return(retval);
}
+/* Construct a random explicit salt. */
+static krb5_error_code
+make_random_salt(krb5_context context, krb5_keysalt *salt_out)
+{
+ krb5_error_code retval;
+ unsigned char rndbuf[8];
+ krb5_data salt, rnd = make_data(rndbuf, sizeof(rndbuf));
+ unsigned int i;
+
+ /*
+ * Salts are limited by RFC 4120 to 7-bit ASCII. For ease of examination
+ * and to avoid certain folding issues for older enctypes, we use printable
+ * characters with four fixed bits and four random bits, encoding 64
+ * psuedo-random bits into 16 bytes.
+ */
+ retval = krb5_c_random_make_octets(context, &rnd);
+ if (retval)
+ return retval;
+ retval = alloc_data(&salt, sizeof(rndbuf) * 2);
+ if (retval)
+ return retval;
+ for (i = 0; i < sizeof(rndbuf); i++) {
+ salt.data[i * 2] = 0x40 | (rndbuf[i] >> 4);
+ salt.data[i * 2 + 1] = 0x40 | (rndbuf[i] & 0xf);
+ }
+
+ salt_out->type = KRB5_KDB_SALTTYPE_SPECIAL;
+ salt_out->data = salt;
+ return 0;
+}
+
/*
* Add key_data for a krb5_db_entry
* If passwd is NULL the assumes that the caller wants a random password.
return retval;
key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
break;
+ case KRB5_KDB_SALTTYPE_SPECIAL:
+ retval = make_random_salt(context, &key_salt);
+ if (retval)
+ return retval;
+ break;
default:
return(KRB5_KDB_BAD_SALTTYPE);
}