summaryrefslogtreecommitdiffstats
path: root/src/lib/krb5
diff options
context:
space:
mode:
authorKen Raeburn <raeburn@mit.edu>2000-03-13 07:30:40 +0000
committerKen Raeburn <raeburn@mit.edu>2000-03-13 07:30:40 +0000
commit803595cb0d67ccea3a759ded7325655be01d5403 (patch)
tree54eabb098e41a65656b8642acaa4931a26f35635 /src/lib/krb5
parentb590623a65ecb096cc003bbcde78dbb62dcf703c (diff)
downloadkrb5-803595cb0d67ccea3a759ded7325655be01d5403.tar.gz
krb5-803595cb0d67ccea3a759ded7325655be01d5403.tar.xz
krb5-803595cb0d67ccea3a759ded7325655be01d5403.zip
Fix one of the bugs discovered at Connectathon: etype specified in preauth
data is ignored under get_in_tkt interface. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12104 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/ChangeLog16
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c5
-rw-r--r--src/lib/krb5/krb/preauth2.c52
3 files changed, 68 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 7d436c7c40..97265206f7 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,19 @@
+2000-03-13 Ken Raeburn <raeburn@mit.edu>
+
+ * preauth2.c (pa_function): Called function now takes new
+ krb5_enctype pointer argument.
+ (pa_salt, pa_sam): Accept new arg, ignore it.
+ (pa_enc_timestamp): Accept new arg. If value pointed to is
+ nonzero, pass it to get-AS-key fn instead of first requested
+ enctype. Added some debugging fprintf calls, conditionally
+ compiled.
+ (krb5_do_preauth): Accept new arg, and pass it through to the
+ specific preauth functions. Added some debugging fprintf calls,
+ conditionally compiled.
+
+ * get_in_tkt.c (krb5_get_init_creds): Pass etype pointer to
+ krb5_do_preauth.
+
2000-03-12 Ezra Peisach <epeisach@mit.edu>
* addr_comp.c, addr_order.c, addr_srch.c, bld_pr_ext.c,
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 4ca50e2091..c1c6df1606 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -722,6 +722,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
krb5_error *err_reply;
krb5_kdc_rep *local_as_reply;
krb5_timestamp time_now;
+ krb5_enctype etype = 0;
/* initialize everything which will be freed at cleanup */
@@ -910,7 +911,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (ret = krb5_do_preauth(context, &request,
padata, &request.padata,
- &salt, &as_key, prompter,
+ &salt, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data))
goto cleanup;
@@ -955,7 +956,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (ret = krb5_do_preauth(context, &request,
local_as_reply->padata, &padata,
- &salt, &as_key, prompter,
+ &salt, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data))
goto cleanup;
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index e2cb32b4af..ec80c6520a 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -36,6 +36,7 @@ typedef krb5_error_code (*pa_function)(krb5_context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter_fct,
void *prompter_data,
@@ -57,6 +58,7 @@ krb5_error_code pa_salt(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
krb5_gic_get_as_key_fct gak_fct, void *gak_data)
@@ -92,6 +94,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
void *prompter_data,
@@ -105,8 +108,17 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
krb5_pa_data *pa;
if (as_key->length == 0) {
+#ifdef DEBUG
+ fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
+ salt->length);
+ if (salt->length > 0)
+ fprintf (stderr, " '%*s'", salt->length, salt->data);
+ fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
+ *etype, request->ktype[0]);
+#endif
if (ret = ((*gak_fct)(context, request->client,
- request->ktype[0], prompter, prompter_data,
+ *etype ? *etype : request->ktype[0],
+ prompter, prompter_data,
salt, as_key, gak_data)))
return(ret);
}
@@ -119,9 +131,20 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
if (ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp))
return(ret);
+#ifdef DEBUG
+ fprintf (stderr, "key type %d bytes %02x %02x ...\n",
+ as_key->enctype,
+ as_key->contents[0], as_key->contents[1]);
+#endif
ret = krb5_encrypt_helper(context, as_key,
KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
tmp, &enc_data);
+#ifdef DEBUG
+ fprintf (stderr, "enc data { type=%d kvno=%d data=%02x %02x ... }\n",
+ enc_data.enctype, enc_data.kvno,
+ 0xff & enc_data.ciphertext.data[0],
+ 0xff & enc_data.ciphertext.data[1]);
+#endif
krb5_free_data(context, tmp);
@@ -211,6 +234,7 @@ krb5_error_code pa_sam(krb5_context context,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
krb5_data *salt,
+ krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter,
void *prompter_data,
@@ -443,7 +467,7 @@ krb5_error_code
krb5_do_preauth(krb5_context context,
krb5_kdc_req *request,
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt,
+ krb5_data *salt, krb5_enctype *etype,
krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
krb5_gic_get_as_key_fct gak_fct, void *gak_data)
@@ -461,6 +485,17 @@ krb5_do_preauth(krb5_context context,
return(0);
}
+#ifdef DEBUG
+ fprintf (stderr, "salt len=%d", salt->length);
+ if (salt->length > 0)
+ fprintf (stderr, " '%*s'", salt->length, salt->data);
+ fprintf (stderr, "; preauth data types:");
+ for (i = 0; in_padata[i]; i++) {
+ fprintf (stderr, " %d", in_padata[i]->pa_type);
+ }
+ fprintf (stderr, "\n");
+#endif
+
out_pa_list = NULL;
out_pa_list_size = 0;
@@ -491,6 +526,17 @@ krb5_do_preauth(krb5_context context,
}
salt->data = (char *) etype_info[0]->salt;
salt->length = etype_info[0]->length;
+ *etype = etype_info[0]->etype;
+#ifdef DEBUG
+ for (j = 0; etype_info[j]; j++) {
+ krb5_etype_info_entry *e = etype_info[j];
+ fprintf (stderr, "etype info %d: etype %d salt len=%d",
+ j, e->etype, e->length);
+ if (e->length > 0)
+ fprintf (stderr, " '%*s'", e->length, e->salt);
+ fprintf (stderr, "\n");
+ }
+#endif
break;
case KRB5_PADATA_PW_SALT:
case KRB5_PADATA_AFS3_SALT:
@@ -507,7 +553,7 @@ krb5_do_preauth(krb5_context context,
if (ret = ((*pa_types[j].fct)(context, request,
in_padata[i], &out_pa,
- salt, as_key,
+ salt, etype, as_key,
prompter, prompter_data,
gak_fct, gak_data))) {
if (out_pa_list) {