authorHans Insulander <hin@cvs.openbsd.org>2003-03-21 09:50:08 +0000
committerHans Insulander <hin@cvs.openbsd.org>2003-03-21 09:50:08 +0000
commite3e0bd213a2e26c639e2edede178225634a6a573 (patch)
tree865925223f6f4109e7d078962ef048c1ad5e2427 /kerberosV
parent91f363acb538ed5c73b7a9e6cf3c0339fcbb0603 (diff)
Add a new option to disable krb4 cross-realm authentication, disabled by
default. This works around a recently found vulnerability in the krb4 protocol, see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt Patch created by adopting the changes in heimdal-0.5.2, with invaluable help provided by lha@stacken.kth.se and janj@stacken.kth.se. ok beck@ miod@
Diffstat (limited to 'kerberosV')
-rw-r--r--kerberosV/src/kdc/524.c17
-rw-r--r--kerberosV/src/kdc/config.c52
-rw-r--r--kerberosV/src/kdc/kdc.89
-rw-r--r--kerberosV/src/kdc/kdc_locl.h1
-rw-r--r--kerberosV/src/kdc/kerberos4.c7
5 files changed, 62 insertions, 24 deletions
diff --git a/kerberosV/src/kdc/524.c b/kerberosV/src/kdc/524.c
index c727bf22f03..02330ff5971 100644
--- a/kerberosV/src/kdc/524.c
+++ b/kerberosV/src/kdc/524.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$KTH: 524.c,v 1.19 2001/01/30 01:44:07 assar Exp $");
+RCSID("$KTH: 524.c,v 1.23 2001/08/17 07:48:49 joda Exp $");
#ifdef KRB4
@@ -136,7 +136,7 @@ set_address (EncTicketPart *et,
if (v4_addr == NULL)
return ENOMEM;
- ret = krb5_sockaddr2address(addr, v4_addr);
+ ret = krb5_sockaddr2address(context, addr, v4_addr);
if(ret) {
free (v4_addr);
kdc_log(0, "Failed to convert address (%s)", from);
@@ -251,6 +251,14 @@ do_524(const Ticket *t, krb5_data *reply,
free_EncTicketPart(&et);
goto out;
}
+ if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+ kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+ t->realm);
+ free_EncTicketPart(&et);
+ ret = KRB5KDC_ERR_POLICY;
+ goto out;
+ }
+
ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
&et, &t->sname, &len);
free_EncTicketPart(&et);
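Review bot: The new policy check at the top of this hunk refuses the v5-to-v4 conversion for a foreign-realm client without saying why, and the same unexplained check appears in the kerberos4.c hunk; a later reader has to reconstruct the reason from the commit message. Add a comment above the `if`, e.g. `/* krb4 cross-realm is unsafe (see MITKRB5-SA-2003-004): refuse clients from a realm other than the ticket's unless the kerberos4-cross-realm option is set */`. Logging the refusal at level 0 with both realms is the right call for audit trails. do_524 continues beyond this hunk on both sides.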
@@ -258,9 +266,9 @@ do_524(const Ticket *t, krb5_data *reply,
kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
goto out;
}
- ret = get_des_key(server, FALSE, &skey);
+ ret = get_des_key(server, TRUE, FALSE, &skey);
if(ret){
- kdc_log(0, "No DES key for server (%s)", spn);
+ kdc_log(0, "no suitable DES key for server (%s)", spn);
goto out;
}
ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
@@ -283,6 +291,7 @@ out:
free_EncryptedData(&ticket);
}
ret = krb5_storage_to_data(sp, reply);
+ reply->length = (*sp->seek)(sp, 0, SEEK_CUR);
krb5_storage_free(sp);
if(spn)
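Review bot: `reply->length` is overwritten from the storage's seek position on the line after `ret = krb5_storage_to_data(sp, reply);` without looking at `ret`; if that call failed (presumably an allocation failure) `reply->data` may be unset or NULL while `reply->length` now reports a non-zero size, which a caller that only checks `ret` afterwards could still act on. Guard the assignment: `if (ret == 0) reply->length = (*sp->seek)(sp, 0, SEEK_CUR);`. A negative seek result is also assigned straight into the length without a check, and a short comment on why the length must be taken from the seek position rather than from krb5_storage_to_data would help. do_524's cleanup continues past the hunk.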
diff --git a/kerberosV/src/kdc/config.c b/kerberosV/src/kdc/config.c
index 5b02571fd35..6be59d73985 100644
--- a/kerberosV/src/kdc/config.c
+++ b/kerberosV/src/kdc/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -35,7 +35,7 @@
#include <getarg.h>
#include <parse_bytes.h>
-RCSID("$KTH: config.c,v 1.33 2000/09/10 19:27:17 joda Exp $");
+RCSID("$KTH: config.c,v 1.38 2001/08/10 14:02:57 joda Exp $");
static char *config_file; /* location of kdc config file */
@@ -67,9 +67,8 @@ krb5_addresses explicit_addresses;
char *v4_realm;
int enable_v4 = -1;
int enable_524 = -1;
-#endif
-#ifdef KASERVER
-krb5_boolean enable_kaserver = -1;
+int enable_v4_cross_realm = -1;
+int enable_kaserver = -1;
#endif
static int help_flag;
@@ -102,19 +101,21 @@ static struct getargs args[] = {
{ "524", 0, arg_negative_flag, &enable_524,
"don't respond to 524 requests"
},
+ { "kerberos4-cross-realm", 0, arg_flag,
+ &enable_v4_cross_realm,
+ "respond to kerberos 4 requests from foreign realms"
+ },
{
"v4-realm", 'r', arg_string, &v4_realm,
"realm to serve v4-requests for"
},
-#endif
-#ifdef KASERVER
{
- "kaserver", 'K', arg_negative_flag, &enable_kaserver,
- "turn off kaserver support"
+ "kaserver", 'K', arg_flag, &enable_kaserver,
+ "enable kaserver support"
},
#endif
{ "ports", 'P', arg_string, &port_str,
- "ports to listen to"
+ "ports to listen to", "portspec"
},
{ "addresses", 0, arg_strings, &addresses_str,
"addresses to listen on", "list of addresses" },
@@ -198,8 +199,11 @@ get_dbinfo(krb5_config_section *cf)
if(di->mkey_file == NULL) {
p = strrchr(di->dbname, '.');
if(p == NULL || strchr(p, '/') != NULL)
+ /* final pathname component does not contain a . */
asprintf(&di->mkey_file, "%s.mkey", di->dbname);
else
+ /* the filename is something.else, replace .else with
+ .mkey */
asprintf(&di->mkey_file, "%.*s.mkey",
(int)(p - di->dbname), di->dbname);
}
@@ -250,7 +254,7 @@ configure(int argc, char **argv)
if(config_file == NULL)
config_file = _PATH_KDC_CONF;
- if(krb5_config_parse_file(config_file, &cf))
+ if(krb5_config_parse_file(context, config_file, &cf))
cf = NULL;
get_dbinfo(cf);
@@ -286,6 +290,7 @@ configure(int argc, char **argv)
for (i = 0; i < addresses_str.num_strings; ++i)
add_one_address (addresses_str.strings[i], i == 0);
+ free_getarg_strings (&addresses_str);
} else {
char **foo = krb5_config_get_strings (context, cf,
"kdc", "addresses", NULL);
@@ -301,6 +306,12 @@ configure(int argc, char **argv)
if(enable_v4 == -1)
enable_v4 = krb5_config_get_bool_default(context, cf, TRUE, "kdc",
"enable-kerberos4", NULL);
+ if(enable_v4_cross_realm == -1)
+ enable_v4_cross_realm =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE, "kdc",
+ "enable-kerberos4-cross-realm",
+ NULL);
if(enable_524 == -1)
enable_524 = krb5_config_get_bool_default(context, cf, enable_v4,
"kdc", "enable-524", NULL);
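Review bot: The new lookup of `enable-kerberos4-cross-realm` passes `NULL` instead of `cf` as the config section, unlike the neighbouring `enable-kerberos4` and `enable-524` lookups, so a setting in kdc.conf is never consulted and the value is always the FALSE default unless the `--kerberos4-cross-realm` flag is given. That is fail-safe for a security knob, but it is either a typo or dead code; if the config key is meant to work, change it to `krb5_config_get_bool_default(context, cf, FALSE, "kdc", "enable-kerberos4-cross-realm", NULL);` and mention the key in kdc.8, otherwise drop the lookup and keep the flag alone. configure() continues on both sides of the hunk.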
@@ -310,11 +321,11 @@ configure(int argc, char **argv)
enable_http = krb5_config_get_bool(context, cf, "kdc",
"enable-http", NULL);
check_ticket_addresses =
- krb5_config_get_bool(context, cf, "kdc",
- "check-ticket-addresses", NULL);
+ krb5_config_get_bool_default(context, cf, TRUE, "kdc",
+ "check-ticket-addresses", NULL);
allow_null_ticket_addresses =
- krb5_config_get_bool(context, cf, "kdc",
- "allow-null-ticket-addresses", NULL);
+ krb5_config_get_bool_default(context, cf, TRUE, "kdc",
+ "allow-null-ticket-addresses", NULL);
allow_anonymous =
krb5_config_get_bool(context, cf, "kdc",
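Review bot: The defaults for `check-ticket-addresses` and `allow-null-ticket-addresses` change from unset-means-FALSE (`krb5_config_get_bool`) to TRUE, which is independent of the krb4 cross-realm fix and is not mentioned in the commit message or the kdc.8 hunk. For a kdc.conf that sets `check-ticket-addresses` but leaves `allow-null-ticket-addresses` unset, address-less tickets were presumably rejected before and are accepted after this change, assuming the consumers of these flags (outside this page) behave as their names suggest. Add at least a comment such as `/* defaults follow heimdal-0.5.2: ticket addresses are checked, but address-less tickets are accepted */` and a line in kdc.8 so operators can see the new defaults.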
@@ -325,13 +336,14 @@ configure(int argc, char **argv)
"kdc",
"v4-realm",
NULL);
- if(p)
+ if(p != NULL) {
v4_realm = strdup(p);
+ if (v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ }
}
-#endif
-#ifdef KASERVER
if (enable_kaserver == -1)
- enable_kaserver = krb5_config_get_bool_default(context, cf, TRUE,
+ enable_kaserver = krb5_config_get_bool_default(context, cf, FALSE,
"kdc",
"enable-kaserver",
NULL);
@@ -357,6 +369,8 @@ configure(int argc, char **argv)
#ifdef KRB4
if(v4_realm == NULL){
v4_realm = malloc(40); /* REALM_SZ */
+ if (v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
krb_get_lrealm(v4_realm, 1);
}
#endif
diff --git a/kerberosV/src/kdc/kdc.8 b/kerberosV/src/kdc/kdc.8
index 1110ad978b0..0c1263a3727 100644
--- a/kerberosV/src/kdc/kdc.8
+++ b/kerberosV/src/kdc/kdc.8
@@ -1,4 +1,4 @@
-.\" $KTH: kdc.8,v 1.13 2001/06/08 21:35:32 joda Exp $
+.\" $Id: kdc.8,v 1.4 2003/03/21 09:50:07 hin Exp $
.\"
.Dd July 27, 1997
.Dt KDC 8
@@ -20,6 +20,7 @@
.Fl -v4-realm= Ns Ar string
.Xc
.Oc
+.Op Fl -kerberos4-cross-realm
.Op Fl K | Fl -no-kaserver
.Op Fl r Ar realm
.Op Fl -v4-realm= Ns Ar realm
@@ -59,6 +60,12 @@ flexible way of handling this.
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
.It Xo
+.Fl -kerberos4-cross-realm
+.Xc
+respond to kerberos 4 requests from foreign realms.
+This is a known security hole and should not be enabled unless you
+understand the consequences and are willing to live with them.
+.It Xo
.Fl H Ns ,
.Fl -enable-http
.Xc
diff --git a/kerberosV/src/kdc/kdc_locl.h b/kerberosV/src/kdc/kdc_locl.h
index 64f1ebd3896..043d862b141 100644
--- a/kerberosV/src/kdc/kdc_locl.h
+++ b/kerberosV/src/kdc/kdc_locl.h
@@ -67,6 +67,7 @@ extern krb5_boolean allow_anonymous;
extern char *v4_realm;
extern int enable_v4;
extern int enable_524;
+extern int enable_v4_cross_realm;
extern krb5_boolean enable_kaserver;
#endif
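Review bot: `enable_kaserver` stays declared as `krb5_boolean` here while the config.c hunk redefines it as `int enable_kaserver = -1;`; this only links cleanly because krb5_boolean is, as far as I know, a typedef of int in Heimdal, and it leaves a -1 "unset" sentinel in a variable typed as a boolean. Change the declaration to `extern int enable_kaserver;` so the header and the definition agree, as is already the case for `enable_v4`, `enable_524` and the new `enable_v4_cross_realm`. The `#ifdef` that this `#endif` closes begins outside the hunk.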
diff --git a/kerberosV/src/kdc/kerberos4.c b/kerberosV/src/kdc/kerberos4.c
index 2da37685ab7..11f117d6ecc 100644
--- a/kerberosV/src/kdc/kerberos4.c
+++ b/kerberosV/src/kdc/kerberos4.c
@@ -430,6 +430,13 @@ do_version4(unsigned char *buf,
goto out2;
}
+ if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
+ kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
+ make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't hop realms");
+ goto out2;
+ }
+
if(strcmp(sname, "changepw") == 0){
kdc_log(0, "Bad request for changepw ticket");
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
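Review bot: The new refusal log reads "krb4 Cross-realm %s -> %s disabled" while the matching line added in the 524.c hunk reads "524 cross-realm %s -> %s disabled"; since these are the lines an operator would match on to spot refused foreign-realm requests, keep one form, e.g. `kdc_log(0, "krb4 cross-realm %s -> %s disabled", realm, v4_realm);`. Note also that this check compares the request realm against the KDC's configured `v4_realm`, whereas the 524.c check compares the client realm against the ticket realm; that is presumably intentional but deserves a one-line comment. do_version4 begins before this hunk and continues after it.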