From willf@alton.central.sun.com Wed Nov 21 15:21:35 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id PAA01465
for <bugs@RT-11.mit.edu>; Wed, 21 Nov 2001 15:21:34 -0500 (EST)
Received: from patan.sun.com (patan.Sun.COM [192.18.98.43])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id PAA16680
for <krb5-bugs@mit.edu>; Wed, 21 Nov 2001 15:21:34 -0500 (EST)
Received: from engmail1.Eng.Sun.COM ([129.146.1.13])
by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id NAA25022
for <krb5-bugs@mit.edu>; Wed, 21 Nov 2001 13:21:16 -0700 (MST)
Received: from alton.central.sun.com (alton.Central.Sun.COM [129.153.128.101])
by engmail1.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id MAA28768
for <krb5-bugs@mit.edu>; Wed, 21 Nov 2001 12:21:32 -0800 (PST)
Received: (from willf@localhost)
by alton.central.sun.com (8.10.2+Sun/8.10.2) id fALKLVh24332;
Wed, 21 Nov 2001 14:21:31 -0600 (CST)
Message-Id: <200111212021.fALKLVh24332@alton.central.sun.com>
Date: Wed, 21 Nov 2001 14:21:31 -0600 (CST)
From: william.fiveash@sun.com
Reply-To: william.fiveash@sun.com
To: krb5-bugs@mit.edu
Subject: fix for decrypt_as_reply() enctype checking
X-Send-Pr-Version: 3.99
>Number: 1017
>Category: krb5-libs
>Synopsis: decrypt_as_reply() should check enctype in as_reply
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 21 15:22:00 EST 2001
>Last-Modified:
>Originator: William Fiveash
>Organization:
Sun Microsystems, Inc.
>Release: krb5-current-20011119
>Environment:
System: SunOS alton 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
decrypt_as_reply() should verify that as_reply->enc_part.enctype is found in
request->ktype. This has the effect of verifying that the KDC used one of the
enctypes in the original AS-REQ.
>How-To-Repeat:
N/A
>Fix:
Note this patch assumes that the decrypt_key's enctype is being set
to as_reply->enc_part.enctype in krb5_ktfile_get_entry() as proposed
in a patch by Tom Yu.
Here's a gnudiff -u patch:
--- src/include/krb5.h.orig Wed Nov 21 13:16:00 2001
+++ src/include/krb5.h Wed Nov 21 13:18:37 2001
@@ -536,6 +536,9 @@
(krb5_cksumtype ctype);
krb5_boolean KRB5_CALLCONV is_keyed_cksum
(krb5_cksumtype ctype);
+krb5_boolean KRB5_CALLCONV is_in_keytype
+ (krb5_const krb5_enctype *keytype, int numkeytypes,
+ krb5_enctype enctype);
#ifdef KRB5_OLD_CRYPTO
/*
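Review bot: The prototype added to src/include/krb5.h is named is_in_keytype with a first parameter called keytype, yet both the array and the value looked up are krb5_enctype, so the name describes the wrong thing. Since this lands in krb5.h without a krb5_ prefix, consider a name that says an enctype list is being searched, and add a one-line comment above the declaration stating what is returned.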
--- src/lib/krb5/krb/get_in_tkt.c.orig Wed Nov 21 13:11:29 2001
+++ src/lib/krb5/krb/get_in_tkt.c Wed Nov 21 13:12:51 2001
@@ -205,6 +205,15 @@
if (as_reply->enc_part2)
return 0;
+ /* Verify that the enctype in the as_reply is one of those originally
+ * requested.
+ */
+ if (!is_in_keytype(request->ktype, request->nktypes,
+ as_reply->enc_part.enctype)) {
+
+ return (KRB5_BAD_ENCTYPE);
+ }
+
if (key)
decrypt_key = key;
else {
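Review bot: The new check returns KRB5_BAD_ENCTYPE whenever is_in_keytype() returns 0, and that helper also returns 0 when request->ktype is NULL or request->nktypes is <= 0, so a request reaching this point with an empty enctype list would have every reply rejected. Please confirm request->ktype is always populated before decrypt_as_reply() runs, or handle the empty-list case explicitly here. Minor: drop the blank line after the opening brace and write `return KRB5_BAD_ENCTYPE;` to match the `return 0;` just above.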
--- src/lib/crypto/valid_enctype.c.orig Wed Nov 21 13:07:30 2001
+++ src/lib/crypto/valid_enctype.c Wed Nov 21 13:20:11 2001
@@ -40,3 +40,29 @@
return(0);
}
+
+/*
+ * is_in_keytype(): returns 1 if enctype == one of the enctypes in keytype
+ * otherwise 0 is returned.
+ */
+krb5_boolean KRB5_CALLCONV
+is_in_keytype(keytype, numkeytypes, enctype)
+ krb5_const krb5_enctype *keytype;
+ int numkeytypes;
+ krb5_enctype enctype;
+{
+ int i;
+
+ if (keytype == NULL || numkeytypes <= 0) {
+ return(0);
+ }
+
+ for (i = 0; i < numkeytypes; i++) {
+
+ if (keytype[i] == enctype) {
+ return(1);
+ }
+ }
+
+ return(0);
+}
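Review bot: The comment above is_in_keytype() documents only the match case; the early `return(0);` for keytype == NULL or numkeytypes <= 0 is behaviour the caller in get_in_tkt.c relies on and should be stated in that comment. The blank line directly after the opening brace of the for loop can also go.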
>Audit-Trail:
>Unformatted: