authorIsaac Boukris <iboukris@gmail.com>2020-01-15 11:14:00 +0100
committerGreg Hudson <ghudson@mit.edu>2020-01-22 13:00:19 -0500
commit94f7c9705879500b1dc8dda8592490efce05688f (patch)
treef111a795cf36fb937fe32a161d9654d5a95206db /src/plugins
parent96e5d384acf174e6079b0aeeec14bd8100d24840 (diff)
Allow cross-realm RBCD with PAC and other authdata
For cross-realm S4U2Proxy requests, require a PAC to be present to bypass signedpath verification, but do not require it to be the only authdata element. For within-realm requests, add and verify signedpath authdata regardless of the presence of a PAC. Simplify the test KDB authdata module and the existing RBCD tests as we no longer need a way to suppress the test module's KDB authdata. [ghudson@mit.edu: rewrote commit message; reordered a condition for efficiency] ticket: 8868 (new) tags: pullup target_version: 1.18
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/test/kdb_test.c23
1 files changed, 6 insertions, 17 deletions
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 76974df..d5b9158 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -66,7 +66,6 @@
* # intermediate_service may be in a different realm.
* target_service = intermediate_service
* }
- * ad_type = mspac
* }
*
* Key values are generated using a hash of the kvno, enctype, salt type,
@@ -907,30 +906,20 @@ test_sign_authdata(krb5_context context, unsigned int flags,
void *ad_info, krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)
{
- testhandle h = context->dal_handle->db_context;
krb5_authdata *pac_ad = NULL, *test_ad = NULL, **list;
krb5_data **inds, d;
int i, val;
- char *ad_type;
generate_pac(context, flags, client_princ, server_princ, client,
header_server, local_tgt, server_key, header_key,
local_tgt_key, authtime, ad_info, &pac_ad);
- /*
- * Omit test_ad if ad_type is mspac (only), as handle_signticket() fails in
- * constrained delegation if the PAC is not the only authorization data
- * element.
- */
- ad_type = get_string(h, "ad_type", NULL, NULL);
- if (ad_type == NULL || strcmp(ad_type, "mspac") != 0) {
- test_ad = ealloc(sizeof(*test_ad));
- test_ad->magic = KV5M_AUTHDATA;
- test_ad->ad_type = TEST_AD_TYPE;
- test_ad->contents = (uint8_t *)estrdup("db-authdata-test");
- test_ad->length = strlen((char *)test_ad->contents);
- }
- free(ad_type);
+ /* Add our TEST_AD_TYPE authdata */
+ test_ad = ealloc(sizeof(*test_ad));
+ test_ad->magic = KV5M_AUTHDATA;
+ test_ad->ad_type = TEST_AD_TYPE;
+ test_ad->contents = (uint8_t *)estrdup("db-authdata-test");
+ test_ad->length = strlen((char *)test_ad->contents);
list = ealloc(3 * sizeof(*list));
list[0] = (test_ad != NULL) ? test_ad : pac_ad;