[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KRB_AUTH_CONTEXT_* flags



Thomas Anders <thomas.anders@blue-cable.de> writes:

> Are they deprecated?

More likely just never implemented. You can try this patch. There may
be some fallout, because of the somewhat unclear semantics of these
flags.

Remove krb5-protos.h and krb5-private.h from lib/krb5, and run make
(requires perl).

/Johan

--- build_auth.c	2002/09/04 16:26:04	1.38
+++ build_auth.c	2003/04/25 18:27:38
@@ -75,6 +75,7 @@
       goto fail;
 
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+      if(auth_context->local_seqnumber == 0)
     krb5_generate_seq_number (context,
 			      &cred->session, 
 			      &auth_context->local_seqnumber);
--- mk_priv.c	2002/09/04 16:26:04	1.31
+++ mk_priv.c	2003/04/25 18:27:38
@@ -41,7 +41,7 @@
 	     krb5_auth_context auth_context,
 	     const krb5_data *userdata,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
   krb5_error_code ret;
   KRB_PRIV s;
@@ -49,13 +49,16 @@
   u_char *buf;
   size_t buf_size;
   size_t len;
-  u_int32_t tmp_seq;
   krb5_keyblock *key;
   int32_t sec, usec;
-  KerberosTime sec2;
-  int usec2;
   krb5_crypto crypto;
+  krb5_replay_data rdata;
 
+  if ((auth_context->flags & 
+       (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+      outdata == NULL)
+      return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
   if (auth_context->local_subkey)
       key = auth_context->local_subkey;
   else if (auth_context->remote_subkey)
@@ -63,20 +66,36 @@
   else
       key = auth_context->keyblock;
 
-  krb5_us_timeofday (context, &sec, &usec);
+    memset(&rdata, 0, sizeof(rdata));
 
   part.user_data = *userdata;
-  sec2           = sec;
-  part.timestamp = &sec2;
-  usec2          = usec;
-  part.usec      = &usec2;
-  if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-    tmp_seq = auth_context->local_seqnumber;
-    part.seq_number = &tmp_seq;
+
+  krb5_us_timeofday (context, &sec, &usec);
+  rdata.timestamp = sec;
+  rdata.usec = usec;
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	part.timestamp = &rdata.timestamp;
+	part.usec      = &rdata.usec;
   } else {
-    part.seq_number = NULL;
+	part.timestamp = NULL;
+	part.usec      = NULL;
   }
 
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+	outdata->timestamp = rdata.timestamp;
+	outdata->usec = rdata.usec;
+    }
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	rdata.seq = auth_context->local_seqnumber;
+	part.seq_number = &rdata.seq;
+    } else
+	part.seq_number = NULL;
+
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+	outdata->seq = auth_context->local_seqnumber;
+    
   part.s_address = auth_context->local_address;
   part.r_address = auth_context->remote_address;
 
--- mk_rep.c	2003/03/17 06:54:37	1.20.2.1
+++ mk_rep.c	2003/04/25 18:27:38
@@ -57,6 +57,7 @@
     body.cusec = auth_context->authenticator->cusec;
     body.subkey = NULL;
     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	if(auth_context->local_seqnumber == 0) 
 	krb5_generate_seq_number (context,
 				  auth_context->keyblock,
 				  &auth_context->local_seqnumber);
--- mk_safe.c	2002/09/04 16:26:05	1.28
+++ mk_safe.c	2003/04/25 18:27:38
@@ -40,20 +40,23 @@
 	     krb5_auth_context auth_context,
 	     const krb5_data *userdata,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
   krb5_error_code ret;
   KRB_SAFE s;
   int32_t sec, usec;
-  KerberosTime sec2;
-  int usec2;
   u_char *buf = NULL;
   size_t buf_size;
   size_t len;
-  u_int32_t tmp_seq;
   krb5_crypto crypto;
   krb5_keyblock *key;
+  krb5_replay_data rdata;
 
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL)
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
   if (auth_context->local_subkey)
       key = auth_context->local_subkey;
   else if (auth_context->remote_subkey)
@@ -64,19 +67,36 @@
   s.pvno = 5;
   s.msg_type = krb_safe;
 
+  memset(&rdata, 0, sizeof(rdata));
+
   s.safe_body.user_data = *userdata;
+
   krb5_us_timeofday (context, &sec, &usec);
+  rdata.timestamp = sec;
+  rdata.usec = usec;
 
-  sec2                   = sec;
-  s.safe_body.timestamp  = &sec2;
-  usec2                  = usec2;
-  s.safe_body.usec       = &usec2;
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	s.safe_body.timestamp  = &rdata.timestamp;
+	s.safe_body.usec       = &rdata.usec;
+    } else {
+	s.safe_body.timestamp  = NULL;
+	s.safe_body.usec       = NULL;
+    }
+    
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+	outdata->timestamp = rdata.timestamp;
+	outdata->usec = rdata.usec;
+    }
+
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      tmp_seq = auth_context->local_seqnumber;
-      s.safe_body.seq_number = &tmp_seq;
+	rdata.seq = auth_context->local_seqnumber;
+	s.safe_body.seq_number = &rdata.seq;
   } else 
       s.safe_body.seq_number = NULL;
 
