get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then set
authorTheodore Tso <tytso@mit.edu>
Sat, 2 Sep 1995 03:24:58 +0000 (03:24 +0000)
committerTheodore Tso <tytso@mit.edu>
Sat, 2 Sep 1995 03:24:58 +0000 (03:24 +0000)
the time_offset fields from the returned ticket's authtime value.

init_ctx.c (krb5_init_context): Initialize new fields in krb5_context
(clockskew, kdc_req_sumtype, and kdc_default_options).

gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary
sanity checking on the KDC response to make sure we detect tampering.

send_tgs.c (krb5_send_tgs): Set the expected nonce in the response
structure.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6653 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/gc_via_tkt.c
src/lib/krb5/krb/get_in_tkt.c
src/lib/krb5/krb/init_ctx.c
src/lib/krb5/krb/krbconfig.c
src/lib/krb5/krb/send_tgs.c

index 751962b1ffaf333b196cfe36c23c1d417520e944..31ecd5d98887dd588b1505180b9fca0be8a000b0 100644 (file)
@@ -1,7 +1,23 @@
+Fri Sep  1 20:03:41 1995  Theodore Y. Ts'o  <tytso@dcl>
+
+       * get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then
+               set the time_offset fields from the returned ticket's
+               authtime value.
+
+       * init_ctx.c (krb5_init_context): Initialize new fields in
+               krb5_context (clockskew, kdc_req_sumtype, and
+               kdc_default_options).
+
+       * gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary
+               sanity checking on the KDC response to make sure we detect
+               tampering.
+
+       * send_tgs.c (krb5_send_tgs): Set the expected nonce in the
+               response structure.
 
 Fri Sep 1 11:16:43 EDT 1995    Paul Park       (pjpark@mit.edu)
-       * ser_ctx.c - Add handling of new time offset fields in the os_context.
 
+       * ser_ctx.c - Add handling of new time offset fields in the os_context.
 
 Tue Aug 29 14:14:26 EDT 1995   Paul Park       (pjpark@mit.edu)
        * Makefile.in, .Sanitize, ser_{actx,adata,addr,auth,cksum,ctx,eblk,key,
index c2f531f489d3ef27df60c5131cdedea98b4d0abd..5dbbaed42846731f8496702aa2992ad3912a8f7d 100644 (file)
@@ -28,6 +28,9 @@
 #include "k5-int.h"
 #include "int-proto.h"
 
+extern krb5_deltat krb5_clockskew;
+#define in_clock_skew(date, now) (labs((date)-(now)) < krb5_clockskew)
+
 static krb5_error_code
 krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds)
     krb5_context          context;
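Review bot: `in_clock_skew` reads the global `krb5_clockskew`, while the init_ctx.c hunk in this same commit loads a per-context `clockskew` from the `libdefaults` profile section, so a configured skew would not reach the TGS-reply check this macro feeds. Passing the context through, `#define in_clock_skew(context, date, now) (labs((date)-(now)) < (context)->clockskew)`, keeps the check on the same value the profile sets; the call in the later krb5_get_cred_via_tkt hunk would then take `context` as its first argument. If the global is kept on purpose, a comment next to the `extern` saying so would prevent the two values from drifting apart unnoticed.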
@@ -162,16 +165,7 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred)
        if (retval)                     /* neither proper reply nor error! */
            goto error_4;
 
-#if 0
-       /* XXX need access to the actual assembled request...
-          need a change to send_tgs */
-       if ((err_reply->ctime != request.ctime) ||
-           !krb5_principal_compare(context,err_reply->server,request.server) ||
-           !krb5_principal_compare(context, err_reply->client, request.client))
-           retval = KRB5_KDCREP_MODIFIED;
-       else
-#endif
-           retval = err_reply->error + ERROR_TABLE_BASE_krb5;
+       retval = err_reply->error + ERROR_TABLE_BASE_krb5;
 
        krb5_free_error(context, err_reply);
        goto error_4;
@@ -187,42 +181,36 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred)
        goto error_3;
     }
     
-    /* now it's decrypted and ready for prime time */
-    if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) {
+    /* make sure the response hasn't been tampered with..... */
+    if (!krb5_principal_compare(context, dec_rep->client, tkt->client) ||
+       !krb5_principal_compare(context, dec_rep->enc_part2->server,
+                               in_cred->server) ||
+       !krb5_principal_compare(context, dec_rep->ticket->server,
+                               in_cred->server) ||
+       (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) ||
+       ((in_cred->times.starttime != 0) &&
+        (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) ||
+       ((in_cred->times.endtime != 0) &&
+        (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) ||
+       ((kdcoptions & KDC_OPT_RENEWABLE) &&
+        (in_cred->times.renew_till != 0) &&
+        (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) ||
+       ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
+        (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+        (in_cred->times.endtime != 0) &&
+        (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
+       ) {
        retval = KRB5_KDCREP_MODIFIED;
        goto error_3;
     }
 
-#if 0
-    /* XXX probably need access to the request */
-    /* check the contents for sanity: */
-    if (!krb5_principal_compare(context, dec_rep->client, request.client)
-       || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server)
-       || !krb5_principal_compare(context, dec_rep->ticket->server, request.server)
-       || (request.nonce != dec_rep->enc_part2->nonce)
-       /* XXX check for extraneous flags */
-       /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */
-       || ((request.from != 0) &&
-           (request.from != dec_rep->enc_part2->times.starttime))
-       || ((request.till != 0) &&
-           (dec_rep->enc_part2->times.endtime > request.till))
-       || ((request.kdc_options & KDC_OPT_RENEWABLE) &&
-           (request.rtime != 0) &&
-           (dec_rep->enc_part2->times.renew_till > request.rtime))
-       || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) &&
-           (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
-           (request.till != 0) &&
-           (dec_rep->enc_part2->times.renew_till > request.till))
-       )
-       retval = KRB5_KDCREP_MODIFIED;
-
-    if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) {
+    if (!in_cred->times.starttime &&
+       !in_clock_skew(dec_rep->enc_part2->times.starttime,
+                      tgsrep.request_time)) {
        retval = KRB5_KDCREP_SKEW;
        goto error_3;
     }
     
-#endif
-
     retval = krb5_kdcrep2creds(context, dec_rep, address, 
                               &in_cred->second_ticket,  out_cred);
 
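Review bot: The RENEWABLE_OK clause masks `dec_rep->enc_part2->flags`, which holds ticket flags, with the request-option constant `KDC_OPT_RENEWABLE`; the test should name the ticket flag, `(dec_rep->enc_part2->flags & TKT_FLG_RENEWABLE) &&`, so it does not depend on the two constants sharing a bit position. The `#if 0` block this replaces also carried two XXX notes, on extraneous flags and on comparing `caddrs` with the requested addresses, and neither check appears in the new condition. A comment above the `if`, such as `/* XXX flags and caddrs are not verified yet */`, would keep that gap visible to the next reader. krb5_get_cred_via_tkt starts and ends outside this hunk.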
index f6e5c3248720e57c997bcfe75957f9fee50e8c1e..78be610b059795a745d7abd47a3bdf0786dc913b 100644 (file)
@@ -97,6 +97,7 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed,
     krb5_keyblock *decrypt_key = 0;
     krb5_timestamp time_now;
 /*    krb5_pa_data     *padata; */
+    krb5_pa_data  **preauth_to_use = 0;
     int f_salt = 0, use_salt = 0;
     krb5_data salt;
     char k4_version;           /* same type as *(krb5_data::data) */
@@ -158,11 +159,6 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed,
     request.from = creds->times.starttime;
     request.till = creds->times.endtime;
     request.rtime = creds->times.renew_till;
-    if ((retval = krb5_timeofday(context, &time_now)))
-       goto cleanup;
-
-    /* XXX we know they are the same size... */
-    request.nonce = (krb5_int32) time_now;
 
     if (etypes) 
        request.etype = etypes;
@@ -174,6 +170,12 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed,
     request.unenc_authdata = 0;
     request.second_ticket = 0;
 
+    if ((retval = krb5_timeofday(context, &time_now)))
+       goto cleanup;
+
+    /* XXX we know they are the same size... */
+    request.nonce = (krb5_int32) time_now;
+
     /* encode & send to KDC */
     retval = encode_krb5_as_req(&request, &packet);
     if (!etypes)
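Review bot: The nonce assigned in `request.nonce = (krb5_int32) time_now;` is the wall-clock second, so it is predictable and two requests issued within the same second carry the same value, which weakens its use for tying a reply to one request. The send_tgs.c hunk has the same pattern in `rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;`, and that value is what the new tamper check in gc_via_tkt.c compares against. Drawing the nonce from the library's random source and keeping `time_now` only for the skew comparison would let the nonce check stand on its own. The cast also rests on the size assumption in the XXX comment; stating the assumed width of `krb5_timestamp` there would make it checkable.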
@@ -195,14 +197,15 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed,
            /* some other error code--??? */        
            goto cleanup;
     
-       /* it was an error */
+       if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+           err_reply->e_data.length > 0) {
+           retval = decode_krb5_padata_sequence(&err_reply->e_data,
+                                                &preauth_to_use);
+           /* XXX we need to actually do something with the info */
+           krb5_free_pa_data(context, preauth_to_use);
+       }
 
-       if ((err_reply->ctime != request.nonce) ||
-           !krb5_principal_compare(context, err_reply->server, request.server) ||
-           !krb5_principal_compare(context, err_reply->client, request.client))
-           retval = KRB5_KDCREP_MODIFIED;
-       else
-           retval = err_reply->error + ERROR_TABLE_BASE_krb5;
+       retval = err_reply->error + ERROR_TABLE_BASE_krb5;
 
        /* XXX somehow make error msg text available to application? */
 
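Review bot: The result of `decode_krb5_padata_sequence` is overwritten two statements later by `retval = err_reply->error + ERROR_TABLE_BASE_krb5;`, and `krb5_free_pa_data` runs whether or not the decode succeeded. `e_data` comes from a KRB-ERROR message, which carries no integrity protection, so a malformed sequence has to be expected here; if the decoder leaves `preauth_to_use` at its initial 0 on failure, the free may be handed a null pointer. Guarding the call, `if (decode_krb5_padata_sequence(&err_reply->e_data, &preauth_to_use) == 0) krb5_free_pa_data(context, preauth_to_use);`, removes both the dead store and the unchecked free. The enclosing function continues outside the hunk.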
@@ -310,7 +313,11 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed,
        retval = KRB5_KDCREP_SKEW;
        goto cleanup;
     }
-    
+   if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)
+       krb5_set_time_offsets(context,
+                            as_reply->enc_part2->times.authtime - time_now,
+                            0);
 
     /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */
        
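Review bot: The offset is set only after the `KRB5_KDCREP_SKEW` exit just above, so if that check (its condition is outside the hunk) compares against the unadjusted local clock, a client whose clock is off by more than the allowed skew is rejected before `kdc_timesync` can correct it. Consider applying the offset before the skew test, or skipping the test when `KRB5_LIBOPT_SYNC_KDCTIME` is set, with a comment that the client then trusts the `authtime` of any reply it can decrypt. The return value of `krb5_set_time_offsets` is dropped, and `time_now` appears to have been read before the request was sent, so the stored offset would include the round-trip time. The new `if` is also indented three spaces where the surrounding code uses four.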
index 00bf2d528aab8559af56bfac8bf9e5d03d77effe..077cfdd34af21086b297633d2ca80080f896b6dc 100644 (file)
@@ -31,6 +31,7 @@ krb5_init_context(context)
 {
        krb5_context ctx;
        krb5_error_code retval;
+       int tmp;
 
        *context = 0;
 
@@ -46,9 +47,18 @@ krb5_init_context(context)
 
        if ((retval = krb5_os_init_context(ctx)))
                goto cleanup;
-       
 
        ctx->default_realm = 0;
+       profile_get_integer(ctx->profile, "libdefaults",
+                           "clockskew", 0, 5 * 60,
+                           &tmp);
+       ctx->clockskew = tmp;
+       ctx->kdc_req_sumtype = CKSUMTYPE_RSA_MD5;
+       ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK;
+       profile_get_integer(ctx->profile, "libdefaults",
+                           "kdc_timesync", 0, 0,
+                           &tmp);
+       ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
 
        *context = ctx;
        return 0;
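Review bot: Both `profile_get_integer` calls drop their return value, and `tmp` is declared without an initializer in the earlier hunk, so if a call fails without storing a result, `ctx->clockskew` and `ctx->library_options` are set from an indeterminate value. The configured `clockskew` is also stored without a range check; a negative or very large value from the profile would make any comparison that uses it as the skew bound always fail or always pass. Checking the result, `if ((retval = profile_get_integer(ctx->profile, "libdefaults", "clockskew", 0, 5 * 60, &tmp))) goto cleanup;`, and rejecting `tmp < 0` before the assignment covers both. krb5_init_context's body extends outside the hunk.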
index f0ae06d5caa11cb387ab1af043d4ac2c39ccefa2..7401bd38feb666aab48d265cb984d38e8f1d1bf4 100644 (file)
@@ -27,5 +27,5 @@
 #include "k5-int.h"
 
 krb5_deltat krb5_clockskew = 5 * 60;   /* five minutes */
-krb5_cksumtype krb5_kdc_req_sumtype = CKSUMTYPE_RSA_MD4;
+krb5_cksumtype krb5_kdc_req_sumtype = CKSUMTYPE_RSA_MD5;
 krb5_flags krb5_kdc_default_options = KDC_OPT_RENEWABLE_OK;
index 64331d8d6034451d0906e6d47fa3698bc116798e..cad41582a8babecaccf735594339b421a4241598 100644 (file)
@@ -206,7 +206,8 @@ krb5_send_tgs(context, kdcoptions, timestruct, etypes, sname, addrs,
     if ((retval = krb5_timeofday(context, &time_now)))
        return(retval);
     /* XXX we know they are the same size... */
-    tgsreq.nonce = (krb5_int32) time_now;
+    rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;
+    rep->request_time = time_now;
 
     tgsreq.addresses = (krb5_address **) addrs;