From 6c2375adcfd9d87ce6dbd4ef7ce44c457a630040 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 12 Jan 2009 19:59:16 +0000 Subject: [PATCH] Patch from Luke Howard: Previously when using the kdb keytab, there was a check to confirm that the server was supported as a server and that attackers could not force an enctype downgrade. Add these to kdc_get_server_key git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21727 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/do_tgs_req.c | 1 + src/kdc/kdc_util.c | 35 ++++++++++++++++++++++++++++------- src/kdc/kdc_util.h | 1 + 3 files changed, 30 insertions(+), 7 deletions(-) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 381269880..17c7f1534 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -282,6 +282,7 @@ tgt_again: */ if ((errcode = kdc_get_server_key(request->second_ticket[st_idx], c_flags, + TRUE, /* match_enctype */ &st_client, &st_nprincs, &st_sealing_key, diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 987c61cac..549fb9758 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -292,7 +292,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, goto cleanup_auth_context; #endif - if ((retval = kdc_get_server_key(apreq->ticket, 0, krbtgt, nprincs, &key, &kvno))) + if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server, + krbtgt, nprincs, &key, &kvno))) goto cleanup_auth_context; /* * We do not use the KDB keytab because other parts of the TGS need the TGT key. @@ -408,11 +409,11 @@ cleanup: */ krb5_error_code kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, - krb5_db_entry *server, + krb5_boolean match_enctype, krb5_db_entry *server, int *nprincs, krb5_keyblock **key, krb5_kvno *kvno) { krb5_error_code retval; - krb5_boolean more; + krb5_boolean more, similar; krb5_key_data * server_key; *nprincs = 1; @@ -438,23 +439,43 @@ kdc_get_server_key(krb5_ticket *ticket, unsigned int flags, } return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); } + if (server->attributes & KRB5_KDB_DISALLOW_SVR || + server->attributes & KRB5_KDB_DISALLOW_ALL_TIX) { + retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto errout; + } retval = krb5_dbe_find_enctype(kdc_context, server, - ticket->enc_part.enctype, -1, - (krb5_int32)ticket->enc_part.kvno, &server_key); + match_enctype ? ticket->enc_part.enctype : -1, + -1, (krb5_int32)ticket->enc_part.kvno, + &server_key); if (retval) goto errout; if (!server_key) { retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto errout; } - *kvno = server_key->key_data_kvno; if ((*key = (krb5_keyblock *)malloc(sizeof **key))) { retval = krb5_dbekd_decrypt_key_data(kdc_context, &master_keyblock, server_key, *key, NULL); } else retval = ENOMEM; + retval = krb5_c_enctype_compare(kdc_context, ticket->enc_part.enctype, + (*key)->enctype, &similar); + if (retval) + goto errout; + if (!similar) { + retval = KRB5_KDB_NO_PERMITTED_KEY; + goto errout; + } + (*key)->enctype = ticket->enc_part.enctype; + *kvno = server_key->key_data_kvno; errout: + if (retval != 0) { + krb5_db_free_principal(kdc_context, server, *nprincs); + *nprincs = 0; + } + return retval; } @@ -1985,7 +2006,7 @@ check_allowed_to_delegate_to(krb5_context context, /* Must be in same realm */ if (!krb5_realm_compare(context, server->princ, proxy)) { - return KRB5_IN_TKT_REALM_MISMATCH; /* XXX */ + return KRB5KDC_ERR_BADOPTION; } req.server = server; diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 0d8e36bfd..d17b0b7f8 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -69,6 +69,7 @@ krb5_error_code kdc_process_tgs_req krb5_keyblock **); krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int, + krb5_boolean match_enctype, krb5_db_entry *, int *, krb5_keyblock **, krb5_kvno *); -- 2.26.2