From: Sam Hartman Date: Wed, 8 Jan 2003 02:20:42 +0000 (+0000) Subject: For new encryption types and for RC4, encrypt the krb_cred message in X-Git-Tag: krb5-1.3-alpha1~186 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=eec2af6fac160c29b70068e12a7acfc1a06dabb3;p=krb5.git For new encryption types and for RC4, encrypt the krb_cred message in the initial gssapi token if credentials are being delegated. For consistency with Microsoft, we encrypt the credentials using the session key not the subsession key. Ticket: 1054 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15091 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 8fd4fb162..506b95870 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,10 @@ +2003-01-07 Sam Hartman + + * init_sec_context.c (make_gss_checksum): New function to + construct the checksum in the authenticator, used directly or + indirectly depending on whether krb5_cred is encrypted. + (make_ap_req_v1): use it + 2003-01-07 Ken Raeburn * Makefile.original: Deleted. diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 412266d81..1fab732d2 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -1,5 +1,5 @@ /* - * Copyright 2000,2002 by the Massachusetts Institute of Technology. + * Copyright 2000,2002, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -138,95 +138,78 @@ cleanup: krb5_free_principal(context, in_creds.server); return code; } - -static krb5_error_code -make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) - krb5_context context; +struct gss_checksum_data { krb5_gss_ctx_id_rec *ctx; krb5_gss_cred_id_t cred; - krb5_creds *k_cred; - gss_channel_bindings_t chan_bindings; - gss_OID mech_type; - gss_buffer_t token; + krb5_checksum md5; + krb5_data checksum_data; +}; + +static krb5_error_code KRB5_CALLCONV +make_gss_checksum (krb5_context context, krb5_auth_context auth_context, + void *cksum_data, krb5_data **out) { - krb5_flags mk_req_flags = 0; krb5_error_code code; - krb5_data checksum_data; - krb5_checksum md5; - krb5_data ap_req; + krb5_int32 con_flags; unsigned char *ptr; + struct gss_checksum_data *data = cksum_data; krb5_data credmsg; - unsigned char *t; - int tlen; - krb5_int32 con_flags; - - ap_req.data = 0; - checksum_data.data = 0; + data->checksum_data.data = 0; credmsg.data = 0; - - /* build the checksum buffer */ - - /* compute the hash of the channel bindings */ - - if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0))) - return(code); - - krb5_auth_con_set_req_cksumtype(context, ctx->auth_context, - CKSUMTYPE_KG_CB); - /* build the checksum field */ - if (ctx->gss_flags & GSS_C_DELEG_FLAG) { + if (data->ctx->gss_flags & GSS_C_DELEG_FLAG) { /* first get KRB_CRED message, so we know its length */ /* clear the time check flag that was set in krb5_auth_con_init() */ - krb5_auth_con_getflags(context, ctx->auth_context, &con_flags); - krb5_auth_con_setflags(context, ctx->auth_context, + krb5_auth_con_getflags(context, auth_context, &con_flags); + krb5_auth_con_setflags(context, auth_context, con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); - code = krb5_fwd_tgt_creds(context, ctx->auth_context, 0, - cred->princ, ctx->there, cred->ccache, 1, + code = krb5_fwd_tgt_creds(context, auth_context, 0, + data->cred->princ, data->ctx->there, + data->cred->ccache, 1, &credmsg); /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ - krb5_auth_con_setflags(context, ctx->auth_context, con_flags); + krb5_auth_con_setflags(context, auth_context, con_flags); if (code) { /* don't fail here; just don't accept/do the delegation request */ - ctx->gss_flags &= ~GSS_C_DELEG_FLAG; + data->ctx->gss_flags &= ~GSS_C_DELEG_FLAG; - checksum_data.length = 24; + data->checksum_data.length = 24; } else { if (credmsg.length+28 > KRB5_INT16_MAX) { krb5_free_data_contents(context, &credmsg); return(KRB5KRB_ERR_FIELD_TOOLONG); } - checksum_data.length = 28+credmsg.length; + data->checksum_data.length = 28+credmsg.length; } } else { - checksum_data.length = 24; + data->checksum_data.length = 24; } /* now allocate a buffer to hold the checksum