ipa-kdb: postpone ticket checksum configuration

Postpone ticket checksum configuration after KDB module was initialized. This, in practice, should now happen when a master key is retrieved. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Julien Rische <jrische@redhat.com>
2025-01-11 08:41:55 -06:00 · 2023-05-25 09:19:57 +03:00 · 2023-05-25 09:19:57 +03:00 · fefa024829
commit fefa024829
parent 803a44777f
4 changed files with 86 additions and 65 deletions
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@ -529,52 +529,6 @@ static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
    return tgtp;
 }

-static char *no_attrs[] = {
-    LDAP_NO_ATTRS,
-
-    NULL
-};
-
-static krb5_error_code
-should_support_pac_tkt_sign(krb5_context kcontext, bool *result)
-{
-    struct ipadb_context *ipactx;
-    krb5_error_code kerr;
-    LDAPMessage *res = NULL;
-    char *masters_dn = NULL;
-    int count;
-
-    char *kdc_filter = "(&(cn=KDC)(objectClass=ipaConfigObject)"
-                       "(!(ipaConfigString=pacTktSignSupported)))";
-
-    ipactx = ipadb_get_context(kcontext);
-    if (!ipactx) {
-        kerr = KRB5_KDB_DBNOTINITED;
-        goto done;
-    }
-
-    count = asprintf(&masters_dn, "cn=masters,cn=ipa,cn=etc,%s", ipactx->base);
-    if (count < 0) {
-        kerr = ENOMEM;
-        goto done;
-    }
-
-    kerr = ipadb_simple_search(ipactx, masters_dn, LDAP_SCOPE_SUBTREE,
-                               kdc_filter, no_attrs, &res);
-    if (kerr)
-        goto done;
-
-    count = ldap_count_entries(ipactx->lcontext, res);
-
-    if (result)
-        *result = (count == 0);
-
-done:
-    free(masters_dn);
-    ldap_msgfree(res);
-    return kerr;
-}
-
 /* INTERFACE */

 static krb5_error_code ipadb_init_library(void)
@ -595,7 +549,6 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
    krb5_error_code kerr;
    int ret;
    int i;
-    bool pac_tkt_sign_supported;

    /* make sure the context is freed to avoid leaking it */
    ipactx = ipadb_get_context(kcontext);
@ -667,6 +620,8 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
        goto fail;
    }

+    ipactx->optional_pac_tkt_chksum = IPADB_TRISTATE_UNDEFINED;
+
    ret = ipadb_get_connection(ipactx);
    if (ret != 0) {
        /* Not a fatal failure, as the LDAP server may be temporarily down. */
@ -680,13 +635,6 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
        goto fail;
    }

-    /* Enforce PAC ticket signature verification if supported by all KDCs */
-    kerr = should_support_pac_tkt_sign(kcontext, &pac_tkt_sign_supported);
-    if (kerr) {
-        ret = kerr;
-        goto fail;
-    }
-    ipactx->optional_pac_tkt_chksum = !pac_tkt_sign_supported;

    return 0;

--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@ -126,6 +126,12 @@ struct ipadb_global_config {
    bool disable_preauth_for_spns;
 };

+enum ipadb_tristate_option {
+	IPADB_TRISTATE_FALSE = FALSE,
+	IPADB_TRISTATE_TRUE = TRUE,
+	IPADB_TRISTATE_UNDEFINED,
+};
+
 #define IPA_CONTEXT_MAGIC 0x0c027ea7
 struct ipadb_context {
    int magic;
@ -143,7 +149,7 @@ struct ipadb_context {
    krb5_key_salt_tuple *def_encs;
    int n_def_encs;
    struct ipadb_mspac *mspac;
-    bool optional_pac_tkt_chksum;
+    enum ipadb_tristate_option optional_pac_tkt_chksum;
 #ifdef HAVE_KRB5_CERTAUTH_PLUGIN
    krb5_certauth_moddata certauth_moddata;
 #endif
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@ -158,12 +158,75 @@ static bool ipadb_need_retry(struct ipadb_context *ipactx, int error)
    return false;
 }

