Fix Kerberos 4 procotocol problem mentioned in

[MIT krb5 Security Advisory 2003-004]/[heimdal-0.5.2 release notes]
by disable support for it.

crypto/dist/heimdal/kdc/524.c

@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 
 __RCSID("$Heimdal: 524.c,v 1.25 2002/07/31 09:43:20 joda Exp $"
-        "$NetBSD: 524.c,v 1.7 2002/09/12 13:19:00 joda Exp $");
+        "$NetBSD: 524.c,v 1.8 2003/03/20 19:20:59 lha Exp $");
 
 #ifdef KRB4
 
@@ -252,6 +252,14 @@ do_524(const Ticket *t, krb5_data *reply,
 	free_EncTicketPart(&et);
 	goto out;
     }
+    if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+	kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+		t->realm);
+	free_EncTicketPart(&et);
+	ret = KRB5KDC_ERR_POLICY;
+	goto out;
+    }
+
     ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
 			   &et, &t->sname, &len);
     free_EncTicketPart(&et);

crypto/dist/heimdal/kdc/config.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -36,7 +36,7 @@
 #include <parse_bytes.h>
 
 __RCSID("$Heimdal: config.c,v 1.43 2002/08/29 01:51:07 assar Exp $"
-        "$NetBSD: config.c,v 1.8 2002/09/12 17:16:38 joda Exp $");
+        "$NetBSD: config.c,v 1.9 2003/03/20 19:20:59 lha Exp $");
 
 static const char *config_file;	/* location of kdc config file */
 
@@ -74,6 +74,7 @@ krb5_addresses explicit_addresses;
 char *v4_realm;
 int enable_v4 = -1;
 int enable_524 = -1;
+int enable_v4_cross_realm = -1;
 int enable_kaserver = -1;
 #endif
 
@@ -108,6 +109,10 @@ static struct getargs args[] = {
     {	"524",		0, 	arg_negative_flag, &enable_524,
 	"don't respond to 524 requests" 
     },
+    {	"kerberos4-cross-realm",	0, 	arg_flag,
+	&enable_v4_cross_realm,
+	"respond to kerberos 4 requests from foreign realms" 
+    },
     { 
 	"v4-realm",	'r',	arg_string, &v4_realm, 
 	"realm to serve v4-requests for"
@@ -337,9 +342,17 @@ configure(int argc, char **argv)
     if(enable_v4 == -1)
 	enable_v4 = krb5_config_get_bool_default(context, NULL, TRUE, "kdc", 
 					 "enable-kerberos4", NULL);
+    if(enable_v4_cross_realm == -1)
+	enable_v4_cross_realm =
+	    krb5_config_get_bool_default(context, NULL,
+					 FALSE, "kdc", 
+					 "enable-kerberos4-cross-realm",
+					 NULL);
     if(enable_524 == -1)
 	enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4, 
 						  "kdc", "enable-524", NULL);
+#else
+#define enable_v4 0
 #endif
 
     if(enable_http == -1)
@@ -361,8 +374,11 @@ configure(int argc, char **argv)
 				    "kdc",
 				    "v4-realm",
 				    NULL);
-	if(p)
+	if(p != NULL) {
 	    v4_realm = strdup(p);
+	    if (v4_realm == NULL)
+		krb5_errx(context, 1, "out of memory");
+	}
     }
     if (enable_kaserver == -1)
 	enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
@@ -397,6 +413,8 @@ configure(int argc, char **argv)
 #ifdef KRB4
     if(v4_realm == NULL){
 	v4_realm = malloc(40); /* REALM_SZ */
+	if (v4_realm == NULL)
+	    krb5_errx(context, 1, "out of memory");
 	krb_get_lrealm(v4_realm, 1);
     }
 #endif

crypto/dist/heimdal/kdc/connect.c

@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 
 __RCSID("$Heimdal: connect.c,v 1.86 2002/08/12 13:29:48 joda Exp $"
-        "$NetBSD: connect.c,v 1.8 2002/09/12 13:19:00 joda Exp $");
+        "$NetBSD: connect.c,v 1.9 2003/03/20 19:20:59 lha Exp $");
 
