better realm transit path checking for app server

transit path checking enforcement for kdc; supporting code, doc update
[merged from 1.2.3 release branch]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13758 dc483132-0cff-0310-8789-dd5450dbe970

12 files changed, 189 insertions, 26 deletions

diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 6695c20e95..c7f210c61b 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -4,6 +4,8 @@
 	TKT_FLG_OK_AS_DELEGATE, TKT_FLG_ANONYMOUS): New macros.
 	(KDC_OPT_REQUEST_ANONYMOUS, KDC_OPT_DISABLE_TRANSITED_CHECK):
 	Likewise.
+	(krb5_check_transited_list): Pointed-to krb5_data structures are
+	now all const.
 
 2001-09-05  Ken Raeburn  <raeburn@mit.edu>
 
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index a7fe2b7125..fab9f8acb5 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -1,7 +1,7 @@
 /*
  * include/krb5.h
  *
- * Copyright 1989,1990,1995 by the Massachusetts Institute of Technology.
+ * Copyright 1989,1990,1995,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
diff --git a/src/include/krb5/ChangeLog b/src/include/krb5/ChangeLog
index 2fa911042b..a330549afb 100644
--- a/src/include/krb5/ChangeLog
+++ b/src/include/krb5/ChangeLog
@@ -1,3 +1,9 @@
+2001-09-25  Ken Raeburn  <raeburn@mit.edu>
+
+	* adm.h (struct __krb5_realm_params): Added fields
+	realm_reject_bad_transit, realm_reject_bad_transit_valid; deleted
+	field realm_filler.
+
 2001-07-25  Ezra Peisach  <epeisach@mit.edu>
 
 	* kdb.h: For structs krb5_tl_data (tl_data_length), krb5_key_data
diff --git a/src/include/krb5/adm.h b/src/include/krb5/adm.h
index b3a2b6af35..820f652b9c 100644
--- a/src/include/krb5/adm.h
+++ b/src/include/krb5/adm.h
@@ -1,7 +1,7 @@
 /*
  * include/krb5/adm.h
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -208,13 +208,14 @@ typedef struct __krb5_realm_params {
     krb5_timestamp	realm_expiration;
     krb5_flags		realm_flags;
     krb5_key_salt_tuple	*realm_keysalts;
+    unsigned int	realm_reject_bad_transit:1;
     unsigned int	realm_kadmind_port_valid:1;
     unsigned int	realm_enctype_valid:1;
     unsigned int	realm_max_life_valid:1;
     unsigned int	realm_max_rlife_valid:1;
     unsigned int	realm_expiration_valid:1;
     unsigned int	realm_flags_valid:1;
-    unsigned int	realm_filler:7;
+    unsigned int	realm_reject_bad_transit_valid:1;
     krb5_int32		realm_num_keysalts;
 } krb5_realm_params;
 #endif	/* KRB5_ADM_H__ */
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 6ceb53f279..e9958da7ef 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,18 @@
+2001-09-25  Ken Raeburn  <raeburn@mit.edu>
+
+	* do_tgs_req.c (process_tgs_req): If disable-transited-check
+	option isn't set, try to verify transit path.  If
+	reject_bad_transit flag is set and transit path isn't verified,
+	reject the request.  Use a temporary variable to simplify
+	references to the second ticket.
+	* extern.h (struct __kdc_realm_data): Add new field
+	realm_reject_bad_transit.
+	(find_realm_data): Declare.
+	(reject_bad_transit): New macro.
+	* main.c (find_realm_data): Delete declaration.
+	(init_realm): Copy reject-bad-transit value or use default.
+	* rtest.c (find_realm_data): Define dummy version.
+
 2001-09-24  Mitchell Berger  <mitchb@mit.edu>
 
 	* krb5kdc.M: Document the -n option.  Thanks to Dennis Davis
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 202284cbdd..439b86caad 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1,7 +1,7 @@
 /*
  * kdc/do_tgs_req.c
  *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -490,6 +490,36 @@ tgt_again:
 	}
 	newtransited = 1;
     }
+    if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+	errcode = krb5_check_transited_list (kdc_context,
+					     &enc_tkt_reply.transited.tr_contents,
+					     krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+					     krb5_princ_realm (kdc_context, request->server));
+	if (errcode == 0) {
+	    setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+	} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+	    krb5_klog_syslog (LOG_INFO,
+			      "bad realm transit path from '%s' to '%s' via '%.*s'",
+			      cname ? cname : "<unknown client>",
+			      sname ? sname : "<unknown server>",
+			      enc_tkt_transited.tr_contents.length,
+			      enc_tkt_transited.tr_contents.data);
+	else
+	    krb5_klog_syslog (LOG_ERR,
+			      "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+			      cname ? cname : "<unknown client>",
+			      sname ? sname : "<unknown server>",
+			      enc_tkt_transited.tr_contents.length,
+			      enc_tkt_transited.tr_contents.data,
+			      error_message (errcode));
+    } else
+	krb5_klog_syslog (LOG_ERR, "not checking transit path");
+    if (reject_bad_transit
+	&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
+	errcode = KRB5KDC_ERR_POLICY;
+	status = "BAD_TRANSIT";
+	goto cleanup;
+    }
 
     ticket_reply.enc_part2 = &enc_tkt_reply;
 
