From 07f92976ad159438ad521b7f29146a69d17c85be Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Mon, 11 May 2009 20:55:19 +0000 Subject: [PATCH] pull up r22272 from trunk ------------------------------------------------------------------------ r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines Changed paths: M /trunk/src/lib/krb5/krb/gc_via_tkt.c ticket: 6473 tags: pullup In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from credentials obtained using a foreign TGT, unless the TGT also has ok-as-delegate set. ticket: 6473 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22327 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/gc_via_tkt.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index 059da828a..e8dbd97fe 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -144,6 +144,16 @@ check_reply_server(krb5_context context, krb5_flags kdcoptions, return 0; } +/* Return true if a TGS credential is for the client's local realm. */ +static inline int +tgt_is_local_realm(krb5_creds *tgt) +{ + return (tgt->server->length == 2 + && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME) + && data_eq(tgt->server->data[1], tgt->client->realm) + && data_eq(tgt->server->realm, tgt->client->realm)); +} + krb5_error_code krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, krb5_flags kdcoptions, krb5_address *const *address, @@ -289,6 +299,14 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, goto error_3; } + /* + * Don't trust the ok-as-delegate flag from foreign KDCs unless the + * cross-realm TGT also had the ok-as-delegate flag set. + */ + if (!tgt_is_local_realm(tkt) + && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE; + /* make sure the response hasn't been tampered with..... */ retval = 0; -- 2.26.2