Subject: kerberos client unable to parse ipv6 addresses from krb5.conf
While testing the kerberos release with an ipv6 configuration, we found
that the kerberos client is not able to parse v6 addresses from the krb5.conf
configuration file.

Proposed fix:

<krb path>/lib/krb5/os/locate_kdc.c has been modified and the fix was
tested to correctly parse the ipv6 addresses.

The unified diff is enclosed below
**************************************************************************

***************
*** 382,393 ****
cp = strchr(host, '\t');
if (cp)
*cp = 0;
! cp = strchr(host, ':');
! if (cp)
! *cp = 0;
}
}
} else {
krb5_xfree(host);
}

--- 382,423 ----
cp = strchr(host, '\t');
if (cp)
*cp = 0;
! if ( host[0] == '[' ) {
! if (cp = strchr(host,']')) { /* [ipv6]:port */
! char * tmp_host ;
! int host_len ;
! struct in6_addr in6 ;
!
! host_len = cp - host - 1 ; /* here (cp > host) */
! tmp_host = (char*) malloc(host_len+1) ;
! if (tmp_host) {
! strncpy(tmp_host, host+1 , host_len );
! tmp_host[host_len] = '\0' ;
! } else {
! profile_free_list(hostlist);
! krb5_xfree(masterlist);
! return ENOMEM ;
}
+ /* Only if the addr b/w '[' and ']' is IPV6 addr */
+ if ( inet_pton(AF_INET6, tmp_host, &in6 ) > 0 )
+ {
+ host++;/* Move to v6 addr location from '['*/
+ port = strchr(cp, ':');
+ *cp = 0 ; /* The ipv6 address ends
before ']' */
}
+
+ krb5_xfree(tmp_host);
+ } /* hostname:port or only hostname */
} else {
+ struct in6_addr in6 ;
+ if ( inet_pton(AF_INET6, host, &in6) <= 0 ) {
+ /* Its not ipv6 address */
+ port = strchr(host, ':');
+ }
+ }
+ }
+ }
+ } else {
krb5_xfree(host);
}
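Review bot: in the non-bracket branch the old `cp = strchr(host, ':'); if (cp) *cp = 0;` becomes `port = strchr(host, ':');` with no write through `port`, so as far as this hunk shows a `hostname:port` entry is no longer cut at the colon in this loop. Either keep the truncation with `if (port) *port = 0;` or say in a comment why it is no longer wanted here. Note also that `host++` advances only the local variable, so anything that later reads the entry through another pointer still sees the leading `[`.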

***************
*** 416,422 ****
--- 446,484 ----
cp = strchr(host, '\t');
if (cp)
*cp = 0;
+ if ( host[0] == '[' ) {
+ if (cp = strchr(host,']')) { /* [ipv6]:port */
+ char * tmp_host ;
+ int host_len ;
+ struct in6_addr in6 ;
+
+ host_len = cp - host - 1 ; /* here (cp > host) */
+ tmp_host = (char*) malloc(host_len+1) ;
+ if (tmp_host) {
+ strncpy(tmp_host, host+1 , host_len );
+ tmp_host[host_len] = '\0' ;
+ } else {
+ profile_free_list(hostlist);
+ krb5_xfree(masterlist);
+ return ENOMEM ;
+ }
+ /* Only if the addr b/w '[' and ']' is IPV6 addr */
+ if ( inet_pton(AF_INET6, tmp_host, &in6 ) > 0 )
+ {
+ host++;/* Move to v6 addr location from '['*/
+ port = strchr(cp, ':');
+ *cp = 0 ; /* The ipv6 address ends
before ']' */
+ }
+
+ krb5_xfree(tmp_host);
+ } /* hostname:port or only hostname */
+ } else {
+ struct in6_addr in6 ;
+ if ( inet_pton(AF_INET6, host, &in6) <= 0 ) {
+ /* Its not ipv6 address */
port = strchr(host, ':');
+ }
+ }
if (port) {
*port = 0;
port++;
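Review bot: the `return ENOMEM` path after the failed `malloc` releases `masterlist` with `krb5_xfree(masterlist)` and no NULL check, while the function's normal exit later in this patch uses `if (masterlist) profile_free_list(masterlist);`; use the same call here so the list is freed the same way on both paths. The allocation can be avoided entirely: write `*cp = 0` first, call `inet_pton(AF_INET6, host + 1, &in6)`, and restore `*cp = ']'` if it fails. This block is also a copy of the one in the previous hunk, so a shared helper would keep the two from drifting apart, and `if (cp = strchr(host,']'))` wants an explicit `!= NULL` comparison.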
***************
*** 453,467 ****
p1 = udpport;
p2 = sec_udpport;
}
-
if (socktype != 0)
! code = add_host_to_list (addrlist, hostlist[i], p1, p2,
socktype, family);
else {
! code = add_host_to_list (addrlist, hostlist[i], p1, p2,
SOCK_DGRAM, family);
if (code == 0)
! code = add_host_to_list (addrlist, hostlist[i], p1, p2,
SOCK_STREAM, family);
}
if (code) {
--- 515,528 ----
p1 = udpport;
p2 = sec_udpport;
}
if (socktype != 0)
! code = add_host_to_list (addrlist, host, p1, p2,
socktype, family);
else {
! code = add_host_to_list (addrlist, host, p1, p2,
SOCK_DGRAM, family);
if (code == 0)
! code = add_host_to_list (addrlist, host, p1, p2,
SOCK_STREAM, family);
}
if (code) {
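Review bot: passing `host` instead of `hostlist[i]` to `add_host_to_list` means an entry such as `[name]:88`, where the bracketed text fails `inet_pton`, arrives here unchanged, because the bracket branch in the previous hunk leaves `host` pointing at `[` and never sets `port` in that case. Either strip the brackets whenever a closing `]` is found, or reject the entry with an error before this call. The deleted blank line before `if (socktype != 0)` is unrelated to the fix and can stay.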
***************
*** 481,486 ****
--- 542,548 ----
if (masterlist)
profile_free_list(masterlist);

+
return 0;
}

***************
if (code) {
--- 515,528 ----
p1 = udpport;
p2 = sec_udpport;
}
if (socktype != 0)
! code = add_host_to_list (addrlist, host, p1, p2,
socktype, family);
else {
! code = add_host_to_list (addrlist, host, p1, p2,
SOCK_DGRAM, family);
if (code == 0)
! code = add_host_to_list (addrlist, host, p1, p2,
SOCK_STREAM, family);
}
if (code) {
***************
*** 481,486 ****
--- 542,548 ----
if (masterlist)
profile_free_list(masterlist);

+
return 0;
}

***************
*** 587,593 ****

code = krb5_locate_srv_conf_1(context, realm, profname, &al,
get_masters,
socktype, dflport1, dflport2, family);
-
#ifdef KRB5_DNS_LOOKUP
if (code && dnsname != 0) {
int use_dns = _krb5_use_dns_kdc(context);
--- 649,654 ----
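Review bot: the only change in this hunk is the removal of the blank line before `#ifdef KRB5_DNS_LOOKUP`, and the `481,486` hunk likewise only adds a blank line before `return 0;`. Drop both so the patch contains just the parsing change.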
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Date: Sat, 12 Sep 2009 17:23:30 +0800
Subject: kinit not working if kdc is configured with numerical IPv6 address
Hi, all:

I am writing to report a bug in the 1.7 release.

In /etc/krb5.conf, if the kdc is configured with a numerical IPv6 address, the Kerberos client will not be able to locate this kdc, and kinit will fail.

Here is an example:
=============================================
/* The content of /etc/krb5.conf with IPv6 address */
[realms]
XCIPV6.COM = {
kdc = [3ffe:2000:0:1::100]:88
default_domain = xcipv6.com
}

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[112]$ kinit XCTEST100@XCIPV6.COM
kinit(v5): Cannot resolve network address for KDC in realm XCIPV6.COM while getting initial credentials
=============================================
In my eyes, if a numerical IPv4 address is supported for the kdc entry in /etc/krb5.conf, a numerical IPv6 address should be supported too.

Investigation shows the defect is in the function "krb5_locate_srv_conf_1()" in the file "krb5-1.7/src/lib/krb5/os/locate_kdc.c", and a fix has been prepared. Would anyone like to review it?

P.S. How should I send the fix to you guys? As an email attachment?

Thanks,
Xu Qiang
An email attachment should work fine, yes.
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Date: Tue, 15 Sep 2009 10:59:06 +0800
Subject: [krbdev.mit.edu #6562] kinit not working if kdc is configured with numerical IPv6 address
> -----Original Message-----
> From: krb5-bugs-bounces@mit.edu
> [mailto:krb5-bugs-bounces@mit.edu] On Behalf Of Greg Hudson via RT
> Sent: Tuesday, September 15, 2009 1:25 AM
> Subject: [krbdev.mit.edu #6562] kinit not working if kdc is
> configured with numerical IPv6 address
>
> An email attachment should work fine, yes.

Here is the fix. Please review.

Thanks,
Xu Qiang
Download locate_kdc.zip
application/x-zip-compressed 13.6KiB

From: ghudson@mit.edu
Subject: SVN Commit

When parsing a KDC or admin server string, allow the name or address
to be enclosed in brackets so that IPv6 addresses can be represented.
(IPv6 addresses contain colons, which look like port separators.)


https://github.com/krb5/krb5/commit/89621595e15af56f8e4fcf7b635c2cedd0e4043a
Commit By: ghudson
Revision: 24055
Changed Files:
U trunk/doc/admin.texinfo
U trunk/src/lib/kadm5/alt_prof.c
U trunk/src/lib/krb5/os/locate_kdc.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24055 from trunk

------------------------------------------------------------------------
r24055 | ghudson | 2010-05-18 13:19:15 -0400 (Tue, 18 May 2010) | 6 lines

ticket: 6562

When parsing a KDC or admin server string, allow the name or address
to be enclosed in brackets so that IPv6 addresses can be represented.
(IPv6 addresses contain colons, which look like port separators.)

https://github.com/krb5/krb5/commit/8d2aeebad00392f01a768a4e2b9862f575d3783a
Commit By: tlyu
Revision: 24073
Changed Files:
U branches/krb5-1-8/doc/admin.texinfo
U branches/krb5-1-8/src/lib/kadm5/alt_prof.c
U branches/krb5-1-8/src/lib/krb5/os/locate_kdc.c