+Wed Jan 3 21:32:59 1996 Theodore Y. Ts'o <tytso@dcl>
+
+ * rd_cred.c (krb5_rd_cred_basic): When the keyblock is NULL,
+ assume we're being called from the gssapi code, which
+ doesn't have access to the sender or receive address
+ information, don't check the sender address, since it
+ won't be available.
+
+ * rd_cred.c (decrypt_credencdata): When calling krb5_rd_credd(),
+ if the keyblock is null, just copy the encoded structure
+ from the "ciphertext" part of the structure and decode it.
+
+ * mk_cred.c (encrypt_credencpart): When calling krb5_mk_cred(), if
+ the keyblock is NULL, don't encrypt it; just encode it and
+ leave it in the ciphertext area of the structure.
+
Thu Dec 21 18:47:54 1995 Theodore Y. Ts'o <tytso@dcl>
* rd_rep.c (krb5_rd_rep): Change use of
krb5_encrypt_block eblock;
krb5_data * scratch;
- if (!valid_enctype(pkeyblock->enctype))
+ if (pkeyblock && !valid_enctype(pkeyblock->enctype))
return KRB5_PROG_ETYPE_NOSUPP;
/* start by encoding to-be-encrypted part of the message */
if ((retval = encode_krb5_enc_cred_part(pcredpart, &scratch)))
return retval;
+ /*
+ * If the keyblock is NULL, just copy the data from the encoded
+ * data to the ciphertext area.
+ */
+ if (pkeyblock == NULL) {
+ pencdata->ciphertext.data = scratch->data;
+ pencdata->ciphertext.length = scratch->length;
+ krb5_xfree(scratch);
+ return 0;
+ }
+
/* put together an eblock for this encryption */
pencdata->kvno = 0;
credenc.ticket_info[i] = NULL;
pcred->tickets[i] = NULL;
- retval = encrypt_credencpart(context, &credenc, keyblock, &pcred->enc_part);
+ /* encrypt the credential encrypted part */
+ retval = encrypt_credencpart(context, &credenc, keyblock,
+ &pcred->enc_part);
cleanup_info_ptrs:
free(tmp);
krb5_error_code retval;
krb5_data scratch;
- if (!valid_enctype(pcred->enc_part.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
-
- /* put together an eblock for this decryption */
- krb5_use_enctype(context, &eblock, pcred->enc_part.enctype);
scratch.length = pcred->enc_part.ciphertext.length;
-
if (!(scratch.data = (char *)malloc(scratch.length)))
- return ENOMEM;
+ return ENOMEM;
+
+ if (pkeyblock != NULL) {
+ if (!valid_enctype(pcred->enc_part.enctype)) {
+ free(scratch.data);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
- /* do any necessary key pre-processing */
- if ((retval = krb5_process_key(context, &eblock, pkeyblock)))
- goto cleanup;
+ /* put together an eblock for this decryption */
+ krb5_use_enctype(context, &eblock, pcred->enc_part.enctype);
- /* call the decryption routine */
- if ((retval = krb5_decrypt(context,
- (krb5_pointer) pcred->enc_part.ciphertext.data,
- (krb5_pointer) scratch.data,
- scratch.length, &eblock, 0))) {
- (void)krb5_finish_key(context, &eblock);
- goto cleanup;
- }
+ /* do any necessary key pre-processing */
+ if ((retval = krb5_process_key(context, &eblock, pkeyblock)))
+ goto cleanup;
+
+ /* call the decryption routine */
+ if ((retval = krb5_decrypt(context,
+ (krb5_pointer) pcred->enc_part.ciphertext.data,
+ (krb5_pointer) scratch.data,
+ scratch.length, &eblock, 0))) {
+ (void)krb5_finish_key(context, &eblock);
+ goto cleanup;
+ }
- if ((retval = krb5_finish_key(context, &eblock)))
- goto cleanup;
+ if ((retval = krb5_finish_key(context, &eblock)))
+ goto cleanup;
+ } else {
+ memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
+ }
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
goto cleanup_cred;
- if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
+ /*
+ * Only check the remote address if the KRB_CRED message was
+ * protected by encryption. If it came in the checksum field of
+ * an init_sec_context message, skip over this check.
+ */
+ if (pkeyblock != NULL) {
+ if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_cred;
+ }
}
if (encpart.r_address) {
projects / krb5.git / commitdiff