oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Only send etype-info{,2} for the enctype we selected.

Browse Source 
Process pkinit anon requests.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24569 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-02-04 22:02:34 +00:00
parent 59232b3083
commit c1bfc5bd1d
1 changed files with 115 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

233
kdc/kerberos5.c
View File

@@ -394,18 +394,6 @@ older_enctype(krb5_enctype enctype)
} }
} }
static int
only_older_enctype_p(const KDC_REQ *req)
{
int i;
for(i = 0; i < req->req_body.etype.len; i++) {
if (!older_enctype(req->req_body.etype.val[i]))
return 0;
}
return 1;
}
/* /*
* *
*/ */
@@ -461,73 +449,24 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
static krb5_error_code static krb5_error_code
get_pa_etype_info(krb5_context context, get_pa_etype_info(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
METHOD_DATA *md, hdb_entry *client, METHOD_DATA *md, Key *ckey)
ENCTYPE *etypes, unsigned int etypes_len)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
int i, j;
unsigned int n = 0;
ETYPE_INFO pa; ETYPE_INFO pa;
unsigned char *buf; unsigned char *buf;
size_t len; size_t len;
pa.len = client->keys.len; pa.len = 1;
if(pa.len > UINT_MAX/sizeof(*pa.val)) pa.val = calloc(1, sizeof(pa.val[0]));
return ERANGE;
pa.val = malloc(pa.len * sizeof(*pa.val));
if(pa.val == NULL) if(pa.val == NULL)
return ENOMEM; return ENOMEM;
memset(pa.val, 0, pa.len * sizeof(*pa.val));
for(i = 0; i < client->keys.len; i++) { ret = make_etype_info_entry(context, &pa.val[0], ckey);
for (j = 0; j < n; j++) if (ret) {
if (pa.val[j].etype == client->keys.val[i].key.keytype)
goto skip1;
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j]) {
if (krb5_enctype_valid(context, etypes[j]) != 0)
continue;
if (!older_enctype(etypes[j]))
continue;
if (n >= pa.len)
krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info_entry(context,
&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO(&pa); free_ETYPE_INFO(&pa);
return ret; return ret;
} }
break;
}
}
skip1:;
}
for(i = 0; i < client->keys.len; i++) {
/* already added? */
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j])
goto skip2;
}
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
continue;
if (!older_enctype(etypes[j]))
continue;
if (n >= pa.len)
krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info_entry(context,
&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO(&pa);
return ret;
}
skip2:;
}
if(n < pa.len) {
/* stripped out dups, newer enctypes, and not valid enctypes */
pa.len = n;
}
ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret); ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret);
free_ETYPE_INFO(&pa); free_ETYPE_INFO(&pa);
@@ -623,67 +562,23 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
static krb5_error_code static krb5_error_code
get_pa_etype_info2(krb5_context context, get_pa_etype_info2(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
METHOD_DATA *md, hdb_entry *client, METHOD_DATA *md, Key *ckey)
ENCTYPE *etypes, unsigned int etypes_len)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
int i, j;
unsigned int n = 0;
ETYPE_INFO2 pa; ETYPE_INFO2 pa;
unsigned char *buf; unsigned char *buf;
size_t len; size_t len;
pa.len = client->keys.len; pa.len = 1;
if(pa.len > UINT_MAX/sizeof(*pa.val)) pa.val = calloc(1, sizeof(pa.val[0]));
return ERANGE;
pa.val = malloc(pa.len * sizeof(*pa.val));
if(pa.val == NULL) if(pa.val == NULL)
return ENOMEM; return ENOMEM;
memset(pa.val, 0, pa.len * sizeof(*pa.val));
for(i = 0; i < client->keys.len; i++) { ret = make_etype_info2_entry(&pa.val[0], ckey);
for (j = 0; j < n; j++) if (ret) {
if (pa.val[j].etype == client->keys.val[i].key.keytype)
goto skip1;
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j]) {
if (krb5_enctype_valid(context, etypes[j]) != 0)
continue;
if (n >= pa.len)
krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info2_entry(&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO2(&pa); free_ETYPE_INFO2(&pa);
return ret; return ret;
} }
break;
}
}
skip1:;
}
/* send enctypes that the client doesn't know about too */
for(i = 0; i < client->keys.len; i++) {
/* already added? */
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j])
goto skip2;
}
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
continue;
if (n >= pa.len)
krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info2_entry(&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO2(&pa);
return ret;
}
skip2:;
}
if(n < pa.len) {
/* stripped out dups, and not valid enctypes */
pa.len = n;
}
ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret); ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret);
free_ETYPE_INFO2(&pa); free_ETYPE_INFO2(&pa);
@@ -959,6 +854,17 @@ send_pac_p(krb5_context context, KDC_REQ *req)
return TRUE; return TRUE;
} }
static krb5_boolean
is_anonymous(krb5_context context, krb5_principal principal)
{
if (principal->name.name_type != KRB5_NT_WELLKNOWN ||
principal->name.name_string.len != 2 ||
strcmp(principal->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
