diff options
author | Tom Yu <tlyu@mit.edu> | 2003-05-10 00:01:04 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2003-05-10 00:01:04 +0000 |
commit | 508e90e51619c79d2680eaeca754d516c7f88fdf (patch) | |
tree | 99bed617bdb438c95c55d7c265f9ef4beb9e23f3 /src/lib/krb5/krb/chpw.c | |
parent | 919b3a91b573c746a62a704fc5cdf883605d6aa9 (diff) | |
download | krb5-508e90e51619c79d2680eaeca754d516c7f88fdf.tar.gz krb5-508e90e51619c79d2680eaeca754d516c7f88fdf.tar.xz krb5-508e90e51619c79d2680eaeca754d516c7f88fdf.zip |
Rename the local_subkey and remote_subkey fields in the auth_context
to send_subkey and recv_subkey, respectively. Add new APIs to query
and set these fields. Change the behavior of mk_req_ext, rd_req_dec,
and rd_rep to set both subkeys. Applications wanting to set
unidirectional subkeys may still do so by saving the values of subkeys
and doing overrides. Cause mk_cred, mk_priv, and mk_safe to never use
the recv_subkey. Cause rd_cred, rd_priv, and rd_safe to never use the
send_subkey.
ticket: 1415
status: open
tags: pullup
target_version: 1.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15407 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb/chpw.c')
-rw-r--r-- | src/lib/krb5/krb/chpw.c | 61 |
1 files changed, 39 insertions, 22 deletions
diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c index 248c4c88c3..f640ce66c6 100644 --- a/src/lib/krb5/krb/chpw.c +++ b/src/lib/krb5/krb/chpw.c @@ -120,8 +120,18 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_d ap_rep.data = ptr; ptr += ap_rep.length; - if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc))) + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmp); return(ret); + } krb5_free_ap_rep_enc_part(context, ap_rep_enc); @@ -130,18 +140,17 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_d cipherresult.data = ptr; cipherresult.length = (packet->data + packet->length) - ptr; - /* XXX there's no api to do this right. The problem is that - if there's a remote subkey, it will be used. This is - not what the spec requires */ - - tmp = auth_context->remote_subkey; - auth_context->remote_subkey = NULL; + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp); + krb5_free_keyblock(context, tmp); + if (ret) + return ret; ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, &replay); - auth_context->remote_subkey = tmp; - if (ret) return(ret); } else { @@ -310,6 +319,7 @@ krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5 krb5_data cipherresult; krb5_data clearresult; krb5_replay_data replay; + krb5_keyblock *tmpkey; /* ** validate the packet length - */ @@ -381,8 +391,18 @@ krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5 ap_rep.data = ptr; ptr += ap_rep.length; - if (ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc)) + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmpkey); return(ret); + } krb5_free_ap_rep_enc_part(context, ap_rep_enc); /* @@ -391,19 +411,16 @@ krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5 cipherresult.data = ptr; cipherresult.length = (packet->data + packet->length) - ptr; - { - krb5_keyblock *saved_remote_subkey; -/* -** save the remote_subkey, so it doesn't get used when decoding -*/ - saved_remote_subkey = auth_context->remote_subkey; - auth_context->remote_subkey = NULL; - - ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, - NULL); - auth_context->remote_subkey = saved_remote_subkey; - } + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey); + krb5_free_keyblock(context, tmpkey); + if (ret) + return ret; + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + NULL); if (ret) return(ret); } /*We got an ap_rep*/ |