authorGreg Hudson <ghudson@mit.edu>2009-11-14 04:46:30 +0000
committerGreg Hudson <ghudson@mit.edu>2009-11-14 04:46:30 +0000
commit0524889196c42d81dcc4c74277522b46f987cabb (patch)
tree9f906eb1a4a32346ae94837c4fe199410e2dd10f /src/plugins
parent26044e2a3c3104b9c3f32a6ae58145e7e6394672 (diff)
Constrained delegation without PAC support
Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2. ticket: 6580 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/authdata/greet_server/greet_auth.c33
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c37
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif11
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema9
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c37
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c1
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c6
7 files changed, 115 insertions, 19 deletions
diff --git a/src/plugins/authdata/greet_server/greet_auth.c b/src/plugins/authdata/greet_server/greet_auth.c
index 9a0533286e..fad044a55d 100644
--- a/src/plugins/authdata/greet_server/greet_auth.c
+++ b/src/plugins/authdata/greet_server/greet_auth.c
@@ -69,7 +69,7 @@ greet_kdc_verify(krb5_context context,
NULL,
KRB5_AUTHDATA_KDC_ISSUED,
&tgt_authdata);
- if (code != 0)
+ if (code != 0 || tgt_authdata == NULL)
return 0;
code = krb5_verify_authdata_kdc_issued(context,
@@ -113,6 +113,7 @@ greet_kdc_sign(krb5_context context,
krb5_error_code code;
krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL;
krb5_authdata **if_relevant = NULL;
+ krb5_authdata **tkt_authdata;
ad_datum.ad_type = -42;
ad_datum.contents = (krb5_octet *)greeting->data;
@@ -138,13 +139,20 @@ greet_kdc_sign(krb5_context context,
return code;
}
- /* this isn't very friendly to other plugins... */
- krb5_free_authdata(context, enc_tkt_reply->authorization_data);
- enc_tkt_reply->authorization_data = if_relevant;
+ code = krb5_merge_authdata(context,
+ if_relevant,
+ enc_tkt_reply->authorization_data,
+ &tkt_authdata);
+ if (code == 0) {
+ krb5_free_authdata(context, enc_tkt_reply->authorization_data);
+ enc_tkt_reply->authorization_data = tkt_authdata;
+ } else {
+ krb5_free_authdata(context, if_relevant);
+ }
krb5_free_authdata(context, kdc_issued);
- return 0;
+ return code;
}
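Review bot: `if_relevant` is freed only in the `else` branch after `code = krb5_merge_authdata(...)`, so it leaks on every successful sign. The success path frees `enc_tkt_reply->authorization_data` and keeps `tkt_authdata`, which is only sound if the merge copies its inputs rather than sharing their elements; by the same reasoning the merged array does not share `if_relevant` either, and nothing else releases it. Move the free out of the conditional: delete the `else` block and put `krb5_free_authdata(context, if_relevant);` right before the existing `krb5_free_authdata(context, kdc_issued);`. greet_kdc_sign begins before this hunk.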
static krb5_error_code
@@ -165,17 +173,12 @@ greet_authdata(krb5_context context,
krb5_error_code code;
krb5_data *greeting = NULL;
- if (request->msg_type == KRB5_TGS_REQ) {
- code = greet_kdc_verify(context, enc_tkt_request, &greeting);
- if (code != 0)
- return code;
- }
+ if (request->msg_type != KRB5_TGS_REQ)
+ return 0;
- if (greeting == NULL) {
- code = greet_hello(context, &greeting);
- if (code != 0)
- return code;
- }
+ code = greet_hello(context, &greeting);
+ if (code != 0)
+ return code;
code = greet_kdc_sign(context, enc_tkt_reply, tgs->princ, greeting);
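Review bot: The removed block was the only call to greet_kdc_verify visible in this file, yet the first hunk still patches that function; if no other caller remains it is now dead static code that `-Wunused-function` will flag, and the `greeting` it used to extract from the TGT is never read. Either drop greet_kdc_verify together with this call, or add a comment above the `if (request->msg_type != KRB5_TGS_REQ)` guard explaining why the request-side authdata is no longer verified here (e.g. that verification now happens on the consumer side). greet_authdata continues past this hunk, so the lifetime of `greeting` after greet_kdc_sign cannot be checked from here.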
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
index 717daee227..27f094f82e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
@@ -75,6 +75,40 @@ krb5_ldap_audit_as(krb5_context context,
return code;
}
+static krb5_error_code
+krb5_ldap_check_allowed_to_delegate(krb5_context context,
+ unsigned int method,
+ const krb5_data *request,
+ krb5_data *response)
+{
+ const kdb_check_allowed_to_delegate_req *req;
+ krb5_error_code code;
+ krb5_tl_data *tlp;
+
+ req = (const kdb_check_allowed_to_delegate_req *)request->data;
+
+ code = KRB5KDC_ERR_POLICY;
+
+ for (tlp = req->server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
+ krb5_principal acl;
+
+ if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
+ continue;
+
+ if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
+ continue;
+
+ if (krb5_principal_compare(context, req->proxy, acl)) {
+ code = 0;
+ krb5_free_principal(context, acl);
+ break;
+ }
+ krb5_free_principal(context, acl);
+ }
+
+ return code;
+}
+
krb5_error_code
krb5_ldap_invoke(krb5_context context,
unsigned int method,
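Review bot: The parse at `krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl)` relies on tl_data_contents being NUL-terminated and ignores tl_data_length. That holds for entries built by the ldap_misc.c hunk in this commit, which strdup()s the attribute value, but krb5_tl_data carries an explicit length because contents are not terminated in general, so any other producer of KRB5_TL_CONSTRAINED_DELEGATION_ACL would turn this access-control check into an over-read. Parsing from a length-bounded, terminated copy removes the dependency; keeping an unparseable entry fail-closed (as `continue` does now) is right, but it is worth a KDC log line, since a typo in krbAllowedToDelegateTo otherwise silently disables an entry the administrator believes is in effect. Defaulting `code` to KRB5KDC_ERR_POLICY when the attribute is absent is the correct fail-closed choice and deserves a one-line comment saying so.
```c
    for (tlp = req->server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
        krb5_principal acl;
        char *name;

        if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
            continue;

        /* tl_data_length does not include a terminator; never assume one. */
        name = malloc((size_t)tlp->tl_data_length + 1);
        if (name == NULL)
            return ENOMEM;
        memcpy(name, tlp->tl_data_contents, tlp->tl_data_length);
        name[tlp->tl_data_length] = '\0';
        if (krb5_parse_name(context, name, &acl) != 0) {
            free(name);
            continue;   /* unparseable entry: fail closed for this value */
        }
        free(name);
        /* … unchanged: krb5_principal_compare against req->proxy, free acl … */
    }
```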
@@ -90,6 +124,9 @@ krb5_ldap_invoke(krb5_context context,
case KRB5_KDB_METHOD_AUDIT_AS:
code = krb5_ldap_audit_as(context, method, req, rep);
break;
+ case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
+ code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
+ break;
default:
break;
}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
index fd226b13d3..886f8b4359 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
@@ -662,6 +662,15 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.53.1
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### A list of services to which a service principal can delegate.
+dn: cn=schema
+changetype: modify
+add: attributetypes
+attributetype: ( 1.3.6.1.4.1.5322.21.2.4
+ NAME 'krbAllowedToDelegateTo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
########################################################################
########################################################################
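Review bot: The new entry follows `add: attributetypes` with a value line spelled `attributetype: ( 1.3.6.1.4.1.5322.21.2.4`, while the surrounding file uses `attributetypes:` (see the context line `attributetypes: ( 2.16.840.1.113719.1.301.4.53.1` at the top of this hunk). An LDIF modify requires the value attribute to match the one named in `add:`, so a directory server applying this file should reject the change and the attribute would never exist, leaving every delegation check in the LDAP backend failing closed with no obvious cause. Change the line to `attributetypes: ( 1.3.6.1.4.1.5322.21.2.4`.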
@@ -745,7 +754,7 @@ add: objectclasses
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
AUXILIARY
- MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )
###### This class is used to create additional principals and stand alone principals.
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
index 9525e60d62..65e07d6cde 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
@@ -533,6 +533,13 @@ attributetype ( 2.16.840.1.113719.1.301.4.53.1
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+##### A list of services to which a service principal can delegate.
+attributetype ( 1.3.6.1.4.1.5322.21.2.4
+ NAME 'krbAllowedToDelegateTo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+
########################################################################
########################################################################
# Object Class Definitions #
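Review bot: The comment `##### A list of services to which a service principal can delegate.` does not say what a value looks like or how it is matched, which matters because the KDC-side check parses each value with krb5_parse_name and compares it with krb5_principal_compare, so a value without a realm picks up the KDC's default realm and a realm spelled in the wrong case will not match. Suggested comment: `##### Principal names (e.g. HTTP/www.example.com@EXAMPLE.COM) this service may obtain tickets for on behalf of a client (constrained delegation). Each value is parsed as a full principal name and compared exactly; multi-valued.` The same wording belongs on the kerberos.ldif copy of this definition.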
@@ -602,7 +609,7 @@ objectclass ( 2.16.840.1.113719.1.301.6.8.1
NAME 'krbPrincipalAux'
SUP top
AUXILIARY
- MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+ MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )
###### This class is used to create additional principals and stand alone principals.
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 8625984d87..a5ab6598a1 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -2085,6 +2085,43 @@ populate_krb5_db_entry (krb5_context context,
}
}
+ /* ALLOWED TO DELEGATE TO */
+ {
+ char **a2d2 = NULL;
+ int i;
+ krb5_tl_data **tlp;
+
+ st = krb5_ldap_get_strings(ld, ent, "krbAllowedToDelegateTo",
+ &a2d2, &attr_present);
+ if (st != 0)
+ goto cleanup;
+
+ if (attr_present == TRUE) {
+ for (tlp = &entry->tl_data; *tlp; tlp = &(*tlp)->tl_data_next)
+ ;
+ for (i = 0; a2d2[i] != NULL; i++) {
+ krb5_tl_data *tl = k5alloc(sizeof(*tl), &st);
+ if (st != 0) {
+ ldap_value_free(a2d2);
+ goto cleanup;
+ }
+ tl->tl_data_type = KRB5_TL_CONSTRAINED_DELEGATION_ACL;
+ tl->tl_data_length = strlen(a2d2[i]);
+ tl->tl_data_contents = (krb5_octet *)strdup(a2d2[i]);
+ if (tl->tl_data_contents == NULL) {
+ st = ENOMEM;
+ ldap_value_free(a2d2);
+ free(tl);
+ goto cleanup;
+ }
+ tl->tl_data_next = NULL;
+ *tlp = tl;
+ tlp = &tl->tl_data_next;
+ }
+ ldap_value_free(a2d2);
+ }
+ }
+
/* KRBOBJECTREFERENCES */
{
int i=0;
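Review bot: `tl->tl_data_length = strlen(a2d2[i]);` stores a size_t into what is, as far as I recall from kdb.h, a 16-bit field in krb5_tl_data, so an attribute value of 32 KiB or more is silently truncated while `tl_data_contents` still holds the full strdup()ed string, leaving length and contents inconsistent in a record later used for an authorization decision. Reject over-long values before the assignment, e.g. `if (strlen(a2d2[i]) > INT16_MAX) { st = EINVAL; ldap_value_free(a2d2); goto cleanup; }`, or skip the value with a log line if a hard failure is undesirable. A short comment that `tl_data_length` deliberately excludes the terminator (the consumer in kdb_ext.c depends on the strdup()ed NUL) would also help the next maintainer. populate_krb5_db_entry begins before and ends after this hunk.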
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index ecc4d3c8aa..c59944406c 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -61,6 +61,7 @@ char *principal_attributes[] = { "krbprincipalname",
"krbLastPwdChange",
"krbExtraData",
"krbObjectReferences",
+ "krbAllowedToDelegateTo",
NULL };
/* Must match KDB_*_ATTR macros in ldap_principal.h. */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 42a76859a0..3474b7cda1 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -1082,7 +1082,8 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
- || ptr->tl_data_type == KDB_TL_USER_INFO)
+ || ptr->tl_data_type == KDB_TL_USER_INFO
+ || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
continue;
count++;
}
@@ -1102,7 +1103,8 @@ krb5_ldap_put_principal(context, entries, nentries, db_args)
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
- || ptr->tl_data_type == KDB_TL_USER_INFO)
+ || ptr->tl_data_type == KDB_TL_USER_INFO
+ || ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL)
continue;
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
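Review bot: The `||` chain that decides which tl_data types are not written to LDAP is now duplicated verbatim between the counting loop in the previous hunk and the serialisation loop here, and this commit had to touch both; the two copies will drift the next time a type is added. Factor the condition into one file-local predicate, e.g. `static int ldap_tl_data_is_synthetic(int type)` returning true for KRB5_TL_DB_ARGS (under the same `#ifdef`), KRB5_TL_KADM_DATA, KDB_TL_USER_INFO and KRB5_TL_CONSTRAINED_DELEGATION_ACL, with a comment noting these types are derived from dedicated LDAP attributes rather than stored as opaque tl_data. krb5_ldap_put_principal begins before and ends after this hunk.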