, client, server, header_server, + client_key, server_key, header_key, req, for_user_princ, enc_tkt_req, enc_tkt_reply); if (ret) return ret; /* Validate and insert AD-SIGNTICKET authdata. This must happen last * since it contains a signature over the other authdata. */ - ret = handle_signticket(context, flags, client, server, krbtgt_key, + ret = handle_signticket(context, flags, client, server, + (header_key != NULL) ? header_key : server_key, req, for_user_princ, enc_tkt_req, enc_tkt_reply); if (ret) diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 48be1ae2c5..bf6f17b0ac 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c 
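Review bot: The ternary added to the handle_signticket call in the @@ -738 hunk, `(header_key != NULL) ? header_key : server_key`, repeats the substitution fetch_kdb_authdata now performs internally, but at this call site it carries no comment and the reader has to work out that the NULL case is the AS request. A one-line comment above the call would carry that: `/* AS requests pass no header key; use the server key instead. */` Since handle_authdata is the only caller of both fetch_kdb_authdata and handle_signticket, computing the substituted key once in this function and passing it to both would also remove the duplicated rule, though fetch_kdb_authdata would then need its own parameters adjusted. The handle_authdata body continues after this hunk.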
@@ -1599,7 +1599,7 @@ krb5_error_code validate_transit_path(krb5_context context, krb5_const_principal client, krb5_db_entry *server, - krb5_db_entry *krbtgt) + krb5_db_entry *header_srv) { /* Incoming */ if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) { @@ -1607,9 +1607,9 @@ validate_transit_path(krb5_context context, } /* Outgoing */ - if (isflagset(krbtgt->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) && - (!krb5_principal_compare(context, server->princ, krbtgt->princ) || - !krb5_realm_compare(context, client, krbtgt->princ))) { + if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) && + (!krb5_principal_compare(context, server->princ, header_srv->princ) || + !krb5_realm_compare(context, client, header_srv->princ))) { return KRB5KDC_ERR_PATH_NOT_ACCEPTED; } diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 479a13cba6..c522f0bd2e 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -210,10 +210,10 @@ handle_authdata (krb5_context context, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, - krb5_db_entry *krbtgt, + krb5_db_entry *header_server, krb5_keyblock *client_key, krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, + krb5_keyblock *header_key, krb5_data *req_pkt, krb5_kdc_req *request, krb5_const_principal for_user_princ,
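Review bot: validate_transit_path names its renamed parameter `header_srv` while every other hunk in this commit (process_tgs_req, handle_authdata, fetch_kdb_authdata, the plugin header) uses `header_server`, which hurts grep-ability across the KDC for a name the commit message presents as one concept. The longer name appears to push the `if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&` line in the Outgoing check past 79 columns, which is presumably why the short form was chosen; wrapping the isflagset() argument list onto a second line keeps `header_server` within the limit at the cost of one extra line. The kdc_util.h prototype for validate_transit_path is not part of this diff, so if it still names the parameter krbtgt it should be renamed alongside. The function body between the two kdc_util.c hunks is not shown.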