rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Add dns_canonicalize_hostname=fallback support

Browse Source
This commit is contained in:
Robbie Harwood 2019-04-24 11:45:11 -04:00
parent 9d9730eb07
commit 0555bc87c8
3 changed files with 899 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

409
Add-dns_canonicalize_hostname-fallback-support.patch Normal file
View File

@ -0,0 +1,409 @@
From 18d45e4b48c363f631b1acd7dac5902351bf1a0e Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 4 Dec 2018 15:22:55 -0500
Subject: [PATCH] Add dns_canonicalize_hostname=fallback support
Turn dns_canonicalize_hostname into a tristate variable, allowing the
value "fallback" as well as the true/false booleans. If it is set to
fallback, delay DNS canonicalization and attempt it only in
krb5_get_credentials() if the KDC responds that the requested server
principal name is unknown.
[ghudson@mit.edu: added TGS tests; refactored code; edited commit
message and documentation]
ticket: 8765 (new)
(cherry picked from commit 6c20cb1c89acaa03db897182a3b28d5f8f284907)
---
doc/admin/conf_files/krb5_conf.rst | 4 ++
src/include/k5-int.h | 8 ++-
src/include/k5-trace.h | 3 ++
src/lib/krb5/krb/get_creds.c | 79 ++++++++++++++++++++++++++----
src/lib/krb5/krb/init_ctx.c | 27 +++++++++-
src/lib/krb5/krb/t_copy_context.c | 2 +-
src/lib/krb5/os/os-proto.h | 4 ++
src/lib/krb5/os/sn2princ.c | 19 +++++--
src/tests/gcred.c | 5 +-
src/tests/t_sn2princ.py | 34 ++++++++++++-
10 files changed, 167 insertions(+), 18 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 7b4389f6b..e9f7e8c59 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -201,6 +201,10 @@ The libdefaults section may contain any of the following relations:
means that short hostnames will not be canonicalized to
fully-qualified hostnames. The default value is true.
+ If this option is set to ``fallback`` (new in release 1.18), DNS
+ canonicalization will only be performed the server hostname is not
+ found with the original name when requesting credentials.
+
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 255cee822..1e6a739e9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1159,6 +1159,12 @@ k5_plugin_register_dyn(krb5_context context, int interface_id,
void
k5_plugin_free_context(krb5_context context);
+enum dns_canonhost {
+ CANONHOST_FALSE = 0,
+ CANONHOST_TRUE = 1,
+ CANONHOST_FALLBACK = 2
+};
+
struct _kdb5_dal_handle; /* private, in kdb5.h */
typedef struct _kdb5_dal_handle kdb5_dal_handle;
struct _kdb_log_context;
@@ -1222,7 +1228,7 @@ struct _krb5_context {
krb5_boolean allow_weak_crypto;
krb5_boolean ignore_acceptor_hostname;
- krb5_boolean dns_canonicalize_hostname;
+ enum dns_canonhost dns_canonicalize_hostname;
krb5_trace_callback trace_callback;
void *trace_callback_data;
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 2aa379b76..f3ed6a45d 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -191,6 +191,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
#define TRACE_FAST_REQUIRED(c) \
TRACE(c, "Using FAST due to KRB5_FAST_REQUIRED flag")
+#define TRACE_GET_CREDS_FALLBACK(c, hostname) \
+ TRACE(c, "Falling back to canonicalized server hostname {str}", hostname)
+
#define TRACE_GIC_PWD_CHANGED(c) \
TRACE(c, "Getting initial TGT with changed password")
#define TRACE_GIC_PWD_CHANGEPW(c, tries) \
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 69900adfa..0a04d68b9 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -39,6 +39,7 @@
#include "k5-int.h"
#include "int-proto.h"
+#include "os-proto.h"
#include "fast.h"
/*
@@ -1249,6 +1250,26 @@ krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx,
return EINVAL;
}
+static krb5_error_code
+try_get_creds(krb5_context context, krb5_flags options, krb5_ccache ccache,
+ krb5_creds *in_creds, krb5_creds *creds_out)
+{
+ krb5_error_code code;
+ krb5_tkt_creds_context ctx = NULL;
+
+ code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx);
+ if (code)
+ goto cleanup;
+ code = krb5_tkt_creds_get(context, ctx);
+ if (code)
+ goto cleanup;
+ code = krb5_tkt_creds_get_creds(context, ctx, creds_out);
+
+cleanup:
+ krb5_tkt_creds_free(context, ctx);
+ return code;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_credentials(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
@@ -1256,7 +1277,10 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
{
krb5_error_code code;
krb5_creds *ncreds = NULL;
- krb5_tkt_creds_context ctx = NULL;
+ krb5_creds canon_creds, store_creds;
+ krb5_principal_data canon_server;
+ krb5_data canon_components[2];
+ char *hostname = NULL, *canon_hostname = NULL;
*out_creds = NULL;
@@ -1265,22 +1289,59 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
if (ncreds == NULL)
goto cleanup;
- /* Make and execute a krb5_tkt_creds context to get the credential. */
- code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx);
- if (code != 0)
+ code = try_get_creds(context, options, ccache, in_creds, ncreds);
+ if (!code) {
+ *out_creds = ncreds;
+ return 0;
+ }
+
+ /* Possibly try again with the canonicalized hostname, if the server is
+ * host-based and we are configured for fallback canonicalization. */
+ if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
goto cleanup;
- code = krb5_tkt_creds_get(context, ctx);
- if (code != 0)
+ if (context->dns_canonicalize_hostname != CANONHOST_FALLBACK)
goto cleanup;
- code = krb5_tkt_creds_get_creds(context, ctx, ncreds);
- if (code != 0)
+ if (in_creds->server->type != KRB5_NT_SRV_HST ||
+ in_creds->server->length != 2)
goto cleanup;
+ hostname = k5memdup0(in_creds->server->data[1].data,
+ in_creds->server->data[1].length, &code);
+ if (hostname == NULL)
+ goto cleanup;
+ code = k5_expand_hostname(context, hostname, TRUE, &canon_hostname);
+ if (code)
+ goto cleanup;
+
+ TRACE_GET_CREDS_FALLBACK(context, canon_hostname);
+
+ /* Make shallow copies of in_creds and its server to alter the hostname. */
+ canon_components[0] = in_creds->server->data[0];
+ canon_components[1] = string2data(canon_hostname);
+ canon_server = *in_creds->server;
+ canon_server.data = canon_components;
+ canon_creds = *in_creds;
+ canon_creds.server = &canon_server;
+
+ code = try_get_creds(context, options | KRB5_GC_NO_STORE, ccache,
+ &canon_creds, ncreds);
+ if (code)
+ goto cleanup;
+
+ if (!(options & KRB5_GC_NO_STORE)) {
+ /* Store the creds under the originally requested server name. The
+ * ccache layer will also store them under the ticket server name. */
+ store_creds = *ncreds;
+ store_creds.server = in_creds->server;
+ (void)krb5_cc_store_cred(context, ccache, &store_creds);
+ }
+
*out_creds = ncreds;
ncreds = NULL;
cleanup:
+ free(hostname);
+ free(canon_hostname);
krb5_free_creds(context, ncreds);
- krb5_tkt_creds_free(context, ctx);
return code;
}
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 947e50400..d263d5cc5 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -101,6 +101,30 @@ get_boolean(krb5_context ctx, const char *name, int def_val, int *boolean_out)
return retval;
}
+static krb5_error_code
+get_tristate(krb5_context ctx, const char *name, const char *third_option,
+ int third_option_val, int def_val, int *val_out)
+{
+ krb5_error_code retval;
+ char *str;
+ int match;
+
+ retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS, name,
+ NULL, def_val, val_out);
+ if (retval != PROF_BAD_BOOLEAN)
+ return retval;
+ retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, name,
+ NULL, NULL, &str);
+ if (retval)
+ return retval;
+ match = (strcasecmp(third_option, str) == 0);
+ free(str);
+ if (!match)
+ return EINVAL;
+ *val_out = third_option_val;
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_init_context(krb5_context *context)
{
@@ -213,7 +237,8 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
goto cleanup;
ctx->ignore_acceptor_hostname = tmp;
- retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
+ retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback",
+ CANONHOST_FALLBACK, 1, &tmp);
if (retval)
goto cleanup;
ctx->dns_canonicalize_hostname = tmp;
diff --git a/src/lib/krb5/krb/t_copy_context.c b/src/lib/krb5/krb/t_copy_context.c
index fa810be8a..a6e48cd25 100644
--- a/src/lib/krb5/krb/t_copy_context.c
