diff options
author | Sam Hartman <hartmans@mit.edu> | 2003-05-12 02:59:06 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2003-05-12 02:59:06 +0000 |
commit | b7d2f686d8c563ab64636974d64b5fae92ad1766 (patch) | |
tree | f4e69e6922c7ffa87a633a5caf3ef8c018ae23a7 /src/lib/krb5 | |
parent | 57a21011ff605a03c3ae5d021c4a0c2ef8361b4c (diff) | |
download | krb5-b7d2f686d8c563ab64636974d64b5fae92ad1766.tar.gz krb5-b7d2f686d8c563ab64636974d64b5fae92ad1766.tar.xz krb5-b7d2f686d8c563ab64636974d64b5fae92ad1766.zip |
* IMplement etype_info in KDC. If the request contains any new
enctypes (currently AES but anything not explicitly listed as old)
then only etype_info2 is sent back in response. Send back etype_info2
all the time. Also send back etype_info2 to provide salt and
s2kparams with AS reply not just for preauth errors.
* Expose interface for getting string2key with parameters (previously
implemented but not exported)
* IN the client (at least for get_init_creds interface) prfer
etype_info2 to etype_info and pw_salt. Pass s2kparams and use
string2key_with_params.
Ticket: 1454
Status: open
Target_Version: 1.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15412 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r-- | src/lib/krb5/krb/ChangeLog | 18 | ||||
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 11 | ||||
-rw-r--r-- | src/lib/krb5/krb/gic_keytab.c | 1 | ||||
-rw-r--r-- | src/lib/krb5/krb/gic_pwd.c | 4 | ||||
-rw-r--r-- | src/lib/krb5/krb/preauth2.c | 142 |
5 files changed, 88 insertions, 88 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 46c4754d61..b6e2480e1e 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,21 @@ +2003-05-09 Sam Hartman <hartmans@mit.edu> + + * preauth2.c: Patch from Sun to reorganize code for handling + etype_info requests. More efficient and easier to implement etype_info2 + (krb5_do_preauth): Support enctype_info2 + +2003-05-08 Sam Hartman <hartmans@mit.edu> + + * preauth2.c: Add s2kparams to the declaration of a preauth + function, to every instance of a preauth function and to every + call to gak_fct + + * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support + + * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams + + * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support + 2003-05-09 Ken Raeburn <raeburn@mit.edu> * init_ctx.c (init_common): Copy tgs_ktypes array to diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index dc06c53539..2f426d7216 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/get_in_tkt.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -734,6 +734,7 @@ krb5_get_init_creds(krb5_context context, krb5_deltat renew_life; int loopcount; krb5_data salt; + krb5_data s2kparams; krb5_keyblock as_key; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; @@ -742,6 +743,8 @@ krb5_get_init_creds(krb5_context context, /* initialize everything which will be freed at cleanup */ + s2kparams.data = NULL; + s2kparams.length = 0; request.server = NULL; request.ktype = NULL; request.addresses = NULL; @@ -927,7 +930,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = krb5_do_preauth(context, &request, padata, &request.padata, - &salt, &etype, &as_key, prompter, + &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; @@ -973,7 +976,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = krb5_do_preauth(context, &request, local_as_reply->padata, &padata, - &salt, &etype, &as_key, prompter, + &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; @@ -1005,7 +1008,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = ((*gak_fct)(context, request.client, local_as_reply->enc_part.enctype, - prompter, prompter_data, &salt, + prompter, prompter_data, &salt, &s2kparams, &as_key, gak_data)))) goto cleanup; diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index a7cb773a09..e7fb1aec6a 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -8,6 +8,7 @@ krb5_get_as_key_keytab( krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, + krb5_data *params, krb5_keyblock *as_key, void *gak_data) { diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 7b5e0bab30..54cf5f461c 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -9,6 +9,7 @@ krb5_get_as_key_password( krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, + krb5_data *params, krb5_keyblock *as_key, void *gak_data) { @@ -74,7 +75,8 @@ krb5_get_as_key_password( defsalt.length = 0; } - ret = krb5_c_string_to_key(context, etype, password, salt, as_key); + ret = krb5_c_string_to_key_with_params(context, etype, password, salt, + params->data?params:NULL, as_key); if (defsalt.length) krb5_xfree(defsalt.data); diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index e50440e2b6..5a9c1ba9e0 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -35,7 +35,7 @@ typedef krb5_error_code (*pa_function)(krb5_context, krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter_fct, @@ -57,7 +57,7 @@ krb5_error_code pa_salt(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, @@ -94,6 +94,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -119,7 +120,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, if ((ret = ((*gak_fct)(context, request->client, *etype ? *etype : request->ktype[0], prompter, prompter_data, - salt, as_key, gak_data)))) + salt, s2kparams, as_key, gak_data)))) return(ret); } @@ -233,6 +234,7 @@ krb5_error_code pa_sam(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -283,7 +285,7 @@ krb5_error_code pa_sam(krb5_context context, *etype = ENCTYPE_DES_CBC_CRC; if ((ret = (gak_fct)(context, request->client, *etype, prompter, - prompter_data, salt, as_key, gak_data))) + prompter_data, salt, s2kparams, as_key, gak_data))) return(ret); } sprintf(name, "%.