From 2dfb67c918a60af2373f764ae12b418716b2a260 Mon Sep 17 00:00:00 2001
From: Theodore Tso
Date: Sat, 2 Sep 1995 03:24:58 +0000
Subject: [PATCH] get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then set the time_offset fields from the returned ticket's authtime value.
init_ctx.c (krb5_init_context): Initialize new fields in krb5_context (clockskew, kdc_req_sumtype, and kdc_default_options).
gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary sanity checking on the KDC response to make sure we detect tampering.
send_tgs.c (krb5_send_tgs): Set the expected nonce in the response structure.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6653 dc483132-0cff-0310-8789-dd5450dbe970
---
src/lib/krb5/krb/ChangeLog | 18 +++++++++-
src/lib/krb5/krb/gc_via_tkt.c | 64 ++++++++++++++---------------------
src/lib/krb5/krb/get_in_tkt.c | 33 +++++++++++-------
src/lib/krb5/krb/init_ctx.c | 12 ++++++-
src/lib/krb5/krb/krbconfig.c | 2 +-
src/lib/krb5/krb/send_tgs.c | 3 +-
6 files changed, 77 insertions(+), 55 deletions(-)
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 751962b1f..31ecd5d98 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,7 +1,23 @@ +Fri Sep 1 20:03:41 1995 Theodore Y. Ts'o + + * get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then + set the time_offset fields from the returned ticket's + authtime value. + + * init_ctx.c (krb5_init_context): Initialize new fields in + krb5_context (clockskew, kdc_req_sumtype, and + kdc_default_options). + + * gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary + sanity checking on the KDC response to make sure we detect + tampering. + + * send_tgs.c (krb5_send_tgs): Set the expected nonce in the + response structure. Fri Sep 1 11:16:43 EDT 1995 Paul Park (pjpark@mit.edu) - * ser_ctx.c - Add handling of new time offset fields in the os_context. + * ser_ctx.c - Add handling of new time offset fields in the os_context. Tue Aug 29 14:14:26 EDT 1995 Paul Park (pjpark@mit.edu) * Makefile.in, .Sanitize, ser_{actx,adata,addr,auth,cksum,ctx,eblk,key, diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index c2f531f48..5dbbaed42 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -28,6 +28,9 @@ #include "k5-int.h" #include "int-proto.h" +extern krb5_deltat krb5_clockskew; +#define in_clock_skew(date, now) (labs((date)-(now)) < krb5_clockskew) + static krb5_error_code krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) krb5_context context; 
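Review bot: The new `in_clock_skew` macro in gc_via_tkt.c reads the file-scope global `krb5_clockskew` (declared `extern` here, defined in krbconfig.c as a fixed `5 * 60`), while the same commit has init_ctx.c load the operator's `clockskew` profile setting into `ctx->clockskew`; as written, the TGS skew check in krb5_get_cred_via_tkt never sees the configured value. Every use of the macro in this file has `context` in scope, so `#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)` (or an explicit third parameter) would keep the two sources in agreement. `labs()` requires `<stdlib.h>`; I cannot tell from the hunk whether k5-int.h already provides it. A one-line comment above the macro, e.g. `/* true when date lies within the permitted clock skew of now */`, would also help, since the name alone does not say which argument is the reference.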
@@ -162,16 +165,7 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) if (retval) /* neither proper reply nor error! */ goto error_4; -#if 0 - /* XXX need access to the actual assembled request... - need a change to send_tgs */ - if ((err_reply->ctime != request.ctime) || - !krb5_principal_compare(context,err_reply->server,request.server) || - !krb5_principal_compare(context, err_reply->client, request.client)) - retval = KRB5_KDCREP_MODIFIED; - else -#endif - retval = err_reply->error + ERROR_TABLE_BASE_krb5; + retval = err_reply->error + ERROR_TABLE_BASE_krb5; krb5_free_error(context, err_reply); goto error_4; 
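Review bot: Removing the `#if 0` block leaves the KRB-ERROR path accepting any error reply as the answer to this request: `retval = err_reply->error + ERROR_TABLE_BASE_krb5;` is now reached without comparing `err_reply->server` or `err_reply->client` against what was asked for, and the equivalent check is dropped from krb5_get_in_tkt in the `@@ -195,14 +197,15 @@` hunk of get_in_tkt.c. The old block's obstacle (no access to the assembled request) no longer applies here because `in_cred` and `tkt` are parameters, so `if (!krb5_principal_compare(context, err_reply->server, in_cred->server) || !krb5_principal_compare(context, err_reply->client, tkt->client)) retval = KRB5_KDCREP_MODIFIED; else retval = err_reply->error + ERROR_TABLE_BASE_krb5;` restores the binding between error and request. A KRB-ERROR is unauthenticated, so this only rejects a mismatched or misdirected reply rather than a deliberate forgery, which is worth stating in a comment so nobody later mistakes it for a stronger guarantee. The enclosing function continues on both sides of the hunk.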
@@ -187,42 +181,36 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) goto error_3; } - /* now it's decrypted and ready for prime time */ - if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) { + /* make sure the response hasn't been tampered with..... */ + if (!krb5_principal_compare(context, dec_rep->client, tkt->client) || + !krb5_principal_compare(context, dec_rep->enc_part2->server, + in_cred->server) || + !krb5_principal_compare(context, dec_rep->ticket->server, + in_cred->server) || + (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) || + ((in_cred->times.starttime != 0) && + (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) || + ((in_cred->times.endtime != 0) && + (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) || + ((kdcoptions & KDC_OPT_RENEWABLE) && + (in_cred->times.renew_till != 0) && + (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) || + ((kdcoptions & KDC_OPT_RENEWABLE_OK) && + (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && + (in_cred->times.endtime != 0) && + (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) + ) { retval = KRB5_KDCREP_MODIFIED; goto error_3; } -#if 0 - /* XXX probably need access to the request */ - /* check the contents for sanity: */ - if (!krb5_principal_compare(context, dec_rep->client, request.client) - || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server) - || !krb5_principal_compare(context, dec_rep->ticket->server, request.server) - || (request.nonce != dec_rep->enc_part2->nonce) - /* XXX check for extraneous flags */ - /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */ - || ((request.from != 0) && - (request.from != dec_rep->enc_part2->times.starttime)) - || ((request.till != 0) && - (dec_rep->enc_part2->times.endtime > request.till)) - || ((request.kdc_options & KDC_OPT_RENEWABLE) && - (request.rtime != 0) && - (dec_rep->enc_part2->times.renew_till > 
request.rtime)) - || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) && - (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && - (request.till != 0) && - (dec_rep->enc_part2->times.renew_till > request.till)) - ) - retval = KRB5_KDCREP_MODIFIED; - - if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) { + if (!in_cred->times.starttime && + !in_clock_skew(dec_rep->enc_part2->times.starttime, + tgsrep.request_time)) { retval = KRB5_KDCREP_SKEW; goto error_3; } -#endif - retval = krb5_kdcrep2creds(context, dec_rep, address, &in_cred->second_ticket, out_cred); diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index f6e5c3248..78be610b0 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -97,6 +97,7 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, krb5_keyblock *decrypt_key = 0; krb5_timestamp time_now; /* krb5_pa_data *padata; */ + krb5_pa_data **preauth_to_use = 0; int f_salt = 0, use_salt = 0; krb5_data salt; char k4_version; /* same type as *(krb5_data::data) */ @@ -158,11 +159,6 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, request.from = creds->times.starttime; request.till = creds->times.endtime; request.rtime = creds->times.renew_till; - if ((retval = krb5_timeofday(context, &time_now))) - goto cleanup; - - /* XXX we know they are the same size... */ - request.nonce = (krb5_int32) time_now; if (etypes) request.etype = etypes; @@ -174,6 +170,12 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, request.unenc_authdata = 0; request.second_ticket = 0; + if ((retval = krb5_timeofday(context, &time_now))) + goto cleanup; + + /* XXX we know they are the same size... */ + request.nonce = (krb5_int32) time_now; + /* encode & send to KDC */ retval = encode_krb5_as_req(&request, &packet); if (!etypes) 
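Review bot: The new tamper condition in krb5_get_cred_via_tkt drops two items from the removed `#if 0` block without recording them: the `XXX check for extraneous flags` and the caddrs comparison, so a reply whose ticket carries flags or addresses the request did not ask for still passes. If that is deliberate for now, keep the reminder next to the condition, e.g. `/* TODO: also reject ticket flags not requested in kdcoptions and caddrs not in address */`. The term `dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE` tests ticket flags with a KDC-option constant; that presumably relies on the renewable bit occupying the same position in both encodings, and a comment stating that dependency would spare the next reader a trip to the header. The skew test below is applied only when no starttime was requested, which is consistent because the equality term above already pins a requested starttime, but that reasoning belongs in a one-line comment. The function begins before and ends after this hunk.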
@@ -195,14 +197,15 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, /* some other error code--??? */ goto cleanup; - /* it was an error */ + if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && + err_reply->e_data.length > 0) { + retval = decode_krb5_padata_sequence(&err_reply->e_data, + &preauth_to_use); + /* XXX we need to actually do something with the info */ + krb5_free_pa_data(context, preauth_to_use); + } - if ((err_reply->ctime != request.nonce) || - !krb5_principal_compare(context, err_reply->server, request.server) || - !krb5_principal_compare(context, err_reply->client, request.client)) - retval = KRB5_KDCREP_MODIFIED; - else - retval = err_reply->error + ERROR_TABLE_BASE_krb5; + retval = err_reply->error + ERROR_TABLE_BASE_krb5; /* XXX somehow make error msg text available to application? */ @@ -310,7 +313,11 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, retval = KRB5_KDCREP_SKEW; goto cleanup; } - + + if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) + krb5_set_time_offsets(context, + as_reply->enc_part2->times.authtime - time_now, + 0); /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */ diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 00bf2d528..077cfdd34 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -31,6 +31,7 @@ krb5_init_context(context) { krb5_context ctx; krb5_error_code retval; + int tmp; *context = 0; @@ -46,9 +47,18 @@ krb5_init_context(context) if ((retval = krb5_os_init_context(ctx))) goto cleanup; - ctx->default_realm = 0; + profile_get_integer(ctx->profile, "libdefaults", + "clockskew", 0, 5 * 60, + &tmp); + ctx->clockskew = tmp; + ctx->kdc_req_sumtype = CKSUMTYPE_RSA_MD5; + ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK; + profile_get_integer(ctx->profile, "libdefaults", + "kdc_timesync", 0, 0, + &tmp); + ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; *context = ctx; return 0; 
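Review bot: In the new preauth branch of krb5_get_in_tkt the status of `decode_krb5_padata_sequence` is stored in `retval` and then overwritten a few lines later by `retval = err_reply->error + ERROR_TABLE_BASE_krb5;`, so a malformed `e_data` from the KDC is handled exactly like a well-formed one, and `krb5_free_pa_data` is then run on whatever a failed decode left in `preauth_to_use` (I cannot see from here whether the decoder leaves it untouched on failure). Since the decoded list is discarded anyway, either defer the decode until it is actually used, or keep its status in a separate variable and skip the free when it fails; at minimum set `preauth_to_use = 0;` after the free so a later use of the variable cannot touch the released list. The enclosing function continues outside the hunk.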
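Review bot: The offset passed to `krb5_set_time_offsets` is `authtime - time_now`, where `time_now` was sampled before the AS exchange, so the stored correction also absorbs the request round trip and any KDC queueing delay; a comment such as `/* authtime comes from the decrypted reply; the offset includes the request round-trip */` would record that the value is authenticated but not exact. The return value of `krb5_set_time_offsets` is discarded; if that call can fail, propagate the error or note why ignoring it is safe. The skew check just above already bounds how large this offset can be, which is worth mentioning in the same comment.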
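Review bot: The second init_ctx.c hunk removes `ctx->default_realm = 0;` and nothing in the new lines re-zeroes it, so unless the allocation above the hunk or krb5_os_init_context clears the whole struct, `default_realm` is now left uninitialized; if the allocation does zero it, say so in a comment where the assignment used to be. Both `profile_get_integer` results are ignored and `tmp` (declared in the first init_ctx.c hunk as `int tmp;`) is read unconditionally afterwards, so if the call can return an error without storing the default, `ctx->clockskew = tmp` reads an uninitialized int; `int tmp = 0;` in the declaration hunk, or checking the return, closes that. The profile key read here is `kdc_timesync`, while the commit message and ChangeLog describe the option as `kdc_settime`; the documentation should name the key the code actually reads.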
diff --git a/src/lib/krb5/krb/krbconfig.c b/src/lib/krb5/krb/krbconfig.c index f0ae06d5c..7401bd38f 100644 --- a/src/lib/krb5/krb/krbconfig.c +++ b/src/lib/krb5/krb/krbconfig.c @@ -27,5 +27,5 @@ #include "k5-int.h" krb5_deltat krb5_clockskew = 5 * 60; /* five minutes */ -krb5_cksumtype krb5_kdc_req_sumtype = CKSUMTYPE_RSA_MD4; +krb5_cksumtype krb5_kdc_req_sumtype = CKSUMTYPE_RSA_MD5; krb5_flags krb5_kdc_default_options = KDC_OPT_RENEWABLE_OK; diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 64331d8d6..cad41582a 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -206,7 +206,8 @@ krb5_send_tgs(context, kdcoptions, timestruct, etypes, sname, addrs, if ((retval = krb5_timeofday(context, &time_now))) return(retval); /* XXX we know they are the same size... */ - tgsreq.nonce = (krb5_int32) time_now; + rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; + rep->request_time = time_now; tgsreq.addresses = (krb5_address **) addrs; -- 2.26.2
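Review bot: After this change the request checksum type is defined in two places, the global `krb5_kdc_req_sumtype` here and `ctx->kdc_req_sumtype` in init_ctx.c, both hard-coded to `CKSUMTYPE_RSA_MD5`, with nothing tying them together; a comment on this line saying which one callers are expected to use (or a TODO to retire the global) would prevent the two drifting apart as the clockskew pair already has. RSA_MD5 is, as the name says, an unkeyed digest; if its integrity relies on being carried inside an encrypted structure, recording that assumption next to the default would help whoever later revisits the choice.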
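Review bot: `rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;` makes the nonce identical to `rep->request_time`, so the `nonce != tgsrep.expected_nonce` comparison added in gc_via_tkt.c only distinguishes replies from different seconds; a reply captured earlier in the same second, or one predicted from the clock, satisfies it. Drawing the nonce from the library's random source, or at least combining the timestamp with a per-process counter, would make the check meaningful while keeping `request_time` as the skew reference. The surviving `XXX we know they are the same size` comment should then be reworded to say what the cast is guarding. krb5_send_tgs continues outside the hunk.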