author | Nicolas Williams <nico@cryptonector.com> | 2012-06-04 17:17:31 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-06-06 13:46:17 -0400 |
commit | 0e9bf73d2b8da55aedd25061faefe6a22d9613d3 (patch) | |
tree | d39c9bf38401f5fec0c88f81dfc6945486f470d3 /src/kdc/kdc_util.c | |
parent | dacb62f899329496f84e8b4bbc4c4dc94e585bd1 (diff) | |
download | krb5-0e9bf73d2b8da55aedd25061faefe6a22d9613d3.tar.gz krb5-0e9bf73d2b8da55aedd25061faefe6a22d9613d3.tar.xz krb5-0e9bf73d2b8da55aedd25061faefe6a22d9613d3.zip |
Add control over session key enctype negotiation
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r-- | src/kdc/kdc_util.c | 84 |
1 files changed, 37 insertions, 47 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 2f4af733d1..3f3b406807 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1516,60 +1516,50 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, return 0; } -/* - * This function returns 1 if the dbentry has a key for a specified - * keytype, and 0 if not. - */ -int -dbentry_has_key_for_enctype(krb5_context context, krb5_db_entry *client, - krb5_enctype enctype) +/* Return true if we believe server can support enctype as a session key. */ +krb5_boolean +dbentry_supports_enctype(krb5_context context, krb5_db_entry *server, + krb5_enctype enctype) { krb5_error_code retval; krb5_key_data *datap; + char *etypes_str = NULL; + krb5_enctype default_enctypes[1] = { 0 }; + krb5_enctype *etypes; + size_t i; + + /* Look up the supported session key enctypes list in the KDB. */ + retval = krb5_dbe_get_string(context, server, KRB5_KDB_SK_SESSION_ENCTYPES, + &etypes_str); + if (retval == 0 && etypes_str != NULL && *etypes_str != '\0') { + /* Pass a fake profile key for tracing of unrecognized tokens. */ + retval = krb5int_parse_enctype_list(context, "KDB-session_etypes", + etypes_str, default_enctypes, + &etypes); + free(etypes_str); + if (retval == 0 && etypes != NULL && etypes[0]) { + for (i = 0; etypes[i]; i++) + if (enctype == etypes[i]) + return TRUE; + return FALSE; + } + /* Fall through on error or empty list */ + } else { + free(etypes_str); + } - retval = krb5_dbe_find_enctype(context, client, enctype, - -1, 0, &datap); - if (retval) - return 0; - else - return 1; -} + /* If configured to, assume every server without a session_enctypes + * attribute supports DES_CBC_CRC. */ + if (assume_des_crc_sess && enctype == ENCTYPE_DES_CBC_CRC) + return TRUE; -/* - * This function returns 1 if the entity referenced by this - * structure can support the a particular encryption system, and 0 if - * not. - * - * XXX eventually this information should be looked up in the - * database. Since it isn't, we use some hueristics and attribute - * options bits for now. 
- */ -int -dbentry_supports_enctype(krb5_context context, krb5_db_entry *client, - krb5_enctype enctype) -{ - /* - * If it's DES_CBC_MD5, there's a bit in the attribute mask which - * checks to see if we support it. For now, treat it as always - * clear. - * - * In theory everything's supposed to support DES_CBC_MD5, but - * that's not the reality.... - */ + /* Due to an ancient interop problem, assume nothing supports des-cbc-md5 + * unless there's a session_enctypes explicitly saying that it does. */ if (enctype == ENCTYPE_DES_CBC_MD5) - return 0; + return FALSE; - /* - * XXX we assume everything can understand DES_CBC_CRC - */ - if (enctype == ENCTYPE_DES_CBC_CRC) - return 1; - - /* - * If we have a key for the encryption system, we assume it's - * supported. - */ - return dbentry_has_key_for_enctype(context, client, enctype); + /* Assume the server supports any enctype it has a long-term key for. */ + return !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap); } /* |
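Review bot: The list handed back by krb5int_parse_enctype_list in the new dbentry_supports_enctype is never freed: the `return TRUE` and `return FALSE` inside the parsed-list branch, and the fall-through when the parsed list is empty, all leave `etypes` allocated while only `etypes_str` is released. As far as I can tell that helper returns a malloc'd array (its other callers free() it), so this leaks on every request against a principal carrying a session_enctypes attribute, which is slow unbounded growth in a long-running KDC. `etypes` is also declared without an initializer, so a shared cleanup path cannot free it unconditionally as the code stands. I'd initialize it to NULL, route every exit through one cleanup label and free both `etypes_str` and `etypes` there; the whole function lies inside this hunk.
```c
krb5_boolean
dbentry_supports_enctype(krb5_context context, krb5_db_entry *server,
                         krb5_enctype enctype)
{
    /* … unchanged: retval, datap, etypes_str, default_enctypes, i … */
    krb5_enctype *etypes = NULL;
    krb5_boolean result;

    /* … unchanged: krb5_dbe_get_string lookup … */
    if (retval == 0 && etypes_str != NULL && *etypes_str != '\0') {
        /* … unchanged: krb5int_parse_enctype_list call, without the free(etypes_str) after it … */
        if (retval == 0 && etypes != NULL && etypes[0]) {
            for (i = 0; etypes[i]; i++) {
                if (enctype == etypes[i]) {
                    result = TRUE;
                    goto cleanup;
                }
            }
            result = FALSE;
            goto cleanup;
        }
        /* Fall through on error or empty list */
    }

    /* … unchanged: assume_des_crc_sess and ENCTYPE_DES_CBC_MD5 checks, each
     * assigning result and jumping to cleanup instead of returning … */
    result = !krb5_dbe_find_enctype(context, server, enctype, -1, 0, &datap);

cleanup:
    free(etypes_str);
    free(etypes);
    return result;
}
```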