From ac73e9e2f5529346da66ee0a00c3014e00fc4d55 Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Tue, 6 Jan 2009 22:32:30 +0000
Subject: [PATCH] Patch from Luke Howard to make an explicit call to check the ACL for s4u delegations rather than relying on tl-data.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21712 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb_ext.h | 8 +++++-
 src/kdc/kdc_util.c | 61 ++++++++++++++++---------------------------
 2 files changed, 30 insertions(+), 39 deletions(-)

diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 0b4c4a97f..87959538e 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -90,7 +90,7 @@ krb5_error_code krb5_db_invoke ( krb5_context kcontext,
 #define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
 #define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
 #define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
-#define KRB5_KDB_METHOD_GET_PAC_PRINC 0x00000080
+#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
 
 typedef struct _kdb_sign_auth_data_req {
 krb5_magic magic;
@@ -162,4 +162,10 @@ typedef struct _kdb_audit_tgs_req {
 krb5_error_code error_code;
 } kdb_audit_tgs_req;
 
+typedef struct _kdb_check_allowed_to_delegate_req {
+ krb5_magic magic;
+ const krb5_db_entry *server;
+ krb5_const_principal proxy;
+} kdb_check_allowed_to_delegate_req;
+
 #endif /* KRB5_KDB5_EXT__ */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index aa8d40d94..f956de292 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
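Review bot: The renamed method in the first hunk keeps the numeric id 0x00000080 that KRB5_KDB_METHOD_GET_PAC_PRINC carried, so a database module built against the previous header that dispatched on that id would now be handed a kdb_check_allowed_to_delegate_req under the old meaning; if no module ever implemented the old method this is harmless, but a fresh id would avoid silently reinterpreting an unrelated request. The struct added in the second hunk has no comment on the callee's contract, yet the caller in kdc_util.c treats a 0 return as permission to delegate, passes any other code back as the denial, maps KRB5_KDB_DBTYPE_NOSUP to KRB5KDC_ERR_POLICY, and asserts that no reply data comes back. A comment on the typedef such as `/* Backend returns 0 if server may delegate to proxy, else an error; no reply data is expected. */` would pin that down for implementers.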
@@ -1971,61 +1971,46 @@ kdc_process_s4u2self_req(krb5_context context,
 return 0;
 }
 
-static krb5_boolean
-check_constrained_delegation_acl(krb5_context context,
- krb5_tl_data *tl_data,
- krb5_const_principal spn)
-{
- krb5_principal acl;
- krb5_boolean ret;
-
- assert(tl_data->tl_data_contents[tl_data->tl_data_length] == '\0');
-
- if (krb5_parse_name_flags(context,
- (char *)tl_data->tl_data_contents,
- KRB5_PRINCIPAL_PARSE_NO_REALM,
- &acl) != 0)
- return FALSE;
-
- ret = krb5_principal_compare_flags(context, acl, spn, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
-
- krb5_free_principal(context, acl);
-
- return ret;
-}
-
 static krb5_error_code
 check_allowed_to_delegate_to(krb5_context context,
 const krb5_db_entry *server,
 krb5_const_principal proxy)
 {
- krb5_tl_data *tl_data;
- krb5_boolean allowed = FALSE;
+ kdb_check_allowed_to_delegate_req req;
+ krb5_data req_data;
+ krb5_data rep_data;
+ krb5_error_code code;
 
 /* Can't get a TGT (otherwise it would be unconstrained delegation) */
 if (krb5_is_tgs_principal(proxy)) {
 return KRB5KDC_ERR_POLICY;
 }
 
- /* Must be in same realm -- ACLs are non-qualified SPNs */
- if (!krb5_realm_compare(kdc_context, server->princ, proxy)) {
+ /* Must be in same realm */
+ if (!krb5_realm_compare(context, server->princ, proxy)) {
 return KRB5_IN_TKT_REALM_MISMATCH; /* XXX */
 }
 
- for (tl_data = server->tl_data; tl_data != NULL; tl_data = tl_data->tl_data_next) {
- if (tl_data->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL) {
- if (check_constrained_delegation_acl(context, tl_data, proxy)) {
- allowed = TRUE;
- break;
- }
- }
- }
+ req.server = server;
+ req.proxy = proxy;
 
- if (allowed == FALSE) {
- return KRB5KDC_ERR_POLICY;
+ req_data.data = (void *)&req;
+ req_data.length = sizeof(req);
+
+ rep_data.data = NULL;
+ rep_data.length = 0;
+
+ code = krb5_db_invoke(context,
+ KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE,
+ &req_data,
+ &rep_data);
+ if (code == KRB5_KDB_DBTYPE_NOSUP) {
+ code = KRB5KDC_ERR_POLICY;
 }
 
- return 0;
+ assert(rep_data.length == 0);
+
+ return code;
 }
 
 krb5_error_code
-- 
2.26.2
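Review bot: `req.magic` is never assigned in the rewritten check_allowed_to_delegate_to, while the other two fields of the automatic `req` are set explicitly just before krb5_db_invoke, so a backend that validates the magic of the request it receives reads an indeterminate value. Setting the field alongside the others (`req.magic = <magic value for this request type>;`, using whatever constant this header family assigns to request structs, which is not visible here) or zero-initializing `req` at its declaration removes the indeterminate read. Separately, the `assert(rep_data.length == 0)` compiles away under NDEBUG, so in a release build a backend that does hand back reply data goes undiagnosed and the buffer is never released; treating a non-empty reply as a failure rather than relying on assert would keep that check in every configuration.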