- pull in patch for RT#7046: tag a ccache containing credentials obtained via

S4U2Proxy with the principal name of the proxying principal (part of #761317)
This commit is contained in:
Nalin Dahyabhai 2011-12-13 10:47:31 -05:00
parent 03e76d7832
commit fb7c02faff
2 changed files with 307 additions and 0 deletions

301
krb5-trunk-7046.patch Normal file
View File

@ -0,0 +1,301 @@
commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:13 2011 +0000
ticket: 7046
subject: Allow S4U2Proxy delegated credentials to be saved
The initial implementation of client-side S4U2Proxy support did not
allow delegated proxy credentials to be stored (gss_store_cred would
error out, and gss_krb5_copy_ccache would generate a non-working
cache). To make this work, we save the impersonator name in a cache
config variable and in a cred structure field (replacing the
proxy_cred flag), and make the default principal of the proxy cache
the subject principal as the caller would expect for a regular
delegated cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 514e2ea..b25c159 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
+
+/* Cache configuration variables */
#define KRB5_CONF_FAST_AVAIL "fast_avail"
+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index c815b35..c08e059 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
return 0;
}
+/* If an impersonator config entry exists in ccache, set *impersonator_out to
+ * the parsed principal. Otherwise set *impersonator_out to NULL. */
+static krb5_error_code
+get_impersonator(krb5_context context, krb5_ccache ccache,
+ krb5_principal *impersonator_out)
+{
+ krb5_error_code code;
+ krb5_data data = empty_data(), data0 = empty_data();
+
+ *impersonator_out = NULL;
+
+ code = krb5_cc_get_config(context, ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ if (code)
+ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
+
+ code = krb5int_copy_data_contents_add0(context, &data, &data0);
+ if (code)
+ goto cleanup;
+
+ code = krb5_parse_name(context, data0.data, impersonator_out);
+
+cleanup:
+ krb5_free_data_contents(context, &data);
+ krb5_free_data_contents(context, &data0);
+ return code;
+}
+
/* Check ccache and scan it for its expiry time. On success, cred takes
* ownership of ccache. */
static krb5_error_code
@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
goto cleanup;
}
+ code = get_impersonator(context, ccache, &cred->impersonator);
+ if (code)
+ goto cleanup;
+
(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
cred->ccache = ccache;
@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
cred->usage = args->cred_usage;
cred->name = NULL;
+ cred->impersonator = NULL;
cred->iakerb_mech = args->iakerb;
cred->default_identity = (name == NULL);
#ifndef LEAN_CLIENT
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 016a2e6..6b7d530 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
/* name/type of credential */
gss_cred_usage_t usage;
krb5_gss_name_t name;
- unsigned int proxy_cred : 1;
+ krb5_principal impersonator;
unsigned int default_identity : 1;
unsigned int iakerb_mech : 1;
unsigned int destroy_ccache : 1;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 1b8120c..d7b9ffa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
krb5_error_code code;
krb5_creds in_creds, evidence_creds, *result_creds = NULL;
krb5_flags flags = 0;
- krb5_principal cc_princ = NULL;
*out_creds = NULL;
@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
assert(cred->name != NULL);
- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
- goto cleanup;
-
/*
* Do constrained delegation if we have proxy credentials and
* we're not trying to get a ticket to ourselves (in which case
* we can just use the S4U2Self or evidence ticket directly).
*/
- if (cred->proxy_cred &&
- !krb5_principal_compare(context, cc_princ, server->princ)) {
+ if (cred->impersonator &&
+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
flags |= KRB5_GC_CANONICALIZE |
@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
memset(&mcreds, 0, sizeof(mcreds));
mcreds.magic = KV5M_CREDS;
- mcreds.times.endtime = cred->tgt_expire;
- mcreds.server = cc_princ;
+ mcreds.server = cred->impersonator;
mcreds.client = cred->name->princ;
code = krb5_cc_retrieve_cred(context, cred->ccache,
- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
- &mcreds,
+ KRB5_TC_MATCH_AUTHDATA, &mcreds,
&evidence_creds);
if (code)
goto cleanup;
assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
- in_creds.client = cc_princ;
+ in_creds.client = cred->impersonator;
in_creds.second_ticket = evidence_creds.ticket;
} else {
in_creds.client = cred->name->princ;
