277 lines
12 KiB
Diff
277 lines
12 KiB
Diff
From 5ace3ea56c0d507ca3d976d06c0e68aa63c52f26 Mon Sep 17 00:00:00 2001
|
|
From: Julien Rische <jrische@redhat.com>
|
|
Date: Wed, 15 Mar 2023 15:56:34 +0100
|
|
Subject: [PATCH] [downstream] Allow to set PAC ticket signature as optional
|
|
|
|
MS-PAC states that "The ticket signature SHOULD be included in tickets
|
|
that are not encrypted to the krbtgt account". However, the
|
|
implementation of krb5_kdc_verify_ticket() will require the ticket
|
|
signature to be present in case the target of the request is a service
|
|
principal.
|
|
|
|
In gradual upgrade environments, it results in S4U2Proxy requests
|
|
against a 1.20 KDC using a service ticket generated by an older version
|
|
KDC to fail.
|
|
|
|
This commit adds a krb5_kdc_verify_ticket_ext() function with an extra
|
|
switch parameter to tolerate the absence of ticket signature in this
|
|
scenario. If the ticket signature is present, it has to be valid,
|
|
regardless of this parameter.
|
|
|
|
This parameter is set based on the "optional_pac_tkt_chksum" string
|
|
attribute of the TGT KDB entry.
|
|
---
|
|
doc/admin/admin_commands/kadmin_local.rst | 6 ++++
|
|
doc/appdev/refs/api/index.rst | 1 +
|
|
src/include/kdb.h | 1 +
|
|
src/include/krb5/krb5.hin | 40 +++++++++++++++++++++++
|
|
src/kdc/kdc_util.c | 26 ++++++++++++---
|
|
src/lib/krb5/krb/pac.c | 31 +++++++++++++++---
|
|
src/lib/krb5/libkrb5.exports | 1 +
|
|
src/lib/krb5_32.def | 1 +
|
|
src/man/kadmin.man | 6 ++++
|
|
9 files changed, 105 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
|
|
index cf75e61584..45cce8bb57 100644
|
|
--- a/doc/admin/admin_commands/kadmin_local.rst
|
|
+++ b/doc/admin/admin_commands/kadmin_local.rst
|
|
@@ -671,6 +671,12 @@ KDC:
|
|
is in the same format as those used by the **pkinit_cert_match**
|
|
option in :ref:`krb5.conf(5)`. (New in release 1.16.)
|
|
|
|
+**optional_pac_tkt_chksum**
|
|
+ Boolean value defining the behavior of the KDC in case an expected
|
|
+ ticket checksum signed with one of this principal keys is not
|
|
+ present in the PAC. This is typically the case for TGS or
|
|
+ cross-realm TGS principals when processing S4U2Proxy requests.
|
|
+
|
|
This command requires the **modify** privilege.
|
|
|
|
Alias: **setstr**
|
|
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
|
|
index d12be47c3c..9b95ebd0f9 100644
|
|
--- a/doc/appdev/refs/api/index.rst
|
|
+++ b/doc/appdev/refs/api/index.rst
|
|
@@ -225,6 +225,7 @@ Rarely used public interfaces
|
|
krb5_is_referral_realm.rst
|
|
krb5_kdc_sign_ticket.rst
|
|
krb5_kdc_verify_ticket.rst
|
|
+ krb5_kdc_verify_ticket_ext.rst
|
|
krb5_kt_add_entry.rst
|
|
krb5_kt_end_seq_get.rst
|
|
krb5_kt_get_entry.rst
|
|
diff --git a/src/include/kdb.h b/src/include/kdb.h
|
|
index 21bddcfb88..b65c300d8a 100644
|
|
--- a/src/include/kdb.h
|
|
+++ b/src/include/kdb.h
|
|
@@ -134,6 +134,7 @@
|
|
/* String attribute names recognized by krb5 */
|
|
#define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes"
|
|
#define KRB5_KDB_SK_REQUIRE_AUTH "require_auth"
|
|
+#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"
|
|
|
|
#if !defined(_WIN32)
|
|
|
|
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
|
index 2ba4010514..404719a3a4 100644
|
|
--- a/src/include/krb5/krb5.hin
|
|
+++ b/src/include/krb5/krb5.hin
|
|
@@ -8355,6 +8355,46 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
const krb5_keyblock *server,
|
|
const krb5_keyblock *privsvr, krb5_pac *pac_out);
|
|
|
|
+/**
|
|
+ * Verify a PAC, possibly including ticket signature
|
|
+ *
|
|
+ * @param [in] context Library context
|
|
+ * @param [in] enc_tkt Ticket enc-part, possibly containing a PAC
|
|
+ * @param [in] server_princ Canonicalized name of ticket server
|
|
+ * @param [in] server Key to validate server checksum (or NULL)
|
|
+ * @param [in] privsvr Key to validate KDC checksum (or NULL)
|
|
+ * @paran [in] optional_tkt_chksum Whether to require a ticket checksum
|
|
+ * @param [out] pac_out Verified PAC (NULL if no PAC included)
|
|
+ *
|
|
+ * This function is an extension of krb5_kdc_verify_ticket(), adding the @a
|
|
+ * optional_tkt_chksum parameter allowing to tolerate the absence of the PAC
|
|
+ * ticket signature.
