From 39ee644a94c2187f9cda2a0690587b675d5ff575 Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Wed, 27 Sep 2023 18:23:28 +0200
Subject: [PATCH] Allow to make AD-SIGNEDPATH optional
Resolves: RHEL-10514
Signed-off-by: Julien Rische
---
 ...Allow-to-make-AD-SIGNEDPATH-optional.patch | 126 ++++++++++++++++++
 krb5.spec | 7 +-
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
diff --git a/downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch b/downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
new file mode 100644
index 0000000..6f522cd
--- /dev/null
+++ b/downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
@@ -0,0 +1,126 @@
+From 274464a6faaee694c30ae4d1412a8ab516b1a982 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 20 Sep 2023 16:22:06 +0200
+Subject: [PATCH] [downstream] Allow to make AD-SIGNEDPATH optional
+
+MIT krb5 1.20 and newer KDCs do generate a minimal PAC instead of
+AD-SIGNEDPATH. As a consequence, an evidence ticket generated by an
+older KDC would fail to be processed by a newer KDC for a constrained
+delegation request.
+
+This commit modifies this behavior to check the AD-SIGNEDPATH whenever
+it is present in a TGS-REQ, but do not require it in case a PAC is
+provided AND the KDB plugin supports its verification. This is done
+regardless to the fact the constrained delegation request is from a
+local realm or a cross-realm.
+
+To enable this mechanism, the KDB plugin must set the
+"optional_ab_signedpath" string attribute to "true" for the local TGS
+principal.
+---
+ src/include/kdb.h | 1 +
+ src/kdc/kdc_authdata.c | 65 +++++++++++++++++++++++++++++++++---------
+ 2 files changed, 52 insertions(+), 14 deletions(-)
+
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index c56947ab81..95d07d0195 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -136,6 +136,7 @@
+ /* String attribute names recognized by krb5 */
+ #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
+ #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
++#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
+
+ #if !defined(_WIN32)
+
+diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
+index 1ebe872467..c0fcccdf21 100644
+--- a/src/kdc/kdc_authdata.c
++++ b/src/kdc/kdc_authdata.c
+@@ -668,6 +668,13 @@ has_pac(krb5_context context, krb5_authdata **authdata)
+ return has_kdc_issued_authdata(context, authdata, KRB5_AUTHDATA_WIN2K_PAC);
+ }
+
++/* Return true if the AD-SIGNEDPATH is present in authorization data.
 */
++static krb5_boolean
++has_ad_signedpath(krb5_context context, krb5_authdata **authdata)
++{
++ return has_kdc_issued_authdata(context, authdata, KRB5_AUTHDATA_SIGNTICKET);
++}
++
+ /* Verify AD-SIGNTICKET authdata if we need to, and insert an AD-SIGNEDPATH
+ * element if we should. */
+ static krb5_error_code
+@@ -680,24 +687,54 @@ handle_signticket(krb5_context context, unsigned int flags,
+ {
+ krb5_error_code ret = 0;
+ krb5_principal *deleg_path = NULL;
+- krb5_boolean signed_path = FALSE;
+- krb5_boolean s4u2proxy;
++ krb5_boolean s4u2proxy, adsp_present, adsp_optional, adsp_valid = FALSE;
++ char *str;
+
+ s4u2proxy = isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
+
+- /* For cross-realm the Windows PAC must have been verified, and it
+- * fulfills the same role as the signed path. */
+- if (req->msg_type == KRB5_TGS_REQ &&
+- (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) ||
+- !has_pac(context, enc_tkt_req->authorization_data))) {
+- ret = verify_signedpath(context, local_tgt, local_tgt_key, enc_tkt_req,
+- &deleg_path, &signed_path);
+- if (ret)
+- goto cleanup;
++ if (req->msg_type == KRB5_TGS_REQ) {
++ adsp_present = has_ad_signedpath(context,
++ enc_tkt_req->authorization_data);
++
++ /* In case of constained delegation, based on the value of the
++ * "optional_ad_signedpath" string attribute of the local TGS principal:
++ * - "true": in case AD-SIGNEDPATH is absent, the PAC must be present
++ * - "false" or undefined: AD-SIGNEDPATH must be present
++ */
++ if (s4u2proxy && !adsp_present) {
++ ret = krb5_dbe_get_string(context, local_tgt,
++ KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
++ &str);
++ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not
++ * available here.
 */
++ adsp_optional = !ret && str && (strncasecmp(str, "true", 4) == 0
++ || strncasecmp(str, "t", 1) == 0
++ || strncasecmp(str, "yes", 3) == 0
++ || strncasecmp(str, "y", 1) == 0
++ || strncasecmp(str, "1", 1) == 0
++ || strncasecmp(str, "on", 2) == 0);
++
++ if (!adsp_optional ||
++ !has_pac(context, enc_tkt_req->authorization_data)) {
++ ret = KRB5KDC_ERR_BADOPTION;
++ goto cleanup;
++ }
++ }
+
+- if (s4u2proxy && signed_path == FALSE) {
+- ret = KRB5KDC_ERR_BADOPTION;
+- goto cleanup;
++ /* If AD-SIGNEDPATH is present, verify it */
++ if (adsp_present) {
++ ret = verify_signedpath(context, local_tgt, local_tgt_key,
++ enc_tkt_req, &deleg_path, &adsp_valid);
++ if (ret)
++ goto cleanup;
++
++ /* In case of contrained delegation, if AD-SIGNEDPATH is present, it
++ * has to be valid */
++ if (s4u2proxy && !adsp_valid) {
++ ret = KRB5KDC_ERR_BADOPTION;
++ goto cleanup;
++ }
+ }
+ }
+
+--
+2.41.0
+
diff --git a/krb5.spec b/krb5.spec
index f1f242e..df62543 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 25%{?dist}
+Release: 26%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -99,6 +99,7 @@ Patch153: Add-PAC-ticket-signature-APIs.patch
 Patch154: Factor-out-PAC-checksum-verification.patch
 Patch155: Add-PAC-full-checksums.patch
 Patch156: downstream-Support-PAC-full-checksum-w-o-ticket-chec.patch
+Patch157: downstream-Allow-to-make-AD-SIGNEDPATH-optional.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -709,6 +710,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Wed Sep 27 2023 Julien Rische - 1.18.2-26
+- Allow to make AD-SIGNEDPATH optional
+ Resolves: RHEL-10514
+
 * Thu Jul 06 2023 Julien Rische - 1.18.2-25
 - Bump release number
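Review bot: The string that krb5_dbe_get_string() hands back through `&str` in the new `s4u2proxy && !adsp_present` branch of handle_signticket is never released — nothing in either kdc_authdata.c hunk frees it and the cleanup label lies outside the hunk — so every constrained-delegation TGS-REQ without AD-SIGNEDPATH whose local TGT carries the attribute leaks it; declare `char *str = NULL;`, add `krb5_dbe_free_string(context, str);` right after `adsp_optional` is computed, and note that `ret` is only safe to reuse there because the following `if` always overwrites it on the failure path. The truthiness test is a prefix match, so `strncasecmp(str, "t", 1) == 0` or `strncasecmp(str, "1", 1) == 0` also treat values such as "trace" or "10" as "true" and relax the AD-SIGNEDPATH requirement on a mistyped attribute; comparing the whole value with strcasecmp() against the accepted spellings, or exposing the existing boolean parser the TODO mentions, would close that gap. The acceptance path then rests on has_pac(), which per the hunk only tests for the presence of a KDC-issued AD-WIN2K-PAC element; the commit message says this is sound because the KDB plugin verifies the PAC, and that precondition belongs in the comment above the check since nothing in this function enforces it. Documentation nits in the same hunk: the inner commit message names the attribute "optional_ab_signedpath" while the macro defines "optional_ad_signedpath", and the two new comments read "constained" and "contrained" for "constrained". The body of handle_signticket continues past the end of the hunk.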