From: Ken Raeburn
Date: Sat, 14 Apr 2001 03:04:23 +0000 (+0000)
Subject: Allow des-mdX keys as well as des-crc (patch from assar).
X-Git-Tag: krb5-1.3-alpha1~1569
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f45fcfc445175b2dfcb91efaffb460bb3fb8b53b;p=krb5.git

Allow des-mdX keys as well as des-crc (patch from assar). Deal better with conversion of inter-realm tickets. Misc cleanup.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13177 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 0bb8e6d14..e4e5c2a68 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,21 @@
+2001-04-13 Ken Raeburn
+
+ * k524init.c (prog): New variable.
+ (main): Set it, and use it when printing error messages. When
+ reinitializing v4 ticket file, reject case where client and server
+ realms are different. Print krb4 errors properly.
+
+ * conv_princ.c (krb524_convert_princs): Accept new arg SREALM,
+ passed through to krb5_524_conv_principal.
+ * krb524.h (krb524_convert_princs): Update prototype.
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Pass extra arg.
+ Reject tickets with transited realms for simplicity.
+ * conv_creds.c (krb524_convert_creds_plain): Pass extra arg. Use
+ the server realm instead of the client realm.
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Permit non-CRC DES
+ enctypes; patch from Assar Westerlund.
+
 2001-04-10 Ken Raeburn
 
 * conv_creds.c, encode.c, krb524.h, test.c: Always use prototypes,
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index 8aa730f93..9a31eb7e8 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -59,7 +59,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, struct sockaddr_in *saddr; { char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - char sname[ANAME_SZ], sinst[INST_SZ]; + char sname[ANAME_SZ], sinst[INST_SZ], srealm[REALM_SZ]; krb5_enc_tkt_part *v5etkt; int ret, lifetime, v4endtime; krb5_timestamp server_time; @@ -72,15 +72,36 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, } v5etkt = v5tkt->enc_part2; + if (v5etkt->transited.tr_contents.length != 0) { + /* Some intermediate realms transited -- do we accept them? + + Simple answer: No. + + More complicated answer: Check our local config file to + see if the path is correct, and base the answer on that. + This denies the krb4 application server any ability to do + its own validation as krb5 servers can. + + Fast answer: Not right now. */ + krb5_free_enc_tkt_part(context, v5etkt); + v5tkt->enc_part2 = NULL; + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + /* We could also encounter a case where luser@R1 gets a ticket + for krbtgt/R3@R2, and then tries to convert it. But the + converted ticket would be one the v4 KDC code should reject + anyways. So we don't need to worry about it here. */ + if ((ret = krb524_convert_princs(context, v5etkt->client, v5tkt->server, pname, pinst, prealm, sname, - sinst))) { + sinst, srealm))) { krb5_free_enc_tkt_part(context, v5etkt); v5tkt->enc_part2 = NULL; return ret; } - - if (v5etkt->session->enctype != ENCTYPE_DES_CBC_CRC || + if ((v5etkt->session->enctype != ENCTYPE_DES_CBC_CRC && + v5etkt->session->enctype != ENCTYPE_DES_CBC_MD4 && + v5etkt->session->enctype != ENCTYPE_DES_CBC_MD5) || v5etkt->session->length != sizeof(C_Block)) { if (krb524_debug) fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n", diff --git a/src/krb524/conv_creds.c b/src/krb524/conv_creds.c index 89a8d54d5..c1e4b89a3 100644 --- a/src/krb524/conv_creds.c +++ b/src/krb524/conv_creds.c 
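Review bot: The new `srealm` buffer is filled by krb524_convert_princs but, within this hunk, is never compared with anything, so a direct cross-realm ticket (client realm differing from the server realm, with an empty transited field) still passes the new transited check and gets converted; only tickets that crossed an intermediate realm are refused. If that is the intent, say so next to the transited check, e.g. `/* Direct cross-realm tickets (empty transited, prealm != srealm) are still accepted here; only multi-hop paths are refused. */`; if not, `srealm` should be compared against the realm this converter serves before the session-key checks. The enctype relaxation itself looks sound as far as the hunk shows: des-cbc-crc, -md4 and -md5 all carry an 8-byte DES key and the existing `length != sizeof(C_Block)` test is retained. krb524_convert_tkt_skey continues past the end of the hunk, so `srealm` may be consulted further down; I could not see that from here.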
@@ -128,14 +128,14 @@ krb524_convert_creds_plain(context, v5creds, v4creds) #endif int ret; krb5_timestamp endtime; - + char dummy[REALM_SZ]; memset((char *) v4creds, 0, sizeof(CREDENTIALS)); if ((ret = krb524_convert_princs(context, v5creds->client, v5creds->server, v4creds->pname, v4creds->pinst, - v4creds->realm, v4creds->service, - v4creds->instance))) + dummy, v4creds->service, + v4creds->instance, v4creds->realm))) return ret; /* Check enctype too */ diff --git a/src/krb524/conv_princ.c b/src/krb524/conv_princ.c index d462c8e43..f52c0dd13 100644 --- a/src/krb524/conv_princ.c +++ b/src/krb524/conv_princ.c @@ -25,17 +25,16 @@ #include "krb524.h" int krb524_convert_princs(context, client, server, pname, pinst, prealm, - sname, sinst) + sname, sinst, srealm) krb5_context context; krb5_principal client, server; - char *pname, *pinst, *prealm, *sname, *sinst; + char *pname, *pinst, *prealm, *sname, *sinst, *srealm; { - char dummy[REALM_SZ]; int ret; if ((ret = krb5_524_conv_principal(context, client, pname, pinst, prealm))) return ret; - return krb5_524_conv_principal(context, server, sname, sinst, dummy); + return krb5_524_conv_principal(context, server, sname, sinst, srealm); } diff --git a/src/krb524/k524init.c b/src/krb524/k524init.c index f86f4ee3f..a029096c5 100644 --- a/src/krb524/k524init.c +++ b/src/krb524/k524init.c @@ -38,6 +38,7 @@ extern int optind; extern char *optarg; +char *prog = "k524init"; int main(argc, argv) int argc; @@ -55,9 +56,17 @@ int main(argc, argv) krb5_context context; krb5_error_code retval; + if (argv[0]) { + prog = strrchr (argv[0], '/'); + if (prog) + prog++; + else + prog = argv[0]; + } + retval = krb5_init_context(&context); if (retval) { - com_err(argv[0], retval, "while initializing krb5"); + com_err(prog, retval, "while initializing krb5"); exit(1); } 
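Review bot: `v4creds->realm` and `v4creds->pname`/`pinst` can now describe principals from two different realms: the realm field receives the server's realm while the client realm goes into `dummy` and is discarded. k524init.c in this same commit later passes `v4creds.realm` to krb_in_tkt as the client's realm, so for a cross-realm credential the two halves of the structure disagree; k524init guards against that by refusing mismatched realms before it gets here, but krb524_convert_creds_plain is library code and other callers get no such check. At minimum record the contract where `dummy` is declared: `/* v4creds->realm is the SERVER realm; the client realm is discarded. Callers that write an initial v4 ticket file must ensure the two realms match. */`. The function body continues outside the hunk.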
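Review bot: The new `srealm` parameter of krb524_convert_princs is handed straight to krb5_524_conv_principal with no NULL check, so every caller must now supply a writable REALM_SZ buffer, and neither this old-style definition nor the updated prototype in krb524.h says so — the compiler checks nothing for a K&R parameter list. A header comment would record the contract the removed `dummy` used to hide, e.g. `/* pname/pinst/prealm and sname/sinst/srealm must each point to ANAME_SZ/INST_SZ/REALM_SZ bytes; all six are written on success. */`. Since the client conversion can fail after nothing has been written and the server conversion after the first three buffers were, the comment should also mention that partial results are not cleared on error.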
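Review bot: `prog` is introduced as a non-static global with external linkage, yet it is only read inside this file's main, so it should be file-scope: `static char *prog = "k524init";`. That keeps it out of the link namespace and lets the compiler warn if it ever goes unused; `static const char *prog` also works, since the later `strrchr(argv[0], '/')` result converts to `const char *` without a cast. The `strrchr` call in the following hunk needs `<string.h>`, which I cannot confirm is included from what is visible.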
@@ -76,25 +85,25 @@ int main(argc, argv) } if (lose || (argc - optind > 1)) { - fprintf(stderr, "Usage: k524init [-p principal]\n"); + fprintf(stderr, "Usage: %s [-p principal] [-n]\n", prog); exit(1); } krb524_init_ets(context); if ((code = krb5_cc_default(context, &cc))) { - com_err("k524init", code, "opening default credentials cache"); + com_err(prog, code, "opening default credentials cache"); exit(1); } if ((code = krb5_cc_get_principal(context, cc, &client))) { - com_err("k524init", code, "while retrieving user principal name"); + com_err(prog, code, "while retrieving user principal name"); exit(1); } if (princ) { if ((code = krb5_parse_name(context, princ, &server))) { - com_err("k524init", code, "while parsing service principal name"); + com_err(prog, code, "while parsing service principal name"); exit(1); } } else { 
@@ -104,48 +113,70 @@ int main(argc, argv) "krbtgt", krb5_princ_realm(context, client)->data, NULL))) { - com_err("k524init", code, "while creating service principal name"); + com_err(prog, code, "while creating service principal name"); exit(1); } } + if (!nodelete) { + krb5_data *crealm = krb5_princ_realm (context, client); + krb5_data *srealm = krb5_princ_realm (context, server); + if (crealm->length != srealm->length + || memcmp (crealm->data, srealm->data, crealm->length)) { + /* Since krb4 ticket files don't store the realm name + separately, and the client realm is assumed to be the + realm of the first ticket, let's not store an initial + ticket with the wrong realm name, since it'll confuse + other programs. */ + fprintf (stderr, + "%s: Client and server principals' realm names are different;\n" + "\tbecause of limitations in the krb4 ticket file implementation,\n" + "\tthis doesn't work for an initial ticket. Try `%s -n'\n" + "\tif you already have other krb4 tickets, or convert the\n" + "\tticket-granting ticket from your home realm.\n", + prog, prog); + exit (1); + } + } + memset((char *) &increds, 0, sizeof(increds)); increds.client = client; increds.server = server; increds.times.endtime = 0; increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; if ((code = krb5_get_credentials(context, 0, cc, &increds, &v5creds))) { - com_err("k524init", code, "getting V5 credentials"); + com_err(prog, code, "getting V5 credentials"); exit(1); } if ((code = krb524_convert_creds_kdc(context, v5creds, &v4creds))) { - com_err("k524init", code, "converting to V4 credentials"); + com_err(prog, code, "converting to V4 credentials"); exit(1); } /* this is stolen from the v4 kinit */ if (!nodelete) { - /* initialize ticket cache */ - if ((code = krb_in_tkt(v4creds.pname,v4creds.pinst,v4creds.realm) != KSUCCESS)) { - com_err("k524init", code, "trying to create the V4 ticket file"); - exit(1); - } + /* initialize ticket cache */ + code = 
krb_in_tkt(v4creds.pname,v4creds.pinst,v4creds.realm); + if (code != KSUCCESS) { + fprintf (stderr, "%s: %s trying to create the V4 ticket file", + prog, krb_get_err_text (code)); + exit(1); + } } /* stash ticket, session key, etc. for future use */ + /* This routine does *NOT* return one of the usual com_err codes. */ if ((code = krb_save_credentials(v4creds.service, v4creds.instance, v4creds.realm, v4creds.session, v4creds.lifetime, v4creds.kvno, &(v4creds.ticket_st), v4creds.issue_date))) { - com_err("k524init", code, "trying to save the V4 ticket"); + fprintf (stderr, "%s: %s trying to save the V4 ticket\n", + prog, krb_get_err_text (code)); exit(1); } exit(0); } - - - diff --git a/src/krb524/krb524.h b/src/krb524/krb524.h index 8105f37ac..71b03a66f 100644 --- a/src/krb524/krb524.h +++ b/src/krb524/krb524.h @@ -38,9 +38,9 @@ int krb524_convert_tkt_skey /* conv_princ.c */ int krb524_convert_princs - (krb5_context context, krb5_principal client, - krb5_principal server, char *pname, - char *pinst, char *prealm, char *sname, char *sinst); + (krb5_context context, krb5_principal client, krb5_principal server, + char *pname, char *pinst, char *prealm, + char *sname, char *sinst, char *srealm); /* conv_creds.c */
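Review bot: The new krb_in_tkt failure message `"%s: %s trying to create the V4 ticket file"` has no trailing `\n`, unlike the krb_save_credentials message a few lines below, so the diagnostic runs into whatever is printed next after exit(1); change it to `"%s: %s trying to create the V4 ticket file\n"`. Separately, `increds.keyblock.enctype` in this hunk is still pinned to ENCTYPE_DES_CBC_CRC, so as far as I can tell this tool will never exercise the des-cbc-md4/md5 acceptance the commit adds to cnv_tkt_skey.c; if that is deliberate a one-line comment there would stop the next reader from "fixing" it. The realm-mismatch check is a good addition and its error text already explains why it only applies when a fresh ticket file is being created. main continues beyond the end of the hunk.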