implement RET_SEQUENCE and RET_TIME
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12133 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -181,12 +181,20 @@ gets and modifies the flags for a
|
|||||||
.Nm krb5_auth_context
|
.Nm krb5_auth_context
|
||||||
structure. Possible flags to set are:
|
structure. Possible flags to set are:
|
||||||
.Bl -tag -width Ds
|
.Bl -tag -width Ds
|
||||||
.It Dv KRB5_AUTH_CONTEXT_DO_TIME
|
|
||||||
check timestamp on incoming packets.
|
|
||||||
.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
|
|
||||||
.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
|
.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
|
||||||
Generate and check sequence-number on each packet.
|
Generate and check sequence-number on each packet.
|
||||||
.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
|
.It Dv KRB5_AUTH_CONTEXT_DO_TIME
|
||||||
|
Check timestamp on incoming packets.
|
||||||
|
.It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE , Dv KRB5_AUTH_CONTEXT_RET_TIME
|
||||||
|
Return sequence numbers and time stamps in the outdata parameter of
|
||||||
|
.Xr krb5_rd_cred 3 ,
|
||||||
|
.Xr krb5_rd_priv 3 ,
|
||||||
|
.Xr krb5_rd_safe 3 ,
|
||||||
|
.Xr krb5_mk_priv 3
|
||||||
|
and
|
||||||
|
.Xr krb5_mk_safe 3 .
|
||||||
|
Setting this flag requires that parameter to be passed to these
|
||||||
|
functions.
|
||||||
.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
|
.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
|
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
|
||||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -41,20 +41,22 @@ krb5_mk_priv(krb5_context context,
|
|||||||
krb5_auth_context auth_context,
|
krb5_auth_context auth_context,
|
||||||
const krb5_data *userdata,
|
const krb5_data *userdata,
|
||||||
krb5_data *outbuf,
|
krb5_data *outbuf,
|
||||||
/*krb5_replay_data*/ void *outdata)
|
krb5_replay_data *outdata)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
KRB_PRIV s;
|
KRB_PRIV s;
|
||||||
EncKrbPrivPart part;
|
EncKrbPrivPart part;
|
||||||
u_char *buf;
|
u_char *buf = NULL;
|
||||||
size_t buf_size;
|
size_t buf_size;
|
||||||
size_t len;
|
size_t len;
|
||||||
u_int32_t tmp_seq;
|
|
||||||
krb5_keyblock *key;
|
|
||||||
int32_t sec, usec;
|
|
||||||
KerberosTime sec2;
|
|
||||||
int usec2;
|
|
||||||
krb5_crypto crypto;
|
krb5_crypto crypto;
|
||||||
|
krb5_keyblock *key;
|
||||||
|
krb5_replay_data rdata;
|
||||||
|
|
||||||
|
if ((auth_context->flags &
|
||||||
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
|
||||||
|
outdata == NULL)
|
||||||
|
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
|
||||||
|
|
||||||
if (auth_context->local_subkey)
|
if (auth_context->local_subkey)
|
||||||
key = auth_context->local_subkey;
|
key = auth_context->local_subkey;
|
||||||
@@ -63,20 +65,34 @@ krb5_mk_priv(krb5_context context,
|
|||||||
else
|
else
|
||||||
key = auth_context->keyblock;
|
key = auth_context->keyblock;
|
||||||
|
|
||||||
krb5_us_timeofday (context, &sec, &usec);
|
memset(&rdata, 0, sizeof(rdata));
|
||||||
|
|
||||||
part.user_data = *userdata;
|
part.user_data = *userdata;
|
||||||
sec2 = sec;
|
|
||||||
part.timestamp = &sec2;
|
krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec);
|
||||||
usec2 = usec;
|
|
||||||
part.usec = &usec2;
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
|
||||||
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
|
part.timestamp = &rdata.timestamp;
|
||||||
tmp_seq = auth_context->local_seqnumber;
|
part.usec = &rdata.usec;
|
||||||
part.seq_number = &tmp_seq;
|
|
||||||
} else {
|
} else {
|
