authorSam Hartman <hartmans@mit.edu>2003-05-12 02:59:06 +0000
committerSam Hartman <hartmans@mit.edu>2003-05-12 02:59:06 +0000
commitb7d2f686d8c563ab64636974d64b5fae92ad1766 (patch)
treef4e69e6922c7ffa87a633a5caf3ef8c018ae23a7 /src/kdc
parent57a21011ff605a03c3ae5d021c4a0c2ef8361b4c (diff)
* Implement etype_info in KDC. If the request contains any new
enctypes (currently AES but anything not explicitly listed as old) then only etype_info2 is sent back in response. Send back etype_info2 all the time. Also send back etype_info2 to provide salt and s2kparams with AS reply not just for preauth errors. * Expose interface for getting string2key with parameters (previously implemented but not exported) * In the client (at least for get_init_creds interface) prefer etype_info2 to etype_info and pw_salt. Pass s2kparams and use string2key_with_params. Ticket: 1454 Status: open Target_Version: 1.3 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15412 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/ChangeLog13
-rw-r--r--src/kdc/kdc_preauth.c130
2 files changed, 139 insertions, 4 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index bf28f9c93..64fbb4844 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,8 @@
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (return_pw_salt): Don't return pw-salt if the
+ client's enctype list mandates it supports enctype-info2
+
2003-05-09 Tom Yu <tlyu@mit.edu>
* kdc_util.c (kdc_process_tgs_req): Rename getremotesubkey ->
@@ -8,6 +13,14 @@
* kdc_preauth.c (get_etype_info): Patch from Sun to reorganize
code and make sure that even for md5 the database order is
preserved.
+ (enctype_requires_etype_info_2): new function; determines wether a
+ particular enctype in a client request means that the client is
+ required to support etype_info2 by Kerberos clarifications.
+ (etype_info_helper): Renamed from get_etype_info to abstract out
+ code in common between etype_info and etype_info2
+ (get_enctype_info): Return etype info only if request contains no
+ enctypes that require etype_info2
+ (return_etype_info2): New function.
2003-04-02 Sam Hartman <hartmans@mit.edu>
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 8d7a2ff56..31e6f4705 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -59,6 +59,8 @@
#include "adm_proto.h"
#include <syslog.h>
+#include <assert.h>
+
/* XXX This is ugly and should be in a header file somewhere */
#ifndef KRB5INT_DES_TYPES_DEFINED
#define KRB5INT_DES_TYPES_DEFINED
@@ -104,6 +106,18 @@ static krb5_error_code get_etype_info
(krb5_context, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
krb5_pa_data *data);
+static krb5_error_code
+get_etype_info2(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data);
+static krb5_error_code
+return_etype_info2(krb5_context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa);
+
static krb5_error_code return_pw_salt
(krb5_context, krb5_pa_data * padata,
krb5_db_entry *client,
@@ -156,6 +170,14 @@ static krb5_preauth_systems preauth_systems[] = {
0
},
{
+ "etype-info2",
+ KRB5_PADATA_ETYPE_INFO2,
+ 0,
+ get_etype_info2,
+ 0,
+ return_etype_info2
+ },
+ {
"pw-salt",
KRB5_PADATA_PW_SALT,
PA_PSEUDO, /* Don't include this in the error list */
@@ -432,6 +454,26 @@ cleanup:
}
static krb5_boolean
+enctype_requires_etype_info_2(krb5_enctype enctype)
+{
+ switch(enctype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES3_CBC_SHA1:
+ case ENCTYPE_DES3_CBC_RAW:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP :
+ case ENCTYPE_LOCAL_DES3_HMAC_SHA1:
+ return 0;
+ default:
+ if (krb5_c_valid_enctype(enctype))
+ return 1;
+ else return 0;
+ }
+}
+
+static krb5_boolean
request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
krb5_enctype enctype)
{
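Review bot: enctype_requires_etype_info_2 has no header comment, and one is needed because the policy it encodes is a negative list: every enctype not named in the switch is treated as "new", so adding a case later silently changes which clients are denied the legacy etype-info and pw-salt padata. I would add a comment above the function stating that the switch lists the enctypes pre-clarification clients understand, that any other enctype the library accepts is taken to mean the client must support etype-info2, and that an enctype rejected by krb5_c_valid_enctype returns false so an unknown enctype on its own never suppresses the legacy padata. That last behaviour looks deliberate but should be confirmed and recorded, since it is the compatibility-preserving direction. The body of request_contains_enctype continues past the end of the hunk.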
@@ -574,12 +616,13 @@ fail:
/*
* This function returns the etype information for a particular
* client, to be passed back in the preauth list in the KRB_ERROR
- * message.
+ * message. It supports generating both etype_info and etype_info2
+ * as most of the work is the same.
*/
static krb5_error_code
-get_etype_info(krb5_context context, krb5_kdc_req *request,
+etype_info_helper(krb5_context context, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data)
+ krb5_pa_data *pa_data, int etype_info2)
{
krb5_etype_info_entry ** entry = 0;
krb5_key_data *client_key;
@@ -607,6 +650,8 @@ get_etype_info(krb5_context context, krb5_kdc_req *request,
db_etype = ENCTYPE_DES_CBC_MD5;
if (request_contains_enctype(context, request, db_etype)) {
+ assert(etype_info2 ||
+ !enctype_requires_etype_info_2(db_etype));
if ((retval = _make_etype_info_entry(context, request, client_key,
db_etype, &entry[i])) != 0) {
goto cleanup;
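Review bot: The added `assert` makes a violated invariant abort the KDC on a single client request when assertions are compiled in, and check nothing at all under NDEBUG; the condition depends on request contents (db_etype has already passed request_contains_enctype) and on the caller's filtering in get_etype_info, so it is an input-derived check rather than a programming-error trap. Returning an error the caller already knows how to skip keeps the daemon running and behaves the same in both build modes: `if (!etype_info2 && enctype_requires_etype_info_2(db_etype)) { retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; goto cleanup; }`. The body of etype_info_helper continues outside the hunk.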
@@ -642,7 +687,10 @@ get_etype_info(krb5_context context, krb5_kdc_req *request,
seen_des++;
}
}
- retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
+ if (etype_info2)
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry,
+ &scratch);
+ else retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
&scratch);
if (retval)
goto cleanup;
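Review bot: The new `if (etype_info2) ... else retval = ...` puts each branch on an unbraced multi-line call and hangs the `else` in front of its statement, so the `&scratch);` continuation lines read as though they belonged to the `if`. Bracing both branches and giving the `else` its own line would make the two encode calls visibly parallel; the `retval` assignment could also be hoisted so only the function name differs between branches. The body of etype_info_helper continues outside the hunk.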
@@ -659,6 +707,75 @@ cleanup:
}
static krb5_error_code
+get_etype_info(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
+{
+ int i;
+ for (i=0; i < request->nktypes; i++) {
+ if (enctype_requires_etype_info_2(request->ktype[i]))
+ return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will
+ * skip this
+ * type*/
+ }
+ return etype_info_helper(context, request, client, server, pa_data, 0);
+}
+
+static krb5_error_code
+get_etype_info2(krb5_context context, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_pa_data *pa_data)
+{
+ return etype_info_helper( context, request, client, server, pa_data, 1);
+}
+
+static krb5_error_code
+return_etype_info2(krb5_context context, krb5_pa_data * padata,
+ krb5_db_entry *client,
+ krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa)
+{
+ krb5_error_code retval;
+ krb5_pa_data *tmp_padata;
+ krb5_etype_info_entry **entry = NULL;
+ krb5_data *scratch = NULL;
+ tmp_padata = malloc( sizeof(krb5_pa_data));
+ if (tmp_padata == NULL)
+ return ENOMEM;
+ tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2;
+ entry = malloc(2 * sizeof(krb5_etype_info_entry *));
+ if (entry == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ entry[0] = NULL;
+ entry[1] = NULL;
+ retval = _make_etype_info_entry(context, request, client_key, client_key->key_data_type[0],
+ entry);
+ if (retval)
+ goto cleanup;
+ retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
+ if (retval)
+ goto cleanup;
+ tmp_padata->contents = scratch->data;
+ tmp_padata->length = scratch->length;
+ *send_pa = tmp_padata;
+ cleanup:
+ if (entry)
+ krb5_free_etype_info(context, entry);
+ if (retval) {
+ if (tmp_padata)
+ free(tmp_padata);
+ if (scratch)
+ krb5_free_data(context, scratch);
+ }
+ return retval;
+}
+
+
+static krb5_error_code
return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
krb5_db_entry *client, krb5_kdc_req *request,
krb5_kdc_rep *reply, krb5_key_data *client_key,
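Review bot: return_etype_info2 leaks the krb5_data container on its success path: only `scratch->data` and `scratch->length` are adopted into tmp_padata, and the cleanup label frees `scratch` (via krb5_free_data) only when `retval` is non-zero, so the struct itself is never released on every successful AS reply — a per-request leak in a long-running daemon, assuming encode_krb5_etype_info2 allocates the container, which the failure-path krb5_free_data call suggests. Add an else branch to the cleanup block: `} else {` / `free(scratch);  /* contents now owned by tmp_padata */` / `}`. Separately, the `return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;;` line in get_etype_info carries three stray empty statements and a comment split awkwardly across continuation lines; `return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; /* caller skips this type */` reads cleanly. The signature of return_pw_salt at the end of the hunk continues outside it.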
@@ -668,7 +785,12 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
krb5_pa_data * padata;
krb5_data * scratch;
krb5_data salt_data;
+ int i;
+ for (i = 0; i < request->nktypes; i++) {
+ if (enctype_requires_etype_info_2(request->ktype[i]))
+ return 0;
+ }
if (client_key->key_data_ver == 1 ||
client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL)
return 0;
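Review bot: The loop added to return_pw_salt repeats, line for line, the loop in get_etype_info above ("does any requested enctype require etype-info2?"), and the two must stay in lock step or a client could be denied pw-salt while still being offered etype-info (or vice versa). A small helper taking the request keeps that decision in one place and documents it once. return_pw_salt continues past the end of the hunk, so only the added loop is replaced here.
```c
/*
 * True if any enctype the client listed obliges it to accept etype-info2,
 * in which case the legacy etype-info and pw-salt padata are withheld.
 */
static krb5_boolean
request_requires_etype_info_2(const krb5_kdc_req *request)
{
    int i;
    for (i = 0; i < request->nktypes; i++) {
        if (enctype_requires_etype_info_2(request->ktype[i]))
            return 1;
    }
    return 0;
}
/* … unchanged: return_pw_salt signature and locals … */
    if (request_requires_etype_info_2(request))
        return 0;
/* … unchanged: key_data_ver / salt-type check that follows … */
```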