diff options
author | Ken Raeburn <raeburn@mit.edu> | 2000-03-13 07:30:40 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2000-03-13 07:30:40 +0000 |
commit | 803595cb0d67ccea3a759ded7325655be01d5403 (patch) | |
tree | 54eabb098e41a65656b8642acaa4931a26f35635 /src/lib/krb5 | |
parent | b590623a65ecb096cc003bbcde78dbb62dcf703c (diff) | |
download | krb5-803595cb0d67ccea3a759ded7325655be01d5403.tar.gz krb5-803595cb0d67ccea3a759ded7325655be01d5403.tar.xz krb5-803595cb0d67ccea3a759ded7325655be01d5403.zip |
Fix one of the bugs discovered at Connectathon: etype specified in preauth
data is ignored under get_in_tkt interface.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12104 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r-- | src/lib/krb5/krb/ChangeLog | 16 | ||||
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 5 | ||||
-rw-r--r-- | src/lib/krb5/krb/preauth2.c | 52 |
3 files changed, 68 insertions, 5 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 7d436c7c40..97265206f7 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,19 @@ +2000-03-13 Ken Raeburn <raeburn@mit.edu> + + * preauth2.c (pa_function): Called function now takes new + krb5_enctype pointer argument. + (pa_salt, pa_sam): Accept new arg, ignore it. + (pa_enc_timestamp): Accept new arg. If value pointed to is + nonzero, pass it to get-AS-key fn instead of first requested + enctype. Added some debugging fprintf calls, conditionally + compiled. + (krb5_do_preauth): Accept new arg, and pass it through to the + specific preauth functions. Added some debugging fprintf calls, + conditionally compiled. + + * get_in_tkt.c (krb5_get_init_creds): Pass etype pointer to + krb5_do_preauth. + 2000-03-12 Ezra Peisach <epeisach@mit.edu> * addr_comp.c, addr_order.c, addr_srch.c, bld_pr_ext.c, diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 4ca50e2091..c1c6df1606 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -722,6 +722,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, krb5_error *err_reply; krb5_kdc_rep *local_as_reply; krb5_timestamp time_now; + krb5_enctype etype = 0; /* initialize everything which will be freed at cleanup */ @@ -910,7 +911,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, if (ret = krb5_do_preauth(context, &request, padata, &request.padata, - &salt, &as_key, prompter, + &salt, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data)) goto cleanup; @@ -955,7 +956,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, if (ret = krb5_do_preauth(context, &request, local_as_reply->padata, &padata, - &salt, &as_key, prompter, + &salt, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data)) goto cleanup; diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index e2cb32b4af..ec80c6520a 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -36,6 +36,7 @@ typedef krb5_error_code (*pa_function)(krb5_context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter_fct, void *prompter_data, @@ -57,6 +58,7 @@ krb5_error_code pa_salt(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data) @@ -92,6 +94,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, @@ -105,8 +108,17 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_pa_data *pa; if (as_key->length == 0) { +#ifdef DEBUG + fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__, + salt->length); + if (salt->length > 0) + fprintf (stderr, " '%*s'", salt->length, salt->data); + fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n", + *etype, request->ktype[0]); +#endif if (ret = ((*gak_fct)(context, request->client, - request->ktype[0], prompter, prompter_data, + *etype ? *etype : request->ktype[0], + prompter, prompter_data, salt, as_key, gak_data))) return(ret); } @@ -119,9 +131,20 @@ krb5_error_code pa_enc_timestamp(krb5_context context, if (ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp)) return(ret); +#ifdef DEBUG + fprintf (stderr, "key type %d bytes %02x %02x ...\n", + as_key->enctype, + as_key->contents[0], as_key->contents[1]); +#endif ret = krb5_encrypt_helper(context, as_key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS, tmp, &enc_data); +#ifdef DEBUG + fprintf (stderr, "enc data { type=%d kvno=%d data=%02x %02x ... }\n", + enc_data.enctype, enc_data.kvno, + 0xff & enc_data.ciphertext.data[0], + 0xff & enc_data.ciphertext.data[1]); +#endif krb5_free_data(context, tmp); @@ -211,6 +234,7 @@ krb5_error_code pa_sam(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, @@ -443,7 +467,7 @@ krb5_error_code krb5_do_preauth(krb5_context context, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_pa_data ***out_padata, - krb5_data *salt, + krb5_data *salt, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data) @@ -461,6 +485,17 @@ krb5_do_preauth(krb5_context context, return(0); } +#ifdef DEBUG + fprintf (stderr, "salt len=%d", salt->length); + if (salt->length > 0) + fprintf (stderr, " '%*s'", salt->length, salt->data); + fprintf (stderr, "; preauth data types:"); + for (i = 0; in_padata[i]; i++) { + fprintf (stderr, " %d", in_padata[i]->pa_type); + } + fprintf (stderr, "\n"); +#endif + out_pa_list = NULL; out_pa_list_size = 0; @@ -491,6 +526,17 @@ krb5_do_preauth(krb5_context context, } salt->data = (char *) etype_info[0]->salt; salt->length = etype_info[0]->length; + *etype = etype_info[0]->etype; +#ifdef DEBUG + for (j = 0; etype_info[j]; j++) { + krb5_etype_info_entry *e = etype_info[j]; + fprintf (stderr, "etype info %d: etype %d salt len=%d", + j, e->etype, e->length); + if (e->length > 0) + fprintf (stderr, " '%*s'", e->length, e->salt); + fprintf (stderr, "\n"); + } +#endif break; case KRB5_PADATA_PW_SALT: case KRB5_PADATA_AFS3_SALT: @@ -507,7 +553,7 @@ krb5_do_preauth(krb5_context context, if (ret = ((*pa_types[j].fct)(context, request, in_padata[i], &out_pa, - salt, as_key, + salt, etype, as_key, prompter, prompter_data, gak_fct, gak_data))) { if (out_pa_list) { |