||||||
part.seq_number = NULL;
|
part.timestamp = NULL;
|
||||||
|
part.usec = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
|
||||||
|
outdata->timestamp = rdata.timestamp;
|
||||||
|
outdata->usec = rdata.usec;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
|
||||||
|
rdata.seq = auth_context->local_seqnumber;
|
||||||
|
part.seq_number = &rdata.seq;
|
||||||
|
} else
|
||||||
|
part.seq_number = NULL;
|
||||||
|
|
||||||
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
|
||||||
|
outdata->seq = auth_context->local_seqnumber;
|
||||||
|
|
||||||
part.s_address = auth_context->local_address;
|
part.s_address = auth_context->local_address;
|
||||||
part.r_address = auth_context->remote_address;
|
part.r_address = auth_context->remote_address;
|
||||||
|
|
||||||
@@ -128,7 +144,7 @@ krb5_mk_priv(krb5_context context,
|
|||||||
(auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
|
(auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
free (buf);
|
free (buf);
|
||||||
krb5_data_free (&s.enc_part.cipher);
|
krb5_data_free (&s.enc_part.cipher);
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
|
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
|
||||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -40,19 +40,21 @@ krb5_mk_safe(krb5_context context,
|
|||||||
krb5_auth_context auth_context,
|
krb5_auth_context auth_context,
|
||||||
const krb5_data *userdata,
|
const krb5_data *userdata,
|
||||||
krb5_data *outbuf,
|
krb5_data *outbuf,
|
||||||
/*krb5_replay_data*/ void *outdata)
|
krb5_replay_data *outdata)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
KRB_SAFE s;
|
KRB_SAFE s;
|
||||||
int32_t sec, usec;
|
|
||||||
KerberosTime sec2;
|
|
||||||
int usec2;
|
|
||||||
u_char *buf = NULL;
|
u_char *buf = NULL;
|
||||||
size_t buf_size;
|
size_t buf_size;
|
||||||
size_t len;
|
size_t len;
|
||||||
u_int32_t tmp_seq;
|
|
||||||
krb5_crypto crypto;
|
krb5_crypto crypto;
|
||||||
krb5_keyblock *key;
|
krb5_keyblock *key;
|
||||||
|
krb5_replay_data rdata;
|
||||||
|
|
||||||
|
if ((auth_context->flags &
|
||||||
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
|
||||||
|
outdata == NULL)
|
||||||
|
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
|
||||||
|
|
||||||
if (auth_context->local_subkey)
|
if (auth_context->local_subkey)
|
||||||
key = auth_context->local_subkey;
|
key = auth_context->local_subkey;
|
||||||
@@ -64,19 +66,34 @@ krb5_mk_safe(krb5_context context,
|
|||||||
s.pvno = 5;
|
s.pvno = 5;
|
||||||
s.msg_type = krb_safe;
|
s.msg_type = krb_safe;
|
||||||
|
|
||||||
s.safe_body.user_data = *userdata;
|
memset(&rdata, 0, sizeof(rdata));
|
||||||
krb5_us_timeofday (context, &sec, &usec);
|
|
||||||
|
s.safe_body.user_data = *userdata;
|
||||||
|
|
||||||
|
krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec);
|
||||||
|
|
||||||
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
|
||||||
|
s.safe_body.timestamp = &rdata.timestamp;
|
||||||
|
s.safe_body.usec = &rdata.usec;
|
||||||
|
} else {
|
||||||
|
s.safe_body.timestamp = NULL;
|
||||||
|
s.safe_body.usec = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
|
||||||
|
outdata->timestamp = rdata.timestamp;
|
||||||
|
outdata->usec = rdata.usec;
|
||||||
|
}
|
||||||
|
|
||||||
sec2 = sec;
|
|
||||||
s.safe_body.timestamp = &sec2;
|
|
||||||
usec2 = usec2;
|
|
||||||
s.safe_body.usec = &usec2;
|
|
||||||
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
|
||||||
tmp_seq = auth_context->local_seqnumber;
|
rdata.seq = auth_context->local_seqnumber;
|
||||||
s.safe_body.seq_number = &tmp_seq;
|
s.safe_body.seq_number = &rdata.seq;
|
||||||