strcmp(principal->name.name_string.val[1], KRB5_ANON_NAME) != 0)
return 0;
return 1;
}
/* /*
* *
*/ */
@@ -1042,6 +948,7 @@ _kdc_as_rep(krb5_context context,
if (ret) if (ret)
goto out; goto out;
} }
ret = krb5_unparse_name(context, client_princ, &client_name); ret = krb5_unparse_name(context, client_princ, &client_name);
} }
if (ret) { if (ret) {
@@ -1053,6 +960,28 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 0, "AS-REQ %s from %s for %s", kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name); client_name, from, server_name);
/*
*
*/
if (is_anonymous(context, client_princ)) {
if (!b->kdc_options.request_anonymous) {
kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
} else if (b->kdc_options.request_anonymous) {
kdc_log(context, config, 0,
"Request for a anonymous ticket with non "
"anonymous client name: %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
/*
*
*/
ret = _kdc_db_fetch(context, config, client_princ, ret = _kdc_db_fetch(context, config, client_princ,
HDB_F_GET_CLIENT | flags, NULL, &client); HDB_F_GET_CLIENT | flags, NULL, &client);
if(ret){ if(ret){
@@ -1075,6 +1004,25 @@ _kdc_as_rep(krb5_context context,
memset(&et, 0, sizeof(et)); memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek)); memset(&ek, 0, sizeof(ek));
/*
* Find the client key for reply encryption and pa-type salt, Pick
* the client key upfront before the other keys because that is
* going to affect what enctypes we are going to use in
* ETYPE-INFO{,2}.
*/
ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
&ckey, &cetype);
if (ret) {
kdc_log(context, config, 0,
"Client (%s) has no support for etypes", client_name);
goto out;
}
/*
* Pre-auth processing
*/
if(req->padata){ if(req->padata){
int i; int i;
const PA_DATA *pa; const PA_DATA *pa;
@@ -1110,6 +1058,7 @@ _kdc_as_rep(krb5_context context,
if (ret == 0 && pkp == NULL) if (ret == 0 && pkp == NULL)
goto ts_enc; goto ts_enc;
if (!b->kdc_options.request_anonymous) {
ret = _kdc_pk_check_client(context, ret = _kdc_pk_check_client(context,
config, config,
client, client,
@@ -1124,6 +1073,14 @@ _kdc_as_rep(krb5_context context,
pkp = NULL; pkp = NULL;
goto out; goto out;
} }
} else {
client_cert = strdup("anonymous client client");
if (client_cert == NULL) {
ret = ENOMEM;
goto out;
}
}
found_pa = 1; found_pa = 1;
et.flags.pre_authent = 1; et.flags.pre_authent = 1;
kdc_log(context, config, 0, kdc_log(context, config, 0,
@@ -1150,6 +1107,12 @@ _kdc_as_rep(krb5_context context,
found_pa = 1; found_pa = 1;
if (b->kdc_options.request_anonymous) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 0, "ENC-TS doesn't support anon");
goto out;
}
ret = decode_EncryptedData(pa->padata_value.data, ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length, pa->padata_value.length,
&enc_data, &enc_data,
@@ -1290,6 +1253,7 @@ _kdc_as_rep(krb5_context context,
goto out; goto out;
} }
}else if (config->require_preauth }else if (config->require_preauth
|| b->kdc_options.request_anonymous /* hack to force anon */
|| client->entry.flags.require_preauth || client->entry.flags.require_preauth
|| server->entry.flags.require_preauth) { || server->entry.flags.require_preauth) {
METHOD_DATA method_data; METHOD_DATA method_data;
@@ -1327,17 +1291,26 @@ _kdc_as_rep(krb5_context context,
* both info replies (we send 'info' first in the list). * both info replies (we send 'info' first in the list).
* - If the client is 'modern', because it knows about 'new' * - If the client is 'modern', because it knows about 'new'
* enctype types, then only send the 'info2' reply. * enctype types, then only send the 'info2' reply.
*
* Before we send the full list of etype-info data, we pick
* the client key we would have used anyway below, just pick
* that instead.
*/ */
/* XXX check ret */ if (older_enctype(ckey->key.keytype)) {
if (only_older_enctype_p(req))
ret = get_pa_etype_info(context, config, ret = get_pa_etype_info(context, config,
&method_data, &client->entry, &method_data, ckey);
b->etype.val, b->etype.len); if (ret) {
/* XXX check ret */ free_METHOD_DATA(&method_data);
ret = get_pa_etype_info2(context, config, &method_data, goto out;
&client->entry, b->etype.val, b->etype.len); }
}
ret = get_pa_etype_info2(context, config,
&method_data, ckey);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data); free_METHOD_DATA(&method_data);
@@ -1371,20 +1344,10 @@ _kdc_as_rep(krb5_context context,
goto out; goto out;
/* /*
* Find the client key (for preauth ENC-TS verification and reply * Selelct the best encryption type for the KDC with out regard to
* encryption). Then the best encryption type for the KDC and * the client since the client never needs to read that data.
* last the best session key that shared between the client and
* KDC runtime enctypes.
*/ */
ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
&ckey, &cetype);
if (ret) {
kdc_log(context, config, 0,
"Client (%s) has no support for etypes", client_name);
goto out;
}
ret = _kdc_get_preferred_key(context, config, ret = _kdc_get_preferred_key(context, config,
server, server_name, server, server_name,
&setype, &skey); &setype, &skey);