oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

implement RET_SEQUENCE and RET_TIME

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12133 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
2003-04-25 16:59:52 +00:00
parent 6538b13e17
commit 4297f56e60
6 changed files with 439 additions and 362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
lib/krb5/krb5_auth_context.3
View File

@@ -181,12 +181,20 @@ gets and modifies the flags for a
.Nm krb5_auth_context
structure. Possible flags to set are:
.Bl -tag -width Ds
.It Dv KRB5_AUTH_CONTEXT_DO_TIME
check timestamp on incoming packets.
.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
.It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
Generate and check sequence-number on each packet.
.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
.It Dv KRB5_AUTH_CONTEXT_DO_TIME
Check timestamp on incoming packets.
.It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE , Dv KRB5_AUTH_CONTEXT_RET_TIME
Return sequence numbers and time stamps in the outdata parameter of
.Xr krb5_rd_cred 3 ,
.Xr krb5_rd_priv 3 ,
.Xr krb5_rd_safe 3 ,
.Xr krb5_mk_priv 3
and
.Xr krb5_mk_safe 3 .
Setting this flag requires that parameter to be passed to these
functions.
.\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
.El
.Pp

52
lib/krb5/mk_priv.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -41,20 +41,22 @@ krb5_mk_priv(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *userdata,
krb5_data *outbuf,
/*krb5_replay_data*/ void *outdata)
krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_PRIV s;
EncKrbPrivPart part;
u_char *buf;
u_char *buf = NULL;
size_t buf_size;
size_t len;
u_int32_t tmp_seq;
krb5_keyblock *key;
int32_t sec, usec;
KerberosTime sec2;
int usec2;
krb5_crypto crypto;
krb5_keyblock *key;
krb5_replay_data rdata;
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
if (auth_context->local_subkey)
key = auth_context->local_subkey;
@@ -63,20 +65,34 @@ krb5_mk_priv(krb5_context context,
else
key = auth_context->keyblock;
krb5_us_timeofday (context, &sec, &usec);
memset(&rdata, 0, sizeof(rdata));
part.user_data = *userdata;
sec2 = sec;
part.timestamp = &sec2;
usec2 = usec;
part.usec = &usec2;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
tmp_seq = auth_context->local_seqnumber;
part.seq_number = &tmp_seq;
krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec);
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
part.timestamp = &rdata.timestamp;
part.usec = &rdata.usec;
} else {
part.seq_number = NULL;
part.timestamp = NULL;
part.usec = NULL;
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
outdata->timestamp = rdata.timestamp;
outdata->usec = rdata.usec;
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
rdata.seq = auth_context->local_seqnumber;
part.seq_number = &rdata.seq;
} else
part.seq_number = NULL;
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = auth_context->local_seqnumber;
part.s_address = auth_context->local_address;
part.r_address = auth_context->remote_address;
@@ -128,7 +144,7 @@ krb5_mk_priv(krb5_context context,
(auth_context->local_seqnumber + 1) & 0xFFFFFFFF;
return 0;
fail:
fail:
free (buf);
krb5_data_free (&s.enc_part.cipher);
return ret;

45
lib/krb5/mk_safe.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -40,19 +40,21 @@ krb5_mk_safe(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *userdata,
krb5_data *outbuf,
/*krb5_replay_data*/ void *outdata)
krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_SAFE s;
int32_t sec, usec;
KerberosTime sec2;
int usec2;
u_char *buf = NULL;
size_t buf_size;
size_t len;
u_int32_t tmp_seq;
krb5_crypto crypto;
krb5_keyblock *key;
krb5_replay_data rdata;
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
if (auth_context->local_subkey)
key = auth_context->local_subkey;
@@ -64,19 +66,34 @@ krb5_mk_safe(krb5_context context,
s.pvno = 5;
s.msg_type = krb_safe;
s.safe_body.user_data = *userdata;
krb5_us_timeofday (context, &sec, &usec);
memset(&rdata, 0, sizeof(rdata));
s.safe_body.user_data = *userdata;
krb5_us_timeofday (context, &rdata.timestamp, &rdata.usec);
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
s.safe_body.timestamp = &rdata.timestamp;
s.safe_body.usec = &rdata.usec;
} else {
s.safe_body.timestamp = NULL;
s.safe_body.usec = NULL;
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
outdata->timestamp = rdata.timestamp;
outdata->usec = rdata.usec;
}
sec2 = sec;
s.safe_body.timestamp = &sec2;
usec2 = usec2;
s.safe_body.usec = &usec2;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
tmp_seq = auth_context->local_seqnumber;
s.safe_body.seq_number = &tmp_seq;
rdata.seq = auth_context->local_seqnumber;
s.safe_body.seq_number = &rdata.seq;
} else
s.safe_body.seq_number = NULL;
if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = auth_context->local_seqnumber;
s.safe_body.s_address = auth_context->local_address;
s.safe_body.r_address = auth_context->remote_address;