 /*
  * a tuple describing on what to listen
@@ -237,7 +237,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
     krb5_error_code ret;
     struct sockaddr_storage __ss;
     struct sockaddr *sa = (struct sockaddr *)&__ss;
-    int sa_size;
+    int sa_size = sizeof(__ss);
 
     init_descr (d);
 

crypto/dist/heimdal/kdc/kdc.8

@@ -1,5 +1,5 @@
 .\" $Heimdal: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $
-.\" $NetBSD: kdc.8,v 1.9 2002/12/21 12:22:12 wiz Exp $
+.\" $NetBSD: kdc.8,v 1.10 2003/03/20 19:21:00 lha Exp $
 .\"
 .Dd August 22, 2002
 .Dt KDC 8
@@ -16,11 +16,19 @@
 .Op Fl p | Fl -no-require-preauth
 .Op Fl -max-request= Ns Ar size
 .Op Fl H | Fl -enable-http
-.Op Fl D | Fl -no-detach
+.Op Fl -no-524
+.Op Fl -kerberos4
+.Op Fl -kerberos4-cross-realm
 .Oo Fl r Ar string \*(Ba Xo
 .Fl -v4-realm= Ns Ar string
 .Xc
 .Oc
+.Op Fl K | Fl -kaserver
+.Oo Fl P Ar portspec \*(Ba Xo
+.Fl -ports= Ns Ar portspec
+.Xc
+.Oc
+.Op Fl -detach
 .Op Fl K | Fl -no-kaserver
 .Op Fl r Ar realm
 .Op Fl -v4-realm= Ns Ar realm
@@ -73,13 +81,22 @@ Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
 .Xc
 Makes the kdc not detach from the tty.  Useful for debugging.
 .It Xo
-.Fl K ,
-.Fl -no-kaserver
+.Fl -no-524
 .Xc
-Disables kaserver emulation (in case it's compiled in).
+don't respond to 524 requests
 .It Xo
-.Fl r Ar realm ,
-.Fl -v4-realm= Ns Ar realm
+.Fl -kerberos4
+.Xc
+respond to kerberos 4 requests
+.It Xo
+.Fl -kerberos4-cross-realm
+.Xc
+respond to kerberos 4 requests from foreign realms.
+This is a known security hole and should not be enabled unless you
+understand the consequences and are willing to live with them.
+.It Xo
+.Fl r Ar string ,
+.Fl -v4-realm= Ns Ar string
 .Xc
 What realm this server should act as when dealing with version 4
 requests. The database can contain any number of realms, but since the
@@ -89,10 +106,16 @@ explicitly specified. The default is whatever is returned by
 This option is only available if the KDC has been compiled with version
 4 support.
 .It Xo
-.Fl P Ar string ,
-.Fl -ports= Ns Ar string
+.Fl K ,
+.Fl -kaserver
 .Xc
-Specifies the set of ports the KDC should listen on.  It is given as a
+Enable kaserver emulation (in case it's compiled in).
+.It Xo
+.Fl P Ar portspec ,
+.Fl -ports= Ns Ar portspec
+.Xc
+Specifies the set of ports the KDC should listen on.
+It is given as a
 white-space separated list of services or port numbers.
 .It Fl -addresses= Ns Ar list of addresses
 The list of addresses to listen for requests on.  By default, the kdc

crypto/dist/heimdal/kdc/kdc_locl.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: kdc_locl.h,v 1.7 2002/09/12 13:19:01 joda Exp $ 
+ * $Id: kdc_locl.h,v 1.8 2003/03/20 19:21:00 lha Exp $ 
  */
 
 #ifndef __KDC_LOCL_H__
@@ -68,6 +68,7 @@ extern krb5_boolean allow_anonymous;
 extern char *v4_realm;
 extern int enable_v4;
 extern int enable_524;
+extern int enable_v4_cross_realm;
 extern krb5_boolean enable_kaserver;
 #endif
 

crypto/dist/heimdal/kdc/kerberos4.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 
 __RCSID("$Heimdal: kerberos4.c,v 1.41 2002/04/18 16:08:24 joda Exp $"
-        "$NetBSD: kerberos4.c,v 1.1.1.5 2002/09/12 12:41:39 joda Exp $");
+        "$NetBSD: kerberos4.c,v 1.2 2003/03/20 19:21:00 lha Exp $");
 
 #ifdef KRB4
 
@@ -431,6 +431,13 @@ do_version4(unsigned char *buf,
 	    goto out2;
 	}
 
+	if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
+	    kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
+	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+			   "Can't hop realms");
+	    goto out2;
+	}
+
 	if(strcmp(sname, "changepw") == 0){
 	    kdc_log(0, "Bad request for changepw ticket");
 	    make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,