From 97973cf89cdc18a80c2bf5450caa1548c5be0b7b Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 26 Jan 2015 16:18:38 -0500
Subject: [PATCH] Propagate auth indicators in TGS requests

For normal and S4U2Proxy TGS requests (but not S4U2Self requests), extract indicators from the subject ticket and include them in the issued ticket.

ticket: 8157
---
 src/kdc/do_tgs_req.c   | 15 ++++++++++++++-
 src/kdc/kdc_authdata.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 src/kdc/kdc_util.h     |  4 ++++
 3 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index fbc7fe76ad..d196569b3b 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -138,6 +138,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     krb5_pa_data **e_data = NULL;
     kdc_realm_t *kdc_active_realm = NULL;
     krb5_audit_state *au_state = NULL;
+    krb5_data **auth_indicators = NULL;
 
     memset(&reply, 0, sizeof(reply));
     memset(&reply_encpart, 0, sizeof(reply_encpart));
@@ -380,6 +381,17 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     subject_tkt = header_enc_tkt;
     authtime = subject_tkt->times.authtime;
 
+    /* Extract auth indicators from the subject ticket, except for S4U2Proxy
+     * requests (where the client didn't authenticate). */
+    if (s4u_x509_user == NULL) {
+        errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
+                                      &auth_indicators);
+        if (errcode) {
+            status = "GET_AUTH_INDICATORS";
+            goto cleanup;
+        }
+    }
+
     if (is_referral)
         ticket_reply.server = server->princ;
     else
@@ -660,7 +672,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
                                  s4u_x509_user ?
                                  s4u_x509_user->user_id.user : NULL,
                                  subject_tkt,
-                                 NULL,
+                                 auth_indicators,
                                  &enc_tkt_reply);
         if (errcode) {
             krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
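Review bot: The new comment in the @@ -380 hunk names S4U2Proxy as the excluded case, but the commit description says indicators are skipped for S4U2Self requests, and the guard tests `s4u_x509_user`, which as far as this hunk shows is the S4U2Self padata state; the comment appears to contradict both the description and the condition it documents. Suggest `/* Extract auth indicators from the subject ticket, except for S4U2Self` / ` * requests (where the client didn't authenticate). */`. The failure path sets `status = "GET_AUTH_INDICATORS"` and aborts the request, so a subject ticket whose CAMMAC cannot be decoded is refused rather than issued without indicators; that fail-closed choice deserves a sentence in the comment so it is not relaxed by accident later. process_tgs_req starts and ends outside this hunk.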
@@ -873,6 +885,7 @@ cleanup:
     if (enc_tkt_reply.authorization_data != NULL)
         krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
     krb5_free_pa_data(kdc_context, e_data);
+    k5_free_data_ptr_list(auth_indicators);
     return retval;
 }
 
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 50b463603b..1b067cb0ba 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -778,6 +778,48 @@ cleanup:
     return ret;
 }
 
+/* Extract any properly verified authentication indicators from the authdata in
+ * enc_tkt. */
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+                    krb5_db_entry *local_tgt, krb5_data ***indicators_out)
+{
+    krb5_error_code ret;
+    krb5_authdata **cammacs = NULL, **adp;
+    krb5_cammac *cammac = NULL;
+    krb5_data **indicators = NULL, der_cammac;
+
+    *indicators_out = NULL;
+
+    ret = krb5_find_authdata(context, enc_tkt->authorization_data, NULL,
+                             KRB5_AUTHDATA_CAMMAC, &cammacs);
+    if (ret)
+        goto cleanup;
+
+    for (adp = cammacs; adp != NULL && *adp != NULL; adp++) {
+        der_cammac = make_data((*adp)->contents, (*adp)->length);
+        ret = decode_krb5_cammac(&der_cammac, &cammac);
+        if (ret)
+            goto cleanup;
+        if (cammac_check_kdcver(context, cammac, enc_tkt, local_tgt)) {
+            ret = authind_extract(context, cammac->elements, &indicators);
+            if (ret)
+                goto cleanup;
+        }
+        k5_free_cammac(context, cammac);
+        cammac = NULL;
+    }
+
+    *indicators_out = indicators;
+    indicators = NULL;
+
+cleanup:
+    krb5_free_authdata(context, cammacs);
+    k5_free_cammac(context, cammac);
+    k5_free_data_ptr_list(indicators);
+    return ret;
+}
+
 krb5_error_code
 handle_authdata(krb5_context context, unsigned int flags,
                 krb5_db_entry *client, krb5_db_entry *server,
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index ea87e965bf..9b4a5df5d9 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
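Review bot: The header comment on get_auth_indicators does not state the output contract: `*indicators_out` is left NULL when no verified CAMMAC is present, and on success the caller owns the list and releases it with `k5_free_data_ptr_list()`, as the do_tgs_req.c cleanup path does. Suggest extending it to `/* Extract any properly verified authentication indicators from the authdata in enc_tkt.  On success, *indicators_out is NULL or a list the caller frees with k5_free_data_ptr_list(). */`. When more than one CAMMAC passes cammac_check_kdcver(), authind_extract() is called repeatedly with the same `&indicators`; whether it appends to or replaces the existing list is not visible here, and if it replaces, the earlier entries would leak, so this is worth confirming and noting in the loop. A CAMMAC that fails cammac_check_kdcver() is dropped without any record; for KDC forensics a trace message at that point would make CAMMACs that do not verify under the local TGT key visible in the logs. handle_authdata's signature runs past the end of the hunk.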
@@ -235,6 +235,10 @@ load_authdata_plugins(krb5_context context);
 
 krb5_error_code
 unload_authdata_plugins(krb5_context context);
 
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+                    krb5_db_entry *local_tgt, krb5_data ***indicators_out);
+
 krb5_error_code
 handle_authdata (krb5_context context, unsigned int flags,
-- 
2.47.3