ipa/SOURCES/0020-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel.patch

From 27b96c17dd51d076e04d97662b7c788658a5094a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Jan 26 2024 09:35:57 +0000
Subject: ipa-kdb: Disable Bronze-Bit check if PAC not available


The Bronze-Bit check introduced in commit
a847e2483b4c4832ee5129901da169f4eb0d1392 requires the MS-PAC to be
present in the evidence ticket in order for S4U2Proxy requests to be
accepted. This actually requires SIDs to be set.

However, domains that were initialized before commit
e527857d000e558b3288a7a210400abaf2171237 may still not have SIDs
configured. This would results in all S4U2Proxy requests to fail
(including all the HTTP API requests).

This present commit disables the check for the Bronze-Bit exploit
(CVE-2020-17049) in case the domain is not able to generate PACs.
Instead, it prints a warning message in the KDC logs each time a
S4U2Proxy request is processed.

Fixes: https://pagure.io/freeipa/issue/9521

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index c6926f7..621c235 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -368,17 +368,21 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
                                                   char **trusted_realm);
 
 /* Try to detect a Bronze-Bit attack based on the content of the request and
- * data from the KDB.
+ * data from the KDB. This check will work only if the domain supports MS-PAC.
  *
  *   context     krb5 context
  *   request     KDB request
- *   detected    Set to "true" if a bronze bit attack is detected and the
- *               pointer is not NULL. Remains unset otherwise.
+ *   supported   If not NULL, set to "false" in case the Bronze-Bit exploit
+ *               detection process silently failed to complete because the
+ *               domain does not meet requirements. Set to "true" otherwise.
+ *   detected    If not NULL, set to "true" if a Bronze-Bit attack is detected.
+ *               Set to "false" otherwise.
  *   status      If the call fails and the pointer is not NULL, set it with a
  *               message describing the cause of the failure. */
 krb5_error_code
 ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
-                                  bool *detected, const char **status);
+                                  bool *supported, bool *detected,
+                                  const char **status);
 
 /* DELEGATION CHECKS */
 
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index ee0546c..713e9a0 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -186,11 +186,19 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
                         krb5_deltat *renew_lifetime_out)
 {
     krb5_error_code kerr;
+    bool supported;
 
-    kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
+    kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
+                                             status);
     if (kerr)
         return KRB5KDC_ERR_POLICY;
 
+    if (!supported)
+        krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes "
+                         "FreeIPA vulnerable to the Bronze-Bit exploit "
+                         "(CVE-2020-17049). Please generate SIDs to enable "
+                         "PAC support.");
+
     *status = NULL;
     *lifetime_out = 0;
     *renew_lifetime_out = 0;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 05d5b40..a18beff 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3301,11 +3301,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 
 krb5_error_code
 ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
-                                  bool *detected, const char **status)
+                                  bool *supported, bool *detected,
+                                  const char **status)
 {
     krb5_error_code kerr;
     const char *st = NULL;
     size_t i, j;
+    bool in_supported = true, in_detected = false;
+    struct ipadb_context *ipactx;
     krb5_ticket *evidence_tkt;
     krb5_authdata **authdata, **ifrel = NULL;
     krb5_pac pac = NULL;
@@ -3325,6 +3328,21 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
         goto end;
     }
 
+    ipactx = ipadb_get_context(context);
+    if (!ipactx) {
+        kerr = KRB5_KDB_DBNOTINITED;
+        goto end;
+    }
+
+    /* Handle the case where the domain is not able to generate PACs (probably
+     * because SIDs are not set). In this case, we just skip the Bronze-Bit
+     * check. */
+    if (!ipactx->mspac) {
+        in_supported = false;
+        kerr = 0;
+        goto end;
+    }
+
     evidence_tkt = request->second_ticket[0];
 
     /* No need to check the Forwardable flag. If it was not set, this request
@@ -3449,8 +3467,7 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
             /* This evidence ticket cannot be forwardable given the privileges
              * of the proxy principal.
              * This is a Bronze Bit attack. */
-            if (detected)
-                *detected = true;
+            in_detected = true;
             st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
             kerr = EBADE;
             goto end;
@@ -3462,6 +3479,10 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
 end:
     if (st && status)
         *status = st;
+    if (supported)
+        *supported = in_supported;
+    if (detected)
+        *detected = in_detected;
 
     krb5_free_authdata(context, ifrel);
     krb5_pac_free(context, pac);