From willf@alton.central.sun.com Wed Nov 21 15:21:35 2001
Message-Id: <200111212021.fALKLVh24332@alton.central.sun.com>
Date: Wed, 21 Nov 2001 14:21:31 -0600 (CST)
From: william.fiveash@sun.com
Reply-To: william.fiveash@sun.com
To: krb5-bugs@mit.edu
Subject: fix for decrypt_as_reply() enctype checking
X-Send-Pr-Version: 3.99

>Number: 1017
>Category: krb5-libs
>Synopsis: decrypt_as_reply() should check enctype in as_reply
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 21 15:22:00 EST 2001
>Last-Modified:
>Originator: William Fiveash
>Organization: Sun Microsystems, Inc.
>Release: krb5-current-20011119
>Environment:
System: SunOS alton 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
decrypt_as_reply() should verify that as_reply->enc_part.enctype is found in request->ktype. This has the effect of verifying that the KDC used one of the enctypes in the original AS-REQ.
>How-To-Repeat:
N/A
>Fix:
Note this patch assumes that the decrypt_key's enctype is being set to as_reply->enc_part.enctype in krb5_ktfile_get_entry() as proposed in a patch by Tom Yu. Here's a gnudiff -u patch:
--- src/include/krb5.h.orig Wed Nov 21 13:16:00 2001 +++ src/include/krb5.h Wed Nov 21 13:18:37 2001 @@ -536,6 +536,9 @@ (krb5_cksumtype ctype); krb5_boolean KRB5_CALLCONV is_keyed_cksum (krb5_cksumtype ctype); +krb5_boolean KRB5_CALLCONV is_in_keytype + (krb5_const krb5_enctype *keytype, int numkeytypes, + krb5_enctype enctype); #ifdef KRB5_OLD_CRYPTO /* --- src/lib/krb5/krb/get_in_tkt.c.orig Wed Nov 21 13:11:29 2001 +++ src/lib/krb5/krb/get_in_tkt.c Wed Nov 21 13:12:51 2001 @@ -205,6 +205,15 @@ if (as_reply->enc_part2) return 0; + /* Verify that the enctype in the as_reply is one of those originally + * requested. + */ + if (!is_in_keytype(request->ktype, request->nktypes, + as_reply->enc_part.enctype)) { + + return (KRB5_BAD_ENCTYPE); + } + if (key) decrypt_key = key; else { --- src/lib/crypto/valid_enctype.c.orig Wed Nov 21 13:07:30 2001 +++ src/lib/crypto/valid_enctype.c Wed Nov 21 13:20:11 2001
@@ -40,3 +40,29 @@ return(0); } + +/* + * is_in_keytype(): returns 1 if enctype == one of the enctypes in keytype + * otherwise 0 is returned. + */ +krb5_boolean KRB5_CALLCONV +is_in_keytype(keytype, numkeytypes, enctype) + krb5_const krb5_enctype *keytype; + int numkeytypes; + krb5_enctype enctype; +{ + int i; + + if (keytype == NULL || numkeytypes <= 0) { + return(0); + } + + for (i = 0; i < numkeytypes; i++) { + + if (keytype[i] == enctype) { + return(1); + } + } + + return(0); +}
>Audit-Trail:
>Unformatted:
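Review bot: the krb5.h hunk declares is_in_keytype in the public header under an unprefixed name, so it becomes part of the library's exported interface; if it is only meant for decrypt_as_reply(), declare it in an internal header (or give it a krb5_ prefix) and add a one-line comment stating the return convention. The unprefixed name does match the adjacent is_keyed_cksum declaration, so if that precedent is the intent, say so in the submission.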
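Review bot: the new check in the get_in_tkt.c hunk returns KRB5_BAD_ENCTYPE for every reply when request->ktype is NULL or request->nktypes is 0, because is_in_keytype returns 0 in that case; failing closed is the right choice, but it relies on every caller of decrypt_as_reply() populating request->ktype, which should be confirmed or noted in the comment. The check also sits before `if (key) decrypt_key = key;`, so a caller-supplied key is subject to it too, and the dependency on Tom Yu's krb5_ktfile_get_entry() change stated under >Fix: is invisible from the code; mention both in the comment. Minor style: the blank line after `{` and the parenthesised `return (KRB5_BAD_ENCTYPE);` do not match the surrounding `return 0;` in this file.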
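Review bot: in the valid_enctype.c hunk the guard `if (keytype == NULL || numkeytypes <= 0)` folds a missing or empty list into "not found", which is the behaviour the caller wants but is not stated; extend the header comment to say that a NULL or zero-length keytype list yields 0 so future callers do not treat it as "any enctype accepted". Style: the stray blank lines after `for (i = 0; i < numkeytypes; i++) {` and before the final `return(0);` can go; the K&R-style definition and `return(0)` spelling otherwise match the existing code in this file.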