[1570] in Kerberos-V5-bugs
Bug in beta5 port of gssapi
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed Jul 26 11:39:43 1995
To: krb5-bugs@MIT.EDU
Cc: secure@cam.ov.com
Date: Wed, 26 Jul 1995 11:40:14 -0400
From: Marc Horowitz <marc@cam.ov.com>

If you've been following the Kerberos list, this will sound familiar
to you. In krb5b4, there is the following code in
lib/gssapi/krb5/accept_sec_context.c:

    /* construct the sender_addr */
    if ((input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) &&
        (input_chan_bindings->initiator_addrtype == GSS_C_AF_INET)) {
        /* XXX is this right? */
        addr.addrtype = ADDRTYPE_INET;
        addr.length = input_chan_bindings->initiator_address.length;
        addr.contents = input_chan_bindings->initiator_address.value;
        paddr = &addr;
    } else {
        paddr = NULL;
    }

    /* ... */

    /* decode the message */
    if (code = krb5_rd_req(&ap_req, cred->princ, paddr, NULL, &rd_req_keyproc,
                           (krb5_pointer) cred->keytab, rcache, &authdat)) {
        (void) krb5_rc_close(rcache);
        *minor_status = code;
        return(GSS_S_FAILURE);
    }

This code extracts the initiator address from the channel bindings,
and passes it into krb5_rd_req so that it can be compared to the
address in the authenticator.

In krb5b5, the addr struct is filled in, and the paddr pointer is set
to point to it, but neither paddr nor addr is ever used. It looks
like krb5_gss_accept_sec_context() should be creating an auth_context,
and filling in the remote_addr component, but I'm not sure of the
right way to go about this with the new API. The result is that the
IP address in the authenticator is never checked with the beta5 gssapi
code as is. Good thing I'm still using b4 over here :-)

Marc
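
Added illustration, not part of the original message and not code from the krb5 source tree: a simplified C model of why the unused paddr matters. A NULL sender address means "skip the comparison", so an acceptor that never forwards the address accepts a mismatched peer, and only a negative test shows the gap. All `ex_` names, the address-type constant and the sample addresses are hypothetical and constructed for this model.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical stand-in for an address record; not the krb5 type. */
typedef struct { int addrtype; size_t length; const unsigned char *contents; } ex_address;
enum { EX_ADDRTYPE_INET = 2 };              /* constructed value for this model */

static int ex_address_equal(const ex_address *a, const ex_address *b)
{
    return a->addrtype == b->addrtype && a->length == b->length &&
           memcmp(a->contents, b->contents, a->length) == 0;
}

/* Model of the request check: a NULL sender means "do not compare". */
int ex_check_request(const ex_address *authenticated, const ex_address *sender)
{
    if (sender != NULL && !ex_address_equal(authenticated, sender))
        return -1;                          /* mismatch: reject */
    return 0;
}

/* b4-style acceptor: the address from the channel bindings reaches the check. */
int ex_accept_b4(const ex_address *authenticated, const ex_address *bound)
{
    return ex_check_request(authenticated, bound);  /* bound is NULL if no bindings */
}

/* b5-style acceptor as the message describes it: paddr is set, then unused. */
int ex_accept_b5(const ex_address *authenticated, const ex_address *bound)
{
    const ex_address *paddr = bound;
    (void)paddr;
    return ex_check_request(authenticated, NULL);
}

/* Constructed sample addresses from documentation ranges. */
static const unsigned char ex_client[4] = {192, 0, 2, 10};
static const unsigned char ex_other[4]  = {198, 51, 100, 7};
/* Negative test: a mismatched binding must be rejected. Returns 1 on reject. */
int ex_rejects_mismatch(int (*accept)(const ex_address *, const ex_address *))
{
    ex_address in_request = {EX_ADDRTYPE_INET, sizeof ex_client, ex_client};
    ex_address bound      = {EX_ADDRTYPE_INET, sizeof ex_other, ex_other};
    return accept(&in_request, &bound) != 0;
}

int main(void)
{
    return (ex_rejects_mismatch(ex_accept_b4) && !ex_rejects_mismatch(ex_accept_b5)) ? 0 : 1;
}
```

Positive tests alone pass for both variants, which is how a dropped check of this kind survives a port; the mismatch case is the one worth keeping in a regression suite.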