} else
|
} else
|
||||||
s.safe_body.seq_number = NULL;
|
s.safe_body.seq_number = NULL;
|
||||||
|
|
||||||
|
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
|
||||||
|
outdata->seq = auth_context->local_seqnumber;
|
||||||
|
|
||||||
s.safe_body.s_address = auth_context->local_address;
|
s.safe_body.s_address = auth_context->local_address;
|
||||||
s.safe_body.r_address = auth_context->remote_address;
|
s.safe_body.r_address = auth_context->remote_address;
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
|
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
|
||||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -40,7 +40,7 @@ krb5_rd_cred(krb5_context context,
|
|||||||
krb5_auth_context auth_context,
|
krb5_auth_context auth_context,
|
||||||
krb5_data *in_data,
|
krb5_data *in_data,
|
||||||
krb5_creds ***ret_creds,
|
krb5_creds ***ret_creds,
|
||||||
krb5_replay_data *out_data)
|
krb5_replay_data *outdata)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
size_t len;
|
size_t len;
|
||||||
@@ -50,6 +50,11 @@ krb5_rd_cred(krb5_context context,
|
|||||||
krb5_crypto crypto;
|
krb5_crypto crypto;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
if ((auth_context->flags &
|
||||||
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
|
||||||
|
outdata == NULL)
|
||||||
|
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
|
||||||
|
|
||||||
*ret_creds = NULL;
|
*ret_creds = NULL;
|
||||||
|
|
||||||
ret = decode_KRB_CRED(in_data->data, in_data->length,
|
ret = decode_KRB_CRED(in_data->data, in_data->length,
|
||||||
@@ -185,19 +190,17 @@ krb5_rd_cred(krb5_context context,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(out_data != NULL) {
|
if ((auth_context->flags &
|
||||||
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
|
||||||
|
/* if these fields are not present in the cred-part, silently
|
||||||
|
return zero */
|
||||||
|
memset(outdata, 0, sizeof(*outdata));
|
||||||
if(enc_krb_cred_part.timestamp)
|
if(enc_krb_cred_part.timestamp)
|
||||||
out_data->timestamp = *enc_krb_cred_part.timestamp;
|
outdata->timestamp = *enc_krb_cred_part.timestamp;
|
||||||
else
|
|
||||||
out_data->timestamp = 0;
|
|
||||||
if(enc_krb_cred_part.usec)
|
if(enc_krb_cred_part.usec)
|
||||||
out_data->usec = *enc_krb_cred_part.usec;
|
outdata->usec = *enc_krb_cred_part.usec;
|
||||||
else
|
|
||||||
out_data->usec = 0;
|
|
||||||
if(enc_krb_cred_part.nonce)
|
if(enc_krb_cred_part.nonce)
|
||||||
out_data->seq = *enc_krb_cred_part.nonce;
|
outdata->seq = *enc_krb_cred_part.nonce;
|
||||||
else
|
|
||||||
out_data->seq = 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Convert to NULL terminated list of creds */
|
/* Convert to NULL terminated list of creds */
|
||||||
@@ -259,7 +262,7 @@ krb5_rd_cred(krb5_context context,
|
|||||||
(*ret_creds)[i] = NULL;
|
(*ret_creds)[i] = NULL;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
out:
|
out:
|
||||||
free_KRB_CRED (&cred);
|
free_KRB_CRED (&cred);
|
||||||
if(*ret_creds) {
|
if(*ret_creds) {
|
||||||
for(i = 0; (*ret_creds)[i]; i++)
|
for(i = 0; (*ret_creds)[i]; i++)
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997 - 2001 Kungliga Tekniska H<>gskolan
|
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan
|
||||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -40,7 +40,7 @@ krb5_rd_priv(krb5_context context,
|
|||||||
krb5_auth_context auth_context,
|
krb5_auth_context auth_context,
|
||||||
const krb5_data *inbuf,
|
const krb5_data *inbuf,
|
||||||
krb5_data *outbuf,
|
krb5_data *outbuf,
|
||||||
/*krb5_replay_data*/ void *outdata)
|
