Ticket History #8876: Fix AS-REQ checking of KDB-modified indicators

# Fri Feb 21 13:01:57 2020 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1KiB

Fix AS-REQ checking of KDB-modified indicators

Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.

For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.

https://github.com/krb5/krb5/commit/109e30ce22c20f18b8233119f274935bdf573886
Author: Greg Hudson <ghudson@mit.edu>
Commit: 109e30ce22c20f18b8233119f274935bdf573886
Branch: master
src/kdc/do_as_req.c | 14 ++++++------
src/plugins/kdb/test/kdb_test.c | 42 +++++++++++++++++++++++++++++++++++++-
src/tests/t_authdata.py | 11 ++++++++++
3 files changed, 58 insertions(+), 9 deletions(-)

# Fri Feb 21 13:01:57 2020 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Fri Feb 21 13:01:57 2020 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Fri Feb 21 13:01:57 2020 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Fri Feb 21 13:01:57 2020 ghudson@mit.edu (Greg Hudson) - Target_Version 1.18-next added

# Wed Mar 18 12:52:42 2020 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.18.1 added

# Wed Mar 18 12:52:42 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 1.1KiB

Fix AS-REQ checking of KDB-modified indicators

Commit 7196c03f18f14695abeb5ae4923004469b172f0f (ticket 8823) gave the
KDB the ability to modify auth indicators, but it happens after the
asserted indicators are checked against the server principal
requirements. In finish_process_as_req(), move the call to
check_indicators() after the call to handle_authdata() so that the
final indicator list is checked.

For the test case, add string attribute functionality to the test KDB
module, and fix a bug where test_get_principal() would return failure
if a principal has no keys. Also add a test case for AS-REQ
enforcement of normally asserted auth indicators.

(cherry picked from commit 109e30ce22c20f18b8233119f274935bdf573886)

https://github.com/krb5/krb5/commit/dc840f670d5b756a773d72fa345aa5e6da298b22
Author: Greg Hudson <ghudson@mit.edu>
Commit: dc840f670d5b756a773d72fa345aa5e6da298b22
Branch: krb5-1.18
src/kdc/do_as_req.c | 14 ++++++------
src/plugins/kdb/test/kdb_test.c | 42 +++++++++++++++++++++++++++++++++++++-
src/tests/t_authdata.py | 11 ++++++++++
3 files changed, 58 insertions(+), 9 deletions(-)

# Wed Mar 18 14:08:34 2020 ghudson@mit.edu (Greg Hudson) - Tags pullup deleted