From jik@cam.ov.com Wed Dec 4 22:00:56 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA03355 for <bugs@RT-11.MIT.EDU>; Wed, 4 Dec 1996 22:00:55 -0500
Received: from pad-thai.cam.ov.com by MIT.EDU with SMTP
id AB18756; Wed, 4 Dec 96 22:00:53 EST
Received: from gza-client1.cam.ov.com by pad-thai.cam.ov.com (8.7.5/) with SMTP
id <DAA22855@pad-thai.cam.ov.com>; Thu, 5 Dec 1996 03:00:51 GMT
Received: by gza-client1.cam.ov.com (8.6.10/4.7) id WAA28662; Wed, 4 Dec 1996 22:00:51 -0500
Message-Id: <199612050300.WAA28662@gza-client1.cam.ov.com>
Date: Wed, 4 Dec 1996 22:00:51 -0500
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Reply-To: jik@cam.ov.com
To: mit-gnats@cam.ov.com
Subject: krb524d needs to put actual client address in V4 ticket
X-Send-Pr-Version: 3.99
System: SunOS gza-clien 4.1.3C 3 sun4m
Architecture: sun4
address it puts into the converted ticket should be the address that
the client used to connect to it, if that address is one of the ones
listed in the V5 ticket.
This is necessary for multi-homed hosts which have one address
for an internal network and another address for talking to the outside
world (e.g., to the Kerberos server that krb524d is running on).
The patch below is against an older version of krb524, so it
probably won't apply cleanly to the current source tree. However,
it's pretty straightforward, so you should be able to fold it in with
little trouble.
+++ krb524d.c 1996/12/05 02:50:04
@@ -284,7 +284,8 @@
if (debug)
printf("service key retrieved\n");
- ret = krb524_convert_tkt_skey(v5tkt, &v4tkt, &service_key);
+ ret = krb524_convert_tkt_skey(v5tkt, &v4tkt, &service_key,
+ (struct sockaddr_in *)&saddr);
if (ret)
goto error;
krb5_free_keyblock_contents(&service_key);
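Review bot: The new argument `(struct sockaddr_in *)&saddr` reinterprets the peer address without first checking that its family is AF_INET, and the callee then reads `saddr->sin_addr` from it unconditionally. saddr's declaration is outside the hunk, so I cannot tell whether it is a generic `struct sockaddr` filled by recvfrom(); if it is, a guard such as `if (saddr.sa_family != AF_INET) goto error;` placed before the call keeps a non-IPv4 peer from being compared byte-for-byte against the ticket's INET addresses. The same call is made in the July 1997 patch (lines 191-194) and in the quoted copies further down the page. The enclosing function begins and ends outside this hunk.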
--- conv_tkt_skey.c 1994/09/05 03:14:24 1.6
+++ conv_tkt_skey.c 1996/12/05 02:49:50
@@ -26,5 +26,7 @@
#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
#include <krb5/krb5.h>
#include <krb.h>
@@ -35,7 +37,7 @@
* skey for both.
*/
int krb524_convert_tkt_skey(krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *skey)
+ krb5_keyblock *skey, struct sockaddr_in *saddr)
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
@@ -42,6 +44,7 @@
krb5_enc_tkt_part *v5etkt;
krb5_data *comp;
int ret, lifetime;
+ krb5_address **caddr, *good_addr = 0;
v5tkt->enc_part2 = NULL;
if (ret = krb5_decrypt_tkt_part(skey, v5tkt)) {
@@ -78,16 +81,25 @@
if (lifetime > 0xff)
lifetime = 0xff;
- /* XXX perhaps we should use the addr of the client host if */
- /* v5creds contains more than one addr. Q: Does V4 support */
- /* non-INET addresses? */
- if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
- v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
- if (krb524_debug)
- fprintf(stderr, "Invalid v5creds address information.\n");
- krb5_free_enc_tkt_part(v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADADDR;
+ for (caddr = v5etkt->caddrs; *caddr; caddr++) {
+ if (v5etkt->caddrs[0]->addrtype == ADDRTYPE_INET) {
+ if (! memcmp((*caddr)->contents, &saddr->sin_addr,
+ sizeof(saddr->sin_addr))) {
+ good_addr = *caddr;
+ break;
+ }
+ else if (! good_addr) {
+ good_addr = *caddr;
+ }
+ }
+ }
+
+ if (! good_addr) {
+ if (krb524_debug)
+ fprintf(stderr, "Invalid v5creds address information.\n");
+ krb5_free_enc_tkt_part(v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return KRB524_BADADDR;
}
if (krb524_debug)
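Review bot: The loop at `for (caddr = v5etkt->caddrs; *caddr; caddr++)` dereferences `v5etkt->caddrs` without the `!v5etkt->caddrs` guard the removed code had, so a V5 ticket carrying no client addresses (which the protocol allows) makes krb524d dereference a null pointer instead of returning KRB524_BADADDR. The type test inside the loop also reads `v5etkt->caddrs[0]->addrtype` rather than `(*caddr)->addrtype`, so when the first entry is INET every later entry is memcmp'd and possibly chosen as if it were IPv4, and when the first entry is not INET nothing is ever chosen even if a later one is. I would change the two lines to `for (caddr = v5etkt->caddrs; caddr && *caddr; caddr++) {` and `if ((*caddr)->addrtype == ADDRTYPE_INET && (*caddr)->length == sizeof(saddr->sin_addr)) {`, so the existing `if (! good_addr)` path handles the no-address case and the later `*((unsigned long *)good_addr->contents)` can only read a 4-byte INET address. The same loop appears in the July 1997 patch (lines 157-168) and in the quoted copies further down the page. krb524_convert_tkt_skey's body begins and ends outside this hunk.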
@@ -102,7 +114,7 @@
pname,
pinst,
prealm,
- *((unsigned long *)v5etkt->caddrs[0]->contents),
+ *((unsigned long *)good_addr->contents),
v5etkt->session->contents,
lifetime,
/* issue_data */
From: "Jonathan I. Kamens" <jik@cam.ov.com>
To: krb5-bugs@MIT.EDU
Cc:
Subject: Re: krb5-misc/275: krb524d needs to deal with multi-homed hosts
Date: Wed, 30 Jul 1997 10:14:42 -0400
I see that my changes to krb524d to make it deal properly with
multi-homed hosts have not been incorporated into the current MIT
release. This is unfortunate. Here's a new patch against the current
release:
--- krb524.h@@/main/jik-mit10-changes/0 Wed Jul 30 09:55:10 1997
+++ krb524.h@@/main/jik-mit10-changes/1 Wed Jul 30 10:00:02 1997
@@ -32,7 +32,8 @@
int krb524_convert_tkt_skey
KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *v5_skey, krb5_keyblock *v4_skey));
+ krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
+ struct sockaddr_in *saddr));
/* conv_princ.c */
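Review bot: The new prototype names `struct sockaddr_in` in krb524.h, but this hunk adds no `#include <netinet/in.h>` to the header and the 1997 cnv_tkt_skey.c hunk adds none either. If the struct is not already declared when krb524.h is read (its top is not visible here), C gives the tag prototype scope, and the later definition in cnv_tkt_skey.c and the call in krb524d.c then see an incompatible pointer type. I would add `#include <sys/types.h>` and `#include <netinet/in.h>` near the top of krb524.h, as the December 1996 patch did for conv_tkt_skey.c, or forward-declare `struct sockaddr_in;` before the prototype.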
--- cnv_tkt_skey.c@@/main/jik-mit10-changes/0 Wed Jul 30 09:50:07 1997
+++ cnv_tkt_skey.c@@/main/jik-mit10-changes/1 Wed Jul 30 09:59:43 1997
@@ -56,17 +56,20 @@
* Convert a v5 ticket for server to a v4 ticket, using service key
* skey for both.
*/
-int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
+int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
+ saddr)
krb5_context context;
krb5_ticket *v5tkt;
KTEXT_ST *v4tkt;
krb5_keyblock *v5_skey, *v4_skey;
+ struct sockaddr_in *saddr;
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
krb5_enc_tkt_part *v5etkt;
int ret, lifetime, deltatime;
krb5_timestamp server_time;
+ krb5_address **caddr, *good_addr = 0;
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
@@ -133,16 +136,25 @@
return KRB5KRB_AP_ERR_TKT_NYV;
}
- /* XXX perhaps we should use the addr of the client host if */
- /* v5creds contains more than one addr. Q: Does V4 support */
- /* non-INET addresses? */
- if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
- v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
- if (krb524_debug)
- fprintf(stderr, "Invalid v5creds address information.\n");
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADADDR;
+ for (caddr = v5etkt->caddrs; *caddr; caddr++) {
+ if (v5etkt->caddrs[0]->addrtype == ADDRTYPE_INET) {
+ if (! memcmp((*caddr)->contents, &saddr->sin_addr,
+ sizeof(saddr->sin_addr))) {
+ good_addr = *caddr;
+ break;
+ }
+ else if (! good_addr) {
+ good_addr = *caddr;
+ }
+ }
+ }
+
+ if (! good_addr) {
+ if (krb524_debug)
+ fprintf(stderr, "Invalid v5creds address information.\n");
+ krb5_free_enc_tkt_part(context, v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return KRB524_BADADDR;
}
if (krb524_debug)
@@ -157,7 +169,7 @@
pname,
pinst,
prealm,
- *((unsigned long *)v5etkt->caddrs[0]->contents),
+ *((unsigned long *)good_addr->contents),
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
--- krb524d.c@@/main/jik-mit10-changes/0 Wed Jul 30 09:47:16 1997
+++ krb524d.c@@/main/jik-mit10-changes/1 Wed Jul 30 10:00:37 1997
@@ -292,7 +292,8 @@
printf("service key retrieved\n");
ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
- &v4_service_key);
+ &v4_service_key,
+ (struct sockaddr_in *)&saddr);
if (ret)
goto error;
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Thu Aug 7 17:36:47 1997
Responsible-Changed-Why:
Mine now.
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Thu Aug 7 17:36:55 1997
State-Changed-Why:
Patch applied.
krb524/cnv_tkt_skey.c 1.13
krb524/krb524.h 1.9
krb524/krb524d.c 1.34
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA03355 for <bugs@RT-11.MIT.EDU>; Wed, 4 Dec 1996 22:00:55 -0500
Received: from pad-thai.cam.ov.com by MIT.EDU with SMTP
id AB18756; Wed, 4 Dec 96 22:00:53 EST
Received: from gza-client1.cam.ov.com by pad-thai.cam.ov.com (8.7.5/) with SMTP
id <DAA22855@pad-thai.cam.ov.com>; Thu, 5 Dec 1996 03:00:51 GMT
Received: by gza-client1.cam.ov.com (8.6.10/4.7) id WAA28662; Wed, 4 Dec 1996 22:00:51 -0500
Message-Id: <199612050300.WAA28662@gza-client1.cam.ov.com>
Date: Wed, 4 Dec 1996 22:00:51 -0500
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Reply-To: jik@cam.ov.com
To: mit-gnats@cam.ov.com
Subject: krb524d needs to put actual client address in V4 ticket
X-Send-Pr-Version: 3.99
>Number: 275
>Category: krb5-misc
>Synopsis: krb524d needs to put actual client address in V4 ticket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Dec 04 22:01:01 EST 1996
>Last-Modified: Thu Aug 07 17:38:10 EDT 1997
>Originator: Jonathan I. Kamens
>Organization:
OpenVision Technologies, Inc.
>Category: krb5-misc
>Synopsis: krb524d needs to put actual client address in V4 ticket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Dec 04 22:01:01 EST 1996
>Last-Modified: Thu Aug 07 17:38:10 EDT 1997
>Originator: Jonathan I. Kamens
>Organization:
>Release:
>Environment:
>Environment:
System: SunOS gza-clien 4.1.3C 3 sun4m
Architecture: sun4
>Description:
When krb524d receives a request to convert a ticket, the address it puts into the converted ticket should be the address that
the client used to connect to it, if that address is one of the ones
listed in the V5 ticket.
This is necessary for multi-homed hosts which have one address
for an internal network and another address for talking to the outside
world (e.g., to the Kerberos server that krb524d is running on).
The patch below is against an older version of krb524, so it
probably won't apply cleanly to the current source tree. However,
it's pretty straightforward, so you should be able to fold it in with
little trouble.
>How-To-Repeat:
>Fix:
--- krb524d.c 1996/07/30 23:35:19 1.10
+++ krb524d.c 1996/12/05 02:50:04
@@ -284,7 +284,8 @@
if (debug)
printf("service key retrieved\n");
- ret = krb524_convert_tkt_skey(v5tkt, &v4tkt, &service_key);
+ ret = krb524_convert_tkt_skey(v5tkt, &v4tkt, &service_key,
+ (struct sockaddr_in *)&saddr);
if (ret)
goto error;
krb5_free_keyblock_contents(&service_key);
--- conv_tkt_skey.c 1994/09/05 03:14:24 1.6
+++ conv_tkt_skey.c 1996/12/05 02:49:50
@@ -26,5 +26,7 @@
#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
#include <krb5/krb5.h>
#include <krb.h>
@@ -35,7 +37,7 @@
* skey for both.
*/
int krb524_convert_tkt_skey(krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *skey)
+ krb5_keyblock *skey, struct sockaddr_in *saddr)
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
@@ -42,6 +44,7 @@
krb5_enc_tkt_part *v5etkt;
krb5_data *comp;
int ret, lifetime;
+ krb5_address **caddr, *good_addr = 0;
v5tkt->enc_part2 = NULL;
if (ret = krb5_decrypt_tkt_part(skey, v5tkt)) {
@@ -78,16 +81,25 @@
if (lifetime > 0xff)
lifetime = 0xff;
- /* XXX perhaps we should use the addr of the client host if */
- /* v5creds contains more than one addr. Q: Does V4 support */
- /* non-INET addresses? */
- if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
- v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
- if (krb524_debug)
- fprintf(stderr, "Invalid v5creds address information.\n");
- krb5_free_enc_tkt_part(v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADADDR;
+ for (caddr = v5etkt->caddrs; *caddr; caddr++) {
+ if (v5etkt->caddrs[0]->addrtype == ADDRTYPE_INET) {
+ if (! memcmp((*caddr)->contents, &saddr->sin_addr,
+ sizeof(saddr->sin_addr))) {
+ good_addr = *caddr;
+ break;
+ }
+ else if (! good_addr) {
+ good_addr = *caddr;
+ }
+ }
+ }
+
+ if (! good_addr) {
+ if (krb524_debug)
+ fprintf(stderr, "Invalid v5creds address information.\n");
+ krb5_free_enc_tkt_part(v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return KRB524_BADADDR;
}
if (krb524_debug)
@@ -102,7 +114,7 @@
pname,
pinst,
prealm,
- *((unsigned long *)v5etkt->caddrs[0]->contents),
+ *((unsigned long *)good_addr->contents),
v5etkt->session->contents,
lifetime,
/* issue_data */
>Audit-Trail:
From: "Jonathan I. Kamens" <jik@cam.ov.com>
To: krb5-bugs@MIT.EDU
Cc:
Subject: Re: krb5-misc/275: krb524d needs to deal with multi-homed hosts
Date: Wed, 30 Jul 1997 10:14:42 -0400
I see that my changes to krb524d to make it deal properly with
multi-homed hosts have not been incorporated into the current MIT
release. This is unfortunate. Here's a new patch against the current
release:
--- krb524.h@@/main/jik-mit10-changes/0 Wed Jul 30 09:55:10 1997
+++ krb524.h@@/main/jik-mit10-changes/1 Wed Jul 30 10:00:02 1997
@@ -32,7 +32,8 @@
int krb524_convert_tkt_skey
KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *v5_skey, krb5_keyblock *v4_skey));
+ krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
+ struct sockaddr_in *saddr));
/* conv_princ.c */
--- cnv_tkt_skey.c@@/main/jik-mit10-changes/0 Wed Jul 30 09:50:07 1997
+++ cnv_tkt_skey.c@@/main/jik-mit10-changes/1 Wed Jul 30 09:59:43 1997
@@ -56,17 +56,20 @@
* Convert a v5 ticket for server to a v4 ticket, using service key
* skey for both.
*/
-int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
+int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
+ saddr)
krb5_context context;
krb5_ticket *v5tkt;
KTEXT_ST *v4tkt;
krb5_keyblock *v5_skey, *v4_skey;
+ struct sockaddr_in *saddr;
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
krb5_enc_tkt_part *v5etkt;
int ret, lifetime, deltatime;
krb5_timestamp server_time;
+ krb5_address **caddr, *good_addr = 0;
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
@@ -133,16 +136,25 @@
return KRB5KRB_AP_ERR_TKT_NYV;
}
- /* XXX perhaps we should use the addr of the client host if */
- /* v5creds contains more than one addr. Q: Does V4 support */
- /* non-INET addresses? */
- if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
- v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
- if (krb524_debug)
- fprintf(stderr, "Invalid v5creds address information.\n");
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADADDR;
+ for (caddr = v5etkt->caddrs; *caddr; caddr++) {
+ if (v5etkt->caddrs[0]->addrtype == ADDRTYPE_INET) {
+ if (! memcmp((*caddr)->contents, &saddr->sin_addr,
+ sizeof(saddr->sin_addr))) {
+ good_addr = *caddr;
+ break;
+ }
+ else if (! good_addr) {
+ good_addr = *caddr;
+ }
+ }
+ }
+
+ if (! good_addr) {
+ if (krb524_debug)
+ fprintf(stderr, "Invalid v5creds address information.\n");
+ krb5_free_enc_tkt_part(context, v5etkt);
+ v5tkt->enc_part2 = NULL;
+ return KRB524_BADADDR;
}
if (krb524_debug)
@@ -157,7 +169,7 @@
pname,
pinst,
prealm,
- *((unsigned long *)v5etkt->caddrs[0]->contents),
+ *((unsigned long *)good_addr->contents),
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
--- krb524d.c@@/main/jik-mit10-changes/0 Wed Jul 30 09:47:16 1997
+++ krb524d.c@@/main/jik-mit10-changes/1 Wed Jul 30 10:00:37 1997
@@ -292,7 +292,8 @@
printf("service key retrieved\n");
ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
- &v4_service_key);
+ &v4_service_key,
+ (struct sockaddr_in *)&saddr);
if (ret)
goto error;
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Thu Aug 7 17:36:47 1997
Responsible-Changed-Why:
Mine now.
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Thu Aug 7 17:36:55 1997
State-Changed-Why:
Patch applied.
krb524/cnv_tkt_skey.c 1.13
krb524/krb524.h 1.9
krb524/krb524d.c 1.34
>Unformatted: