From: Isaac Boukris Date: Sat, 17 Aug 2019 22:59:25 +0000 (+0000) Subject: Change definition of KRB5_KDB_FLAG_CROSS_REALM X-Git-Tag: krb5-1.18-beta1~74 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F970%2Fhead;p=thirdparty%2Fkrb5.git Change definition of KRB5_KDB_FLAG_CROSS_REALM Set the CROSS_REALM flag if the header ticket was issued by a different realm, instead of when the client is part of a different realm. The affected corner cases are: * In the final request of a cross-realm S4U2Self request, the header ticket client is local but the header ticket was issued by a different realm. The CROSS_REALM flag will now be set in this case. * If a foreign client renews or validates a locally issued ticket, the CROSS_REALM flag will no longer be set. * If a foreign client requests a local TGT and then uses it to make a request, the CROSS_REALM flag will no longer be set. Also add a new flag KRB5_KDB_FLAG_ISSUING_REFERRAL, which is set when the KDC decides to issue a referral or alternate TGT. Use the new flag meanings to simplify S4U2Self processing. [ghudson@mit.edu: edited comments and commit messages] ticket: 8827 (new) --- diff --git a/src/include/kdb.h b/src/include/kdb.h index d89cd5b6ea..86d4a64ae2 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -123,6 +123,9 @@ #define KRB5_KDB_FLAG_CROSS_REALM 0x00001000 /* Allow in-realm aliases */ #define KRB5_KDB_FLAG_ALIAS_OK 0x00002000 +/* Issuing referral */ +#define KRB5_KDB_FLAG_ISSUING_REFERRAL 0x00004000 + #define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \ KRB5_KDB_FLAG_CONSTRAINED_DELEGATION ) 
@@ -1010,9 +1013,14 @@ typedef struct _kdb_vftabl { * client entry during an S4U2Proxy TGS request. Also affects PAC * generation. * - * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC when looking up a client entry - * during a TGS request, if the client principal is not part of the - * realm being served. + * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC after looking up a server + * entry during a TGS request, if the header ticket was issued by a + * different realm. + * + * KRB5_KDB_FLAG_ISSUING_REFERRAL: Set by the KDC after looking up a server + * entry during a TGS request, if the requested server principal is not + * part of the realm being served, and a referral or alternate TGT will + * be issued instead. * * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and * for AS request client principal lookups with canonicalization diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index bf655200d0..a7a01c2699 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -262,15 +262,16 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, goto cleanup; } - if (!is_local_principal(kdc_active_realm, header_enc_tkt->client)) + if (!is_local_principal(kdc_active_realm, header_ticket->server)) setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); + if (is_referral) + setflag(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_active_realm, request, header_enc_tkt->client, - header_ticket->server, - is_referral, + c_flags, server, subkey, header_enc_tkt->session, @@ -539,8 +540,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, } } - if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && - !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) + if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && !is_referral) enc_tkt_reply.client = s4u_x509_user->user_id.user; else enc_tkt_reply.client = subject_tkt->client; 
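Review bot: The flag is now derived from the realm of `header_ticket->server`, which classifies a header ticket for the local realm's own outbound cross-realm TGT principal (krbtgt/OTHER@LOCAL) as not cross-realm, whereas the removed `is_cross_tgs_principal(header_srv_princ)` test in kdc_util.c treated such a name as a cross TGT; the rewritten conditions in the kdc_util.c hunks inherit this difference. That corner is not among the cases listed in the commit message, so it should either be stated there or be ruled out by an earlier check in kdc_process_tgs_req that this diff does not show. A short comment above the new test would help readers, e.g. `/* The server realm of a TGT is its issuing realm, so a foreign realm here means the header ticket came from another KDC. */`. process_tgs_req starts and ends outside the hunk.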
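Review bot: The rewritten condition in the second do_tgs_req.c hunk tests the local `is_referral` directly although the earlier hunk in this file encodes the same fact into c_flags as KRB5_KDB_FLAG_ISSUING_REFERRAL, which is what kdc_process_s4u2self_req now consults; keeping one source of truth, `if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && !isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL))`, avoids the two drifting apart if c_flags is ever adjusted between the two sites. This is a point of style only; the line sits inside process_tgs_req, which starts and ends outside the hunk.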
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 450f964b13..05684d2854 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -1453,8 +1453,7 @@ krb5_error_code kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, krb5_const_principal client_princ, - krb5_const_principal header_srv_princ, - krb5_boolean issuing_referral, + unsigned int c_flags, const krb5_db_entry *server, krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, @@ -1464,7 +1463,6 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, const char **status) { krb5_error_code code; - krb5_boolean is_local_tgt; krb5_pa_data *pa_data; int flags; krb5_db_entry *princ; @@ -1573,8 +1571,8 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, * final cross-realm requests in a multi-realm scenario. */ - is_local_tgt = !is_cross_tgs_principal(header_srv_princ); - if (is_local_tgt && issuing_referral) { + if (!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) && + isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)) { /* The requesting server appears to no longer exist, and we found * a referral instead. Treat this as a server lookup failure. */ *status = "LOOKING_UP_SERVER"; @@ -1588,7 +1586,8 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, krb5_db_entry no_server; krb5_pa_data **e_data = NULL; - if (!is_local_tgt && !issuing_referral) { + if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM) && + !isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)) { /* A local server should not need a cross-realm TGT to impersonate * a local principal. */ *status = "NOT_CROSS_REALM_REQUEST"; @@ -1633,7 +1632,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, } *princ_ptr = princ; - } else if (is_local_tgt) { + } else if (!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) { /* * The server is asking to impersonate a principal from another realm, * using a local TGT. It should instead ask that principal's realm and 
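Review bot: The three rewritten conditions (the hunks at 1573, 1588 and 1633) each re-spell `isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)` and `isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL)`, which reads less directly than the removed `is_local_tgt` local did. Two booleans computed once near the top of the function, `krb5_boolean cross_realm = isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM);` and `krb5_boolean referral = isflagset(c_flags, KRB5_KDB_FLAG_ISSUING_REFERRAL);`, would keep the conditions as short as before and make the three sites visibly test the same two facts. If the comment block above kdc_process_s4u2self_req (outside these hunks) describes the removed header_srv_princ and issuing_referral parameters, it should now describe c_flags instead. kdc_process_s4u2self_req starts and ends outside the hunks.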
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 483a7639a7..8d4d3f12c4 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -260,8 +260,7 @@ krb5_error_code kdc_process_s4u2self_req
 (kdc_realm_t *kdc_active_realm,
 krb5_kdc_req *request,
 krb5_const_principal client_princ,
- krb5_const_principal header_srv_princ,
- krb5_boolean issuing_referral,
+ unsigned int c_flags,
 const krb5_db_entry *server,
 krb5_keyblock *tgs_subkey,
 krb5_keyblock *tgs_session,