From 6581735ddea7215935e91c34a2103de1acfe3952 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 5 Feb 2010 03:43:54 +0000
Subject: [PATCH] Fix cross-realm handling of AD-SIGNEDPATH

Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT. Previously we were avoiding it when answering a cross-realm client, which was wrong.

Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).

ticket: 6655
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/kdc_authdata.c | 14 +++++++-------
 src/kdc/kdc_util.c | 11 +++++++++++
 src/kdc/kdc_util.h | 1 +
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 8b01ad388..50975580c 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -897,10 +897,6 @@ verify_ad_signedpath_checksum(krb5_context context,
 valid);
 krb5_free_data(context, data);
-
- if (code == 0 && *valid == FALSE)
- code = KRB5KRB_AP_ERR_MODIFIED;
-
 return code;
 }
@@ -952,8 +948,10 @@ verify_ad_signedpath(krb5_context context,
 if (code != 0)
 goto cleanup;
- *pdelegated = sp->delegated;
- sp->delegated = NULL;
+ if (*path_is_signed) {
+ *pdelegated = sp->delegated;
+ sp->delegated = NULL;
+ }
 cleanup:
 krb5_free_ad_signedpath(context, sp);
@@ -1179,7 +1177,9 @@ handle_signedpath_authdata (krb5_context context,
 }
 }
- if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ /* No point in including signedpath authdata for a cross-realm TGT, since
+ * it will be presented to a different KDC. */
+ if (!is_cross_tgs_principal(server->princ) &&
+ !only_pac_p(context, enc_tkt_reply->authorization_data)) {
 code = make_ad_signedpath(context, for_user_princ,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6ee96b266..281bcc8ee 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
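Review bot: After this hunk verify_ad_signedpath_checksum returns 0 with `*valid == FALSE` when the signature does not verify, and nothing left in the function says why a failed integrity check is not an error; the next reader will be tempted to put the KRB5KRB_AP_ERR_MODIFIED mapping back. I would add, above `return code;`, `/* A bad checksum is not an error here: the caller treats *valid == FALSE as "no signed path" and simply refuses to use the ticket for S4U2Proxy. */`. A mismatch on an otherwise valid ticket can also indicate tampering, so a KDC log line at the point where the caller observes `*valid == FALSE` would keep such failures from being entirely silent. The start of the function lies outside the hunk.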
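Review bot: When `*path_is_signed` is false the new branch in verify_ad_signedpath leaves `*pdelegated` untouched, so unless the prologue of the function (outside the hunk) already sets it to NULL, the caller receives whatever the out-parameter held before the call and may treat it as a delegation chain. Making the branch two-sided, `} else {` / `*pdelegated = NULL;` / `}`, costs nothing if the prologue already initializes it and is cheap insurance if it does not. The function's beginning and its callers are outside the hunk, so I cannot confirm the initialization from here.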
@@ -192,6 +192,17 @@ krb5_is_tgs_principal(krb5_const_principal principal)
 return FALSE;
 }
+/* Returns TRUE if principal is the name of a cross-realm TGS. */
+krb5_boolean
+is_cross_tgs_principal(krb5_const_principal principal)
+{
+ return (krb5_princ_size(kdc_context, principal) >= 2 &&
+ data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME) &&
+ !data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kcd_context, principal)));
+}
+
 /*
 * given authentication data (provides seed for checksum), verify checksum
 * for source data.
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 96e29d906..258389508 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -42,6 +42,7 @@ krb5_error_code check_hot_list (krb5_ticket *);
 krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
 krb5_boolean is_local_principal(krb5_const_principal princ1);
 krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
+krb5_boolean is_cross_tgs_principal(krb5_const_principal);
 krb5_error_code add_to_transited (krb5_data *, krb5_data *,
--
2.26.2
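Review bot: The last call in is_cross_tgs_principal passes `kcd_context` where the three calls above it pass `kdc_context`; unless a `kcd_context` symbol exists elsewhere (nothing in this patch declares one), the file will not compile, and the line should read `*krb5_princ_realm(kdc_context, principal)));`. The size test is `>= 2` rather than `== 2`, so a name such as krbtgt/OTHER/extra@REALM is also classed as a cross-realm TGS; if that is intentional (presumably mirroring krb5_is_tgs_principal just above, whose body is outside the hunk), a short comment on the `>= 2` line saying so would save the next reader a question. The helper also relies on the global `kdc_context` rather than a caller-supplied context, which the one-line header comment could mention.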