Allow rd_priv/rd_safe without remote address

Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote
address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES
flag is set (in which case we need the remote address for the replay
cache name).  Note that failing to set the remote address can create a
vulnerability to reflection attacks in some protocols, although it is
fairly easy to defend against--either use sequence numbers, or make
sure that requests don't look like replies, or both.

ticket: 6978

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25355 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/privsafe.c b/src/lib/krb5/krb/privsafe.c
index 405a24211f94cba22b89602f67b0dbe16518abe5..264b07684eed842d695ef75ca3ff88b9f2fd73db 100644 (file)
--- a/src/lib/krb5/krb/privsafe.c
+++ b/src/lib/krb5/krb/privsafe.c
@@ -208,14 +208,17 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac,
     local_fulladdr.contents = remote_fulladdr.contents = NULL;
 
     /* Determine the remote comparison address. */
-    if (ac->remote_port != NULL) {
-        ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port,
-                                 &remote_fulladdr);
-        if (ret)
-            goto cleanup;
-        remote_addr = &remote_fulladdr;
+    if (ac->remote_addr != NULL) {
+        if (ac->remote_port != NULL) {
+            ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port,
+                                     &remote_fulladdr);
+            if (ret)
+                goto cleanup;
+            remote_addr = &remote_fulladdr;
+        } else
+            remote_addr = ac->remote_addr;
     } else
-        remote_addr = ac->remote_addr;
+        remote_addr = NULL;
 
     /* Determine the local comparison address (possibly NULL). */
     if (ac->local_addr != NULL) {
@@ -231,7 +234,8 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac,
         local_addr = NULL;
 
     /* Check the remote address against the message's sender address. */
-    if (!krb5_address_compare(context, remote_addr, msg_s_addr)) {
+    if (remote_addr != NULL &&
+        !krb5_address_compare(context, remote_addr, msg_s_addr)) {
         ret = KRB5KRB_AP_ERR_BADADDR;
         goto cleanup;
     }

diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 831f25807577c13ae4afdbaf0dccfb97c3fb5cc4..93259680e83c0995652f951a58d640da2d649466 100644 (file)
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -133,7 +133,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
         /* Need a better error */
         return KRB5_RC_REQUIRED;
 
-    if (!auth_context->remote_addr)
+    if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+        (auth_context->remote_addr == NULL))
         return KRB5_REMOTE_ADDR_REQUIRED;
 
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&

diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index e12148911bb27aadddc96f2858b6c14b824cdb41..c879f331f6224941fe3a9f5e8e38082348a50f11 100644 (file)
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -145,13 +145,14 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
         /* Need a better error */
         return KRB5_RC_REQUIRED;
 
+    if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+        (auth_context->remote_addr == NULL))
+        return KRB5_REMOTE_ADDR_REQUIRED;
+
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
         (auth_context->rcache == NULL))
         return KRB5_RC_REQUIRED;
 
-    if (!auth_context->remote_addr)
-        return KRB5_REMOTE_ADDR_REQUIRED;
-
     /* Get key */
     if ((key = auth_context->recv_subkey) == NULL)
         key = auth_context->key;