From c1a54a5e3713fd760d0994dbdb2dee97d353f906 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Wed, 12 Aug 2009 23:05:36 +0200
Subject: [PATCH] Make KRB5SignedPath less fragile, only sign trivial parts of the encTicketPart

Sign the client and auth time (like its done in the PAC) and let that be ehough for now. Add a Typed hole so that we don't break wireprotocol next time.
---
 kdc/kerberos5.c | 1 +
 kdc/krb5tgs.c | 25 +++++++++++++++----------
 lib/asn1/krb5.asn1 | 9 ++++++---
 3 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 8edc07a49..0a9d4a5ca 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1747,6 +1747,7 @@ _kdc_as_rep(krb5_context context,
 config,
 server,
 setype,
+client->entry.principal,
 NULL,
 NULL,
 &et);
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 635eb27e7..c3b0aaa89 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -106,6 +106,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
 krb5_kdc_configuration *config,
 hdb_entry_ex *krbtgt,
 krb5_enctype enctype,
+krb5_principal client,
 krb5_const_principal server,
 krb5_principals principals,
 EncTicketPart *tkt)
@@ -125,8 +126,10 @@ _kdc_add_KRB5SignedPath(krb5_context context,
 {
 KRB5SignedPathData spd;
 
-spd.encticket = *tkt;
+spd.client = client;
+spd.authtime = tkt->authtime;
 spd.delegated = principals;
+spd.method_data = NULL;
 
 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
 &spd, &size, ret);
@@ -153,6 +156,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
 
 sp.etype = enctype;
 sp.delegated = principals;
+sp.method_data = NULL;
 
 ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
 data.data, data.length, &sp.cksum);
@@ -185,6 +189,7 @@ static krb5_error_code
 check_KRB5SignedPath(krb5_context context,
 krb5_kdc_configuration *config,
 hdb_entry_ex *krbtgt,
+krb5_principal cp,
 EncTicketPart *tkt,
 krb5_principals *delegated,
 int *signedpath)
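Review bot: In the `-125,8 +126,10` hunk of kdc/krb5tgs.c the checksummed KRB5SignedPathData shrinks from the whole EncTicketPart to `client`, `authtime`, `delegated` and an empty `method_data`, so the checksum no longer binds any other ticket field (server name, endtime, flags), and the verifier side in the `-208,17 +212,13` hunk recomputes it from exactly those inputs; that is the stated intent, but nothing in the code records it. A comment above `spd.client = client;` such as `/* Only client, authtime and the delegation chain are covered by this checksum; other EncTicketPart fields are not bound by KRB5SignedPath. */` would keep a later reader from relying on it for more. Any field added here must be mirrored in check_KRB5SignedPath, which is what `spd.method_data = NULL` here and `sp.method_data = NULL` in the `-153,6 +156,7` hunk leave room for; a one-line comment on each saying `/* typed hole: must match the fields encoded in check_KRB5SignedPath */` would make that coupling explicit. _kdc_add_KRB5SignedPath starts and ends outside these hunks.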
@@ -200,7 +205,6 @@ check_KRB5SignedPath(krb5_context context,
 if (ret == 0) {
 KRB5SignedPathData spd;
 KRB5SignedPath sp;
-AuthorizationData *ad;
 size_t size;
 
 ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
@@ -208,17 +212,13 @@ check_KRB5SignedPath(krb5_context context,
 if (ret)
 return ret;
 
-spd.encticket = *tkt;
-/* the KRB5SignedPath is the last entry */
-ad = spd.encticket.authorization_data;
-if (--ad->len == 0)
-spd.encticket.authorization_data = NULL;
+spd.client = cp;
+spd.authtime = tkt->authtime;
 spd.delegated = sp.delegated;
+spd.method_data = sp.method_data;
 
 ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
 &spd, &size, ret);
-ad->len++;
-spd.encticket.authorization_data = ad;
 if (ret) {
 free_KRB5SignedPath(&sp);
 return ret;
@@ -244,7 +244,9 @@ check_KRB5SignedPath(krb5_context context,
 free(data.data);
 if (ret) {
 free_KRB5SignedPath(&sp);
-return ret;
+kdc_log(context, config, 5,
+"KRB5SignedPath not signed correctly, not marking as signed");
+return 0;
 }
 
 if (delegated && sp.delegated) {
@@ -884,6 +886,7 @@ tgs_make_reply(krb5_context context,
 config,
 krbtgt,
 krbtgt_etype,
+client_principal,
 NULL,
 spp,
 &et);
@@ -1663,6 +1666,7 @@ server_lookup:
 ret = check_KRB5SignedPath(context,
 config,
 krbtgt,
+cp,
 tgt,
 &spp,
 &signedpath);
@@ -1855,6 +1859,7 @@ server_lookup:
 ret = check_KRB5SignedPath(context,
 config,
 krbtgt,
+cp,
 &adtkt,
 NULL,
 &ad_signedpath);
diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1
index 7080b095f..adc09ac68 100644
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -645,8 +645,10 @@ PA-S4U2Self ::= SEQUENCE {
 
 -- never encoded on the wire, just used to checksum over
 KRB5SignedPathData ::= SEQUENCE {
-encticket[0] EncTicketPart,
-delegated[1] Principals OPTIONAL
+client[0] Principal OPTIONAL,
+authtime[1] KerberosTime,
+delegated[2] Principals OPTIONAL,
+method_data[3] METHOD-DATA OPTIONAL
 }
 
 KRB5SignedPath ::= SEQUENCE {
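Review bot: In the `-244,7 +244,9` hunk of kdc/krb5tgs.c a KRB5SignedPath whose checksum fails verification now makes check_KRB5SignedPath return 0 after a level-5 log, so the caller gets the same result for a ticket with no signed path and for one whose signed path is corrupt or was not produced under the current krbtgt key; only the log line tells the two apart. If the purpose is to tolerate a key rollover that should be said next to the return, e.g. `/* unverifiable signed path: treat as unsigned, not as an error */`, and the message would be more useful to an operator if it named the client, which `cp` now makes available (a `krb5_unparse_name` of it, outside this hunk). Whether `*signedpath` is guaranteed to be 0 on this path depends on code outside the hunk and is worth confirming, since callers at `-1663` and `-1855` branch on it.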
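Review bot: In the `-645,8 +645,10` hunk of lib/asn1/krb5.asn1 `client[0]` is declared `Principal OPTIONAL`, so a KRB5SignedPathData encoded with a NULL client is still a valid encoding, and since check_KRB5SignedPath recomputes it from the caller's `cp`, a path signed with no client verifies without binding any identity. Every signer in this patch passes a principal pointer (`client->entry.principal`, `client_principal`) and the verifier passes `cp`, so if none of them is expected to be NULL, dropping `OPTIONAL` here, or having check_KRB5SignedPath refuse a NULL `cp`, would turn that case into an encoding error rather than a silently weaker checksum. The comment above the type says it is never put on the wire, so renumbering the tags is safe; `method_data[3]` as a typed hole is consistent with the matching `OPTIONAL` field added to KRB5SignedPath in the `-655,7 +657,8` hunk.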
@@ -655,7 +657,8 @@ KRB5SignedPath ::= SEQUENCE {
 etype[0] ENCTYPE,
 cksum[1] Checksum,
 -- srvs delegated though
-delegated[2] Principals OPTIONAL
+delegated[2] Principals OPTIONAL,
+method_data[3] METHOD-DATA OPTIONAL
 }
 
 PA-ClientCanonicalizedNames ::= SEQUENCE{
-- 
2.11.4.GIT