From bb5552ece2a351dc3ccab52cceea1eaffeacd768 Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Mon, 14 Dec 2020 13:16:17 -0500

Subject: [PATCH] Add support for start_realm cache config

When making TGS requests, if start_realm is set in the cache, use the

named realm to look up the initial TGT for referral or cross-realm

requests.  (Also correct a comment in struct _tkt_creds_context: the

ccache field is an owner pointer, not an alias.)

Add an internal API k5_cc_store_primary_cred(), which sets start_realm

if the cred being stored is a TGT for a realm other than the client

realm.  Use this API when acquiring initial tickets with a

caller-specified output ccache, when renewing or validating tickets

with kinit, when accepting a delegated credential in a GSS context,

and when storing a single cred with kvno --out-cache.

ticket: 8332

tags: pullup

target_version: 1.19

(cherry picked from commit 0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96)

[rharwood@redhat.com: backport around spelling and canonicalization fallback]

---

 doc/formats/ccache_file_format.rst       |  6 +++++

 src/clients/kinit/kinit.c                |  2 +-

 src/clients/kvno/kvno.c                  |  5 ++++-

 src/include/k5-int.h                     |  4 ++++

 src/lib/gssapi/krb5/accept_sec_context.c |  2 +-

 src/lib/krb5/ccache/ccfns.c              | 20 +++++++++++++++++

 src/lib/krb5/krb/get_creds.c             | 28 ++++++++++++++++++------

 src/lib/krb5/krb/get_in_tkt.c            |  2 +-

 src/lib/krb5/libkrb5.exports             |  1 +

 src/lib/krb5_32.def                      |  3 +++

 src/tests/t_crossrealm.py                |  8 +++++++

 src/tests/t_pkinit.py                    |  3 +++

 12 files changed, 73 insertions(+), 11 deletions(-)

diff --git a/doc/formats/ccache_file_format.rst b/doc/formats/ccache_file_format.rst

index 6349e0d29..6138c1b58 100644

--- a/doc/formats/ccache_file_format.rst

+++ b/doc/formats/ccache_file_format.rst

@@ -174,3 +174,9 @@ refresh_time

     decimal representation of a timestamp at which the GSS mechanism

     should attempt to refresh the credential cache from the client

     keytab.

+

+start_realm

+    This key indicates the realm of the ticket-granting ticket to be

+    used for TGS requests, when making a referrals request or

+    beginning a cross-realm request.  If it is not present, the client

+    realm is used.

diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c

index 3fdae2878..e5ebeb895 100644

--- a/src/clients/kinit/kinit.c

+++ b/src/clients/kinit/kinit.c

@@ -828,7 +828,7 @@ k5_kinit(struct k_opts *opts, struct k5_data *k5)

         if (opts->verbose)

             fprintf(stderr, _("Initialized cache\n"));

-        ret = krb5_cc_store_cred(k5->ctx, k5->out_cc, &my_creds);

+        ret = k5_cc_store_primary_cred(k5->ctx, k5->out_cc, &my_creds);

         if (ret) {

             com_err(progname, ret, _("while storing credentials"));

             goto cleanup;

diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c

index c5f6bf700..f83c68a99 100644

--- a/src/clients/kvno/kvno.c

+++ b/src/clients/kvno/kvno.c

@@ -561,7 +561,10 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,

                 }

                 initialized = 1;

             }

-            ret = krb5_cc_store_cred(context, out_ccache, creds);

+            if (count == 1)

+                ret = k5_cc_store_primary_cred(context, out_ccache, creds);

+            else

+                ret = krb5_cc_store_cred(context, out_ccache, creds);

             if (ret) {

                 com_err(prog, ret, _("while storing creds in output ccache"));

                 exit(1);

diff --git a/src/include/k5-int.h b/src/include/k5-int.h

index eb18a4cd6..912aaedac 100644

--- a/src/include/k5-int.h

+++ b/src/include/k5-int.h

@@ -307,6 +307,7 @@ typedef unsigned char   u_char;

 #define KRB5_CC_CONF_PA_TYPE                   "pa_type"

 #define KRB5_CC_CONF_PROXY_IMPERSONATOR        "proxy_impersonator"

 #define KRB5_CC_CONF_REFRESH_TIME              "refresh_time"

+#define KRB5_CC_CONF_START_REALM               "start_realm"

 /* Error codes used in KRB_ERROR protocol messages.

