author | Luke Howard <lukeh@padl.com> | 2011-04-02 12:55:25 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2011-04-02 12:55:25 +0000 |
commit | 4ddf1ea3a271b892cf23c7c9154d5c759f9d370a (patch) | |
tree | 2a6dc947a187df90a0fc88b7a2d454213f1d60ca | |
parent | e13947f1bc142c9a15c213b09d4c4a1fd4cb960a (diff) | |
relax subject/authtime confirmation
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml2@24803 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/plugins/authdata/saml_server/saml_util.cpp | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/src/plugins/authdata/saml_server/saml_util.cpp b/src/plugins/authdata/saml_server/saml_util.cpp
index 6a96134..23fd92e 100644
--- a/src/plugins/authdata/saml_server/saml_util.cpp
+++ b/src/plugins/authdata/saml_server/saml_util.cpp
@@ -419,6 +419,11 @@ saml_krb_confirm_keyinfo(krb5_context context,
return 0;
}
+/*
+ * If the subject is not mapped to the anonymous Kerberos principal, and there
+ * exist subject confirmations, require that one matches the Kerberos principal
+ * name.
+ */
krb5_error_code
saml_krb_confirm_subject(krb5_context context,
const saml2::Subject *subject,
@@ -432,10 +437,10 @@ saml_krb_confirm_subject(krb5_context context,
krb5_boolean confirmed = FALSE;
krb5_boolean bound = FALSE;
- if (krb5_principal_compare(context, principal,
- krb5_anonymous_principal())) {
- confirmed = bound = TRUE;
- } else {
+ if (!krb5_principal_compare(context, principal,
+ krb5_anonymous_principal()) &&
+ confs.size() != 0) {
+
for (vector<SubjectConfirmation *>::const_iterator sc = confs.begin();
sc != confs.end(); sc++) {
@@ -458,6 +463,8 @@ saml_krb_confirm_subject(krb5_context context,
if (confirmed)
break;
}
+ } else {
+ confirmed = bound = TRUE;
}
*pConfirmed = confirmed;
@@ -641,6 +648,7 @@ saml_krb_verify(krb5_context context,
krb5_error_code code;
krb5_boolean verified = FALSE;
krb5_boolean bound = FALSE;
+ krb5_timestamp sauthtime;
Signature *signature;
Subject *subject;
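Review bot: The new `else` branch in the third hunk sets `confirmed = bound = TRUE` whenever `confs.size() == 0`, so a non-anonymous client principal presented with an assertion that carries no SubjectConfirmation at all is now reported as both confirmed and bound to that principal, turning absence of evidence into a positive match; before the change that case left both flags FALSE. If callers read `bound` as "this assertion is tied to the ticket client" (the callers are outside the hunk, so this is inferred), an unconfirmed bearer assertion would be treated like one that named the principal. If the intent is only to tolerate assertions without confirmations, consider leaving `bound` untouched in that case, e.g. `confirmed = TRUE; bound = krb5_principal_compare(context, principal, krb5_anonymous_principal());`, and extend the header comment added in the first hunk with a sentence stating that an assertion with no SubjectConfirmation is accepted as confirmed without any binding check. saml_krb_confirm_subject's body begins and ends outside this hunk.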
@@ -670,11 +678,17 @@ saml_krb_verify(krb5_context context,
return KRB5KRB_AP_ERR_MODIFIED;
}
- if (saml_krb_get_authtime(context, assertion) < authtime)
+ /*
+ * Authtime is optional (derived from AuthnStatements); if present,
+ * assert that it is on or after the ticket authtime.
+ */
+ sauthtime = saml_krb_get_authtime(context, assertion);
+ if (sauthtime != 0 && sauthtime < authtime)
return KRB5KDC_ERR_CLIENT_NOTYET;
/*
- * Verify the assertion is appropriately bound to the ticket client
+ * Verify that the Subject in any SubjectConfirmationData matches
+ * matches the client principal.
*/
code = saml_krb_confirm_subject(context, subject, client_princ,
authtime, &verified, &bound);
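Review bot: The new `sauthtime != 0` test uses 0 as the sentinel for "no AuthnStatement", which is only safe if `saml_krb_get_authtime` (defined outside this hunk) never returns 0 for a genuine timestamp; that contract should be stated at its definition, or the helper should report presence separately, e.g. `if (saml_krb_get_authtime(context, assertion, &sauthtime) && sauthtime < authtime)`. The added comment should also say explicitly that an assertion with no authtime now skips the freshness check entirely, since that is the relaxation the commit makes and the old code rejected such assertions with `KRB5KDC_ERR_CLIENT_NOTYET`. The rewritten comment above the confirm_subject call has a duplicated word (`* matches` followed by `* matches the client principal.`) and no longer mentions why `authtime` is still passed to the call; `* Verify that the Subject in any SubjectConfirmationData matches the client principal (authtime bounds the confirmation window).` would be accurate only if that is what the callee does, so confirm against its body. saml_krb_verify continues outside the hunk.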