svn rev #21727: trunk/src/kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Mon Jan 12 14:59:17 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21727
Commit By: hartmans
Log Message:
Patch from Luke Howard:
Previously when using the kdb keytab, there was a check to confirm that the server
was supported as a server and that attackers
could not force an enctype downgrade.
Add these to kdc_get_server_key
Changed Files:
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c 2009-01-12 19:43:13 UTC (rev 21726)
+++ trunk/src/kdc/do_tgs_req.c 2009-01-12 19:59:16 UTC (rev 21727)
@@ -282,6 +282,7 @@
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
c_flags,
+ TRUE, /* match_enctype */
&st_client,
&st_nprincs,
&st_sealing_key,
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2009-01-12 19:43:13 UTC (rev 21726)
+++ trunk/src/kdc/kdc_util.c 2009-01-12 19:59:16 UTC (rev 21727)
@@ -292,7 +292,8 @@
goto cleanup_auth_context;
#endif
- if ((retval = kdc_get_server_key(apreq->ticket, 0, krbtgt, nprincs, &key, &kvno)))
+ if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server,
+ krbtgt, nprincs, &key, &kvno)))
goto cleanup_auth_context;
/*
* We do not use the KDB keytab because other parts of the TGS need the TGT key.
@@ -408,11 +409,11 @@
*/
krb5_error_code
kdc_get_server_key(krb5_ticket *ticket, unsigned int flags,
- krb5_db_entry *server,
+ krb5_boolean match_enctype, krb5_db_entry *server,
int *nprincs, krb5_keyblock **key, krb5_kvno *kvno)
{
krb5_error_code retval;
- krb5_boolean more;
+ krb5_boolean more, similar;
krb5_key_data * server_key;
*nprincs = 1;
@@ -438,23 +439,43 @@
}
return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
}
+ if (server->attributes & KRB5_KDB_DISALLOW_SVR ||
+ server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
+ retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
retval = krb5_dbe_find_enctype(kdc_context, server,
- ticket->enc_part.enctype, -1,
- (krb5_int32)ticket->enc_part.kvno, &server_key);
+ match_enctype ? ticket->enc_part.enctype : -1,
+ -1, (krb5_int32)ticket->enc_part.kvno,
+ &server_key);
if (retval)
goto errout;
if (!server_key) {
retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
}
- *kvno = server_key->key_data_kvno;
if ((*key = (krb5_keyblock *)malloc(sizeof **key))) {
retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_keyblock,
server_key,
*key, NULL);
} else
retval = ENOMEM;
+ retval = krb5_c_enctype_compare(kdc_context, ticket->enc_part.enctype,
+ (*key)->enctype, &similar);
+ if (retval)
+ goto errout;
+ if (!similar) {
+ retval = KRB5_KDB_NO_PERMITTED_KEY;
+ goto errout;
+ }
+ (*key)->enctype = ticket->enc_part.enctype;
+ *kvno = server_key->key_data_kvno;
errout:
+ if (retval != 0) {
+ krb5_db_free_principal(kdc_context, server, *nprincs);
+ *nprincs = 0;
+ }
+
return retval;
}
@@ -1985,7 +2006,7 @@
/* Must be in same realm */
if (!krb5_realm_compare(context, server->princ, proxy)) {
- return KRB5_IN_TKT_REALM_MISMATCH; /* XXX */
+ return KRB5KDC_ERR_BADOPTION;
}
req.server = server;
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2009-01-12 19:43:13 UTC (rev 21726)
+++ trunk/src/kdc/kdc_util.h 2009-01-12 19:59:16 UTC (rev 21727)
@@ -69,6 +69,7 @@
krb5_keyblock **);
krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
+ krb5_boolean match_enctype,
krb5_db_entry *, int *,
krb5_keyblock **, krb5_kvno *);
More information about the cvs-krb5
mailing list