From: Tom Yu Date: Mon, 8 Feb 2010 20:55:43 +0000 (+0000) Subject: pull up r23697 from trunk X-Git-Tag: krb5-1.8-beta1~11 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=e983c0f99cba07cb7c0a23cf4b8ac3aaba553c46;p=krb5.git pull up r23697 from trunk ------------------------------------------------------------------------ r23697 | ghudson | 2010-02-04 22:43:54 -0500 (Thu, 04 Feb 2010) | 12 lines ticket: 6655 subject: Fix cross-realm handling of AD-SIGNEDPATH target_version: 1.8 tags: pullup Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT. Previously we were avoiding it when answering a cross-realm client, which was wrong. Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present). ticket: 6655 version_fixed: 1.8 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23708 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index 8b01ad388..50975580c 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -897,10 +897,6 @@ verify_ad_signedpath_checksum(krb5_context context, valid); krb5_free_data(context, data); - - if (code == 0 && *valid == FALSE) - code = KRB5KRB_AP_ERR_MODIFIED; - return code; } @@ -952,8 +948,10 @@ verify_ad_signedpath(krb5_context context, if (code != 0) goto cleanup; - *pdelegated = sp->delegated; - sp->delegated = NULL; + if (*path_is_signed) { + *pdelegated = sp->delegated; + sp->delegated = NULL; + } cleanup: krb5_free_ad_signedpath(context, sp); @@ -1179,7 +1177,9 @@ handle_signedpath_authdata (krb5_context context, } } - if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) && + /* No point in including signedpath authdata for a cross-realm TGT, since + * it will be presented to a different KDC. */ + if (!is_cross_tgs_principal(server->princ) && !only_pac_p(context, enc_tkt_reply->authorization_data)) { code = make_ad_signedpath(context, for_user_princ, diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 6ee96b266..281bcc8ee 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -192,6 +192,17 @@ krb5_is_tgs_principal(krb5_const_principal principal) return FALSE; } +/* Returns TRUE if principal is the name of a cross-realm TGS. */ +krb5_boolean +is_cross_tgs_principal(krb5_const_principal principal) +{ + return (krb5_princ_size(kdc_context, principal) >= 2 && + data_eq_string(*krb5_princ_component(kdc_context, principal, 0), + KRB5_TGS_NAME) && + !data_eq(*krb5_princ_component(kdc_context, principal, 1), + *krb5_princ_realm(kcd_context, principal))); +} + /* * given authentication data (provides seed for checksum), verify checksum * for source data. diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 96e29d906..258389508 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -42,6 +42,7 @@ krb5_error_code check_hot_list (krb5_ticket *); krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal); krb5_boolean is_local_principal(krb5_const_principal princ1); krb5_boolean krb5_is_tgs_principal (krb5_const_principal); +krb5_boolean is_cross_tgs_principal(krb5_const_principal); krb5_error_code add_to_transited (krb5_data *, krb5_data *,