svn rev #25355: trunk/src/lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Sat Oct 15 12:56:26 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25355
Commit By: ghudson
Log Message:
ticket: 6978
subject: Allow rd_priv/rd_safe without remote address
Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote
address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES
flag is set (in which case we need the remote address for the replay
cache name). Note that failing to set the remote address can create a
vulnerability to reflection attacks in some protocols, although it is
fairly easy to defend against--either use sequence numbers, or make
sure that requests don't look like replies, or both.
Changed Files:
U trunk/src/lib/krb5/krb/privsafe.c
U trunk/src/lib/krb5/krb/rd_priv.c
U trunk/src/lib/krb5/krb/rd_safe.c
Modified: trunk/src/lib/krb5/krb/privsafe.c
===================================================================
--- trunk/src/lib/krb5/krb/privsafe.c 2011-10-15 16:31:00 UTC (rev 25354)
+++ trunk/src/lib/krb5/krb/privsafe.c 2011-10-15 16:56:26 UTC (rev 25355)
@@ -208,14 +208,17 @@
local_fulladdr.contents = remote_fulladdr.contents = NULL;
/* Determine the remote comparison address. */
- if (ac->remote_port != NULL) {
- ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port,
- &remote_fulladdr);
- if (ret)
- goto cleanup;
- remote_addr = &remote_fulladdr;
+ if (ac->remote_addr != NULL) {
+ if (ac->remote_port != NULL) {
+ ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port,
+ &remote_fulladdr);
+ if (ret)
+ goto cleanup;
+ remote_addr = &remote_fulladdr;
+ } else
+ remote_addr = ac->remote_addr;
} else
- remote_addr = ac->remote_addr;
+ remote_addr = NULL;
/* Determine the local comparison address (possibly NULL). */
if (ac->local_addr != NULL) {
@@ -231,7 +234,8 @@
local_addr = NULL;
/* Check the remote address against the message's sender address. */
- if (!krb5_address_compare(context, remote_addr, msg_s_addr)) {
+ if (remote_addr != NULL &&
+ !krb5_address_compare(context, remote_addr, msg_s_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
goto cleanup;
}
Modified: trunk/src/lib/krb5/krb/rd_priv.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_priv.c 2011-10-15 16:31:00 UTC (rev 25354)
+++ trunk/src/lib/krb5/krb/rd_priv.c 2011-10-15 16:56:26 UTC (rev 25355)
@@ -133,7 +133,8 @@
/* Need a better error */
return KRB5_RC_REQUIRED;
- if (!auth_context->remote_addr)
+ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+ (auth_context->remote_addr == NULL))
return KRB5_REMOTE_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
Modified: trunk/src/lib/krb5/krb/rd_safe.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_safe.c 2011-10-15 16:31:00 UTC (rev 25354)
+++ trunk/src/lib/krb5/krb/rd_safe.c 2011-10-15 16:56:26 UTC (rev 25355)
@@ -146,12 +146,13 @@
return KRB5_RC_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+ (auth_context->remote_addr == NULL))
+ return KRB5_REMOTE_ADDR_REQUIRED;
+
+ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
(auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
- if (!auth_context->remote_addr)
- return KRB5_REMOTE_ADDR_REQUIRED;
-
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
key = auth_context->key;
More information about the cvs-krb5
mailing list