krb5 commit: Avoid using internal APIs in sim_client
ghudson at mit.edu
ghudson at mit.edu
Mon Feb 27 23:29:19 EST 2023
https://github.com/krb5/krb5/commit/9139a60c94c24e41109574e84e7cda9c2dc3fb38
commit 9139a60c94c24e41109574e84e7cda9c2dc3fb38
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Feb 24 14:15:14 2023 -0500
Avoid using internal APIs in sim_client
In sim_client.c, remove the calls to krb5_gen_portaddr() and
krb5_gen_replay_name() as they don't do anything after commit
dcb853ac32779b173f39e19c0f24b0087de85771. Remove them, and include
krb5.h plus appropriate system headers rather than k5-int.h.
Also use a subkey when negotiating the auth context. Kerberos
application protocols should generally use subkeys to prevent
cross-connection replay attacks.
src/appl/simple/client/sim_client.c | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c
index 08f06abe5..ea1379e60 100644
--- a/src/appl/simple/client/sim_client.c
+++ b/src/appl/simple/client/sim_client.c
@@ -29,14 +29,17 @@
* This program performs no useful function.
*/
-#include <k5-int.h>
+#include <krb5.h>
#include "com_err.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
#include <netdb.h>
-#include <ctype.h>
+#include <getopt.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
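Review bot: The `#ifdef HAVE_UNISTD_H` guard kept as context right after the new includes depends on a configure-generated macro, and nothing in this hunk shows where that macro comes from once `k5-int.h` is no longer included. If `k5-int.h` was the header that pulled in the build configuration, this guard and the `#ifdef BROKEN_STREAMS_SOCKETS` block in the next hunk would silently become dead code rather than fail to compile. It is worth confirming that against the build. If the guard no longer has a source, include the header unconditionally like the newly added ones, `#include <unistd.h>`, or state in a comment where the macro is expected to be defined.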
@@ -66,7 +69,6 @@ main(int argc, char *argv[])
int flags = 0; /* flags for sendto() */
struct servent *serv;
struct hostent *host;
- char *cp;
#ifdef BROKEN_STREAMS_SOCKETS
char my_hostname[MAXHOSTNAMELEN];
#endif
@@ -85,7 +87,7 @@ main(int argc, char *argv[])
krb5_error_code retval;
krb5_data packet, inbuf;
krb5_ccache ccdef;
- krb5_address addr, *portlocal_addr;
+ krb5_address addr;
krb5_context context;
krb5_auth_context auth_context = NULL;
@@ -202,8 +204,9 @@ main(int argc, char *argv[])
exit(1);
}
- if ((retval = krb5_mk_req(context, &auth_context, 0, service, hostname,
- &inbuf, ccdef, &packet))) {
+ retval = krb5_mk_req(context, &auth_context, AP_OPTS_USE_SUBKEY, service,
+ hostname, &inbuf, ccdef, &packet);
+ if (retval) {
com_err(progname, retval, "while preparing AP_REQ");
exit(1);
}
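Review bot: The new `AP_OPTS_USE_SUBKEY` argument to `krb5_mk_req()` carries no comment, so the reason for it lives only in the commit message, and a sample client like this one tends to be copied into real applications. A short comment above the call would keep the rationale with the code, for example `/* Ask for a subkey so the protected messages that follow are keyed per connection, which prevents cross-connection replay. */`. Since the server side is not part of this change, it is also worth confirming that the matching sample server picks up the client-chosen subkey from its auth context when it verifies those messages. The body of main() starts and ends outside the hunk.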
@@ -251,20 +254,6 @@ main(int argc, char *argv[])
exit(1);
}
- /* THIS IS UGLY */
- if ((retval = krb5_gen_portaddr(context, &addr,
- (krb5_pointer) &c_sock.sin_port,
- &portlocal_addr))) {
- com_err(progname, retval, "while generating port address");
- exit(1);
- }
-
- if ((retval = krb5_gen_replay_name(context,portlocal_addr,
- "_sim_clt",&cp))) {
- com_err(progname, retval, "while generating replay cache name");
- exit(1);
- }
-
/* Make the safe message */
inbuf.data = message;
inbuf.length = strlen(message);