From ghudson@MIT.EDU Wed Mar 25 12:20:28 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA05709 for <bugs@RT-11.MIT.EDU>; Wed, 25 Mar 1998 12:20:28 -0500
Received: from SMALL-GODS.MIT.EDU by MIT.EDU with SMTP
id AA12016; Wed, 25 Mar 98 12:21:01 EST
Received: by small-gods.MIT.EDU (SMI-8.6/4.7) id MAA21275; Wed, 25 Mar 1998 12:20:23 -0500
Message-Id: <199803251720.MAA21275@small-gods.MIT.EDU>
Date: Wed, 25 Mar 1998 12:20:23 -0500
From: ghudson@MIT.EDU
Reply-To: ghudson@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: krb524d address selection
X-Send-Pr-Version: 3.99
System: SunOS small-gods 5.5.1 Generic_103640-12 sun4u sparc SUNW,Ultra-1
Architecture: sun4
first address from the krb5 ticket and erroring out if it's not an IPv4
address. This is not a very good heuristic.
* The address the request was sent from, if it's an IPv4 address
listed in the krb5 ticket.
* The first IPv4 address in the krb5 ticket.
Unfortunately, I don't have any good way of testing a krb524d, so this
patch has not been tested (other than making sure it compiles). I'm
submitting it in the hopes that someone else can test it.
Index: cnv_tkt_skey.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/cnv_tkt_skey.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 cnv_tkt_skey.c
*** cnv_tkt_skey.c 1997/01/21 09:24:01 1.1.1.2
--- cnv_tkt_skey.c 1998/03/23 17:40:55
***************
*** 56,72 ****
* Convert a v5 ticket for server to a v4 ticket, using service key
* skey for both.
*/
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
krb5_context context;
krb5_ticket *v5tkt;
KTEXT_ST *v4tkt;
krb5_keyblock *v5_skey, *v4_skey;
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
krb5_enc_tkt_part *v5etkt;
! int ret, lifetime, deltatime;
krb5_timestamp server_time;
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
--- 56,74 ----
* Convert a v5 ticket for server to a v4 ticket, using service key
* skey for both.
*/
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, saddr)
krb5_context context;
krb5_ticket *v5tkt;
KTEXT_ST *v4tkt;
krb5_keyblock *v5_skey, *v4_skey;
+ struct sockaddr *saddr;
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
krb5_enc_tkt_part *v5etkt;
! int ret, lifetime, deltatime, i, have_addr;
krb5_timestamp server_time;
+ struct in_addr tkt_addr;
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
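Review bot: The function's header comment (`* Convert a v5 ticket for server to a v4 ticket, using service key` / `* skey for both.`) is not updated for the new `saddr` parameter, so a reader cannot tell from the comment what address is expected, how it is used, or whether NULL is accepted. Suggest adding ` * saddr is the address the request was received from; if it is an AF_INET address that also appears in the ticket it is preferred for the v4 ticket, otherwise the first IPv4 address in the ticket is used.` and the same one-line description above the prototype in krb524.h, which is the public interface. The body of krb524_convert_tkt_skey continues past this hunk, and the same hunk is repeated in the second copy of the patch further down the page.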
***************
*** 133,143 ****
return KRB5KRB_AP_ERR_TKT_NYV;
}
! /* XXX perhaps we should use the addr of the client host if */
! /* v5creds contains more than one addr. Q: Does V4 support */
! /* non-INET addresses? */
! if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
! v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
if (krb524_debug)
fprintf(stderr, "Invalid v5creds address information.\n");
krb5_free_enc_tkt_part(context, v5etkt);
--- 135,174 ----
return KRB5KRB_AP_ERR_TKT_NYV;
}
! /* Look for the address the request came from (assuming it's an IP
! * address) in the list of addresses in v5etkt. If we find it,
! * prefer that address over others. */
! have_addr = 0;
! if (saddr->sa_family == AF_INET && v5etkt->caddrs) {
! memcpy(&tkt_addr, &((struct sockaddr_in *)saddr)->sin_addr,
! sizeof(tkt_addr));
! for (i = 0; v5etkt->caddrs[i]; i++) {
! if (v5etkt->caddrs[i]->addrtype != ADDRTYPE_INET)
! continue;
! if (*((unsigned long *)v5etkt->caddrs[i]->contents)
! == tkt_addr.s_addr) {
! have_addr = 1;
! break;
! }
! }
! }
!
! /* If we didn't find the request address in v5etkt->caddrs, just
! * pick the first IP address. */
! if (!have_addr && v5etkt->caddrs) {
! for (i = 0; v5etkt->caddrs[i]; i++) {
! if (v5etkt->caddrs[i]->addrtype == ADDRTYPE_INET) {
! memcpy(&tkt_addr, v5etkt->caddrs[i]->contents,
! sizeof(tkt_addr));
! have_addr = 1;
! break;
! }
! }
! }
!
! /* If there aren't any IP addresses listed in the ticket, we
! * can't make a krb5 ticket. */
! if (!have_addr) {
if (krb524_debug)
fprintf(stderr, "Invalid v5creds address information.\n");
krb5_free_enc_tkt_part(context, v5etkt);
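Review bot: The comparison `*((unsigned long *)v5etkt->caddrs[i]->contents) == tkt_addr.s_addr` in the first loop reads `sizeof(unsigned long)` bytes from `contents` without checking `caddrs[i]->length`, so on an LP64 build it over-reads what is presumably a 4-byte IPv4 address and, unless the trailing bytes happen to be zero, the "prefer the requesting address" match silently never fires; the cast also assumes `contents` is suitably aligned. Both loops should accept an entry only when `length == sizeof(tkt_addr)` and compare with `memcmp`, as below. `saddr->sa_family` is also dereferenced before any NULL check, and since the function is exported through krb524.h, `if (saddr && saddr->sa_family == AF_INET && v5etkt->caddrs) {` costs nothing. The enclosing function starts and ends outside this hunk, and the same hunk is repeated in the second copy of the patch further down the page.
```c
/* … unchanged: copy sin_addr of saddr into tkt_addr … */
for (i = 0; v5etkt->caddrs[i]; i++) {
    if (v5etkt->caddrs[i]->addrtype != ADDRTYPE_INET
        || v5etkt->caddrs[i]->length != sizeof(tkt_addr))
        continue;
    if (memcmp(v5etkt->caddrs[i]->contents, &tkt_addr,
               sizeof(tkt_addr)) == 0) {
        have_addr = 1;
        break;
    }
}
/* … unchanged: fallback to the first IPv4 entry, with the same
 * length test added to its ADDRTYPE_INET check before the memcpy … */
```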
***************
*** 157,163 ****
pname,
pinst,
prealm,
! *((unsigned long *)v5etkt->caddrs[0]->contents),
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
--- 188,194 ----
pname,
pinst,
prealm,
! tkt_addr.s_addr,
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
Index: krb524.h
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524.h,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 krb524.h
*** krb524.h 1996/09/12 04:43:50 1.1.1.1
--- krb524.h 1998/03/23 17:37:58
***************
*** 28,38 ****
#include "krb524_err.h"
extern int krb524_debug;
int krb524_convert_tkt_skey
KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
! krb5_keyblock *v5_skey, krb5_keyblock *v4_skey));
/* conv_princ.c */
--- 28,41 ----
#include "krb524_err.h"
+ struct sockaddr;
+
extern int krb524_debug;
int krb524_convert_tkt_skey
KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
! krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
! struct sockaddr *saddr));
/* conv_princ.c */
Index: krb524d.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524d.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 krb524d.c
*** krb524d.c 1997/01/21 09:24:06 1.1.1.2
--- krb524d.c 1998/03/23 17:14:53
***************
*** 292,298 ****
printf("service key retrieved\n");
ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! &v4_service_key);
if (ret)
goto error;
--- 292,298 ----
printf("service key retrieved\n");
ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! &v4_service_key, &saddr);
if (ret)
goto error;
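Review bot: The declaration of `saddr` is outside this hunk; if it is declared as `struct sockaddr_in` (common at a recvfrom call site), `&saddr` no longer matches the `struct sockaddr *` parameter in the new prototype and the call needs `(struct sockaddr *)&saddr`. It would also help a later reader to state at the call that the source address of the request is not authenticated and only chooses among addresses already present in the ticket decrypted under the service key, e.g. `/* saddr only selects among the ticket's own addresses; it is not trusted. */`. The same hunk is repeated in the second copy of the patch further down the page.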
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA05709 for <bugs@RT-11.MIT.EDU>; Wed, 25 Mar 1998 12:20:28 -0500
Received: from SMALL-GODS.MIT.EDU by MIT.EDU with SMTP
id AA12016; Wed, 25 Mar 98 12:21:01 EST
Received: by small-gods.MIT.EDU (SMI-8.6/4.7) id MAA21275; Wed, 25 Mar 1998 12:20:23 -0500
Message-Id: <199803251720.MAA21275@small-gods.MIT.EDU>
Date: Wed, 25 Mar 1998 12:20:23 -0500
From: ghudson@MIT.EDU
Reply-To: ghudson@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: krb524d address selection
X-Send-Pr-Version: 3.99
>Number: 576
>Category: krb5-kdc
>Synopsis: krb524d should prefer requesting address
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 25 12:21:00 EST 1998
>Last-Modified:
>Originator: Greg Hudson
>Organization: MIT
>Category: krb5-kdc
>Synopsis: krb524d should prefer requesting address
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 25 12:21:00 EST 1998
>Last-Modified:
>Originator: Greg Hudson
>Organization:
>Release: 1.0pl1
>Environment:
>Environment:
System: SunOS small-gods 5.5.1 Generic_103640-12 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
Right now krb524d picks an address for the krb4 ticket by grabbing the first address from the krb5 ticket and erroring out if it's not an IPv4
address. This is not a very good heuristic.
>How-To-Repeat:
>Fix:
This patch should make krb524 pick:
* The address the request was sent from, if it's an IPv4 address
listed in the krb5 ticket.
* The first IPv4 address in the krb5 ticket.
Unfortunately, I don't have any good way of testing a krb524d, so this
patch has not been tested (other than making sure it compiles). I'm
submitting it in the hopes that someone else can test it.
Index: cnv_tkt_skey.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/cnv_tkt_skey.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 cnv_tkt_skey.c
*** cnv_tkt_skey.c 1997/01/21 09:24:01 1.1.1.2
--- cnv_tkt_skey.c 1998/03/23 17:40:55
***************
*** 56,72 ****
* Convert a v5 ticket for server to a v4 ticket, using service key
* skey for both.
*/
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey)
krb5_context context;
krb5_ticket *v5tkt;
KTEXT_ST *v4tkt;
krb5_keyblock *v5_skey, *v4_skey;
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
krb5_enc_tkt_part *v5etkt;
! int ret, lifetime, deltatime;
krb5_timestamp server_time;
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
--- 56,74 ----
* Convert a v5 ticket for server to a v4 ticket, using service key
* skey for both.
*/
! int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, saddr)
krb5_context context;
krb5_ticket *v5tkt;
KTEXT_ST *v4tkt;
krb5_keyblock *v5_skey, *v4_skey;
+ struct sockaddr *saddr;
{
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
char sname[ANAME_SZ], sinst[INST_SZ];
krb5_enc_tkt_part *v5etkt;
! int ret, lifetime, deltatime, i, have_addr;
krb5_timestamp server_time;
+ struct in_addr tkt_addr;
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
***************
*** 133,143 ****
return KRB5KRB_AP_ERR_TKT_NYV;
}
! /* XXX perhaps we should use the addr of the client host if */
! /* v5creds contains more than one addr. Q: Does V4 support */
! /* non-INET addresses? */
! if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
! v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET) {
if (krb524_debug)
fprintf(stderr, "Invalid v5creds address information.\n");
krb5_free_enc_tkt_part(context, v5etkt);
--- 135,174 ----
return KRB5KRB_AP_ERR_TKT_NYV;
}
! /* Look for the address the request came from (assuming it's an IP
! * address) in the list of addresses in v5etkt. If we find it,
! * prefer that address over others. */
! have_addr = 0;
! if (saddr->sa_family == AF_INET && v5etkt->caddrs) {
! memcpy(&tkt_addr, &((struct sockaddr_in *)saddr)->sin_addr,
! sizeof(tkt_addr));
! for (i = 0; v5etkt->caddrs[i]; i++) {
! if (v5etkt->caddrs[i]->addrtype != ADDRTYPE_INET)
! continue;
! if (*((unsigned long *)v5etkt->caddrs[i]->contents)
! == tkt_addr.s_addr) {
! have_addr = 1;
! break;
! }
! }
! }
!
! /* If we didn't find the request address in v5etkt->caddrs, just
! * pick the first IP address. */
! if (!have_addr && v5etkt->caddrs) {
! for (i = 0; v5etkt->caddrs[i]; i++) {
! if (v5etkt->caddrs[i]->addrtype == ADDRTYPE_INET) {
! memcpy(&tkt_addr, v5etkt->caddrs[i]->contents,
! sizeof(tkt_addr));
! have_addr = 1;
! break;
! }
! }
! }
!
! /* If there aren't any IP addresses listed in the ticket, we
! * can't make a krb5 ticket. */
! if (!have_addr) {
if (krb524_debug)
fprintf(stderr, "Invalid v5creds address information.\n");
krb5_free_enc_tkt_part(context, v5etkt);
***************
*** 157,163 ****
pname,
pinst,
prealm,
! *((unsigned long *)v5etkt->caddrs[0]->contents),
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
--- 188,194 ----
pname,
pinst,
prealm,
! tkt_addr.s_addr,
(char *) v5etkt->session->contents,
lifetime,
/* issue_data */
Index: krb524.h
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524.h,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 krb524.h
*** krb524.h 1996/09/12 04:43:50 1.1.1.1
--- krb524.h 1998/03/23 17:37:58
***************
*** 28,38 ****
#include "krb524_err.h"
extern int krb524_debug;
int krb524_convert_tkt_skey
KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
! krb5_keyblock *v5_skey, krb5_keyblock *v4_skey));
/* conv_princ.c */
--- 28,41 ----
#include "krb524_err.h"
+ struct sockaddr;
+
extern int krb524_debug;
int krb524_convert_tkt_skey
KRB5_PROTOTYPE((krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
! krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
! struct sockaddr *saddr));
/* conv_princ.c */
Index: krb524d.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/krb524/krb524d.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 krb524d.c
*** krb524d.c 1997/01/21 09:24:06 1.1.1.2
--- krb524d.c 1998/03/23 17:14:53
***************
*** 292,298 ****
printf("service key retrieved\n");
ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! &v4_service_key);
if (ret)
goto error;
--- 292,298 ----
printf("service key retrieved\n");
ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
! &v4_service_key, &saddr);
if (ret)
goto error;
>Audit-Trail:
>Unformatted:
>Unformatted: