|
 |
963210 |
From 802cf0263965eef725208f00eccb62df0b082319 Mon Sep 17 00:00:00 2001
|
|
|
963210 |
From: Matt Rogers <mrogers@redhat.com>
|
|
|
963210 |
Date: Mon, 5 Dec 2016 12:17:59 -0500
|
|
|
963210 |
Subject: [PATCH] Improve PKINIT UPN SAN matching
|
|
|
963210 |
|
|
|
963210 |
Add the match_client() kdcpreauth callback and use it in
|
|
|
963210 |
verify_client_san(). match_client() preserves the direct UPN to
|
|
|
963210 |
request principal comparison and adds a direct comparison to the
|
|
|
963210 |
client principal, falling back to an alias DB search and comparison
|
|
|
963210 |
against the client principal. Change crypto_retreive_X509_sans() to
|
|
|
963210 |
parse UPN values as enterprise principals.
|
|
|
963210 |
|
|
|
963210 |
[ghudson@mit.edu: use match_client for both kinds of SANs]
|
|
|
963210 |
|
|
|
963210 |
ticket: 8528 (new)
|
|
|
963210 |
(cherry picked from commit 46ff765e1fb8cbec2bb602b43311269e695dbedc)
|
|
|
963210 |
---
|
|
|
167778 |
src/include/krb5/kdcpreauth_plugin.h | 13 +++++++++
|
|
|
167778 |
src/kdc/kdc_preauth.c | 28 +++++++++++++++++--
|
|
|
167778 |
.../preauth/pkinit/pkinit_crypto_openssl.c | 4 ++-
|
|
|
167778 |
src/plugins/preauth/pkinit/pkinit_srv.c | 10 ++++---
|
|
|
963210 |
4 files changed, 48 insertions(+), 7 deletions(-)
|
|
|
963210 |
|
|
|
963210 |
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
|
|
|
963210 |
index f455effae..92aa5a5a5 100644
|
|
|
963210 |
--- a/src/include/krb5/kdcpreauth_plugin.h
|
|
|
963210 |
+++ b/src/include/krb5/kdcpreauth_plugin.h
|
|
|
963210 |
@@ -221,6 +221,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
|
|
|
963210 |
|
|
|
963210 |
/* End of version 3 kdcpreauth callbacks. */
|
|
|
963210 |
|
|
|
963210 |
+ /*
|
|
|
963210 |
+ * Return true if princ matches the principal named in the request or the
|
|
|
963210 |
+ * client principal (possibly canonicalized). If princ does not match,
|
|
|
963210 |
+ * attempt a database lookup of princ with aliases allowed and compare the
|
|
|
963210 |
+ * result to the client principal, returning true if it matches.
|
|
|
963210 |
+ * Otherwise, return false.
|
|
|
963210 |
+ */
|
|
|
963210 |
+ krb5_boolean (*match_client)(krb5_context context,
|
|
|
963210 |
+ krb5_kdcpreauth_rock rock,
|
|
|
963210 |
+ krb5_principal princ);
|
|
|
963210 |
+
|
|
|
963210 |
+ /* End of version 4 kdcpreauth callbacks. */
|
|
|
963210 |
+
|
|
|
963210 |
} *krb5_kdcpreauth_callbacks;
|
|
|
963210 |
|
|
|
963210 |
/* Optional: preauth plugin initialization function. */
|
|
|
963210 |
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
|
|
963210 |
index 605fcb7ad..0ce79c667 100644
|
|
|
963210 |
--- a/src/kdc/kdc_preauth.c
|
|
|
963210 |
+++ b/src/kdc/kdc_preauth.c
|
|
|
963210 |
@@ -568,8 +568,31 @@ set_cookie(krb5_context context, krb5_kdcpreauth_rock rock,
|
|
|
963210 |
return kdc_fast_set_cookie(rock->rstate, pa_type, data);
|
|
|
963210 |
}
|
|
|
963210 |
|
|
|
963210 |
+static krb5_boolean
|
|
|
963210 |
+match_client(krb5_context context, krb5_kdcpreauth_rock rock,
|
|
|
963210 |
+ krb5_principal princ)
|
|
|
963210 |
+{
|
|
|
963210 |
+ krb5_db_entry *ent;
|
|
|
963210 |
+ krb5_boolean match = FALSE;
|
|
|
963210 |
+ krb5_principal req_client = rock->request->client;
|
|
|
963210 |
+ krb5_principal client = rock->client->princ;
|
|
|
963210 |
+
|
|
|
963210 |
+ /* Check for a direct match against the request principal or
|
|
|
963210 |
+ * the post-canon client principal. */
|
|
|
963210 |
+ if (krb5_principal_compare_flags(context, princ, req_client,
|
|
|
963210 |
+ KRB5_PRINCIPAL_COMPARE_ENTERPRISE) ||
|
|
|
963210 |
+ krb5_principal_compare(context, princ, client))
|
|
|
963210 |
+ return TRUE;
|
|
|
963210 |
+
|
|