|
|
+ *
|
|
+ * If a PAC is present in @a enc_tkt, verify its signatures. If @a privsvr is
|
|
+ * not NULL and @a server_princ is not a krbtgt or kadmin/changepw service and
|
|
+ * @a optional_tkt_chksum is FALSE, require a ticket signature over @a enc_tkt
|
|
+ * in addition to the KDC signature. Place the verified PAC in @a pac_out. If
|
|
+ * an invalid PAC signature is found, return an error matching the Windows KDC
|
|
+ * protocol code for that condition as closely as possible.
|
|
+ *
|
|
+ * If no PAC is present in @a enc_tkt, set @a pac_out to NULL and return
|
|
+ * successfully.
|
|
+ *
|
|
+ * @note This function does not validate the PAC_CLIENT_INFO buffer. If a
|
|
+ * specific value is expected, the caller can make a separate call to
|
|
+ * krb5_pac_verify_ext() with a principal but no keys.
|
|
+ *
|
|
+ * @retval 0 Success; otherwise - Kerberos error codes
|
|
+ */
|
|
+krb5_error_code KRB5_CALLCONV
|
|
+krb5_kdc_verify_ticket_ext(krb5_context context,
|
|
+ const krb5_enc_tkt_part *enc_tkt,
|
|
+ krb5_const_principal server_princ,
|
|
+ const krb5_keyblock *server,
|
|
+ const krb5_keyblock *privsvr,
|
|
+ krb5_boolean optional_tkt_chksum,
|
|
+ krb5_pac *pac_out);
|
|
+
|
|
/** @deprecated Use krb5_kdc_sign_ticket() instead. */
|
|
krb5_error_code KRB5_CALLCONV
|
|
krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
|
|
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
|
|
index b7a9aa4992..bdf1bf2dc8 100644
|
|
--- a/src/kdc/kdc_util.c
|
|
+++ b/src/kdc/kdc_util.c
|
|
@@ -535,6 +535,8 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
krb5_key_data *kd;
|
|
krb5_keyblock old_key;
|
|
krb5_kvno kvno;
|
|
+ krb5_boolean optional_tkt_chksum;
|
|
+ char *str = NULL;
|
|
int tries;
|
|
|
|
*pac_out = NULL;
|
|
@@ -545,8 +547,23 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
NULL, pac_out);
|
|
}
|
|
|
|
- ret = krb5_kdc_verify_ticket(context, enc_tkt, sprinc, server_key,
|
|
- tgt_key, pac_out);
|
|
+ /* Check if the absence of ticket signature is tolerated for this realm */
|
|
+ ret = krb5_dbe_get_string(context, tgt,
|
|
+ KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM, &str);
|
|
+ /* TODO: should be using _krb5_conf_boolean(), but os-proto.h is not
|
|
+ * available here.
|
|
+ */
|
|
+ optional_tkt_chksum = !ret && str && (strncasecmp(str, "true", 4) == 0
|
|
+ || strncasecmp(str, "t", 1) == 0
|
|
+ || strncasecmp(str, "yes", 3) == 0
|
|
+ || strncasecmp(str, "y", 1) == 0
|
|
+ || strncasecmp(str, "1", 1) == 0
|
|
+ || strncasecmp(str, "on", 2) == 0);
|
|
+
|
|
+ krb5_dbe_free_string(context, str);
|
|
+
|
|
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, sprinc, server_key,
|
|
+ tgt_key, optional_tkt_chksum, pac_out);
|
|
if (ret != KRB5KRB_AP_ERR_MODIFIED && ret != KRB5_BAD_ENCTYPE)
|
|
return ret;
|
|
|
|
@@ -559,8 +576,9 @@ get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &old_key, NULL);
|
|
if (ret)
|
|
return ret;
|
|
- ret = krb5_kdc_verify_ticket(context, enc_tkt, sprinc, server_key,
|
|
- &old_key, pac_out);
|
|
+ ret = krb5_kdc_verify_ticket_ext(context, enc_tkt, sprinc, server_key,
|
|
+ &old_key, optional_tkt_chksum,
|
|
+ pac_out);
|
|
krb5_free_keyblock_contents(context, &old_key);
|
|
if (!ret)
|
|
return 0;
|
|
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
|
index 954482e0c7..738887b388 100644
|
|
--- a/src/lib/krb5/krb/pac.c
|
|
+++ b/src/lib/krb5/krb/pac.c
|
|