+++ b/src/lib/krb5/krb/t_copy_context.c
@@ -145,7 +145,7 @@ main(int argc, char **argv)
ctx->udp_pref_limit = 2345;
ctx->use_conf_ktypes = TRUE;
ctx->ignore_acceptor_hostname = TRUE;
- ctx->dns_canonicalize_hostname = FALSE;
+ ctx->dns_canonicalize_hostname = CANONHOST_FALSE;
free(ctx->plugin_base_dir);
check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index 634e82d70..066d30221 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -83,6 +83,10 @@ struct sendto_callback_info {
void *data;
};
+krb5_error_code k5_expand_hostname(krb5_context context, const char *host,
+ krb5_boolean is_fallback,
+ char **canonhost_out);
+
krb5_error_code k5_locate_server(krb5_context, const krb5_data *realm,
struct serverlist *serverlist,
enum locate_service_type svc,
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index 5932fd9b3..98d2600aa 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -53,19 +53,23 @@ use_reverse_dns(krb5_context context)
return value;
}
-krb5_error_code KRB5_CALLCONV
-krb5_expand_hostname(krb5_context context, const char *host,
- char **canonhost_out)
+krb5_error_code
+k5_expand_hostname(krb5_context context, const char *host,
+ krb5_boolean is_fallback, char **canonhost_out)
{
struct addrinfo *ai = NULL, hint;
char namebuf[NI_MAXHOST], *copy, *p;
int err;
const char *canonhost;
+ krb5_boolean use_dns;
*canonhost_out = NULL;
canonhost = host;
- if (context->dns_canonicalize_hostname) {
+ use_dns = (context->dns_canonicalize_hostname == CANONHOST_TRUE ||
+ (is_fallback &&
+ context->dns_canonicalize_hostname == CANONHOST_FALLBACK));
+ if (use_dns) {
/* Try a forward lookup of the hostname. */
memset(&hint, 0, sizeof(hint));
hint.ai_flags = AI_CANONNAME;
@@ -112,6 +116,13 @@ cleanup:
return (*canonhost_out == NULL) ? ENOMEM : 0;
}
+krb5_error_code KRB5_CALLCONV
+krb5_expand_hostname(krb5_context context, const char *host,
+ char **canonhost_out)
+{
+ return k5_expand_hostname(context, host, FALSE, canonhost_out);
+}
+
/* If hostname appears to have a :port or :instance trailer (used in MSSQLSvc
* principals), return a pointer to the separator. Otherwise return NULL. */
static const char *
diff --git a/src/tests/gcred.c b/src/tests/gcred.c
index b14e4fc9a..cac524c51 100644
--- a/src/tests/gcred.c
+++ b/src/tests/gcred.c
@@ -66,6 +66,7 @@ main(int argc, char **argv)
krb5_principal client, server;
krb5_ccache ccache;
krb5_creds in_creds, *creds;
+ krb5_ticket *ticket;
krb5_flags options = 0;
char *name;
int c;
@@ -102,9 +103,11 @@ main(int argc, char **argv)
in_creds.client = client;
in_creds.server = server;
check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds));
- check(krb5_unparse_name(ctx, creds->server, &name));
+ check(krb5_decode_ticket(&creds->ticket, &ticket));
+ check(krb5_unparse_name(ctx, ticket->server, &name));
printf("%s\n", name);
+ krb5_free_ticket(ctx, ticket);
krb5_free_unparsed_name(ctx, name);
krb5_free_creds(ctx, creds);
krb5_free_principal(ctx, client);
diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
index 1ffda51f4..fe435a2d5 100755
--- a/src/tests/t_sn2princ.py
+++ b/src/tests/t_sn2princ.py
@@ -7,10 +7,15 @@ conf = {'domain_realm': {'kerberos.org': 'R1',
'mit.edu': 'R3'}}
no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
+fallback_canon_conf = {'libdefaults':
+ {'rdns': 'false',
+ 'dns_canonicalize_hostname': 'fallback'}}
-realm = K5Realm(create_kdb=False, krb5_conf=conf)
+realm = K5Realm(realm='R1', create_host=False, krb5_conf=conf)
no_rdns = realm.special_env('no_rdns', False, krb5_conf=no_rdns_conf)
no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
+fallback_canon = realm.special_env('fallback_canon', False,
+ krb5_conf=fallback_canon_conf)
def testbase(host, nametype, princhost, princrealm, env=None):
# Run the sn2princ harness with a specified host and name type and
@@ -37,6 +42,10 @@ def testu(host, princhost, princrealm):
# Test with the unknown name type.
testbase(host, 'unknown', princhost, princrealm)
+def testfc(host, princhost, princrealm):
+ # Test with the host-based name type with canonicalization fallback.
