svn rev #22331: branches/krb5-1-7/src/lib/krb5/krb/

tlyu@MIT.EDU tlyu at MIT.EDU
Mon May 11 16:55:45 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22331
Commit By: tlyu
Log Message:
ticket: 6478
version_fixed: 1.7

pull up r22283, r22288 from trunk.  r22283 was not originally part of
this ticket but is a prereq for the mk_cred.c change.

 ------------------------------------------------------------------------
 r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/mk_cred.c
    M /trunk/src/lib/krb5/krb/mk_priv.c
    M /trunk/src/lib/krb5/krb/mk_safe.c

 ticket: 6478
 subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred

 Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in
 krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as
 a baseline.  RET_SEQUENCE now implies DO_SEQUENCE for all three
 functions, the sequence number is always incremented if it is used,
 and outdata->seq is always set if RET_SEQUENCE is passed.

 Note that in the corresponding rd_ functions, RET_SEQUENCE and
 DO_SEQUENCE are independent flags, which is not consistent with the
 above.  This compromise is intended to preserve compatibility with
 any working code which might exist using the RET_SEQUENCE flag.
 ------------------------------------------------------------------------
 r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/mk_cred.c

 Fix a few memory leaks in krb5_mk_ncred.  Also tighten up the error
 handling of the sequence number, only decreasing it if it was
 increased.  The handling of DO_SEQUENCE and RET_SEQUENCE may still be
 flawed in some cases.


Changed Files:
U   branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c
U   branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c
U   branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c
Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c	2009-05-11 20:55:28 UTC (rev 22330)
+++ branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c	2009-05-11 20:55:45 UTC (rev 22331)
@@ -162,14 +162,14 @@
     krb5_replay_data    replaydata;
     krb5_cred 		 * pcred;
     krb5_int32		ncred;
+    krb5_boolean increased_sequence = FALSE;
 
     local_fulladdr.contents = 0;
     remote_fulladdr.contents = 0;
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
-    if (ppcreds == NULL) {
+    if (ppcreds == NULL)
     	return KRB5KRB_AP_ERR_BADADDR;
-    }
 
     /*
      * Allocate memory for a NULL terminated list of tickets.
@@ -183,8 +183,8 @@
     if ((pcred->tickets 
 	 = (krb5_ticket **)calloc((size_t)ncred+1,
 				  sizeof(krb5_ticket *))) == NULL) {
-	free(pcred);
-	return ENOMEM;
+	retval = ENOMEM;
+	goto error;
     }
 
     /* Get keyblock */
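Review bot: The new `goto error` on the tickets allocation failure reaches `krb5_free_cred(context, pcred)` with `pcred->tickets` NULL and every other member untouched. That is only safe if pcred was zero-filled when it was allocated and krb5_free_cred tolerates a NULL ticket list. Neither is visible in this hunk, so both should be confirmed. A short comment at the jump would record the dependency, for example `/* error path frees pcred; relies on pcred having been zeroed above */`. The enclosing function starts and ends outside the hunk.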
@@ -193,30 +193,32 @@
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
-      (auth_context->rcache == NULL))
-        return KRB5_RC_REQUIRED;
+	(auth_context->rcache == NULL)) {
+	retval = KRB5_RC_REQUIRED;
+	goto error;
+    }
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
-      (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
-      (outdata == NULL))
+	 (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+	&& (outdata == NULL)) {
         /* Need a better error */
-        return KRB5_RC_REQUIRED;
+	retval = KRB5_RC_REQUIRED;
+	goto error;
+    }
 
     if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
 				    &replaydata.usec)))
-	return retval;
+	goto error;
     if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
 	outdata->timestamp = replaydata.timestamp;
 	outdata->usec = replaydata.usec;
     }
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
         (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
-        replaydata.seq = auth_context->local_seq_number;
-        if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-            auth_context->local_seq_number++;
-        } else {
+        replaydata.seq = auth_context->local_seq_number++;
+	increased_sequence = TRUE;
+        if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
             outdata->seq = replaydata.seq;
-        }
     }
 
     if (auth_context->local_addr) {
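Review bot: The block at `replaydata.seq = auth_context->local_seq_number++;` has no comment saying that RET_SEQUENCE on its own now advances the local sequence number. The log message calls this a deliberate compromise that differs from the rd_ functions, where the two flags are independent, and a maintainer reading only the code could take the asymmetry for a bug. I would add above the `if`: `/* RET_SEQUENCE implies DO_SEQUENCE on the mk_ side (unlike rd_); kept for compatibility. */`. The same comment is missing from the matching hunks in mk_priv.c and mk_safe.c. The function body continues outside this hunk.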
@@ -273,15 +275,12 @@
     retval = encode_krb5_cred(pcred, ppdata);
 
 error:
-    if (local_fulladdr.contents)
-	free(local_fulladdr.contents);
-    if (remote_fulladdr.contents)
-	free(remote_fulladdr.contents);
+    free(local_fulladdr.contents);
+    free(remote_fulladdr.contents);
     krb5_free_cred(context, pcred);
 
     if (retval) {
-	if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) 
-	 || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+	if (increased_sequence)
             auth_context->local_seq_number--;
     }
     return retval;
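Review bot: On failure the rollback `auth_context->local_seq_number--` leaves `outdata->seq`, `outdata->timestamp` and `outdata->usec` as they were stored earlier in the function. A caller that reads outdata after a non-zero return therefore holds a sequence number that the next successful message will reuse. The contract should be stated at the `error:` label, for example `/* outdata is not meaningful when retval != 0; the sequence number is rolled back */`. Alternatively the outdata stores could be deferred until after `encode_krb5_cred` succeeds, though that reorders code outside this hunk.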

Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c	2009-05-11 20:55:28 UTC (rev 22330)
+++ branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c	2009-05-11 20:55:45 UTC (rev 22331)
@@ -151,12 +151,9 @@
     }
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
 	(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
-	replaydata.seq = auth_context->local_seq_number;
-	if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-	    auth_context->local_seq_number++;
-	} else {
+	replaydata.seq = auth_context->local_seq_number++;
+	if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
     	    outdata->seq = replaydata.seq;
-	}
     }
 
 {
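Review bot: The matching rollback for `replaydata.seq = auth_context->local_seq_number++;` is not visible in this hunk, because the error path of the enclosing function lies outside it. mk_cred.c gained `increased_sequence` in this commit so that the decrement runs only after the increment has actually happened. If the cleanup here still decrements based on the flags alone, any `goto` taken before this block would move `local_seq_number` backwards and let a sequence number be reused. Confirm that every earlier failure returns directly, or track the increment with a local flag as mk_cred.c does.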

Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c
===================================================================
--- branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c	2009-05-11 20:55:28 UTC (rev 22330)
+++ branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c	2009-05-11 20:55:45 UTC (rev 22331)
@@ -152,9 +152,8 @@
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
 	(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
 	replaydata.seq = auth_context->local_seq_number++;
-	if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) {
+	if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
     	    outdata->seq = replaydata.seq;
-	}
     } 
 
 {



