[3272] in Kerberos-V5-bugs


krb5-libs/1017: fix for decrypt_as_reply() enctype checking

daemon@ATHENA.MIT.EDU (william.fiveash@sun.com)
Wed Nov 21 15:22:04 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, william.fiveash@sun.com
Message-Id: <200111212021.fALKLVh24332@alton.central.sun.com>
Date: Wed, 21 Nov 2001 14:21:31 -0600 (CST)
From: william.fiveash@sun.com
Reply-To: william.fiveash@sun.com
To: krb5-bugs@mit.edu


>Number:         1017
>Category:       krb5-libs
>Synopsis:       decrypt_as_reply() should check enctype in as_reply
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Nov 21 15:22:00 EST 2001
>Last-Modified:
>Originator:     William Fiveash
>Organization:
    Sun Microsystems, Inc.
	
>Release:        krb5-current-20011119
>Environment:
	
System: SunOS alton 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

>Description:
    decrypt_as_reply() should verify that as_reply->enc_part.enctype is found in
    request->ktype.  This has the effect of verifying that the KDC used one of the
    enctypes in the original AS-REQ.
>How-To-Repeat:
    N/A
>Fix:

    Note this patch assumes that the decrypt_key's enctype is being set
    to as_reply->enc_part.enctype in krb5_ktfile_get_entry() as proposed
    in a patch by Tom Yu.  

    Here's a gnudiff -u patch:

--- src/include/krb5.h.orig	Wed Nov 21 13:16:00 2001
+++ src/include/krb5.h	Wed Nov 21 13:18:37 2001
@@ -536,6 +536,9 @@
 	(krb5_cksumtype ctype);
 krb5_boolean KRB5_CALLCONV is_keyed_cksum
 	(krb5_cksumtype ctype);
+krb5_boolean KRB5_CALLCONV is_in_keytype 
+	(krb5_const krb5_enctype *keytype, int numkeytypes, 
+	 krb5_enctype enctype);
 
 #ifdef KRB5_OLD_CRYPTO
 /*
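Review bot: The prototype added to src/include/krb5.h declares is_in_keytype() without a krb5_ prefix and without a comment describing its arguments or return value. The only caller visible in this patch is decrypt_as_reply(), so consider whether the helper needs to be declared in this header at all; if it stays, add a one-line comment saying it returns nonzero when enctype appears in the first numkeytypes entries of keytype. The first added line also ends in trailing whitespace.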
--- src/lib/krb5/krb/get_in_tkt.c.orig	Wed Nov 21 13:11:29 2001
+++ src/lib/krb5/krb/get_in_tkt.c	Wed Nov 21 13:12:51 2001
@@ -205,6 +205,15 @@
     if (as_reply->enc_part2)
 	return 0;
 
+    /* Verify that the enctype in the as_reply is one of those originally
+     * requested.
+     */
+    if (!is_in_keytype(request->ktype, request->nktypes, 
+		as_reply->enc_part.enctype)) {
+
+	return (KRB5_BAD_ENCTYPE);
+    }
+
     if (key)
 	    decrypt_key = key;
     else {
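Review bot: The enctype check in decrypt_as_reply() is placed after the "if (as_reply->enc_part2) return 0;" early return, so a reply whose enc_part2 is already populated returns success without as_reply->enc_part.enctype being compared against request->ktype. If the intent is that every AS-REP is checked against the requested list, move the check above that early return; otherwise add a comment explaining why an already-decrypted reply is exempt. The blank line after the opening brace of the new if block can also be dropped.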
--- src/lib/crypto/valid_enctype.c.orig	Wed Nov 21 13:07:30 2001
+++ src/lib/crypto/valid_enctype.c	Wed Nov 21 13:20:11 2001
@@ -40,3 +40,29 @@
 
     return(0);
 }
+
+/*
+ * is_in_keytype(): returns 1 if enctype == one of the enctypes in keytype
+ * otherwise 0 is returned.
+ */    
+krb5_boolean KRB5_CALLCONV
+is_in_keytype(keytype, numkeytypes, enctype)
+    krb5_const krb5_enctype	*keytype;
+    int				numkeytypes;
+    krb5_enctype		enctype;
+{
+    int i;
+
+    if (keytype == NULL || numkeytypes <= 0) {
+	return(0);
+    }
+
+    for (i = 0; i < numkeytypes; i++) {
+
+	if (keytype[i] == enctype) {
+	    return(1);
+	}
+    }
+
+    return(0);
+}
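Review bot: The comment above is_in_keytype() does not mention the guard at the top of the function: with keytype == NULL or numkeytypes <= 0 it returns 0, which the caller in get_in_tkt.c turns into KRB5_BAD_ENCTYPE. That fail-closed result is a sensible default, but it should be stated in the comment so callers know an unset request->ktype rejects every reply. The parameters hold a list of krb5_enctype values, so names such as enctypes and nenctypes would describe them better than keytype and numkeytypes, and the comment's closing line has trailing whitespace.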
>Audit-Trail:
>Unformatted:
