diff options
author | Greg Hudson <ghudson@mit.edu> | 2014-05-23 19:58:41 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2014-06-05 11:34:28 -0400 |
commit | fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48 (patch) | |
tree | baff1e52e2262cc50df2d85a20f96a93abb3c2ee /src | |
parent | 1825455ede7e61ab934b16262fb5b12b78a52f1a (diff) | |
download | krb5-fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48.tar.gz krb5-fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48.tar.xz krb5-fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48.zip |
Treat LDAP KrbKey salt field as optional
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
ticket: 7919
target_version: 1.12.2
tags: pullup
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/krb5/asn.1/ldap_key_seq.c | 19 | ||||
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 6 | ||||
-rw-r--r-- | src/tests/kdbtest.c | 2 |
3 files changed, 21 insertions, 6 deletions
diff --git a/src/lib/krb5/asn.1/ldap_key_seq.c b/src/lib/krb5/asn.1/ldap_key_seq.c index 69ad847c2..deb47058d 100644 --- a/src/lib/krb5/asn.1/ldap_key_seq.c +++ b/src/lib/krb5/asn.1/ldap_key_seq.c @@ -57,14 +57,14 @@ DEFCOUNTEDSTRINGTYPE(ui2_octetstring, unsigned char *, krb5_ui_2, ASN1_OCTETSTRING); static int -is_salt_present(const void *p) +is_value_present(const void *p) { const krb5_key_data *val = p; return (val->key_data_length[1] != 0); } DEFCOUNTEDTYPE(krbsalt_salt, krb5_key_data, key_data_contents[1], key_data_length[1], ui2_octetstring); -DEFOPTIONALTYPE(krbsalt_salt_if_present, is_salt_present, NULL, krbsalt_salt); +DEFOPTIONALTYPE(krbsalt_salt_if_present, is_value_present, NULL, krbsalt_salt); DEFFIELD(krbsalt_0, krb5_key_data, key_data_type[1], 0, int16); DEFCTAGGEDTYPE(krbsalt_1, 1, krbsalt_salt_if_present); static const struct atype_info *krbsalt_fields[] = { @@ -80,7 +80,20 @@ static const struct atype_info *encryptionkey_fields[] = { }; DEFSEQTYPE(encryptionkey, krb5_key_data, encryptionkey_fields); -DEFCTAGGEDTYPE(key_data_0, 0, krbsalt); +static int +is_salt_present(const void *p) +{ + const krb5_key_data *val = p; + return val->key_data_ver > 1; +} +static void +no_salt(void *p) +{ + krb5_key_data *val = p; + val->key_data_ver = 1; +} +DEFOPTIONALTYPE(key_data_salt_if_present, is_salt_present, no_salt, krbsalt); +DEFCTAGGEDTYPE(key_data_0, 0, key_data_salt_if_present); DEFCTAGGEDTYPE(key_data_1, 1, encryptionkey); #if 0 /* We don't support this field currently. */ DEFCTAGGEDTYPE(key_data_2, 2, s2kparams), diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 482066fa2..b9bd05905 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -383,8 +383,10 @@ asn1_decode_sequence_of_keys(krb5_data *in, krb5_key_data **out, /* Set kvno and key_data_ver in each key_data element. */ for (i = 0; i < p->n_key_data; i++) { p->key_data[i].key_data_kvno = p->kvno; - p->key_data[i].key_data_ver = - (p->key_data[i].key_data_length[1] == 0) ? 1 : 2; + /* The decoder sets key_data_ver to 1 if no salt is present, but leaves + * it at 0 if salt is present. */ + if (p->key_data[i].key_data_ver == 0) + p->key_data[i].key_data_ver = 2; } *out = p->key_data; diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c index 64f28bbca..d21126558 100644 --- a/src/tests/kdbtest.c +++ b/src/tests/kdbtest.c @@ -120,7 +120,7 @@ static krb5_key_data keys[] = { U("expsalt") } }, { - 1, /* key_data_ver */ + 2, /* key_data_ver */ 2, /* key_data_kvno */ { ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 }, { 16, 0 }, |