diff options
| author | Greg Hudson <ghudson@mit.edu> | 2010-02-05 03:43:54 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-02-05 03:43:54 +0000 |
| commit | 6581735ddea7215935e91c34a2103de1acfe3952 (patch) | |
| tree | 4903c4e428d912a25124525c7fe8a0e5a9250f25 /src/kdc | |
| parent | bebdddf413bc4edbe6a738f6f01aa3428d2e8381 (diff) | |
| download | krb5-6581735ddea7215935e91c34a2103de1acfe3952.tar.gz krb5-6581735ddea7215935e91c34a2103de1acfe3952.tar.xz krb5-6581735ddea7215935e91c34a2103de1acfe3952.zip | |
Fix cross-realm handling of AD-SIGNEDPATH
Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
Previously we were avoiding it when answering a cross-realm client,
which was wrong.
Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).
ticket: 6655
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
| -rw-r--r-- | src/kdc/kdc_authdata.c | 14 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 11 | ||||
| -rw-r--r-- | src/kdc/kdc_util.h | 1 |
3 files changed, 19 insertions, 7 deletions
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 8b01ad388..50975580c 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -897,10 +897,6 @@ verify_ad_signedpath_checksum(krb5_context context, valid); krb5_free_data(context, data); - - if (code == 0 && *valid == FALSE) - code = KRB5KRB_AP_ERR_MODIFIED; - return code; } @@ -952,8 +948,10 @@ verify_ad_signedpath(krb5_context context, if (code != 0) goto cleanup; - *pdelegated = sp->delegated; - sp->delegated = NULL; + if (*path_is_signed) { + *pdelegated = sp->delegated; + sp->delegated = NULL; + } cleanup: krb5_free_ad_signedpath(context, sp); @@ -1179,7 +1177,9 @@ handle_signedpath_authdata (krb5_context context, } } - if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) && + /* No point in including signedpath authdata for a cross-realm TGT, since + * it will be presented to a different KDC. */ + if (!is_cross_tgs_principal(server->princ) && !only_pac_p(context, enc_tkt_reply->authorization_data)) { code = make_ad_signedpath(context, for_user_princ, diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 6ee96b266..281bcc8ee 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -192,6 +192,17 @@ krb5_is_tgs_principal(krb5_const_principal principal) return FALSE; } +/* Returns TRUE if principal is the name of a cross-realm TGS. */ +krb5_boolean +is_cross_tgs_principal(krb5_const_principal principal) +{ + return (krb5_princ_size(kdc_context, principal) >= 2 && + data_eq_string(*krb5_princ_component(kdc_context, principal, 0), + KRB5_TGS_NAME) && + !data_eq(*krb5_princ_component(kdc_context, principal, 1), + *krb5_princ_realm(kcd_context, principal))); +} + /* * given authentication data (provides seed for checksum), verify checksum * for source data. diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 96e29d906..258389508 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -42,6 +42,7 @@ krb5_error_code check_hot_list (krb5_ticket *); krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal); krb5_boolean is_local_principal(krb5_const_principal princ1); krb5_boolean krb5_is_tgs_principal (krb5_const_principal); +krb5_boolean is_cross_tgs_principal(krb5_const_principal); krb5_error_code add_to_transited (krb5_data *, krb5_data *, |