+static char *no_attrs[] = {
+    LDAP_NO_ATTRS,
+
+    NULL
+};
+
+static int
+should_support_pac_tkt_sign(struct ipadb_context *ipactx, bool *result)
+{
+    int ret;
+    LDAPMessage *res = NULL;
+    char *masters_dn = NULL;
+    int count;
+
+    char *kdc_filter = "(&(cn=KDC)(objectClass=ipaConfigObject)"
+                       "(!(ipaConfigString=pacTktSignSupported)))";
+
+    if (!ipactx) {
+        ret = KRB5_KDB_DBNOTINITED;
+        goto done;
+    }
+
+    count = asprintf(&masters_dn, "cn=masters,cn=ipa,cn=etc,%s", ipactx->base);
+    if (count < 0) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = ipadb_simple_search(ipactx, masters_dn, LDAP_SCOPE_SUBTREE,
+                               kdc_filter, no_attrs, &res);
+    if (ret)
+        goto done;
+
+    count = ldap_count_entries(ipactx->lcontext, res);
+
+    if (result)
+        *result = (count == 0);
+
+done:
+    free(masters_dn);
+    ldap_msgfree(res);
+    return ret;
+}
+
 static int ipadb_check_connection(struct ipadb_context *ipactx)
 {
+    int ret = 0;
+
    if (ipactx->lcontext == NULL) {
-        return ipadb_get_connection(ipactx);
+        ret = ipadb_get_connection(ipactx);
    }
-    return 0;
+    if ((ret == 0) && (ipactx->optional_pac_tkt_chksum == IPADB_TRISTATE_UNDEFINED)) {
+        bool pac_tkt_sign_supported;
+
+	/* Enforce PAC ticket signature verification if supported by all KDCs
+	 * To avoid loops as all search functions call into
+	 * ipadb_check_connection(), mark that the init is complete at this
+	 * point. Default to not issuing PAC to be safe.
+         */
+        ipactx->optional_pac_tkt_chksum = IPADB_TRISTATE_FALSE;
+	ret = should_support_pac_tkt_sign(ipactx,
+                                          &pac_tkt_sign_supported);
+        if (ret == 0) {
+            ipactx->optional_pac_tkt_chksum = !pac_tkt_sign_supported;
+        } else {
+            ipactx->optional_pac_tkt_chksum = IPADB_TRISTATE_UNDEFINED;
+	}
+    }
+    return ret;
 }

 krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx,
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@ -114,12 +114,12 @@ static char *std_principal_obj_classes[] = {

 #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"

-#define OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME "optional_pac_tkt_chksum"
+#ifndef KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM
+#define KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM "optional_pac_tkt_chksum"
+#endif

 #ifndef KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE
-#define OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME "pac_privsvr_enctype"
-#else
-#define OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE
+#define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype"
 #endif

 static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
@ -1748,10 +1748,14 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
         */
        if (!is_local_tgs_princ) {
            kerr = krb5_dbe_set_string(kcontext, *entry,
-                                       OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME,
+                                       KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE,
                                       "aes256-sha1");
        }

+        /* We should have been initialized at this point already */
+        if (ipactx->optional_pac_tkt_chksum == IPADB_TRISTATE_UNDEFINED) {
+                return KRB5_KDB_SERVER_INTERNAL_ERR;
+        }
        /* PAC ticket signature should be optional for foreign realms, and local
         * realm if not supported by all servers
         */
@ -1761,7 +1765,7 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
            opt_pac_tkt_chksum_val = "false";

        kerr = krb5_dbe_set_string(kcontext, *entry,
-                                   OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME,
+                                   KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM,
                                   opt_pac_tkt_chksum_val);
    }

@ -2878,8 +2882,8 @@ remove_virtual_str_attrs(krb5_context kcontext, krb5_db_entry *entry)
    char *str_attr_val;
    krb5_error_code kerr;
    const char *str_attrs[] = {
-        OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME,
-        OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME,
+        KRB5_KDB_SK_OPTIONAL_PAC_TKT_CHKSUM,
+        KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE,
        NULL};

    for(int i = 0; str_attrs[i] != NULL; i++) {