Patch from Luke Howard
authorSam Hartman <hartmans@mit.edu>
Tue, 6 Jan 2009 22:32:30 +0000 (22:32 +0000)
committerSam Hartman <hartmans@mit.edu>
Tue, 6 Jan 2009 22:32:30 +0000 (22:32 +0000)
to make an explicit call to check the ACL for s4u delegations rather than relying on tl-data.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21712 dc483132-0cff-0310-8789-dd5450dbe970

src/include/kdb_ext.h
src/kdc/kdc_util.c

index 0b4c4a97f9d9ea27d0f35170486ec36e1592a99c..87959538e9dc1304482a39a57423bfe50cf1b51d 100644 (file)
@@ -90,7 +90,7 @@ krb5_error_code krb5_db_invoke ( krb5_context kcontext,
 #define KRB5_KDB_METHOD_AUDIT_AS                       0x00000050
 #define KRB5_KDB_METHOD_AUDIT_TGS                      0x00000060
 #define KRB5_KDB_METHOD_REFRESH_POLICY                 0x00000070
-#define KRB5_KDB_METHOD_GET_PAC_PRINC                  0x00000080
+#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE      0x00000080
 
 typedef struct _kdb_sign_auth_data_req {
     krb5_magic magic;
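Review bot: Method number 0x00000080 is reused here for a call with a different request layout and meaning, so a backend module still built against the old header would receive a `kdb_check_allowed_to_delegate_req` under the id it knows as `KRB5_KDB_METHOD_GET_PAC_PRINC`. The caller in kdc_util.c treats a zero return from `krb5_db_invoke` as permission to delegate, so a stale handler that happens to return 0 would fail open. Whether any module implemented the old method is not visible from this diff. I would give the new method a previously unused number and leave a marker such as `/* 0x00000080 was KRB5_KDB_METHOD_GET_PAC_PRINC; retired, do not reuse */`.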
@@ -162,4 +162,10 @@ typedef struct _kdb_audit_tgs_req {
     krb5_error_code error_code;
 } kdb_audit_tgs_req;
 
+typedef struct _kdb_check_allowed_to_delegate_req {
+    krb5_magic magic;
+    const krb5_db_entry *server;
+    krb5_const_principal proxy;
+} kdb_check_allowed_to_delegate_req;
+
 #endif /* KRB5_KDB5_EXT__ */
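Review bot: The new request struct carries an authorization decision but has no comment stating its contract, which is only implied by the caller in kdc_util.c. I would add above the typedef something like `/* Backend returns 0 only if server may delegate to proxy; any other code denies. No reply data is produced. */`. The comment should also say what value a backend may expect in `magic`, so module authors know whether to validate it.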
index aa8d40d9455ea1dec1f31d77fe77e921700a349a..f956de292e80f020fff4e30d573a1ff57915f334 100644 (file)
@@ -1971,61 +1971,46 @@ kdc_process_s4u2self_req(krb5_context context,
     return 0;
 }
 
-static krb5_boolean
-check_constrained_delegation_acl(krb5_context context,
-                                krb5_tl_data *tl_data,
-                                krb5_const_principal spn)
-{
-    krb5_principal acl;
-    krb5_boolean ret;
-
-    assert(tl_data->tl_data_contents[tl_data->tl_data_length] == '\0');
-
-    if (krb5_parse_name_flags(context,
-                             (char *)tl_data->tl_data_contents,
-                             KRB5_PRINCIPAL_PARSE_NO_REALM,
-                             &acl) != 0)
-       return FALSE;
-
-    ret = krb5_principal_compare_flags(context, acl, spn, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
-
-    krb5_free_principal(context, acl);
-
-    return ret;
-}
-
 static krb5_error_code
 check_allowed_to_delegate_to(krb5_context context,
                             const krb5_db_entry *server,
                             krb5_const_principal proxy)
 {
-    krb5_tl_data               *tl_data;
-    krb5_boolean               allowed = FALSE;
+    kdb_check_allowed_to_delegate_req   req;
+    krb5_data                  req_data;
+    krb5_data                  rep_data;
+    krb5_error_code            code;
 
     /* Can't get a TGT (otherwise it would be unconstrained delegation) */
     if (krb5_is_tgs_principal(proxy)) {
        return KRB5KDC_ERR_POLICY;
     }
 
-    /* Must be in same realm -- ACLs are non-qualified SPNs */
-    if (!krb5_realm_compare(kdc_context, server->princ, proxy)) {
+    /* Must be in same realm */
+    if (!krb5_realm_compare(context, server->princ, proxy)) {
        return KRB5_IN_TKT_REALM_MISMATCH; /* XXX */
     }
 
-    for (tl_data = server->tl_data; tl_data != NULL; tl_data = tl_data->tl_data_next) {
-        if (tl_data->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) {
-           if (check_constrained_delegation_acl(context, tl_data, proxy)) {
-               allowed = TRUE;
-               break;
-           }
-        }
-    }
+    req.server = server;
+    req.proxy = proxy;
 
-    if (allowed == FALSE) {
-       return KRB5KDC_ERR_POLICY;
+    req_data.data = (void *)&req;
+    req_data.length = sizeof(req);
+
+    rep_data.data = NULL;
+    rep_data.length = 0;
+
+    code = krb5_db_invoke(context,
+                         KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
+                         &req_data,
+                         &rep_data);
+    if (code == KRB5_KDB_DBTYPE_NOSUP) {
+       code = KRB5KDC_ERR_POLICY;
     }
 
-    return 0;
+    assert(rep_data.length == 0);
+
+    return code;
 }
 
 krb5_error_code
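Review bot: `req` is handed to the backend with `magic` never assigned, because only `server` and `proxy` are set before `req_data.data` is pointed at it. A module that validates or logs that field would read indeterminate stack bytes. Adding `memset(&req, 0, sizeof(req));` before the two assignments, or setting `magic` the way the other request structs are filled in, fixes that. Separately, `assert(rep_data.length == 0);` lets a value controlled by the backend module abort the KDC, and under NDEBUG it is not checked at all. An explicit fail-closed test such as `if (code == 0 && rep_data.length != 0) code = KRB5KDC_ERR_POLICY;` is safer on an authorization path.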