author | Greg Hudson <ghudson@mit.edu> | 2023-02-24 14:15:14 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2023-02-27 23:14:12 -0500 |
commit | 9139a60c94c24e41109574e84e7cda9c2dc3fb38 (patch) | |
tree | 9cdf92210d761dcbf6f79b7e6c5256356a4afec7 /src | |
parent | 0108d7d7fbb1111c062ac580e69e97103662fc2b (diff) | |
Avoid using internal APIs in sim_client
In sim_client.c, remove the calls to krb5_gen_portaddr() and
krb5_gen_replay_name() as they don't do anything after commit
dcb853ac32779b173f39e19c0f24b0087de85771. Remove them, and include
krb5.h plus appropriate system headers rather than k5-int.h.
Also use a subkey when negotiating the auth context. Kerberos
application protocols should generally use subkeys to prevent
cross-connection replay attacks.
Diffstat (limited to 'src')
-rw-r--r-- | src/appl/simple/client/sim_client.c | 29 |
1 files changed, 9 insertions, 20 deletions
diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c
index 08f06ab..ea1379e 100644
--- a/src/appl/simple/client/sim_client.c
+++ b/src/appl/simple/client/sim_client.c
@@ -29,14 +29,17 @@
 * This program performs no useful function.
 */
-#include <k5-int.h>
+#include <krb5.h>
 #include "com_err.h"
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
 #include <netdb.h>
-#include <ctype.h>
+#include <getopt.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
@@ -66,7 +69,6 @@ main(int argc, char *argv[])
 int flags = 0; /* flags for sendto() */
 struct servent *serv;
 struct hostent *host;
- char *cp;
 #ifdef BROKEN_STREAMS_SOCKETS
 char my_hostname[MAXHOSTNAMELEN];
 #endif
@@ -85,7 +87,7 @@ main(int argc, char *argv[])
 krb5_error_code retval;
 krb5_data packet, inbuf;
 krb5_ccache ccdef;
- krb5_address addr, *portlocal_addr;
+ krb5_address addr;
 krb5_context context;
 krb5_auth_context auth_context = NULL;
@@ -202,8 +204,9 @@ main(int argc, char *argv[])
 exit(1);
 }
- if ((retval = krb5_mk_req(context, &auth_context, 0, service, hostname,
- &inbuf, ccdef, &packet))) {
+ retval = krb5_mk_req(context, &auth_context, AP_OPTS_USE_SUBKEY, service,
+ hostname, &inbuf, ccdef, &packet);
+ if (retval) {
 com_err(progname, retval, "while preparing AP_REQ");
 exit(1);
 }
@@ -251,20 +254,6 @@ main(int argc, char *argv[])
 exit(1);
 }
- /* THIS IS UGLY */
- if ((retval = krb5_gen_portaddr(context, &addr,
- (krb5_pointer) &c_sock.sin_port,
- &portlocal_addr))) {
- com_err(progname, retval, "while generating port address");
- exit(1);
- }
-
- if ((retval = krb5_gen_replay_name(context,portlocal_addr,
- "_sim_clt",&cp))) {
- com_err(progname, retval, "while generating replay cache name");
- exit(1);
- }
-
 /* Make the safe message */
 inbuf.data = message;
 inbuf.length = strlen(message); |
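Review bot: After `<k5-int.h>` is replaced by `<krb5.h>`, the `#ifdef HAVE_UNISTD_H` guard kept at the end of this include block still depends on a build-configuration macro that the public header presumably does not define; the same applies to `BROKEN_STREAMS_SOCKETS` and `MAXHOSTNAMELEN` in the next hunk's context lines. If nothing else supplies them, `<unistd.h>` is silently skipped and the sample builds only because some other system header happens to declare the same functions. Since `<getopt.h>` is now included unconditionally, the simplest fix would be to treat this one the same way and write `#include <unistd.h>` without the guard.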
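Review bot: The reason for passing `AP_OPTS_USE_SUBKEY` to krb5_mk_req() is recorded only in the commit message, and this is sample code that gets copied into real applications. A short comment above the call would keep the rationale with the code, for example `/* Request a subkey so messages on this auth context are not protected with the ticket session key, which every connection using the same ticket shares. */`. The diffstat shows only the client changed and the receiving side is not visible here, so it is worth confirming with a test run that it takes the subkey from the AP-REQ before it verifies the KRB-SAFE message. main() starts and ends outside this hunk.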