+ testbase(host, 'srv-hst', princhost, princrealm, env=fallback_canon)
+
# With the unknown principal type, we do not canonicalize or downcase,
# but we do remove a trailing period and look up the realm.
mark('unknown type')
@@ -71,6 +80,29 @@ if offline:
oname = 'ptr-mismatch.kerberos.org'
fname = 'www.kerberos.org'
+# Test fallback canonicalization krb5_sname_to_principal() results
+# (same as dns_canonicalize_hostname=false).
+mark('dns_canonicalize_host=fallback')
+testfc(oname, oname, 'R1')
+
+# Test fallback canonicalization in krb5_get_credentials().
+oprinc = 'host/' + oname
+fprinc = 'host/' + fname
+shutil.copy(realm.ccache, realm.ccache + '.save')
+realm.addprinc(fprinc)
+# oprinc doesn't exist, so we get the canonicalized fprinc as a fallback.
+msgs = ('Falling back to canonicalized server hostname ' + fname,)
+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
+ expected_msg=fprinc, expected_trace=msgs)
+realm.addprinc(oprinc)
+# oprinc now exists, but we still get the fprinc ticket from the cache.
+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
+ expected_msg=fprinc)
+# Without the cached result, we sould get oprinc in preference to fprinc.
+os.rename(realm.ccache + '.save', realm.ccache)
+realm.run(['./gcred', 'srv-hst', oprinc], env=fallback_canon,
+ expected_msg=oprinc)
+
# Verify forward resolution before testing for it.
try:
ai = socket.getaddrinfo(oname, None, 0, 0, 0, socket.AI_CANONNAME)

484
Clear-forwardable-flag-instead-of-denying-request.patch Normal file
View File

@ -0,0 +1,484 @@
From 297ad5039231e655eaae7c142991326fd863e70a Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 15 Nov 2018 13:40:43 -0500
Subject: [PATCH] Clear forwardable flag instead of denying request
If the client requests a forwardable or proxiable ticket and the
option cannot be honored by policy, issue a non-forwardable or
non-proxiable ticket rather than denying the request.
Add a test script for testing KDC request options and populate it with
tests for the forwardable and proxiable flags.
ticket: 7871
(cherry picked from commit 08e948cce2c79a3604066fcf7a64fc527456f83d)
---
src/kdc/do_as_req.c | 19 ++------
src/kdc/do_tgs_req.c | 56 ++++-----------------
src/kdc/kdc_util.c | 82 ++++++++++++++++++-------------
src/kdc/kdc_util.h | 9 ++--
src/kdc/tgs_policy.c | 8 +--
src/tests/Makefile.in | 1 +
src/tests/gcred.c | 28 ++++++++---
src/tests/t_kdcoptions.py | 100 ++++++++++++++++++++++++++++++++++++++
8 files changed, 189 insertions(+), 114 deletions(-)
create mode 100644 src/tests/t_kdcoptions.py
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 588c1375a..8a96c12a9 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -192,13 +192,6 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
au_state->stage = ENCR_REP;
- if ((errcode = validate_forwardable(state->request, *state->client,
- *state->server, state->kdc_time,
- &state->status))) {
- errcode += ERROR_TABLE_BASE_krb5;
- goto egress;
- }
-
errcode = check_indicators(kdc_context, state->server,
state->auth_indicators);
if (errcode) {
@@ -708,12 +701,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
/* Copy options that request the corresponding ticket flags. */
- state->enc_tkt_reply.flags = OPTS2FLAGS(state->request->kdc_options);
+ state->enc_tkt_reply.flags = get_ticket_flags(state->request->kdc_options,
+ state->client, state->server,
+ NULL);
state->enc_tkt_reply.times.authtime = state->authtime;
- setflag(state->enc_tkt_reply.flags, TKT_FLG_INITIAL);
- setflag(state->enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
-
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
@@ -732,10 +724,9 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
state->enc_tkt_reply.transited.tr_contents = empty_string;
- if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) {
- setflag(state->enc_tkt_reply.flags, TKT_FLG_INVALID);
+ if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED))
state->enc_tkt_reply.times.starttime = state->request->from;
- } else
+ else
state->enc_tkt_reply.times.starttime = state->kdc_time;
kdc_get_ticket_endtime(kdc_active_realm,
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 587342a6c..1da099318 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -378,15 +378,16 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
else
ticket_reply.server = request->server; /* XXX careful for realm... */
- enc_tkt_reply.flags = OPTS2FLAGS(request->kdc_options);
