pull up r22283, r22288 from trunk. r22283 was not originally part of

this ticket but is a prereq for the mk_cred.c change.

 ------------------------------------------------------------------------
 r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/mk_cred.c
    M /trunk/src/lib/krb5/krb/mk_priv.c
    M /trunk/src/lib/krb5/krb/mk_safe.c

 ticket: 6478
 subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred

 Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in
 krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as
 a baseline.  RET_SEQUENCE now implies DO_SEQUENCE for all three
 functions, the sequence number is always incremented if it is used,
 and outdata->seq is always set if RET_SEQUENCE is passed.

 Note that in the corresponding rd_ functions, RET_SEQUENCE and
 DO_SEQUENCE are independent flags, which is not consistent with the
 above.  This compromise is intended to preserve compatibility with
 any working code which might exist using the RET_SEQUENCE flag.
 ------------------------------------------------------------------------
 r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines
 Changed paths:
    M /trunk/src/lib/krb5/krb/mk_cred.c

 Fix a few memory leaks in krb5_mk_ncred.  Also tighten up the error
 handling of the sequence number, only decreasing it if it was
 increased.  The handling of DO_SEQUENCE and RET_SEQUENCE may still be
 flawed in some cases.

ticket: 6478
version_fixed: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22331 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 5618868255eecd5a87f175d924bb04ba520e8573..f17a1485830a1bf8ec2d9347554661d9d9e87553 100644 (file)
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -162,14 +162,14 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
     krb5_replay_data    replaydata;
     krb5_cred           * pcred;
     krb5_int32         ncred;
+    krb5_boolean increased_sequence = FALSE;
 
     local_fulladdr.contents = 0;
     remote_fulladdr.contents = 0;
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
-    if (ppcreds == NULL) {
+    if (ppcreds == NULL)
        return KRB5KRB_AP_ERR_BADADDR;
-    }
 
     /*
      * Allocate memory for a NULL terminated list of tickets.
@@ -183,8 +183,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
     if ((pcred->tickets 
         = (krb5_ticket **)calloc((size_t)ncred+1,
                                  sizeof(krb5_ticket *))) == NULL) {
-       free(pcred);
-       return ENOMEM;
+       retval = ENOMEM;
+       goto error;
     }
 
     /* Get keyblock */
@@ -193,30 +193,32 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
-      (auth_context->rcache == NULL))
-        return KRB5_RC_REQUIRED;
+       (auth_context->rcache == NULL)) {
+       retval = KRB5_RC_REQUIRED;
+       goto error;
+    }
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
-      (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
-      (outdata == NULL))
+        (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+       && (outdata == NULL)) {
         /* Need a better error */
-        return KRB5_RC_REQUIRED;
+       retval = KRB5_RC_REQUIRED;
+       goto error;
+    }
 
     if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
                                    &replaydata.usec)))
-       return retval;
+       goto error;
     if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
        outdata->timestamp = replaydata.timestamp;
        outdata->usec = replaydata.usec;
     }
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
         (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
-        replaydata.seq = auth_context->local_seq_number;
-        if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-            auth_context->local_seq_number++;
-        } else {
+        replaydata.seq = auth_context->local_seq_number++;
+       increased_sequence = TRUE;
+        if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
             outdata->seq = replaydata.seq;
-        }
     }
 
     if (auth_context->local_addr) {
@@ -273,15 +275,12 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
     retval = encode_krb5_cred(pcred, ppdata);
 
 error:
-    if (local_fulladdr.contents)
-       free(local_fulladdr.contents);
-    if (remote_fulladdr.contents)
-       free(remote_fulladdr.contents);
+    free(local_fulladdr.contents);
+    free(remote_fulladdr.contents);
     krb5_free_cred(context, pcred);
 
     if (retval) {
-       if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) 
-        || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+       if (increased_sequence)
             auth_context->local_seq_number--;
     }
     return retval;

diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 5ac8306959a78e14fb178a3a5183510aaf63a2fb..727262cbeca429c6840c912111bbc7f8dee43779 100644 (file)
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -151,12 +151,9 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
     }
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
        (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
-       replaydata.seq = auth_context->local_seq_number;
-       if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-           auth_context->local_seq_number++;
-       } else {
+       replaydata.seq = auth_context->local_seq_number++;
+       if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
            outdata->seq = replaydata.seq;
-       }
     }
 
 {

diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 9dac932450663bc0858b395c8914f272aedb665e..0afa61e856835dd4f36344fc0e092d9a3b58b8d7 100644 (file)
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -152,9 +152,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
        (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
        replaydata.seq = auth_context->local_seq_number++;
-       if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) {
+       if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
            outdata->seq = replaydata.seq;
-       }
     } 
 
 {