From e2ae7095158c1e77655826152bbfa6f5259bfe08 Mon Sep 17 00:00:00 2001 From: Chris Provenzano Date: Mon, 1 May 1995 20:49:56 +0000 Subject: [PATCH] * auth_con.c (krb5_auth_con_free()) : Free all the data associated with the auth_context. * auth_con.c (krb5_auth_con_setkey()) : Removed. * mk_rep.c (mk_rep()), The krb5_mk_rep() routine must always encode the data in the keyblock of the ticket, not the subkey. * cleanup.h, auth_con.c (krb5_auth_con_setports()) : Added. * auth_con.h, mk_cred.c (mk_cred()), mk_priv.c (mk_priv()), * mk_safe.c (mk_safe()), rd_cred.c (rd_cred()), * rd_priv.c (rd_priv()), rd_safe.c (rd_safe()) : Changes to auth_context to better support full addresses. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5677 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/ChangeLog | 16 ++++++++++ src/lib/krb5/krb/auth_con.c | 56 ++++++++++++++++++++++++++++++---- src/lib/krb5/krb/auth_con.h | 2 ++ src/lib/krb5/krb/cleanup.h | 29 ++++++++++++++++++ src/lib/krb5/krb/mk_cred.c | 61 +++++++++++++++++++++++++++++++++---- src/lib/krb5/krb/mk_priv.c | 39 ++++++++++++++++++++++-- src/lib/krb5/krb/mk_rep.c | 12 ++------ src/lib/krb5/krb/mk_safe.c | 42 ++++++++++++++++++++++--- src/lib/krb5/krb/rd_cred.c | 39 ++++++++++++++++++++++-- src/lib/krb5/krb/rd_priv.c | 42 ++++++++++++++++++++++--- src/lib/krb5/krb/rd_rep.c | 8 +---- src/lib/krb5/krb/rd_safe.c | 42 ++++++++++++++++++++++--- 12 files changed, 343 insertions(+), 45 deletions(-) create mode 100644 src/lib/krb5/krb/cleanup.h diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 665724bea..b800ef32c 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,19 @@ +Mon May 01 15:56:32 1995 Chris Provenzano (proven@mit.edu) + + * auth_con.c (krb5_auth_con_free()) : + Free all the data associated with the auth_context. + + * auth_con.c (krb5_auth_con_setkey()) : Removed. + * mk_rep.c (mk_rep()), + The krb5_mk_rep() routine must always encode the data in + the keyblock of the ticket, not the subkey. + + * cleanup.h, auth_con.c (krb5_auth_con_setports()) : Added. + * auth_con.h, mk_cred.c (mk_cred()), mk_priv.c (mk_priv()), + * mk_safe.c (mk_safe()), rd_cred.c (rd_cred()), + * rd_priv.c (rd_priv()), rd_safe.c (rd_safe()) : + Changes to auth_context to better support full addresses. + Sat Apr 29 00:09:40 1995 Theodore Y. Ts'o * srv_rcache.c (krb5_get_server_rcache): Fix fencepost error which diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index bcde9c2a8..f96052560 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -26,6 +26,14 @@ krb5_auth_con_free(context, auth_context) krb5_context context; krb5_auth_context * auth_context; { + if (auth_context->local_addr) + free(auth_context->local_addr); + if (auth_context->remote_addr) + free(auth_context->remote_addr); + if (auth_context->local_port) + free(auth_context->local_port); + if (auth_context->remote_port) + free(auth_context->remote_port); if (auth_context->authentp) krb5_free_authenticator(context, auth_context->authentp); if (auth_context->keyblock) @@ -132,18 +140,54 @@ krb5_auth_con_getaddrs(context, auth_context, local_addr, remote_addr) return 0 ; } -/* XXX this call is a hack. Fixed when I do the servers. */ krb5_error_code -krb5_auth_con_setkey(context, auth_context, keyblock) +krb5_auth_con_setports(context, auth_context, local_port, remote_port) krb5_context context; krb5_auth_context * auth_context; - krb5_keyblock * keyblock; + krb5_address * local_port; + krb5_address * remote_port; { - if (auth_context->keyblock) - krb5_free_keyblock(context, auth_context->keyblock); - return(krb5_copy_keyblock(context, keyblock, &(auth_context->keyblock))); + /* Free old addresses */ + if (auth_context->local_port) + free(auth_context->local_port); + if (auth_context->remote_port) + free(auth_context->remote_port); + + if (local_port) { + if ((auth_context->local_port = (krb5_address *) + malloc(sizeof(krb5_address) + local_port->length)) == NULL) { + return ENOMEM; + } + auth_context->local_port->addrtype = local_port->addrtype; + auth_context->local_port->length = local_port->length; + auth_context->local_port->contents = (krb5_octet *) + auth_context->local_port + sizeof(krb5_address); + memcpy(auth_context->local_port->contents, + local_port->contents, local_port->length); + } else { + auth_context->local_port = NULL; + } + + if (remote_port) { + if ((auth_context->remote_port = (krb5_address *) + malloc(sizeof(krb5_address) + remote_port->length)) == NULL) { + if (auth_context->local_port) + free(auth_context->local_port); + return ENOMEM; + } + auth_context->remote_port->addrtype = remote_port->addrtype; + auth_context->remote_port->length = remote_port->length; + auth_context->remote_port->contents = (krb5_octet *) + auth_context->remote_port + sizeof(krb5_address); + memcpy(auth_context->remote_port->contents, + remote_port->contents, remote_port->length); + } else { + auth_context->remote_port = NULL; + } + return 0; } + /* * This function overloads the keyblock field. It is only useful prior to * a krb5_rd_req_decode() call for user to user authentication where the diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h index 2188f742d..b1e596051 100644 --- a/src/lib/krb5/krb/auth_con.h +++ b/src/lib/krb5/krb/auth_con.h @@ -4,7 +4,9 @@ struct _krb5_auth_context { krb5_address * remote_addr; + krb5_address * remote_port; krb5_address * local_addr; + krb5_address * local_port; krb5_keyblock * keyblock; krb5_keyblock * local_subkey; krb5_keyblock * remote_subkey; diff --git a/src/lib/krb5/krb/cleanup.h b/src/lib/krb5/krb/cleanup.h new file mode 100644 index 000000000..953649712 --- /dev/null +++ b/src/lib/krb5/krb/cleanup.h @@ -0,0 +1,29 @@ + +#ifndef KRB5_CLEANUP +#define KRB5_CLEANUP + +struct cleanup { + void * arg; + void (*func)(); +}; + +#define CLEANUP_INIT(x) \ + struct cleanup cleanup_data[x]; \ + int cleanup_count = 0; + +#define CLEANUP_PUSH(x, y) \ + cleanup_data[cleanup_count].arg = x; \ + cleanup_data[cleanup_count].func = y; \ + cleanup_count++; + +#define CLEANUP_POP(x) \ + if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \ + cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg); + +#define CLEANUP_DONE() \ + while(cleanup_count--) \ + if (cleanup_data[cleanup_count].func) \ + cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg); + + +#endif diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 5fbd63f39..3970ddb5e 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -8,6 +8,21 @@ * * MODIFIED * $Log$ + * Revision 5.10 1995/05/01 20:49:45 proven + * * auth_con.c (krb5_auth_con_free()) : + * Free all the data associated with the auth_context. + * + * * auth_con.c (krb5_auth_con_setkey()) : Removed. + * * mk_rep.c (mk_rep()), + * The krb5_mk_rep() routine must always encode the data in + * the keyblock of the ticket, not the subkey. + * + * * cleanup.h, auth_con.c (krb5_auth_con_setports()) : Added. + * * auth_con.h, mk_cred.c (mk_cred()), mk_priv.c (mk_priv()), + * * mk_safe.c (mk_safe()), rd_cred.c (rd_cred()), + * * rd_priv.c (rd_priv()), rd_safe.c (rd_safe()) : + * Changes to auth_context to better support full addresses. + * * Revision 5.9 1995/04/28 01:18:18 keithv * Fixes so that the Unix changes no longer breaks on the PC. * @@ -36,6 +51,7 @@ * */ #include +#include "cleanup.h" #include "auth_con.h" #include /* NULL */ @@ -285,18 +301,51 @@ krb5_mk_ncred(context, auth_context, ppcreds, ppdata, outdata) } } +{ + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, &local_fulladdr))) { + CLEANUP_PUSH(&local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + goto error; + } + } + + if (auth_context->remote_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->remote_addr, + auth_context->remote_port, &remote_fulladdr))){ + CLEANUP_PUSH(&remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + goto error; + } + } + /* Setup creds structure */ if (retval = krb5_mk_ncred_basic(context, ppcreds, ncred, keyblock, - &replaydata, auth_context->local_addr, - auth_context->remote_addr, pcred)) - goto cleanup_tickets; + &replaydata, plocal_fulladdr, + premote_fulladdr, pcred)) { + CLEANUP_DONE(); + goto error; + } + + CLEANUP_DONE(); +} if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; if (retval = krb5_gen_replay_name(context, auth_context->local_addr, "_forw", &replay.client)) - goto cleanup_tickets; + goto error; replay.server = ""; /* XXX */ replay.cusec = replaydata.usec; @@ -304,7 +353,7 @@ krb5_mk_ncred(context, auth_context, ppcreds, ppdata, outdata) if (retval = krb5_rc_store(context, auth_context->rcache, &replay)) { /* should we really error out here? XXX */ krb5_xfree(replay.client); - goto cleanup_tickets; + goto error; } krb5_xfree(replay.client); } @@ -312,7 +361,7 @@ krb5_mk_ncred(context, auth_context, ppcreds, ppdata, outdata) /* Encode creds structure */ retval = encode_krb5_cred(pcred, ppdata); -cleanup_tickets: +error: if (retval) { if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 9effca0e8..003644768 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -25,6 +25,7 @@ */ #include "k5-int.h" +#include "cleanup.h" #include "auth_con.h" static krb5_error_code @@ -184,11 +185,43 @@ krb5_mk_priv(context, auth_context, userdata, outbuf, outdata) } } +{ + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, &local_fulladdr))){ + CLEANUP_PUSH(&local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + goto error; + } + } + + if (auth_context->remote_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->remote_addr, + auth_context->remote_port, &remote_fulladdr))){ + CLEANUP_PUSH(&remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + goto error; + } + } + if (retval = krb5_mk_priv_basic(context, userdata, keyblock, &replaydata, - auth_context->local_addr, - auth_context->remote_addr, - auth_context->i_vector, outbuf)) + plocal_fulladdr, premote_fulladdr, + auth_context->i_vector, outbuf)) { + CLEANUP_DONE(); goto error; + } + + CLEANUP_DONE(); +} if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index 9d5e81e2e..fcd231e63 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -43,7 +43,6 @@ krb5_mk_rep(context, auth_context, outbuf) krb5_data * outbuf; { krb5_error_code retval; - krb5_keyblock * keyblock; krb5_keytype keytype; krb5_enctype etype; krb5_ap_rep_enc_part repl; @@ -52,13 +51,8 @@ krb5_mk_rep(context, auth_context, outbuf) krb5_data * scratch; krb5_data * toutbuf; - if (auth_context->remote_subkey) - keyblock = auth_context->remote_subkey; - else - keyblock = auth_context->keyblock; - /* verify a valid etype is available */ - if (!valid_keytype(keytype = keyblock->keytype)) + if (!valid_keytype(keytype = auth_context->keyblock->keytype)) return KRB5_PROG_KEYTYPE_NOSUPP; etype = krb5_keytype_array[keytype]->system->proto_enctype; @@ -70,7 +64,7 @@ krb5_mk_rep(context, auth_context, outbuf) if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && (auth_context->local_seq_number == 0)) { - if (retval = krb5_generate_seq_number(context, keyblock, + if (retval = krb5_generate_seq_number(context, auth_context->keyblock, &auth_context->local_seq_number)) return(retval); } @@ -107,7 +101,7 @@ krb5_mk_rep(context, auth_context, outbuf) } /* do any necessary key pre-processing */ - if (retval = krb5_process_key(context, &eblock, keyblock)) + if (retval = krb5_process_key(context, &eblock, auth_context->keyblock)) goto cleanup_encpart; /* call the encryption routine */ diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 29eac3ee3..06c002209 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -24,7 +24,8 @@ * krb5_mk_safe() */ -#include "k5-int.h" +#include +#include "cleanup.h" #include "auth_con.h" /* @@ -166,11 +167,44 @@ krb5_mk_safe(context, auth_context, userdata, outbuf, outdata) } } +{ + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, &local_fulladdr))){ + CLEANUP_PUSH(&local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + goto error; + } + } + + if (auth_context->remote_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->remote_addr, + auth_context->remote_port, &remote_fulladdr))){ + CLEANUP_PUSH(&remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + goto error; + } + } + if (retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, - auth_context->local_addr, - auth_context->remote_addr, - auth_context->cksumtype, outbuf)) + plocal_fulladdr, premote_fulladdr, + auth_context->cksumtype, outbuf)) { + CLEANUP_DONE(); goto error; + } + + CLEANUP_DONE(); +} if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index f221d9a2e..8e18a30a2 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -1,4 +1,5 @@ #include +#include "cleanup.h" #include "auth_con.h" #include /* NULL */ @@ -232,10 +233,44 @@ krb5_rd_cred(context, auth_context, pcreddata, pppcreds, outdata) (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; +{ + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, &local_fulladdr))){ + CLEANUP_PUSH(&local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + return retval; + } + } + + if (auth_context->remote_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->remote_addr, + auth_context->remote_port, &remote_fulladdr))){ + CLEANUP_PUSH(&remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + return retval; + } + } + if (retval = krb5_rd_cred_basic(context, pcreddata, keyblock, - auth_context->local_addr, auth_context->remote_addr, - &replaydata, pppcreds)) + plocal_fulladdr, premote_fulladdr, + &replaydata, pppcreds)) { + CLEANUP_DONE(); return retval; + } + + CLEANUP_DONE(); +} + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index ad221c845..4c73bf827 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -24,7 +24,8 @@ * krb5_rd_priv() */ -#include "k5-int.h" +#include +#include "cleanup.h" #include "auth_con.h" extern krb5_deltat krb5_clockskew; @@ -197,10 +198,43 @@ krb5_rd_priv(context, auth_context, inbuf, outbuf, outdata) (auth_context->rcache == NULL)) return KRB5_RC_REQUIRED; - if (retval = krb5_rd_priv_basic(context, inbuf, keyblock, - auth_context->local_addr, auth_context->remote_addr, - auth_context->i_vector, &replaydata, outbuf)) +{ + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, &local_fulladdr))){ + CLEANUP_PUSH(&local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + return retval; + } + } + + if (auth_context->remote_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->remote_addr, + auth_context->remote_port, &remote_fulladdr))){ + CLEANUP_PUSH(&remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + return retval; + } + } + + if (retval = krb5_rd_priv_basic(context, inbuf, keyblock, plocal_fulladdr, + premote_fulladdr, auth_context->i_vector, + &replaydata, outbuf)) { + CLEANUP_DONE(); return retval; + } + + CLEANUP_DONE(); +} if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 8ae69eb02..bc253e2d9 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -47,7 +47,6 @@ krb5_rd_rep(context, auth_context, inbuf, repl) { krb5_error_code retval; krb5_ap_rep * reply; - krb5_keyblock * keyblock; krb5_encrypt_block eblock; krb5_data scratch; @@ -73,13 +72,8 @@ krb5_rd_rep(context, auth_context, inbuf, repl) return(ENOMEM); } - if (auth_context->local_subkey) - keyblock = auth_context->local_subkey; - else - keyblock = auth_context->keyblock; - /* do any necessary key pre-processing */ - if (retval = krb5_process_key(context, &eblock, keyblock)) { + if (retval = krb5_process_key(context, &eblock, auth_context->keyblock)) { goto errout; } diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 2f3f54471..196f05be2 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -24,7 +24,8 @@ * krb5_rd_safe() */ -#include "k5-int.h" +#include +#include "cleanup.h" #include "auth_con.h" extern krb5_deltat krb5_clockskew; @@ -188,10 +189,43 @@ krb5_rd_safe(context, auth_context, inbuf, outbuf, outdata) if ((keyblock = auth_context->remote_subkey) == NULL) keyblock = auth_context->keyblock; - if (retval = krb5_rd_safe_basic(context, inbuf, keyblock, - auth_context->local_addr, auth_context->remote_addr, - &replaydata, outbuf)) +{ + krb5_address * premote_fulladdr = NULL; + krb5_address * plocal_fulladdr = NULL; + krb5_address remote_fulladdr; + krb5_address local_fulladdr; + CLEANUP_INIT(2); + + if (auth_context->local_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr, + auth_context->local_port, &local_fulladdr))){ + CLEANUP_PUSH(&local_fulladdr.contents, free); + plocal_fulladdr = &local_fulladdr; + } else { + return retval; + } + } + + if (auth_context->remote_addr) { + if (!(retval = krb5_make_fulladdr(context, auth_context->remote_addr, + auth_context->remote_port, &remote_fulladdr))){ + CLEANUP_PUSH(&remote_fulladdr.contents, free); + premote_fulladdr = &remote_fulladdr; + } else { + CLEANUP_DONE(); + return retval; + } + } + + if (retval = krb5_rd_safe_basic(context, inbuf, keyblock, plocal_fulladdr, + premote_fulladdr, &replaydata, outbuf)) { + CLEANUP_DONE(); return retval; + } + + CLEANUP_DONE(); +} + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) { krb5_donot_replay replay; -- 2.26.2