From: Greg Hudson
Date: Mon, 26 Jan 2015 21:18:38 +0000 (-0500)
Subject: Propagate auth indicators in TGS requests
X-Git-Tag: krb5-1.14-alpha1~56
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97973cf89cdc18a80c2bf5450caa1548c5be0b7b;p=thirdparty%2Fkrb5.git

Propagate auth indicators in TGS requests

For normal and S4U2Proxy TGS requests (but not S4U2Self requests), extract indicators from the subject ticket and include them in the issued ticket.

ticket: 8157
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index fbc7fe76ad..d196569b3b 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -138,6 +138,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     krb5_pa_data **e_data = NULL;
     kdc_realm_t *kdc_active_realm = NULL;
     krb5_audit_state *au_state = NULL;
+    krb5_data **auth_indicators = NULL;
 
     memset(&reply, 0, sizeof(reply));
     memset(&reply_encpart, 0, sizeof(reply_encpart));
@@ -380,6 +381,17 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     subject_tkt = header_enc_tkt;
     authtime = subject_tkt->times.authtime;
 
+    /* Extract auth indicators from the subject ticket, except for S4U2Proxy
+     * requests (where the client didn't authenticate). */
+    if (s4u_x509_user == NULL) {
+        errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
+                                      &auth_indicators);
+        if (errcode) {
+            status = "GET_AUTH_INDICATORS";
+            goto cleanup;
+        }
+    }
+
     if (is_referral)
         ticket_reply.server = server->princ;
     else
@@ -660,7 +672,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                              s4u_x509_user ?
                              s4u_x509_user->user_id.user : NULL,
                              subject_tkt,
-                             NULL,
+                             auth_indicators,
                              &enc_tkt_reply);
     if (errcode) {
         krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
@@ -873,6 +885,7 @@ cleanup:
     if (enc_tkt_reply.authorization_data != NULL)
         krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
     krb5_free_pa_data(kdc_context, e_data);
+    k5_free_data_ptr_list(auth_indicators);
 
     return retval;
 }
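Review bot: The comment added in the second hunk (`@@ -380,6 +381,17 @@`) contradicts both the guard under it and the commit message: `if (s4u_x509_user == NULL)` skips indicator extraction when an S4U2Self user is present, yet the comment names S4U2Proxy, while the description above says indicators are propagated for normal and S4U2Proxy requests but not S4U2Self. Since the comment is what a future maintainer will trust when deciding which requests carry indicators, it should read `/* Extract auth indicators from the subject ticket, except for S4U2Self requests (where the client didn't authenticate). */`. The extraction failure path correctly sets `status` before `goto cleanup`, and the new `k5_free_data_ptr_list(auth_indicators)` in the fourth hunk covers both the early-exit and success paths. process_tgs_req begins and ends outside these hunks.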
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 50b463603b..1b067cb0ba 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -778,6 +778,48 @@ cleanup:
     return ret;
 }
 
+/* Extract any properly verified authentication indicators from the authdata in
+ * enc_tkt. */
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+                    krb5_db_entry *local_tgt, krb5_data ***indicators_out)
+{
+    krb5_error_code ret;
+    krb5_authdata **cammacs = NULL, **adp;
+    krb5_cammac *cammac = NULL;
+    krb5_data **indicators = NULL, der_cammac;
+
+    *indicators_out = NULL;
+
+    ret = krb5_find_authdata(context, enc_tkt->authorization_data, NULL,
+                             KRB5_AUTHDATA_CAMMAC, &cammacs);
+    if (ret)
+        goto cleanup;
+
+    for (adp = cammacs; adp != NULL && *adp != NULL; adp++) {
+        der_cammac = make_data((*adp)->contents, (*adp)->length);
+        ret = decode_krb5_cammac(&der_cammac, &cammac);
+        if (ret)
+            goto cleanup;
+        if (cammac_check_kdcver(context, cammac, enc_tkt, local_tgt)) {
+            ret = authind_extract(context, cammac->elements, &indicators);
+            if (ret)
+                goto cleanup;
+        }
+        k5_free_cammac(context, cammac);
+        cammac = NULL;
+    }
+
+    *indicators_out = indicators;
+    indicators = NULL;
+
+cleanup:
+    krb5_free_authdata(context, cammacs);
+    k5_free_cammac(context, cammac);
+    k5_free_data_ptr_list(indicators);
+    return ret;
+}
+
 krb5_error_code
 handle_authdata(krb5_context context, unsigned int flags,
                 krb5_db_entry *client, krb5_db_entry *server,
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index ea87e965bf..9b4a5df5d9 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -235,6 +235,10 @@ load_authdata_plugins(krb5_context context);
 krb5_error_code
 unload_authdata_plugins(krb5_context context);
 
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+                    krb5_db_entry *local_tgt, krb5_data ***indicators_out);
+
 krb5_error_code
 handle_authdata (krb5_context context, unsigned int flags,
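Review bot: In get_auth_indicators the loop calls `authind_extract(context, cammac->elements, &indicators)` once per verified CAMMAC, always passing the same `indicators` list, but nothing in the hunk says whether that helper appends to an existing list or replaces it; if it replaces, indicators from an earlier CAMMAC are silently dropped and the earlier list leaks, so the intended accumulation contract should be stated at the call, e.g. `/* authind_extract appends to *indicators, so indicators from every verified CAMMAC accumulate. */` (confirm against the helper before committing to that wording). The verifier check also deserves a one-line comment since it is the trust boundary here: `/* Only CAMMACs whose KDC verifier validates against local_tgt are trusted; others are skipped without error. */`. Note the asymmetry that a CAMMAC failing `decode_krb5_cammac` aborts the whole TGS request via the `GET_AUTH_INDICATORS` status in the caller, before any verification, while an unverifiable CAMMAC is merely ignored; if that is deliberate, say so in the header comment. The new function lies entirely within the hunk.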