authorTheodore Tso <tytso@mit.edu>1995-09-14 02:54:13 +0000
committerTheodore Tso <tytso@mit.edu>1995-09-14 02:54:13 +0000
commitb102c57ee3c0c5355bfd3e49481352ad1fecb23a (patch)
tree5f603ef3acfce27710045f9b492fa4bb722d47c2
parent8de94b3ee0fde840d468a71e8b29d8c4b8c7a6b3 (diff)
(key_encrypt_keys): Remove equally erroneous krb5_use_enctype() call
from key_encrypt_keys(). (key_string2key_keysalt and key_randomkey_keysalt): Install really ugly hack to prevent these routines from munging the master_encblock. This is not the correct fix. Proven will be making the correct fix which will involve removing these routines and using the correct libkdb functions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6786 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kadmin/v5server/ChangeLog9
-rw-r--r--src/kadmin/v5server/srv_key.c32
2 files changed, 38 insertions, 3 deletions
diff --git a/src/kadmin/v5server/ChangeLog b/src/kadmin/v5server/ChangeLog
index d7896a706..52a4fb7d7 100644
--- a/src/kadmin/v5server/ChangeLog
+++ b/src/kadmin/v5server/ChangeLog
@@ -1,5 +1,14 @@
Wed Sep 13 22:08:56 1995 Theodore Y. Ts'o (tytso@dcl)
+ * srv_key.c (key_string2key_keysalt and key_randomkey_keysalt):
+ Install really ugly hack to prevent these routines from munging
+ the master_encblock. This is not the correct fix. Proven
+ will be making the correct fix which will involve removing
+ these routines and using the corect libkdb functions.
+
+ * srv_key.c (key_encrypt_keys): Remove equally errneous
+ krb5_use_enctype() call from key_encrypt_keys().
+
* srv_key.c (key_decrypt_keys): Keys are encrypted in the key of
the master key encryption type, not in the keytype of the
key!!! Removed erroneous krb5_use_enctype() call.
diff --git a/src/kadmin/v5server/srv_key.c b/src/kadmin/v5server/srv_key.c
index 3cf8af9c7..25e709833 100644
--- a/src/kadmin/v5server/srv_key.c
+++ b/src/kadmin/v5server/srv_key.c
@@ -641,6 +641,7 @@ key_string2key_keysalt(ksent, ptr)
krb5_data salt;
krb5_keyblock key;
krb5_key_data *okeyp;
+ krb5_enctype old_enctype;
argp = (struct keysalt_iterate_args *) ptr;
kret = 0;
@@ -648,6 +649,17 @@ key_string2key_keysalt(ksent, ptr)
* Determine if this key/salt pair is salted.
*/
salted = 0;
+ /*
+ * XXXXX this is totally, totally wrong. We should never be using
+ * krb5_use_enctype on master_encblock. In particular, it won't
+ * work once we start having non-DES encryption systems.
+ *
+ * For now, we're going to do ths ugly kludge where we save the
+ * master_encblock's old encryption system, and restore it at the
+ * end of this routine. This is wrong, and it *will* break in the
+ * future. We need to fix this before we let this code go out....
+ */
+ old_enctype = master_encblock.crypto_entry->proto_enctype;
krb5_use_enctype(argp->context, &master_encblock, ksent->ks_enctype);
if (!krb5_dbe_find_enctype(argp->context,
argp->dbentry,
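Review bot: The switch at `krb5_use_enctype(argp->context, &master_encblock, ksent->ks_enctype);` discards its result, and the new save on the line before it reads `master_encblock.crypto_entry->proto_enctype` without checking that `crypto_entry` is set. If krb5_use_enctype reports an error for an unsupported enctype (its definition is not visible here), the routine carries on with the master key block in an undetermined state; something like `if ((kret = krb5_use_enctype(argp->context, &master_encblock, ksent->ks_enctype))) goto done;` would stop it. The same pair of lines appears in key_randomkey_keysalt in the later hunk. The function body continues outside this hunk.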
@@ -749,6 +761,7 @@ key_string2key_keysalt(ksent, ptr)
okeyp->key_data_contents[1] = (krb5_octet *) salt.data;
}
done:
+ krb5_use_enctype(argp->context, &master_encblock, old_enctype);
return(kret);
}
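Review bot: The restore at `done:` ignores the result of krb5_use_enctype, so a failed restore leaves the global master_encblock selected for the per-key enctype while the function still returns whatever kret held. Per the ChangeLog entries in this commit, key_encrypt_keys and key_decrypt_keys rely on master_encblock carrying the master key's enctype, so a silent failure here would surface later as keys wrapped or unwrapped with the wrong cryptosystem. Consider keeping the first error, e.g. `{ krb5_error_code r = krb5_use_enctype(argp->context, &master_encblock, old_enctype); if (!kret) kret = r; }`, assuming the call returns a krb5_error_code. The restore in key_randomkey_keysalt has the same gap. Only the tail of the function is in this hunk.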
@@ -831,10 +844,22 @@ key_randomkey_keysalt(ksent, ptr)
krb5_error_code kret;
krb5_keyblock *key;
krb5_key_data *okeyp;
+ krb5_enctype old_enctype;
argp = (struct keysalt_iterate_args *) ptr;
kret = 0;
+ /*
+ * XXXXX this is totally, totally wrong. We should never be using
+ * krb5_use_enctype on master_encblock. In particular, it won't
+ * work once we start having non-DES encryption systems.
+ *
+ * For now, we're going to do ths ugly kludge where we save the
+ * master_encblock's old encryption system, and restore it at the
+ * end of this routine. This is wrong, and it *will* break in the
+ * future. We need to fix this before we let this code go out....
+ */
+ old_enctype = master_encblock.crypto_entry->proto_enctype;
krb5_use_enctype(argp->context, &master_encblock, ksent->ks_enctype);
if (krb5_dbe_find_enctype(argp->context,
argp->dbentry,
@@ -879,6 +904,10 @@ key_randomkey_keysalt(ksent, ptr)
krb5_xfree(key);
}
}
+ /*
+ * XXXX This is a kludge!!! See above.
+ */
+ krb5_use_enctype(argp->context, &master_encblock, old_enctype);
return(kret);
}
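Review bot: Unlike key_string2key_keysalt, the restore here sits inline before `return(kret);` with no cleanup label, so it protects only the fall-through path. The middle of key_randomkey_keysalt is outside the hunk; if any branch there returns early, master_encblock stays switched to `ksent->ks_enctype` for every later caller. A `done:` label in front of the restore, with error paths jumping to it, would match the other routine. The comment could also say what is restored rather than `See above`, e.g. `/* Restore master_encblock to the master key's enctype (saved in old_enctype). */`.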
@@ -960,9 +989,6 @@ key_encrypt_keys(kcontext, dbentp, nkeysp, inkeys, outkeysp)
ndone = 0;
nkeys = *nkeysp;
for (i=0; i<nkeys; i++) {
- krb5_use_enctype(kcontext,
- &master_encblock,
- (krb5_enctype) inkeys[i].key_data_type[0]);
if (!(kret = krb5_dbe_create_key_data(kcontext, &loser))) {
tmpkey.enctype = inkeys[i].key_data_type[0];
tmpkey.length = inkeys[i].key_data_length[0];