From: Greg Hudson Date: Sat, 15 Oct 2011 16:56:26 +0000 (+0000) Subject: Allow rd_priv/rd_safe without remote address X-Git-Tag: krb5-1.10-alpha1~20 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=2b7be6fbfdc920bff5ab89213931e69bed5bfed6;p=krb5.git Allow rd_priv/rd_safe without remote address Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES flag is set (in which case we need the remote address for the replay cache name). Note that failing to set the remote address can create a vulnerability to reflection attacks in some protocols, although it is fairly easy to defend against--either use sequence numbers, or make sure that requests don't look like replies, or both. ticket: 6978 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25355 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/privsafe.c b/src/lib/krb5/krb/privsafe.c index 405a24211..264b07684 100644 --- a/src/lib/krb5/krb/privsafe.c +++ b/src/lib/krb5/krb/privsafe.c @@ -208,14 +208,17 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac, local_fulladdr.contents = remote_fulladdr.contents = NULL; /* Determine the remote comparison address. */ - if (ac->remote_port != NULL) { - ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port, - &remote_fulladdr); - if (ret) - goto cleanup; - remote_addr = &remote_fulladdr; + if (ac->remote_addr != NULL) { + if (ac->remote_port != NULL) { + ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port, + &remote_fulladdr); + if (ret) + goto cleanup; + remote_addr = &remote_fulladdr; + } else + remote_addr = ac->remote_addr; } else - remote_addr = ac->remote_addr; + remote_addr = NULL; /* Determine the local comparison address (possibly NULL). */ if (ac->local_addr != NULL) { @@ -231,7 +234,8 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac, local_addr = NULL; /* Check the remote address against the message's sender address. */ - if (!krb5_address_compare(context, remote_addr, msg_s_addr)) { + if (remote_addr != NULL && + !krb5_address_compare(context, remote_addr, msg_s_addr)) { ret = KRB5KRB_AP_ERR_BADADDR; goto cleanup; } diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 831f25807..93259680e 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -133,7 +133,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, /* Need a better error */ return KRB5_RC_REQUIRED; - if (!auth_context->remote_addr) + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && + (auth_context->remote_addr == NULL)) return KRB5_REMOTE_ADDR_REQUIRED; if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index e12148911..c879f331f 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -145,13 +145,14 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, /* Need a better error */ return KRB5_RC_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && + (auth_context->remote_addr == NULL)) + return KRB5_REMOTE_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; - if (!auth_context->remote_addr) - return KRB5_REMOTE_ADDR_REQUIRED; - /* Get key */ if ((key = auth_context->recv_subkey) == NULL) key = auth_context->key;