data and (maybe) KRB_CRED msg */ - if ((checksum_data.data = - (char *) xmalloc(checksum_data.length)) == NULL) { + if ((data->checksum_data.data = + (char *) xmalloc(data->checksum_data.length)) == NULL) { if (credmsg.data) krb5_free_data_contents(context, &credmsg); return(ENOMEM); } - ptr = checksum_data.data; + ptr = data->checksum_data.data; - TWRITE_INT(ptr, md5.length, 0); - TWRITE_STR(ptr, (unsigned char *) md5.contents, md5.length); - TWRITE_INT(ptr, ctx->gss_flags, 0); + TWRITE_INT(ptr, data->md5.length, 0); + TWRITE_STR(ptr, (unsigned char *) data->md5.contents, data->md5.length); + TWRITE_INT(ptr, data->ctx->gss_flags, 0); /* done with this, free it */ - xfree(md5.contents); + xfree(data->md5.contents); if (credmsg.data) { TWRITE_INT16(ptr, KRB5_GSS_FOR_CREDS_OPTION, 0); @@ -236,6 +219,60 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) /* free credmsg data */ krb5_free_data_contents(context, &credmsg); } + *out = &data->checksum_data; + return 0; +} + +static krb5_error_code +make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) + krb5_context context; + krb5_gss_ctx_id_rec *ctx; + krb5_gss_cred_id_t cred; + krb5_creds *k_cred; + gss_channel_bindings_t chan_bindings; + gss_OID mech_type; + gss_buffer_t token; +{ + krb5_flags mk_req_flags = 0; + krb5_error_code code; + struct gss_checksum_data cksum_struct; + krb5_checksum md5; + krb5_data ap_req; + krb5_data *checksum_data = NULL; + unsigned char *ptr; + unsigned char *t; + int tlen; + + + ap_req.data = 0; + + /* compute the hash of the channel bindings */ + + if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0))) + return(code); + + krb5_auth_con_set_req_cksumtype(context, ctx->auth_context, + CKSUMTYPE_KG_CB); + cksum_struct.md5 = md5; + cksum_struct.ctx = ctx; + cksum_struct.cred = cred; + cksum_struct.checksum_data.data = NULL; + switch (k_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES3_CBC_SHA1: + code = make_gss_checksum(context, ctx->auth_context, &cksum_struct, + &checksum_data); + if (code) + goto cleanup; + break; + default: + krb5_auth_con_set_checksum_func(context, ctx->auth_context, + make_gss_checksum, &cksum_struct); + break; + } + /* call mk_req. subkey and ap_req need to be used or destroyed */ @@ -245,7 +282,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; if ((code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags, - &checksum_data, k_cred, &ap_req))) + checksum_data, k_cred, &ap_req))) goto cleanup; /* store the interesting stuff from creds and authent */ @@ -278,9 +315,7 @@ make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token) code = 0; -cleanup: - if (checksum_data.data) - xfree(checksum_data.data); + cleanup: if (ap_req.data) krb5_free_data_contents(context, &ap_req); diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 997292fe4..b3fb0ddec 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,7 +1,7 @@ 2003-01-07 Sam Hartman * mk_req_ext.c (krb5_mk_req_extended): Fix logic error in checksum function handling - + (krb5_mk_req_extended): For consistency with Microsoft, never use a subkey before calling the checksum callback 2003-01-06 Sam Hartman diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index a6510019d..1ed14a922 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -121,6 +121,15 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, /* generate subkey if needed */ + if (!in_data &&(*auth_context)->checksum_func) { + retval = (*auth_context)->checksum_func( context, + *auth_context, + (*auth_context)->checksum_func_data, + &in_data); + if (retval) + goto cleanup; + } + if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) { /* Provide some more fodder for random number code. This isn't strong cryptographically; the point here is not @@ -140,14 +149,6 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup; } - if (!in_data &&(*auth_context)->checksum_func) { - retval = (*auth_context)->checksum_func( context, - *auth_context, - (*auth_context)->checksum_func_data, - &in_data); - if (retval) - goto cleanup_cksum; - } if (in_data) {