From 3968df0450c6038ea32338af9f0801f0a812f1e7 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sat, 2 Apr 2011 08:58:27 +0000
Subject: Don't include unverified assertions in TGTs, because we may trust them implicitly.

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml2@24795 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/plugins/authdata/saml_server/saml_kdc.cpp | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/plugins/authdata/saml_server/saml_kdc.cpp b/src/plugins/authdata/saml_server/saml_kdc.cpp
index 543aa18..7eda338 100644
--- a/src/plugins/authdata/saml_server/saml_kdc.cpp
+++ b/src/plugins/authdata/saml_server/saml_kdc.cpp
@@ -403,6 +403,20 @@ saml_kdc_vouch(krb5_context context,
 }
 static krb5_boolean
+saml_is_tgs_princ(krb5_context context,
+ krb5_const_principal principal)
+{
+ if (krb5_princ_size(context, principal) != 2)
+ return FALSE;
+
+ if (!data_eq_string(*krb5_princ_component(context, principal, 0),
+ (char *)KRB5_TGS_NAME))
+ return FALSE;
+
+ return TRUE;
+}
+
+static krb5_boolean
 saml_is_idp_princ(krb5_context context,
 krb5_const_principal principal)
 {
@@ -746,6 +760,7 @@ saml_kdc_encode(krb5_context context,
 return code;
 }
+
 krb5_error_code
 saml_authdata(krb5_context context,
 unsigned int flags,
@@ -791,6 +806,16 @@ saml_authdata(krb5_context context,
 assertion, fromTGT, &vouch);
 if (code != 0)
 goto cleanup;
+
+ /*
+ * Don't include unverified assertions in TGTs, because we
+ * may trust them implicitly.
+ */
+ if (vouch == FALSE &&
+ saml_is_tgs_princ(context, server->princ)) {
+ delete assertion;
+ assertion = NULL;
+ }
 } else if (client != NULL) {
 code = saml_kdc_build_assertion(context, flags, client_princ, client,
-- 
cgit v1.1
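Review bot: saml_is_tgs_princ carries no comment saying what it accepts, and its match is deliberately broad: any two-component principal whose first component is `krbtgt`, so cross-realm TGS principals (`krbtgt/OTHER@REALM`) are also treated as TGTs, which is the conservative choice for this check but worth stating. Suggest a header comment above the definition such as `/* True for any krbtgt/<realm> principal, cross-realm included; used to keep unverified assertions out of TGTs. */`. The `(char *)` cast on `KRB5_TGS_NAME` strips const from a string literal; if `data_eq_string` accepts a `const char *` the cast is unnecessary and can be dropped. The second (realm) component is not examined, which looks intentional given the comment above.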
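Review bot: The discard in the new `if` is silent — an assertion dropped because `vouch` is false leaves no trace, so an operator investigating a TGT that lacks its expected SAML authdata has nothing to go on; a trace or debug log next to `delete assertion;` naming the server principal would make the policy observable. `vouch == FALSE` reads oddly for a krb5_boolean; `if (!vouch && saml_is_tgs_princ(context, server->princ)) {` is the usual form. The check relies on saml_kdc_vouch always setting `vouch` when it returns 0, and on the rest of saml_authdata tolerating `assertion == NULL` after this point; both look plausible but neither is visible in the hunk. saml_authdata begins and ends outside this hunk.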