@@ -504,27 +534,26 @@ tgt_again:
 	 * Make sure the client for the second ticket matches
 	 * requested server.
 	 */
-	if (!krb5_principal_compare(kdc_context, request->server,
-				    request->second_ticket[st_idx]->enc_part2->client)) {
-		if ((errcode = krb5_unparse_name(kdc_context,
-						request->second_ticket[st_idx]->enc_part2->client,
-						&tmp)))
+	krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+	krb5_principal client2 = t2enc->client;
+	if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+		if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
 			tmp = 0;
-		krb5_klog_syslog(LOG_INFO, "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: authtime %d, %s for %s, 2nd tkt client %s",
-		       fromstring, portnum, authtime,
-		       cname ? cname : "<unknown client>",
-		       sname ? sname : "<unknown server>",
-		       tmp ? tmp : "<unknown>");
+		krb5_klog_syslog(LOG_INFO,
+				 "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: "
+				 "authtime %d, %s for %s, 2nd tkt client %s",
+				 fromstring, portnum, authtime,
+				 cname ? cname : "<unknown client>",
+				 sname ? sname : "<unknown server>",
+				 tmp ? tmp : "<unknown>");
 		errcode = KRB5KDC_ERR_SERVER_NOMATCH;
 		goto cleanup;
 	}
 	    
 	ticket_reply.enc_part.kvno = 0;
-	ticket_reply.enc_part.enctype =
-		request->second_ticket[st_idx]->enc_part2->session->enctype;
-	if ((errcode = krb5_encrypt_tkt_part(kdc_context, 
-					    request->second_ticket[st_idx]->enc_part2->session,
-					    &ticket_reply))) {
+	ticket_reply.enc_part.enctype = t2enc->session->enctype;
+	if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
+					     &ticket_reply))) {
 	    status = "2ND_TKT_ENCRYPT";
 	    goto cleanup;
 	}
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 01a267d271..556cc5710f 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -1,7 +1,7 @@
 /*
  * kdc/extern.h
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -67,12 +67,15 @@ typedef struct __kdc_realm_data {
     krb5_deltat		realm_maxrlife;	/* Maximum renewable life for realm */
     void		*realm_kstypes;	/* Key/Salts supported for realm    */
     krb5_int32		realm_nkstypes;	/* Number of key/salts		    */
+    krb5_boolean	realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
 } kdc_realm_t;
 
 extern kdc_realm_t	**kdc_realmlist;
 extern int		kdc_numrealms;
 extern kdc_realm_t	*kdc_active_realm;
 
+kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+
 /*
  * Replace previously used global variables with the active (e.g. request's)
  * realm data.  This allows us to support multiple realms with minimal logic
@@ -89,6 +92,7 @@ extern kdc_realm_t	*kdc_active_realm;
 #define	tgs_server			kdc_active_realm->realm_tgsprinc
 #define	dbm_db_name			kdc_active_realm->realm_dbname
 #define	primary_port			kdc_active_realm->realm_pport
+#define reject_bad_transit		kdc_active_realm->realm_reject_bad_transit
 
 /* various externs for KDC */
 extern krb5_data 	empty_string;	/* an empty string */
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 77340723ad..f487cf89fe 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -1,7 +1,7 @@
 /*
  * kdc/main.c
  *
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -52,8 +52,6 @@
 extern int daemon(int, int);
 #endif
 
-kdc_realm_t *find_realm_data (char *, krb5_ui_4);
-
 void usage (char *);
 
 krb5_sigtype request_exit (int);
@@ -238,6 +236,12 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
     else
 	rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN;
 
+    /* Handle reject-bad-transit flag */
+    if (rparams && rparams->realm_reject_bad_transit_valid)
+	rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
+    else
+	rdp->realm_reject_bad_transit = 1;
+
     /* Handle ticket maximum life */
     rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
 	rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
diff --git a/src/kdc/rtest.c b/src/kdc/rtest.c
index 9450bf2a50..23e88f6c11 100644
--- a/src/kdc/rtest.c
+++ b/src/kdc/rtest.c
@@ -114,3 +114,4 @@ main(argc,argv)
     }
 
 void krb5_klog_syslog() {}
+kdc_realm_t *find_realm_data (char *rname, krb5_ui_4 rsize) { return 0; }
diff --git a/src/lib/kadm5/ChangeLog b/src/lib/kadm5/ChangeLog
index 4a1184156a..aef4853714 100644
--- a/src/lib/kadm5/ChangeLog
+++ b/src/lib/kadm5/ChangeLog
@@ -1,3 +1,12 @@
+2001-09-25  Ken Raeburn  <raeburn@mit.edu>
+
+	* admin.h (krb5_realm_params): Add fields realm_reject_bad_transit
+	and realm_reject_bad_transit_valid; delete field realm_filler.
+	* alt_prof.c (string_to_boolean, krb5_aprof_get_boolean): New
+	functions.
+	(krb5_read_realm_params): Parse "reject_bad_transit" value as
+	boolean and save it.
+
 2001-07-25  Ezra Peisach  <epeisach@mit.edu>
 
 	* kadm_rpc_xdr.c: Add xdr_krb5_ui_2. 
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 5df8f8ef9e..c3242c0350 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -1,4 +1,30 @@
 /*
+ * lib/kadm5/admin.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ */
+/*
  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
  *
  * $Header$
@@ -234,13 +260,14 @@ typedef struct __krb5_realm_params {
     krb5_timestamp	realm_expiration;
     krb5_flags		realm_flags;
     krb5_key_salt_tuple	*realm_keysalts;
+    unsigned int	realm_reject_bad_transit:1;
     unsigned int	realm_kadmind_port_valid:1;
     unsigned int	realm_enctype_valid:1;
     unsigned int	realm_max_life_valid:1;
     unsigned int	realm_max_rlife_valid:1;
     unsigned int	realm_expiration_valid:1;
     unsigned int	realm_flags_valid:1;
-    unsigned int	realm_filler:7;
+    unsigned int	realm_reject_bad_transit_valid:1;
     krb5_int32		realm_num_keysalts;
 } krb5_realm_params;
 
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index c6156f6985..2d729e938f 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -1,7 +1,7 @@
 /*
  * lib/kadm/alt_prof.c
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -116,6 +116,64 @@ krb5_aprof_getvals(acontext, hierarchy, retdata)
 }
 
 /*
+ * krb5_aprof_get_boolean()
+ *
+ * Parameters:
+ *	acontext	- opaque context for alternate profile
+ *	hierarchy	- hierarchy of value to retrieve
+ *	retdata		- Returned data value
+ * Returns:
+ *	error codes
+ */
+
+static krb5_error_code
+string_to_boolean (const char *string, krb5_boolean *out)
+{
+    static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" };
+    static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" };
+    int i;
+
+    for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
+	if (!strcasecmp(string, yes[i])) {
+	    *out = 1;
+	    return 0;
+	}
+    for (i = 0; i < sizeof(no)/sizeof(no[0]); i++)
+	if (!strcasecmp(string, no[i])) {
+	    *out = 0;
+	    return 0;
+	}
+    return PROF_BAD_BOOLEAN;
+}
+
+krb5_error_code
+krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
+		       int uselast, int *retdata)
+{
+    krb5_error_code kret;
+    char **values;
+    char *valp;
+    int idx;
+    krb5_boolean val;
+
+    kret = krb5_aprof_getvals (acontext, hierarchy, &values);
+    if (kret)
+	return kret;
+    idx = 0;
+    if (uselast) {
+	while (values[idx])
+	    idx++;
+	idx--;
+    }
+    valp = values[idx];
+    kret = string_to_boolean (valp, &val);
+    if (kret)
+	return kret;
+    *retdata = val;
+    return 0;
+}
+
+/*
  * krb5_aprof_get_deltat()	- Get a delta time value from the alternate
  *				  profile.
  *
@@ -736,6 +794,7 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp)
     const char		*hierarchy[4];
     char		*svalue;
     krb5_int32		ivalue;
+    krb5_boolean	bvalue;
     krb5_deltat		dtvalue;
 
     krb5_error_code	kret;
@@ -832,7 +891,13 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp)
 	    rparams->realm_expiration_valid = 1;
 	krb5_xfree(svalue);
     }
-	    
+
+    hierarchy[2] = "reject_bad_transit";
+    if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+	rparams->realm_reject_bad_transit = bvalue;
+	rparams->realm_reject_bad_transit_valid = 1;
+    }
+
     /* Get the value for the default principal flags */
     hierarchy[2] = "default_principal_flags";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {