From: Tom Yu Date: Wed, 15 Apr 2009 20:07:15 +0000 (+0000) Subject: pull up r22154, r22159, r22160 from trunk X-Git-Tag: krb5-1.7-beta1~24 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=25b06efa597dc69c5e5e85ed805893f03ffcc570;p=krb5.git pull up r22154, r22159, r22160 from trunk ------------------------------------------------------------------------ r22160 | hartmans | 2009-04-02 23:33:01 -0400 (Thu, 02 Apr 2009) | 12 lines Changed paths: M /trunk/doc/admin.texinfo M /trunk/src/appl/bsd/kcmd.c M /trunk/src/config-files/krb5.conf.M M /trunk/src/lib/krb5/krb/init_ctx.c M /trunk/src/lib/krb5/krb/mk_req_ext.c ticket: 1624 Unfortunately, pre-1.7 krshd fails to support keyed checksums because it uses the wrong API and wrong key usage. So, if the auth_context has an explicit checksum type set, then respect that. kcmd sets such a checksum type. Also, because other applications may have the same problem, allow the config file variable if set to override the default checksum. * kcmd.c: Force use of rsa_md5 * init_ctx.c: do not default to md5 * mk_req_ext.c: allow auth_context to override ------------------------------------------------------------------------ r22159 | tlyu | 2009-04-02 19:30:28 -0400 (Thu, 02 Apr 2009) | 3 lines Changed paths: M /trunk/src/appl/bsd/krlogind.c M /trunk/src/appl/bsd/krshd.c ticket: 1624 Fix krshd and krlogind to use krb5_c_verify_checksum. ------------------------------------------------------------------------ r22154 | hartmans | 2009-04-01 14:25:02 -0400 (Wed, 01 Apr 2009) | 8 lines Changed paths: M /trunk/doc/admin.texinfo M /trunk/src/config-files/krb5.conf.M M /trunk/src/lib/krb5/krb/mk_req_ext.c M /trunk/src/lib/krb5/krb/send_tgs.c ticket: 1624 Target_version: 1.7 tags: pullup Use the preferred checksum for non-DES keys in the kdc_req path and all the time in the ap_req checksum path. This breaks code to support DCE versions prior to 1.1 but uses the correct checksum for protocol compatibility. ticket: 1624 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22243 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 8f5e69e8f..9a1983757 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -462,7 +462,8 @@ Kerberos library. The default is @value{DefaultKDCTimesync}. An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default @value{DefaultChecksumType} used by this version of Kerberos. -The possible values and their meanings are as follows. +The +kdc_req_checksum_type is only used for DES keys. The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset. If set, then the selected checksum is used regardless of the type of key being used. The possible values and their meanings are as follows. @comment taken from krb5/src/include/krb5.h[in] @table @b diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c index c4212b302..199056944 100644 --- a/src/appl/bsd/kcmd.c +++ b/src/appl/bsd/kcmd.c @@ -473,6 +473,8 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, if (krb5_auth_con_init(bsd_context, &auth_context)) goto bad2; + if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 ) + goto bad2; if (krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2; diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index 01b4ef205..a097d33f0 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -1358,21 +1358,26 @@ recvauth(valid_checksum) if (authenticator->checksum) { struct sockaddr_in adr; socklen_t adr_length = sizeof(adr); - char * chksumbuf = NULL; + krb5_data chksumbuf; + krb5_boolean valid = 0; + + chksumbuf.data = NULL; if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; - if (asprintf(&chksumbuf, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) + if (asprintf(&chksumbuf.data, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; + error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index aa3f2edb9..080f2db12 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -1810,8 +1810,11 @@ recvauth(netfd, peersin, valid_checksum) struct sockaddr_storage adr; unsigned int adr_length = sizeof(adr); int e; - char namebuf[32], *chksumbuf = NULL; + char namebuf[32]; + krb5_boolean valid = 0; + krb5_data chksumbuf; + chksumbuf.data = NULL; if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; @@ -1819,19 +1822,20 @@ recvauth(netfd, peersin, valid_checksum) namebuf, sizeof(namebuf), NI_NUMERICSERV); if (e) fatal(netfd, "local error: can't examine port number"); - if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) + if (asprintf(&chksumbuf.data, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 9115e32c9..2f2fbb239 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -143,15 +143,11 @@ clock. This corrective factor is only used by the Kerberos library. For compatability with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and -earlier. +earlier. This value is only used for DES keys; other keys use the +preferred checksum type for those keys. .IP ap_req_checksum_type -This allows you to set the checksum type used in the authenticator of -KRB_AP_REQ messages. The default value for this type is -CKSUMTYPE_RSA_MD5. For compatibility with applications linked against -DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use -the CKSUMTYPE_RSA_MD4 -instead. +If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 7e0159aa2..67dad8cb2 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -208,7 +208,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) ctx->kdc_req_sumtype = tmp; profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, + KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, &tmp); ctx->default_ap_req_sumtype = tmp; diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index ed23fef4b..b2f65535f 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -204,8 +204,15 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; + if ((*auth_context)->req_cksumtype) + cksumtype = (*auth_context)->req_cksumtype; if ((retval = krb5_c_make_checksum(context, - (*auth_context)->req_cksumtype, + cksumtype, (*auth_context)->keyblock, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 80c277262..84c89d56b 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -51,6 +51,7 @@ static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { + krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; krb5_authenticator authent; @@ -63,9 +64,20 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; - + switch (in_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + cksumtype = context->kdc_req_sumtype; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; + } + /* Generate checksum */ - if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, + if ((retval = krb5_c_make_checksum(context, cksumtype, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) {