From 4f8e4482b316cc5996986bdfae12cc27be27df5e Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Wed, 27 Oct 2010 15:05:56 -0400
Subject: pwd-plugin: Always use a special salt by default.

This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.

https://fedorahosted.org/freeipa/ticket/412
---
 .../ipa-pwd-extop/ipapwd_encoding.c                | 50 ++++++++++------------
 1 file changed, 22 insertions(+), 28 deletions(-)

(limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop')

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 462622a51..527e178fe 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
         case KRB5_KDB_SALTTYPE_NORMAL:
 
-            /* If pre auth is required we can set a random salt, otherwise
-             * we have to use a more conservative approach and set the salt
-             * to be REALMprincipal (the concatenation of REALM and principal
-             * name without any separator) */
-#if 0
-            if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) {
-                salt.length = KRB5P_SALT_SIZE;
-                salt.data = malloc(KRB5P_SALT_SIZE);
-                if (!salt.data) {
-                    LOG_OOM();
-                    goto enc_error;
-                }
-                krberr = krb5_c_random_make_octets(krbctx, &salt);
-                if (krberr) {
-                    LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
-                              krb5_get_error_message(krbctx, krberr));
-                    goto enc_error;
-                }
-            } else {
-#endif
-                krberr = krb5_principal2salt(krbctx, princ, &salt);
-                if (krberr) {
-                    LOG_FATAL("krb5_principal2salt failed [%s]\n",
-                              krb5_get_error_message(krbctx, krberr));
-                    goto enc_error;
-                }
-#if 0
+            krberr = krb5_principal2salt(krbctx, princ, &salt);
+            if (krberr) {
+                LOG_FATAL("krb5_principal2salt failed [%s]\n",
+                          krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
+            }
+            break;
+
+        case KRB5_KDB_SALTTYPE_SPECIAL:
+
+            /* make random salt */
+            salt.length = KRB5P_SALT_SIZE;
+            salt.data = malloc(KRB5P_SALT_SIZE);
+            if (!salt.data) {
+                LOG_OOM();
+                goto enc_error;
+            }
+            krberr = krb5_c_random_make_octets(krbctx, &salt);
+            if (krberr) {
+                LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
+                          krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
             }
-#endif
             break;
 
         case KRB5_KDB_SALTTYPE_V4:
-- 
cgit