[481] in Kerberos-V5-bugs
Re: krb5_rd_safe only checks sender address when NOTIME isn't set
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue May 24 17:43:13 1994
Date: Tue, 24 May 94 17:42:52 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Jonathan I. Kamens" <jik@security.ov.com>
Cc: krb5-bugs@MIT.EDU
In-Reply-To: "[429] in Kerberos-V5-bugs"
[0429] daemon@ATHENA.MIT.EDU (Jonathan I. Kamens) Kerberos-V5-bugs 03/04/94 13:34 (20 lines)
Date: Fri, 4 Mar 1994 13:34:10 -0500
From: "Jonathan I. Kamens" <jik@security.ov.com>
When safe_flags & KRB5_SAFE_NOTIME is false in a call to
krb5_rd_safe, it checks three things:
1. That the message is within the allowable clock skew.
2. That the sender address in the message matches the sender address
passed in.
3. That the message does not appear in the replay cache.
It seems to me that although clock skew and replays are reasonable
things to only check if NOTIME is false, there's no reason for the
sender address to be checked only in that situation, i.e., I believe
that the sender address should always be checked.
I've made the following changes to krb5_rd_safe and krb5_rd_priv:
The sender address is now always checked against sender_addr. The
receiver address is checked against recv_addr if recv_addr is
non-NULL, or against the list of local addresses as returned by
krb5_os_localaddr().
The API document will be updated to reflect these changes.
- Ted
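
A simplified model of the two behaviours discussed in this thread, added here as an illustration; it is not MIT Kerberos source. The types, return codes, function names and the `SAFE_NOTIME` value are assumptions, the replay cache is reduced to a flag, and the `local` array stands in for the list krb5_os_localaddr() would return.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_NOTIME 0x1 /* stand-in for KRB5_SAFE_NOTIME; value is assumed */
enum { RD_OK = 0, RD_SKEW, RD_BADADDR, RD_REPLAY }; /* hypothetical codes */

typedef struct { int type; size_t len; unsigned char bytes[16]; } addr_t;
typedef struct {
    addr_t s_address, r_address; /* addresses carried inside the message */
    long timestamp;              /* sender's timestamp, in seconds */
    int seen_before;             /* constructed stand-in for a replay-cache hit */
} safe_msg_t;

static int addr_eq(const addr_t *a, const addr_t *b) {
    return a->type == b->type && a->len == b->len &&
           memcmp(a->bytes, b->bytes, a->len) == 0;
}

/* Reported behaviour: all three checks sit behind the NOTIME gate, so a
 * caller that sets NOTIME never has the sender address compared. */
int check_reported(const safe_msg_t *m, int flags, const addr_t *sender_addr,
                   long now, long skew) {
    if (flags & SAFE_NOTIME) return RD_OK;
    if (labs(m->timestamp - now) > skew) return RD_SKEW;
    if (!addr_eq(&m->s_address, sender_addr)) return RD_BADADDR;
    return m->seen_before ? RD_REPLAY : RD_OK;
}

/* Behaviour after the change: address checks run unconditionally; only the
 * clock-skew and replay checks remain conditional on NOTIME. */
int check_fixed(const safe_msg_t *m, int flags, const addr_t *sender_addr,
                const addr_t *recv_addr, const addr_t *local, size_t nlocal,
                long now, long skew) {
    int ok = 0;
    size_t i;
    if (!addr_eq(&m->s_address, sender_addr)) return RD_BADADDR;
    if (recv_addr != NULL)          /* caller named the receiver address */
        ok = addr_eq(&m->r_address, recv_addr);
    else                            /* otherwise accept any local address */
        for (i = 0; i < nlocal && !ok; i++)
            ok = addr_eq(&m->r_address, &local[i]);
    if (!ok) return RD_BADADDR;
    if (flags & SAFE_NOTIME) return RD_OK;
    if (labs(m->timestamp - now) > skew) return RD_SKEW;
    return m->seen_before ? RD_REPLAY : RD_OK;
}
```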