+    if (auth_context->flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+	outdata->seq = auth_context->local_seqnumber;
+    
   s.safe_body.s_address = auth_context->local_address;
   s.safe_body.r_address = auth_context->remote_address;
 
--- rd_cred.c	2002/09/04 16:26:05	1.18
+++ rd_cred.c	2003/04/25 18:27:38
@@ -40,7 +40,7 @@
 	     krb5_auth_context auth_context,
 	     krb5_data *in_data,
 	     krb5_creds ***ret_creds,
-	     krb5_replay_data *out_data)
+	     krb5_replay_data *outdata)
 {
     krb5_error_code ret;
     size_t len;
@@ -50,6 +50,11 @@
     krb5_crypto crypto;
     int i;
 
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL)
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
     *ret_creds = NULL;
 
     ret = decode_KRB_CRED(in_data->data, in_data->length, 
@@ -185,19 +190,17 @@
 	}
     }
 
-    if(out_data != NULL) {
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+	/* if these fields are not present in the cred-part, silently
+           return zero */
+	memset(outdata, 0, sizeof(*outdata));
 	if(enc_krb_cred_part.timestamp)
-	    out_data->timestamp = *enc_krb_cred_part.timestamp;
-	else 
-	    out_data->timestamp = 0;
+	    outdata->timestamp = *enc_krb_cred_part.timestamp;
 	if(enc_krb_cred_part.usec)
-	    out_data->usec = *enc_krb_cred_part.usec;
-	else 
-	    out_data->usec = 0;
+	    outdata->usec = *enc_krb_cred_part.usec;
 	if(enc_krb_cred_part.nonce)
-	    out_data->seq = *enc_krb_cred_part.nonce;
-	else 
-	    out_data->seq = 0;
+	    outdata->seq = *enc_krb_cred_part.nonce;
     }
     
     /* Convert to NULL terminated list of creds */
--- rd_priv.c	2001/06/18 02:46:15	1.29
+++ rd_priv.c	2003/04/25 18:27:38
@@ -40,7 +40,7 @@
 	     krb5_auth_context auth_context,
 	     const krb5_data *inbuf,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
   krb5_error_code ret;
   KRB_PRIV priv;
@@ -50,6 +50,11 @@
   krb5_keyblock *key;
   krb5_crypto crypto;
 
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL)
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+
   memset(&priv, 0, sizeof(priv));
   ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
   if (ret) 
@@ -149,9 +154,18 @@
   if (ret)
       goto failure_part;
 
-  free_EncKrbPrivPart (&part);
-  free_KRB_PRIV (&priv);
-  return 0;
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+	/* if these fields are not present in the priv-part, silently
+           return zero */
+	memset(outdata, 0, sizeof(*outdata));
+	if(part.timestamp)
+	    outdata->timestamp = *part.timestamp;
+	if(part.usec)
+	    outdata->usec = *part.usec;
+	if(part.seq_number)
+	    outdata->seq = *part.seq_number;
+    }
 
 failure_part:
   free_EncKrbPrivPart (&part);
--- rd_safe.c	2002/09/04 16:26:05	1.27
+++ rd_safe.c	2003/04/25 18:27:38
@@ -87,12 +87,19 @@
 	     krb5_auth_context auth_context,
 	     const krb5_data *inbuf,
 	     krb5_data *outbuf,
-	     /*krb5_replay_data*/ void *outdata)
+	     krb5_replay_data *outdata)
 {
   krb5_error_code ret;
   KRB_SAFE safe;
   size_t len;
 
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+	outdata == NULL) {
+	krb5_set_error_string(context, "rd_safe: need outdata to return data");
+	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+    }
+
   ret = decode_KRB_SAFE (inbuf->data, inbuf->length, &safe, &len);
   if (ret) 
       return ret;
@@ -182,8 +189,20 @@
       goto failure;
   }
   memcpy (outbuf->data, safe.safe_body.user_data.data, outbuf->length);
-  free_KRB_SAFE (&safe);
-  return 0;
+
+    if ((auth_context->flags & 
+	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
+	/* if these fields are not present in the safe-part, silently
+           return zero */
+	memset(outdata, 0, sizeof(*outdata));
+	if(safe.safe_body.timestamp)
+	    outdata->timestamp = *safe.safe_body.timestamp;
+	if(safe.safe_body.usec)
+	    outdata->usec = *safe.safe_body.usec;
+	if(safe.safe_body.seq_number)
+	    outdata->seq = *safe.safe_body.seq_number;
+    }
+
 failure:
   free_KRB_SAFE (&safe);
   return ret;