From ac95879c428c3db6d8172b106ed54f8e8abdfda1 Mon Sep 17 00:00:00 2001 From: John Carr Date: Thu, 12 Mar 1992 02:27:21 +0000 Subject: [PATCH] Make sure the ticket in the TGS request is for the ticket granting service. Add local variable for encrypted ticket pointer. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2255 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/kdc_util.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a000a2acb..19dd720f0 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -58,9 +58,11 @@ krb5_authdata ***output; /* count up the entries */ i = 0; if (first) - for (ptr = first; *ptr; ptr++,i++); + for (ptr = first; *ptr; ptr++) + i++; if (second) - for (ptr = second; *ptr; ptr++,i++); + for (ptr = second; *ptr; ptr++) + i++; retdata = (krb5_authdata **)malloc((i+1)*sizeof(*retdata)); if (!retdata) @@ -148,6 +150,7 @@ krb5_tkt_authent **ret_authdat; krb5_data *scratch, scratch2; krb5_pa_data **tmppa; krb5_boolean local_client = TRUE; + krb5_enc_tkt_part *ticket_enc; if (!request->padata) return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; @@ -175,6 +178,13 @@ krb5_tkt_authent **ret_authdat; authdat->ticket = apreq->ticket; *ret_authdat = authdat; + /* Verify that the server principal in authdat->ticket is + the ticket granting service. */ + if (! krb5_principal_compare (authdat->ticket->server, tgs_server)) { + cleanup_apreq(); + return KRB5KRB_AP_ERR_NOT_US; + } + if (isflagset(apreq->ap_options, AP_OPTS_USE_SESSION_KEY) || isflagset(apreq->ap_options, AP_OPTS_MUTUAL_REQUIRED)) { cleanup_apreq(); @@ -224,14 +234,14 @@ krb5_tkt_authent **ret_authdat; #undef cleanup_apreq authdat = nauthdat; *ret_authdat = authdat; + ticket_enc = authdat->ticket->enc_part2; /* now rearrange output from rd_req_decoded */ /* make sure the client is of proper lineage (see above) */ if (!local_client && - (authdat->ticket->enc_part2->client[0]->length == - tgs_server[0]->length) && - !memcmp(authdat->ticket->enc_part2->client[0]->data, + (ticket_enc->client[0]->length == tgs_server[0]->length) && + !memcmp(ticket_enc->client[0]->data, tgs_server[0]->data, tgs_server[0]->length)) { /* someone in a foreign realm claiming to be local */ @@ -265,8 +275,8 @@ krb5_tkt_authent **ret_authdat; if (retval = krb5_calculate_checksum(our_cksum.checksum_type, scratch->data, scratch->length, - authdat->ticket->enc_part2->session->contents, /* seed */ - authdat->ticket->enc_part2->session->length, /* seed length */ + ticket_enc->session->contents, /* seed */ + ticket_enc->session->length, /* seed length */ &our_cksum)) { xfree(our_cksum.contents); krb5_free_data(scratch); -- 2.26.2