authorTheodore Tso <tytso@mit.edu>1994-09-22 16:39:53 +0000
committerTheodore Tso <tytso@mit.edu>1994-09-22 16:39:53 +0000
commit85292848ff3c750868fb86b3c213a0ca2c22b003 (patch)
tree2773f6ade12d0051482084aff948044618121844 /src/lib
parent787858e0528df604a6e88abe19f7b3fff76f3502 (diff)
Applied Cybersafe's changes to do transited realm path checking
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4328 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/krb5/error_tables/ChangeLog4
-rw-r--r--src/lib/krb5/error_tables/krb5_err.et2
-rw-r--r--src/lib/krb5/krb/ChangeLog8
-rw-r--r--src/lib/krb5/krb/Makefile.in2
-rw-r--r--src/lib/krb5/krb/chk_trans.c92
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c64
6 files changed, 170 insertions, 2 deletions
diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog
index cf1076271..f0740c3a4 100644
--- a/src/lib/krb5/error_tables/ChangeLog
+++ b/src/lib/krb5/error_tables/ChangeLog
@@ -1,3 +1,7 @@
+Wed Sep 21 18:00:25 1994 Theodore Y. Ts'o (tytso@dcl)
+
+ * krb5_err.et (KRB5KRB_AP_ERR_ILL_CR_TKT): Added new error code.
+
Sat Jul 16 05:59:53 1994 Tom Yu (tlyu at dragons-lair)
* krb5_err.et: missing space between comma and doublequote
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 1201b7e3b..133814c3a 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -74,7 +74,7 @@ error_code KRB5KRB_AP_ERR_BADVERSION, "Protocol version mismatch"
error_code KRB5KRB_AP_ERR_MSG_TYPE, "Invalid message type"
error_code KRB5KRB_AP_ERR_MODIFIED, "Message stream modified"
error_code KRB5KRB_AP_ERR_BADORDER, "Message out of order"
-error_code KRB5PLACEHOLD_43, "KRB5 error code 43"
+error_code KRB5KRB_AP_ERR_ILL_CR_TKT, "Illegal cross-realm ticket"
error_code KRB5KRB_AP_ERR_BADKEYVER, "Key version is not available"
error_code KRB5KRB_AP_ERR_NOKEY, "Service key not available"
error_code KRB5KRB_AP_ERR_MUT_FAIL, "Mutual authentication failed"
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 9afcfe98d..665d800e2 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,11 @@
+Wed Sep 21 17:57:35 1994 Theodore Y. Ts'o (tytso@dcl)
+
+ * rd_req_dec.c (krb5_rd_req_decoded): Added Changes from Cybersafe
+ to do transited realm path checking.
+
+ * chk_trans.c: Added donated module from CyberSafe. It checks to
+ see if a transited path is a legal one between two realms.
+
Thu Sep 15 11:08:39 1994 Theodore Y. Ts'o (tytso@dcl)
* rd_req_sim.c (krb5_rd_req_simple): Use krb5_rd_req instead of
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 2570abcb4..d647f1e12 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -10,6 +10,7 @@ OBJS= addr_comp.o \
addr_srch.o \
bld_pr_ext.o \
bld_princ.o \
+ chk_trans.o \
compat_recv.o \
conv_princ.o \
copy_addrs.o \
@@ -69,6 +70,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/addr_srch.c \
$(srcdir)/bld_pr_ext.c \
$(srcdir)/bld_princ.c \
+ $(srcdir/chk_trans.c \
$(srcdir)/compat_recv.c \
$(srcdir)/conv_princ.c \
$(srcdir)/copy_addrs.c \
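Review bot: The added SRCS entry is missing a closing parenthesis: `$(srcdir/chk_trans.c \` should read `$(srcdir)/chk_trans.c \`, matching its neighbours. As written, the variable reference is not closed on that line, so make will either report an unterminated reference or expand it to something other than the intended path, and any target driven by SRCS (dependency generation, for example) would not see the new file correctly. The OBJS hunk above is fine; the SRCS list itself starts before and continues past this hunk.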
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
new file mode 100644
index 000000000..e4c06dd1d
--- /dev/null
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1994 CyberSAFE Corporation.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Neither M.I.T., the Open Computing Security Group, nor
+ * CyberSAFE Corporation make any representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include <stdio.h>
+#include <krb5/krb5.h>
+
+#define MAX_REALM_LN 500
+
+krb5_error_code krb5_check_transited_list(trans, realm1, realm2)
+krb5_data *trans;
+krb5_data *realm1;
+krb5_data *realm2;
+{
+ char prev[MAX_REALM_LN+1];
+ char next[MAX_REALM_LN+1];
+ char *nextp;
+ int i, j;
+ int trans_length;
+ krb5_error_code retval = 0;
+ krb5_principal *tgs_list;
+
+ if (!trans || !trans->data) return(0);
+ trans_length = trans->data[trans->length-1] ?
+ trans->length : trans->length - 1;
+
+ if (retval = krb5_walk_realm_tree(realm1, realm2, &tgs_list,
+ KRB5_REALM_BRANCH_CHAR)) {
+ return(retval);
+ }
+
+ memset(prev, 0, MAX_REALM_LN + 1);
+ memset(next, 0, MAX_REALM_LN + 1), nextp = next;
+ for (i = 0; i <= trans_length; i++) {
+ if (i < trans_length-1 && trans->data[i] == '\\') {
+ i++;
+ *nextp++ = trans->data[i];
+ continue;
+ }
+ if (i < trans_length && trans->data[i] != ',') {
+ *nextp++ = trans->data[i];
+ continue;
+ }
+ if (strlen(next) > 0) {
+ if (next[0] != '/') {
+ if (*(nextp-1) == '.') strcat(next, prev);
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ for (j = 0; tgs_list[j]; j++) {
+ if (strlen(next) == krb5_princ_realm(tgs_list[j])->length &&
+ !memcmp(next, krb5_princ_realm(tgs_list[j])->data,
+ strlen(next))) {
+ retval = 0;
+ break;
+ }
+ }
+ if (retval) goto finish;
+ }
+ if (i+1 < trans_length && trans->data[i+1] == ' ') {
+ i++;
+ memset(next, 0, MAX_REALM_LN + 1), nextp = next;
+ continue;
+ }
+ if (i+1 < trans_length && trans->data[i+1] != '/') {
+ strcpy(prev, next);
+ memset(next, 0, MAX_REALM_LN + 1), nextp = next;
+ continue;
+ }
+ }
+ }
+
+finish:
+ krb5_free_realm_tree(tgs_list);
+ return(retval);
+}
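Review bot: Nothing bounds the writes into `next`: the two `*nextp++ = trans->data[i];` stores and `strcat(next, prev)` assume every realm component fits in MAX_REALM_LN bytes, but the transited encoding comes out of the ticket and its length is whatever the issuing KDCs wrote, so an over-long component overruns the stack arrays. The `trans_length` computation also reads `trans->data[trans->length-1]`, which is index -1 when `length` is 0. I would reject over-long components with KRB5KRB_AP_ERR_ILL_CR_TKT before each store and before the concatenation, and return early on a zero length, as sketched below. Separately, the file calls memset/strlen/strcat/strcpy/memcmp without including `<string.h>`.

```c
    if (!trans || !trans->data || trans->length == 0) return(0);
    /* … unchanged: trans_length, krb5_walk_realm_tree call, memset of prev/next … */

            /* guard placed before each of the two `*nextp++ = trans->data[i];` stores */
            if (nextp - next >= MAX_REALM_LN) {
                retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
                goto finish;
            }
            *nextp++ = trans->data[i];

    /* … unchanged: separator handling up to the trailing-dot test … */
                if (*(nextp-1) == '.') {
                    if (strlen(next) + strlen(prev) > MAX_REALM_LN) {
                        retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
                        goto finish;
                    }
                    strcat(next, prev);
                }
    /* … unchanged: tgs_list comparison, prev/next reset, finish label … */
```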
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 694a48dbc..12a47742e 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -1,6 +1,7 @@
/*
* lib/krb5/krb/rd_req_dec.c
*
+ * Copyright (c) 1994 CyberSAFE Corporation.
* Copyright 1990,1991 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
@@ -16,7 +17,8 @@
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
+ * permission. Neither M.I.T., the Open Computing Security Group, nor
+ * CyberSAFE Corporation make any representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
@@ -164,6 +166,66 @@ krb5_tkt_authent **authdat;
goto cleanup;
}
+ /* okay, now check cross-realm policy */
+
+#if defined(_SINGLE_HOP_ONLY)
+
+ /* Single hop cross-realm tickets only */
+
+ { krb5_transited *trans = &(req->ticket->enc_part2->transited);
+
+ /* If the transited list is empty, then we have at most one hop */
+
+ if (trans->tr_contents.data && trans->tr_contents.data[0]) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ }
+
+#elif defined(_NO_CROSS_REALM)
+
+ /* No cross-realm tickets */
+
+ { char *lrealm;
+ krb5_data *realm = krb5_princ_realm(req->ticket->enc_part2->client);
+ krb5_transited *trans = &(req->ticket->enc_part2->transited);
+
+ /* If the transited list is empty, then we have at most one hop */
+ /* So we also have to check that the client's realm is the local one */
+
+ krb5_get_default_realm(&lrealm);
+ if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
+ strlen(lrealm) != realm->length ||
+ memcmp(lrealm, realm->data, strlen(lrealm))) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ free(lrealm);
+ }
+
+#else
+
+ /* Hierarchical Cross-Realm */
+
+ { int i;
+ krb5_data lrealm;
+ krb5_data *realm = krb5_princ_realm(req->ticket->enc_part2->client);
+ krb5_transited *trans = &(req->ticket->enc_part2->transited);
+
+ /* If the transited list is not empty, then check that all realms */
+ /* transited are within the hierarchy between the client's realm */
+ /* and the local realm. */
+
+ if (trans->tr_contents.data && trans->tr_contents.data[0]) {
+ krb5_get_default_realm(&(lrealm.data));
+ lrealm.length = strlen(lrealm.data);
+ retval = krb5_check_transited_list(&(trans->tr_contents), realm,
+ &lrealm);
+ free(lrealm.data);
+ }
+ }
+
+#endif
+
+ if (retval) goto cleanup;
/* only check rcache if sender has provided one---some services
may not be able to use replay caches (such as datagram servers) */
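Review bot: Both `krb5_get_default_realm` calls (in the `_NO_CROSS_REALM` branch and in the hierarchical branch) discard the return value, so on failure `strlen` and `free` run on an uninitialized pointer in the middle of ticket validation; check it, e.g. `if ((retval = krb5_get_default_realm(&lrealm.data))) goto cleanup;` in the hierarchical branch and the same pattern with `&lrealm` in the other. All three branches also decide that the transited list is empty from `tr_contents.data[0]` rather than from `tr_contents.length`, so an encoding that begins with a NUL byte appears to bypass the policy check; testing `trans->tr_contents.length > 0` looks safer, assuming the decoder sets the length reliably. `int i;` in the hierarchical block is unused. The enclosing function (krb5_rd_req_decoded, per the ChangeLog entry) begins and ends outside this hunk.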