[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: KRB_AUTH_CONTEXT_* flags
Thomas Anders <thomas.anders@blue-cable.de> writes:
> Are they deprecated?
More likely just never implemented. You can try this patch. There may
be some fallout, because of the somewhat unclear semantics of these
flags.
Remove krb5-protos.h and krb5-private.h from lib/krb5, and run make
(requires perl).
/Johan
--- build_auth.c 2002/09/04 16:26:04 1.38
+++ build_auth.c 2003/04/25 18:27:38
@@ -75,6 +75,7 @@
goto fail;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+ if(auth_context->local_seqnumber == 0)
krb5_generate_seq_number (context,
&cred->session,
&auth_context->local_seqnumber);
--- mk_priv.c 2002/09/04 16:26:04 1.31
+++ mk_priv.c 2003/04/25 18:27:38
@@ -41,7 +41,7 @@
krb5_auth_context auth_context,
const krb5_data *userdata,
krb5_data *outbuf,
- /*krb5_replay_data*/ void *outdata)
+ krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_PRIV s;
@@ -49,13 +49,16 @@
u_char *buf;
size_t buf_size;
size_t len;
- u_int32_t tmp_seq;
krb5_keyblock *key;
int32_t sec, usec;
- KerberosTime sec2;
- int usec2;
krb5_crypto crypto;
+ krb5_replay_data rdata;
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ outdata == NULL)
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
if (auth_context->local_subkey)
key = auth_context->local_subkey;
else if (auth_context->remote_subkey)
@@ -63,20 +66,36 @@
else
key = auth_context->keyblock;
- krb5_us_timeofday (context, &sec, &usec);
+ memset(&rdata, 0, sizeof(rdata));
part.user_data = *userdata;
- sec2 = sec;
- part.timestamp = &sec2;
- usec2 = usec;
- part.usec = &usec2;
- if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- tmp_seq = auth_context->local_seqnumber;
- part.seq_number = &tmp_seq;
+
+ krb5_us_timeofday (context, &sec, &usec);
+ rdata.timestamp = sec;
+ rdata.usec = usec;
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ part.timestamp = &rdata.timestamp;
+ part.usec = &rdata.usec;
} else {
- part.seq_number = NULL;
+ part.timestamp = NULL;
+ part.usec = NULL;
}
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+ outdata->timestamp = rdata.timestamp;
+ outdata->usec = rdata.usec;
+ }
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+ rdata.seq = auth_context->local_seqnumber;
+ part.seq_number = &rdata.seq;
+ } else
+ part.seq_number = NULL;
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+ outdata->seq = auth_context->local_seqnumber;
+
part.s_address = auth_context->local_address;
part.r_address = auth_context->remote_address;
--- mk_rep.c 2003/03/17 06:54:37 1.20.2.1
+++ mk_rep.c 2003/04/25 18:27:38
@@ -57,6 +57,7 @@
body.cusec = auth_context->authenticator->cusec;
body.subkey = NULL;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+ if(auth_context->local_seqnumber == 0)
krb5_generate_seq_number (context,
auth_context->keyblock,
&auth_context->local_seqnumber);
--- mk_safe.c 2002/09/04 16:26:05 1.28
+++ mk_safe.c 2003/04/25 18:27:38
@@ -40,20 +40,23 @@
krb5_auth_context auth_context,
const krb5_data *userdata,
krb5_data *outbuf,
- /*krb5_replay_data*/ void *outdata)
+ krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_SAFE s;
int32_t sec, usec;
- KerberosTime sec2;
- int usec2;
u_char *buf = NULL;
size_t buf_size;
size_t len;
- u_int32_t tmp_seq;
krb5_crypto crypto;
krb5_keyblock *key;
+ krb5_replay_data rdata;
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ outdata == NULL)
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
if (auth_context->local_subkey)
key = auth_context->local_subkey;
else if (auth_context->remote_subkey)
@@ -64,19 +67,36 @@
s.pvno = 5;
s.msg_type = krb_safe;
+ memset(&rdata, 0, sizeof(rdata));
+
s.safe_body.user_data = *userdata;
+
krb5_us_timeofday (context, &sec, &usec);
+ rdata.timestamp = sec;
+ rdata.usec = usec;
- sec2 = sec;
- s.safe_body.timestamp = &sec2;
- usec2 = usec2;
- s.safe_body.usec = &usec2;
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ s.safe_body.timestamp = &rdata.timestamp;
+ s.safe_body.usec = &rdata.usec;
+ } else {
+ s.safe_body.timestamp = NULL;
+ s.safe_body.usec = NULL;
