kdc: Check name in request against name in user-to-user TGT
Assists Samba to address CVE-2020-25719

Again, this may be contrary to RFC4120 3.3.3 https://datatracker.ietf.org/doc/html/rfc4120/#section-3.3.3 (clearer at the GSS spec here: https://datatracker.ietf.org/doc/html/draft-swift-win2k-krb-user2user-03 ) as server-name is described as optional, however Windows AD and Samba both require that the server-name exist and be a valid SPN matching the provided TGT.

The lookup of SPN -> entry ensures that the SPN the client thought it was connecting to was held by the target server. It could be the typical user principal, or a service principal, but needs to be checked for the client not to be fooled into connecting to the wrong service.

The check is the same as needed for S4U2Self so the same HDB hook is re-used.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

(Similar to Samba commit f08e6ac86226dcd939fd0e40b6f7dc80c5c00e79)
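The user-to-user check the commit message describes, as an added stand-alone model that is not Heimdal or Samba code: the server-name from the TGS-REQ is resolved to the database entry that holds it, and the request is accepted only if that entry is the client principal of the TGT supplied in additional-tickets. The `db_entry` structure, `sample_db` contents and the function names are constructed for this example; exact string comparison stands in for real principal comparison.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_SPNS 4

/* Hypothetical model of a KDC database entry: the canonical principal plus
 * the service principal names (SPNs) that entry is allowed to serve. */
struct db_entry {
    const char *principal;
    const char *spns[MAX_SPNS];   /* NULL-terminated */
};

/* Constructed sample database; these names are invented for illustration. */
static const struct db_entry sample_db[] = {
    { "host1$@EXAMPLE.COM", { "host/host1.example.com@EXAMPLE.COM",
                              "cifs/host1.example.com@EXAMPLE.COM", NULL } },
    { "host2$@EXAMPLE.COM", { "host/host2.example.com@EXAMPLE.COM", NULL } },
    { "alice@EXAMPLE.COM",  { NULL } },
};

/* Resolve the server-name from a TGS-REQ to the entry that holds it, either
 * as its canonical principal or as one of its SPNs. NULL when unknown. */
static const struct db_entry *lookup_server(const char *server_name)
{
    size_t i, j;
    if (server_name == NULL)
        return NULL;
    for (i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++) {
        if (strcmp(sample_db[i].principal, server_name) == 0)
            return &sample_db[i];
        for (j = 0; sample_db[i].spns[j] != NULL; j++)
            if (strcmp(sample_db[i].spns[j], server_name) == 0)
                return &sample_db[i];
    }
    return NULL;
}

/* The user-to-user check: the server-name in the request must resolve to the
 * same entry as the client principal of the TGT in additional-tickets. A
 * missing or unknown server-name is rejected, matching the AD/Samba behaviour
 * the commit message describes. Exact string comparison is a model here. */
bool u2u_server_matches_tgt_client(const char *req_server_name,
                                   const char *tgt_client_principal)
{
    const struct db_entry *target = lookup_server(req_server_name);
    if (target == NULL || tgt_client_principal == NULL)
        return false;
    return strcmp(target->principal, tgt_client_principal) == 0;
}
```

The rejected case is a TGT issued to one account while the request names an SPN held by a different account; without the check, the client would be issued a ticket for a service other than the one it asked for.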
committed by Luke Howard
parent 4112f6fc79
commit 3e197ecbee
@@ -292,9 +292,9 @@ typedef struct HDB {
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
/**
* Check if s4u2self is allowed from this client to this server
* Check if s4u2self is allowed from this client to this server or the SPN is a valid SPN of this client (for user2user)
*/
krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *);
krb5_error_code (*hdb_check_client_matches_target_service)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *);
/**
* Enable/disable synchronous updates
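Review bot: the two `hdb_entry_ex *` parameters of the renamed `hdb_check_client_matches_target_service` hook are still unnamed, and the updated doc comment does not say which one is the client and which is the target, even though the hook now serves two flows (S4U2Self and user2user) in which the roles of the two entries differ; spell out the parameter order in the comment, e.g. "first entry: the requesting client (or TGT client), second entry: the target service". Separately, renaming a member of the public `struct HDB` from `hdb_check_s4u2self` is source-incompatible for any out-of-tree backend that assigns the old name, so either mention the rename explicitly in the commit message or keep the old name as a compatibility alias.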