diff options
-rw-r--r-- | src/kdc/ChangeLog | 13 | ||||
-rw-r--r-- | src/kdc/do_as_req.c | 30 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 51 |
3 files changed, 77 insertions, 17 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 69d55104db..01bf1a1316 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,16 @@ +Mon Nov 21 17:23:50 1994 Theodore Y. Ts'o (tytso@dcl) + + * do_tgs_req.c (process_tgs_req): + * do_as_req.c (process_as_req): Use the list of encryption types + passed as part of the KDC request to determine which + encryption to use for encrypting the ticket. The + encryption must be one that is supported by the KDC, as + well as being one which is marked as being supported by + the server of the ticket. In a AS request, also use this + encryption for encrypting the KDC response. In a TGS + request, use the encryption type of the TGT authenticator + to determine how to encrypt the KDC response. + Tue Nov 8 17:51:30 1994 Theodore Y. Ts'o (tytso@dcl) * do_tgs_req.c (process_tgs_req): Use published interface to call diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 12fea7aa57..62fb0eb250 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -237,9 +237,23 @@ krb5_data **response; /* filled in with a response packet */ goto errout; } - for (i = 0; i < request->netypes; i++) - if (valid_etype(request->etype[i])) + for (i = 0; i < request->netypes; i++) { + krb5_keytype ok_keytype; + + if (!valid_etype(request->etype[i])) + continue; + + if (request->etype[i] == ETYPE_DES_CBC_MD5 && + !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)) + continue; + + ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; + + if (server.key.keytype == ok_keytype || + server.alt_key.keytype == ok_keytype) break; + } + if (i == request->netypes) { /* unsupported etype */ @@ -261,8 +275,6 @@ krb5_data **response; /* filled in with a response packet */ } ticket_reply.server = request->server; - ticket_reply.enc_part.etype = useetype; - ticket_reply.enc_part.kvno = server.kvno; enc_tkt_reply.flags = 0; setflag(enc_tkt_reply.flags, TKT_FLG_INITIAL); @@ -404,11 +416,12 @@ krb5_data **response; /* filled in with a response packet */ in the database) */ if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key)) goto errout; - retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply); + retval = krb5_encrypt_tkt_part(&eblock, &encrypting_key, &ticket_reply); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); if (retval) goto errout; + ticket_reply.enc_part.kvno = server.kvno; /* Start assembling the response */ reply.msg_type = KRB5_AS_REP; @@ -451,9 +464,7 @@ krb5_data **response; /* filled in with a response packet */ } reply.client = request->client; - /* XXX need separate etypes for ticket encryption and kdc_rep encryption */ - reply.enc_part.etype = useetype; - reply.enc_part.kvno = client.kvno; + reply.ticket = &ticket_reply; reply_encpart.session = session_key; @@ -479,7 +490,8 @@ krb5_data **response; /* filled in with a response packet */ if (retval = KDB_CONVERT_KEY_OUTOF_DB(&client.key, &encrypting_key)) goto errout; - retval = krb5_encode_kdc_rep(KRB5_AS_REP, &reply_encpart, + reply.enc_part.kvno = client.kvno; + retval = krb5_encode_kdc_rep(KRB5_AS_REP, &reply_encpart, &eblock, &encrypting_key, &reply, response); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 62d810bfc0..46407185c9 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -67,6 +67,7 @@ int is_secondary; krb5_data **response; /* filled in with a response packet */ { krb5_encrypt_block eblock; + krb5_keytype second_ticket_etype = ETYPE_UNKNOWN; krb5_kdc_req *request = 0; krb5_db_entry server; krb5_kdc_rep reply; @@ -199,9 +200,37 @@ tgt_again: goto cleanup; } - for (i = 0; i < request->netypes; i++) - if (valid_etype(request->etype[i])) + /* + * If we are using user-to-user authentication, then the resulting + * ticket has to use the same encryption system as was used to + * encrypt the ticket, since that's the same encryption system + * that's used for the ticket session key --- and that's what we + * use to encrypt the ticket! + */ + if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) + second_ticket_etype = request->second_ticket[st_idx]->enc_part.etype; + + for (i = 0; i < request->netypes; i++) { + krb5_keytype ok_keytype; + + if (!valid_etype(request->etype[i])) + continue; + + if (second_ticket_etype != ETYPE_UNKNOWN && + second_ticket_etype != request->etype[i]) + continue; + + if (request->etype[i] == ETYPE_DES_CBC_MD5 && + !isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)) + continue; + + ok_keytype = krb5_csarray[request->etype[i]]->system->proto_keytype; + + if (server.key.keytype == ok_keytype || + server.alt_key.keytype == ok_keytype) break; + } + if (i == request->netypes) { /* unsupported etype */ status = "BAD_ENCRYPTION_TYPE"; @@ -220,8 +249,6 @@ tgt_again: } ticket_reply.server = request->server; /* XXX careful for realm... */ - ticket_reply.enc_part.etype = useetype; - ticket_reply.enc_part.kvno = server.kvno; enc_tkt_reply.flags = 0; enc_tkt_reply.times.starttime = 0; @@ -466,6 +493,12 @@ tgt_again: ticket_reply.enc_part2 = &enc_tkt_reply; + /* + * If we are doing user-to-user authentication, then make sure + * that the client for the second ticket matches the request + * server, and then encrypt the ticket using the session key of + * the second ticket. + */ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { krb5_keyblock *st_sealing_key; krb5_kvno st_srv_kvno; @@ -500,7 +533,9 @@ tgt_again: goto cleanup; } - if (retval = krb5_encrypt_tkt_part(request->second_ticket[st_idx]->enc_part2->session, + ticket_reply.enc_part.kvno = 0; + if (retval = krb5_encrypt_tkt_part(&eblock, + request->second_ticket[st_idx]->enc_part2->session, &ticket_reply)) { status = "2ND_TKT_ENCRYPT"; goto cleanup; @@ -514,7 +549,8 @@ tgt_again: goto cleanup; } - retval = krb5_encrypt_tkt_part(&encrypting_key, &ticket_reply); + ticket_reply.enc_part.kvno = server.kvno; + retval = krb5_encrypt_tkt_part(&eblock, &encrypting_key, &ticket_reply); memset((char *)encrypting_key.contents, 0, encrypting_key.length); krb5_xfree(encrypting_key.contents); @@ -529,7 +565,6 @@ tgt_again: reply.msg_type = KRB5_TGS_REP; reply.padata = 0; /* always */ reply.client = header_ticket->enc_part2->client; - reply.enc_part.etype = useetype; reply.enc_part.kvno = 0; /* We are using the session key */ reply.ticket = &ticket_reply; @@ -558,7 +593,7 @@ tgt_again: /* use the session key in the ticket, unless there's a subsession key in the AP_REQ */ - retval = krb5_encode_kdc_rep(KRB5_TGS_REP, &reply_encpart, + retval = krb5_encode_kdc_rep(KRB5_TGS_REP, &reply_encpart, &eblock, req_authdat->authenticator->subkey ? req_authdat->authenticator->subkey : header_ticket->enc_part2->session, |