From 40e425b53b10f753fb62caff577d2679cdd6325b Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 8 Apr 2009 15:58:24 +0000
Subject: [PATCH] mk_safe and mk_priv require the local address to be set in the auth context; rd_safe and rd_priv require the remote address to be set. Create error codes for both kinds of missing addresses and stop trying futilely to handle the cases where they are not set. ticket: 1165 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22184 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/error_tables/krb5_err.et | 3 +++
 src/lib/krb5/krb/mk_priv.c | 27 +++++++++++++------------
 src/lib/krb5/krb/mk_safe.c | 28 +++++++++++++-------------
 src/lib/krb5/krb/rd_priv.c | 29 ++++++++++++++-------------
 src/lib/krb5/krb/rd_safe.c | 27 +++++++++++++------------
 5 files changed, 60 insertions(+), 54 deletions(-)
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 5698f1e4a..c7c91dff9 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -348,4 +348,7 @@ error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton" error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string" error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC" + +error_code KRB5_LOCAL_ADDR_REQUIRED, "Auth context must contain local address" +error_code KRB5_REMOTE_ADDR_REQUIRED, "Auth context must contain remote address" end
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 1acffd5b4..5c8774b12 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -136,6 +136,9 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->local_addr) + return KRB5_LOCAL_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
@@ -154,28 +157,26 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, } else { outdata->seq = replaydata.seq; } - } + } { krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr = NULL; + krb5_address * plocal_fulladdr; krb5_address remote_fulladdr; krb5_address local_fulladdr; CLEANUP_INIT(2); - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))) { - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))) { + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - plocal_fulladdr = auth_context->local_addr; + goto error; } + } else { + plocal_fulladdr = auth_context->local_addr; } if (auth_context->remote_addr) {
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index d99b1a3d7..689eef203 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
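Review bot: The new `KRB5_LOCAL_ADDR_REQUIRED` early return in krb5_mk_priv introduces a precondition that is not documented at the check or, as far as the hunk shows, anywhere near the function. I would add a comment above it such as `/* mk_priv requires a local address in the auth context; callers set it with krb5_auth_con_setaddrs() or krb5_auth_con_genaddrs(). */` and list the new error in the function's API documentation, so callers know the address must be set before the call. The same applies to the parallel check in krb5_mk_safe and to the `KRB5_REMOTE_ADDR_REQUIRED` checks in krb5_rd_priv and krb5_rd_safe. The function body starts and ends outside this hunk.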
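Review bot: `plocal_fulladdr` loses its `= NULL` initializer in the second hunk, so it is indeterminate until one of the `local_port` branches assigns it, and the failure branch jumps to `error` without assigning. The `error` label is outside the hunk, so whether anything on that path reads the pointer cannot be confirmed from here. I would keep `krb5_address * plocal_fulladdr = NULL;`, which costs nothing and means a later edit to the cleanup path cannot turn this into an uninitialized read. The same applies to `plocal_fulladdr` in mk_safe.c and to `premote_fulladdr` in rd_priv.c and rd_safe.c.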
@@ -136,6 +136,9 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->local_addr) + return KRB5_LOCAL_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) { if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
@@ -156,27 +159,24 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, { krb5_address * premote_fulladdr = NULL; - krb5_address * plocal_fulladdr = NULL; + krb5_address * plocal_fulladdr; krb5_address remote_fulladdr; krb5_address local_fulladdr; krb5_cksumtype sumtype; CLEANUP_INIT(2); - if (auth_context->local_addr) { - if (auth_context->local_port) { - if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, - auth_context->local_port, - &local_fulladdr))){ - CLEANUP_PUSH(local_fulladdr.contents, free); - plocal_fulladdr = &local_fulladdr; - } else { - goto error; - } + if (auth_context->local_port) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, + &local_fulladdr))){ + CLEANUP_PUSH(local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; } else { - plocal_fulladdr = auth_context->local_addr; - } - + goto error; + } + } else { + plocal_fulladdr = auth_context->local_addr; } if (auth_context->remote_addr) {
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 7d1dbc3ca..eaeaed894 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -169,12 +169,15 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, /* Need a better error */ return KRB5_RC_REQUIRED; + if (!auth_context->remote_addr) + return KRB5_REMOTE_ADDR_REQUIRED; + if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; { - krb5_address * premote_fulladdr = NULL; + krb5_address * premote_fulladdr; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr;
@@ -195,20 +198,18 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, } } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - CLEANUP_DONE(); - return retval; - } + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - premote_fulladdr = auth_context->remote_addr; - } + CLEANUP_DONE(); + return retval; + } + } else { + premote_fulladdr = auth_context->remote_addr; } memset(&replaydata, 0, sizeof(replaydata));
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index a79ef7fdf..989c22242 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -177,12 +177,15 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; + if (!auth_context->remote_addr) + return KRB5_REMOTE_ADDR_REQUIRED; + /* Get keyblock */ if ((keyblock = auth_context->recv_subkey) == NULL) keyblock = auth_context->keyblock; { - krb5_address * premote_fulladdr = NULL; + krb5_address * premote_fulladdr; krb5_address * plocal_fulladdr = NULL; krb5_address remote_fulladdr; krb5_address local_fulladdr;
@@ -203,19 +206,17 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, } } - if (auth_context->remote_addr) { - if (auth_context->remote_port) { - if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, - auth_context->remote_port, - &remote_fulladdr))){ - CLEANUP_PUSH(remote_fulladdr.contents, free); - premote_fulladdr = &remote_fulladdr; - } else { - return retval; - } + if (auth_context->remote_port) { + if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr, + auth_context->remote_port, + &remote_fulladdr))){ + CLEANUP_PUSH(remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; } else { - premote_fulladdr = auth_context->remote_addr; - } + return retval; + } + } else { + premote_fulladdr = auth_context->remote_addr; } memset(&replaydata, 0, sizeof(replaydata));
-- 
2.26.2
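Review bot: The failure branch of `krb5_make_fulladdr` for the remote address in the second krb5_rd_safe hunk still does a bare `return retval;`, while the identical branch in rd_priv.c in this same patch runs `CLEANUP_DONE();` first. If the local-address block just above the hunk has already done `CLEANUP_PUSH(local_fulladdr.contents, free)`, that allocation is leaked on this path. That block is outside the visible lines, so this is inferred from the parallel code in rd_priv.c. Since the branch is being re-indented anyway, I would change it to `CLEANUP_DONE(); return retval;` so both readers release what they pushed on every exit.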