Bugzilla – Attachment 18169 Details for
Bug 52079
VUL-0: CVE-2004-0371: cross realm bug in heimdal
diff between 0.5.2 and 0.5.3, .c and .h files only
heimdal-0.5.2-0.5.3.patch (text/x-diff), 36.10 KB, created by
Vladimir Nadvornik
on 2004-04-08 21:10:55 UTC
Description:
diff between 0.5.2 and 0.5.3, .c and .h files only
Filename:
MIME Type:
Creator:
Vladimir Nadvornik
Created:
2004-04-08 21:10:55 UTC
Size:
36.10 KB
patch
obsolete
>diff -ruN heimdal-0.5.2/include/make_crypto.c heimdal-0.5.3/include/make_crypto.c
>--- heimdal-0.5.2/include/make_crypto.c 2003-03-17 07:58:18.000000000 +0100
>+++ heimdal-0.5.3/include/make_crypto.c 2004-02-16 19:32:49.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #ifdef HAVE_CONFIG_H
> #include <config.h>
>-RCSID("$Id: make_crypto.c,v 1.2.2.2 2003/03/17 06:58:18 assar Exp $");
>+RCSID("$Id: make_crypto.c,v 1.2.2.3 2004/02/16 18:32:49 lha Exp $");
> #endif
> #include <stdio.h>
> #include <string.h>
>@@ -60,7 +60,9 @@
> fprintf(f, "#ifndef __%s__\n", argv[1]);
> fprintf(f, "#define __%s__\n", argv[1]);
> #ifdef HAVE_OPENSSL
>+ fputs("#ifndef OPENSSL_DES_LIBDES_COMPATIBILITY\n", f);
> fputs("#define OPENSSL_DES_LIBDES_COMPATIBILITY\n", f);
>+ fputs("#endif\n", f);
> fputs("#include <openssl/des.h>\n", f);
> fputs("#include <openssl/rc4.h>\n", f);
> fputs("#include <openssl/md4.h>\n", f);
>diff -ruN heimdal-0.5.2/kdc/config.c heimdal-0.5.3/kdc/config.c
>--- heimdal-0.5.2/kdc/config.c 2003-03-17 07:46:55.000000000 +0100
>+++ heimdal-0.5.3/kdc/config.c 2004-02-16 20:08:49.000000000 +0100
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -35,7 +35,7 @@
> #include <getarg.h>
> #include <parse_bytes.h>
>
>-RCSID("$Id: config.c,v 1.43.2.1 2003/03/17 06:46:55 assar Exp $");
>+RCSID("$Id: config.c,v 1.43.2.2 2004/02/16 19:08:49 lha Exp $");
>
> static const char *config_file; /* location of kdc config file */
>
>@@ -64,6 +64,8 @@
> krb5_boolean check_ticket_addresses;
> krb5_boolean allow_null_ticket_addresses;
> krb5_boolean allow_anonymous;
>+int trpolicy;
>+static const char *trpolicy_str;
>
> static struct getarg_strings addresses_str; /* addresses to listen on */
> krb5_addresses explicit_addresses;
>@@ -292,9 +294,8 @@
>
> get_dbinfo();
>
>- if(max_request_str){
>+ if(max_request_str)
> max_request = parse_bytes(max_request_str, NULL);
>- }
>
> if(max_request == 0){
> p = krb5_config_get_string (context,
>@@ -365,6 +366,23 @@
> allow_anonymous =
> krb5_config_get_bool(context, NULL, "kdc",
> "allow-anonymous", NULL);
>+ trpolicy_str =
>+ krb5_config_get_string_default(context, NULL, "always-check", "kdc",
>+ "transited-policy", NULL);
>+ if(strcasecmp(trpolicy_str, "always-check") == 0)
>+ trpolicy = TRPOLICY_ALWAYS_CHECK;
>+ else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0)
>+ trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
>+ else if(strcasecmp(trpolicy_str, "always-honour-request") == 0)
>+ trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
>+ else {
>+ kdc_log(0, "unknown transited-policy: %s, reverting to always-check",
>+ trpolicy_str);
>+ trpolicy = TRPOLICY_ALWAYS_CHECK;
>+ }
>+
>+ krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
>+ "enforce-transited-policy", NULL);
> #ifdef KRB4
> if(v4_realm == NULL){
> p = krb5_config_get_string (context, NULL,
>diff -ruN heimdal-0.5.2/kdc/kaserver.c heimdal-0.5.3/kdc/kaserver.c
>--- heimdal-0.5.2/kdc/kaserver.c 2002-10-21 16:30:51.000000000 +0200
>+++ heimdal-0.5.3/kdc/kaserver.c 2004-02-16 19:26:52.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #include "kdc_locl.h"
>
>-RCSID("$Id: kaserver.c,v 1.20.2.1 2002/10/21 14:30:51 joda Exp $");
>+RCSID("$Id: kaserver.c,v 1.20.2.2 2004/02/16 18:26:52 lha Exp $");
>
>
> #include <rx.h>
>@@ -402,6 +402,10 @@
>
> unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
> &request, &max_seq_len);
>+ if (request.length < 8) {
>+ make_error_reply (hdr, KABADREQUEST, reply);
>+ goto out;
>+ }
>
> snprintf (client_name, sizeof(client_name), "%s.%s@%s",
> name, instance, v4_realm);
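Review bot: The result of `krb5_config_get_bool_default(context, NULL, TRUE, "kdc", "enforce-transited-policy", NULL)` at the end of the `@@ -365` hunk is discarded, so the `enforce-transited-policy` option is parsed but never influences anything; either store it in a file-scope variable the TGS path consults, as `trpolicy` is, or remove the call so operators do not believe the setting is honoured. The fallback for an unrecognised `transited-policy` value reverts to the strictest policy, which is the right default and deserves a one-line comment at the `else` branch: `/* unknown value: fail closed to always-check */`. The enclosing configuration function starts and ends outside the hunk.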
>@@ -600,6 +604,11 @@
>
> unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
> &name, &instance, ×, &max_seq_len);
>+ if (times.length < 8) {
>+ make_error_reply (hdr, KABADREQUEST, reply);
>+ goto out;
>+
>+ }
>
> snprintf (server_name, sizeof(server_name),
> "%s.%s@%s", name, instance, v4_realm);
>diff -ruN heimdal-0.5.2/kdc/kdc_locl.h heimdal-0.5.3/kdc/kdc_locl.h
>--- heimdal-0.5.2/kdc/kdc_locl.h 2003-03-17 07:47:23.000000000 +0100
>+++ heimdal-0.5.3/kdc/kdc_locl.h 2004-02-16 19:24:43.000000000 +0100
>@@ -32,7 +32,7 @@
> */
>
> /*
>- * $Id: kdc_locl.h,v 1.54.2.1 2003/03/17 06:47:23 assar Exp $
>+ * $Id: kdc_locl.h,v 1.54.2.2 2004/02/16 18:24:43 lha Exp $
> */
>
> #ifndef __KDC_LOCL_H__
>@@ -62,6 +62,11 @@
> extern krb5_boolean check_ticket_addresses;
> extern krb5_boolean allow_null_ticket_addresses;
> extern krb5_boolean allow_anonymous;
>+enum { TRPOLICY_ALWAYS_CHECK,
>+ TRPOLICY_ALLOW_PER_PRINCIPAL,
>+ TRPOLICY_ALWAYS_HONOUR_REQUEST };
>+extern int trpolicy;
>+extern int enable_v4_cross_realm;
>
> #ifdef KRB4
> extern char *v4_realm;
>diff -ruN heimdal-0.5.2/kdc/kerberos4.c heimdal-0.5.3/kdc/kerberos4.c
>--- heimdal-0.5.2/kdc/kerberos4.c 2003-03-17 07:47:31.000000000 +0100
>+++ heimdal-0.5.3/kdc/kerberos4.c 2004-03-31 11:02:10.000000000 +0200
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -33,7 +33,7 @@
>
> #include "kdc_locl.h"
>
>-RCSID("$Id: kerberos4.c,v 1.41.4.1 2003/03/17 06:47:31 assar Exp $");
>+RCSID("$Id: kerberos4.c,v 1.41.4.2 2004/03/31 09:02:10 lha Exp $");
>
> #ifdef KRB4
>
>@@ -194,7 +194,7 @@
> char *name = NULL, *inst = NULL, *realm = NULL;
> char *sname = NULL, *sinst = NULL;
> int32_t req_time;
>- time_t max_life;
>+ time_t max_life, max_end, actual_end, issue_time;
> u_int8_t life;
> char client_name[256];
> char server_name[256];
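Review bot: The `times.length < 8` block in the `@@ -600` hunk carries an empty line before its closing brace, unlike the otherwise identical `request.length < 8` block in the `@@ -402` hunk; drop it so the two length guards read the same. Both use a bare `8` for the minimum payload; a shared named constant with a comment on what the eight bytes hold would keep the two checks from drifting. The enclosing function starts and ends outside the hunk.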
>@@ -485,30 +485,36 @@
> goto out2;
> }
>
>- max_life = krb_life_to_time(ad.time_sec, ad.life);
>- max_life = min(max_life, krb_life_to_time(kdc_time, life));
>- life = min(life, krb_time_to_life(kdc_time, max_life));
>- max_life = krb_life_to_time(0, life);
>-#if 0
>- if(client->max_life)
>- max_life = min(max_life, *client->max_life);
>-#endif
>- if(server->max_life)
>- max_life = min(max_life, *server->max_life);
>-
>+ max_end = krb_life_to_time(ad.time_sec, ad.life);
>+ max_end = min(max_end, krb_life_to_time(kdc_time, life));
>+ life = min(life, krb_time_to_life(kdc_time, max_end));
>+
>+ issue_time = kdc_time;
>+ actual_end = krb_life_to_time(issue_time, life);
>+ while (actual_end > max_end && life > 1) {
>+ /* move them into the next earlier lifetime bracket */
>+ life--;
>+ actual_end = krb_life_to_time(issue_time, life);
>+ }
>+ if (actual_end > max_end) {
>+ /* if life <= 1 and it's still too long, backdate the ticket */
>+ issue_time -= actual_end - max_end;
>+ }
>+
> {
> KTEXT_ST cipher, ticket;
> KTEXT r;
> des_cblock session;
> des_new_random_key(&session);
> krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
>- addr->sin_addr.s_addr, &session, life, kdc_time,
>+ addr->sin_addr.s_addr, &session, life,
>+ issue_time,
> sname, sinst, skey->key.keyvalue.data);
>
> create_ciph(&cipher, session, sname, sinst, v4_realm,
> life, server->kvno % 256, &ticket,
>- kdc_time, &ad.session);
>-
>+ issue_time, &ad.session);
>+
> memset(&session, 0, sizeof(session));
> memset(ad.session, 0, sizeof(ad.session));
>
>diff -ruN heimdal-0.5.2/kdc/kerberos5.c heimdal-0.5.3/kdc/kerberos5.c
>--- heimdal-0.5.2/kdc/kerberos5.c 2002-09-09 16:03:02.000000000 +0200
>+++ heimdal-0.5.3/kdc/kerberos5.c 2004-02-16 19:23:20.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #include "kdc_locl.h"
>
>-RCSID("$Id: kerberos5.c,v 1.143 2002/09/09 14:03:02 nectar Exp $");
>+RCSID("$Id: kerberos5.c,v 1.143.2.1 2004/02/16 18:23:20 lha Exp $");
>
> #define MAX_TIME ((time_t)((1U << 31) - 1))
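Review bot: `max_life` is kept in the declaration changed by the `@@ -194` hunk but is no longer referenced in the rewritten lifetime computation; if its remaining uses elsewhere in the function (outside the hunk) are gone as well, it is a dead variable and should be dropped from that declaration. The hunk also silently drops the `server->max_life` clamp that the removed lines applied; if that cap is now enforced earlier in the function, a one-line comment here would spare the reader the search, otherwise it is a behaviour change the commit does not mention. The backdating branch changes the issue time the client sees, so its intent is worth stating above the `while`: `/* v4 lifetimes are coarse brackets: shorten life, then backdate, so the ticket never outlives max_end */`. The enclosing function starts and ends outside the hunk.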
>
>@@ -355,10 +355,13 @@
>
> if(n != pa.len) {
> char *name;
>- krb5_unparse_name(context, client->principal, &name);
>+ ret = krb5_unparse_name(context, client->principal, &name);
>+ if (ret)
>+ name = "<unparse_name failed>";
> kdc_log(0, "internal error in get_pa_etype_info(%s): %d != %d",
> name, n, pa.len);
>- free(name);
>+ if (ret == 0)
>+ free(name);
> pa.len = n;
> }
>
>@@ -496,8 +499,8 @@
> krb5_enctype cetype, setype;
> EncTicketPart et;
> EncKDCRepPart ek;
>- krb5_principal client_princ, server_princ;
>- char *client_name, *server_name;
>+ krb5_principal client_princ = NULL, server_princ = NULL;
>+ char *client_name = NULL, *server_name = NULL;
> krb5_error_code ret = 0;
> const char *e_text = NULL;
> krb5_crypto crypto;
>@@ -506,28 +509,32 @@
> memset(&rep, 0, sizeof(rep));
>
> if(b->sname == NULL){
>- server_name = "<unknown server>";
> ret = KRB5KRB_ERR_GENERIC;
> e_text = "No server in request";
> } else{
> principalname2krb5_principal (&server_princ, *(b->sname), b->realm);
>- krb5_unparse_name(context, server_princ, &server_name);
>+ ret = krb5_unparse_name(context, server_princ, &server_name);
>+ }
>+ if (ret) {
>+ kdc_log(0, "AS-REQ malformed server name from %s", from);
>+ goto out;
> }
>
> if(b->cname == NULL){
>- client_name = "<unknown client>";
> ret = KRB5KRB_ERR_GENERIC;
> e_text = "No client in request";
> } else {
> principalname2krb5_principal (&client_princ, *(b->cname), b->realm);
>- krb5_unparse_name(context, client_princ, &client_name);
>+ ret = krb5_unparse_name(context, client_princ, &client_name);
> }
>+ if (ret) {
>+ kdc_log(0, "AS-REQ malformed client name from %s", from);
>+ goto out;
>+ }
>+
> kdc_log(0, "AS-REQ %s from %s for %s",
> client_name, from, server_name);
>
>- if(ret)
>- goto out;
>-
> ret = db_fetch(client_princ, &client);
> if(ret){
> kdc_log(0, "UNKNOWN -- %s: %s", client_name,
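Review bot: In the `@@ -355` hunk `ret` now holds the result of `krb5_unparse_name` after the log line, and the hunk leaves it set when the unparse fails; unless `ret` is reassigned before the function returns (outside the hunk), a failure to format a name for a diagnostic turns a log-only branch into a failed reply. Keeping the diagnostic result in its own local, `krb5_error_code name_ret = krb5_unparse_name(context, client->principal, &name);`, and using `name_ret` for both the fallback string and the conditional `free(name)` avoids touching the function's status. The enclosing function starts and ends outside the hunk.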
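Review bot: In the `@@ -506` hunk the `if (ret)` block logs `"AS-REQ malformed server name from %s"` for both a missing `sname` and an unparse failure, although `e_text` already distinguishes the first case as "No server in request"; the client branch has the same issue. Logging the available reason keeps the KDC log useful when triaging rejected requests, e.g. `kdc_log(0, "AS-REQ %s from %s", e_text ? e_text : "malformed server name", from);`. The return value of `principalname2krb5_principal` is still unchecked before `krb5_unparse_name` is handed the principal, which the hunk does not change. The enclosing function starts and ends outside the hunk.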
>@@ -559,7 +566,6 @@
> while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
> krb5_data ts_data;
> PA_ENC_TS_ENC p;
>- time_t patime;
> size_t len;
> EncryptedData enc_data;
> Key *pa_key;
>@@ -635,7 +641,6 @@
> client_name);
> continue;
> }
>- patime = p.patimestamp;
> free_PA_ENC_TS_ENC(&p);
> if (abs(kdc_time - p.patimestamp) > context->max_skew) {
> ret = KRB5KDC_ERR_PREAUTH_FAILED;
>@@ -716,9 +721,10 @@
> if (ret == 0) {
> kdc_log(5, "Using %s/%s", cet, set);
> free(set);
>- } else
>- free(cet);
>- } else
>+ }
>+ free(cet);
>+ }
>+ if (ret != 0)
> kdc_log(5, "Using e-types %d/%d", cetype, setype);
> }
>
>@@ -841,13 +847,8 @@
> copy_HostAddresses(b->addresses, et.caddr);
> }
>
>- {
>- krb5_data empty_string;
>-
>- krb5_data_zero(&empty_string);
>- et.transited.tr_type = DOMAIN_X500_COMPRESS;
>- et.transited.contents = empty_string;
>- }
>+ et.transited.tr_type = DOMAIN_X500_COMPRESS;
>+ krb5_data_zero(&et.transited.contents);
>
> copy_EncryptionKey(&et.key, &ek.key);
>
>@@ -914,8 +915,8 @@
> client->kvno, &ckey->key, &e_text, reply);
> free_EncTicketPart(&et);
> free_EncKDCRepPart(&ek);
>- free_AS_REP(&rep);
> out:
>+ free_AS_REP(&rep);
> if(ret){
> krb5_mk_error(context,
> ret,
>@@ -929,9 +930,11 @@
> ret = 0;
> }
> out2:
>- krb5_free_principal(context, client_princ);
>+ if (client_princ)
>+ krb5_free_principal(context, client_princ);
> free(client_name);
>- krb5_free_principal(context, server_princ);
>+ if (server_princ)
>+ krb5_free_principal(context, server_princ);
> free(server_name);
> if(client)
> free_ent(client);
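Review bot: With `patime` removed in the `@@ -635` hunk, `p.patimestamp` is read on the line after `free_PA_ENC_TS_ENC(&p)`; that is sound only if `patimestamp` is a scalar member that the free routine leaves untouched, and nothing at the call site records that assumption. Either move `free_PA_ENC_TS_ENC(&p);` below the skew check, or keep the order and add `/* patimestamp is a plain integer; free_PA_ENC_TS_ENC only releases pointer members */` above it. The enclosing loop starts and ends outside the hunk.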
>@@ -1054,33 +1057,35 @@
> }
>
> static krb5_error_code
>-fix_transited_encoding(TransitedEncoding *tr,
>+fix_transited_encoding(krb5_boolean check_policy,
>+ TransitedEncoding *tr,
>+ EncTicketPart *et,
> const char *client_realm,
> const char *server_realm,
> const char *tgt_realm)
> {
> krb5_error_code ret = 0;
>- if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)){
>- char **realms = NULL, **tmp;
>- int num_realms = 0;
>- int i;
>- if(tr->tr_type && tr->contents.length != 0) {
>- if(tr->tr_type != DOMAIN_X500_COMPRESS){
>- kdc_log(0, "Unknown transited type: %u",
>- tr->tr_type);
>- return KRB5KDC_ERR_TRTYPE_NOSUPP;
>- }
>- ret = krb5_domain_x500_decode(context,
>- tr->contents,
>- &realms,
>- &num_realms,
>- client_realm,
>- server_realm);
>- if(ret){
>- krb5_warn(context, ret, "Decoding transited encoding");
>- return ret;
>- }
>- }
>+ char **realms, **tmp;
>+ int num_realms;
>+ int i;
>+
>+ if(tr->tr_type != DOMAIN_X500_COMPRESS) {
>+ kdc_log(0, "Unknown transited type: %u", tr->tr_type);
>+ return KRB5KDC_ERR_TRTYPE_NOSUPP;
>+ }
>+
>+ ret = krb5_domain_x500_decode(context,
>+ tr->contents,
>+ &realms,
>+ &num_realms,
>+ client_realm,
>+ server_realm);
>+ if(ret){
>+ krb5_warn(context, ret, "Decoding transited encoding");
>+ return ret;
>+ }
>+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
>+ /* not us, so add the previous realm to transited set */
> if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
> ret = ERANGE;
> goto free_realms;
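Review bot: The rewrite drops the `tr->tr_type && tr->contents.length != 0` guard, so a TGT whose transited field has any type other than `DOMAIN_X500_COMPRESS` is now rejected with `KRB5KDC_ERR_TRTYPE_NOSUPP` even when its contents are empty; Heimdal's own AS path sets `DOMAIN_X500_COMPRESS` (see the `@@ -841` hunk), but a TGT from a KDC that leaves the type at 0 with empty contents would presumably start failing here. If that is intended, a comment at the check prevents the next reader from "fixing" it: `/* an empty transited list must still be typed X500-compress; nothing else is decodable here */`. `realms` and `num_realms` are now uninitialised until `krb5_domain_x500_decode` returns, which is safe only because every failure before the `free_realms` label returns directly; the rest of the function is in the next hunk.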
>@@ -1097,16 +1102,46 @@
> goto free_realms;
> }
> num_realms++;
>- free_TransitedEncoding(tr);
>- tr->tr_type = DOMAIN_X500_COMPRESS;
>- ret = krb5_domain_x500_encode(realms, num_realms, &tr->contents);
>- if(ret)
>- krb5_warn(context, ret, "Encoding transited encoding");
>- free_realms:
>+ }
>+ if(num_realms == 0) {
>+ if(strcmp(client_realm, server_realm))
>+ kdc_log(0, "cross-realm %s -> %s", client_realm, server_realm);
>+ } else {
>+ size_t l = 0;
>+ char *rs;
> for(i = 0; i < num_realms; i++)
>- free(realms[i]);
>- free(realms);
>+ l += strlen(realms[i]) + 2;
>+ rs = malloc(l);
>+ if(rs != NULL) {
>+ *rs = '\0';
>+ for(i = 0; i < num_realms; i++) {
>+ if(i > 0)
>+ strlcat(rs, ", ", l);
>+ strlcat(rs, realms[i], l);
>+ }
>+ kdc_log(0, "cross-realm %s -> %s via [%s]", client_realm, server_realm, rs);
>+ free(rs);
>+ }
> }
>+ if(check_policy) {
>+ ret = krb5_check_transited(context, client_realm,
>+ server_realm,
>+ realms, num_realms, NULL);
>+ if(ret) {
>+ krb5_warn(context, ret, "cross-realm %s -> %s",
>+ client_realm, server_realm);
>+ goto free_realms;
>+ }
>+ et->flags.transited_policy_checked = 1;
>+ }
>+ et->transited.tr_type = DOMAIN_X500_COMPRESS;
>+ ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents);
>+ if(ret)
>+ krb5_warn(context, ret, "Encoding transited encoding");
>+ free_realms:
>+ for(i = 0; i < num_realms; i++)
>+ free(realms[i]);
>+ free(realms);
> return ret;
> }
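Review bot: When `check_policy` is false the ticket is issued with `transited_policy_checked` left clear, and enforcement is deferred to the service side in `krb5_decrypt_ticket` (rd_req.c hunk `@@ -161`); that division of responsibility is the heart of the fix and should be stated at the `if(check_policy)` line, e.g. `/* unchecked tickets leave transited_policy_checked == 0 so krb5_decrypt_ticket re-checks them */`. The log-buffer sizing `l += strlen(realms[i]) + 2` reserves two bytes per realm, which covers the `", "` separators plus the NUL for `strlcat`; a note `/* 2 = ", " per realm, the spare slot covers the NUL */` keeps someone from tightening it. The function's header is in the previous hunk.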
>
>@@ -1172,18 +1207,35 @@
>
> ret = check_tgs_flags(b, tgt, &et);
> if(ret)
>- return ret;
>+ goto out;
>
>- copy_TransitedEncoding(&tgt->transited, &et.transited);
>- ret = fix_transited_encoding(&et.transited,
>+ /* We should check the transited encoding if:
>+ 1) the request doesn't ask not to be checked
>+ 2) globally enforcing a check
>+ 3) principal requires checking
>+ 4) we allow non-check per-principal, but principal isn't marked as allowing this
>+ 5) we don't globally allow this
>+ */
>+
>+#define GLOBAL_FORCE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_CHECK)
>+#define GLOBAL_ALLOW_PER_PRINCIPAL (trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
>+#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK (trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
>+/* these will consult the database in future release */
>+#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
>+#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
>+
>+ ret = fix_transited_encoding(!f.disable_transited_check ||
>+ GLOBAL_FORCE_TRANSITED_CHECK ||
>+ PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
>+ !((GLOBAL_ALLOW_PER_PRINCIPAL &&
>+ PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
>+ GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
>+ &tgt->transited, &et,
> *krb5_princ_realm(context, client_principal),
> *krb5_princ_realm(context, server->principal),
> *krb5_princ_realm(context, krbtgt->principal));
>- if(ret){
>- free_TransitedEncoding(&et.transited);
>- return ret;
>- }
>-
>+ if(ret)
>+ goto out;
>
> copy_Realm(krb5_princ_realm(context, server->principal),
> &rep.ticket.realm);
>@@ -1278,7 +1330,7 @@
> DES3? */
> ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 0 : server->kvno, ekey,
> 0, &tgt->key, e_text, reply);
>-out:
>+ out:
> free_TGS_REP(&rep);
> free_TransitedEncoding(&et.transited);
> if(et.starttime)
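Review bot: The five `#define`s are introduced in the middle of the function body and never `#undef`'d, so they stay visible for the rest of the translation unit, and the two `PRINCIPAL_*` macros ignore their `(P)` argument, which no compiler warning will point out; since `trpolicy` is file-visible, `static inline` helpers next to the `TRPOLICY_*` enum would express the same policy with type checking and a single place to wire in the database lookup the comment promises. The early `goto out` after `check_tgs_flags` now reaches `free_TransitedEncoding(&et.transited)` at the `@@ -1278` hunk before `fix_transited_encoding` has filled `et.transited`; that is safe only if `et` is zeroed near the top of the function (outside the hunk), which is worth confirming and recording at the label with `/* et is zero-initialised above, so freeing it here is safe on every path */`. The enclosing function starts and ends outside the hunk.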
>@@ -1380,13 +1432,13 @@
> }
>
> static Realm
>-find_rpath(Realm r)
>+find_rpath(Realm crealm, Realm srealm)
> {
> const char *new_realm = krb5_config_get_string(context,
> NULL,
>- "libdefaults",
>- "capath",
>- r,
>+ "capaths",
>+ crealm,
>+ srealm,
> NULL);
> return (Realm)new_realm;
> }
>@@ -1456,10 +1508,14 @@
>
> if(ret) {
> char *p;
>- krb5_unparse_name(context, princ, &p);
>+ ret = krb5_unparse_name(context, princ, &p);
>+ if (ret != 0)
>+ p = "<unparse_name failed>";
>+ krb5_free_principal(context, princ);
> kdc_log(0, "Ticket-granting ticket not found in database: %s: %s",
> p, krb5_get_err_text(context, ret));
>- free(p);
>+ if (ret == 0)
>+ free(p);
> ret = KRB5KRB_AP_ERR_NOT_US;
> goto out2;
> }
>@@ -1468,12 +1524,16 @@
> *ap_req.ticket.enc_part.kvno != krbtgt->kvno){
> char *p;
>
>- krb5_unparse_name (context, princ, &p);
>+ ret = krb5_unparse_name (context, princ, &p);
>+ krb5_free_principal(context, princ);
>+ if (ret != 0)
>+ p = "<unparse_name failed>";
> kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)",
> *ap_req.ticket.enc_part.kvno,
> krbtgt->kvno,
> p);
>- free (p);
>+ if (ret == 0)
>+ free (p);
> ret = KRB5KRB_AP_ERR_BADKEYVER;
> goto out2;
> }
>@@ -1657,9 +1717,13 @@
> }
>
> principalname2krb5_principal(&sp, *s, r);
>- krb5_unparse_name(context, sp, &spn);
>+ ret = krb5_unparse_name(context, sp, &spn);
>+ if (ret)
>+ goto out;
> principalname2krb5_principal(&cp, tgt->cname, tgt->crealm);
>- krb5_unparse_name(context, cp, &cpn);
>+ ret = krb5_unparse_name(context, cp, &cpn);
>+ if (ret)
>+ goto out;
> unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units,
> opt_str, sizeof(opt_str));
> if(*opt_str)
>@@ -1676,7 +1740,7 @@
>
> if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
> if(loop++ < 2) {
>- new_rlm = find_rpath(req_rlm);
>+ new_rlm = find_rpath(tgt->crealm, req_rlm);
> if(new_rlm) {
> kdc_log(5, "krbtgt for realm %s not found, trying %s",
> req_rlm, new_rlm);
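Review bot: In the `@@ -1456` hunk `ret = krb5_unparse_name(context, princ, &p)` overwrites the lookup error before `krb5_get_err_text(context, ret)` is evaluated for the log call, so the "Ticket-granting ticket not found in database" line now prints the text for the unparse result (normally success) instead of the reason the fetch failed. Keep the diagnostic result separate: `krb5_error_code uret = krb5_unparse_name(context, princ, &p);` and use `uret` for the fallback string and the conditional `free(p)`, leaving `ret` intact for the log. The `@@ -1468` hunk has the same overwrite but does not log `ret`, so there it is only a style point. The enclosing function starts and ends outside the hunk.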
>@@ -1684,7 +1748,9 @@
> free(spn);
> krb5_make_principal(context, &sp, r,
> KRB5_TGS_NAME, new_rlm, NULL);
>- krb5_unparse_name(context, sp, &spn);
>+ ret = krb5_unparse_name(context, sp, &spn);
>+ if (ret)
>+ goto out;
> goto server_lookup;
> }
> }
>@@ -1697,7 +1763,9 @@
> free(spn);
> krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
> realms[0], NULL);
>- krb5_unparse_name(context, sp, &spn);
>+ ret = krb5_unparse_name(context, sp, &spn);
>+ if (ret)
>+ goto out;
> krb5_free_host_realm(context, realms);
> goto server_lookup;
> }
>@@ -1725,6 +1793,18 @@
> }
> #endif
>
>+ if(strcmp(krb5_principal_get_realm(context, sp),
>+ krb5_principal_get_comp_string(context, krbtgt->principal, 1)) != 0) {
>+ char *tpn;
>+ ret = krb5_unparse_name(context, krbtgt->principal, &tpn);
>+ kdc_log(0, "Request with wrong krbtgt: %s", (ret == 0) ? tpn : "<unknown>");
>+ if(ret == 0)
>+ free(tpn);
>+ ret = KRB5KRB_AP_ERR_NOT_US;
>+ goto out;
>+
>+ }
>+
> ret = check_flags(client, cpn, server, spn, FALSE);
> if(ret)
> goto out;
>diff -ruN heimdal-0.5.2/kdc/524.c heimdal-0.5.3/kdc/524.c
>--- heimdal-0.5.2/kdc/524.c 2003-03-17 07:46:44.000000000 +0100
>+++ heimdal-0.5.3/kdc/524.c 2003-03-18 16:05:27.000000000 +0100
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -33,7 +33,7 @@
>
> #include "kdc_locl.h"
>
>-RCSID("$Id: 524.c,v 1.25.4.1 2003/03/17 06:46:44 assar Exp $");
>+RCSID("$Id: 524.c,v 1.25.4.3 2003/03/18 15:05:27 joda Exp $");
>
> #ifdef KRB4
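Review bot: The new check in the `@@ -1725` hunk compares the requested server's realm with component 1 of `krbtgt->principal`, which relies on the two-component `krbtgt/REALM` naming and is the line that refuses a TGT from one realm being used to obtain service tickets in another; nothing at the condition says so, and it reads as an incidental sanity check. A comment such as `/* the TGT presented must belong to the realm the requested service is in */` records the intent, and the stray blank line before the closing brace should go. Comparing realms with `strcmp` is correct, since Kerberos realm names are case-sensitive. The enclosing function starts and ends outside the hunk.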
>
>@@ -254,7 +254,9 @@
> if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
> kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
> t->realm);
>- return KRB5KDC_ERR_POLICY;
>+ free_EncTicketPart(&et);
>+ ret = KRB5KDC_ERR_POLICY;
>+ goto out;
> }
>
> ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
>diff -ruN heimdal-0.5.2/lib/asn1/der_free.c heimdal-0.5.3/lib/asn1/der_free.c
>--- heimdal-0.5.2/lib/asn1/der_free.c 2001-09-25 15:39:26.000000000 +0200
>+++ heimdal-0.5.3/lib/asn1/der_free.c 2004-02-16 19:36:48.000000000 +0100
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -33,22 +33,25 @@
>
> #include "der_locl.h"
>
>-RCSID("$Id: der_free.c,v 1.8 2001/09/25 13:39:26 assar Exp $");
>+RCSID("$Id: der_free.c,v 1.8.4.1 2004/02/16 18:36:48 lha Exp $");
>
> void
> free_general_string (general_string *str)
> {
> free(*str);
>+ *str = NULL;
> }
>
> void
> free_octet_string (octet_string *k)
> {
> free(k->data);
>+ k->data = NULL;
> }
>
> void
> free_oid (oid *k)
> {
> free(k->components);
>+ k->components = NULL;
> }
>diff -ruN heimdal-0.5.2/lib/asn1/der_length.c heimdal-0.5.3/lib/asn1/der_length.c
>--- heimdal-0.5.2/lib/asn1/der_length.c 2001-09-25 15:39:26.000000000 +0200
>+++ heimdal-0.5.3/lib/asn1/der_length.c 2004-02-16 19:40:13.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #include "der_locl.h"
>
>-RCSID("$Id: der_length.c,v 1.12 2001/09/25 13:39:26 assar Exp $");
>+RCSID("$Id: der_length.c,v 1.12.4.1 2004/02/16 18:40:13 lha Exp $");
>
> static size_t
> len_unsigned (unsigned val)
>@@ -50,21 +50,28 @@
> static size_t
> len_int (int val)
> {
>- size_t ret = 0;
>-
>- if (val == 0)
>- return 1;
>- while (val > 255 || val < -255) {
>- ++ret;
>- val /= 256;
>- }
>- if (val != 0) {
>- ++ret;
>- if ((signed char)val != val)
>- ++ret;
>- val /= 256;
>- }
>- return ret;
>+ unsigned char q;
>+ size_t ret = 0;
>+
>+ if (val >= 0) {
>+ do {
>+ q = val % 256;
>+ ret++;
>+ val /= 256;
>+ } while(val);
>+ if(q >= 128)
>+ ret++;
>+ } else {
>+ val = ~val;
>+ do {
>+ q = ~(val % 256);
>+ ret++;
>+ val /= 256;
>+ } while(val);
>+ if(q < 128)
>+ ret++;
>+ }
>+ return ret;
> }
>
> static size_t
>diff -ruN heimdal-0.5.2/lib/asn1/gen_free.c heimdal-0.5.3/lib/asn1/gen_free.c
>--- heimdal-0.5.2/lib/asn1/gen_free.c 2001-09-25 15:39:26.000000000 +0200
>+++ heimdal-0.5.3/lib/asn1/gen_free.c 2004-02-16 19:41:55.000000000 +0100
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -33,7 +33,7 @@
>
> #include "gen_locl.h"
>
>-RCSID("$Id: gen_free.c,v 1.9 2001/09/25 13:39:26 assar Exp $");
>+RCSID("$Id: gen_free.c,v 1.9.4.1 2004/02/16 18:41:55 lha Exp $");
>
> static void
> free_primitive (const char *typename, const char *name)
>@@ -82,7 +82,8 @@
> if(m->optional)
> fprintf(codefile,
> "free(%s);\n"
>- "}\n",s);
>+ "%s = NULL;\n"
>+ "}\n", s, s);
> if (tag == -1)
> tag = m->val;
> free (s);
>@@ -100,7 +101,8 @@
> "}\n",
> name);
> fprintf(codefile,
>- "free((%s)->val);\n", name);
>+ "free((%s)->val);\n"
>+ "(%s)->val = NULL;\n", name, name);
> free(n);
> break;
> }
>diff -ruN heimdal-0.5.2/lib/kadm5/chpass_s.c heimdal-0.5.3/lib/kadm5/chpass_s.c
>--- heimdal-0.5.2/lib/kadm5/chpass_s.c 2001-01-30 02:24:28.000000000 +0100
>+++ heimdal-0.5.3/lib/kadm5/chpass_s.c 2004-02-16 19:47:01.000000000 +0100
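Review bot: The negative branch of the rewritten `len_int` (`val = ~val`, then `q = ~(val % 256)`) is correct but unexplained, and the function has no contract comment at all, so the next reader has to re-derive why `~val` is used instead of `-val` (it cannot overflow for `INT_MIN`) and why `q` decides whether an extra byte is needed. A header such as `/* Number of content bytes needed to DER-encode val; one extra byte is added when the top bit of the most significant byte would misstate the sign. */` plus `/* ~val is non-negative, so the division loop is well-defined for INT_MIN; q is the last byte of the original value */` at the `else` would make the change reviewable. `val == 0` is now covered by the `do`/`while` without the old special case, which the hunk does not mention.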
>@@ -33,7 +33,7 @@
>
> #include "kadm5_locl.h"
>
>-RCSID("$Id: chpass_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
>+RCSID("$Id: chpass_s.c,v 1.13.6.1 2004/02/16 18:47:01 lha Exp $");
>
> static kadm5_ret_t
> change(void *server_handle,
>@@ -53,7 +53,7 @@
> if(ret)
> return ret;
> ret = context->db->fetch(context->context, context->db,
>- 0, &ent);
>+ HDB_F_DECRYPT, &ent);
> if(ret == HDB_ERR_NOENTRY)
> goto out;
>
>@@ -73,8 +73,11 @@
> keys, num_keys);
> _kadm5_free_keys (server_handle, num_keys, keys);
>
>- if (cmp == 0)
>+ if (cmp == 0) {
>+ krb5_set_error_string(context->context, "Password reuse forbidden");
>+ ret = KADM5_PASS_REUSE;
> goto out2;
>+ }
>
> ret = _kadm5_set_modifier(context, &ent);
> if(ret)
>diff -ruN heimdal-0.5.2/lib/kadm5/ipropd_slave.c heimdal-0.5.3/lib/kadm5/ipropd_slave.c
>--- heimdal-0.5.2/lib/kadm5/ipropd_slave.c 2002-10-21 18:06:25.000000000 +0200
>+++ heimdal-0.5.3/lib/kadm5/ipropd_slave.c 2004-02-16 19:49:05.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #include "iprop.h"
>
>-RCSID("$Id: ipropd_slave.c,v 1.26.2.1 2002/10/21 16:06:25 joda Exp $");
>+RCSID("$Id: ipropd_slave.c,v 1.26.2.2 2004/02/16 18:49:05 lha Exp $");
>
> static krb5_log_facility *log_facility;
>
>@@ -301,12 +301,14 @@
>
> krb5_data_free (&data);
>
>- ret = mydb->close (context, mydb);
>- if (ret)
>- krb5_err (context, 1, ret, "db->close");
> ret = mydb->rename (context, mydb, server_context->db->name);
> if (ret)
> krb5_err (context, 1, ret, "db->rename");
>+
>+ ret = mydb->close (context, mydb);
>+ if (ret)
>+ krb5_err (context, 1, ret, "db->close");
>+
> ret = mydb->destroy (context, mydb);
> if (ret)
> krb5_err (context, 1, ret, "db->destroy");
>diff -ruN heimdal-0.5.2/lib/krb5/crypto.c heimdal-0.5.3/lib/krb5/crypto.c
>--- heimdal-0.5.2/lib/krb5/crypto.c 2002-09-03 21:58:15.000000000 +0200
>+++ heimdal-0.5.3/lib/krb5/crypto.c 2004-02-16 19:54:49.000000000 +0100
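Review bot: The `@@ -53` hunk switches the fetch to `HDB_F_DECRYPT` so the stored keys can be compared against the new ones, and the `@@ -73` hunk now reports reuse with `KADM5_PASS_REUSE` instead of silently returning success; neither line says why the decrypt flag is needed, and the link is easy to lose. A comment at the fetch, `/* keys must be decrypted for the reuse comparison below */`, ties the two together. The enclosing function starts and ends outside the hunk.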
>@@ -32,7 +32,7 @@
> */
>
> #include "krb5_locl.h"
>-RCSID("$Id: crypto.c,v 1.66 2002/09/03 19:58:15 joda Exp $");
>+RCSID("$Id: crypto.c,v 1.66.2.1 2004/02/16 18:54:49 lha Exp $");
>
> #undef CRYPTO_DEBUG
> #ifdef CRYPTO_DEBUG
>@@ -2449,6 +2449,11 @@
> return EINVAL; /* XXX - better error code? */
> }
>
>+ if (((len - checksum_sz) % et->blocksize) != 0) {
>+ krb5_clear_error_string(context);
>+ return KRB5_BAD_MSIZE;
>+ }
>+
> p = malloc(len);
> if(len != 0 && p == NULL) {
> krb5_set_error_string(context, "malloc: out of memory");
>@@ -2517,6 +2522,11 @@
> size_t checksum_sz, l;
> struct encryption_type *et = crypto->et;
>
>+ if ((len % et->blocksize) != 0) {
>+ krb5_clear_error_string(context);
>+ return KRB5_BAD_MSIZE;
>+ }
>+
> checksum_sz = CHECKSUMSIZE(et->checksum);
> p = malloc(len);
> if(len != 0 && p == NULL) {
>@@ -2579,6 +2589,11 @@
> char *tmp;
> krb5_error_code ret;
>
>+ if ((len % et->blocksize) != 0) {
>+ krb5_clear_error_string(context);
>+ return KRB5_BAD_MSIZE;
>+ }
>+
> tmp = malloc (sz);
> if (tmp == NULL) {
> krb5_set_error_string(context, "malloc: out of memory");
>diff -ruN heimdal-0.5.2/lib/krb5/krb5-protos.h heimdal-0.5.3/lib/krb5/krb5-protos.h
>--- heimdal-0.5.2/lib/krb5/krb5-protos.h 2003-03-17 11:27:40.000000000 +0100
>+++ heimdal-0.5.3/lib/krb5/krb5-protos.h 2004-04-01 16:16:33.000000000 +0200
>@@ -521,6 +521,15 @@
> krb5_data */*result_string*/);
>
> krb5_error_code
>+krb5_check_transited (
>+ krb5_context /*context*/,
>+ krb5_const_realm /*client_realm*/,
>+ krb5_const_realm /*server_realm*/,
>+ krb5_realm */*realms*/,
>+ int /*num_realms*/,
>+ int */*bad_realm*/);
>+
>+krb5_error_code
> krb5_check_transited_realms (
> krb5_context /*context*/,
> const char *const */*realms*/,
>diff -ruN heimdal-0.5.2/lib/krb5/principal.c heimdal-0.5.3/lib/krb5/principal.c
>--- heimdal-0.5.2/lib/krb5/principal.c 2002-10-21 18:08:25.000000000 +0200
>+++ heimdal-0.5.3/lib/krb5/principal.c 2004-02-16 19:59:25.000000000 +0100
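Review bot: `(len - checksum_sz) % et->blocksize` in the `@@ -2449` hunk wraps around if `len < checksum_sz`; the `return EINVAL` immediately above suggests that case is already rejected, but the condition itself is outside the hunk, so the new guard should not depend on it silently: `if (len < checksum_sz || ((len - checksum_sz) % et->blocksize) != 0) {`. The identical blocksize check is then repeated in the `@@ -2517` and `@@ -2579` hunks; a small `static` helper taking `len` and `et` would keep the three decrypt paths from diverging. The enclosing functions start and end outside the hunks.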
>@@ -41,7 +41,7 @@
> #include <fnmatch.h>
> #include "resolve.h"
>
>-RCSID("$Id: principal.c,v 1.81.2.1 2002/10/21 16:08:25 joda Exp $");
>+RCSID("$Id: principal.c,v 1.81.2.2 2004/02/16 18:59:25 lha Exp $");
>
> #define princ_num_comp(P) ((P)->name.name_string.len)
> #define princ_type(P) ((P)->name.name_type)
>@@ -321,14 +321,17 @@
> len += 2*plen;
> len++;
> }
>+ len++;
> *name = malloc(len);
>- if(len != 0 && *name == NULL) {
>+ if(*name == NULL) {
> krb5_set_error_string (context, "malloc: out of memory");
> return ENOMEM;
> }
> ret = unparse_name_fixed(context, principal, *name, len, short_flag);
>- if(ret)
>+ if(ret) {
> free(*name);
>+ *name = NULL;
>+ }
> return ret;
> }
>
>diff -ruN heimdal-0.5.2/lib/krb5/rd_req.c heimdal-0.5.3/lib/krb5/rd_req.c
>--- heimdal-0.5.2/lib/krb5/rd_req.c 2001-06-18 04:48:18.000000000 +0200
>+++ heimdal-0.5.3/lib/krb5/rd_req.c 2004-02-16 19:17:47.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #include <krb5_locl.h>
>
>-RCSID("$Id: rd_req.c,v 1.47 2001/06/18 02:48:18 assar Exp $");
>+RCSID("$Id: rd_req.c,v 1.47.6.1 2004/02/16 18:17:47 lha Exp $");
>
> static krb5_error_code
> decrypt_tkt_enc_part (krb5_context context,
>@@ -129,6 +129,32 @@
> return 0;
> }
>
>+static krb5_error_code
>+check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
>+{
>+ char **realms;
>+ int num_realms;
>+ krb5_error_code ret;
>+
>+ if(enc->transited.tr_type != DOMAIN_X500_COMPRESS)
>+ return KRB5KDC_ERR_TRTYPE_NOSUPP;
>+
>+ if(enc->transited.contents.length == 0)
>+ return 0;
>+
>+ ret = krb5_domain_x500_decode(context, enc->transited.contents,
>+ &realms, &num_realms,
>+ enc->crealm,
>+ ticket->realm);
>+ if(ret)
>+ return ret;
>+ ret = krb5_check_transited(context, enc->crealm,
>+ ticket->realm,
>+ realms, num_realms, NULL);
>+ free(realms);
>+ return ret;
>+}
>+
> krb5_error_code
> krb5_decrypt_ticket(krb5_context context,
> Ticket *ticket,
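Review bot: `check_transited` in the `@@ -129` hunk releases only the `realms` array, whereas the KDC's `fix_transited_encoding` (kerberos5.c hunk `@@ -1097`) frees each `realms[i]` before `free(realms)`, which indicates that `krb5_domain_x500_decode` allocates the individual strings; if so, every service-side decryption of a cross-realm ticket whose transited field is non-empty leaks those strings. Freeing the elements the same way as the KDC keeps the two consumers of the decoder consistent:
```c
    ret = krb5_check_transited(context, enc->crealm,
                               ticket->realm,
                               realms, num_realms, NULL);
    for(i = 0; i < num_realms; i++)
        free(realms[i]);
    free(realms);
    return ret;
```
with `int i;` added to the declarations at the top of the function.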
>@@ -161,6 +187,14 @@
> krb5_clear_error_string (context);
> return KRB5KRB_AP_ERR_TKT_EXPIRED;
> }
>+
>+ if(!t.flags.transited_policy_checked) {
>+ ret = check_transited(context, ticket, &t);
>+ if(ret) {
>+ free_EncTicketPart(&t);
>+ return ret;
>+ }
>+ }
> }
>
> if(out)
>@@ -209,29 +243,6 @@
> return ret;
> }
>
>-#if 0
>-static krb5_error_code
>-check_transited(krb5_context context,
>- krb5_ticket *ticket)
>-{
>- char **realms;
>- int num_realms;
>- krb5_error_code ret;
>-
>- if(ticket->ticket.transited.tr_type != DOMAIN_X500_COMPRESS)
>- return KRB5KDC_ERR_TRTYPE_NOSUPP;
>-
>- ret = krb5_domain_x500_decode(ticket->ticket.transited.contents,
>- &realms, &num_realms,
>- ticket->client->realm,
>- ticket->server->realm);
>-if(ret)
>- return ret;
>- ret = krb5_check_transited_realms(context, realms, num_realms, NULL);
>- free(realms);
>- return ret;
>-}
>-#endif
>
> krb5_error_code
> krb5_verify_ap_req(krb5_context context,
>diff -ruN heimdal-0.5.2/lib/krb5/ticket.c heimdal-0.5.3/lib/krb5/ticket.c
>--- heimdal-0.5.2/lib/krb5/ticket.c 2001-05-14 08:14:51.000000000 +0200
>+++ heimdal-0.5.3/lib/krb5/ticket.c 2004-02-16 20:02:53.000000000 +0100
>@@ -33,7 +33,7 @@
>
> #include "krb5_locl.h"
>
>-RCSID("$Id: ticket.c,v 1.5 2001/05/14 06:14:51 assar Exp $");
>+RCSID("$Id: ticket.c,v 1.5.6.2 2004/02/16 19:02:53 lha Exp $");
>
> krb5_error_code
> krb5_free_ticket(krb5_context context,
>@@ -51,7 +51,10 @@
> krb5_ticket **to)
> {
> krb5_error_code ret;
>- krb5_ticket *tmp = malloc(sizeof(*tmp));
>+ krb5_ticket *tmp;
>+
>+ *to = NULL;
>+ tmp = malloc(sizeof(*tmp));
> if(tmp == NULL) {
> krb5_set_error_string (context, "malloc: out of memory");
> return ENOMEM;
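Review bot: The `if(!t.flags.transited_policy_checked)` gate in the `@@ -161` hunk is the service-side half of the fix: the flag lives inside the part of the ticket encrypted under the service key, so a client cannot set it, and a KDC that did not verify the path leaves it clear. That reasoning is what justifies trusting the flag at all and should be written at the condition: `/* flag is inside the encrypted part, so only the KDC can set it; re-check the path when it did not */`. The enclosing function starts and ends outside the hunk.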
>@@ -63,12 +66,14 @@
> ret = krb5_copy_principal(context, from->client, &tmp->client);
> if(ret){
> free_EncTicketPart(&tmp->ticket);
>+ free(tmp);
> return ret;
> }
>- ret = krb5_copy_principal(context, from->server, &(*to)->server);
>+ ret = krb5_copy_principal(context, from->server, &tmp->server);
> if(ret){
> krb5_free_principal(context, tmp->client);
> free_EncTicketPart(&tmp->ticket);
>+ free(tmp);
> return ret;
> }
> *to = tmp;
>diff -ruN heimdal-0.5.2/lib/krb5/transited.c heimdal-0.5.3/lib/krb5/transited.c
>--- heimdal-0.5.2/lib/krb5/transited.c 2002-09-09 16:03:03.000000000 +0200
>+++ heimdal-0.5.3/lib/krb5/transited.c 2004-02-16 19:20:52.000000000 +0100
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -33,7 +33,7 @@
>
> #include "krb5_locl.h"
>
>-RCSID("$Id: transited.c,v 1.9 2002/09/09 14:03:03 nectar Exp $");
>+RCSID("$Id: transited.c,v 1.9.2.1 2004/02/16 18:20:52 lha Exp $");
>
> /* this is an attempt at one of the most horrible `compression'
> schemes that has ever been invented; it's so amazingly brain-dead
>@@ -304,6 +304,12 @@
> struct tr_realm *p, **q;
> int ret;
>
>+ if(tr.length == 0) {
>+ *realms = NULL;
>+ *num_realms = 0;
>+ return 0;
>+ }
>+
> /* split string in components */
> ret = decode_realms(context, tr.data, tr.length, &r);
> if(ret)
>@@ -358,6 +364,9 @@
> char *s = NULL;
> int len = 0;
> int i;
>+ krb5_data_zero(encoding);
>+ if (num_realms == 0)
>+ return 0;
> for(i = 0; i < num_realms; i++){
> len += strlen(realms[i]);
> if(realms[i][0] == '/')
>@@ -365,6 +374,8 @@
> }
> len += num_realms - 1;
> s = malloc(len + 1);
>+ if (s == NULL)
>+ return ENOMEM;
> *s = '\0';
> for(i = 0; i < num_realms; i++){
> if(i && i < num_realms - 1)
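Review bot: The empty-input early return added to the decoder in the `@@ -304` hunk sets `*realms = NULL` and `*num_realms = 0`, and both the KDC and rd_req.c callers rely on `free(NULL)` and a zero-length loop to cope with that; the contract (who owns `*realms` and its elements on success, what the caller may assume when the input is empty) is still undocumented at the function. A header comment stating that the caller frees each `(*realms)[i]` and then `*realms`, and that an empty encoding yields `NULL`/`0`, would settle the ownership question the two callers currently answer differently. The encoder's `krb5_data_zero(encoding)` before the `num_realms == 0` return in the `@@ -358` hunk is the matching half of that contract and deserves the same note. The enclosing functions start and end outside the hunks.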
>@@ -379,6 +390,44 @@
> }
> 
> krb5_error_code
>+krb5_check_transited(krb5_context context,
>+ krb5_const_realm client_realm,
>+ krb5_const_realm server_realm,
>+ krb5_realm *realms,
>+ int num_realms,
>+ int *bad_realm)
>+{
>+ char **tr_realms;
>+ char **p;
>+ int i;
>+
>+ if(num_realms == 0)
>+ return 0;
>+
>+ tr_realms = krb5_config_get_strings(context, NULL,
>+ "capaths",
>+ client_realm,
>+ server_realm,
>+ NULL);
>+ for(i = 0; i < num_realms; i++) {
>+ for(p = tr_realms; p && *p; p++) {
>+ if(strcmp(*p, realms[i]) == 0)
>+ break;
>+ }
>+ if(p == NULL || *p == NULL) {
>+ krb5_config_free_strings(tr_realms);
>+ krb5_set_error_string (context, "no transit through realm %s",
>+ realms[i]);
>+ if(bad_realm)
>+ *bad_realm = i;
>+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
>+ }
>+ }
>+ krb5_config_free_strings(tr_realms);
>+ return 0;
>+}
>+
>+krb5_error_code
> krb5_check_transited_realms(krb5_context context,
> const char *const *realms,
> int num_realms,
>diff -ruN heimdal-0.5.2/lib/krb5/verify_krb5_conf.c heimdal-0.5.3/lib/krb5/verify_krb5_conf.c
>--- heimdal-0.5.2/lib/krb5/verify_krb5_conf.c 2002-08-28 17:27:19.000000000 +0200
>+++ heimdal-0.5.3/lib/krb5/verify_krb5_conf.c 2004-02-16 18:56:02.000000000 +0100
>@@ -35,7 +35,7 @@
> #include <getarg.h>
> #include <parse_bytes.h>
> #include <err.h>
>-RCSID("$Id: verify_krb5_conf.c,v 1.14 2002/08/28 15:27:19 nectar Exp $");
>+RCSID("$Id: verify_krb5_conf.c,v 1.14.2.1 2004/02/16 17:56:02 lha Exp $");
> 
> /* verify krb5.conf */
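Review bot: `krb5_check_transited` in the `@@ -379,6 +390,44 @@` hunk has no header comment, and its contract is the policy decision this fix hinges on: every realm in `realms` must appear verbatim (`strcmp`) in the `[capaths]` list for `client_realm` → `server_realm`, a missing list (`krb5_config_get_strings` returning NULL) rejects any non-empty path, and `bad_realm` receives the index of the first unlisted realm only on the failure path. Suggest a block comment above the definition stating those three points, including that the empty-path case returns 0 without consulting configuration. The function is fail-closed, which is right for an authorization check, but that is easy to break later if it is not written down. On the no-entry path `krb5_config_free_strings(tr_realms)` is called with NULL, which I assume the helper tolerates; a comment saying so would save the next reader a lookup.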
> 
>@@ -263,12 +263,12 @@
> strlcpy(severity, "ERR", sizeof(severity));
> if(*facility == '\0')
> strlcpy(facility, "AUTH", sizeof(facility));
>- if(find_value(severity, syslogvals) == NULL) {
>+ if(find_value(severity, syslogvals) == -1) {
> krb5_warnx(context, "%s: unknown syslog facility \"%s\"",
> path, facility);
> ret++;
> }
>- if(find_value(severity, syslogvals) == NULL) {
>+ if(find_value(severity, syslogvals) == -1) {
> krb5_warnx(context, "%s: unknown syslog severity \"%s\"",
> path, severity);
> ret++;
>@@ -432,8 +432,8 @@
> 
> #if 0
> struct entry kdcdefaults_entries[] = {
>- { "kdc_ports, krb5_config_string, mit_entry },
>- { "v4_mode, krb5_config_string, mit_entry },
>+ { "kdc_ports", krb5_config_string, mit_entry },
>+ { "v4_mode", krb5_config_string, mit_entry },
> { NULL }
> };
> #endif
>diff -ruN heimdal-0.5.2/lib/vers/print_version.c heimdal-0.5.3/lib/vers/print_version.c
>--- heimdal-0.5.2/lib/vers/print_version.c 2002-08-19 17:57:49.000000000 +0200
>+++ heimdal-0.5.3/lib/vers/print_version.c 2004-02-16 20:05:53.000000000 +0100
>@@ -1,5 +1,5 @@
> /*
>- * Copyright (c) 1998 - 2002 Kungliga Tekniska Högskolan
>+ * Copyright (c) 1998 - 2004 Kungliga Tekniska Högskolan
> * (Royal Institute of Technology, Stockholm, Sweden).
> * All rights reserved.
> *
>@@ -33,7 +33,7 @@
> 
> #ifdef HAVE_CONFIG_H
> #include <config.h>
>-RCSID("$Id: print_version.c,v 1.5 2002/08/19 15:57:49 joda Exp $");
>+RCSID("$Id: print_version.c,v 1.5.4.1 2004/02/16 19:05:53 lha Exp $");
> #endif
> #include "roken.h"
> 
>@@ -72,7 +72,7 @@
> }
> }
> fprintf(stderr, "%s (%s)\n", progname, msg);
>- fprintf(stderr, "Copyright (c) 1999-2002 Kungliga Tekniska Högskolan\n");
>+ fprintf(stderr, "Copyright (c) 1999-2004 Kungliga Tekniska Högskolan\n");
> fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
> if(num_args != 0)
> free(msg);
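Review bot: The first changed condition in the `@@ -263,12 +263,12 @@` hunk of verify_krb5_conf.c still looks up `severity` even though the warning it guards reports an unknown facility, so a misspelled facility in the logging configuration is never flagged; it should read `if(find_value(facility, syslogvals) == -1) {`. The `== -1` correction is right given the second check, but the copy-paste of the argument survived it. Whether `syslogvals` holds both facility and severity names cannot be seen from this hunk; if they are separate tables, the table name needs the same correction.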