>>>>> "Jose" == Jose Marques <[EMAIL PROTECTED]> writes:

    Jose> On Fri, 14 Feb 2003, Sam Hartman wrote:
    >> The reason this security decrease is necessary is a rather
    >> unfortunate bug in both the MIT KDC and the MIT client
    >> codebase. It's bug 1006 in our database.
    >> 
    >> The only good news about this issue is that once the bug is
    >> fixed, upgrading either the KDC or the client should be
    >> sufficient to work around the problem.

    Jose> Can you tell me which version to update to?  At work we've


I thought my statement was fairly clear that the bug was still open.

Since then I have committed a patch to resolve the issue and this
patch should appear in Kerberos 1.3.  And before you ask, we have no
public statement on 1.3 release timelines.

I have enclosed the patch; please let us know if you find any
problems.

Index: lib/krb5/krb/ChangeLog
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/ChangeLog,v
retrieving revision 5.371
diff -u -r5.371 ChangeLog
--- lib/krb5/krb/ChangeLog      2003/02/13 20:09:21     5.371
+++ lib/krb5/krb/ChangeLog      2003/02/15 00:10:27
@@ -1,3 +1,8 @@
+2003-02-14  Sam Hartman  <[EMAIL PROTECTED]>
+
+       * preauth2.c (krb5_do_preauth): Sort incoming etype info based on
+       preference order in request  
+
 2003-02-13  Sam Hartman  <[EMAIL PROTECTED]>
 
        * gic_keytab.c (krb5_get_as_key_keytab): Nathan Neulinger points
Index: lib/krb5/krb/preauth2.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/preauth2.c,v
retrieving revision 5.20
diff -u -r5.20 preauth2.c
--- lib/krb5/krb/preauth2.c     2002/11/07 20:14:19     5.20
+++ lib/krb5/krb/preauth2.c     2003/02/15 00:10:27
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995 by the Massachusetts Institute of Technology.  All
+ * Copyright 1995, 2003 by the Massachusetts Institute of Technology.  All
  * Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -825,6 +825,76 @@
     },
 };
 
+static void
+sort_etype_info(krb5_context  context, krb5_kdc_req *request,
+                krb5_etype_info_entry **etype_info)
+{
+/* Originally adapted from a proposed solution in ticket 1006.  This
+ * solution  is  not efficient, but implementing an efficient sort
+ * with a comparison function based on order in the kdc request would
+ * be difficult.*/
+    krb5_etype_info_entry *tmp;
+    int i, j, e;
+    krb5_boolean similar;
+
+    if (etype_info == NULL)
+       return;
+
+    /* First, move up etype_info_entries whose enctype exactly matches a
+     * requested enctype.
+     */
+    e = 0;
+    for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
+    {
+       if (request->ktype[i] == etype_info[e]->etype)
+       {
+           e++;
+           continue;
+       }
+       for ( j = e+1 ; etype_info[j] ; j++ )
+           if (request->ktype[i] == etype_info[j]->etype)
+               break;
+       if (etype_info[j] == NULL)
+           continue;
+
+       tmp = etype_info[j];
+       etype_info[j] = etype_info[e];
+       etype_info[e] = tmp;
+       e++;
+    }
+
+    /* Then move up etype_info_entries whose enctype is similar to a
+     * requested enctype.
+     */
+    for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
+    {
+       if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, 
+&similar) != 0)
+           continue;
+
+       if (similar)
+       {
+           e++;
+           continue;
+       }
+       for ( j = e+1 ; etype_info[j] ; j++ )
+       {
+           if (krb5_c_enctype_compare(context, request->ktype[i], 
+etype_info[j]->etype, &similar) != 0)
+               continue;
+
+           if (similar)
+               break;
+       }
+       if (etype_info[j] == NULL)
+           continue;
+
+       tmp = etype_info[j];
+       etype_info[j] = etype_info[e];
+       etype_info[e] = tmp;
+       e++;
+    }
+}
+
+
 krb5_error_code
 krb5_do_preauth(krb5_context context,
                krb5_kdc_req *request,
@@ -891,6 +961,7 @@
                    etype_info = NULL;
                    break;
                }
+                sort_etype_info(context, request, etype_info);
                salt->data = (char *) etype_info[0]->salt;
                salt->length = etype_info[0]->length;
                *etype = etype_info[0]->etype;
Index: kdc/ChangeLog
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/ChangeLog,v
retrieving revision 5.247
diff -u -r5.247 ChangeLog
--- kdc/ChangeLog       2003/02/06 23:45:55     5.247
+++ kdc/ChangeLog       2003/02/15 00:10:27
@@ -1,3 +1,9 @@
+2003-02-14  Sam Hartman  <[EMAIL PROTECTED]>
+
+       * kdc_preauth.c (request_contains_enctype): New function
+       (get_etype_info): Use it to filter out enctypes not requested by
+       the client 
+
 2003-02-08  Ken Hornstein  <[EMAIL PROTECTED]>
 
        * Makefile.in, configure.in, fakeka.c: New file to implement
Index: kdc/kdc_preauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/kdc_preauth.c,v
retrieving revision 5.33
diff -u -r5.33 kdc_preauth.c
--- kdc/kdc_preauth.c   2003/01/21 19:02:58     5.33
+++ kdc/kdc_preauth.c   2003/02/15 00:10:27
@@ -1,7 +1,7 @@
 /*
  * kdc/kdc_preauth.c
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2003 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -431,6 +431,18 @@
     return (retval);
 }
 
+static krb5_boolean
+request_contains_enctype (krb5_context context,  const krb5_kdc_req *request,
+                         krb5_enctype enctype)
+{
+    int i;
+    for (i =0; i < request->nktypes; i++)
+       if (request->ktype[i] == enctype)
+           return 1;
+    return 0;
+}
+
+
 static krb5_error_code
 verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
                     krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
@@ -542,6 +554,13 @@
            db_etype = ENCTYPE_DES_CBC_CRC;
        
        while (1) {
+           if (!request_contains_enctype(context,
+                                         request, db_etype)) {
+               if (db_etype = ENCTYPE_DES_CBC_CRC)
+                    continue;
+                else break;
+            }
+
            if ((entry[i] = malloc(sizeof(krb5_etype_info_entry))) == NULL) {
                retval = ENOMEM;
                goto cleanup;

Attachment: msg03541/pgp00000.pgp
Description: PGP signature

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to