    Return values of library routines are based on a different error table

@@ -1910,6 +1911,9 @@ krb5_ser_unpack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);

 krb5_error_code KRB5_CALLCONV

 krb5int_cc_default(krb5_context, krb5_ccache *);

+krb5_error_code

+k5_cc_store_primary_cred(krb5_context, krb5_ccache, krb5_creds *);

+

 /* Fill in the buffer with random alpha-numeric data. */

 krb5_error_code

 krb5int_random_string(krb5_context, char *string, unsigned int length);

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c

index 3d5b84b15..abccb5d11 100644

--- a/src/lib/gssapi/krb5/accept_sec_context.c

+++ b/src/lib/gssapi/krb5/accept_sec_context.c

@@ -216,7 +216,7 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred)

     if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))

         goto cleanup;

-    if ((retval = krb5_cc_store_cred(context, ccache, creds[0])))

+    if ((retval = k5_cc_store_primary_cred(context, ccache, creds[0])))

         goto cleanup;

     /* generate a delegated credential handle */

diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c

index 62a6983d8..23edc2578 100644

--- a/src/lib/krb5/ccache/ccfns.c

+++ b/src/lib/krb5/ccache/ccfns.c

@@ -297,3 +297,23 @@ krb5_cc_switch(krb5_context context, krb5_ccache cache)

         return 0;

     return cache->ops->switch_to(context, cache);

 }

+

+krb5_error_code

+k5_cc_store_primary_cred(krb5_context context, krb5_ccache cache,

+                         krb5_creds *creds)

+{

+    krb5_error_code ret;

+

+    /* Write a start realm if we're writing a TGT and the client realm isn't

+     * the same as the TGS realm. */

+    if (IS_TGS_PRINC(creds->server) &&

+        !data_eq(creds->client->realm, creds->server->data[1])) {

+        ret = krb5_cc_set_config(context, cache, NULL,

+                                 KRB5_CC_CONF_START_REALM,

+                                 &creds->server->data[1]);

+        if (ret)

+            return ret;

+    }

+

+    return krb5_cc_store_cred(context, cache, creds);

+}

diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c

index e0a3b5cd8..b40f705fc 100644

--- a/src/lib/krb5/krb/get_creds.c

+++ b/src/lib/krb5/krb/get_creds.c

@@ -149,7 +149,8 @@ struct _krb5_tkt_creds_context {

     krb5_principal client;      /* Caller-requested client principal (alias) */

     krb5_principal server;      /* Server principal (alias) */

     krb5_principal req_server;  /* Caller-requested server principal */

-    krb5_ccache ccache;         /* Caller-provided ccache (alias) */

+    krb5_ccache ccache;         /* Caller-provided ccache */

+    krb5_data start_realm;      /* Realm of starting TGT in ccache */

     krb5_flags req_options;     /* Caller-requested KRB5_GC_* options */

     krb5_flags req_kdcopt;      /* Caller-requested options as KDC options */

     krb5_authdata **authdata;   /* Caller-requested authdata */

@@ -783,7 +784,7 @@ get_cached_local_tgt(krb5_context context, krb5_tkt_creds_context ctx,

         return code;

     /* Construct the principal name. */

-    code = krb5int_tgtname(context, &ctx->client->realm, &ctx->client->realm,

+    code = krb5int_tgtname(context, &ctx->start_realm, &ctx->start_realm,

                            &tgtname);

     if (code != 0)

         return code;

@@ -821,7 +822,7 @@ init_realm_path(krb5_context context, krb5_tkt_creds_context ctx)

     size_t nrealms;

     /* Get the client realm path and count its length. */

-    code = k5_client_realm_path(context, &ctx->client->realm,

+    code = k5_client_realm_path(context, &ctx->start_realm,

                                 &ctx->server->realm, &realm_path);

     if (code != 0)

         return code;

@@ -933,7 +934,7 @@ step_get_tgt(krb5_context context, krb5_tkt_creds_context ctx)

                 ctx->cur_realm = path_realm;

                 ctx->next_realm = ctx->last_realm;

             }

-        } else if (data_eq(*tgt_realm, ctx->client->realm)) {

+        } else if (data_eq(*tgt_realm, ctx->start_realm)) {

             /* We were referred back to the local realm, which is bad. */

             return KRB5_KDCREP_MODIFIED;

         } else {

@@ -963,7 +964,7 @@ begin_get_tgt(krb5_context context, krb5_tkt_creds_context ctx)

     ctx->state = STATE_GET_TGT;

-    is_local_service = data_eq(ctx->client->realm, ctx->server->realm);

+    is_local_service = data_eq(ctx->start_realm, ctx->server->realm);

     if (!is_local_service) {

         /* See if we have a cached TGT for the server realm. */

         code = get_cached_tgt(context, ctx, &ctx->server->realm, &cached_tgt);

@@ -1048,10 +1049,10 @@ begin(krb5_context context, krb5_tkt_creds_context ctx)

     if (code != 0 || ctx->state == STATE_COMPLETE)

         return code;

-    /* If the server realm is unspecified, start with the client realm. */

+    /* If the server realm is unspecified, start with the TGT realm. */

     if (krb5_is_referral_realm(&ctx->server->realm)) {

         krb5_free_data_contents(context, &ctx->server->realm);

