When generating etype_info2 for DES style keys, use s2kparams to
authorSam Hartman <hartmans@mit.edu>
Sat, 24 May 2003 01:03:30 +0000 (01:03 +0000)
committerSam Hartman <hartmans@mit.edu>
Sat, 24 May 2003 01:03:30 +0000 (01:03 +0000)
communicate the type if the key has afs3 salt.

If such s2kparams are received by the client, use the afs string2key
function to process the key.

Ticket: 1512
Tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15489 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_preauth.c
src/lib/crypto/old/ChangeLog
src/lib/crypto/old/des_stringtokey.c

index 097fe7c9e37e102cdda54595bb23d86fb4a1fb0f..0b3ea7f83703cfcc6224818fb6c57eb6ce4370a6 100644 (file)
@@ -1,3 +1,11 @@
+2003-05-23  Sam Hartman  <hartmans@mit.edu>
+
+       * kdc_preauth.c (_make_etype_info_entry): Add flag to know if we
+       are producing etype_info2 so we know whether filling in s2kparams
+       is allowed.    In the etype_info2 case support afs3 salts.
+       (etype_info_helper): Pass in flag
+       (return_etype_info2): And here
+
 2003-05-23  Ezra Peisach  <epeisach@mit.edu>
 
        * kdc_preauth.c (return_etype_info2): After encoding the
index 3dcced412c4c742e4024f24bdc6e322246ed18c6..342f05021842c5d0e6a9da45dd282fea6b04761a 100644 (file)
@@ -572,12 +572,10 @@ cleanup:
 }
 
 static krb5_error_code
-_make_etype_info_entry(context, request, client_key, etype, entry)
-    krb5_context               context;
-    krb5_kdc_req *             request;
-    krb5_key_data *            client_key;
-    const krb5_enctype         etype;
-    krb5_etype_info_entry **   entry;
+_make_etype_info_entry(krb5_context context,
+                      krb5_kdc_req *request, krb5_key_data *client_key,
+                      krb5_enctype etype, krb5_etype_info_entry **entry,
+                      int etype_info2)
 {
     krb5_data                  salt;
     krb5_etype_info_entry *    tmp_entry; 
@@ -598,6 +596,24 @@ _make_etype_info_entry(context, request, client_key, etype, entry)
                               client_key, &salt);
     if (retval)
        goto fail;
+    if (etype_info2 && client_key->key_data_ver > 1 &&
+       client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_AFS3) {
+       switch (etype) {
+       case ENCTYPE_DES_CBC_CRC:
+       case ENCTYPE_DES_CBC_MD4:
+       case ENCTYPE_DES_CBC_MD5:
+           tmp_entry->s2kparams.data = malloc(1);
+           if (tmp_entry->s2kparams.data == NULL) {
+               retval = ENOMEM;
+               goto fail;
+           }
+           tmp_entry->s2kparams.length = 1;
+           tmp_entry->s2kparams.data[0] = 1;
+           break;
+       default:
+           break;
+       }
+    }
 
     if (salt.length >= 0) {
        tmp_entry->length = salt.length;
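Review bot: The s2kparams type byte written at `tmp_entry->s2kparams.data[0] = 1;` is a bare literal whose meaning (AFS3 string-to-key) is recorded only in the ChangeLog, and it must stay in step with the `case 1:` that the client side decodes in des_stringtokey.c; a named constant in a header both files include would make that coupling explicit, e.g. `tmp_entry->s2kparams.data[0] = S2K_TYPE_AFS3_PLACEHOLDER;` with the name chosen to fit the project's header conventions. The `client_key->key_data_ver > 1` guard correctly bounds the `key_data_type[1]` read before it is made. A short comment on the `if (etype_info2 && ...)` line would also help, since etype_info (v1) must never carry s2kparams and that is the reason for the flag: `/* s2kparams only exist in etype_info2; a one-byte value 1 tells the client to use AFS3 string-to-key for DES */`. _make_etype_info_entry begins and ends outside this hunk.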
@@ -608,8 +624,11 @@ _make_etype_info_entry(context, request, client_key, etype, entry)
     return 0;
 
 fail:
-    if (tmp_entry)
+    if (tmp_entry) {
+       if (tmp_entry->s2kparams.data)
+           free(tmp_entry->s2kparams.data);
        free(tmp_entry);
+    }
     if (salt.data)
        free(salt.data);
     return retval;
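Review bot: The new cleanup `if (tmp_entry->s2kparams.data) free(tmp_entry->s2kparams.data);` is only safe if s2kparams.data is NULL from the moment tmp_entry is allocated; that allocation is outside this hunk, and if it is a plain malloc rather than calloc or an explicit zeroing, any `goto fail` taken before the s2kparams assignment in the earlier hunk would pass an uninitialized pointer to free(). Worth confirming at the allocation site, or adding `tmp_entry->s2kparams.data = NULL;` immediately after it. The NULL guard is also redundant because free(NULL) is a no-op, so `free(tmp_entry->s2kparams.data);` alone reads cleaner and matches the unconditional `free(tmp_entry);` below it. The start of _make_etype_info_entry is outside this hunk.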
@@ -654,7 +673,7 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
            assert(etype_info2 ||
                   !enctype_requires_etype_info_2(db_etype));
            if ((retval = _make_etype_info_entry(context, request, client_key,
-                           db_etype, &entry[i])) != 0) {
+                           db_etype, &entry[i], etype_info2)) != 0) {
                goto cleanup;
            }
            entry[i+1] = 0;
@@ -679,7 +698,7 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
            }
            if (request_contains_enctype(context, request, db_etype)) {
                if ((retval = _make_etype_info_entry(context, request,
-                               client_key, db_etype, &entry[i])) != 0) {
+                               client_key, db_etype, &entry[i], etype_info2)) != 0) {
                    goto cleanup;
                }
                entry[i+1] = 0;
@@ -754,7 +773,7 @@ return_etype_info2(krb5_context context, krb5_pa_data * padata,
     entry[0] = NULL;
     entry[1] = NULL;
     retval = _make_etype_info_entry(context, request, client_key, client_key->key_data_type[0],
-                                   entry);
+                                   entry, 1);
     if (retval)
        goto cleanup;
     retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch);
index c23b403716fa28095c2247f717a6a23b4eab3f56..bab270489d69eefce22967aa57cffb2b8d7027b6 100644 (file)
@@ -1,3 +1,9 @@
+2003-05-23  Sam Hartman  <hartmans@mit.edu>
+
+       * des_stringtokey.c (krb5int_des_string_to_key): If param has  one
+       byte, treat it as a type.   Type 0 is normal, type 1 is AFS
+       string2key. 
+
 2003-03-04  Ken Raeburn  <raeburn@mit.edu>
 
        * des_stringtokey.c (krb5int_des_string_to_key): Renamed from
index fd3440bda0c64c08f82eae63b34f1324331a4849..20f2f053a544715a66faeb59a84e5abb5e02eb0a 100644 (file)
@@ -26,6 +26,7 @@
 
 #include "k5-int.h"
 #include "old.h"
+#include <des_int.h>
 
 /* XXX */
 extern krb5_error_code mit_des_string_to_key_int
@@ -41,7 +42,19 @@ krb5int_des_string_to_key(enc, string, salt, parm, key)
      const krb5_data *parm;
      krb5_keyblock *key;
 {
-    if (parm != NULL)
-       return KRB5_ERR_BAD_S2K_PARAMS;
+    int type;
+    if (parm ) {
+       if (parm->length != 1)
+           return KRB5_ERR_BAD_S2K_PARAMS;
+       type = parm->data[0];
+    }
+    else type = 0;
+    switch(type) {
+    case 0:
     return(mit_des_string_to_key_int(key, string, salt));
+    case 1:
+       return mit_afs_string_to_key(key, string, salt);
+    default:
+       return KRB5_ERR_BAD_S2K_PARAMS;
+    }
 }
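Review bot: `type = parm->data[0];` stores a `char` into an `int`, so on platforms where char is signed a byte of 0x80 or above becomes negative; the `default:` branch still rejects it, which is the right outcome, but the encoding deserves a comment above the switch since it is otherwise documented only in the ChangeLog, e.g. `/* s2kparams, when present, is exactly one type byte: 0 = normal DES string-to-key, 1 = AFS string-to-key; anything else is malformed */`. The literal `1` must agree with the byte the KDC emits in _make_etype_info_entry in kdc_preauth.c, and a shared named constant would make that agreement checkable rather than implicit. On style, `if (parm )` has a stray space, `else type = 0;` is collapsed onto one line, and the `case 0:` return keeps its old indentation while `case 1:` is indented one level deeper; bracing the else and aligning the two case bodies would match the rest of the file.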