@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
cleanup:
krb5_free_authdata(context, in_creds.authdata);
- krb5_free_principal(context, cc_princ);
krb5_free_cred_contents(context, &evidence_creds);
krb5_free_creds(context, result_creds);
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 5b2ea2f..4fd3694 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
if (cred->name)
kg_release_name(context, &cred->name);
+ krb5_free_principal(context, cred->impersonator);
+
if (cred->req_enctypes)
free(cred->req_enctypes);
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 4ac2ce3..4b37c5a 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
}
+/*
+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
+ * creds, setting a cache config variable with the impersonator principal name,
+ * and saving the impersonator principal name in the cred structure.
+ */
+static krb5_error_code
+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
+ krb5_gss_cred_id_t impersonator_cred)
+{
+ krb5_error_code code;
+ krb5_data data;
+ char *str;
+
+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+ cred->ccache);
+ if (code)
+ return code;
+
+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
+ if (code)
+ return code;
+
+ data = string2data(str);
+ code = krb5_cc_set_config(context, cred->ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ krb5_free_unparsed_name(context, str);
+ if (code)
+ return code;
+
+ return krb5_copy_principal(context, impersonator_cred->name->princ,
+ &cred->impersonator);
+}
+
OM_uint32
kg_compose_deleg_cred(OM_uint32 *minor_status,
krb5_gss_cred_id_t impersonator_cred,
@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (!kg_is_initiator_cred(impersonator_cred) ||
impersonator_cred->name == NULL ||
- impersonator_cred->proxy_cred) {
+ impersonator_cred->impersonator != NULL) {
code = G_BAD_USAGE;
goto cleanup;
}
@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (code != 0)
goto cleanup;
- /*
- * Only return a "proxy" credential for use with constrained
- * delegation if the subject credentials are forwardable.
- * Submitting non-forwardable credentials to the KDC for use
- * with constrained delegation will only return an error.
- */
cred->usage = GSS_C_INITIATE;
- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
cred->tgt_expire = subject_creds->times.endtime;
@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
goto cleanup;
cred->destroy_ccache = 1;
- code = krb5_cc_initialize(context, cred->ccache,
- cred->proxy_cred ? impersonator_cred->name->princ :
- subject_creds->client);
+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
if (code != 0)
goto cleanup;
- if (cred->proxy_cred) {
- /* Impersonator's TGT will be necessary for S4U2Proxy */
- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
- cred->ccache);
+ /*
+ * Only return a "proxy" credential for use with constrained
+ * delegation if the subject credentials are forwardable.
+ * Submitting non-forwardable credentials to the KDC for use
+ * with constrained delegation will only return an error.
+ */
+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
+ code = make_proxy_cred(context, cred, impersonator_cred);
if (code != 0)
goto cleanup;
}
diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
index bff3cde..d587589 100644
--- a/src/lib/gssapi/krb5/store_cred.c
+++ b/src/lib/gssapi/krb5/store_cred.c
@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
kcred = (krb5_gss_cred_id_t)input_cred_handle;
- if (kcred->ccache == NULL || kcred->proxy_cred) {
+ if (kcred->ccache == NULL) {
*minor_status = KG_CCACHE_NOMATCH;
major_status = GSS_S_DEFECTIVE_CREDENTIAL;
goto cleanup;
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index e87f249..46a9ae1 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- if (!cred->proxy_cred &&
- !krb5_principal_compare(context, princ, cred->name->princ)) {
+ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);

View File

@ -59,6 +59,7 @@ Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch
Patch92: krb5-1.10-alpha1-uninit.patch
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
Patch100: krb5-trunk-7046.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -225,6 +226,7 @@ ln -s NOTICE LICENSE
#%patch75 -p1 -b .pkinit-debug
%patch86 -p0 -b .debuginfo
%patch93 -p1 -b .2011-007
%patch100 -p1 -b .7046
# XXX Temporary, backported from trunk.
%patch92 -p1 -b .uninit
# XXX Temporary, fixed properly in trunk.
@ -739,6 +741,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com>
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
- apply upstream patch to fix a null pointer dereference when processing
TGS requests (CVE-2011-1530, #753748)