respect keytab principal given

jcmturner · Jan 31, 2020 · 0b0d9d7 · 0b0d9d7
1 parent 04c044e
commit 0b0d9d7
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 3 deletions.
diff --git a/v8/messages/APReq.go b/v8/messages/APReq.go
@@ -153,7 +153,7 @@ func (a *APReq) Marshal() ([]byte, error) {
 
 // Verify an AP_REQ using service's keytab, spn and max acceptable clock skew duration.
 // The service ticket encrypted part and authenticator will be decrypted as part of this operation.
-func (a *APReq) Verify(kt *keytab.Keytab, d time.Duration, cAddr types.HostAddress) (bool, error) {
+func (a *APReq) Verify(kt *keytab.Keytab, d time.Duration, cAddr types.HostAddress, snameOverride *types.PrincipalName) (bool, error) {
 	// Decrypt ticket's encrypted part with service key
 	//TODO decrypt with service's session key from its TGT is use-to-user. Need to figure out how to get TGT.
 	//if types.IsFlagSet(&a.APOptions, flags.APOptionUseSessionKey) {
@@ -178,7 +178,11 @@ func (a *APReq) Verify(kt *keytab.Keytab, d time.Duration, cAddr types.HostAddre
 	//		return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
 	//	}
 	//}
-	err := a.Ticket.DecryptEncPart(kt, &a.Ticket.SName)
+	sname := &a.Ticket.SName
+	if snameOverride != nil {
+		sname = snameOverride
+	}
+	err := a.Ticket.DecryptEncPart(kt, sname)
 	if err != nil {
 		return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
 	}

diff --git a/v8/service/APExchange.go b/v8/service/APExchange.go
@@ -11,7 +11,7 @@ import (
 // VerifyAPREQ verifies an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.
 func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error) {
 	var creds *credentials.Credentials
-	ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress())
+	ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress(), s.KeytabPrincipal())
 	if err != nil || !ok {
 		return false, creds, err
 	}

diff --git a/v8/service/APExchange_test.go b/v8/service/APExchange_test.go
@@ -2,6 +2,7 @@ package service
 
 import (
 	"encoding/hex"
+	"strings"
 	"testing"
 	"time"
 
@@ -60,6 +61,51 @@ func TestVerifyAPREQ(t *testing.T) {
 	}
 }
 
+func TestVerifyAPREQWithPrincipalOverride(t *testing.T) {
+	t.Parallel()
+	cl := getClient()
+	sname := types.PrincipalName{
+		NameType:   nametype.KRB_NT_PRINCIPAL,
+		NameString: []string{"HTTP", "host.test.gokrb5"},
+	}
+	b, _ := hex.DecodeString(testdata.HTTP_KEYTAB)
+	kt := keytab.New()
+	kt.Unmarshal(b)
+	st := time.Now().UTC()
+	tkt, sessionKey, err := messages.NewTicket(cl.Credentials.CName(), cl.Credentials.Domain(),
+		sname, "TEST.GOKRB5",
+		types.NewKrbFlags(),
+		kt,
+		18,
+		1,
+		st,
+		st,
+		st.Add(time.Duration(24)*time.Hour),
+		st.Add(time.Duration(48)*time.Hour),
+	)
+	if err != nil {
+		t.Fatalf("Error getting test ticket: %v", err)
+	}
+	apReq, err := messages.NewAPReq(
+		tkt,
+		sessionKey,
+		newTestAuthenticator(*cl.Credentials),
+	)
+	if err != nil {
+		t.Fatalf("Error getting test AP_REQ: %v", err)
+	}
+
+	h, _ := types.GetHostAddress("127.0.0.1:1234")
+	s := NewSettings(kt, ClientAddress(h), KeytabPrincipal("foo"))
+	ok, _, err := VerifyAPREQ(&apReq, s)
+	if ok || err == nil {
+		t.Fatalf("Validation of AP_REQ should have failed")
+	}
+	if !strings.Contains(err.Error(), "Looking for [foo] realm") {
+		t.Fatalf("Looking for wrong entity: %s", err.Error())
+	}
+}
+
 func TestVerifyAPREQ_KRB_AP_ERR_BADMATCH(t *testing.T) {
 	t.Parallel()
 	cl := getClient()