oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

CVE-2019-14870: Apply forwardable policy in protocol-transition

Browse Source 
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
This commit is contained in:
Isaac Boukris
2019-11-05 02:37:30 +01:00
committed by Jeffrey Altman
parent 51415eaaae
commit 013210d1eb
2 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
kdc/krb5tgs.c
View File

@@ -2181,10 +2181,12 @@ server_lookup:
/*
* If the service isn't trusted for authentication to
* delegation, remove the forward flag.
* delegation or if the impersonate client is disallowed
* forwardable, remove the forwardable flag.
*/
if (client->entry.flags.trusted_for_delegation) {
if (client->entry.flags.trusted_for_delegation &&
s4u2self_impersonated_client->entry.flags.forwardable) {
str = "[forwardable]";
} else {
b->kdc_options.forwardable = 0;

11
tests/kdc/check-kdc.in
View File

@@ -217,6 +217,8 @@ ${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
@@ -809,6 +811,15 @@ echo "test impersonate unknown client"; > messages.log
${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
{ ec=1 ; eval "${testfailed}"; }
echo "test delegate sensitive client"; > messages.log
${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} \
--out-cache=${o2cache} \
--delegation-credential-cache=${ocache} \
${server}@${R} && \
{ ec=1 ; eval "${testfailed}"; }
echo "test constrained delegation"; > messages.log
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }