diff options
author | Sam Hartman <hartmans@mit.edu> | 1995-10-10 03:11:08 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 1995-10-10 03:11:08 +0000 |
commit | 2c3df8f5da068eef7d515b6c3d38f767824a1cd5 (patch) | |
tree | 78f2fc1ad13059cc16347a779deb510f334f4887 /src/appl | |
parent | 995ef6259b3f58d88dbec6487df3baef74d1da74 (diff) | |
download | krb5-2c3df8f5da068eef7d515b6c3d38f767824a1cd5.tar.gz krb5-2c3df8f5da068eef7d515b6c3d38f767824a1cd5.tar.xz krb5-2c3df8f5da068eef7d515b6c3d38f767824a1cd5.zip |
Fix handling of session key for Kerberos5. I don't think this should
fix the mutual authentication bug with beta 4, but this should help
forwarding credentials and should also help if someone actually
defines ENCRYPTION.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6954 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/appl')
-rw-r--r-- | src/appl/telnet/libtelnet/ChangeLog | 11 | ||||
-rw-r--r-- | src/appl/telnet/libtelnet/kerberos5.c | 63 |
2 files changed, 44 insertions, 30 deletions
diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog index 112652159..041bed8a2 100644 --- a/src/appl/telnet/libtelnet/ChangeLog +++ b/src/appl/telnet/libtelnet/ChangeLog @@ -1,3 +1,14 @@ +Mon Oct 9 23:03:48 1995 Sam Hartman <hartmans@tertius.mit.edu> + + * kerberos5.c: make session_key a pointer, and use + krb5_copy_keyblock not krb5_copy_keyblock_contents; there was no + reason to violate this abstraction. + +Sun Sep 24 12:33:03 1995 Sam Hartman <hartmans@tertius.mit.edu> + + * kerberos5.c: Initialize session key from the subsession key we get from krb5_mk_req_extended, using ticket key as a fallback. + (kerberos5_send): Use appropriate enctypes when encryption defined. + Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu) * encrypt.h, kerberos5.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index dbc9c7f80..1488edf0c 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -31,7 +31,7 @@ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * OUT OF THE USE OF THIS SOFTWARE, EVEN I<F ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ @@ -124,7 +124,7 @@ static krb5_ticket * ticket = NULL; #define Voidptr krb5_pointer -krb5_keyblock session_key; +krb5_keyblock *session_key = 0; char * telnet_srvtab = NULL; char * telnet_krb5_realm = NULL; @@ -173,8 +173,6 @@ kerberos5_init(ap, server) str_data[3] = TELQUAL_REPLY; else str_data[3] = TELQUAL_IS; - memset(&session_key, 0, sizeof(session_key)); - session_key.magic = KV5M_KEYBLOCK; if (telnet_context == 0) krb5_init_context(&telnet_context); krb5_init_ets(telnet_context); @@ -275,25 +273,25 @@ kerberos5_send(ap) #ifdef ENCRYPTION krb5_auth_con_getlocalsubkey(telnet_context, auth_context, &newkey); - if (session_key.contents) - free(session_key.contents); - /* - * keep the key in our private storage, but don't use it yet - * ---see kerberos5_reply() below - */ - if (newkey) { - if (new_creds->keyblock.enctype == ENCTYPE_DES) - /* use the session key in credentials instead */ - krb5_copy_keyblock_contents(telnet_context, - &new_creds->keyblock, - &session_key); - else - /* XXX ? */; - } else { - krb5_copy_keyblock_contents(telnet_context, newkey, &session_key); + if (session_key) { +krb5_free_keyblock(telnet_context, session_key); +session_key = 0; } - if (newkey) + + if (newkey) { + /* keep the key in our private storage, but don't use it + yet---see kerberos5_reply() below */ + if ((newkey->enctype != ENCTYPE_DES_CBC_CRC) && (newkey-> enctype != ENCTYPE_DES_CBC_MD5)) { + if ((new_creds->keyblock.enctype == ENCTYPE_DES_CBC_CRC)||( new_creds->keyblock.enctype == ENCTYPE_DES_CBC_MD5)) + /* use the session key in credentials instead */ + krb5_copy_keyblock(telnet_context,&new_creds->keyblock, &session_key); + else + /* XXX ? */; + } else { + krb5_copy_keyblock(telnet_context, newkey, &session_key); + } krb5_free_keyblock(telnet_context, newkey); + } #endif /* ENCRYPTION */ krb5_free_cred_contents(telnet_context, &creds); krb5_free_creds(telnet_context, new_creds); @@ -403,15 +401,20 @@ kerberos5_is(ap, data, cnt) krb5_auth_con_getremotesubkey(telnet_context, auth_context, &newkey); if (newkey) { - if (session_key.contents) - free(session_key.contents); - krb5_copy_keyblock_contents(telnet_context, newkey, + if (session_key) { + krb5_free_keyblock(telnet_context, session_key); + session_key = 0; + } + + krb5_copy_keyblock(telnet_context, newkey, &session_key); krb5_free_keyblock(telnet_context, newkey); } else { - if (session_key.contents) - free(session_key.contents); - krb5_copy_keyblock_contents(telnet_context, + if (session_key){ + krb5_free_keyblock(telnet_context, session_key); +session_key = 0; + } + krb5_copy_keyblock(telnet_context, ticket->enc_part2->session, &session_key); } @@ -419,7 +422,7 @@ kerberos5_is(ap, data, cnt) #ifdef ENCRYPTION skey.type = SK_DES; skey.length = 8; - skey.data = session_key.contents; + skey.data = session_key->contents; encrypt_session_key(&skey, 1); #endif break; @@ -512,10 +515,10 @@ kerberos5_reply(ap, data, cnt) } krb5_free_ap_rep_enc_part(telnet_context, reply); #ifdef ENCRYPTION - if (!session_key.contents) { + if (session_key) { skey.type = SK_DES; skey.length = 8; - skey.data = session_key.contents; + skey.data = session_key->contents; encrypt_session_key(&skey, 0); } #endif /* ENCRYPTION */ |