From 9814cbf248691e1db1088f34fe648715db503574 Mon Sep 17 00:00:00 2001 From: John Kohl Date: Tue, 11 Sep 1990 16:19:16 +0000 Subject: [PATCH] add i_vector support fix direction bit support by using new style addresses git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1122 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/rd_priv.c | 81 +++++++++++++++++++++++++++++++------- 1 file changed, 66 insertions(+), 15 deletions(-) diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 00e762779..b59a90c16 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -25,16 +25,39 @@ static char rcsid_rd_priv_c[] = extern krb5_deltat krb5_clockskew; #define in_clock_skew(date) (abs((date)-currenttime) < krb5_clockskew) +/* + +Parses a KRB_PRIV message from inbuf, placing the confidential user +data in *outbuf. + +key specifies the key to be used for decryption of the message. + +sender_addr and recv_addr specify the full +addresses (host and port) of the sender and receiver. + +outbuf points to allocated storage which the caller should +free when finished. + +i_vector is used as an initialization vector for the +encryption, and if non-NULL its contents are replaced with the last +block of the encrypted data upon exit. + +Returns system errors, integrity errors. + +*/ + krb5_error_code krb5_rd_priv(DECLARG(const krb5_data *, inbuf), DECLARG(const krb5_keyblock *, key), DECLARG(const krb5_fulladdr *, sender_addr), DECLARG(const krb5_fulladdr *, recv_addr), + DECLARG(krb5_pointer, i_vector), DECLARG(krb5_data *, outbuf)) OLDDECLARG(const krb5_data *, inbuf) OLDDECLARG(const krb5_keyblock *, key) OLDDECLARG(const krb5_fulladdr *, sender_addr) OLDDECLARG(const krb5_fulladdr *, recv_addr) +OLDDECLARG(krb5_pointer, i_vector) OLDDECLARG(krb5_data *, outbuf) { krb5_error_code retval; @@ -83,13 +106,23 @@ OLDDECLARG(krb5_data *, outbuf) if (retval = (*eblock.crypto_entry->decrypt_func)((krb5_pointer) privmsg->enc_part.data, (krb5_pointer) scratch.data, - scratch.length, &eblock, 0)) { + scratch.length, &eblock, + i_vector)) { cleanup_privmsg(); cleanup_scratch(); cleanup_prockey(); return retval; } + /* if i_vector is set, fill it in with the last block of the encrypted + input */ + /* put last block into the i_vector */ + if (i_vector) + bcopy(privmsg->enc_part.data + + (privmsg->enc_part.length - eblock.crypto_entry->block_length), + i_vector, + eblock.crypto_entry->block_length); + /* private message is now decrypted -- do some cleanup */ cleanup_privmsg(); @@ -109,13 +142,6 @@ OLDDECLARG(krb5_data *, outbuf) #define cleanup_data() {(void)bzero(privmsg_enc_part->user_data.data,privmsg_enc_part->user_data.length); (void)xfree(privmsg_enc_part->user_data.data);} #define cleanup_mesg() {(void)xfree(privmsg_enc_part);} - if (sender_addr && !krb5_address_compare(sender_addr->address, - privmsg_enc_part->addresses[0])) { - cleanup_data(); - cleanup_mesg(); - return KRB5KRB_AP_ERR_BADADDR; - } - if (retval = krb5_timeofday(¤ttime)) { cleanup_data(); cleanup_mesg(); @@ -131,13 +157,38 @@ OLDDECLARG(krb5_data *, outbuf) * check with the replay cache should be inserted here !!!! */ - computed_direction = (krb5_fulladdr_order(sender_addr, recv_addr) > 0) ? - MSEC_DIRBIT : 0; - /* what if sender_addr == 0 ?????*/ - if (computed_direction != privmsg_enc_part->msec & MSEC_DIRBIT) { - cleanup_data(); - cleanup_mesg(); - return KRB5KRB_AP_ERR_REPEAT; + + if (sender_addr) { + krb5_fulladdr temp_sender; + krb5_fulladdr temp_recip; + krb5_address **our_addrs; + + if (retval = krb5_os_localaddr(&our_addrs)) { + cleanup_data(); + cleanup_mesg(); + return retval; + } + if (!krb5_address_search(privmsg_enc_part->r_address, our_addrs)) { + krb5_free_address(our_addrs); + cleanup_data(); + cleanup_mesg(); + return KRB5KRB_AP_ERR_BADADDR; + } + krb5_free_address(our_addrs); + + temp_recip = *recv_addr; + temp_recip.address = privmsg_enc_part->r_address; + + temp_sender = *sender_addr; + temp_sender.address = privmsg_enc_part->s_address; + + computed_direction = ((krb5_fulladdr_order(&temp_sender, &temp_recip) > + 0) ? MSEC_DIRBIT : 0); + if (computed_direction != (privmsg_enc_part->msec & MSEC_DIRBIT)) { + cleanup_data(); + cleanup_mesg(); + return KRB5KRB_AP_ERR_BADDIRECTION; + } } /* everything is ok - return data to the user */ -- 2.26.2