authorGreg Hudson <ghudson@mit.edu>2012-04-27 21:11:04 +0000
committerGreg Hudson <ghudson@mit.edu>2012-04-27 21:11:04 +0000
commitbc096a77ffdab283d77c2e0fc1fdd15b9f77eb41 (patch)
tree9921ea248714b444781e3cb25e12842f55b3d2a8 /src/lib/krb5/krb
parentb886919f6478e8c55811c5b790cb5a4a69f9c341 (diff)
Stop using SALT_TYPE_AFS_LENGTH
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to track whether we're still using the default salt instead of overloading salt.length. In preauth2.c, process afs3 salt values like we would in krb5int_des_string_to_key, and set an s2kparams indicator instead of overloading salt.length. Also use an s2kparams indicator in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded salt lengths, except for a sanity check. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb')
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c8
-rw-r--r--src/lib/krb5/krb/gic_pwd.c2
-rw-r--r--src/lib/krb5/krb/init_creds_ctx.h1
-rw-r--r--src/lib/krb5/krb/preauth2.c30
4 files changed, 33 insertions, 8 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 471834611a..738bd9c377 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -822,6 +822,7 @@ krb5_init_creds_init(krb5_context context,
ctx->preauth_rock.as_key = &ctx->as_key;
ctx->preauth_rock.gak_fct = &ctx->gak_fct;
ctx->preauth_rock.gak_data = &ctx->gak_data;
+ ctx->preauth_rock.default_salt = &ctx->default_salt;
ctx->preauth_rock.salt = &ctx->salt;
ctx->preauth_rock.s2kparams = &ctx->s2kparams;
ctx->preauth_rock.client = client;
@@ -944,9 +945,10 @@ krb5_init_creds_init(krb5_context context,
code = krb5int_copy_data_contents(context, opte->salt, &ctx->salt);
if (code != 0)
goto cleanup;
+ ctx->default_salt = FALSE;
} else {
- ctx->salt.length = SALT_TYPE_AFS_LENGTH;
- ctx->salt.data = NULL;
+ ctx->salt = empty_data();
+ ctx->default_salt = TRUE;
}
/* Anonymous. */
@@ -1416,7 +1418,7 @@ init_creds_step_reply(krb5_context context,
* salt. local_as_reply->client will be checked later on in
* verify_as_reply.
*/
- if (ctx->salt.length == SALT_TYPE_AFS_LENGTH && ctx->salt.data == NULL) {
+ if (ctx->default_salt) {
code = krb5_principal2salt(context, ctx->reply->client, &ctx->salt);
TRACE_INIT_CREDS_SALT_PRINC(context, &ctx->salt);
if (code != 0)
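Review bot: After krb5_principal2salt fills ctx->salt under the new `if (ctx->default_salt)` test, ctx->default_salt is still TRUE within this hunk, so code that consults the flag later — preauth2.c's get_as_key in this same commit passes a NULL salt whenever *rock->default_salt is set — keeps treating the salt as undetermined, and a second pass through this branch would overwrite ctx->salt without freeing the earlier buffer. Unless the lines following the hunk already do so, reset the flag once the salt is stored, `ctx->default_salt = FALSE;` after the `if (code != 0)` check, and free the previous contents before calling krb5_principal2salt. The removed test on salt.data == NULL stopped matching by itself after the first computation; the boolean needs an explicit reset to give the same effect. init_creds_step_reply begins and ends outside the hunk.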
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 40b448d150..68d28fe9d3 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -63,7 +63,7 @@ krb5_get_as_key_password(krb5_context context,
return(ret);
}
- if (salt->length == SALT_TYPE_AFS_LENGTH && salt->data == NULL) {
+ if (salt == NULL) {
if ((ret = krb5_principal2salt(context, client, &defsalt)))
return(ret);
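Review bot: The new `if (salt == NULL)` makes a NULL salt pointer part of the get-as-key callback contract (it replaces the in-band SALT_TYPE_AFS_LENGTH sentinel), but nothing in the hunk documents it, so a callback author reading gic_pwd.c alone cannot tell that NULL means "no salt supplied, derive it from client". Add a comment above the check, `/* A NULL salt means none was supplied; derive the default salt from client. */`, and make sure the gak_fct type's header documentation states the same convention, since external callbacks are bound by it. krb5_get_as_key_password starts and ends outside the hunk.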
diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
index 48376fccd4..2653ee1613 100644
--- a/src/lib/krb5/krb/init_creds_ctx.h
+++ b/src/lib/krb5/krb/init_creds_ctx.h
@@ -36,6 +36,7 @@ struct _krb5_init_creds_context {
krb5_data *encoded_previous_request;
struct krb5int_fast_request_state *fast_state;
krb5_pa_data **preauth_to_use;
+ krb5_boolean default_salt;
krb5_data salt;
krb5_data s2kparams;
krb5_keyblock as_key;
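Review bot: The new default_salt field carries no comment, while its meaning (the salt has not been set yet and is to be derived from the client principal) is only discoverable from the get_in_tkt.c and preauth2.c call sites in this commit. Document it at the declaration, `krb5_boolean default_salt;  /* TRUE until salt is set; derive from client */`, so the pairing with the salt field below is visible to anyone adding a new writer of either member.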
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 2ff862409e..7c54527902 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -391,10 +391,12 @@ get_as_key(krb5_context context, krb5_clpreauth_rock rock,
krb5_keyblock **keyblock)
{
krb5_error_code ret;
+ krb5_data *salt;
if (rock->as_key->length == 0) {
+ salt = (*rock->default_salt) ? NULL : rock->salt;
ret = (*rock->gak_fct)(context, rock->client, *rock->etype,
- rock->prompter, rock->prompter_data, rock->salt,
+ rock->prompter, rock->prompter_data, salt,
rock->s2kparams, rock->as_key, *rock->gak_data);
if (ret)
return ret;
@@ -565,6 +567,7 @@ get_etype_info(krb5_context context, krb5_pa_data **padata,
krb5_etype_info etype_info = NULL, e;
krb5_etype_info_entry *entry;
krb5_boolean valid_found;
+ const char *p;
int i;
/* Find an etype-info2 or etype-info element in padata. */
@@ -604,6 +607,10 @@ get_etype_info(krb5_context context, krb5_pa_data **padata,
if (entry->length != KRB5_ETYPE_NO_SALT) {
*rock->salt = make_data(entry->salt, entry->length);
entry->salt = NULL;
+ *rock->default_salt = FALSE;
+ } else {
+ *rock->salt = empty_data();
+ *rock->default_salt = TRUE;
}
krb5_free_data_contents(context, rock->s2kparams);
*rock->s2kparams = entry->s2kparams;
@@ -619,12 +626,27 @@ get_etype_info(krb5_context context, krb5_pa_data **padata,
/* Set rock->salt based on the element we found. */
krb5_free_data_contents(context, rock->salt);
d = padata2data(*pa);
- ret = krb5int_copy_data_contents_add0(context, &d, rock->salt);
+ ret = krb5int_copy_data_contents(context, &d, rock->salt);
if (ret)
goto cleanup;
+ if (pa->pa_type == KRB5_PADATA_AFS3_SALT) {
+ /* Work around a (possible) old Heimdal KDC foible. */
+ p = memchr(rock->salt->data, '@', rock->salt->length);
+ if (p != NULL)
+ rock->salt->length = p - rock->salt->data;
+ /* Tolerate extra null in MIT KDC afs3-salt value. */
+ if (rock->salt->length > 0 &&
+ rock->salt->data[rock->salt->length - 1] == '\0')
+ rock->salt->length--;
+ /* Set an s2kparams value to indicate AFS string-to-key. */
+ krb5_free_data_contents(context, rock->s2kparams);
+ ret = alloc_data(rock->s2kparams, 1);
+ if (ret)
+ goto cleanup;
+ rock->s2kparams->data[0] = '\1';
+ }
+ *rock->default_salt = FALSE;
TRACE_PREAUTH_SALT(context, rock->salt, pa->pa_type);
- if (pa->pa_type == KRB5_PADATA_AFS3_SALT)
- rock->salt->length = SALT_TYPE_AFS_LENGTH;
}
}
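Review bot: The `memchr(rock->salt->data, '@', rock->salt->length)` scan in the new afs3-salt branch runs even when the copied salt is empty; if krb5int_copy_data_contents leaves data NULL for a zero-length input (not visible in this hunk), the call becomes memchr(NULL, '@', 0), which is undefined behaviour in C even though common libc implementations tolerate it. Guard the scan with the length, `p = rock->salt->length > 0 ? memchr(rock->salt->data, '@', rock->salt->length) : NULL;`, mirroring the `rock->salt->length > 0` check already done for the trailing NUL two lines below. The `'\1'` written into s2kparams is a private indicator that must agree byte-for-byte with the string-to-key side; a named constant, or at least a comment naming the consuming function, would keep the two ends from drifting apart. get_etype_info continues past the end of the hunk.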