|
963210 |
+ if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent))
|
|
|
963210 |
+ return FALSE;
|
|
|
963210 |
+ match = krb5_principal_compare(context, ent->princ, client);
|
|
|
963210 |
+ krb5_db_free_principal(context, ent);
|
|
|
963210 |
+ return match;
|
|
|
963210 |
+}
|
|
|
963210 |
+
|
|
|
963210 |
static struct krb5_kdcpreauth_callbacks_st callbacks = {
|
|
|
963210 |
- 3,
|
|
|
963210 |
+ 4,
|
|
|
963210 |
max_time_skew,
|
|
|
963210 |
client_keys,
|
|
|
963210 |
free_keys,
|
|
|
963210 |
@@ -583,7 +606,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
|
|
|
963210 |
client_keyblock,
|
|
|
963210 |
add_auth_indicator,
|
|
|
963210 |
get_cookie,
|
|
|
963210 |
- set_cookie
|
|
|
963210 |
+ set_cookie,
|
|
|
963210 |
+ match_client
|
|
|
963210 |
};
|
|
|
963210 |
|
|
|
963210 |
static krb5_error_code
|
|
|
963210 |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
963210 |
index 74fffbf32..bc6e7662e 100644
|
|
|
963210 |
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
963210 |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
963210 |
@@ -2190,7 +2190,9 @@ crypto_retrieve_X509_sans(krb5_context context,
|
|
|
963210 |
/* Prevent abuse of embedded null characters. */
|
|
|
963210 |
if (memchr(name.data, '\0', name.length))
|
|
|
963210 |
break;
|
|
|
963210 |
- ret = krb5_parse_name(context, name.data, &upns[u]);
|
|
|
963210 |
+ ret = krb5_parse_name_flags(context, name.data,
|
|
|
963210 |
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
|
|
|
963210 |
+ &upns[u]);
|
|
|
963210 |
if (ret) {
|
|
|
963210 |
pkiDebug("%s: failed parsing ms-upn san value\n",
|
|
|
963210 |
__FUNCTION__);
|
|
|
963210 |
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
963210 |
index 295be25e1..b5638a367 100644
|
|
|
963210 |
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
963210 |
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
963210 |
@@ -121,6 +121,8 @@ static krb5_error_code
|
|
|
963210 |
verify_client_san(krb5_context context,
|
|
|
963210 |
pkinit_kdc_context plgctx,
|
|
|
963210 |
pkinit_kdc_req_context reqctx,
|
|
|
963210 |
+ krb5_kdcpreauth_callbacks cb,
|
|
|
963210 |
+ krb5_kdcpreauth_rock rock,
|
|
|
963210 |
krb5_principal client,
|
|
|
963210 |
int *valid_san)
|
|
|
963210 |
{
|
|
|
963210 |
@@ -171,7 +173,7 @@ verify_client_san(krb5_context context,
|
|
|
963210 |
__FUNCTION__, client_string, san_string);
|
|
|
963210 |
krb5_free_unparsed_name(context, san_string);
|
|
|
963210 |
#endif
|
|
|
963210 |
- if (krb5_principal_compare(context, princs[i], client)) {
|
|
|
963210 |
+ if (cb->match_client(context, rock, princs[i])) {
|
|
|
963210 |
pkiDebug("%s: pkinit san match found\n", __FUNCTION__);
|
|
|
963210 |
*valid_san = 1;
|
|
|
963210 |
retval = 0;
|
|
|
963210 |
@@ -199,7 +201,7 @@ verify_client_san(krb5_context context,
|
|
|
963210 |
__FUNCTION__, client_string, san_string);
|
|
|
963210 |
krb5_free_unparsed_name(context, san_string);
|
|
|
963210 |
#endif
|
|
|
963210 |
- if (krb5_principal_compare(context, upns[i], client)) {
|
|
|
963210 |
+ if (cb->match_client(context, rock, upns[i])) {
|
|
|
963210 |
pkiDebug("%s: upn san match found\n", __FUNCTION__);
|
|
|
963210 |
*valid_san = 1;
|
|
|
963210 |
retval = 0;
|
|
|
963210 |
@@ -387,8 +389,8 @@ pkinit_server_verify_padata(krb5_context context,
|
|
|
963210 |
}
|
|
|
963210 |
if (is_signed) {
|
|
|
963210 |
|
|
|
963210 |
- retval = verify_client_san(context, plgctx, reqctx, request->client,
|
|
|
963210 |
- &valid_san);
|
|
|
963210 |
+ retval = verify_client_san(context, plgctx, reqctx, cb, rock,
|
|
|
963210 |
+ request->client, &valid_san);
|
|
|
963210 |
if (retval)
|
|
|
963210 |
goto cleanup;
|
|
|
963210 |
if (!valid_san) {
|