- enc_tkt_reply.flags |= COPY_TKT_FLAGS(header_enc_tkt->flags);
+ enc_tkt_reply.flags = get_ticket_flags(request->kdc_options, client,
+ server, header_enc_tkt);
enc_tkt_reply.times.starttime = 0;
- if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
- setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
-
- /* Indicate support for encrypted padata (RFC 6806). */
- setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
+ /* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting S4U2Self
+ * for forwardable tickets to be issued. */
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
+ !is_referral &&
+ !isflagset(server->attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+ clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/* don't use new addresses unless forwarded, see below */
@@ -401,37 +402,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
* realms may refuse to issue renewable tickets
*/
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
-
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
- /*
- * If S4U2Self principal is not forwardable, then mark ticket as
- * unforwardable. This behaviour matches Windows, but it is
- * different to the MIT AS-REQ path, which returns an error
- * (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
- *
- * Consider this block the S4U2Self equivalent to
- * validate_forwardable().
- */
- if (client != NULL &&
- isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- /*
- * Forwardable flag is propagated along referral path.
- */
- else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- /*
- * OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
- * S4U2Self in order for forwardable tickets to be returned.
- */
- else if (!is_referral &&
- !isflagset(server->attributes,
- KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
- clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
- }
- }
-
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED) ||
isflagset(request->kdc_options, KDC_OPT_PROXY)) {
@@ -440,16 +410,10 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
- /* We don't currently handle issuing anonymous tickets based on
- * non-anonymous ones, so just ignore the option. */
- if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS) &&
- !isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
- clear(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
- if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
- setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
+ if (isflagset(request->kdc_options, KDC_OPT_POSTDATED))
enc_tkt_reply.times.starttime = request->from;
- } else
+ else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 96c88edc1..f2741090e 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -697,29 +697,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
return(KDC_ERR_CANNOT_POSTDATE);
}
- /*
- * A Windows KDC will return KDC_ERR_PREAUTH_REQUIRED instead of
- * KDC_ERR_POLICY in the following case:
- *
- * - KDC_OPT_FORWARDABLE is set in KDCOptions but local
- * policy has KRB5_KDB_DISALLOW_FORWARDABLE set for the
- * client, and;
- * - KRB5_KDB_REQUIRES_PRE_AUTH is set for the client but
- * preauthentication data is absent in the request.
- *
- * Hence, this check most be done after the check for preauth
- * data, and is now performed by validate_forwardable() (the
- * contents of which were previously below).
- */
-
- /* Client and server must allow proxiable tickets */
- if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE) &&
- (isflagset(client.attributes, KRB5_KDB_DISALLOW_PROXIABLE) ||
- isflagset(server.attributes, KRB5_KDB_DISALLOW_PROXIABLE))) {
- *status = "PROXIABLE NOT ALLOWED";
- return(KDC_ERR_POLICY);
- }
-
/* Check to see if client is locked out */
if (isflagset(client.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
*status = "CLIENT LOCKED OUT";
@@ -752,19 +729,54 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
return 0;
}
-int
-validate_forwardable(krb5_kdc_req *request, krb5_db_entry client,
- krb5_db_entry server, krb5_timestamp kdc_time,
- const char **status)
+/*
+ * Compute ticket flags based on the request, the client and server DB entry
+ * (which may prohibit forwardable or proxiable tickets), and the header
+ * ticket. client may be NULL for a TGS request (although it may be set, such
+ * as for an S4U2Self request). header_enc may be NULL for an AS request.
