- pull in patch for RT#7046: tag a ccache containing credentials obtained via
S4U2Proxy with the principal name of the proxying principal (part of #761317)
This commit is contained in:
parent
03e76d7832
commit
fb7c02faff
301
krb5-trunk-7046.patch
Normal file
301
krb5-trunk-7046.patch
Normal file
@ -0,0 +1,301 @@
|
||||
commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
|
||||
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
|
||||
Date: Wed Dec 7 19:38:13 2011 +0000
|
||||
|
||||
ticket: 7046
|
||||
subject: Allow S4U2Proxy delegated credentials to be saved
|
||||
|
||||
The initial implementation of client-side S4U2Proxy support did not
|
||||
allow delegated proxy credentials to be stored (gss_store_cred would
|
||||
error out, and gss_krb5_copy_ccache would generate a non-working
|
||||
cache). To make this work, we save the impersonator name in a cache
|
||||
config variable and in a cred structure field (replacing the
|
||||
proxy_cred flag), and make the default principal of the proxy cache
|
||||
the subject principal as the caller would expect for a regular
|
||||
delegated cred.
|
||||
|
||||
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
|
||||
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 514e2ea..b25c159 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
|
||||
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
|
||||
#define KRB5_CONF_V4_REALM "v4_realm"
|
||||
#define KRB5_CONF_ASTERISK "*"
|
||||
+
|
||||
+/* Cache configuration variables */
|
||||
#define KRB5_CONF_FAST_AVAIL "fast_avail"
|
||||
+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
|
||||
|
||||
/* Error codes used in KRB_ERROR protocol messages.
|
||||
Return values of library routines are based on a different error table
|
||||
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
index c815b35..c08e059 100644
|
||||
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* If an impersonator config entry exists in ccache, set *impersonator_out to
|
||||
+ * the parsed principal. Otherwise set *impersonator_out to NULL. */
|
||||
+static krb5_error_code
|
||||
+get_impersonator(krb5_context context, krb5_ccache ccache,
|
||||
+ krb5_principal *impersonator_out)
|
||||
+{
|
||||
+ krb5_error_code code;
|
||||
+ krb5_data data = empty_data(), data0 = empty_data();
|
||||
+
|
||||
+ *impersonator_out = NULL;
|
||||
+
|
||||
+ code = krb5_cc_get_config(context, ccache, NULL,
|
||||
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
|
||||
+ if (code)
|
||||
+ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
|
||||
+
|
||||
+ code = krb5int_copy_data_contents_add0(context, &data, &data0);
|
||||
+ if (code)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ code = krb5_parse_name(context, data0.data, impersonator_out);
|
||||
+
|
||||
+cleanup:
|
||||
+ krb5_free_data_contents(context, &data);
|
||||
+ krb5_free_data_contents(context, &data0);
|
||||
+ return code;
|
||||
+}
|
||||
+
|
||||
/* Check ccache and scan it for its expiry time. On success, cred takes
|
||||
* ownership of ccache. */
|
||||
static krb5_error_code
|
||||
@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+ code = get_impersonator(context, ccache, &cred->impersonator);
|
||||
+ if (code)
|
||||
+ goto cleanup;
|
||||
+
|
||||
(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
|
||||
cred->ccache = ccache;
|
||||
|
||||
@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
|
||||
|
||||
cred->usage = args->cred_usage;
|
||||
cred->name = NULL;
|
||||
+ cred->impersonator = NULL;
|
||||
cred->iakerb_mech = args->iakerb;
|
||||
cred->default_identity = (name == NULL);
|
||||
#ifndef LEAN_CLIENT
|
||||
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
index 016a2e6..6b7d530 100644
|
||||
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||
@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
|
||||
/* name/type of credential */
|
||||
gss_cred_usage_t usage;
|
||||
krb5_gss_name_t name;
|
||||
- unsigned int proxy_cred : 1;
|
||||
+ krb5_principal impersonator;
|
||||
unsigned int default_identity : 1;
|
||||
unsigned int iakerb_mech : 1;
|
||||
unsigned int destroy_ccache : 1;
|
||||
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
|
||||
index 1b8120c..d7b9ffa 100644
|
||||
--- a/src/lib/gssapi/krb5/init_sec_context.c
|
||||
+++ b/src/lib/gssapi/krb5/init_sec_context.c
|
||||
@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
|
||||
krb5_error_code code;
|
||||
krb5_creds in_creds, evidence_creds, *result_creds = NULL;
|
||||
krb5_flags flags = 0;
|
||||
- krb5_principal cc_princ = NULL;
|
||||
|
||||
*out_creds = NULL;
|
||||
|
||||
@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
|
||||
|
||||
assert(cred->name != NULL);
|
||||
|
||||
- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
|
||||
- goto cleanup;
|
||||
-
|
||||
/*
|
||||
* Do constrained delegation if we have proxy credentials and
|
||||
* we're not trying to get a ticket to ourselves (in which case
|
||||
* we can just use the S4U2Self or evidence ticket directly).
