oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Optionally compare client address to addresses in ticket.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4970 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1998-05-28 19:29:43 +00:00
parent 7c0ea4a0e3
commit beeb25cdac
1 changed files with 41 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
kdc/kerberos5.c
View File

@@ -376,10 +376,30 @@ check_flags(hdb_entry *client, const char *client_name,
return 0; return 0;
} }
static krb5_boolean
check_addresses(HostAddresses *addresses, struct sockaddr *from)
{
krb5_error_code ret;
krb5_address addr;
if(check_ticket_addresses == 0)
return TRUE;
if(addresses == NULL)
return allow_null_ticket_addresses;
ret = krb5_sockaddr2address (from, &addr);
if(ret)
return FALSE;
return krb5_address_search(context, &addr, addresses);
}
krb5_error_code krb5_error_code
as_rep(KDC_REQ *req, as_rep(KDC_REQ *req,
krb5_data *reply, krb5_data *reply,
const char *from) const char *from,
struct sockaddr *from_addr)
{ {
KDC_REQ_BODY *b = &req->req_body; KDC_REQ_BODY *b = &req->req_body;
AS_REP rep; AS_REP rep;
@@ -647,6 +667,13 @@ as_rep(KDC_REQ *req,
goto out; goto out;
} }
/* check for valid set of addresses */
if(!check_addresses(b->addresses, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(0, "Bad address list requested -- %s", client_name);
goto out;
}
if(context->ktype_is_etype) { if(context->ktype_is_etype) {
krb5_keytype kt; krb5_keytype kt;
ret = krb5_etype_to_keytype(context, sess_ktype, &kt); ret = krb5_etype_to_keytype(context, sess_ktype, &kt);
@@ -709,7 +736,7 @@ as_rep(KDC_REQ *req,
ALLOC(et.caddr); ALLOC(et.caddr);
copy_HostAddresses(b->addresses, et.caddr); copy_HostAddresses(b->addresses, et.caddr);
} }
copy_EncryptionKey(&et.key, &ek.key); copy_EncryptionKey(&et.key, &ek.key);
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
@@ -1239,7 +1266,8 @@ static krb5_error_code
tgs_rep2(KDC_REQ_BODY *b, tgs_rep2(KDC_REQ_BODY *b,
PA_DATA *tgs_req, PA_DATA *tgs_req,
krb5_data *reply, krb5_data *reply,
const char *from) const char *from,
struct sockaddr *from_addr)
{ {
krb5_ap_req ap_req; krb5_ap_req ap_req;
krb5_error_code ret; krb5_error_code ret;
@@ -1488,6 +1516,13 @@ tgs_rep2(KDC_REQ_BODY *b,
ret = KRB5KDC_ERR_SERVER_NOMATCH; ret = KRB5KDC_ERR_SERVER_NOMATCH;
goto out; goto out;
} }
/* check for valid set of addresses */
if(!check_addresses(tgt->caddr, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(0, "Request from wrong address");
goto out;
}
ret = tgs_make_reply(b, ret = tgs_make_reply(b,
tgt, tgt,
@@ -1547,7 +1582,8 @@ out2:
krb5_error_code krb5_error_code
tgs_rep(KDC_REQ *req, tgs_rep(KDC_REQ *req,
krb5_data *data, krb5_data *data,
const char *from) const char *from,
struct sockaddr *from_addr)
{ {
krb5_error_code ret; krb5_error_code ret;
int i = 0; int i = 0;
@@ -1567,7 +1603,7 @@ tgs_rep(KDC_REQ *req,
kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from); kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
goto out; goto out;
} }
ret = tgs_rep2(&req->req_body, tgs_req, data, from); ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr);
out: out:
if(ret && data->data == NULL){ if(ret && data->data == NULL){
krb5_mk_error(context, krb5_mk_error(context,