From: Ken Raeburn Date: Wed, 16 Feb 2000 18:29:50 +0000 (+0000) Subject: * preauth2.c (pa_sam): In send-encrypted-sad mode, check for magic salt length X-Git-Tag: krb5-1.2-beta1~78 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f06921749014e39975e2a53b7324c75379ff9ea6;p=krb5.git * preauth2.c (pa_sam): In send-encrypted-sad mode, check for magic salt length and generate a salt from the principal name if found; use the password and salt to generate a key. Provide timestamp if nonce is zero, regardless of preauth mode. (Patch from Chas Williams.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12045 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 19c8af799..4315b8b5c 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,11 @@ +2000-02-16 Ken Raeburn + + * preauth2.c (pa_sam): In send-encrypted-sad mode, check for magic + salt length and generate a salt from the principal name if found; + use the password and salt to generate a key. Provide timestamp if + nonce is zero, regardless of preauth mode. (Patch from Chas + Williams.) + 2000-02-07 Ken Raeburn * gic_pwd.c (krb5_get_as_key_password): If the as_key enctype is diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index a942601a1..c9d361d8c 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -271,21 +271,57 @@ krb5_error_code pa_sam(krb5_context context, } enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce; + if (sam_challenge->sam_nonce == 0) { + if (ret = krb5_us_timeofday(context, + &enc_sam_response_enc.sam_timestamp, + &enc_sam_response_enc.sam_usec)) { + krb5_xfree(sam_challenge); + return(ret); + } + + sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp; + } + /* XXX What if more than one flag is set? */ if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) { - enc_sam_response_enc.sam_sad = response_data; - } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) { - if (sam_challenge->sam_nonce == 0) { - if (ret = krb5_us_timeofday(context, - &enc_sam_response_enc.sam_timestamp, - &enc_sam_response_enc.sam_usec)) { + + if (as_key->length) { + krb5_free_keyblock_contents(context, as_key); + as_key->length = 0; + } + + /* generate a salt using the requested principal */ + + if ((salt->length == -1) && (salt->data == NULL)) { + if (ret = krb5_principal2salt(context, request->client, + &defsalt)) { krb5_xfree(sam_challenge); return(ret); } - sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp; + salt = &defsalt; + } else { + defsalt.length = 0; + } + + /* generate a key using the supplied password */ + + ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, + (krb5_data *)gak_data, salt, as_key); + + if (defsalt.length) + krb5_xfree(defsalt.data); + + if (ret) { + krb5_xfree(sam_challenge); + return(ret); } + /* encrypt the passcode with the key from above */ + + enc_sam_response_enc.sam_sad = response_data; + } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) { + /* process the key as password */ if (as_key->length) {