Fix BACKWARD_BITMASK_COMPAT so that it doesn't break user-to-user
authorTheodore Tso <tytso@mit.edu>
Sat, 22 Apr 1995 00:12:37 +0000 (00:12 +0000)
committerTheodore Tso <tytso@mit.edu>
Sat, 22 Apr 1995 00:12:37 +0000 (00:12 +0000)
authentication.  Unfortunately, this breaks proxy tickets (and
renewable tickets continue to be broken if BACKWARD_BITMASK_COMPAT is
defined; nothing can be done about this.) Sites should only define
BACKWARD_BITMASK_COMPAT if they have an installed base of broken
implementations.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5431 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/asn.1/ChangeLog
src/lib/krb5/asn.1/asn1_k_decode.c

index 6cbd87aa7aaf163bbdefc24ed3456f5511fe6a46..0e4e522cb7a6c826e84627c9c727aa5e15acc880 100644 (file)
@@ -1,3 +1,14 @@
+Fri Apr 21 09:45:00 1995  Theodore Y. Ts'o  <tytso@lurch.mit.edu>
+
+       * asn1_k_decode.c (asn1_decode_kdc_options): Fix
+               BACKWARD_BITMASK_COMPAT so that it doesn't break
+               user-to-user authentication.  Unfortunately, this breaks 
+               proxy tickets (and renewable tickets continue to be
+               broken if BACKWARD_BITMASK_COMPAT is defined; nothing
+               can be done by this.)  Sites should only define
+               BACKWARD_BITMASK_COMPAT if they have an installed base
+               of broken implementations.
+
 Thu Apr 20 17:41:24 1995  Theodore Y. Ts'o  (tytso@dcl)
 
        * asn1_k_decode.c, krbasn1.h: Move the define of
index 4a7e668c6c4b1546ed0935ec6d6dca5639b4ecb7..b087c982bc52c609fe997a07423dec38f17beeac 100644 (file)
 
 /* 
  * The hand-coded parser used in the Beta 4 distribution didn't
- * reverse the order of the bit string fields.  This define allows partial
+ * reverse the order of the bit string fields.  These define allows partial
  * interoperability with the Beta 4 distribution by doing a bit reversal
  * on bitfields which have bits set in the high 16 bits.
+ *
+ * Warning: defining this will cause proxiable tickets and renewable
+ * tickets to break.  Fortunately, these aren't in common use yet....
+ * Vendors shipping product probably should NOT define this #define,
+ * unless there is an explicit need for backwards compatibility with
+ * Beta 4 implementations.  (Which hopefully will be relatively rare.)
  */
 #define BACKWARD_BITMASK_COMPAT
+#ifdef BACKWARD_BITMASK_COMPAT
+int asn1_always_reverse = 0;
+#endif
 
 #include "asn1_k_decode.h"
 #include "asn1_decode.h"
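Review bot: The context line `#define BACKWARD_BITMASK_COMPAT` stays unconditional directly under the new warning that vendors should not define it, so every build of this file still takes the heuristic decoding path that the warning says breaks proxiable and renewable tickets. If the compatibility mode is meant to be opt-in, the define should come from the build configuration, or at least be wrapped so a site can turn it off without editing the source. The new global `asn1_always_reverse` has external linkage and no comment; I would add `/* Nonzero forces bit reversal of decoded flag words, bypassing the Beta 4 heuristic. */` above it and say who is expected to set it. The reworded comment line now reads "These define allows", which should go back to `This define allows`.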
@@ -352,8 +361,23 @@ asn1_error_code asn1_decode_krb5_flags(buf, val)
   if(retval) return retval;
   f = (f<<8) | ((krb5_flags)o&asn1_pad_mask[pad]);
 
+  *val = f;
+  return 0;
+}
+
+asn1_error_code asn1_decode_ticket_flags(buf, val)
+     asn1buf * buf;
+     krb5_flags * val;
+{
+    asn1_error_code retval;
+    krb5_flags f;
+    
+    retval = asn1_decode_krb5_flags(buf, &f);
+    if (retval)
+       return retval;
+    
 #ifdef BACKWARD_BITMASK_COMPAT
-  if (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0))
+  if (asn1_always_reverse || (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0)))
 #endif
   f = (asn1_swbits[(f & 0xff)] << 24) | (asn1_swbits[(f >> 8) & 0xff] << 16) |
       (asn1_swbits[(f >> 16) & 0xff] << 8) | asn1_swbits[(f >> 24) & 0xff];
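Review bot: The byte-table reversal expression in asn1_decode_ticket_flags is repeated in asn1_decode_ap_options with the same `asn1_always_reverse || ...` guard, and twice more in asn1_decode_kdc_options later in this commit, so any later fix has to be made in four places. A small static helper would hold the expression once, and it is also the place to widen each table entry before shifting: if `asn1_swbits` has a narrow element type (its declaration is not visible here), `asn1_swbits[...] << 24` is evaluated as a signed int and overflows for entries of 0x80 and above. Bracing the guarded assignment would also make it obvious that the `if` inside the `#ifdef` governs only that one statement, which the mixed two- and four-space indentation currently hides. The end of asn1_decode_ticket_flags lies outside this hunk.

```c
/* Reverse the bit order of a 32-bit flag word, one table lookup per byte. */
static krb5_flags asn1_reverse_flag_bits(f)
     krb5_flags f;
{
    return (krb5_flags)
        (((unsigned long)asn1_swbits[f & 0xff] << 24) |
         ((unsigned long)asn1_swbits[(f >> 8) & 0xff] << 16) |
         ((unsigned long)asn1_swbits[(f >> 16) & 0xff] << 8) |
         (unsigned long)asn1_swbits[(f >> 24) & 0xff]);
}

/* ... unchanged: decode call and the #ifdef-guarded if ... */
#endif
    {
        f = asn1_reverse_flag_bits(f);
    }
```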
@@ -362,20 +386,82 @@ asn1_error_code asn1_decode_krb5_flags(buf, val)
   return 0;
 }
 
-asn1_error_code asn1_decode_ticket_flags(buf, val)
-     asn1buf * buf;
-     krb5_flags * val;
-{ return asn1_decode_krb5_flags(buf,val); }
-
 asn1_error_code asn1_decode_ap_options(buf, val)
      asn1buf * buf;
      krb5_flags * val;
-{ return asn1_decode_krb5_flags(buf,val); }
+{
+    asn1_error_code retval;
+    krb5_flags f;
+    
+    retval = asn1_decode_krb5_flags(buf, &f);
+    if (retval)
+       return retval;
+    
+#ifdef BACKWARD_BITMASK_COMPAT
+  if (asn1_always_reverse || (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0)))
+#endif
+  f = (asn1_swbits[(f & 0xff)] << 24) | (asn1_swbits[(f >> 8) & 0xff] << 16) |
+      (asn1_swbits[(f >> 16) & 0xff] << 8) | asn1_swbits[(f >> 24) & 0xff];
+
+  *val = f;
+  return 0;
+}
+
+
+#ifdef BACKWARD_BITMASK_COMPAT
+#define VALID_KDC_FLAGS (KDC_OPT_FORWARDABLE | KDC_OPT_FORWARDED | \
+                        KDC_OPT_PROXIABLE | KDC_OPT_PROXY | \
+                        KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \
+                        KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK | \
+                        KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \
+                        KDC_OPT_VALIDATE)
+#endif
 
 asn1_error_code asn1_decode_kdc_options(buf, val)
      asn1buf * buf;
      krb5_flags * val;
-{ return asn1_decode_krb5_flags(buf,val); }
+{
+    asn1_error_code retval;
+    krb5_flags f;
+#ifdef BACKWARD_BITMASK_COMPAT
+    krb5_flags r;
+#endif
+    
+    retval = asn1_decode_krb5_flags(buf, &f);
+    if (retval)
+       return retval;
+    
+#ifdef BACKWARD_BITMASK_COMPAT
+    
+    r = ((asn1_swbits[(f & 0xff)] << 24) |
+        (asn1_swbits[(f >> 8) & 0xff] << 16) |
+        (asn1_swbits[(f >> 16) & 0xff] << 8) |
+        asn1_swbits[(f >> 24) & 0xff]);
+
+    if (asn1_always_reverse)
+       *val = r;
+    else if (((f & ~VALID_KDC_FLAGS) == 0) &&
+       ((r & ~VALID_KDC_FLAGS) != 0))
+       *val = f;
+    else if (((r & ~VALID_KDC_FLAGS) == 0) &&
+            ((f & ~VALID_KDC_FLAGS) != 0))
+       *val = r;
+    else if (f & (KDC_OPT_FORWARDABLE|
+                 KDC_OPT_FORWARDED|
+                 KDC_OPT_ENC_TKT_IN_SKEY))
+       *val = f;
+    else
+       *val = r;
+#else
+    f = ((asn1_swbits[(f & 0xff)] << 24) |
+        (asn1_swbits[(f >> 8) & 0xff] << 16) |
+        (asn1_swbits[(f >> 16) & 0xff] << 8) |
+        asn1_swbits[(f >> 24) & 0xff]);
+    
+    *val = f;
+#endif
+    return 0;
+}
 
 asn1_error_code asn1_decode_transited_encoding(buf, val)
      asn1buf * buf;