@@ -636,6 +636,19 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
krb5_const_principal server_princ,
|
|
const krb5_keyblock *server,
|
|
const krb5_keyblock *privsvr, krb5_pac *pac_out)
|
|
+{
|
|
+ return krb5_kdc_verify_ticket_ext(context, enc_tkt, server_princ, server,
|
|
+ privsvr, FALSE, pac_out);
|
|
+}
|
|
+
|
|
+krb5_error_code KRB5_CALLCONV
|
|
+krb5_kdc_verify_ticket_ext(krb5_context context,
|
|
+ const krb5_enc_tkt_part *enc_tkt,
|
|
+ krb5_const_principal server_princ,
|
|
+ const krb5_keyblock *server,
|
|
+ const krb5_keyblock *privsvr,
|
|
+ krb5_boolean optional_tkt_chksum,
|
|
+ krb5_pac *pac_out)
|
|
{
|
|
krb5_error_code ret;
|
|
krb5_pac pac = NULL;
|
|
@@ -643,7 +656,7 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
krb5_authdata **authdata, *orig, **ifrel = NULL, **recoded_ifrel = NULL;
|
|
uint8_t z = 0;
|
|
krb5_authdata zpac = { KV5M_AUTHDATA, KRB5_AUTHDATA_WIN2K_PAC, 1, &z };
|
|
- krb5_boolean is_service_tkt;
|
|
+ krb5_boolean is_service_tkt, has_tkt_chksum = FALSE;
|
|
size_t i, j;
|
|
|
|
*pac_out = NULL;
|
|
@@ -706,11 +719,21 @@ krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt,
|
|
|
|
ret = verify_checksum(context, pac, KRB5_PAC_TICKET_CHECKSUM, privsvr,
|
|
KRB5_KEYUSAGE_APP_DATA_CKSUM, recoded_tkt);
|
|
- if (ret)
|
|
- goto cleanup;
|
|
+ if (ret) {
|
|
+ if (!optional_tkt_chksum)
|
|
+ goto cleanup;
|
|
+ else if (ret != ENOENT)
|
|
+ goto cleanup;
|
|
+ /* Otherwise ticket signature is absent but optional. Proceed... */
|
|
+ } else {
|
|
+ has_tkt_chksum = TRUE;
|
|
+ }
|
|
}
|
|
+ /* Else, we make the assumption the ticket signature is absent in case this
|
|
+ * is not a service ticket.
|
|
+ */
|
|
|
|
- ret = verify_pac_checksums(context, pac, is_service_tkt, server, privsvr);
|
|
+ ret = verify_pac_checksums(context, pac, has_tkt_chksum, server, privsvr);
|
|
if (ret)
|
|
goto cleanup;
|
|
|
|
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
|
|
index 4c50e935a2..d4b0455c8c 100644
|
|
--- a/src/lib/krb5/libkrb5.exports
|
|
+++ b/src/lib/krb5/libkrb5.exports
|
|
@@ -463,6 +463,7 @@ krb5_is_thread_safe
|
|
krb5_kdc_rep_decrypt_proc
|
|
krb5_kdc_sign_ticket
|
|
krb5_kdc_verify_ticket
|
|
+krb5_kdc_verify_ticket_ext
|
|
krb5_kt_add_entry
|
|
krb5_kt_client_default
|
|
krb5_kt_close
|
|
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
|
|
index b1610974b1..6ecd92c1ec 100644
|
|
--- a/src/lib/krb5_32.def
|
|
+++ b/src/lib/krb5_32.def
|
|
@@ -510,3 +510,4 @@ EXPORTS
|
|
k5_sname_compare @474 ; PRIVATE GSSAPI
|
|
krb5_kdc_sign_ticket @475 ;
|
|
krb5_kdc_verify_ticket @476 ;
|
|
+ krb5_kdc_verify_ticket_ext @477 ;
|
|
diff --git a/src/man/kadmin.man b/src/man/kadmin.man
|
|
index 73e1b03cdb..54efd4ebc9 100644
|
|
--- a/src/man/kadmin.man
|
|
+++ b/src/man/kadmin.man
|
|
@@ -715,6 +715,12 @@ attributes required for the client certificate used by the
|
|
principal during PKINIT authentication. The matching expression
|
|
is in the same format as those used by the \fBpkinit_cert_match\fP
|
|
option in krb5.conf(5)\&. (New in release 1.16.)
|
|
+.TP
|
|
+\fBoptional_pac_tkt_chksum\fP
|
|
+Boolean value defining the behavior of the KDC in case an expected ticket
|
|
+checksum signed with one of this principal keys is not present in the PAC. This
|
|
+is typically the case for TGS or cross-realm TGS principals when processing
|
|
+S4U2Proxy requests.
|
|
.UNINDENT
|
|
.sp
|
|
This command requires the \fBmodify\fP privilege.
|
|
--
|
|
2.40.1
|
|
|