* preauth2.c (pa_sam): In send-encrypted-sad mode, check for magic salt length
authorKen Raeburn <raeburn@mit.edu>
Wed, 16 Feb 2000 18:29:50 +0000 (18:29 +0000)
committerKen Raeburn <raeburn@mit.edu>
Wed, 16 Feb 2000 18:29:50 +0000 (18:29 +0000)
and generate a salt from the principal name if found; use the password and salt
to generate a key.  Provide timestamp if nonce is zero, regardless of preauth
mode.  (Patch from Chas Williams.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12045 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/preauth2.c

index 19c8af7996ca8c081871060feb10fa192a9d9faa..4315b8b5c264459c5700788a387518105fcef9bb 100644 (file)
@@ -1,3 +1,11 @@
+2000-02-16  Ken Raeburn  <raeburn@mit.edu>
+
+       * preauth2.c (pa_sam): In send-encrypted-sad mode, check for magic
+       salt length and generate a salt from the principal name if found;
+       use the password and salt to generate a key.  Provide timestamp if
+       nonce is zero, regardless of preauth mode.  (Patch from Chas
+       Williams.)
+
 2000-02-07  Ken Raeburn  <raeburn@mit.edu>
 
        * gic_pwd.c (krb5_get_as_key_password): If the as_key enctype is
index a942601a132878733ec0452cc12f96dcfff61239..c9d361d8c4fe2fc3ceba0b24de001f7e7fe6815d 100644 (file)
@@ -271,21 +271,57 @@ krb5_error_code pa_sam(krb5_context context,
     }
 
     enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
+    if (sam_challenge->sam_nonce == 0) {
+       if (ret = krb5_us_timeofday(context, 
+                               &enc_sam_response_enc.sam_timestamp,
+                               &enc_sam_response_enc.sam_usec)) {
+               krb5_xfree(sam_challenge);
+               return(ret);
+       }
+
+       sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
+    }
+
     /* XXX What if more than one flag is set?  */
     if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
-       enc_sam_response_enc.sam_sad = response_data;
-    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
-       if (sam_challenge->sam_nonce == 0) {
-           if (ret = krb5_us_timeofday(context, 
-                                       &enc_sam_response_enc.sam_timestamp,
-                                       &enc_sam_response_enc.sam_usec)) {
+
+       if (as_key->length) {
+           krb5_free_keyblock_contents(context, as_key);
+           as_key->length = 0;
+       }
+
+       /* generate a salt using the requested principal */
+
+       if ((salt->length == -1) && (salt->data == NULL)) {
+           if (ret = krb5_principal2salt(context, request->client,
+                                         &defsalt)) {
                krb5_xfree(sam_challenge);
                return(ret);
            }
 
-           sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
+           salt = &defsalt;
+       } else {
+           defsalt.length = 0;
+       }
+
+       /* generate a key using the supplied password */
+
+       ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
+                                  (krb5_data *)gak_data, salt, as_key);
+
+       if (defsalt.length)
+           krb5_xfree(defsalt.data);
+
+       if (ret) {
+           krb5_xfree(sam_challenge);
+           return(ret);
        }
 
+       /* encrypt the passcode with the key from above */
+
+       enc_sam_response_enc.sam_sad = response_data;
+    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
+
        /* process the key as password */
 
        if (as_key->length) {
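Review bot: In the `KRB5_SAM_SEND_ENCRYPTED_SAD` branch the new `krb5_c_string_to_key` call derives the replacement `as_key` with the literal `ENCTYPE_DES_CBC_MD5` and takes the password by casting the opaque `gak_data` to `krb5_data *`, so the key type never follows what the KDC or caller requested, and the cast is only valid if the caller actually put a password `krb5_data` behind that pointer. Neither assumption is checked or documented in the visible lines; at minimum add a comment above the call such as `/* XXX assumes gak_data is the password krb5_data and that the KDC expects a DES-CBC-MD5 key */`, and preferably pass an enctype carried by the challenge or request instead of the constant. The cleanup `if (defsalt.length) krb5_xfree(defsalt.data);` keys the free on the length rather than the pointer, which would leak if `krb5_principal2salt` ever returned allocated data with length zero. `pa_sam` starts and ends outside this hunk, so how `as_key` is used afterwards cannot be confirmed from here.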