From: Sam Hartman Date: Tue, 10 Oct 1995 03:11:08 +0000 (+0000) Subject: Fix handling of session key for Kerberos5. I don't think this should X-Git-Tag: krb5-1.0-beta6~914 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=2c3df8f5da068eef7d515b6c3d38f767824a1cd5;p=krb5.git Fix handling of session key for Kerberos5. I don't think this should fix the mutual authentication bug with beta 4, but this should help forwarding credentials and should also help if someone actually defines ENCRYPTION. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6954 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog index 112652159..041bed8a2 100644 --- a/src/appl/telnet/libtelnet/ChangeLog +++ b/src/appl/telnet/libtelnet/ChangeLog @@ -1,3 +1,14 @@ +Mon Oct 9 23:03:48 1995 Sam Hartman + + * kerberos5.c: make session_key a pointer, and use + krb5_copy_keyblock not krb5_copy_keyblock_contents; there was no + reason to violate this abstraction. + +Sun Sep 24 12:33:03 1995 Sam Hartman + + * kerberos5.c: Initialize session key from the subsession key we get from krb5_mk_req_extended, using ticket key as a fallback. + (kerberos5_send): Use appropriate enctypes when encryption defined. + Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu) * encrypt.h, kerberos5.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index dbc9c7f80..1488edf0c 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -31,7 +31,7 @@ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * OUT OF THE USE OF THIS SOFTWARE, EVEN Ikeyblock.enctype == ENCTYPE_DES) - /* use the session key in credentials instead */ - krb5_copy_keyblock_contents(telnet_context, - &new_creds->keyblock, - &session_key); - else - /* XXX ? */; - } else { - krb5_copy_keyblock_contents(telnet_context, newkey, &session_key); + if (session_key) { +krb5_free_keyblock(telnet_context, session_key); +session_key = 0; } - if (newkey) + + if (newkey) { + /* keep the key in our private storage, but don't use it + yet---see kerberos5_reply() below */ + if ((newkey->enctype != ENCTYPE_DES_CBC_CRC) && (newkey-> enctype != ENCTYPE_DES_CBC_MD5)) { + if ((new_creds->keyblock.enctype == ENCTYPE_DES_CBC_CRC)||( new_creds->keyblock.enctype == ENCTYPE_DES_CBC_MD5)) + /* use the session key in credentials instead */ + krb5_copy_keyblock(telnet_context,&new_creds->keyblock, &session_key); + else + /* XXX ? */; + } else { + krb5_copy_keyblock(telnet_context, newkey, &session_key); + } krb5_free_keyblock(telnet_context, newkey); + } #endif /* ENCRYPTION */ krb5_free_cred_contents(telnet_context, &creds); krb5_free_creds(telnet_context, new_creds); @@ -403,15 +401,20 @@ kerberos5_is(ap, data, cnt) krb5_auth_con_getremotesubkey(telnet_context, auth_context, &newkey); if (newkey) { - if (session_key.contents) - free(session_key.contents); - krb5_copy_keyblock_contents(telnet_context, newkey, + if (session_key) { + krb5_free_keyblock(telnet_context, session_key); + session_key = 0; + } + + krb5_copy_keyblock(telnet_context, newkey, &session_key); krb5_free_keyblock(telnet_context, newkey); } else { - if (session_key.contents) - free(session_key.contents); - krb5_copy_keyblock_contents(telnet_context, + if (session_key){ + krb5_free_keyblock(telnet_context, session_key); +session_key = 0; + } + krb5_copy_keyblock(telnet_context, ticket->enc_part2->session, &session_key); } @@ -419,7 +422,7 @@ kerberos5_is(ap, data, cnt) #ifdef ENCRYPTION skey.type = SK_DES; skey.length = 8; - skey.data = session_key.contents; + skey.data = session_key->contents; encrypt_session_key(&skey, 1); #endif break; @@ -512,10 +515,10 @@ kerberos5_reply(ap, data, cnt) } krb5_free_ap_rep_enc_part(telnet_context, reply); #ifdef ENCRYPTION - if (!session_key.contents) { + if (session_key) { skey.type = SK_DES; skey.length = 8; - skey.data = session_key.contents; + skey.data = session_key->contents; encrypt_session_key(&skey, 0); } #endif /* ENCRYPTION */