[2557] in Kerberos-V5-bugs
krb5-misc/275: krb524d needs to put actual client address in V4 ticket
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Wed Dec 4 22:01:31 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, jik@cam.ov.com
Date: Wed, 4 Dec 1996 22:00:51 -0500
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Reply-To: jik@cam.ov.com
To: mit-gnats@cam.ov.com
>Number: 275
>Category: krb5-misc
>Synopsis: krb524d needs to put actual client address in V4 ticket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Dec 04 22:01:01 EST 1996
>Last-Modified:
>Originator: Jonathan I. Kamens
>Organization:
OpenVision Technologies, Inc.
>Release:
>Environment:
System: SunOS gza-clien 4.1.3C 3 sun4m
Architecture: sun4
>Description:
When krb524d receives a request to convert a ticket, the
address it puts into the converted ticket should be the address that
the client used to connect to it, if that address is one of the ones
listed in the V5 ticket.
This is necessary for multi-homed hosts which have one address
for an internal network and another address for talking to the outside
world (e.g., to the Kerberos server that krb524d is running on).
The patch below is against an older version of krb524, so it
probably won't apply cleanly to the current source tree. However,
it's pretty straightforward, so you should be able to fold it in with
little trouble.
>How-To-Repeat:
>Fix:
--- krb524d.c 1996/07/30 23:35:19 1.10
+++ krb524d.c 1996/12/05 02:50:04
@@ -284,7 +284,8 @@
if (debug)
printf("service key retrieved\n");
- ret = krb524_convert_tkt_skey(v5tkt, &v4tkt, &service_key);
+ ret = krb524_convert_tkt_skey(v5tkt, &v4tkt, &service_key,
+ (struct sockaddr_in *)&saddr);
if (ret)
goto error;
krb5_free_keyblock_contents(&service_key);
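Review bot: the cast (struct sockaddr_in *)&saddr at the call site assumes saddr holds an AF_INET peer address, and nothing in the visible lines checks the address family before the callee compares sin_addr against the ticket's addresses. Check sin_family here, or pass the family along with the address, so a non-IPv4 peer is never compared as if it were IPv4.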
--- conv_tkt_skey.c 1994/09/05 03:14:24 1.6
+++ conv_tkt_skey.c 1996/12/05 02:49:50
@@ -26,5 +26,7 @@
#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
#include <krb5/krb5.h>
#include <krb.h>
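Review bot: the loop added to this file calls memcmp, but the include list visible here gains only <sys/types.h> and <netinet/in.h>. Add <string.h> unless it is already included outside the lines shown.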
@@ -35,7 +37,7 @@
* skey for both.
*/
int krb524_convert_tkt_skey(krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *skey)
+ krb5_keyblock *skey, struct sockaddr_in *saddr)
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
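Review bot: the new saddr parameter in the signature is undocumented. The comment block above the function should say that it is the peer address of the conversion request and whether NULL is accepted. The patch touches only krb524d.c and conv_tkt_skey.c, so any header prototype or other caller of krb524_convert_tkt_skey needs the same change.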
@@ -42,6 +44,7 @@
krb5_enc_tkt_part *v5etkt;
krb5_data *comp;
int ret, lifetime;
+ krb5_address **caddr, *good_addr = 0;
v5tkt->enc_part2 = NULL;
if (ret = krb5_decrypt_tkt_part(skey, v5tkt)) {
@@ -78,16 +81,25 @@
if (lifetime > 0xff)
lifetime = 0xff;
- /* XXX perhaps we should use the addr of the client host if */
- /* v5creds contains more than one addr. Q: Does V4 support */
- /* non-INET addresses? */
- if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
- v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
- if (krb524_debug)
- fprintf(stderr, "Invalid v5creds address information.\n");
- krb5_free_enc_tkt_part(v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADADDR;
+ for (caddr = v5etkt->caddrs; *caddr; caddr++) {
+ if (v5etkt->caddrs[0]->addrtype == ADDRTYPE_INET) {
+ if (! memcmp((*caddr)->contents, &saddr->sin_addr,
+ sizeof(saddr->sin_addr))) {
+ good_addr = *caddr;
+ break;
+ }
+ else if (! good_addr) {
+ good_addr = *caddr;
+ }
+ }
+ }
+
+ if (! good_addr) {
+ if (krb524_debug)
+ fprintf(stderr, "Invalid v5creds address information.\n");
+ krb5_free_enc_tkt_part(v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return KRB524_BADADDR;
}
if (krb524_debug)
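Review bot: in the new for loop the type test reads v5etkt->caddrs[0]->addrtype rather than (*caddr)->addrtype, so every entry is judged by the first entry's type. A non-INET entry later in the list can be compared and selected, and a ticket whose first address is non-INET returns KRB524_BADADDR even when an INET address follows. The loop also dereferences v5etkt->caddrs without the NULL check the removed code had (!v5etkt->caddrs), and the memcmp compares sizeof(saddr->sin_addr) bytes without looking at (*caddr)->length. Suggest guarding the loop with a check that v5etkt->caddrs is non-NULL, testing (*caddr)->addrtype == ADDRTYPE_INET, and requiring (*caddr)->length == sizeof(saddr->sin_addr) before the memcmp.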
@@ -102,7 +114,7 @@
pname,
pinst,
prealm,
- *((unsigned long *)v5etkt->caddrs[0]->contents),
+ *((unsigned long *)good_addr->contents),
v5etkt->session->contents,
lifetime,
/* issue_data */
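Review bot: *((unsigned long *)good_addr->contents) reads sizeof(unsigned long) bytes from a buffer that holds a 4-byte IPv4 address, which over-reads where long is wider than 32 bits and assumes contents is suitably aligned. Since this line is being changed anyway, copy the four bytes with memcpy into a 32-bit variable and pass that instead.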
>Audit-Trail:
>Unformatted:
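The selection rule from the Description (use the address the client connected from when the V5 ticket lists it), written as a standalone added example; it is not part of the report or of the krb524 source. The `ex_` names and the struct are constructed stand-ins for the krb5 address type, and the fall-back to the first IPv4 entry follows the behaviour of the patch above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the krb5 address type; not the real krb5 headers. */
#define EX_ADDRTYPE_INET 2
struct ex_address {
    int addrtype;
    unsigned int length;
    const unsigned char *contents;
};

/*
 * Choose the IPv4 address to place in the converted ticket.
 * addrs: NULL-terminated array of ticket addresses (may itself be NULL).
 * peer:  4-byte IPv4 address the request arrived from, network byte order.
 * Returns the entry equal to peer if it is listed, otherwise the first IPv4
 * entry, or NULL when the ticket has no usable IPv4 address.
 */
const struct ex_address *
ex_select_v4_addr(const struct ex_address *const *addrs,
                  const unsigned char peer[4])
{
    const struct ex_address *fallback = NULL;
    size_t i;

    if (addrs == NULL)
        return NULL;
    for (i = 0; addrs[i] != NULL; i++) {
        const struct ex_address *a = addrs[i];
        /* Judge each entry by its own type and length before comparing. */
        if (a->addrtype != EX_ADDRTYPE_INET || a->length != 4 ||
            a->contents == NULL)
            continue;
        if (peer != NULL && memcmp(a->contents, peer, 4) == 0)
            return a;
        if (fallback == NULL)
            fallback = a;
    }
    return fallback;
}

/* Copy the address out without width or alignment assumptions. */
uint32_t ex_addr_to_u32(const struct ex_address *a)
{
    uint32_t v;
    memcpy(&v, a->contents, sizeof(v));
    return v;
}
```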