+ */
+krb5_flags
+get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_enc_tkt_part *header_enc)
{
- *status = NULL;
- if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE) &&
- (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE) ||
- isflagset(server.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))) {
- *status = "FORWARDABLE NOT ALLOWED";
- return(KDC_ERR_POLICY);
- } else
- return 0;
+ krb5_flags flags;
+
+ /* Indicate support for encrypted padata (RFC 6806), and set flags based on
+ * request options and the header ticket. */
+ flags = OPTS2FLAGS(reqflags) | TKT_FLG_ENC_PA_REP;
+ if (reqflags & KDC_OPT_POSTDATED)
+ flags |= TKT_FLG_INVALID;
+ if (header_enc != NULL)
+ flags |= COPY_TKT_FLAGS(header_enc->flags);
+ if (header_enc == NULL)
+ flags |= TKT_FLG_INITIAL;
+
+ /* For TGS requests, indicate if the service is marked ok-as-delegate. */
+ if (header_enc != NULL && (server->attributes & KRB5_KDB_OK_AS_DELEGATE))
+ flags |= TKT_FLG_OK_AS_DELEGATE;
+
+ /* Unset PROXIABLE if it is disallowed. */
+ if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_PROXIABLE))
+ flags &= ~TKT_FLG_PROXIABLE;
+ if (server->attributes & KRB5_KDB_DISALLOW_PROXIABLE)
+ flags &= ~TKT_FLG_PROXIABLE;
+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_PROXIABLE))
+ flags &= ~TKT_FLG_PROXIABLE;
+
+ /* Unset FORWARDABLE if it is disallowed. */
+ if (client != NULL && (client->attributes & KRB5_KDB_DISALLOW_FORWARDABLE))
+ flags &= ~TKT_FLG_FORWARDABLE;
+ if (server->attributes & KRB5_KDB_DISALLOW_FORWARDABLE)
+ flags &= ~TKT_FLG_FORWARDABLE;
+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_FORWARDABLE))
+ flags &= ~TKT_FLG_FORWARDABLE;
+
+ /* We don't currently handle issuing anonymous tickets based on
+ * non-anonymous ones. */
+ if (header_enc != NULL && !(header_enc->flags & TKT_FLG_ANONYMOUS))
+ flags &= ~TKT_FLG_ANONYMOUS;
+
+ return flags;
}
/* Return KRB5KDC_ERR_POLICY if indicators does not contain the required auth
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 25077cbf5..1314bdd58 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -85,16 +85,15 @@ validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
const char **, krb5_pa_data ***);
-int
-validate_forwardable(krb5_kdc_req *, krb5_db_entry,
- krb5_db_entry, krb5_timestamp,
- const char **);
-
int
validate_tgs_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry,
krb5_ticket *, krb5_timestamp,
const char **, krb5_pa_data ***);
+krb5_flags
+get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_enc_tkt_part *header_enc);
+
krb5_error_code
check_indicators(krb5_context context, krb5_db_entry *server,
krb5_data *const *indicators);
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index 907fcd330..554345ba5 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -63,9 +63,9 @@ static check_tgs_svc_pol_fn * const svc_pol_fns[] = {
};
static const struct tgsflagrule tgsflagrules[] = {
- { (KDC_OPT_FORWARDED | KDC_OPT_FORWARDABLE), TKT_FLG_FORWARDABLE,
+ { KDC_OPT_FORWARDED, TKT_FLG_FORWARDABLE,
"TGT NOT FORWARDABLE", KDC_ERR_BADOPTION },
- { (KDC_OPT_PROXY | KDC_OPT_PROXIABLE), TKT_FLG_PROXIABLE,
+ { KDC_OPT_PROXY, TKT_FLG_PROXIABLE,
"TGT NOT PROXIABLE", KDC_ERR_BADOPTION },
{ (KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED), TKT_FLG_MAY_POSTDATE,