|
||||
*/
|
||||
- if (cred->proxy_cred &&
|
||||
- !krb5_principal_compare(context, cc_princ, server->princ)) {
|
||||
+ if (cred->impersonator &&
|
||||
+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
|
||||
krb5_creds mcreds;
|
||||
|
||||
flags |= KRB5_GC_CANONICALIZE |
|
||||
@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
|
||||
memset(&mcreds, 0, sizeof(mcreds));
|
||||
|
||||
mcreds.magic = KV5M_CREDS;
|
||||
- mcreds.times.endtime = cred->tgt_expire;
|
||||
- mcreds.server = cc_princ;
|
||||
+ mcreds.server = cred->impersonator;
|
||||
mcreds.client = cred->name->princ;
|
||||
|
||||
code = krb5_cc_retrieve_cred(context, cred->ccache,
|
||||
- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
|
||||
- &mcreds,
|
||||
+ KRB5_TC_MATCH_AUTHDATA, &mcreds,
|
||||
&evidence_creds);
|
||||
if (code)
|
||||
goto cleanup;
|
||||
|
||||
assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
|
||||
|
||||
- in_creds.client = cc_princ;
|
||||
+ in_creds.client = cred->impersonator;
|
||||
in_creds.second_ticket = evidence_creds.ticket;
|
||||
} else {
|
||||
in_creds.client = cred->name->princ;
|
||||
@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
|
||||
|
||||
cleanup:
|
||||
krb5_free_authdata(context, in_creds.authdata);
|
||||
- krb5_free_principal(context, cc_princ);
|
||||
krb5_free_cred_contents(context, &evidence_creds);
|
||||
krb5_free_creds(context, result_creds);
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
|
||||
index 5b2ea2f..4fd3694 100644
|
||||
--- a/src/lib/gssapi/krb5/rel_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/rel_cred.c
|
||||
@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
|
||||
if (cred->name)
|
||||
kg_release_name(context, &cred->name);
|
||||
|
||||
+ krb5_free_principal(context, cred->impersonator);
|
||||
+
|
||||
if (cred->req_enctypes)
|
||||
free(cred->req_enctypes);
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
||||
index 4ac2ce3..4b37c5a 100644
|
||||
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
|
||||
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
|
||||
@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
|
||||
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
|
||||
+ * creds, setting a cache config variable with the impersonator principal name,
|
||||
+ * and saving the impersonator principal name in the cred structure.
|
||||
+ */
|
||||
+static krb5_error_code
|
||||
+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
|
||||
+ krb5_gss_cred_id_t impersonator_cred)
|
||||
+{
|
||||
+ krb5_error_code code;
|
||||
+ krb5_data data;
|
||||
+ char *str;
|
||||
+
|
||||
+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
|
||||
+ cred->ccache);
|
||||
+ if (code)
|
||||
+ return code;
|
||||
+
|
||||
+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
|
||||
+ if (code)
|
||||
+ return code;
|
||||
+
|
||||
+ data = string2data(str);
|
||||
+ code = krb5_cc_set_config(context, cred->ccache, NULL,
|
||||
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
|
||||
+ krb5_free_unparsed_name(context, str);
|
||||
+ if (code)
|
||||
+ return code;
|
||||
+
|
||||
+ return krb5_copy_principal(context, impersonator_cred->name->princ,
|
||||
+ &cred->impersonator);
|
||||
+}
|
||||
+
|
||||
OM_uint32
|
||||
kg_compose_deleg_cred(OM_uint32 *minor_status,
|
||||
krb5_gss_cred_id_t impersonator_cred,
|
||||
@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
|
||||
|
||||
if (!kg_is_initiator_cred(impersonator_cred) ||
|
||||
impersonator_cred->name == NULL ||
|
||||
- impersonator_cred->proxy_cred) {
|
||||
+ impersonator_cred->impersonator != NULL) {
|
||||
code = G_BAD_USAGE;
|
||||
goto cleanup;
|
||||
}
|
||||
@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
|
||||
if (code != 0)
|
||||
goto cleanup;
|
||||
|
||||
- /*
|
||||
- * Only return a "proxy" credential for use with constrained
|
||||
- * delegation if the subject credentials are forwardable.