29
lib/krb5/rd_cred.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -40,7 +40,7 @@ krb5_rd_cred(krb5_context context,
krb5_auth_context auth_context,
krb5_data *in_data,
krb5_creds ***ret_creds,
krb5_replay_data *out_data)
krb5_replay_data *outdata)
{
krb5_error_code ret;
size_t len;
@@ -50,6 +50,11 @@ krb5_rd_cred(krb5_context context,
krb5_crypto crypto;
int i;
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
*ret_creds = NULL;
ret = decode_KRB_CRED(in_data->data, in_data->length,
@@ -185,19 +190,17 @@ krb5_rd_cred(krb5_context context,
}
}
if(out_data != NULL) {
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
/* if these fields are not present in the cred-part, silently
return zero */
memset(outdata, 0, sizeof(*outdata));
if(enc_krb_cred_part.timestamp)
out_data->timestamp = *enc_krb_cred_part.timestamp;
else
out_data->timestamp = 0;
outdata->timestamp = *enc_krb_cred_part.timestamp;
if(enc_krb_cred_part.usec)
out_data->usec = *enc_krb_cred_part.usec;
else
out_data->usec = 0;
outdata->usec = *enc_krb_cred_part.usec;
if(enc_krb_cred_part.nonce)
out_data->seq = *enc_krb_cred_part.nonce;
else
out_data->seq = 0;
outdata->seq = *enc_krb_cred_part.nonce;
}
/* Convert to NULL terminated list of creds */
@@ -259,7 +262,7 @@ krb5_rd_cred(krb5_context context,
(*ret_creds)[i] = NULL;
return 0;
out:
out:
free_KRB_CRED (&cred);
if(*ret_creds) {
for(i = 0; (*ret_creds)[i]; i++)

28
lib/krb5/rd_priv.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2001 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997-2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -40,7 +40,7 @@ krb5_rd_priv(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *inbuf,
krb5_data *outbuf,
/*krb5_replay_data*/ void *outdata)
krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_PRIV priv;
@@ -50,6 +50,11 @@ krb5_rd_priv(krb5_context context,
krb5_keyblock *key;
krb5_crypto crypto;
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL)
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
memset(&priv, 0, sizeof(priv));
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
if (ret)
@@ -149,14 +154,23 @@ krb5_rd_priv(krb5_context context,
if (ret)
goto failure_part;
free_EncKrbPrivPart (&part);
free_KRB_PRIV (&priv);
return 0;
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
/* if these fields are not present in the priv-part, silently
return zero */
memset(outdata, 0, sizeof(*outdata));
if(part.timestamp)
outdata->timestamp = *part.timestamp;
if(part.usec)
outdata->usec = *part.usec;
if(part.seq_number)
outdata->seq = *part.seq_number;
}
failure_part:
failure_part:
free_EncKrbPrivPart (&part);
failure:
failure:
free_KRB_PRIV (&priv);
return ret;
}

29
lib/krb5/rd_safe.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2003 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -87,12 +87,19 @@ krb5_rd_safe(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *inbuf,
krb5_data *outbuf,
/*krb5_replay_data*/ void *outdata)
krb5_replay_data *outdata)
{
krb5_error_code ret;
KRB_SAFE safe;
size_t len;
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
outdata == NULL) {
krb5_set_error_string(context, "rd_safe: need outdata to return data");
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
}
ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
if (ret)
return ret;
@@ -182,9 +189,21 @@ krb5_rd_safe(krb5_context context,
goto failure;
}
memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
free_KRB_SAFE (&safe);
return 0;
failure:
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
/* if these fields are not present in the safe-part, silently
return zero */
memset(outdata, 0, sizeof(*outdata));
if(safe.safe_body.timestamp)
outdata->timestamp = *safe.safe_body.timestamp;
if(safe.safe_body.usec)
outdata->usec = *safe.safe_body.usec;
if(safe.safe_body.seq_number)
outdata->seq = *safe.safe_body.seq_number;
}
failure:
free_KRB_SAFE (&safe);
return ret;
}