kdc: Avoid races and multiple DB lookups in s4u2self check

Assists Samba to address CVE-2020-25719 Passing in target_server as a string principal means that for an alias we must looking up the DB twice. This is subject to a race and is a poor use of resources, so instead just pass in the record we already got when trying to confirm that the server in S4U2Self is the same as the requesting client. We also avoid doing a name comparison if the HDB plugin provides a validation hook, this allows the HDB layer more freedom to choose how to handle things. In Samba AD the client record has already been bound to the the original client by the SID check in the PAC, so the record is known to match the ticket. Likewise by looking up server only once we ensure that the keys looked up originally (to decrypt) are in the record we confirm the SID for here. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686 Signed-off-by: Andrew Bartlett <abartlet@samba.org> (Based on Samba commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376)
2021-11-16 12:51:28 +13:00
parent 6b635f66de
commit ea8e8a4a8a
2 changed files with 19 additions and 9 deletions
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -294,7 +294,7 @@ typedef struct HDB {
    /**
     * Check if s4u2self is allowed from this client to this server
     */
-    krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
+    krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, hdb_entry_ex *);

    /**
     * Enable/disable synchronous updates