From 956f42b7d4176ffaa1779c13e61d68d923a941cb Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Sat, 22 Apr 1995 00:12:37 +0000 Subject: [PATCH] Fix BACKWARD_BITMASK_COMPAT so that it doesn't break user-to-user authentication. Unfortunately, this breaks proxy tickets (and renewable tickets continue to be broken if BACKWARD_BITMASK_COMPAT is defined; nothing can be done by this.) Sites should only define BACKWARD_BITMASK_COMPAT if they have an installed base of broken implementations. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5431 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/asn.1/ChangeLog | 11 +++ src/lib/krb5/asn.1/asn1_k_decode.c | 104 ++++++++++++++++++++++++++--- 2 files changed, 106 insertions(+), 9 deletions(-) diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index 6cbd87aa7..0e4e522cb 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,14 @@ +Fri Apr 21 09:45:00 1995 Theodore Y. Ts'o + + * asn1_k_decode.c (asn1_decode_kdc_options): Fix + BACKWARD_BITMASK_COMPAT so that it doesn't break + user-to-user authentication. Unfortunately, this breaks + proxy tickets (and renewable tickets continue to be + broken if BACKWARD_BITMASK_COMPAT is defined; nothing + can be done by this.) Sites should only define + BACKWARD_BITMASK_COMPAT if they have an installed base + of broken implementations. + Thu Apr 20 17:41:24 1995 Theodore Y. Ts'o (tytso@dcl) * asn1_k_decode.c, krbasn1.h: Move the define of diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index 4a7e668c6..b087c982b 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c 
@@ -23,11 +23,20 @@ /* * The hand-coded parser used in the Beta 4 distribution didn't - * reverse the order of the bit string fields. This define allows partial + * reverse the order of the bit string fields. These define allows partial * interoperability with the Beta 4 distribution by doing a bit reversal * on bitfields which have bits set in the high 16 bits. + * + * Warning: defining this will cause proxiable tickets and renewable + * tickets to break. Fortunately, these aren't in common use yet.... + * Vendors shipping product probably should NOT define this #define, + * unless there is an explicit need for backwards compatibility with + * Beta 4 implementations. (Which hopefully will be relatively rare.) */ #define BACKWARD_BITMASK_COMPAT +#ifdef BACKWARD_BITMASK_COMPAT +int asn1_always_reverse = 0; +#endif #include "asn1_k_decode.h" #include "asn1_decode.h" @@ -352,8 +361,23 @@ asn1_error_code asn1_decode_krb5_flags(buf, val) if(retval) return retval; f = (f<<8) | ((krb5_flags)o&asn1_pad_mask[pad]); + *val = f; + return 0; +} + +asn1_error_code asn1_decode_ticket_flags(buf, val) + asn1buf * buf; + krb5_flags * val; +{ + asn1_error_code retval; + krb5_flags f; + + retval = asn1_decode_krb5_flags(buf, &f); + if (retval) + return retval; + #ifdef BACKWARD_BITMASK_COMPAT - if (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0)) + if (asn1_always_reverse || (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0))) #endif f = (asn1_swbits[(f & 0xff)] << 24) | (asn1_swbits[(f >> 8) & 0xff] << 16) | (asn1_swbits[(f >> 16) & 0xff] << 8) | asn1_swbits[(f >> 24) & 0xff]; 
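Review bot: The warning added to the header comment says vendors should not define BACKWARD_BITMASK_COMPAT, but the `#define BACKWARD_BITMASK_COMPAT` directly below it stays unconditional. Every build of this file therefore gets the heuristic flag decoding and the proxiable/renewable breakage the comment describes. Making it opt-in, for example by changing the line to `/* #define BACKWARD_BITMASK_COMPAT */` and letting sites enable it from the build, would match the stated intent. `asn1_always_reverse` is added as a writable global with external linkage and no comment; a line such as `/* nonzero: always bit-reverse decoded flags, bypassing the Beta 4 heuristic */` would tell callers what setting it does. An `extern` declaration for it in a header would also help, as none is visible in this patch.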
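Review bot: The reversal `asn1_swbits[(f & 0xff)] << 24` in asn1_decode_ticket_flags can shift a set bit into the sign position, which is undefined for a signed operand. That holds unless asn1_swbits has an unsigned 32-bit element type; its declaration is outside the hunk. The same expression and the `asn1_always_reverse || ...` test are copied into asn1_decode_ap_options and asn1_decode_kdc_options in the next hunk, so this applies there too. I would move the reversal into one static helper that widens each table lookup to unsigned before shifting, and call it from all three decoders. In the sketch below, krb5_ui_4 stands for whatever unsigned 32-bit typedef the tree provides. The closing lines of asn1_decode_ticket_flags fall outside this hunk.

```c
/* Reverse the bit order of a 32-bit flags word.  Each table lookup is
 * widened to unsigned before shifting so no bit reaches the sign. */
static krb5_flags asn1_reverse_flags(f)
    krb5_flags f;
{
    krb5_ui_4 u = (krb5_ui_4) f;

    return (krb5_flags) (((krb5_ui_4) asn1_swbits[u & 0xff] << 24) |
			 ((krb5_ui_4) asn1_swbits[(u >> 8) & 0xff] << 16) |
			 ((krb5_ui_4) asn1_swbits[(u >> 16) & 0xff] << 8) |
			 (krb5_ui_4) asn1_swbits[(u >> 24) & 0xff]);
}

/* … unchanged: asn1_decode_ticket_flags up to the compat test … */
#ifdef BACKWARD_BITMASK_COMPAT
    if (asn1_always_reverse || (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0)))
#endif
	f = asn1_reverse_flags(f);
```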
@@ -362,20 +386,82 @@ asn1_error_code asn1_decode_krb5_flags(buf, val) return 0; } -asn1_error_code asn1_decode_ticket_flags(buf, val) - asn1buf * buf; - krb5_flags * val; -{ return asn1_decode_krb5_flags(buf,val); } - asn1_error_code asn1_decode_ap_options(buf, val) asn1buf * buf; krb5_flags * val; -{ return asn1_decode_krb5_flags(buf,val); } +{ + asn1_error_code retval; + krb5_flags f; + + retval = asn1_decode_krb5_flags(buf, &f); + if (retval) + return retval; + +#ifdef BACKWARD_BITMASK_COMPAT + if (asn1_always_reverse || (((f & 0xFFFF0000) == 0) && ((f & 0xFFFF) != 0))) +#endif + f = (asn1_swbits[(f & 0xff)] << 24) | (asn1_swbits[(f >> 8) & 0xff] << 16) | + (asn1_swbits[(f >> 16) & 0xff] << 8) | asn1_swbits[(f >> 24) & 0xff]; + + *val = f; + return 0; +} + + +#ifdef BACKWARD_BITMASK_COMPAT +#define VALID_KDC_FLAGS (KDC_OPT_FORWARDABLE | KDC_OPT_FORWARDED | \ + KDC_OPT_PROXIABLE | KDC_OPT_PROXY | \ + KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \ + KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK | \ + KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | \ + KDC_OPT_VALIDATE) +#endif asn1_error_code asn1_decode_kdc_options(buf, val) asn1buf * buf; krb5_flags * val; -{ return asn1_decode_krb5_flags(buf,val); } +{ + asn1_error_code retval; + krb5_flags f; +#ifdef BACKWARD_BITMASK_COMPAT + krb5_flags r; +#endif + + retval = asn1_decode_krb5_flags(buf, &f); + if (retval) + return retval; + +#ifdef BACKWARD_BITMASK_COMPAT + + r = ((asn1_swbits[(f & 0xff)] << 24) | + (asn1_swbits[(f >> 8) & 0xff] << 16) | + (asn1_swbits[(f >> 16) & 0xff] << 8) | + asn1_swbits[(f >> 24) & 0xff]); + + if (asn1_always_reverse) + *val = r; + else if (((f & ~VALID_KDC_FLAGS) == 0) && + ((r & ~VALID_KDC_FLAGS) != 0)) + *val = f; + else if (((r & ~VALID_KDC_FLAGS) == 0) && + ((f & ~VALID_KDC_FLAGS) != 0)) + *val = r; + else if (f & (KDC_OPT_FORWARDABLE| + KDC_OPT_FORWARDED| + KDC_OPT_ENC_TKT_IN_SKEY)) + *val = f; + else + *val = r; +#else + f = ((asn1_swbits[(f & 0xff)] << 24) | + (asn1_swbits[(f >> 8) & 0xff] 
<< 16) | + (asn1_swbits[(f >> 16) & 0xff] << 8) | + asn1_swbits[(f >> 24) & 0xff]); + + *val = f; +#endif + return 0; +} asn1_error_code asn1_decode_transited_encoding(buf, val) asn1buf * buf; -- 2.26.2
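Review bot: The `else if` chain in asn1_decode_kdc_options chooses between the raw word `f` and its reversal `r` by guessing. When both or neither fit VALID_KDC_FLAGS, the result depends only on `f & (KDC_OPT_FORWARDABLE|KDC_OPT_FORWARDED|KDC_OPT_ENC_TKT_IN_SKEY)`, so a request can be decoded into options its sender did not set. These options arrive off the wire and presumably steer what the KDC issues. The chain therefore needs a comment above it stating the order of preference, which combinations are known to be misread (the commit message names proxy and renewable tickets), and that an all-zero word falls through to `*val = r`. VALID_KDC_FLAGS is a hand-maintained list, so I would add `/* keep in sync with the KDC_OPT_* definitions; an option missing here counts as invalid */` next to it.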