From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Mon, 25 Sep 2023 15:14:03 +0200 Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH authdata is no longer generated. However, on krb5 versions prior to 1.20, the KDC still expects an AD-SIGNEDPATH when verifying a constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this requirement is not needed, because the PAC signatures are already fulfilling this role. CentOS and RHEL downstream releases of krb5 will include the "optional_ad_signedpath" KDB string attribute allowing to disable the AD-SIGNEDPATH requirement in case the PAC is present. This commit sets the "optional_ad_signedpath" string attribute to "true" systematically on the TGS principal if the database abstract layer (DAL) of krb5 is version 8 or older (prior to krb5 1.20). Fixes: https://pagure.io/freeipa/issue/9448 Signed-off-by: Julien Rische Reviewed-By: Alexander Bokovoy
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index e95cb453c..fadb132ed 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
 
 #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
 
+#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
+#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
+#endif
+
 static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
                                       char *attrname,
                                       krb5_tl_data **result, int *num)
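Review bot: The `#ifndef` fallback at the top of the hunk makes the build succeed, and the attribute get set on the TGS entry, even against a krb5 whose KDC does not know the key at all (an upstream release older than 1.20 without the downstream change the commit message describes); on such a KDC the string attribute is silently ignored and the AD-SIGNEDPATH requirement for S4U2Proxy stays in force, with nothing at build or run time pointing that out. A comment above the fallback would make the dependency explicit, e.g. `/* Only honored by krb5 builds carrying the optional_ad_signedpath KDC change; harmless elsewhere. */`. It is also worth checking that the fallback spelling matches the key string the downstream KDC reads, since a mismatch would fail in the same silent way.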
@@ -178,6 +182,25 @@ done:
     return ret;
 }
 
+static bool
+is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
+{
+    krb5_data *primary;
+    size_t l_tgs_name;
+
+    if (2 != krb5_princ_size(kcontext, princ))
+        return false;
+
+    primary = krb5_princ_component(kcontext, princ, 0);
+
+    l_tgs_name = strlen(KRB5_TGS_NAME);
+
+    if (l_tgs_name != primary->length)
+        return false;
+
+    return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
+}
+
 static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
                                          krb5_int16 type,
                                          krb5_ui_2 length,
@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
 
     /* Lookup local names and aliases first. */
     kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
-    if (kerr != KRB5_KDB_NOENTRY) {
+    if (kerr == KRB5_KDB_NOENTRY) {
+        kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
+    }
+    if (kerr)
         return kerr;
+
+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
+    /* If TGS principal, some virtual attributes may be added */
+    if (is_tgs_princ(kcontext, (*entry)->princ)) {
+        kerr = krb5_dbe_set_string(kcontext, *entry,
+                                   KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
+                                   "true");
     }
+#endif
 
-    return dbget_alias(kcontext, ipactx, search_for, flags, entry);
+    return kerr;
 }
 
 void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
-- 
2.41.0
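Review bot: `is_tgs_princ` matches any two-component principal whose first component is `krbtgt` and never looks at the second component or the realm, so cross-realm krbtgt entries stored in the database (`krbtgt/OTHER@REALM`) are treated as the TGS principal as well, which the commit message does not mention. If that is intended, a header comment saying so keeps a later reader from "fixing" it, e.g. `/* True for any krbtgt/<x> principal with exactly two components; realm and instance are deliberately not checked. */`; if it is not, comparing the second component against the entry's own realm would narrow the match to the local TGS. The length-then-`memcmp` comparison is correct as written, since `krb5_data` is not NUL-terminated and `primary->length` is compared before the bytes are read.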
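Review bot: When `krb5_dbe_set_string` fails inside the `#if KRB5_KDB_DAL_MAJOR_VERSION <= 8` block, the function returns the error while `*entry` still points at the entry that `dbget_princ` or `dbget_alias` just allocated, so the caller receives an error together with a live entry it will not release, leaking it on every such lookup. The error path should free the entry and clear `*entry` before returning, using the module's own release routine (`ipadb_free_principal`, which appears to be what this module registers as its DAL free callback; please confirm). Separately, an undefined `KRB5_KDB_DAL_MAJOR_VERSION` evaluates to 0 in `#if`, so the block is compiled in if the header defining it is ever missing; `#if defined(KRB5_KDB_DAL_MAJOR_VERSION) && KRB5_KDB_DAL_MAJOR_VERSION <= 8` or an `#error` guard would make that explicit. The comment `/* If TGS principal, some virtual attributes may be added */` could also name the attribute and the reason, as the commit message does. `ipadb_get_principal` begins outside this hunk.
```c
#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
    /* Pre-1.20 KDCs still require AD-SIGNEDPATH for S4U2Proxy; the
     * downstream KDC honors this string attribute and accepts the PAC
     * signatures in its place. */
    if (is_tgs_princ(kcontext, (*entry)->princ)) {
        kerr = krb5_dbe_set_string(kcontext, *entry,
                                   KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
                                   "true");
        if (kerr) {
            /* Never hand back an entry together with an error. */
            ipadb_free_principal(kcontext, *entry);
            *entry = NULL;
        }
    }
#endif
    /* … unchanged: return kerr; … */
```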