krb5_replay_data *outdata)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
KRB_PRIV priv;
|
KRB_PRIV priv;
|
||||||
@@ -50,6 +50,11 @@ krb5_rd_priv(krb5_context context,
|
|||||||
krb5_keyblock *key;
|
krb5_keyblock *key;
|
||||||
krb5_crypto crypto;
|
krb5_crypto crypto;
|
||||||
|
|
||||||
|
if ((auth_context->flags &
|
||||||
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
|
||||||
|
outdata == NULL)
|
||||||
|
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
|
||||||
|
|
||||||
memset(&priv, 0, sizeof(priv));
|
memset(&priv, 0, sizeof(priv));
|
||||||
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
|
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
|
||||||
if (ret)
|
if (ret)
|
||||||
@@ -149,14 +154,23 @@ krb5_rd_priv(krb5_context context,
|
|||||||
if (ret)
|
if (ret)
|
||||||
goto failure_part;
|
goto failure_part;
|
||||||
|
|
||||||
free_EncKrbPrivPart (&part);
|
if ((auth_context->flags &
|
||||||
free_KRB_PRIV (&priv);
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
|
||||||
return 0;
|
/* if these fields are not present in the priv-part, silently
|
||||||
|
return zero */
|
||||||
|
memset(outdata, 0, sizeof(*outdata));
|
||||||
|
if(part.timestamp)
|
||||||
|
outdata->timestamp = *part.timestamp;
|
||||||
|
if(part.usec)
|
||||||
|
outdata->usec = *part.usec;
|
||||||
|
if(part.seq_number)
|
||||||
|
outdata->seq = *part.seq_number;
|
||||||
|
}
|
||||||
|
|
||||||
failure_part:
|
failure_part:
|
||||||
free_EncKrbPrivPart (&part);
|
free_EncKrbPrivPart (&part);
|
||||||
|
|
||||||
failure:
|
failure:
|
||||||
free_KRB_PRIV (&priv);
|
free_KRB_PRIV (&priv);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
|
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
|
||||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
*
|
*
|
||||||
@@ -87,12 +87,19 @@ krb5_rd_safe(krb5_context context,
|
|||||||
krb5_auth_context auth_context,
|
krb5_auth_context auth_context,
|
||||||
const krb5_data *inbuf,
|
const krb5_data *inbuf,
|
||||||
krb5_data *outbuf,
|
krb5_data *outbuf,
|
||||||
/*krb5_replay_data*/ void *outdata)
|
krb5_replay_data *outdata)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
KRB_SAFE safe;
|
KRB_SAFE safe;
|
||||||
size_t len;
|
size_t len;
|
||||||
|
|
||||||
|
if ((auth_context->flags &
|
||||||
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
|
||||||
|
outdata == NULL) {
|
||||||
|
krb5_set_error_string(context, "rd_safe: need outdata to return data");
|
||||||
|
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
|
||||||
|
}
|
||||||
|
|
||||||
ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
|
ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
@@ -182,9 +189,21 @@ krb5_rd_safe(krb5_context context,
|
|||||||
goto failure;
|
goto failure;
|
||||||
}
|
}
|
||||||
memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
|
memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
|
||||||
free_KRB_SAFE (&safe);
|
|
||||||
return 0;
|
if ((auth_context->flags &
|
||||||
failure:
|
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
|
||||||
|
/* if these fields are not present in the safe-part, silently
|
||||||
|
return zero */
|
||||||
|
memset(outdata, 0, sizeof(*outdata));
|
||||||
|
if(safe.safe_body.timestamp)
|
||||||
|
outdata->timestamp = *safe.safe_body.timestamp;
|
||||||
|
if(safe.safe_body.usec)
|
||||||
|
outdata->usec = *safe.safe_body.usec;
|
||||||
|
if(safe.safe_body.seq_number)
|
||||||
|
outdata->seq = *safe.safe_body.seq_number;
|
||||||
|
}
|
||||||
|
|
||||||
|
failure:
|
||||||
free_KRB_SAFE (&safe);
|
free_KRB_SAFE (&safe);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user