When NULL is passed into krb_get_in_pw_tkt, we only want to prompt once

for the password rather than passing NULL along to each string to key
function causing each to prompt independently.  Modify krb_get_in_pw_tkt
to call des_read_pw_string directly and then pass the resulting password
into each string to key function as needed.  Add a prototype of
des_read_pw_string to krb4int.h since it's an exported function of
libdes425 but isn't prototyped in des.h.

Ticket: 2648
Version_Reported: 1.3.3
Component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18129 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c
index 58a91b00df92591227a85bee218449f3773a2b93..cf4ebd15dfcbf979eaaf4d44faddc62d412e0779 100644 (file)
--- a/src/lib/krb4/g_in_tkt.c
+++ b/src/lib/krb4/g_in_tkt.c
@@ -406,6 +406,8 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
     CREDENTIALS *creds;
     KRB_UINT32 *laddrp;
 {
+    int ok;
+    char key_string[BUFSIZ];
     KTEXT_ST cip_st;
     KTEXT cip = &cip_st;       /* Returned Ciphertext */
     int kerror;
@@ -420,6 +422,23 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
                                   cip, &byteorder, &local_addr);
     if (kerror)
        return kerror;
+
+    /* If arg is null, we have to prompt for the password.  decrypt_tkt, by
+       way of the *_passwd_to_key functions, will prompt if the password is
+       NULL, but that means that each separate encryption type will prompt
+       separately.  Obtain the password first so that we can try multiple
+       encryption types without re-prompting.
+
+       Don't, however, prompt on a Windows or Macintosh environment, since
+       that's harder.  Rely on our caller to do it. */
+#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
+    if (arg == NULL) {
+        ok = des_read_pw_string(key_string, sizeof(key_string), "Password", 0);
+        if (ok != 0)
+            return ok;
+        arg = key_string;
+    }
+#endif
     
     /* Attempt to decrypt the reply.  Loop trying password_to_key algorithms 
        until we succeed or we get an error other than "bad password" */
@@ -443,6 +462,7 @@ krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
     }
 
     /* stomp stomp stomp */
+    memset(key_string, 0, sizeof(key_string));
     memset(cip->dat, 0, (size_t)cip->length);
     return kerror;
 }

diff --git a/src/lib/krb4/krb4int.h b/src/lib/krb4/krb4int.h
index 7125435f9e2ecc328bd94b097691bb9f119a2ec7..15ea14564775d7313cb9ba0f3eb7318b102c5b8f 100644 (file)
--- a/src/lib/krb4/krb4int.h
+++ b/src/lib/krb4/krb4int.h
@@ -117,3 +117,9 @@ int krb4int_save_credentials_addr(
 
 int krb4int_send_to_kdc_addr(KTEXT, KTEXT, char *,
                             struct sockaddr *, socklen_t *);
+
+/* 
+ * Exported by libdes425 and called by krb_get_in_pw_tkt, but not part of
+ * the standard DES interface and therefore not prototyped in des.h.
+ */
+int KRB5_CALLCONV des_read_pw_string(char *, int, char *, int);