*s", @@ -472,6 +474,7 @@ krb5_error_code pa_sam_2(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -542,7 +545,7 @@ krb5_error_code pa_sam_2(krb5_context context, retval = (gak_fct)(context, request->client, sc2b->sam_etype, prompter, - prompter_data, salt, as_key, gak_data); + prompter_data, salt, s2kparams, as_key, gak_data); if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); @@ -827,86 +830,18 @@ static const pa_types_t pa_types[] = { }, }; -static void -sort_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_etype_info_entry **etype_info) -{ -/* Originally adapted from a proposed solution in ticket 1006. This - * solution is not efficient, but implementing an efficient sort - * with a comparison function based on order in the kdc request would - * be difficult.*/ - krb5_etype_info_entry *tmp; - int i, j, e; - krb5_boolean similar; - - if (etype_info == NULL) - return; - - /* First, move up etype_info_entries whose enctype exactly matches a - * requested enctype. - */ - e = 0; - for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ ) - { - if (request->ktype[i] == etype_info[e]->etype) - { - e++; - continue; - } - for ( j = e+1 ; etype_info[j] ; j++ ) - if (request->ktype[i] == etype_info[j]->etype) - break; - if (etype_info[j] == NULL) - continue; - - tmp = etype_info[j]; - etype_info[j] = etype_info[e]; - etype_info[e] = tmp; - e++; - } - - /* Then move up etype_info_entries whose enctype is similar to a - * requested enctype. - */ - for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ ) - { - if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0) - continue; - - if (similar) - { - e++; - continue; - } - for ( j = e+1 ; etype_info[j] ; j++ ) - { - if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0) - continue; - - if (similar) - break; - } - if (etype_info[j] == NULL) - continue; - - tmp = etype_info[j]; - etype_info[j] = etype_info[e]; - etype_info[e] = tmp; - e++; - } -} - - krb5_error_code krb5_do_preauth(krb5_context context, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_pa_data ***out_padata, - krb5_data *salt, krb5_enctype *etype, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data) { int h, i, j, out_pa_list_size; + int seen_etype_info2 = 0; krb5_pa_data *out_pa, **out_pa_list; krb5_data scratch; krb5_etype_info etype_info = NULL; @@ -938,6 +873,7 @@ krb5_do_preauth(krb5_context context, for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) { realdone = 0; for (i=0; in_padata[i] && !realdone; i++) { + int k, l, etype_found, valid_etype_found; /* * This is really gross, but is necessary to prevent * lossge when talking to a 1.0.x KDC, which returns an @@ -946,8 +882,20 @@ krb5_do_preauth(krb5_context context, */ switch (in_padata[i]->pa_type) { case KRB5_PADATA_ETYPE_INFO: - if (etype_info) - continue; + case KRB5_PADATA_ETYPE_INFO2: + { + krb5_preauthtype pa_type = in_padata[i]->pa_type; + if (etype_info) { + if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2) + continue; + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + } + } + + if (pa_type == KRB5_PADATA_ETYPE_INFO2) + seen_etype_info2++; scratch.length = in_padata[i]->length; scratch.data = (char *) in_padata[i]->contents; ret = decode_krb5_etype_info(&scratch, &etype_info); @@ -963,10 +911,37 @@ krb5_do_preauth(krb5_context context, etype_info = NULL; break; } - sort_etype_info(context, request, etype_info); - salt->data = (char *) etype_info[0]->salt; - salt->length = etype_info[0]->length; - *etype = etype_info[0]->etype; + /* + * Select first etype in our request which is also in + * etype-info (preferring client request ktype order). + */ + for (etype_found = 0, valid_etype_found = 0, k = 0; + !etype_found && k < request->nktypes; k++) { + for (l = 0; etype_info[l]; l++) { + if (etype_info[l]->etype == request->ktype[k]) { + etype_found++; + break; + } + /* check if program has support for this etype for more + * precise error reporting. + */ + if (valid_enctype(etype_info[l]->etype)) + valid_etype_found++; + } + } + if (!etype_found) { + if (valid_etype_found) + /* supported enctype but not requested */ + return KRB5_CONFIG_ETYPE_NOSUPP; + else + /* unsupported enctype */ + return KRB5_PROG_ETYPE_NOSUPP; + + } + salt->data = (char *) etype_info[l]->salt; + salt->length = etype_info[l]->length; + *etype = etype_info[l]->etype; + *s2kparams = etype_info[l]->s2kparams; #ifdef DEBUG for (j = 0; etype_info[j]; j++) { krb5_etype_info_entry *e = etype_info[j]; @@ -978,6 +953,7 @@ krb5_do_preauth(krb5_context context, } #endif break; + } case KRB5_PADATA_PW_SALT: case KRB5_PADATA_AFS3_SALT: if (etype_info) @@ -993,7 +969,7 @@ krb5_do_preauth(krb5_context context, if ((ret = ((*pa_types[j].fct)(context, request, in_padata[i], &out_pa, - salt, etype, as_key, + salt, s2kparams, etype, as_key, prompter, prompter_data, gak_fct, gak_data)))) { if (out_pa_list) { |