|
 |
a53771 |
From 92a4b760d741494dacbb4d9db4cf2db9e3b01f2c Mon Sep 17 00:00:00 2001
|
|
|
a53771 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
a53771 |
Date: Mon, 29 Mar 2021 14:32:56 -0400
|
|
|
a53771 |
Subject: [PATCH] Fix KCM flag transmission for remove_cred
|
|
|
a53771 |
|
|
|
a53771 |
MIT krb5 uses low bits for KRB5_TC flags, while Heimdal uses high bits
|
|
|
a53771 |
so that the same flag word can also hold KRB5_GC flags. Add a mapping
|
|
|
a53771 |
function and send the Heimdal flag values when performing a
|
|
|
a53771 |
remove_cred operation.
|
|
|
a53771 |
|
|
|
a53771 |
ticket: 8995
|
|
|
a53771 |
(cherry picked from commit 11a82cf424f9c905bb73680c64524f087090d4ef)
|
|
|
a53771 |
(cherry picked from commit 04f0de4420508161ce439f262f2761ff51a07ab0)
|
|
|
a53771 |
---
|
|
|
a53771 |
src/include/kcm.h | 19 +++++++++++++++++++
|
|
|
a53771 |
src/lib/krb5/ccache/cc_kcm.c | 36 +++++++++++++++++++++++++++++++++++-
|
|
|
a53771 |
2 files changed, 54 insertions(+), 1 deletion(-)
|
|
|
a53771 |
|
|
|
a53771 |
diff --git a/src/include/kcm.h b/src/include/kcm.h
|
|
|
a53771 |
index e4140c3a0..9b66f1cbd 100644
|
|
|
a53771 |
--- a/src/include/kcm.h
|
|
|
a53771 |
+++ b/src/include/kcm.h
|
|
|
a53771 |
@@ -56,8 +56,27 @@
|
|
|
a53771 |
* are marshalled as zero-terminated strings. Principals and credentials are
|
|
|
a53771 |
* marshalled in the v4 FILE ccache format. UUIDs are 16 bytes. UUID lists
|
|
|
a53771 |
* are not delimited, so nothing can come after them.
|
|
|
a53771 |
+ *
|
|
|
a53771 |
+ * Flag words must use Heimdal flag values, which are not the same as MIT krb5
|
|
|
a53771 |
+ * values for KRB5_GC and KRB5_TC constants. The same flag word may contain
|
|
|
a53771 |
+ * both kinds of flags in Heimdal, but not in MIT krb5. Defines for the
|
|
|
a53771 |
+ * applicable Heimdal flag values are given below using KCM_GC and KCM_TC
|
|
|
a53771 |
+ * prefixes.
|
|
|
a53771 |
*/
|
|
|
a53771 |
|
|
|
a53771 |
+#define KCM_GC_CACHED (1U << 0)
|
|
|
a53771 |
+
|
|
|
a53771 |
+#define KCM_TC_DONT_MATCH_REALM (1U << 31)
|
|
|
a53771 |
+#define KCM_TC_MATCH_KEYTYPE (1U << 30)
|
|
|
a53771 |
+#define KCM_TC_MATCH_SRV_NAMEONLY (1U << 29)
|
|
|
a53771 |
+#define KCM_TC_MATCH_FLAGS_EXACT (1U << 28)
|
|
|
a53771 |
+#define KCM_TC_MATCH_FLAGS (1U << 27)
|
|
|
a53771 |
+#define KCM_TC_MATCH_TIMES_EXACT (1U << 26)
|
|
|
a53771 |
+#define KCM_TC_MATCH_TIMES (1U << 25)
|
|
|
a53771 |
+#define KCM_TC_MATCH_AUTHDATA (1U << 24)
|
|
|
a53771 |
+#define KCM_TC_MATCH_2ND_TKT (1U << 23)
|
|
|
a53771 |
+#define KCM_TC_MATCH_IS_SKEY (1U << 22)
|
|
|
a53771 |
+
|
|
|
a53771 |
/* Opcodes without comments are currently unused in the MIT client
|
|
|
a53771 |
* implementation. */
|
|
|
a53771 |
typedef enum kcm_opcode {
|
|
|
a53771 |
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
|
|
|
a53771 |
index 772928e4d..1f81a2190 100644
|
|
|
a53771 |
--- a/src/lib/krb5/ccache/cc_kcm.c
|
|
|
a53771 |
+++ b/src/lib/krb5/ccache/cc_kcm.c
|
|
|
a53771 |
@@ -110,6 +110,40 @@ map_invalid(krb5_error_code code)
|
|
|
a53771 |
KRB5_KCM_MALFORMED_REPLY : code;
|
|
|
a53771 |
}
|
|
|
a53771 |
|
|
|
a53771 |
+/*
|
|
|
a53771 |
+ * Map an MIT krb5 KRB5_TC flag word to the equivalent Heimdal flag word. Note
|
|
|
a53771 |
+ * that there is no MIT krb5 equivalent for Heimdal's KRB5_TC_DONT_MATCH_REALM
|
|
|
a53771 |
+ * (which is like KRB5_TC_MATCH_SRV_NAMEONLY but also applies to the client
|
|
|
a53771 |
+ * principal) and no Heimdal equivalent for MIT krb5's KRB5_TC_SUPPORTED_KTYPES
|
|
|
a53771 |
+ * (which matches against enctypes from the krb5_context rather than the
|
|
|
a53771 |
+ * matching cred).
|
|
|
a53771 |
+ */
|
|
|
a53771 |
+static inline krb5_flags
|
|
|
a53771 |
+map_tcflags(krb5_flags mitflags)
|
|
|
a53771 |
+{
|
|
|
a53771 |
+ krb5_flags heimflags = 0;
|
|
|
a53771 |
+
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_TIMES)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_TIMES;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_IS_SKEY)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_IS_SKEY;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_FLAGS)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_FLAGS;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_TIMES_EXACT)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_TIMES_EXACT;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_FLAGS_EXACT)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_FLAGS_EXACT;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_AUTHDATA)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_AUTHDATA;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_SRV_NAMEONLY)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_SRV_NAMEONLY;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_2ND_TKT)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_2ND_TKT;
|
|
|
a53771 |
+ if (mitflags & KRB5_TC_MATCH_KTYPE)
|
|
|
a53771 |
+ heimflags |= KCM_TC_MATCH_KEYTYPE;
|
|
|
a53771 |
+ return heimflags;
|
|
|
a53771 |
+}
|
|
|
a53771 |
+
|
|
|
a53771 |
/* Begin a request for the given opcode. If cache is non-null, supply the
|
|
|
a53771 |
* cache name as a request parameter. */
|
|
|
a53771 |
static void
|
|
|
a53771 |
@@ -936,7 +970,7 @@ kcm_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
|
|
|
a53771 |
struct kcmreq req;
|
|
|
a53771 |
|
|
|
a53771 |
kcmreq_init(&req, KCM_OP_REMOVE_CRED, cache);
|
|
|
a53771 |
- k5_buf_add_uint32_be(&req.reqbuf, flags);
|
|
|
a53771 |
+ k5_buf_add_uint32_be(&req.reqbuf, map_tcflags(flags));
|
|
|
a53771 |
k5_marshal_mcred(&req.reqbuf, mcred);
|
|
|
a53771 |
ret = cache_call(context, cache, &req;;
|
|
|
a53771 |
kcmreq_free(&req;;
|