Apply old patch from me that handles client's behind NAT
Tested by Harald Barth and bugfix by Ragnar Sundblad
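--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -445,7 +445,8 @@ verify (krb5_auth_context *auth_context,
 struct sockaddr *sa,
 int sa_size,
 u_char *msg,
-size_t len)
+size_t len,
+krb5_address *client_addr)
 {
 krb5_error_code ret;
 uint16_t pkt_len, pkt_ver, ap_req_len;
@@ -546,6 +547,21 @@ verify (krb5_auth_context *auth_context,
 krb_priv_data.data = msg + 6 + ap_req_len;
 krb_priv_data.length = len - 6 - ap_req_len;
 
+/*
+* Only enforce client addresses on on tickets with addresses. If
+* its addressless, we are guessing its behind NAT and really
+* can't know this information.
+*/
+
+if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
+ret = krb5_auth_con_setaddrs (context, *auth_context,
+NULL, client_addr);
+if (ret) {
+krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
+goto out;
+}
+}
+
 ret = krb5_rd_priv (context,
 *auth_context,
 &krb_priv_data,
@@ -582,7 +598,7 @@ process (krb5_realm *realms,
 krb5_address other_addr;
 uint16_t version;
 
-
+memset(&other_addr, 0, sizeof(other_addr));
 krb5_data_zero (&out_data);
 
 ret = krb5_auth_con_init (context, &auth_context);
@@ -600,18 +616,27 @@ process (krb5_realm *realms,
 goto out;
 }
 
-ret = krb5_auth_con_setaddrs (context,
-auth_context,
-this_addr,
-&other_addr);
-krb5_free_address (context, &other_addr);
+ret = krb5_auth_con_setaddrs (context, auth_context, this_addr, NULL);
 if (ret) {
-krb5_warn (context, ret, "krb5_auth_con_setaddr");
+krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
 goto out;
 }
 
 if (verify (&auth_context, realms, keytab, &ticket, &out_data,
-&version, s, sa, sa_size, msg, len) == 0) {
+&version, s, sa, sa_size, msg, len, &other_addr) == 0)
+{
+/*
+* We always set the client_addr, to assume that the client
+* can ignore it if it choose to do so (just the server does
+* so for addressless tickets).
+*/
+ret = krb5_auth_con_setaddrs (context, auth_context,
+this_addr, &other_addr);
+if (ret) {
+krb5_warn (context, ret, "krb5_auth_con_setaddr(other)");
+goto out;
+}
+
 change (auth_context,
 ticket->client,
 version,
@@ -623,8 +648,9 @@ process (krb5_realm *realms,
 }
 
 out:
-krb5_data_free (&out_data);
-krb5_auth_con_free (context, auth_context);
+krb5_free_address(context, &other_addr);
+krb5_data_free(&out_data);
+krb5_auth_con_free(context, auth_context);
 }
 
 static int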
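Review bot: The warning label in verify()'s new block is misleading — the call there sets the remote (client) side of the auth context, yet the message says `"krb5_auth_con_setaddr(this)"`, the same label process() uses for the local address; `krb5_warn (context, ret, "krb5_auth_con_setaddr(client)");` would fit the `(this)`/`(other)` convention process() establishes. More substantively, process() now passes NULL as the remote address before verify() runs, so the peer address is compared only by the new block in verify() and only when the ticket carries addresses; if the AP-REQ handling that precedes that block used the remote address for its own check, that check is now skipped for every request rather than just addressless tickets, which is worth confirming as intended. The relaxation for addressless tickets is silent; a log line in an else branch of the new `if ((*ticket)->ticket.caddr && ...)` would let operators see when the NAT path is taken. The comment could also read `* Only enforce client addresses on tickets with addresses. If the ticket is addressless, we assume the client is behind NAT and cannot know its address.` The out: label in verify() and the code between verify()'s request parsing and the new block are outside the hunks.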