From 844712eab3d7297d8da69bf8472a7af4aacb40f6 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sun, 30 Aug 2009 18:00:29 +0000
Subject: enhance authdata context interface to handle automatic verification of KDC issued auth data
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22665 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/configure.in | 1 +
 src/include/kdb_ext.h | 1 +
 src/include/krb5/authdata_plugin.h | 16 +++++++---
 src/lib/krb5/asn.1/asn1_k_decode.c | 7 +++--
 src/lib/krb5/krb/authdata.c | 63 ++++++++++++++++++++++++++++++++++++--
 src/lib/krb5/krb/pac.c | 7 ++++-
 src/tests/gssapi/t_namingexts.c | 2 ++
 7 files changed, 87 insertions(+), 10 deletions(-)
diff --git a/src/configure.in b/src/configure.in
index 8aa1867..122d06a 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1098,6 +1098,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test plugins/preauth/wpse plugins/authdata/greet plugins/authdata/greet_client + plugins/authdata/greet_server clients clients/klist clients/kinit clients/kvno clients/kdestroy clients/kpasswd clients/ksu
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 59323e2..5695971 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -101,6 +101,7 @@ typedef struct _kdb_sign_auth_data_req { krb5_keyblock *server_key; /* Key used to generate server signature */ krb5_timestamp authtime; /* Authtime of TGT */ krb5_authdata **auth_data; /* Authorization data from TGT */ + krb5_keyblock *session_key; /* Reply session key */ } kdb_sign_auth_data_req; typedef struct _kdb_sign_auth_data_rep {
diff --git a/src/include/krb5/authdata_plugin.h b/src/include/krb5/authdata_plugin.h
index fd2acf9..6f0fdea 100644
--- a/src/include/krb5/authdata_plugin.h
+++ b/src/include/krb5/authdata_plugin.h
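Review bot: The new `session_key` member appended to `kdb_sign_auth_data_req` is explained only by `/* Reply session key */`, which does not tell a KDB plugin author what the key is for or whether it may be NULL. The client side of this commit verifies AD-KDC-ISSUED with `ap_req->ticket->enc_part2->session`, so presumably this is the key a plugin is expected to use when computing the AD-KDC-ISSUED checksum; I would say so in the comment, e.g. `/* Reply session key; presumably keys the AD-KDC-ISSUED checksum - confirm */`. Appending a field also changes the struct's size for every KDB module that receives this request; if this struct has shipped anywhere, a version or size indicator would let a module detect which layout it was given, though I cannot see from the hunk whether one already exists.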
@@ -68,7 +68,7 @@ struct _krb5_db_entry_new; * functions. */ /* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */ -typedef struct krb5plugin_authdata_ftable_v0 { +typedef struct krb5plugin_authdata_server_ftable_v0 { /* Not-usually-visible name. */ char *name;
@@ -107,9 +107,11 @@ typedef struct krb5plugin_authdata_ftable_v0 { krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply); -} krb5plugin_authdata_ftable_v0; +} krb5plugin_server_authdata_ftable_v0; -typedef struct krb5plugin_authdata_ftable_v1 { +typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0; + +typedef struct krb5plugin_authdata_server_ftable_v1 { /* Not-usually-visible name. */ char *name;
@@ -155,7 +157,9 @@ typedef struct krb5plugin_authdata_ftable_v1 { krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply); -} krb5plugin_authdata_ftable_v1; +} krb5plugin_authdata_server_ftable_v1; + +typedef krb5plugin_authdata_server_ftable_v1 krb5plugin_authdata_ftable_v1; typedef krb5_error_code (*authdata_client_plugin_init_proc)(krb5_context context, void **plugin_context);
@@ -258,7 +262,9 @@ typedef krb5_error_code void *request_context, const krb5_auth_context *auth_context, const krb5_keyblock *key, - const krb5_ap_req *req); + const krb5_ap_req *req, + krb5_boolean kdc_issued_flag, + krb5_const_principal issuer); typedef struct krb5plugin_authdata_client_ftable_v0 { char *name;
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 30b48e8..a232ffc 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
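Review bot: The v0 typedef introduced at `+} krb5plugin_server_authdata_ftable_v0;` and repeated in `typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0;` spells the qualifier as `server_authdata`, while the struct tag in the same hunk (`krb5plugin_authdata_server_ftable_v0`) and the v1 names (`krb5plugin_authdata_server_ftable_v1`) use `authdata_server`. Two spellings for one family of types is a trap for anyone grepping the header or writing a plugin against it. I would rename the typedef to `krb5plugin_authdata_server_ftable_v0` so it matches its own tag and the v1 pair in the @@ -155 hunk.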
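Review bot: The verify callback prototype gains `krb5_boolean kdc_issued_flag` and `krb5_const_principal issuer` without any comment stating their contract, and the table carrying the callback is still `krb5plugin_authdata_client_ftable_v0`, so an existing v0 module compiled against the old prototype would be invoked with a different argument list. In authdata.c the flag is TRUE only when the element was located inside an AD-KDC-ISSUED container that passed verification, and `issuer` is passed whether or not the flag is set, so a module cannot rely on it otherwise; I would document that above the typedef with a comment along the lines of: kdc_issued_flag is TRUE when the element came from an AD-KDC-ISSUED container whose checksum verified; issuer is that container's i-realm/i-sname, may be NULL, and is only meaningful when kdc_issued_flag is TRUE. If the client v0 table has any out-of-tree consumers, this signature change arguably warrants a v1 table rather than altering v0 in place.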
@@ -1687,8 +1687,11 @@ asn1_error_code asn1_decode_ad_kdcissued val->elements = NULL; {begin_structure(); get_field(val->ad_checksum, 0, asn1_decode_checksum); - opt_field(val->i_principal, 1, asn1_decode_realm, 0); - opt_field(val->i_principal, 2, asn1_decode_principal_name, 0); + if (tagnum == 1) { + alloc_principal(val->i_principal); + opt_field(val->i_principal, 1, asn1_decode_realm, 0); + opt_field(val->i_principal, 2, asn1_decode_principal_name, 0); + } get_field(val->elements, 3, asn1_decode_authorization_data); end_structure(); }
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index ffb9806..a267683 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -297,6 +297,40 @@ krb5_authdata_import_attributes(krb5_context kcontext, return code; } +static krb5_error_code +k5_get_kdc_issued_authdata(krb5_context kcontext, + const krb5_ap_req *ap_req, + krb5_principal *kdc_issuer, + krb5_authdata ***kdc_issued_authdata) +{ + krb5_error_code code; + krb5_authdata **authdata; + krb5_authdata **ticket_authdata; + + *kdc_issuer = NULL; + *kdc_issued_authdata = NULL; + + ticket_authdata = ap_req->ticket->enc_part2->authorization_data; + + code = krb5int_find_authdata(kcontext, + ticket_authdata, + NULL, + KRB5_AUTHDATA_KDC_ISSUED, + &authdata); + if (code != 0) + return code; + + code = krb5_verify_authdata_kdc_issued(kcontext, + ap_req->ticket->enc_part2->session, + authdata[0], + kdc_issuer, + kdc_issued_authdata); + + krb5_free_authdata(kcontext, authdata); + + return code; +} + krb5_error_code krb5int_authdata_verify(krb5_context kcontext, krb5_authdata_context context,
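Review bot: Gating both optional fields on `if (tagnum == 1)` ties i-sname to the presence of i-realm, whereas RFC 4120 declares i-realm [1] and i-sname [2] as independently OPTIONAL in AD-KDCIssued. An encoding carrying [2] without [1] now skips the block, and the following `get_field(val->elements, 3, ...)` will, as far as I can tell, fail on the unexpected tag rather than decode it; an encoding with [1] alone allocates a principal that has a realm but no name components, which consumers of the issuer may not expect. Allocating on either tag, `if (tagnum == 1 || tagnum == 2) {`, handles the first case; the second depends on what downstream code does with a name-less issuer, so it may only need a comment. It is also worth checking that `i_principal` is released on this function's error paths, which lie outside the hunk.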
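Review bot: `authdata[0]` in the new `k5_get_kdc_issued_authdata` is dereferenced without a NULL check, yet `krb5int_find_authdata` returns success with a NULL list when nothing matches — the caller in `krb5int_authdata_verify` relies on exactly that (`if (authdata == NULL) continue;` ahead of `assert(authdata[0] != NULL)`). A ticket with no AD-KDC-ISSUED element, which is the common case, therefore dereferences NULL in the verifier; add `if (authdata == NULL) return 0;` after the `code != 0` check. Only `authdata[0]` is verified and any further AD-KDC-ISSUED elements in the same ticket are silently dropped; if several can be legitimate the function should verify each and merge the results, otherwise a comment stating that a single container is supported would help.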
@@ -309,13 +343,18 @@ krb5int_authdata_verify(krb5_context kcontext, krb5_error_code code = 0; krb5_authdata **authen_authdata; krb5_authdata **ticket_authdata; + krb5_principal kdc_issuer = NULL; + krb5_authdata **kdc_issued_authdata = NULL; authen_authdata = (*auth_context)->authentp->authorization_data; ticket_authdata = ap_req->ticket->enc_part2->authorization_data; + k5_get_kdc_issued_authdata(kcontext, ap_req, + &kdc_issuer, &kdc_issued_authdata); for (i = 0; i < context->n_modules; i++) { struct _krb5_authdata_context_module *module = &context->modules[i]; krb5_authdata **authdata; + krb5_boolean kdc_issued_flag = FALSE; if ((module->flags & usage) == 0) continue;
@@ -328,7 +367,22 @@ krb5int_authdata_verify(krb5_context kcontext, authen_authdata, module->ad_type, &authdata); - if (code != 0 || authdata == NULL) + if (code != 0) + break; + + if (authdata == NULL && kdc_issued_authdata != NULL) { + code = krb5int_find_authdata(kcontext, + kdc_issued_authdata, + NULL, + module->ad_type, + &authdata); + if (code != 0) + break; + + kdc_issued_flag = TRUE; + } + + if (authdata == NULL) continue; assert(authdata[0] != NULL);
@@ -343,7 +397,9 @@ krb5int_authdata_verify(krb5_context kcontext, *(module->request_context_pp), auth_context, key, - ap_req); + ap_req, + kdc_issued_flag, + kdc_issuer); } if (code != 0 && (module->flags & AD_INFORMATIONAL)) code = 0;
@@ -352,6 +408,9 @@ krb5int_authdata_verify(krb5_context kcontext, break; } + krb5_free_principal(kcontext, kdc_issuer); + krb5_free_authdata(kcontext, kdc_issued_authdata); + return code; }
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 7bb37b7..de3b3e8 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
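Review bot: The return value of `k5_get_kdc_issued_authdata(kcontext, ap_req, &kdc_issuer, &kdc_issued_authdata);` is discarded, so when `krb5_verify_authdata_kdc_issued` rejects the container's checksum the ticket is processed as though it carried no KDC-issued data at all and the modules fall back to the ticket and authenticator containers. An integrity failure on KDC-issued data is a reason to fail the AP-REQ, not to continue, so I would propagate it: `code = k5_get_kdc_issued_authdata(kcontext, ap_req, &kdc_issuer, &kdc_issued_authdata); if (code != 0) return code;` — this presumes the helper reports the absence of an AD-KDC-ISSUED element as success, which its current body does not guarantee. If the helper can leave a partially filled `kdc_issuer` behind on failure, route the early exit through the frees at the end of the function rather than returning directly. `krb5int_authdata_verify` begins before this hunk.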
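Review bot: The KDC-issued container is consulted only after the ticket and authenticator search comes back empty (`if (authdata == NULL && kdc_issued_authdata != NULL)`), so when a module's ad_type is present both in the client-supplied authenticator and inside AD-KDC-ISSUED, the client-supplied copy wins and the module is called with `kdc_issued_flag` FALSE, never seeing the KDC-signed one. If KDC-issued data is meant to be authoritative, the order should be reversed so the verified container is searched first, or both results handed to the module; that is a policy call I cannot settle from the hunk, but leaving it implicit invites module authors to assume the opposite. At minimum record the chosen precedence above the second `krb5int_find_authdata` call, e.g. `/* Fall back to verified KDC-issued elements only when no element of this type was found in the ticket or authenticator. */`.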
@@ -1001,7 +1001,9 @@ mspac_verify(krb5_context context, void *request_context, const krb5_auth_context *auth_context, const krb5_keyblock *key, - const krb5_ap_req *req) + const krb5_ap_req *req, + krb5_boolean kdc_issued_flag, + krb5_const_principal issuer) { krb5_error_code code; struct mspac_context *pacctx = (struct mspac_context *)request_context;
@@ -1009,6 +1011,9 @@ mspac_verify(krb5_context context, if (pacctx->pac == NULL) return EINVAL; + if (kdc_issued_flag) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + code = krb5_pac_verify(context, pacctx->pac, req->ticket->enc_part2->times.authtime,
diff --git a/src/tests/gssapi/t_namingexts.c b/src/tests/gssapi/t_namingexts.c
index 084c252..11b0d5f 100644
--- a/src/tests/gssapi/t_namingexts.c
+++ b/src/tests/gssapi/t_namingexts.c
@@ -386,9 +386,11 @@ int main(int argc, char *argv[]) gss_release_name(&tmp, &tmp_name); +#if 0 major = testGreetAuthzData(&minor, name); if (GSS_ERROR(major)) goto out; +#endif } else { fprintf(stderr, "Usage: %s [principal] [keytab]\n", argv[0]); exit(1);
-- 
cgit v1.1
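Review bot: The new `issuer` parameter of `mspac_verify` is never read, and the early `return KRB5KRB_AP_ERR_BAD_INTEGRITY;` for `kdc_issued_flag` carries no explanation of why a PAC found inside an AD-KDC-ISSUED container is rejected outright instead of being checked with the PAC's own signatures. A short comment would save the next reader a trip through the spec, e.g. `/* A PAC is expected directly in the ticket authorization data, not wrapped in AD-KDC-ISSUED; treat that as tampering. */` — I am inferring the rationale, so adjust the wording if the reason differs. Marking `issuer` as intentionally unused with `(void)issuer;` or a comment would also keep -Wunused-parameter quiet.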
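Review bot: Disabling the `testGreetAuthzData` call with a bare `#if 0` leaves no record of why the test was switched off or when it should return, and such blocks tend to outlive their reason. If it is waiting on the greet_server plugin this commit adds to configure.in, say so next to the directive, e.g. `#if 0 /* TODO: re-enable once greet_server verification is complete */`, or remove the call and track the gap elsewhere.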