|
||||
- * Submitting non-forwardable credentials to the KDC for use
|
||||
- * with constrained delegation will only return an error.
|
||||
- */
|
||||
cred->usage = GSS_C_INITIATE;
|
||||
- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
|
||||
|
||||
cred->tgt_expire = subject_creds->times.endtime;
|
||||
|
||||
@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
|
||||
goto cleanup;
|
||||
cred->destroy_ccache = 1;
|
||||
|
||||
- code = krb5_cc_initialize(context, cred->ccache,
|
||||
- cred->proxy_cred ? impersonator_cred->name->princ :
|
||||
- subject_creds->client);
|
||||
+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
|
||||
if (code != 0)
|
||||
goto cleanup;
|
||||
|
||||
- if (cred->proxy_cred) {
|
||||
- /* Impersonator's TGT will be necessary for S4U2Proxy */
|
||||
- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
|
||||
- cred->ccache);
|
||||
+ /*
|
||||
+ * Only return a "proxy" credential for use with constrained
|
||||
+ * delegation if the subject credentials are forwardable.
|
||||
+ * Submitting non-forwardable credentials to the KDC for use
|
||||
+ * with constrained delegation will only return an error.
|
||||
+ */
|
||||
+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
|
||||
+ code = make_proxy_cred(context, cred, impersonator_cred);
|
||||
if (code != 0)
|
||||
goto cleanup;
|
||||
}
|
||||
diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
|
||||
index bff3cde..d587589 100644
|
||||
--- a/src/lib/gssapi/krb5/store_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/store_cred.c
|
||||
@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
|
||||
|
||||
kcred = (krb5_gss_cred_id_t)input_cred_handle;
|
||||
|
||||
- if (kcred->ccache == NULL || kcred->proxy_cred) {
|
||||
+ if (kcred->ccache == NULL) {
|
||||
*minor_status = KG_CCACHE_NOMATCH;
|
||||
major_status = GSS_S_DEFECTIVE_CREDENTIAL;
|
||||
goto cleanup;
|
||||
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
|
||||
index e87f249..46a9ae1 100644
|
||||
--- a/src/lib/gssapi/krb5/val_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/val_cred.c
|
||||
@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
|
||||
*minor_status = code;
|
||||
return(GSS_S_DEFECTIVE_CREDENTIAL);
|
||||
}
|
||||
- if (!cred->proxy_cred &&
|
||||
- !krb5_principal_compare(context, princ, cred->name->princ)) {
|
||||
+ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
|
||||
k5_mutex_unlock(&cred->lock);
|
||||
*minor_status = KG_CCACHE_NOMATCH;
|
||||
return(GSS_S_DEFECTIVE_CREDENTIAL);
|
@ -59,6 +59,7 @@ Patch75: krb5-pkinit-debug.patch
|
||||
Patch86: krb5-1.9-debuginfo.patch
|
||||
Patch92: krb5-1.10-alpha1-uninit.patch
|
||||
Patch93: http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
|
||||
Patch100: krb5-trunk-7046.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -225,6 +226,7 @@ ln -s NOTICE LICENSE
|
||||
#%patch75 -p1 -b .pkinit-debug
|
||||
%patch86 -p0 -b .debuginfo
|
||||
%patch93 -p1 -b .2011-007
|
||||
%patch100 -p1 -b .7046
|
||||
# XXX Temporary, backported from trunk.
|
||||
%patch92 -p1 -b .uninit
|
||||
# XXX Temporary, fixed properly in trunk.
|
||||
@ -739,6 +741,10 @@ exit 0
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
%changelog
|
||||
* Tue Dec 13 2011 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- pull in patch for RT#7046: tag a ccache containing credentials obtained via
|
||||
S4U2Proxy with the principal name of the proxying principal (part of #761317)
|
||||
|
||||
* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.10-0.alpha1.2
|
||||
- apply upstream patch to fix a null pointer dereference when processing
|
||||
TGS requests (CVE-2011-1530, #753748)
|
||||
|
Loading…
Reference in New Issue
Block a user