"TGT NOT POSTDATABLE", KDC_ERR_BADOPTION },
@@ -98,12 +98,8 @@ check_tgs_opts(krb5_kdc_req *req, krb5_ticket *tkt, const char **status)
}
static const struct tgsflagrule svcdenyrules[] = {
- { KDC_OPT_FORWARDABLE, KRB5_KDB_DISALLOW_FORWARDABLE,
- "NON-FORWARDABLE TICKET", KDC_ERR_POLICY },
{ KDC_OPT_RENEWABLE, KRB5_KDB_DISALLOW_RENEWABLE,
"NON-RENEWABLE TICKET", KDC_ERR_POLICY },
- { KDC_OPT_PROXIABLE, KRB5_KDB_DISALLOW_PROXIABLE,
- "NON-PROXIABLE TICKET", KDC_ERR_POLICY },
{ KDC_OPT_ALLOW_POSTDATE, KRB5_KDB_DISALLOW_POSTDATED,
"NON-POSTDATABLE TICKET", KDC_ERR_CANNOT_POSTDATE },
{ KDC_OPT_ENC_TKT_IN_SKEY, KRB5_KDB_DISALLOW_DUP_SKEY,
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index c96c5d6b7..d2a37c616 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -171,6 +171,7 @@ check-pytests: unlockiter
$(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_kdcoptions.py $(PYTESTFLAGS)
clean:
$(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred
diff --git a/src/tests/gcred.c b/src/tests/gcred.c
index cb0ae6af5..b14e4fc9a 100644
--- a/src/tests/gcred.c
+++ b/src/tests/gcred.c
@@ -66,20 +66,32 @@ main(int argc, char **argv)
krb5_principal client, server;
krb5_ccache ccache;
krb5_creds in_creds, *creds;
+ krb5_flags options = 0;
char *name;
+ int c;
check(krb5_init_context(&ctx));
- /* Parse arguments. */
- assert(argc == 3);
- check(krb5_parse_name(ctx, argv[2], &server));
- if (strcmp(argv[1], "unknown") == 0)
+ while ((c = getopt(argc, argv, "f")) != -1) {
+ switch (c) {
+ case 'f':
+ options |= KRB5_GC_FORWARDABLE;
+ break;
+ default:
+ abort();
+ }
+ }
+ argc -= optind;
+ argv += optind;
+ assert(argc == 2);
+ check(krb5_parse_name(ctx, argv[1], &server));
+ if (strcmp(argv[0], "unknown") == 0)
server->type = KRB5_NT_UNKNOWN;
- else if (strcmp(argv[1], "principal") == 0)
+ else if (strcmp(argv[0], "principal") == 0)
server->type = KRB5_NT_PRINCIPAL;
- else if (strcmp(argv[1], "srv-inst") == 0)
+ else if (strcmp(argv[0], "srv-inst") == 0)
server->type = KRB5_NT_SRV_INST;
- else if (strcmp(argv[1], "srv-hst") == 0)
+ else if (strcmp(argv[0], "srv-hst") == 0)
server->type = KRB5_NT_SRV_HST;
else
abort();
@@ -89,7 +101,7 @@ main(int argc, char **argv)
memset(&in_creds, 0, sizeof(in_creds));
in_creds.client = client;
in_creds.server = server;
- check(krb5_get_credentials(ctx, 0, ccache, &in_creds, &creds));
+ check(krb5_get_credentials(ctx, options, ccache, &in_creds, &creds));
check(krb5_unparse_name(ctx, creds->server, &name));
printf("%s\n", name);
diff --git a/src/tests/t_kdcoptions.py b/src/tests/t_kdcoptions.py
new file mode 100644
index 000000000..7ec57508c
--- /dev/null
+++ b/src/tests/t_kdcoptions.py
@@ -0,0 +1,100 @@
+from k5test import *
+import re
+
+# KDC option test coverage notes:
+#
+# FORWARDABLE here
+# FORWARDED no test
+# PROXIABLE here
+# PROXY no test
+# ALLOW_POSTDATE no test
+# POSTDATED no test
+# RENEWABLE t_renew.py
+# CNAME_IN_ADDL_TKT gssapi/t_s4u.py
+# CANONICALIZE t_kdb.py and various other tests
+# REQUEST_ANONYMOUS t_pkinit.py
+# DISABLE_TRANSITED_CHECK no test
+# RENEWABLE_OK t_renew.py
+# ENC_TKT_IN_SKEY t_u2u.py
+# RENEW t_renew.py
+# VALIDATE no test
+
+# Run klist -f and return the flags on the ticket for svcprinc.
