[2908] in Kerberos-V5-bugs


krb5-kdc/576: krb524d address selection

daemon@ATHENA.MIT.EDU (ghudson@MIT.EDU)
Wed Mar 25 12:21:08 1998

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, ghudson@MIT.EDU
Date: Wed, 25 Mar 1998 12:20:23 -0500
From: ghudson@MIT.EDU
Reply-To: ghudson@MIT.EDU
To: krb5-bugs@MIT.EDU


>Number:         576
>Category:       krb5-kdc
>Synopsis:       krb524d should prefer requesting address
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Wed Mar 25 12:21:00 EST 1998
>Last-Modified:
>Originator:     Greg Hudson
>Organization:
MIT
>Release:        1.0pl1
>Environment:
	
System: SunOS small-gods 5.5.1 Generic_103640-12 sun4u sparc SUNW,Ultra-1
Architecture: sun4

>Description:
Right now krb524d picks an address for the krb4 ticket by grabbing the
first address from the krb5 ticket and erroring out if it's not an IPv4
address.  This is not a very good heuristic.
>How-To-Repeat:
>Fix:
This patch should make krb524 pick:

	* The address the request was sent from, if it's an IPv4 address
	  listed in the krb5 ticket.
	* The first IPv4 address in the krb5 ticket.

Unfortunately, I don't have any good way of testing a krb524d, so this
patch has not been tested (other than making sure it compiles).  I'm
submitting it in the hopes that someone else can test it.

Index: cnv_tkt_skey.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/cnv_tkt_skey.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 cnv_tkt_skey.c
*** cnv_tkt_skey.c	1997/01/21 09:24:01	1.1.1.2
--- cnv_tkt_skey.c	1998/03/23 17:40:55
***************
*** 56,72 ****
   * Convert a v5 ticket for server to a v4 ticket, using service key
   * skey for both.
   */
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
       krb5_context context;
       krb5_ticket *v5tkt;
       KTEXT_ST *v4tkt;
       krb5_keyblock *v5_skey, *v4_skey;
  {
       char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
       char sname[ANAME_SZ], sinst[INST_SZ];
       krb5_enc_tkt_part *v5etkt;
!      int ret, lifetime, deltatime;
       krb5_timestamp server_time;
  
       v5tkt->enc_part2 = NULL;
       if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
--- 56,74 ----
   * Convert a v5 ticket for server to a v4 ticket, using service key
   * skey for both.
   */
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, saddr)
       krb5_context context;
       krb5_ticket *v5tkt;
       KTEXT_ST *v4tkt;
       krb5_keyblock *v5_skey, *v4_skey;
+      struct sockaddr *saddr;
  {
       char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
       char sname[ANAME_SZ], sinst[INST_SZ];
       krb5_enc_tkt_part *v5etkt;
!      int ret, lifetime, deltatime, i, have_addr;
       krb5_timestamp server_time;
+      struct in_addr tkt_addr;
  
       v5tkt->enc_part2 = NULL;
       if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
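Review bot: The header comment above `krb524_convert_tkt_skey` is left unchanged and says nothing about the new `saddr` argument, which the next hunk dereferences unconditionally (`saddr->sa_family`). Document the contract in that comment, for example `* saddr is the address the request arrived from; it must not be NULL and is used only to choose among the addresses already listed in the v5 ticket.`, or guard the dereference with `if (saddr && saddr->sa_family == AF_INET && v5etkt->caddrs)`. The argument is only read, so `const struct sockaddr *saddr` would state that in the signature. Any caller other than the krb524d.c call site updated in this patch would also need the extra argument; none is visible here. The function body continues outside this hunk.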
***************
*** 133,143 ****
  	    return KRB5KRB_AP_ERR_TKT_NYV;
       }
  
!      /* XXX perhaps we should use the addr of the client host if */
!      /* v5creds contains more than one addr.  Q: Does V4 support */
!      /* non-INET addresses? */
!      if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
! 	 v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
  	  if (krb524_debug)
  	       fprintf(stderr, "Invalid v5creds address information.\n");
  	  krb5_free_enc_tkt_part(context, v5etkt);
--- 135,174 ----
  	    return KRB5KRB_AP_ERR_TKT_NYV;
       }
  
!      /* Look for the address the request came from (assuming it's an IP
!       * address) in the list of addresses in v5etkt.  If we find it,
!       * prefer that address over others. */
!      have_addr = 0;
!      if (saddr->sa_family == AF_INET && v5etkt->caddrs) {
! 	  memcpy(&tkt_addr, &((struct sockaddr_in *)saddr)->sin_addr,
! 		 sizeof(tkt_addr));
! 	  for (i = 0; v5etkt->caddrs[i]; i++) {
! 	       if (v5etkt->caddrs[i]->addrtype != ADDRTYPE_INET)
! 		    continue;
! 	       if (*((unsigned long *)v5etkt->caddrs[i]->contents)
! 		   == tkt_addr.s_addr) {
! 		    have_addr = 1;
! 		    break;
! 	       }
! 	  }
!      }
! 
!      /* If we didn't find the request address in v5etkt->caddrs, just
!       * pick the first IP address. */
!      if (!have_addr && v5etkt->caddrs) {
! 	  for (i = 0; v5etkt->caddrs[i]; i++) {
! 	       if (v5etkt->caddrs[i]->addrtype == ADDRTYPE_INET) {
! 		    memcpy(&tkt_addr, v5etkt->caddrs[i]->contents,
! 			   sizeof(tkt_addr));
! 		    have_addr = 1;
! 		    break;
! 	       }
! 	  }
!      }
! 
!      /* If there aren't any IP addresses listed in the ticket, we
!       * can't make a krb5 ticket. */
!      if (!have_addr) {
  	  if (krb524_debug)
  	       fprintf(stderr, "Invalid v5creds address information.\n");
  	  krb5_free_enc_tkt_part(context, v5etkt);
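Review bot: The comparison `*((unsigned long *)v5etkt->caddrs[i]->contents) == tkt_addr.s_addr` in the first loop reads `sizeof(unsigned long)` bytes through a cast pointer, which is 8 bytes on LP64 systems and so reads past a 4-byte address, and neither loop checks `caddrs[i]->length` before reading or copying `sizeof(tkt_addr)` bytes. Because the v4 ticket's address binding is taken from this value, compare exactly four bytes instead: `if (v5etkt->caddrs[i]->length == sizeof(tkt_addr) && memcmp(v5etkt->caddrs[i]->contents, &tkt_addr, sizeof(tkt_addr)) == 0)`, and add the same `length` test before the `memcpy` in the fallback loop. The last new comment says "can't make a krb5 ticket" where a krb4 ticket is meant. The function starts and ends outside this hunk.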
***************
*** 157,163 ****
  			     pname,
  			     pinst,
  			     prealm,
! 			     *((unsigned long *)v5etkt->caddrs[0]->contents),
  			     (char *) v5etkt->session->contents,
  			     lifetime,
  			     /* issue_data */
--- 188,194 ----
  			     pname,
  			     pinst,
  			     prealm,
! 			     tkt_addr.s_addr,
  			     (char *) v5etkt->session->contents,
  			     lifetime,
  			     /* issue_data */
Index: krb524.h
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524.h,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 krb524.h
*** krb524.h	1996/09/12 04:43:50	1.1.1.1
--- krb524.h	1998/03/23 17:37:58
***************
*** 28,38 ****
  
  #include "krb524_err.h"
  
  extern int krb524_debug;
  
  int krb524_convert_tkt_skey
  	KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt, 
! 		   krb5_keyblock *v5_skey, krb5_keyblock *v4_skey));
  
  /* conv_princ.c */
  
--- 28,41 ----
  
  #include "krb524_err.h"
  
+ struct sockaddr;
+ 
  extern int krb524_debug;
  
  int krb524_convert_tkt_skey
  	KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt, 
! 		   krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
! 		   struct sockaddr *saddr));
  
  /* conv_princ.c */
  
Index: krb524d.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524d.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 krb524d.c
*** krb524d.c	1997/01/21 09:24:06	1.1.1.2
--- krb524d.c	1998/03/23 17:14:53
***************
*** 292,298 ****
  	  printf("service key retrieved\n");
  
       ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! 				   &v4_service_key);
       if (ret)
  	  goto error;
  
--- 292,298 ----
  	  printf("service key retrieved\n");
  
       ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! 				   &v4_service_key, &saddr);
       if (ret)
  	  goto error;
  
>Audit-Trail:
>Unformatted:
