oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make KRB5SignedPath less fragile, only sign trivial parts of the encTicketPart

Browse Source 
Sign the client and auth time (like its done in the PAC) and let that
be ehough for now. Add a Typed hole so that we don't break wireprotocol
next time.
This commit is contained in:
Love Hornquist Astrand
2009-08-12 23:05:36 +02:00
parent 1011050f65
commit c1a54a5e37
3 changed files with 22 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
kdc/kerberos5.c
View File

@@ -1747,6 +1747,7 @@ _kdc_as_rep(krb5_context context,
config, config,
server, server,
setype, setype,
client->entry.principal,
NULL, NULL,
NULL, NULL,
&et); &et);

25
kdc/krb5tgs.c
View File

@@ -106,6 +106,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry_ex *krbtgt, hdb_entry_ex *krbtgt,
krb5_enctype enctype, krb5_enctype enctype,
krb5_principal client,
krb5_const_principal server, krb5_const_principal server,
krb5_principals principals, krb5_principals principals,
EncTicketPart *tkt) EncTicketPart *tkt)
@@ -125,8 +126,10 @@ _kdc_add_KRB5SignedPath(krb5_context context,
{ {
KRB5SignedPathData spd; KRB5SignedPathData spd;
spd.encticket = *tkt; spd.client = client;
spd.authtime = tkt->authtime;
spd.delegated = principals; spd.delegated = principals;
spd.method_data = NULL;
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret); &spd, &size, ret);
@@ -153,6 +156,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
sp.etype = enctype; sp.etype = enctype;
sp.delegated = principals; sp.delegated = principals;
sp.method_data = NULL;
ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0, ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
data.data, data.length, &sp.cksum); data.data, data.length, &sp.cksum);
@@ -185,6 +189,7 @@ static krb5_error_code
check_KRB5SignedPath(krb5_context context, check_KRB5SignedPath(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
hdb_entry_ex *krbtgt, hdb_entry_ex *krbtgt,
krb5_principal cp,
EncTicketPart *tkt, EncTicketPart *tkt,
krb5_principals *delegated, krb5_principals *delegated,
int *signedpath) int *signedpath)
@@ -200,7 +205,6 @@ check_KRB5SignedPath(krb5_context context,
if (ret == 0) { if (ret == 0) {
KRB5SignedPathData spd; KRB5SignedPathData spd;
KRB5SignedPath sp; KRB5SignedPath sp;
AuthorizationData *ad;
size_t size; size_t size;
ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL); ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
@@ -208,17 +212,13 @@ check_KRB5SignedPath(krb5_context context,
if (ret) if (ret)
return ret; return ret;
spd.encticket = *tkt; spd.client = cp;
/* the KRB5SignedPath is the last entry */ spd.authtime = tkt->authtime;
ad = spd.encticket.authorization_data;
if (--ad->len == 0)
spd.encticket.authorization_data = NULL;
spd.delegated = sp.delegated; spd.delegated = sp.delegated;
spd.method_data = sp.method_data;
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length, ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret); &spd, &size, ret);
ad->len++;
spd.encticket.authorization_data = ad;
if (ret) { if (ret) {
free_KRB5SignedPath(&sp); free_KRB5SignedPath(&sp);
return ret; return ret;
@@ -244,7 +244,9 @@ check_KRB5SignedPath(krb5_context context,
free(data.data); free(data.data);
if (ret) { if (ret) {
free_KRB5SignedPath(&sp); free_KRB5SignedPath(&sp);
return ret; kdc_log(context, config, 5,
"KRB5SignedPath not signed correctly, not marking as signed");
return 0;
} }
if (delegated && sp.delegated) { if (delegated && sp.delegated) {
@@ -884,6 +886,7 @@ tgs_make_reply(krb5_context context,
config, config,
krbtgt, krbtgt,
krbtgt_etype, krbtgt_etype,
client_principal,
NULL, NULL,
spp, spp,
&et); &et);
@@ -1663,6 +1666,7 @@ server_lookup:
ret = check_KRB5SignedPath(context, ret = check_KRB5SignedPath(context,
config, config,
krbtgt, krbtgt,
cp,
tgt, tgt,
&spp, &spp,
&signedpath); &signedpath);
@@ -1855,6 +1859,7 @@ server_lookup:
ret = check_KRB5SignedPath(context, ret = check_KRB5SignedPath(context,
config, config,
krbtgt, krbtgt,
cp,
&adtkt, &adtkt,
NULL, NULL,
&ad_signedpath); &ad_signedpath);

9
lib/asn1/krb5.asn1
View File

@@ -645,8 +645,10 @@ PA-S4U2Self ::= SEQUENCE {
-- never encoded on the wire, just used to checksum over -- never encoded on the wire, just used to checksum over
KRB5SignedPathData ::= SEQUENCE { KRB5SignedPathData ::= SEQUENCE {
encticket[0] EncTicketPart, client[0] Principal OPTIONAL,
delegated[1] Principals OPTIONAL authtime[1] KerberosTime,
delegated[2] Principals OPTIONAL,
method_data[3] METHOD-DATA OPTIONAL
} }
KRB5SignedPath ::= SEQUENCE { KRB5SignedPath ::= SEQUENCE {
@@ -655,7 +657,8 @@ KRB5SignedPath ::= SEQUENCE {
etype[0] ENCTYPE, etype[0] ENCTYPE,
cksum[1] Checksum, cksum[1] Checksum,
-- srvs delegated though -- srvs delegated though
delegated[2] Principals OPTIONAL delegated[2] Principals OPTIONAL,
method_data[3] METHOD-DATA OPTIONAL
} }
PA-ClientCanonicalizedNames ::= SEQUENCE{ PA-ClientCanonicalizedNames ::= SEQUENCE{