PAC verification fails for enterprise principals


PAC verification fails for enterprise principals

Stefan (metze) Metzmacher
Hi,

I found that krb5_pac_verify() fails if I asked for
S4U2Self with an enterprise principal.

The problem is that k5_pac_validate_client()
uses this:

    ret = krb5_parse_name_flags(context, pac_princname,
                                KRB5_PRINCIPAL_PARSE_NO_REALM,
                                &pac_principal);
    if (ret != 0) {
        free(pac_princname);
        return ret;
    }

    free(pac_princname);

    if (pac_authtime != authtime ||
        !krb5_principal_compare_flags(context,
                                      pac_principal,
                                      principal,
                                      KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
        ret = KRB5KRB_AP_WRONG_PRINC;

The value in the Client Info PAC element is the principal without
the realm part.
The KRB5_PRINCIPAL_PARSE_NO_REALM means we'll discard the @... part
of an enterprise principal.

The question is: should I somehow add a flags variable that may
get |= KRB5_PRINCIPAL_PARSE_ENTERPRISE?

Heimdal uses a different approach:

    ret = krb5_unparse_name_flags(context, principal,
                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM |
                                  KRB5_PRINCIPAL_UNPARSE_DISPLAY,
                                  &principal_string);
    if (ret) {
        free(logon_string);
        return ret;
    }

    ret = strcmp(logon_string, principal_string);
    if (ret != 0) {
        ret = EINVAL;

I'd prefer to take over the logic from Heimdal; if that's ok,
I'll prepare a patch for that.

metze


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
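As an added illustration (not code from this thread, from MIT krb5 or from Heimdal), the following Python models the two client checks over a PAC_CLIENT_INFO buffer laid out as MS-PAC 2.7 describes it (FILETIME ClientId, USHORT NameLength, UTF-16LE Name). The principal is modelled as a plain list of components, and the "reparse" variant follows the behaviour described in the post (the part after '@' is discarded), not the library's real parser.

```python
import struct

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
WINDOWS_EPOCH_DELTA = 11644473600
# PAC_CLIENT_INFO header: ClientId (FILETIME, 100ns units), NameLength (bytes).
HEADER = struct.Struct("<QH")


def build_client_info(authtime, name):
    """Encode a PAC_CLIENT_INFO buffer (constructed test data, not a real PAC)."""
    filetime = (authtime + WINDOWS_EPOCH_DELTA) * 10_000_000
    name_utf16 = name.encode("utf-16-le")
    return HEADER.pack(filetime, len(name_utf16)) + name_utf16


def parse_client_info(buf):
    """Decode PAC_CLIENT_INFO; returns (unix authtime, client name string)."""
    if len(buf) < HEADER.size:
        raise ValueError("PAC_CLIENT_INFO too short")
    filetime, name_len = HEADER.unpack_from(buf, 0)
    if name_len % 2 or HEADER.size + name_len > len(buf):
        raise ValueError("bad NameLength in PAC_CLIENT_INFO")
    name = buf[HEADER.size:HEADER.size + name_len].decode("utf-16-le")
    return filetime // 10_000_000 - WINDOWS_EPOCH_DELTA, name


def unparse_no_realm_display(components):
    """Model of unparsing with NO_REALM | DISPLAY: components joined by '/',
    realm dropped, no quoting of special characters such as '@'."""
    return "/".join(components)


def validate_client_reparse(buf, authtime, components):
    """Model of the failing check: the PAC name is reparsed without a realm,
    so the text after the first '@' is lost. For an enterprise principal
    (one component 'user@domain'), the truncated name no longer matches."""
    pac_authtime, pac_name = parse_client_info(buf)
    reparsed = pac_name.split("@", 1)[0].split("/")
    return pac_authtime == authtime and reparsed == list(components)


def validate_client_strcmp(buf, authtime, components):
    """Heimdal-style check: unparse the expected principal without its realm
    and compare the resulting string with the PAC name byte for byte."""
    pac_authtime, pac_name = parse_client_info(buf)
    return pac_authtime == authtime and pac_name == unparse_no_realm_display(components)
```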


Re: PAC verification fails for enterprise principals

Greg Hudson
On 08/23/2017 07:19 PM, Stefan Metzmacher wrote:
> I found that krb5_pac_verify() fails if I asked for
> S4U2Self with an enterprise principal.

> I'd prefer to take over the logic from Heimdal, if that's ok
> I'll prepare a patch for that.

That is probably fine.  I can't easily verify that quoting problems
won't get in the way, but if it's not causing a problem for Heimdal then
it's probably fine.