RT/krbdev.mit.edu: Ticket #576 krb524d should prefer requesting address
The Basics
Id: 576
Status: new
Worked: 0 min
Priority: 25/
Queue: krb5


Keyword Selections
Component: krb5-kdc
Version_reported: Not set
Version_Fixed: Not set
Target_Version: Not set
Tags: enhancement


 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Wed Mar 25 12:21:00 1998
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Fri Jan 9 16:56:08 2004 by hartmans
 

People
Owner: Nobody
Requestors: ghudson@mit.edu
Cc:
AdminCc:



History
      Mon Aug 19 14:15:56 2002  RT_System - Default: Import/ changed from to    
     
From ghudson@MIT.EDU  Wed Mar 25 12:20:28 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU
(8.7.5/8.7.3) with SMTP id MAA05709 for <bugs@RT-11.MIT.EDU>; Wed, 25 Mar 1998
12:20:28 -0500
Received: from SMALL-GODS.MIT.EDU by MIT.EDU with SMTP
	id AA12016; Wed, 25 Mar 98 12:21:01 EST
Received: by small-gods.MIT.EDU (SMI-8.6/4.7) id MAA21275; Wed, 25 Mar 1998 12:20:23
-0500
Message-Id: <199803251720.MAA21275@small-gods.MIT.EDU>
Date: Wed, 25 Mar 1998 12:20:23 -0500
From: ghudson@MIT.EDU
Reply-To: ghudson@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: krb524d address selection
X-Send-Pr-Version: 3.99

>Number:         576
>Category:       krb5-kdc
>Synopsis:       krb524d should prefer requesting address
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Wed Mar 25 12:21:00 EST 1998
>Last-Modified:
>Originator:     Greg Hudson
>Organization:
MIT
>Release:        1.0pl1
>Environment:

System: SunOS small-gods 5.5.1 Generic_103640-12 sun4u sparc SUNW,Ultra-1
Architecture: sun4

>Description:
Right now krb524d picks an address for the krb4 ticket by grabbing the
first address from the krb5 ticket and erroring out if it's not an IPv4
address.  This is not a very good heuristic.
>How-To-Repeat:
>Fix:
This patch should make krb524 pick:

	* The address the request was sent from, if it's an IPv4 address
	  listed in the krb5 ticket.
	* The first IPv4 address in the krb5 ticket.

Unfortunately, I don't have any good way of testing a krb524d, so this
patch has not been tested (other than making sure it compiles).  I'm
submitting it in the hopes that someone else can test it.

Index: cnv_tkt_skey.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/cnv_tkt_skey.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 cnv_tkt_skey.c
*** cnv_tkt_skey.c	1997/01/21 09:24:01	1.1.1.2
--- cnv_tkt_skey.c	1998/03/23 17:40:55
***************
*** 56,72 ****
   * Convert a v5 ticket for server to a v4 ticket, using service key
   * skey for both.
   */
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
       krb5_context context;
       krb5_ticket *v5tkt;
       KTEXT_ST *v4tkt;
       krb5_keyblock *v5_skey, *v4_skey;
  {
       char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
       char sname[ANAME_SZ], sinst[INST_SZ];
       krb5_enc_tkt_part *v5etkt;
!      int ret, lifetime, deltatime;
       krb5_timestamp server_time;

       v5tkt->enc_part2 = NULL;
       if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
--- 56,74 ----
   * Convert a v5 ticket for server to a v4 ticket, using service key
   * skey for both.
   */
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, saddr)
       krb5_context context;
       krb5_ticket *v5tkt;
       KTEXT_ST *v4tkt;
       krb5_keyblock *v5_skey, *v4_skey;
+      struct sockaddr *saddr;
  {
       char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
       char sname[ANAME_SZ], sinst[INST_SZ];
       krb5_enc_tkt_part *v5etkt;
!      int ret, lifetime, deltatime, i, have_addr;
       krb5_timestamp server_time;
+      struct in_addr tkt_addr;

       v5tkt->enc_part2 = NULL;
       if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
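Review bot: the new `saddr` parameter is undocumented; the function comment at the top of this hunk still reads "Convert a v5 ticket for server to a v4 ticket, using service key skey for both." and says nothing about the sixth argument. Add a line stating that `saddr` is the address the request arrived from, whether NULL is permitted, and that only AF_INET is consulted. `tkt_addr` is also declared here without an initializer, which is only safe because the later hunk returns before the krb_create_ticket call whenever `have_addr` is 0; a short comment next to the declaration tying the two together would help the next reader.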
***************
*** 133,143 ****
  	    return KRB5KRB_AP_ERR_TKT_NYV;
       }

!      /* XXX perhaps we should use the addr of the client host if */
!      /* v5creds contains more than one addr.  Q: Does V4 support */
!      /* non-INET addresses? */
!      if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
! 	 v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
  	  if (krb524_debug)
  	       fprintf(stderr, "Invalid v5creds address information.\n");
  	  krb5_free_enc_tkt_part(context, v5etkt);
--- 135,174 ----
  	    return KRB5KRB_AP_ERR_TKT_NYV;
       }

!      /* Look for the address the request came from (assuming it's an IP
!       * address) in the list of addresses in v5etkt.  If we find it,
!       * prefer that address over others. */
!      have_addr = 0;
!      if (saddr->sa_family == AF_INET && v5etkt->caddrs) {
! 	  memcpy(&tkt_addr, &((struct sockaddr_in *)saddr)->sin_addr,
! 		 sizeof(tkt_addr));
! 	  for (i = 0; v5etkt->caddrs[i]; i++) {
! 	       if (v5etkt->caddrs[i]->addrtype != ADDRTYPE_INET)
! 		    continue;
! 	       if (*((unsigned long *)v5etkt->caddrs[i]->contents)
! 		   == tkt_addr.s_addr) {
! 		    have_addr = 1;
! 		    break;
! 	       }
! 	  }
!      }
!
!      /* If we didn't find the request address in v5etkt->caddrs, just
!       * pick the first IP address. */
!      if (!have_addr && v5etkt->caddrs) {
! 	  for (i = 0; v5etkt->caddrs[i]; i++) {
! 	       if (v5etkt->caddrs[i]->addrtype == ADDRTYPE_INET) {
! 		    memcpy(&tkt_addr, v5etkt->caddrs[i]->contents,
! 			   sizeof(tkt_addr));
! 		    have_addr = 1;
! 		    break;
! 	       }
! 	  }
!      }
!
!      /* If there aren't any IP addresses listed in the ticket, we
!       * can't make a krb5 ticket. */
!      if (!have_addr) {
  	  if (krb524_debug)
  	       fprintf(stderr, "Invalid v5creds address information.\n");
  	  krb5_free_enc_tkt_part(context, v5etkt);
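Review bot: `saddr->sa_family` is dereferenced unconditionally in the first new block; since the header now exports `saddr` as a plain `struct sockaddr *`, a caller passing NULL crashes the daemon, so either guard with `saddr && saddr->sa_family == AF_INET` or document that NULL is forbidden. In the same loop, `*((unsigned long *)v5etkt->caddrs[i]->contents) == tkt_addr.s_addr` reads sizeof(unsigned long) bytes from `contents` without checking `length`, which over-reads a short entry and can fault on an unaligned `contents` on the reporter's SPARC; the fallback loop already does it the safe way with `memcpy(&tkt_addr, v5etkt->caddrs[i]->contents, sizeof(tkt_addr))`, so use the same memcpy plus a `length == sizeof(tkt_addr)` test in both loops. Minor: the comment "we can't make a krb5 ticket" should read "krb4 ticket".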
***************
*** 157,163 ****
  			     pname,
  			     pinst,
  			     prealm,
! 			     *((unsigned long *)v5etkt->caddrs[0]->contents),
  			     (char *) v5etkt->session->contents,
  			     lifetime,
  			     /* issue_data */
--- 188,194 ----
  			     pname,
  			     pinst,
  			     prealm,
! 			     tkt_addr.s_addr,
  			     (char *) v5etkt->session->contents,
  			     lifetime,
  			     /* issue_data */
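Review bot: passing `tkt_addr.s_addr` here keeps the value in the same byte order the old `*((unsigned long *)v5etkt->caddrs[0]->contents)` read produced, because both loops fill `tkt_addr` with a raw memcpy of the ticket bytes, so no ntohl/htonl is needed; a one-line comment saying the address is deliberately left in network order would stop a later reader from "fixing" it.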
Index: krb524.h
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524.h,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 krb524.h
*** krb524.h	1996/09/12 04:43:50	1.1.1.1
--- krb524.h	1998/03/23 17:37:58
***************
*** 28,38 ****

  #include "krb524_err.h"

  extern int krb524_debug;

  int krb524_convert_tkt_skey
  	KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
! 		   krb5_keyblock *v5_skey, krb5_keyblock *v4_skey));

  /* conv_princ.c */

--- 28,41 ----

  #include "krb524_err.h"

+ struct sockaddr;
+
  extern int krb524_debug;

  int krb524_convert_tkt_skey
  	KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
! 		   krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
! 		   struct sockaddr *saddr));

  /* conv_princ.c */

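Review bot: the forward declaration `struct sockaddr;` keeps krb524.h free of <sys/socket.h>, which is right for a public header, but the prototype gives no hint of what `saddr` is or whether NULL is accepted; add a comment above `krb524_convert_tkt_skey` stating that it is the peer address the request was received from and that it is consulted only when `sa_family == AF_INET`, so that other callers of the library function (not just krb524d) know what to pass.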
Index: krb524d.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524d.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 krb524d.c
*** krb524d.c	1997/01/21 09:24:06	1.1.1.2
--- krb524d.c	1998/03/23 17:14:53
***************
*** 292,298 ****
  	  printf("service key retrieved\n");

       ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! 				   &v4_service_key);
       if (ret)
  	  goto error;

--- 292,298 ----
  	  printf("service key retrieved\n");

       ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! 				   &v4_service_key, &saddr);
       if (ret)
  	  goto error;

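Review bot: the hunk passes `&saddr` but does not show where `saddr` is declared or filled; confirm it is the peer address returned for this request and not a stale value from an earlier one, and if it is declared as `struct sockaddr_in` the call needs a `(struct sockaddr *)` cast to match the new prototype in krb524.h.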
>Audit-Trail:
>Unformatted:


      Mon Aug 19 14:15:56 2002  RT_System - Tags enhancement added    
      Mon Aug 19 14:15:56 2002  RT_System - Component krb5-kdc added    
      Fri Jan  9 16:56:07 2004  hartmans - Subject changed from krb524d should prefer requesting address to preauth