Some support for KRB5_AUTH_CONTEXT_DO_SEQUENCE

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@1807 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/build_auth.c

@@ -15,6 +15,7 @@ krb5_build_authenticator (krb5_context context,
   char buf[1024];
   int len;
   krb5_error_code ret;
+  int32_t seq_number;
 
   auth->authenticator_vno = 5;
   auth->crealm = malloc(cred->client->realm.length + 1);
@@ -26,6 +27,13 @@ krb5_build_authenticator (krb5_context context,
   auth->cusec = tv.tv_usec;
   auth->ctime = tv.tv_sec;
   auth->subkey = NULL;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    krb5_generate_seq_number (context,
+			      &cred->session, 
+			      &auth_context->local_seqnumber);
+    auth->seq_number = malloc(sizeof(*auth->seq_number));
+    *(auth->seq_number) = auth_context->local_seqnumber;
+  } else
     auth->seq_number = NULL;
   auth->authorization_data = NULL;
   auth->cksum = cksum;
@@ -39,13 +47,15 @@ krb5_build_authenticator (krb5_context context,
 
   memset (buf, 0, sizeof(buf));
   len = encode_Authenticator (buf + sizeof(buf) - 1, sizeof(buf), auth);
-  free (auth->crealm);
 
   ret = krb5_encrypt (context, buf + sizeof(buf) - len, len, &cred->session, result);
 
   if (auth_result)
     *auth_result = auth;
-  else
+  else {
+    free (auth->crealm);
+    free (auth->seq_number);
     free (auth);
+  }
   return ret;
 }

lib/krb5/mk_priv.c

@@ -27,12 +27,17 @@ krb5_mk_priv(krb5_context context,
   usec = tv.tv_usec;
   part.timestamp  = &tv.tv_sec;
   part.usec       = &usec;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    part.seq_number = malloc(sizeof(*part.seq_number));
+    *(part.seq_number) = ++auth_context->local_seqnumber;
+  } else 
     part.seq_number = NULL;
   part.s_address.addr_type = addr.addrs[0].type;
   part.s_address.address   = addr.addrs[0].address;
   part.r_address = NULL;
 
   len = encode_EncKrbPrivPart (buf + sizeof(buf) - 1, sizeof(buf), &part);
+  free (part.seq_number);
   if (len < 0)
     return ASN1_PARSE_ERROR;
 

lib/krb5/mk_rep.c

@@ -21,6 +21,13 @@ krb5_mk_rep(krb5_context context,
   body.ctime = (*auth_context)->authenticator->ctime;
   body.cusec = (*auth_context)->authenticator->cusec;
   body.subkey = NULL;
+  if ((*auth_context)->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    krb5_generate_seq_number (context,
+			      &(*auth_context)->key,
+			      &(*auth_context)->local_seqnumber);
+    body.seq_number = malloc (sizeof(*body.seq_number));
+    *(body.seq_number) = (*auth_context)->local_seqnumber;
+  } else
     body.seq_number = NULL;
 
   ap.enc_part.etype = (*auth_context)->key.keytype;

lib/krb5/mk_safe.c

@@ -37,12 +37,17 @@ krb5_mk_safe(krb5_context context,
   usec = tv.tv_usec;
   s.safe_body.timestamp  = &tv.tv_sec;
   s.safe_body.usec       = &usec;
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    s.safe_body.seq_number = malloc(sizeof(*s.safe_body.seq_number));
+    *(s.safe_body.seq_number) = ++auth_context->local_seqnumber;
+  } else 
     s.safe_body.seq_number = NULL;
   s.safe_body.s_address.addr_type = addr.addrs[0].type;
   s.safe_body.s_address.address   = addr.addrs[0].address;
   s.safe_body.r_address = NULL;
 
   len = encode_KRB_SAFE (buf + sizeof(buf) - 1, sizeof(buf), &s);
+  free(s.safe_body.seq_number);
   if (len < 0)
     return ASN1_PARSE_ERROR;
   outbuf->length = len;

lib/krb5/rd_priv.c

@@ -35,11 +35,29 @@ krb5_rd_priv(krb5_context context,
   if (len < 0)
     return ASN1_PARSE_ERROR;
 
+  /* check timestamp */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+    struct timeval tv;
+
+    gettimeofday (&tv, NULL);
+    if (part.timestamp == NULL ||
+	part.usec      == NULL ||
+	*part.timestamp - tv.tv_sec > 600)
+      return KRB5KRB_AP_ERR_SKEW;
+  }
+
+  /* XXX - check replay cache */
+
+  /* check sequence number */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    if (part.seq_number == NULL ||
+	*part.seq_number != ++auth_context->remote_seqnumber)
+      return KRB5KRB_AP_ERR_BADORDER;
+  }
+
   r = krb5_data_copy (outbuf, part.user_data.data, part.user_data.length);
   if (r)
     return r;
 
-  /* XXX */
-
   return 0;
 }

lib/krb5/rd_rep.c

@@ -51,6 +51,8 @@ krb5_rd_rep(krb5_context context,
     return KRB5KRB_AP_ERR_MUT_FAIL;
 #endif
   }
+  if ((*repl)->seq_number)
+    auth_context->remote_seqnumber = *((*repl)->seq_number);
   
   return 0;
 }

lib/krb5/rd_req.c

@@ -126,6 +126,13 @@ krb5_rd_req_with_keyblock(krb5_context context,
     (*auth_context)->authenticator->cusec = authenticator.cusec;
     (*auth_context)->authenticator->ctime = authenticator.ctime;
 
+    if (authenticator.seq_number)
+      (*auth_context)->remote_seqnumber = *(authenticator.seq_number);
+
+    /* XXX - Xor sequence numbers */
+
+    /* XXX - check addresses */
+
     if (ap_req_options) {
       *ap_req_options = 0;
       if (ap_req.ap_options.use_session_key)

lib/krb5/rd_safe.c

@@ -22,7 +22,25 @@ krb5_rd_safe(krb5_context context,
     return KRB5KRB_AP_ERR_MSG_TYPE;
   if (safe.cksum.cksumtype != CKSUMTYPE_RSA_MD4)
     return KRB5KRB_AP_ERR_INAPP_CKSUM;
-  /* XXX */
+  /* check timestamp */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+    struct timeval tv;
+
+    gettimeofday (&tv, NULL);
+    if (safe.safe_body.timestamp == NULL ||
+	safe.safe_body.usec      == NULL ||
+	*(safe.safe_body.timestamp) - tv.tv_sec > 600)
+      return KRB5KRB_AP_ERR_SKEW;
+  }
+  /* XXX - check replay cache */
+
+  /* check sequence number */
+  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+    if (safe.safe_body.seq_number == NULL ||
+	*safe.safe_body.seq_number != ++auth_context->remote_seqnumber)
+      return KRB5KRB_AP_ERR_BADORDER;
+  }
+
   r = krb5_verify_checksum (context,
 			    safe.safe_body.user_data.data,
 			    safe.safe_body.user_data.length,