Use the list of encryption types passed as part of the KDC request to
authorTheodore Tso <tytso@mit.edu>
Mon, 21 Nov 1994 22:26:52 +0000 (22:26 +0000)
committerTheodore Tso <tytso@mit.edu>
Mon, 21 Nov 1994 22:26:52 +0000 (22:26 +0000)
determine which encryption to use for encrypting the ticket.  The
encryption must be one that is supported by the KDC, as well as being
one which is marked as being supported by the server of the ticket.
In an AS request, also use this encryption for encrypting the KDC
response.  In a TGS request, use the encryption type of the TGT
authenticator to determine how to encrypt the KDC response.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4712 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c

index 69d55104db7f3981ee0063407e1519543c57349f..01bf1a131674bf94a2fed86452808e9506ddefc1 100644 (file)
@@ -1,3 +1,16 @@
+Mon Nov 21 17:23:50 1994  Theodore Y. Ts'o  (tytso@dcl)
+
+       * do_tgs_req.c (process_tgs_req):
+       * do_as_req.c (process_as_req): Use the list of encryption types
+               passed as part of the KDC request to determine which
+               encryption to use for encrypting the ticket.  The
+               encryption must be one that is supported by the KDC, as
+               well as being one which is marked as being supported by
+               the server of the ticket.  In a AS request, also use this
+               encryption for encrypting the KDC response.  In a TGS
+               request, use the encryption type of the TGT authenticator
+               to determine how to encrypt the KDC response. 
+
 Tue Nov  8 17:51:30 1994  Theodore Y. Ts'o  (tytso@dcl)
 
        * do_tgs_req.c (process_tgs_req): Use published interface to call
index 12fea7aa57af447d8d35a0f8f5d6d2a46b449cbf..62fb0eb2500a2c55d2e93bd94af0e4b8c5945187 100644 (file)
@@ -237,9 +237,23 @@ krb5_data **response;                      /* filled in with a response packet */
        goto errout;
     }
       
-    for (i = 0; i < request->netypes; i++)
-       if (valid_etype(request->etype[i]))
+    for (i = 0; i < request->netypes; i++) {
+       krb5_keytype ok_keytype;
+       
+       if (!valid_etype(request->etype[i]))
+           continue;
+
+       if (request->etype[i] == ETYPE_DES_CBC_MD5 &&
+           !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5))
+           continue;
+
+       ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype;
+
+       if (server.key.keytype == ok_keytype ||
+           server.alt_key.keytype == ok_keytype)
            break;
+    }
+    
     if (i == request->netypes) {
        /* unsupported etype */
            
@@ -261,8 +275,6 @@ krb5_data **response;                       /* filled in with a response packet */
     }
 
     ticket_reply.server = request->server;
-    ticket_reply.enc_part.etype = useetype;
-    ticket_reply.enc_part.kvno = server.kvno;
 
     enc_tkt_reply.flags = 0;
     setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL);
@@ -404,11 +416,12 @@ krb5_data **response;                     /* filled in with a response packet */
        in the database) */
     if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key))
        goto errout;
-    retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply);
+    retval = krb5_encrypt_tkt_part(&eblock, &encrypting_key, &ticket_reply);
     memset((char *)encrypting_key.contents, 0, encrypting_key.length);
     krb5_xfree(encrypting_key.contents);
     if (retval)
        goto errout;
+    ticket_reply.enc_part.kvno = server.kvno;
 
     /* Start assembling the response */
     reply.msg_type = KRB5_AS_REP;
@@ -451,9 +464,7 @@ krb5_data **response;                       /* filled in with a response packet */
     }
 
     reply.client = request->client;
-    /* XXX need separate etypes for ticket encryption and kdc_rep encryption */
-    reply.enc_part.etype = useetype;
-    reply.enc_part.kvno = client.kvno;
+
     reply.ticket = &ticket_reply;
 
     reply_encpart.session = session_key;
@@ -479,7 +490,8 @@ krb5_data **response;                       /* filled in with a response packet */
     if (retval = KDB_CONVERT_KEY_OUTOF_DB(&client.key, &encrypting_key))
        goto errout;
 
-    retval = krb5_encode_kdc_rep(KRB5_AS_REP, &reply_encpart,
+    reply.enc_part.kvno = client.kvno;
+    retval = krb5_encode_kdc_rep(KRB5_AS_REP, &reply_encpart, &eblock,
                                 &encrypting_key,  &reply, response);
     memset((char *)encrypting_key.contents, 0, encrypting_key.length);
     krb5_xfree(encrypting_key.contents);
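Review bot: The selection loop at L44-59 accepts an etype whose keytype matches only `server.alt_key.keytype`, yet the ticket is still encrypted with `server.key` at L75, so in that case `eblock` and the key actually used can disagree unless lines outside these hunks substitute the alternate key; the key handed to `KDB_CONVERT_KEY_OUTOF_DB` should be whichever of `server.key`/`server.alt_key` matched `ok_keytype`. The same question applies to the reply: L99-104 encrypt it with `client.key` under the same `eblock`, but `client.key.keytype` is never compared in the loop, which is exactly the gap the deleted `/* XXX need separate etypes for ticket encryption and kdc_rep encryption */` at L91 recorded, so I would keep that comment until the reply etype is chosen against the client's key. The table index at L54, `krb5_csarray[request->etype[i]]`, is taken straight from the request, so it relies on `valid_etype()` both bounding the index and guaranteeing a non-null entry; that check is not visible here and deserves a one-line comment at the indexing site. process_as_req begins and ends outside these hunks.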
index 62d810bfc0efbfc70b0c4f65c37886a78b3bed10..46407185c9258561934e2e59420a52d589d56af7 100644 (file)
@@ -67,6 +67,7 @@ int   is_secondary;
 krb5_data **response;                  /* filled in with a response packet */
 {
     krb5_encrypt_block eblock;
+    krb5_keytype second_ticket_etype = ETYPE_UNKNOWN;
     krb5_kdc_req *request = 0;
     krb5_db_entry server;
     krb5_kdc_rep reply;
@@ -199,9 +200,37 @@ tgt_again:
        goto cleanup;
     }
 
-    for (i = 0; i < request->netypes; i++)
-       if (valid_etype(request->etype[i]))
+    /*
+     * If we are using user-to-user authentication, then the resulting
+     * ticket has to use the same encryption system as was used to
+     * encrypt the ticket, since that's the same encryption system
+     * that's used for the ticket session key --- and that's what we
+     * use to encrypt the ticket!
+     */
+    if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+       second_ticket_etype = request->second_ticket[st_idx]->enc_part.etype;
+           
+    for (i = 0; i < request->netypes; i++) {
+       krb5_keytype ok_keytype;
+       
+       if (!valid_etype(request->etype[i]))
+           continue;
+
+       if (second_ticket_etype != ETYPE_UNKNOWN &&
+           second_ticket_etype != request->etype[i])
+           continue;
+
+       if (request->etype[i] == ETYPE_DES_CBC_MD5 &&
+           !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5))
+           continue;
+
+       ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype;
+
+       if (server.key.keytype == ok_keytype ||
+           server.alt_key.keytype == ok_keytype)
            break;
+    }
+    
     if (i == request->netypes) {
        /* unsupported etype */
        status = "BAD_ENCRYPTION_TYPE";
@@ -220,8 +249,6 @@ tgt_again:
     }
 
     ticket_reply.server = request->server; /* XXX careful for realm... */
-    ticket_reply.enc_part.etype = useetype;
-    ticket_reply.enc_part.kvno = server.kvno;
 
     enc_tkt_reply.flags = 0;
     enc_tkt_reply.times.starttime = 0;
@@ -466,6 +493,12 @@ tgt_again:
 
     ticket_reply.enc_part2 = &enc_tkt_reply;
 
+    /*
+     * If we are doing user-to-user authentication, then make sure
+     * that the client for the second ticket matches the request
+     * server, and then encrypt the ticket using the session key of
+     * the second ticket.
+     */
     if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
        krb5_keyblock *st_sealing_key;
        krb5_kvno st_srv_kvno;
@@ -500,7 +533,9 @@ tgt_again:
                goto cleanup;
        }
            
-       if (retval = krb5_encrypt_tkt_part(request->second_ticket[st_idx]->enc_part2->session,
+       ticket_reply.enc_part.kvno = 0;
+       if (retval = krb5_encrypt_tkt_part(&eblock,
+                                          request->second_ticket[st_idx]->enc_part2->session,
                                           &ticket_reply)) {
            status = "2ND_TKT_ENCRYPT";
            goto cleanup;
@@ -514,7 +549,8 @@ tgt_again:
            goto cleanup;
        }
 
-       retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply);
+       ticket_reply.enc_part.kvno = server.kvno;
+       retval = krb5_encrypt_tkt_part(&eblock, &encrypting_key, &ticket_reply);
 
        memset((char *)encrypting_key.contents, 0, encrypting_key.length);
        krb5_xfree(encrypting_key.contents);
@@ -529,7 +565,6 @@ tgt_again:
     reply.msg_type = KRB5_TGS_REP;
     reply.padata = 0;          /* always */
     reply.client = header_ticket->enc_part2->client;
-    reply.enc_part.etype = useetype;
     reply.enc_part.kvno = 0;           /* We are using the session key */
     reply.ticket = &ticket_reply;
 
@@ -558,7 +593,7 @@ tgt_again:
     /* use the session key in the ticket, unless there's a subsession key
        in the AP_REQ */
 
-    retval = krb5_encode_kdc_rep(KRB5_TGS_REP, &reply_encpart,
+    retval = krb5_encode_kdc_rep(KRB5_TGS_REP, &reply_encpart, &eblock,
                                 req_authdat->authenticator->subkey ?
                                 req_authdat->authenticator->subkey :
                                 header_ticket->enc_part2->session,
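Review bot: L131 dereferences `request->second_ticket[st_idx]` as soon as `KDC_OPT_ENC_TKT_IN_SKEY` is set, ahead of the user-to-user block at L176 that was previously the first consumer of the second ticket; this is only safe if `request->second_ticket` is known non-null and `st_idx` is already range-checked earlier in the function (not visible here), otherwise a request carrying the flag without a second ticket dereferences a null pointer inside the KDC, and a null check on `request->second_ticket` and `request->second_ticket[st_idx]` that sets `status` and jumps to `cleanup` belongs before L131. The filter at L139-141 keys on the second ticket's wire-visible `enc_part.etype`, which is not yet decrypted or verified at that point; since it only narrows the candidate list that is acceptable, but the comment at L123-129 should state that the real requirement is agreement with the second ticket's session-key keytype, which is exercised only by the encrypt call at L185-187. The reply at L213 is encoded with the same `eblock` that was bound for the ticket at L196, so unless `eblock` is rebound in the unshown lines between L199 and L213 the reply is encrypted with the ticket's etype rather than the authenticator's as the commit message states. process_tgs_req starts and ends outside these hunks.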