Allow rd_priv/rd_safe without remote address

Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote
address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES
flag is set (in which case we need the remote address for the replay
cache name).  Note that failing to set the remote address can create a
vulnerability to reflection attacks in some protocols, although it is
fairly easy to defend against--either use sequence numbers, or make
sure that requests don't look like replies, or both.

ticket: 6978

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25355 dc483132-0cff-0310-8789-dd5450dbe970

3 files changed, 18 insertions, 12 deletions

diff --git a/src/lib/krb5/krb/privsafe.c b/src/lib/krb5/krb/privsafe.c
index 405a24211f..264b07684e 100644
--- a/src/lib/krb5/krb/privsafe.c
+++ b/src/lib/krb5/krb/privsafe.c
@@ -208,14 +208,17 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac,
     local_fulladdr.contents = remote_fulladdr.contents = NULL;
 
     /* Determine the remote comparison address. */
-    if (ac->remote_port != NULL) {
-        ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port,
-                                 &remote_fulladdr);
-        if (ret)
-            goto cleanup;
-        remote_addr = &remote_fulladdr;
+    if (ac->remote_addr != NULL) {
+        if (ac->remote_port != NULL) {
+            ret = krb5_make_fulladdr(context, ac->remote_addr, ac->remote_port,
+                                     &remote_fulladdr);
+            if (ret)
+                goto cleanup;
+            remote_addr = &remote_fulladdr;
+        } else
+            remote_addr = ac->remote_addr;
     } else
-        remote_addr = ac->remote_addr;
+        remote_addr = NULL;
 
     /* Determine the local comparison address (possibly NULL). */
     if (ac->local_addr != NULL) {
@@ -231,7 +234,8 @@ k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac,
         local_addr = NULL;
 
     /* Check the remote address against the message's sender address. */
-    if (!krb5_address_compare(context, remote_addr, msg_s_addr)) {
+    if (remote_addr != NULL &&
+        !krb5_address_compare(context, remote_addr, msg_s_addr)) {
         ret = KRB5KRB_AP_ERR_BADADDR;
         goto cleanup;
     }
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 831f258075..93259680e8 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -133,7 +133,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
         /* Need a better error */
         return KRB5_RC_REQUIRED;
 
-    if (!auth_context->remote_addr)
+    if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+        (auth_context->remote_addr == NULL))
         return KRB5_REMOTE_ADDR_REQUIRED;
 
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index e12148911b..c879f331f6 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -146,12 +146,13 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
         return KRB5_RC_REQUIRED;
 
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+        (auth_context->remote_addr == NULL))
+        return KRB5_REMOTE_ADDR_REQUIRED;
+
+    if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
         (auth_context->rcache == NULL))
         return KRB5_RC_REQUIRED;
 
-    if (!auth_context->remote_addr)
-        return KRB5_REMOTE_ADDR_REQUIRED;
-
     /* Get key */
     if ((key = auth_context->recv_subkey) == NULL)
         key = auth_context->key;