+def get_flags(realm, svcprinc):
+ grab_flags = False
+ for line in realm.run([klist, '-f']).splitlines():
+ if grab_flags:
+ return re.findall(r'Flags: ([a-zA-Z]*)', line)[0]
+ grab_flags = line.endswith(svcprinc)
+
+
+# Get the flags on the ticket for svcprinc, and check for an expected
+# element and an expected-absent element, either of which can be None.
+def check_flags(realm, svcprinc, expected_flag, expected_noflag):
+ flags = get_flags(realm, svcprinc)
+ if expected_flag is not None and not expected_flag in flags:
+ fail('expected flag ' + expected_flag)
+ if expected_noflag is not None and expected_noflag in flags:
+ fail('did not expect flag ' + expected_noflag)
+
+
+# Run kinit with the given flags, and check the flags on the resulting
+# TGT.
+def kinit_check_flags(realm, flags, expected_flag, expected_noflag):
+ realm.kinit(realm.user_princ, password('user'), flags)
+ check_flags(realm, realm.krbtgt_princ, expected_flag, expected_noflag)
+
+
+# Run kinit with kflags. Then get credentials for the host principal
+# with gflags, and check the flags on the resulting ticket.
+def gcred_check_flags(realm, kflags, gflags, expected_flag, expected_noflag):
+ realm.kinit(realm.user_princ, password('user'), kflags)
+ realm.run(['./gcred'] + gflags + ['unknown', realm.host_princ])
+ check_flags(realm, realm.host_princ, expected_flag, expected_noflag)
+
+
+realm = K5Realm()
+
+mark('proxiable (AS)')
+kinit_check_flags(realm, [], None, 'P')
+kinit_check_flags(realm, ['-p'], 'P', None)
+realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.user_princ])
+kinit_check_flags(realm, ['-p'], None, 'P')
+realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.user_princ])
+realm.run([kadminl, 'modprinc', '-allow_proxiable', realm.krbtgt_princ])
+kinit_check_flags(realm, ['-p'], None, 'P')
+realm.run([kadminl, 'modprinc', '+allow_proxiable', realm.krbtgt_princ])
+
+mark('proxiable (TGS)')
+gcred_check_flags(realm, [], [], None, 'P')
+gcred_check_flags(realm, ['-p'], [], 'P', None)
+
+# Not tested: PROXIABLE option set with a non-proxiable TGT (because
+# there is no krb5_get_credentials() flag to request this; would
+# expect a non-proxiable ticket).
+
+# Not tested: proxiable TGT but PROXIABLE flag not set (because we
+# internally set the PROXIABLE option when using a proxiable TGT;
+# would expect a non-proxiable ticket).
+
+mark('forwardable (AS)')
+kinit_check_flags(realm, [], None, 'F')
+kinit_check_flags(realm, ['-f'], 'F', None)
+realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.user_princ])
+kinit_check_flags(realm, ['-f'], None, 'F')
+realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.user_princ])
+realm.run([kadminl, 'modprinc', '-allow_forwardable', realm.krbtgt_princ])
+kinit_check_flags(realm, ['-f'], None, 'F')
+realm.run([kadminl, 'modprinc', '+allow_forwardable', realm.krbtgt_princ])
+
+mark('forwardable (TGS)')
+realm.kinit(realm.user_princ, password('user'))
+gcred_check_flags(realm, [], [], None, 'F')
+gcred_check_flags(realm, [], ['-f'], None, 'F')
+gcred_check_flags(realm, ['-f'], [], 'F', None)
+
+# Not tested: forwardable TGT but FORWARDABLE flag not set (because we
+# internally set the FORWARDABLE option when using a forwardable TGT;
+# would expect a non-proxiable ticket).
+
+success('KDC option tests')

7
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 13%{?dist}
Release: 14%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -85,6 +85,8 @@ Patch112: Remove-confvalidator-utility.patch
Patch113: Remove-ovsec_adm_export-dump-format-support.patch
Patch114: Fix-potential-close-1-in-cc_file.c.patch
Patch115: Check-more-errors-in-OpenSSL-crypto-backend.patch
Patch116: Clear-forwardable-flag-instead-of-denying-request.patch
Patch117: Add-dns_canonicalize_hostname-fallback-support.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -721,6 +723,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Apr 24 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-14
- Add dns_canonicalize_hostname=fallback support
* Wed Apr 24 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-13
- Check more errors in OpenSSL crypto backend