From: Theodore Tso Date: Thu, 4 Jan 1996 02:44:21 +0000 (+0000) Subject: * rd_cred.c (krb5_rd_cred_basic): When the keyblock is NULL, assume X-Git-Tag: krb5-1.0-beta6~668 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ccfc9a62a43de47fb236c36935bab8d1967b1f54;p=krb5.git * rd_cred.c (krb5_rd_cred_basic): When the keyblock is NULL, assume we're being called from the gssapi code, which doesn't have access to the sender or receive address information, don't check the sender address, since it won't be available. * rd_cred.c (decrypt_credencdata): When calling krb5_rd_credd(), if the keyblock is null, just copy the encoded structure from the "ciphertext" part of the structure and decode it. * mk_cred.c (encrypt_credencpart): When calling krb5_mk_cred(), if the keyblock is NULL, don't encrypt it; just encode it and leave it in the ciphertext area of the structure. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7264 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index c3c12e150..3e60282f1 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,19 @@ +Wed Jan 3 21:32:59 1996 Theodore Y. Ts'o + + * rd_cred.c (krb5_rd_cred_basic): When the keyblock is NULL, + assume we're being called from the gssapi code, which + doesn't have access to the sender or receive address + information, don't check the sender address, since it + won't be available. + + * rd_cred.c (decrypt_credencdata): When calling krb5_rd_credd(), + if the keyblock is null, just copy the encoded structure + from the "ciphertext" part of the structure and decode it. + + * mk_cred.c (encrypt_credencpart): When calling krb5_mk_cred(), if + the keyblock is NULL, don't encrypt it; just encode it and + leave it in the ciphertext area of the structure. + Thu Dec 21 18:47:54 1995 Theodore Y. Ts'o * rd_rep.c (krb5_rd_rep): Change use of diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 5e399a106..6c0162dda 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -31,13 +31,24 @@ encrypt_credencpart(context, pcredpart, pkeyblock, pencdata) krb5_encrypt_block eblock; krb5_data * scratch; - if (!valid_enctype(pkeyblock->enctype)) + if (pkeyblock && !valid_enctype(pkeyblock->enctype)) return KRB5_PROG_ETYPE_NOSUPP; /* start by encoding to-be-encrypted part of the message */ if ((retval = encode_krb5_enc_cred_part(pcredpart, &scratch))) return retval; + /* + * If the keyblock is NULL, just copy the data from the encoded + * data to the ciphertext area. + */ + if (pkeyblock == NULL) { + pencdata->ciphertext.data = scratch->data; + pencdata->ciphertext.length = scratch->length; + krb5_xfree(scratch); + return 0; + } + /* put together an eblock for this encryption */ pencdata->kvno = 0; @@ -169,7 +180,9 @@ krb5_mk_ncred_basic(context, ppcreds, nppcreds, keyblock, credenc.ticket_info[i] = NULL; pcred->tickets[i] = NULL; - retval = encrypt_credencpart(context, &credenc, keyblock, &pcred->enc_part); + /* encrypt the credential encrypted part */ + retval = encrypt_credencpart(context, &credenc, keyblock, + &pcred->enc_part); cleanup_info_ptrs: free(tmp); diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index a1775f141..d515b7b60 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -23,31 +23,37 @@ decrypt_credencdata(context, pcred, pkeyblock, pcredenc) krb5_error_code retval; krb5_data scratch; - if (!valid_enctype(pcred->enc_part.enctype)) - return KRB5_PROG_ETYPE_NOSUPP; - - /* put together an eblock for this decryption */ - krb5_use_enctype(context, &eblock, pcred->enc_part.enctype); scratch.length = pcred->enc_part.ciphertext.length; - if (!(scratch.data = (char *)malloc(scratch.length))) - return ENOMEM; + return ENOMEM; + + if (pkeyblock != NULL) { + if (!valid_enctype(pcred->enc_part.enctype)) { + free(scratch.data); + return KRB5_PROG_ETYPE_NOSUPP; + } - /* do any necessary key pre-processing */ - if ((retval = krb5_process_key(context, &eblock, pkeyblock))) - goto cleanup; + /* put together an eblock for this decryption */ + krb5_use_enctype(context, &eblock, pcred->enc_part.enctype); - /* call the decryption routine */ - if ((retval = krb5_decrypt(context, - (krb5_pointer) pcred->enc_part.ciphertext.data, - (krb5_pointer) scratch.data, - scratch.length, &eblock, 0))) { - (void)krb5_finish_key(context, &eblock); - goto cleanup; - } + /* do any necessary key pre-processing */ + if ((retval = krb5_process_key(context, &eblock, pkeyblock))) + goto cleanup; + + /* call the decryption routine */ + if ((retval = krb5_decrypt(context, + (krb5_pointer) pcred->enc_part.ciphertext.data, + (krb5_pointer) scratch.data, + scratch.length, &eblock, 0))) { + (void)krb5_finish_key(context, &eblock); + goto cleanup; + } - if ((retval = krb5_finish_key(context, &eblock))) - goto cleanup; + if ((retval = krb5_finish_key(context, &eblock))) + goto cleanup; + } else { + memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length); + } /* now decode the decrypted stuff */ if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart))) @@ -92,9 +98,16 @@ krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr, if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart))) goto cleanup_cred; - if (!krb5_address_compare(context, remote_addr, encpart.s_address)) { - retval = KRB5KRB_AP_ERR_BADADDR; - goto cleanup_cred; + /* + * Only check the remote address if the KRB_CRED message was + * protected by encryption. If it came in the checksum field of + * an init_sec_context message, skip over this check. + */ + if (pkeyblock != NULL) { + if (!krb5_address_compare(context, remote_addr, encpart.s_address)) { + retval = KRB5KRB_AP_ERR_BADADDR; + goto cleanup_cred; + } } if (encpart.r_address) {