authorSam Hartman <hartmans@mit.edu>2003-05-24 01:03:30 +0000
committerSam Hartman <hartmans@mit.edu>2003-05-24 01:03:30 +0000
commit7f7fbec7637a8c1c1ee2f9afd5decf5fda230335 (patch)
treec8dff2a4bfcfe08acac31c75bec019eaa56d594d
parentfd14217c0335db3591078911d49d6e5094f2606e (diff)
When generating etype_info2 for DES style keys, use s2kparams to
communicate the type if the key has afs3 salt. If such s2kparams are received by the client, use the afs string2key function to process the key. Ticket: 1512 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15489 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kdc/ChangeLog8
-rw-r--r--src/kdc/kdc_preauth.c39
-rw-r--r--src/lib/crypto/old/ChangeLog6
-rw-r--r--src/lib/crypto/old/des_stringtokey.c17
4 files changed, 58 insertions, 12 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 097fe7c9e3..0b3ea7f837 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,11 @@
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (_make_etype_info_entry): Add flag to know if we
+ are producing etype_info2 so we know whether filling in s2kparams
+ is allowed. In the etype_info2 case support afs3 salts.
+ (etype_info_helper): Pass in flag
+ (return_etype_info2): And here
+
2003-05-23 Ezra Peisach <epeisach@mit.edu>
* kdc_preauth.c (return_etype_info2): After encoding the
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 3dcced412c..342f050218 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -572,12 +572,10 @@ cleanup:
}
static krb5_error_code
-_make_etype_info_entry(context, request, client_key, etype, entry)
- krb5_context context;
- krb5_kdc_req * request;
- krb5_key_data * client_key;
- const krb5_enctype etype;
- krb5_etype_info_entry ** entry;
+_make_etype_info_entry(krb5_context context,
+ krb5_kdc_req *request, krb5_key_data *client_key,
+ krb5_enctype etype, krb5_etype_info_entry **entry,
+ int etype_info2)
{
krb5_data salt;
krb5_etype_info_entry * tmp_entry;
@@ -598,6 +596,24 @@ _make_etype_info_entry(context, request, client_key, etype, entry)
client_key, &salt);
if (retval)
goto fail;
+ if (etype_info2 && client_key->key_data_ver > 1 &&
+ client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_AFS3) {
+ switch (etype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ tmp_entry->s2kparams.data = malloc(1);
+ if (tmp_entry->s2kparams.data == NULL) {
+ retval = ENOMEM;
+ goto fail;
+ }
+ tmp_entry->s2kparams.length = 1;
+ tmp_entry->s2kparams.data[0] = 1;
+ break;
+ default:
+ break;
+ }
+ }
if (salt.length >= 0) {
tmp_entry->length = salt.length;
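Review bot: The fail path in the next hunk frees `tmp_entry->s2kparams.data` whenever it is non-NULL, so this new block relies on `s2kparams` having been zeroed when `tmp_entry` was allocated earlier in `_make_etype_info_entry`; that allocation is outside the hunk, so either confirm it zero-fills or set `tmp_entry->s2kparams.data = NULL; tmp_entry->s2kparams.length = 0;` before the `etype_info2` test so the cleanup cannot free an indeterminate pointer. The single byte stored here is a wire-protocol value that the client side decodes in `krb5int_des_string_to_key`, but nothing in the code says so; a comment above the `malloc(1)` such as `/* one-byte s2kparams: 1 = use AFS3 string-to-key (decoded in des_stringtokey.c) */` would tie the two halves of the change together. The function body continues past the end of the hunk.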
@@ -608,8 +624,11 @@ _make_etype_info_entry(context, request, client_key, etype, entry)
return 0;
fail:
- if (tmp_entry)
+ if (tmp_entry) {
+ if (tmp_entry->s2kparams.data)
+ free(tmp_entry->s2kparams.data);
free(tmp_entry);
+ }
if (salt.data)
free(salt.data);
return retval;
@@ -654,7 +673,7 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
assert(etype_info2 ||
!enctype_requires_etype_info_2(db_etype));
if ((retval = _make_etype_info_entry(context, request, client_key,
- db_etype, &entry[i])) != 0) {
+ db_etype, &entry[i], etype_info2)) != 0) {
goto cleanup;
}
entry[i+1] = 0;
@@ -679,7 +698,7 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
}
if (request_contains_enctype(context, request, db_etype)) {
if ((retval = _make_etype_info_entry(context, request,
- client_key, db_etype, &entry[i])) != 0) {
+ client_key, db_etype, &entry[i], etype_info2)) != 0) {
goto cleanup;
}
entry[i+1] = 0;
@@ -754,7 +773,7 @@ return_etype_info2(krb5_context context, krb5_pa_data * padata,
entry[0] = NULL;
entry[1] = NULL;
retval = _make_etype_info_entry(context, request, client_key, client_key->key_data_type[0],
- entry);
+ entry, 1);
if (retval)
goto cleanup;
retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
diff --git a/src/lib/crypto/old/ChangeLog b/src/lib/crypto/old/ChangeLog
index c23b403716..bab270489d 100644
--- a/src/lib/crypto/old/ChangeLog
+++ b/src/lib/crypto/old/ChangeLog
@@ -1,3 +1,9 @@
+2003-05-23 Sam Hartman <hartmans@mit.edu>
+
+ * des_stringtokey.c (krb5int_des_string_to_key): If param has one
+ byte, treat it as a type. Type 0 is normal, type 1 is AFS
+ string2key.
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* des_stringtokey.c (krb5int_des_string_to_key): Renamed from
diff --git a/src/lib/crypto/old/des_stringtokey.c b/src/lib/crypto/old/des_stringtokey.c
index fd3440bda0..20f2f053a5 100644
--- a/src/lib/crypto/old/des_stringtokey.c
+++ b/src/lib/crypto/old/des_stringtokey.c
@@ -26,6 +26,7 @@
#include "k5-int.h"
#include "old.h"
+#include <des_int.h>
/* XXX */
extern krb5_error_code mit_des_string_to_key_int
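Review bot: The new `#include <des_int.h>` uses angle brackets while the adjacent project headers `k5-int.h` and `old.h` use quotes; `#include "des_int.h"` keeps the file consistent and makes the include lookup explicit. I assume this header is what supplies the prototype for `mit_afs_string_to_key` called later in the file — worth confirming, since without it the call would compile as an implicit declaration under the pre-C99 dialect this file still uses.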
@@ -41,7 +42,19 @@ krb5int_des_string_to_key(enc, string, salt, parm, key)
const krb5_data *parm;
krb5_keyblock *key;
{
- if (parm != NULL)
- return KRB5_ERR_BAD_S2K_PARAMS;
+ int type;
+ if (parm ) {
+ if (parm->length != 1)
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ type = parm->data[0];
+ }
+ else type = 0;
+ switch(type) {
+ case 0:
return(mit_des_string_to_key_int(key, string, salt));
+ case 1:
+ return mit_afs_string_to_key(key, string, salt);
+ default:
+ return KRB5_ERR_BAD_S2K_PARAMS;
+ }
}
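Review bot: The type byte read from `parm->data[0]` is compared against bare constants 0 and 1 with nothing in the code recording what they mean; the ChangeLog is currently the only place the mapping lives. A comment before the `switch`, `/* one-byte s2kparams from the KDC: 0 = normal DES string-to-key, 1 = AFS3 string-to-key; any other length or value is rejected */`, would document the contract with the KDC side that produces this byte. As a style point, `if (parm )` has a stray space and `else type = 0;` is the one unbraced branch in the block; the same logic reads more plainly as `if (parm != NULL && parm->length != 1) return KRB5_ERR_BAD_S2K_PARAMS;` followed by `type = parm ? (unsigned char)parm->data[0] : 0;`, which also makes the unsigned interpretation of the byte explicit.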