+ }
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+ outdata->timestamp = rdata.timestamp;
+ outdata->usec = rdata.usec;
+ }
+
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- tmp_seq = auth_context->local_seqnumber;
- s.safe_body.seq_number = &tmp_seq;
+ rdata.seq = auth_context->local_seqnumber;
+ s.safe_body.seq_number = &rdata.seq;
} else
s.safe_body.seq_number = NULL;
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+ outdata->seq = auth_context->local_seqnumber;
+
s.safe_body.s_address = auth_context->local_address;
s.safe_body.r_address = auth_context->remote_address;
--- rd_cred.c 2002/09/04 16:26:05 1.18
+++ rd_cred.c 2003/04/25 18:27:38
@@ -40,7 +40,7 @@
krb5_auth_context auth_context,
krb5_data *in_data,
krb5_creds ***ret_creds,
- krb5_replay_data *out_data)
+ krb5_replay_data *outdata)
{
krb5_error_code ret;
size_t len;
@@ -50,6 +50,11 @@
krb5_crypto crypto;
int i;
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ outdata == NULL)
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
*ret_creds = NULL;
ret = decode_KRB_CRED(in_data->data, in_data->length,
@@ -185,19 +190,17 @@
}
}
- if(out_data != NULL) {
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+ /* if these fields are not present in the cred-part, silently
+ return zero */
+ memset(outdata, 0, sizeof(*outdata));
if(enc_krb_cred_part.timestamp)
- out_data->timestamp = *enc_krb_cred_part.timestamp;
- else
- out_data->timestamp = 0;
+ outdata->timestamp = *enc_krb_cred_part.timestamp;
if(enc_krb_cred_part.usec)
- out_data->usec = *enc_krb_cred_part.usec;
- else
- out_data->usec = 0;
+ outdata->usec = *enc_krb_cred_part.usec;
if(enc_krb_cred_part.nonce)
- out_data->seq = *enc_krb_cred_part.nonce;
- else
- out_data->seq = 0;
+ outdata->seq = *enc_krb_cred_part.nonce;
}
/* Convert to NULL terminated list of creds */
--- rd_priv.c 2001/06/18 02:46:15 1.29
+++ rd_priv.c 2003/04/25 18:27:38
@@ -40,7 +40,7 @@
krb5_auth_context auth_context,
const krb5_data *inbuf,
krb5_data *outbuf,
- /*krb5_replay_data*/ void *outdata)
+ krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_PRIV priv;
@@ -50,6 +50,11 @@
krb5_keyblock *key;
krb5_crypto crypto;
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ outdata == NULL)
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
memset(&priv, 0, sizeof(priv));
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
if (ret)
@@ -149,9 +154,18 @@
if (ret)
goto failure_part;
- free_EncKrbPrivPart (&part);
- free_KRB_PRIV (&priv);
- return 0;
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+ /* if these fields are not present in the priv-part, silently
+ return zero */
+ memset(outdata, 0, sizeof(*outdata));
+ if(part.timestamp)
+ outdata->timestamp = *part.timestamp;
+ if(part.usec)
+ outdata->usec = *part.usec;
+ if(part.seq_number)
+ outdata->seq = *part.seq_number;
+ }
failure_part:
free_EncKrbPrivPart (&part);
--- rd_safe.c 2002/09/04 16:26:05 1.27
+++ rd_safe.c 2003/04/25 18:27:38
@@ -87,12 +87,19 @@
krb5_auth_context auth_context,
const krb5_data *inbuf,
krb5_data *outbuf,
- /*krb5_replay_data*/ void *outdata)
+ krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_SAFE safe;
size_t len;
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ outdata == NULL) {
+ krb5_set_error_string(context, "rd_safe: need outdata to return data");
+ return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+ }
+
ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
if (ret)
return ret;
@@ -182,8 +189,20 @@
goto failure;
}
memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
- free_KRB_SAFE (&safe);
- return 0;
+
+ if ((auth_context->flags &
+ (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+ /* if these fields are not present in the safe-part, silently
+ return zero */
+ memset(outdata, 0, sizeof(*outdata));
+ if(safe.safe_body.timestamp)
+ outdata->timestamp = *safe.safe_body.timestamp;
+ if(safe.safe_body.usec)
+ outdata->usec = *safe.safe_body.usec;
+ if(safe.safe_body.seq_number)
+ outdata->seq = *safe.safe_body.seq_number;
+ }
+
failure:
free_KRB_SAFE (&safe);
return ret;