Allow des-mdX keys as well as des-crc (patch from assar).
authorKen Raeburn <raeburn@mit.edu>
Sat, 14 Apr 2001 03:04:23 +0000 (03:04 +0000)
committerKen Raeburn <raeburn@mit.edu>
Sat, 14 Apr 2001 03:04:23 +0000 (03:04 +0000)
Deal better with conversion of inter-realm tickets.
Misc cleanup.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13177 dc483132-0cff-0310-8789-dd5450dbe970

src/krb524/ChangeLog
src/krb524/cnv_tkt_skey.c
src/krb524/conv_creds.c
src/krb524/conv_princ.c
src/krb524/k524init.c
src/krb524/krb524.h

index 0bb8e6d140df9b49c159e5377e1780979b423761..e4e5c2a68fd85a1b798322fc849c05b60a650707 100644 (file)
@@ -1,3 +1,21 @@
+2001-04-13  Ken Raeburn  <raeburn@mit.edu>
+
+       * k524init.c (prog): New variable.
+       (main): Set it, and use it when printing error messages.  When
+       reinitializing v4 ticket file, reject case where client and server
+       realms are different.  Print krb4 errors properly.
+
+       * conv_princ.c (krb524_convert_princs): Accept new arg SREALM,
+       passed through to krb5_524_conv_principal.
+       * krb524.h (krb524_convert_princs): Update prototype.
+       * cnv_tkt_skey.c (krb524_convert_tkt_skey): Pass extra arg.
+       Reject tickets with transited realms for simplicity.
+       * conv_creds.c (krb524_convert_creds_plain): Pass extra arg.  Use
+       the server realm instead of the client realm.
+
+       * cnv_tkt_skey.c (krb524_convert_tkt_skey): Permit non-CRC DES
+       enctypes; patch from Assar Westerlund.
+
 2001-04-10  Ken Raeburn  <raeburn@mit.edu>
 
        * conv_creds.c, encode.c, krb524.h, test.c: Always use prototypes,
index 8aa730f93513c1a23d79d5de32178a1b93c37edc..9a31eb7e8b89896b6fff318d011b8bb028fd03aa 100644 (file)
@@ -59,7 +59,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
      struct sockaddr_in *saddr;
 {
      char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-     char sname[ANAME_SZ], sinst[INST_SZ];
+     char sname[ANAME_SZ], sinst[INST_SZ], srealm[REALM_SZ];
      krb5_enc_tkt_part *v5etkt;
      int ret, lifetime, v4endtime;
      krb5_timestamp server_time;
@@ -72,15 +72,36 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
      }
      v5etkt = v5tkt->enc_part2;
 
+     if (v5etkt->transited.tr_contents.length != 0) {
+        /* Some intermediate realms transited -- do we accept them?
+
+           Simple answer: No.
+
+           More complicated answer: Check our local config file to
+           see if the path is correct, and base the answer on that.
+           This denies the krb4 application server any ability to do
+           its own validation as krb5 servers can.
+
+           Fast answer: Not right now.  */
+         krb5_free_enc_tkt_part(context, v5etkt);
+         v5tkt->enc_part2 = NULL;
+         return KRB5KRB_AP_ERR_ILL_CR_TKT;
+     }
+     /* We could also encounter a case where luser@R1 gets a ticket
+       for krbtgt/R3@R2, and then tries to convert it.  But the
+       converted ticket would be one the v4 KDC code should reject
+       anyways.  So we don't need to worry about it here.  */
+
      if ((ret = krb524_convert_princs(context, v5etkt->client, v5tkt->server,
                                     pname, pinst, prealm, sname,
-                                    sinst))) {
+                                    sinst, srealm))) {
          krb5_free_enc_tkt_part(context, v5etkt);
          v5tkt->enc_part2 = NULL;
          return ret;
      }
-     
-     if (v5etkt->session->enctype != ENCTYPE_DES_CBC_CRC ||
+     if ((v5etkt->session->enctype != ENCTYPE_DES_CBC_CRC &&
+         v5etkt->session->enctype != ENCTYPE_DES_CBC_MD4 &&
+         v5etkt->session->enctype != ENCTYPE_DES_CBC_MD5) ||
         v5etkt->session->length != sizeof(C_Block)) {
          if (krb524_debug)
               fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n",
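Review bot: The debug message on the last line of the hunk still reports only the C_Block length mismatch, but the widened condition now also fails for any enctype other than DES-CBC-CRC/MD4/MD5, so a rejected non-DES session key would be logged as a size problem; `fprintf(stderr, "v5 session keyblock type %d not DES-CRC/MD4/MD5, or length %d != C_Block size %d\n",` keeps the diagnostic honest. The new transited-realm rejection frees v5etkt and clears enc_part2 on the same pattern as the krb524_convert_princs failure path below it, which is consistent. `srealm` is now filled in but not read anywhere in this hunk; if the rest of krb524_convert_tkt_skey does not use it either, a short comment such as `/* srealm is only filled to satisfy krb524_convert_princs */` would stop a later reader from treating it as a bug. The function body continues past the end of the hunk.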
index 89a8d54d5d93636d6198f8497e06dcd95d4bbe45..c1e4b89a356bd48df4f2326560ae498096a58ad5 100644 (file)
@@ -128,14 +128,14 @@ krb524_convert_creds_plain(context, v5creds, v4creds)
 #endif
      int ret;
      krb5_timestamp endtime;
-     
+     char dummy[REALM_SZ];
      memset((char *) v4creds, 0, sizeof(CREDENTIALS));
 
      if ((ret = krb524_convert_princs(context, v5creds->client, 
                                      v5creds->server,
                                      v4creds->pname, v4creds->pinst,
-                                     v4creds->realm, v4creds->service,
-                                     v4creds->instance)))
+                                     dummy, v4creds->service,
+                                     v4creds->instance, v4creds->realm)))
          return ret;
 
      /* Check enctype too */
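Review bot: The hunk silently changes which realm ends up in `v4creds->realm` — previously the client's, now the server's — while the client realm is discarded into `dummy`, and nothing in the code records that decision. A comment at the declaration, `/* CREDENTIALS has one realm field; it gets the server's realm, the client realm is only computed into this scratch buffer. */`, would make the intent visible to the next maintainer. krb524_convert_creds_plain continues past the end of the hunk.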
index d462c8e43239936dfde65f3bb26a97f6ff89d65e..f52c0dd133eaa561e7ea1111a60cdc906b8d76d4 100644 (file)
 #include "krb524.h"
 
 int krb524_convert_princs(context, client, server, pname, pinst, prealm, 
-                         sname, sinst)
+                         sname, sinst, srealm)
      krb5_context context;
      krb5_principal client, server;
-     char *pname, *pinst, *prealm, *sname, *sinst;
+     char *pname, *pinst, *prealm, *sname, *sinst, *srealm;
 {
-     char dummy[REALM_SZ];
      int ret;
      
      if ((ret = krb5_524_conv_principal(context, client, pname, pinst, 
                                        prealm)))
          return ret;
      
-     return krb5_524_conv_principal(context, server, sname, sinst, dummy);
+     return krb5_524_conv_principal(context, server, sname, sinst, srealm);
 }
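Review bot: The function now writes through six caller-supplied buffers with no statement of how large they must be; the removed `dummy[REALM_SZ]` shows the size srealm requires, and the callers in this commit pass ANAME_SZ/INST_SZ/REALM_SZ arrays. A comment above the definition — `/* pname, sname: at least ANAME_SZ; pinst, sinst: at least INST_SZ; prealm, srealm: at least REALM_SZ. */` — makes that contract explicit, and the same line belongs on the updated prototype in krb524.h at the end of this diff. This section carries no `@@` header, so the exact file line range cannot be confirmed from what is shown.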
index f86f4ee3fb68f622aa9c4b8b117746743fb03817..a029096c5aaff0210f65b778d49190f61f23a55e 100644 (file)
@@ -38,6 +38,7 @@
 
 extern int optind;
 extern char *optarg;
+char *prog = "k524init";
 
 int main(argc, argv)
      int argc;
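Review bot: `prog` is given external linkage for what the ChangeLog describes as a k524init.c-local name; `static char *prog = "k524init";` keeps it out of the global namespace, assuming nothing else links against it. It points at a string literal and later at argv[0], neither of which is written through, so `static const char *prog` would also fit.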
@@ -55,9 +56,17 @@ int main(argc, argv)
      krb5_context context;
      krb5_error_code retval;
 
+     if (argv[0]) {
+        prog = strrchr (argv[0], '/');
+        if (prog)
+            prog++;
+        else
+            prog = argv[0];
+     }
+
      retval = krb5_init_context(&context);
      if (retval) {
-            com_err(argv[0], retval, "while initializing krb5");
+            com_err(prog, retval, "while initializing krb5");
             exit(1);
      }
 
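Review bot: The new `strrchr` call needs its prototype from `<string.h>`; the include list is outside this hunk, so if the file does not already pull it in, the implicit declaration yields `int` and the returned pointer is truncated on 64-bit targets. An argv[0] ending in `/` also leaves `prog` pointing at an empty string, which is harmless but worth a comment: `/* basename of argv[0]; empty if it ends in a slash */`. main begins in the preceding hunk and ends in the last one of this file.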
@@ -76,25 +85,25 @@ int main(argc, argv)
      }
 
      if (lose || (argc - optind > 1)) {
-        fprintf(stderr, "Usage: k524init [-p principal]\n");
+        fprintf(stderr, "Usage: %s [-p principal] [-n]\n", prog);
         exit(1);
      }
 
      krb524_init_ets(context);
 
      if ((code = krb5_cc_default(context, &cc))) {
-         com_err("k524init", code, "opening default credentials cache");
+         com_err(prog, code, "opening default credentials cache");
          exit(1);
      }
 
      if ((code = krb5_cc_get_principal(context, cc, &client))) {
-        com_err("k524init", code, "while retrieving user principal name");
+        com_err(prog, code, "while retrieving user principal name");
         exit(1);
      }
 
      if (princ) {
         if ((code = krb5_parse_name(context, princ, &server))) {
-            com_err("k524init", code, "while parsing service principal name");
+            com_err(prog, code, "while parsing service principal name");
             exit(1);
         }
      } else {
@@ -104,48 +113,70 @@ int main(argc, argv)
                                          "krbtgt",
                                          krb5_princ_realm(context, client)->data,
                                          NULL))) {
-            com_err("k524init", code, "while creating service principal name");
+            com_err(prog, code, "while creating service principal name");
             exit(1);
         }
      }
 
+     if (!nodelete) {
+        krb5_data *crealm = krb5_princ_realm (context, client);
+        krb5_data *srealm = krb5_princ_realm (context, server);
+        if (crealm->length != srealm->length
+            || memcmp (crealm->data, srealm->data, crealm->length)) {
+            /* Since krb4 ticket files don't store the realm name
+               separately, and the client realm is assumed to be the
+               realm of the first ticket, let's not store an initial
+               ticket with the wrong realm name, since it'll confuse
+               other programs.  */
+            fprintf (stderr,
+                     "%s: Client and server principals' realm names are different;\n"
+                     "\tbecause of limitations in the krb4 ticket file implementation,\n"
+                     "\tthis doesn't work for an initial ticket.  Try `%s -n'\n"
+                     "\tif you already have other krb4 tickets, or convert the\n"
+                     "\tticket-granting ticket from your home realm.\n",
+                     prog, prog);
+            exit (1);
+        }
+     }
+
      memset((char *) &increds, 0, sizeof(increds));
      increds.client = client;
      increds.server = server;
      increds.times.endtime = 0;
      increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
      if ((code = krb5_get_credentials(context, 0, cc, &increds, &v5creds))) {
-         com_err("k524init", code, "getting V5 credentials");
+         com_err(prog, code, "getting V5 credentials");
          exit(1);
      }
 
      if ((code = krb524_convert_creds_kdc(context, v5creds, &v4creds))) {
-         com_err("k524init", code, "converting to V4 credentials");
+         com_err(prog, code, "converting to V4 credentials");
          exit(1);
      }
      
      /* this is stolen from the v4 kinit */
 
      if (!nodelete) {
-       /* initialize ticket cache */
-       if ((code = krb_in_tkt(v4creds.pname,v4creds.pinst,v4creds.realm) != KSUCCESS)) {
-          com_err("k524init", code, "trying to create the V4 ticket file");
-          exit(1);
-       }
+        /* initialize ticket cache */
+        code = krb_in_tkt(v4creds.pname,v4creds.pinst,v4creds.realm);
+        if (code != KSUCCESS) {
+            fprintf (stderr, "%s: %s trying to create the V4 ticket file",
+                     prog, krb_get_err_text (code));
+            exit(1);
+        }
      }
 
      /* stash ticket, session key, etc. for future use */
+     /* This routine does *NOT* return one of the usual com_err codes.  */
      if ((code = krb_save_credentials(v4creds.service, v4creds.instance,
                                      v4creds.realm, v4creds.session,
                                      v4creds.lifetime, v4creds.kvno,
                                      &(v4creds.ticket_st), 
                                      v4creds.issue_date))) {
-        com_err("k524init", code, "trying to save the V4 ticket");
+        fprintf (stderr, "%s: %s trying to save the V4 ticket\n",
+                 prog, krb_get_err_text (code));
         exit(1);
      }
 
      exit(0);
 }
-
-
-
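Review bot: The krb_in_tkt error message `fprintf (stderr, "%s: %s trying to create the V4 ticket file",` has no trailing newline, unlike the krb_save_credentials message a few lines below; it should read `"%s: %s trying to create the V4 ticket file\n",`. The realm-mismatch block is sound as written: `memcmp` is only reached when the lengths are equal, and the message points the user at the `-n` workaround. One line the commit leaves untouched, `increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;`, means k524init still asks the KDC for a CRC key even though krb524_convert_tkt_skey now also accepts MD4/MD5 session keys; a comment there such as `/* krb4 needs a DES key; CRC is requested for compatibility */` would keep a later reader from "fixing" it. main starts in an earlier hunk of this file.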
index 8105f37ac9b52735d228b491294f1420f182842f..71b03a66fc1a939e5d63f27db0e02d341f08ced0 100644 (file)
@@ -38,9 +38,9 @@ int krb524_convert_tkt_skey
 /* conv_princ.c */
 
 int krb524_convert_princs
-       (krb5_context context, krb5_principal client, 
-                  krb5_principal server, char *pname, 
-                  char *pinst, char *prealm, char *sname, char *sinst);
+       (krb5_context context, krb5_principal client, krb5_principal server,
+        char *pname, char *pinst, char *prealm,
+        char *sname, char *sinst, char *srealm);
 
 /* conv_creds.c */