Disable address checking in krb_rd_cred. No objections raised on
authorSam Hartman <hartmans@mit.edu>
Wed, 27 Feb 2002 21:24:58 +0000 (21:24 +0000)
committerSam Hartman <hartmans@mit.edu>
Wed, 27 Feb 2002 21:24:58 +0000 (21:24 +0000)
krbdev; helps NAT and Heimdal interoperability.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14166 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/rd_cred.c

index c884dbe9d3e22cdb1424235dd64936f3f2c2462d..bbcb51f5dbef98b4a1b12787d9e1419f7ffdc806 100644 (file)
@@ -1,3 +1,14 @@
+2002-02-27  Sam Hartman  <hartmans@mit.edu>
+
+       * rd_cred.c (krb5_rd_cred_basic): Don't check IP addresses; if
+       someone knows the key and wants to give us credentials, that's OK.
+       No reflection attack is possible in most protocols since  krb_cred
+       is almost always client->server.  Address checking created
+       significant problems for NATs.    We also ran into problems
+       getting our code to work with Heimdal  and removing checking was
+       easier than a staged upgrade to fix the problems.
+       (krb5_rd_cred): Don't pass in addresses
+
 2002-02-22  Ken Raeburn  <raeburn@mit.edu>
 
        * addr_comp.c, addr_order.c, addr_srch.c, bld_pr_ext.c,
index dc8d44253d6c77405617f1d68763361ffd95a1d9..8d952bcb34b2f8c5ca504981896caa8b5b6bd0c0 100644 (file)
@@ -55,24 +55,22 @@ cleanup:
 /*----------------------- krb5_rd_cred_basic -----------------------*/
 
 static krb5_error_code 
-krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
+krb5_rd_cred_basic(context, pcreddata, pkeyblock, 
                   replaydata, pppcreds)
     krb5_context          context;
     krb5_data          * pcreddata;
     krb5_keyblock      * pkeyblock;
-    krb5_address       * local_addr;
-    krb5_address       * remote_addr;
     krb5_replay_data    * replaydata;
     krb5_creds        *** pppcreds;
 {
-    krb5_error_code       retval;
-    krb5_cred          * pcred;
+  krb5_error_code       retval;
+  krb5_cred            * pcred;
     krb5_int32                   ncreds;
     krb5_int32                   i = 0;
     krb5_cred_enc_part           encpart;
 
     /* decode cred message */
-    if ((retval = decode_krb5_cred(pcreddata, &pcred)))
+        if ((retval = decode_krb5_cred(pcreddata, &pcred)))
        return retval;
 
     memset(&encpart, 0, sizeof(encpart));
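Review bot: The re-indentation on the new side is inconsistent with the rest of the function. The `retval` and `pcred` declarations drop to a two-space indent while `ncreds`, `i` and `encpart` just below stay at four, and `if ((retval = decode_krb5_cred(pcreddata, &pcred)))` is pushed right so that, as rendered here, it sits at the same column as its own `return retval;`. The new signature line `krb5_rd_cred_basic(context, pcreddata, pkeyblock, ` also ends in trailing whitespace. None of these lines needed to change for the parameter removal, so I would restore the original four-space forms and keep the hunk to the signature and the two deleted parameter declarations. The body of krb5_rd_cred_basic continues past the end of this hunk.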
@@ -80,38 +78,6 @@ krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
     if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
        goto cleanup_cred;
 
-    /*
-     * Only check the remote address if the KRB_CRED message was
-     * protected by encryption.  If it came in the checksum field of
-     * an init_sec_context message, skip over this check.
-     */
-    if (remote_addr && encpart.s_address && pkeyblock != NULL) {
-       if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
-           retval = KRB5KRB_AP_ERR_BADADDR;
-           goto cleanup_cred;
-       }
-    }
-
-    if (encpart.r_address) {
-        if (local_addr) {
-            if (!krb5_address_compare(context, local_addr, encpart.r_address)) {
-                retval = KRB5KRB_AP_ERR_BADADDR;
-                goto cleanup_cred;
-            }
-        } else {
-            krb5_address **our_addrs;
-
-            if ((retval = krb5_os_localaddr(context, &our_addrs))) {
-                goto cleanup_cred;
-            }
-            if (!krb5_address_search(context, encpart.r_address, our_addrs)) {
-                krb5_free_addresses(context, our_addrs);
-                retval =  KRB5KRB_AP_ERR_BADADDR;
-                goto cleanup_cred;
-            }
-            krb5_free_addresses(context, our_addrs);
-        }
-    }
 
     replaydata->timestamp = encpart.timestamp;
     replaydata->usec = encpart.usec;
@@ -232,54 +198,12 @@ krb5_rd_cred(context, auth_context, pcreddata, pppcreds, outdata)
       (auth_context->rcache == NULL))
         return KRB5_RC_REQUIRED;
 
-{
-    krb5_address * premote_fulladdr = NULL;
-    krb5_address * plocal_fulladdr = NULL;
-    krb5_address remote_fulladdr;
-    krb5_address local_fulladdr;
-    CLEANUP_INIT(2);
-
-    if (auth_context->local_addr) {
-       if (auth_context->local_port) {
-            if (!(retval = krb5_make_fulladdr(context,auth_context->local_addr,
-                                             auth_context->local_port, 
-                                             &local_fulladdr))){
-                CLEANUP_PUSH(local_fulladdr.contents, free);
-               plocal_fulladdr = &local_fulladdr;
-            } else {
-               return retval;
-            }
-       } else {
-            plocal_fulladdr = auth_context->local_addr;
-        }
-    }
-
-    if (auth_context->remote_addr) {
-       if (auth_context->remote_port) {
-            if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
-                                             auth_context->remote_port, 
-                                             &remote_fulladdr))){
-                CLEANUP_PUSH(remote_fulladdr.contents, free);
-               premote_fulladdr = &remote_fulladdr;
-            } else {
-               return retval;
-            }
-       } else {
-            premote_fulladdr = auth_context->remote_addr;
-        }
-    }
 
     if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
-                                    plocal_fulladdr, premote_fulladdr,
                                     &replaydata, pppcreds))) {
-        CLEANUP_DONE();
-       return retval;
+      return retval;
     }
 
-    CLEANUP_DONE();
-}
-
-
     if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
         krb5_donot_replay replay;
         krb5_timestamp currenttime;
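Review bot: After this change the visible part of krb5_rd_cred no longer reads `auth_context->local_addr` or `auth_context->remote_addr`, and nothing at the call to `krb5_rd_cred_basic` says this is deliberate. A caller that set addresses on the auth context and expected `KRB5KRB_AP_ERR_BADADDR` on a mismatch now gets silent acceptance. I would add a comment above the call, for example `/* s_address/r_address in the KRB-CRED are intentionally not compared with the auth_context addresses; acceptance rests on the key and on the replay checks enabled by the auth_context flags below. */`. The ChangeLog entry rules out reflection only in "most" protocols, so the API documentation should also state that applications exchanging KRB-CRED in both directions under one key must rely on the `KRB5_AUTH_CONTEXT_DO_TIME` replay check (or sequence numbers, if the unseen remainder of the function enforces them) rather than on addresses. krb5_rd_cred begins above and ends below this hunk.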
@@ -327,4 +251,3 @@ error:;
     return retval;
 }
 
-