-        code = krb5int_copy_data_contents(context, &ctx->client->realm,

+        code = krb5int_copy_data_contents(context, &ctx->start_realm,

                                           &ctx->server->realm);

         TRACE_TKT_CREDS_REFERRAL_REALM(context, ctx->server);

         if (code != 0)

@@ -1100,6 +1101,18 @@ krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache,

     code = krb5_cc_dup(context, ccache, &ctx->ccache);

     if (code != 0)

         goto cleanup;

+

+    /* Get the start realm from the cache config, defaulting to the client

+     * realm. */

+    code = krb5_cc_get_config(context, ccache, NULL, "start_realm",

+                              &ctx->start_realm);

+    if (code != 0) {

+        code = krb5int_copy_data_contents(context, &ctx->client->realm,

+                                          &ctx->start_realm);

+        if (code != 0)

+            goto cleanup;

+    }

+

     code = krb5_copy_authdata(context, in_creds->authdata, &ctx->authdata);

     if (code != 0)

         goto cleanup;

@@ -1139,6 +1152,7 @@ krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx)

     krb5int_fast_free_state(context, ctx->fast_state);

     krb5_free_creds(context, ctx->in_creds);

     krb5_cc_close(context, ctx->ccache);

+    krb5_free_data_contents(context, &ctx->start_realm);

     krb5_free_principal(context, ctx->req_server);

     krb5_free_authdata(context, ctx->authdata);

     krb5_free_creds(context, ctx->cur_tgt);

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c

index cc0f70e83..f5dd7518b 100644

--- a/src/lib/krb5/krb/get_in_tkt.c

+++ b/src/lib/krb5/krb/get_in_tkt.c

@@ -1779,7 +1779,7 @@ init_creds_step_reply(krb5_context context,

         code = krb5_cc_initialize(context, out_ccache, ctx->cred.client);

         if (code != 0)

             goto cc_cleanup;

-        code = krb5_cc_store_cred(context, out_ccache, &ctx->cred);

+        code = k5_cc_store_primary_cred(context, out_ccache, &ctx->cred);

         if (code != 0)

             goto cc_cleanup;

         if (fast_avail) {

diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports

index 5aba29ee4..cab5b3b17 100644

--- a/src/lib/krb5/libkrb5.exports

+++ b/src/lib/krb5/libkrb5.exports

@@ -125,6 +125,7 @@ k5_add_pa_data_from_data

 k5_alloc_pa_data

 k5_authind_decode

 k5_build_conf_principals

+k5_cc_store_primary_cred

 k5_ccselect_free_context

 k5_change_error_message_code

 k5_etypes_contains

diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def

index a0734c729..de5823c17 100644

--- a/src/lib/krb5_32.def

+++ b/src/lib/krb5_32.def

@@ -499,3 +499,6 @@ EXPORTS

 	k5_size_context					@467 ; PRIVATE GSSAPI

 	k5_size_keyblock				@468 ; PRIVATE GSSAPI

 	k5_size_principal				@469 ; PRIVATE GSSAPI

+

+; new in 1.19

+	k5_cc_store_primary_cred			@470 ; PRIVATE

diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py

index fa7fd2604..28b397cfb 100755

--- a/src/tests/t_crossrealm.py

+++ b/src/tests/t_crossrealm.py

@@ -77,6 +77,14 @@ r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),

                                 {'realm': 'B.X'}))

 test_kvno(r1, r3.host_princ, 'KDC domain walk')

 check_klist(r1, (tgt(r1, r1), r3.host_princ))

+

+# Test start_realm in this setup.

+r1.run([kvno, '--out-cache', r1.ccache, r2.krbtgt_princ])

+r1.run([klist, '-C'], expected_msg='config: start_realm = X')

+msgs = ('Requesting TGT krbtgt/B.X@X using TGT krbtgt/X@X',

+        'Received TGT for service realm: krbtgt/B.X@X')

+r1.run([kvno, r3.host_princ], expected_trace=msgs)

+

 stop(r1, r2, r3)

 # Test client capaths.  The client in A will ask for a cross TGT to D,

diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py

index ecd450e8a..f224383c8 100755

--- a/src/tests/t_pkinit.py

+++ b/src/tests/t_pkinit.py

@@ -130,6 +130,9 @@ realm.run([kvno, realm.host_princ])

 out = realm.run(['./adata', realm.host_princ])

 if '97:' in out:

     fail('auth indicators seen in anonymous PKINIT ticket')

+# Verify start_realm setting and test referrals TGS request.

+realm.run([klist, '-C'], expected_msg='start_realm = KRBTEST.COM')

+realm.run([kvno, '-S', 'host', hostname])

 # Test anonymous kadmin.

 mark('anonymous kadmin')