Subject: src/windows/ms2mit inserts local addresses into MS Tickets during conversion
Given the desire to move towards the use of addressless tickets, is it
appropriate to alter the behavior of the ms2mit.exe command? In this
command the function MSCredToMITCred() takes the addressless MS Ticket
and calls krb5_os_localaddr() to construct an address list. The
comments state this was done to prevent crashing in krb5_cc_store_cred()
because that function assumes the address list cannot be NULL. At the
very least there must be at least a null address.

The local address list is generated regardless of the user preferences
in the krb5 profile.

One of two proposed fixes should be applied:

(1) remove the call to krb5_os_localaddr() entirely, which will result in
the addressless tickets staying that way. A null address list would
need to be constructed in its place.

(2) check the krb5 profile to see if addressless tickets are being used.
If not, call krb5_os_localaddr(); otherwise construct a null address list.

I will design a patch as soon as the proper behavior is agreed to.
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1618] src/windows/ms2mit inserts local
From: Sam Hartman <hartmans@mit.edu>
Date: Wed, 18 Jun 2003 15:28:00 -0400
RT-Send-Cc:


I believe that the ticket should stay addressless. I do not believe
this is a blocker for 1.3 and as such should wait until 1.3.1.



The argument against checking the profile is that the ticket is
already addressless on the MS side of the universe.
Date: Fri, 20 Jun 2003 11:11:27 -0400 (EDT)
From: Sam Hartman <hartmans@MIT.EDU>
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #1618]Addressless tickets and ms2mit
RT-Send-Cc:

Hi, Jeff. We are going to end up needing another beta for 1.3. If
you want to get this into 1.3 we probably can. We would need a fix by
Monday.


After thinking about this more, I continue to believe the ticket
should be addressless all the time in the MIT cache. My previous
reasons still apply, but I also believe that it is wrong to mark the
ticket as addressful in the ccapi cache but not to actually add
addresses to the encrypted part of the ticket.
Date: Fri, 20 Jun 2003 14:00:46 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #1618]Addressless tickets and ms2mit
RT-Send-Cc:

I agree wholeheartedly.

I will comment out the code that adds addresses and replace it with a
properly constructed null-address list.

I will add a patch to the issue this afternoon.

- Jeff



Sam Hartman via RT wrote:

>Hi, Jeff. We are going to end up needing another beta for 1.3. If
>you want to get this into 1.3 we probably can. We would need a fix by
>Monday.
>
>
>After thinking about this more, I continue to believe the ticket
>should be addressless all the time in the MIT cache. My previous
>reasons still apply, but I also believe that it is wrong to mark the
>ticket as addressful in the ccapi cache but not to actually add
>addresses to the encrypted part of the ticket.
>
>
>

RT-Send-CC: tlyu@mit.edu
Here is the patch. Please apply for 1.3.

Index: ms2mit.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/windows/ms2mit/ms2mit.c,v
retrieving revision 1.2
diff -r1.2 ms2mit.c
267,271c267,271
< // krb5_cc_store_cred crashes downstream if creds->addresses is NULL.
< // unfortunately, the MS interface doesn't seem to return a list of
< // addresses as part of the credentials information. for now i'll just
< // use krb5_os_localaddr to mock up the address list. is this
sufficient?
< krb5_os_localaddr(context, &creds->addresses);
---
> /* MS Tickets are addressless. MIT requires an empty address
> * not a NULL list of addresses.
> */
> creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));
> memset(creds->addresses, 0, sizeof(krb5_address *));
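Review bot: on the added `creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *));` line and the memset() that follows it, the malloc() result is used without a NULL check, so an allocation failure is dereferenced by memset() in the same spot where the removed comment warned that a NULL creds->addresses crashes downstream. Check the return value and fail the conversion on NULL, or use calloc(1, sizeof(krb5_address *)) with the same check, which also makes the separate memset() unnecessary. The new comment would be clearer if it said the list consists of a single NULL terminator entry, since "empty address" and "NULL list of addresses" are easy to confuse.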
Index: ChangeLog
===================================================================
RCS file: /cvs/krbdev/krb5/src/windows/ms2mit/ChangeLog,v
retrieving revision 1.3
diff -r1.3 ChangeLog
0a1,7
> 2003-06-20 Jeffrey Altman <jaltman@mit.edu>
>
> * ms2mit.c: Windows Credentials are addressless. Do not store
> the credentials in the MIT cache with addresses since they
> do not contain addresses in the encrypted portion of the
> credential. Instead generate a valid empty address list.
>
From: tlyu@mit.edu
Subject: CVS Commit
apply patch from jaltman:

* ms2mit.c: Windows Credentials are addressless. Do not store the
credentials in the MIT cache with addresses since they do not
contain addresses in the encrypted portion of the credential.
Instead generate a valid empty address list.


To generate a diff of this commit:



cvs diff -r1.3 -r1.4 krb5/src/windows/ms2mit/ChangeLog
cvs diff -r1.2 -r1.3 krb5/src/windows/ms2mit/ms2mit.c
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r1.3 -r1.3.2.1 krb5/src/windows/ms2mit/ChangeLog
cvs diff -r1.2 -r1.2.2.1 krb5/src/windows/ms2mit/ms2mit.c