From de3dc2e43ee4313d44399a65b837eab84ccc7949 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Tue, 22 Jul 2003 22:27:34 +0000 Subject: [PATCH] Send generalstring not octetstring in etype_info2. Accept either form. Also, if a etype_info fails to decode, skip it rather than failing to process the AS reply. Ticket: 1681 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15723 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/asn.1/ChangeLog | 11 ++++++++ src/lib/krb5/asn.1/asn1_k_decode.c | 39 ++++++++++++++++++++++++++-- src/lib/krb5/asn.1/asn1_k_decode.h | 2 +- src/lib/krb5/asn.1/asn1_k_encode.c | 10 ++++--- src/lib/krb5/asn.1/krb5_decode.c | 15 +++++++---- src/lib/krb5/krb/ChangeLog | 6 +++++ src/lib/krb5/krb/preauth2.c | 13 +++++++--- src/tests/asn.1/reference_encode.out | 4 +-- src/tests/asn.1/trval_reference.out | 6 ++--- 9 files changed, 86 insertions(+), 20 deletions(-) diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index 21822c9c9..578352bdb 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,14 @@ +2003-07-22 Sam Hartman + + * asn1_k_decode.c (asn1_decode_etype_info2_entry_1_3): Decoder for + the broken 1.3 ASN.1 behavior for etype_info2; see bug 1681. + + * asn1_k_decode.h (asn1_decode_etype_info2): Add v1_3_behavior + flag for parsing the broken 1.3 behavior of using an octetString + instead of generalString + + * asn1_k_decode.c (asn1_decode_etype_info2_entry): Expect etype_info2 as generalstring not octetstring + 2003-07-17 Ken Raeburn * Makefile.in (LIBNAME) [##WIN16##]: Don't define. diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index 147c455bd..3ffb701fe 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c 
@@ -808,6 +808,32 @@ asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum *** } static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val ) +{ + setup(); + { begin_structure(); + get_field(val->etype,0,asn1_decode_enctype); + if (tagnum == 1) { + get_lenfield(val->length,val->salt,1,asn1_decode_generalstring); + } else { + val->length = KRB5_ETYPE_NO_SALT; + val->salt = 0; + } + if ( tagnum ==2) { + krb5_octet *params ; + get_lenfield( val->s2kparams.length, params, + 2, asn1_decode_octetstring); + val->s2kparams.data = ( char *) params; + } else { + val->s2kparams.data = NULL; + val->s2kparams.length = 0; + } + end_structure(); + val->magic = KV5M_ETYPE_INFO_ENTRY; + } + cleanup(); +} + +static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); { begin_structure(); @@ -832,6 +858,8 @@ static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_in } cleanup(); } + + static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); @@ -857,9 +885,16 @@ asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***va decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry); } -asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val ) +asn1_error_code asn1_decode_etype_info2(asn1buf *buf, krb5_etype_info_entry ***val , + krb5_boolean v1_3_behavior) { - decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info2_entry); + if (v1_3_behavior) { + decode_array_body(krb5_etype_info_entry, + asn1_decode_etype_info2_entry_1_3); + } else { + decode_array_body(krb5_etype_info_entry, + asn1_decode_etype_info2_entry); + } } asn1_error_code asn1_decode_passwdsequence(asn1buf *buf, passwd_phrase_element *val) diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h index ebcbe935b..22e43fd73 100644 
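Review bot: The new `asn1_decode_etype_info2_entry` and the renamed `asn1_decode_etype_info2_entry_1_3` share the same body apart from the salt decoder, and neither has a comment saying which wire form it accepts, so a later fix to one parser of KDC-supplied data is easy to miss in the other. I would add a header comment to each, for example `/* etype-info2 entry, salt as GeneralString */` and `/* etype-info2 entry as sent by 1.3: salt as OCTET STRING; see bug 1681 */`. The salt branch also passes `val->salt` straight to `asn1_decode_generalstring`, while the s2kparams branch below it goes through a typed temporary and a cast. The declarations are not in this hunk, but if the string decoder writes through a `char **` and the salt is an octet pointer, the same temporary-and-cast pattern belongs here. The body of the `_1_3` variant continues outside the hunk.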
--- a/src/lib/krb5/asn.1/asn1_k_decode.h +++ b/src/lib/krb5/asn.1/asn1_k_decode.h @@ -186,7 +186,7 @@ asn1_error_code asn1_decode_sequence_of_passwdsequence asn1_error_code asn1_decode_etype_info (asn1buf *buf, krb5_etype_info_entry ***val); asn1_error_code asn1_decode_etype_info2 - (asn1buf *buf, krb5_etype_info_entry ***val); + (asn1buf *buf, krb5_etype_info_entry ***val, krb5_boolean v1_3_behavior); #endif diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index d4ace7818..325a6ce77 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -721,10 +721,14 @@ asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info if(val->s2kparams.data != NULL) asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2, asn1_encode_octetstring); - if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT) + if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT){ + if (etype_info2) asn1_addlenfield(val->length,val->salt,1, - asn1_encode_octetstring); - asn1_addfield(val->etype,0,asn1_encode_integer); + asn1_encode_generalstring) + else asn1_addlenfield(val->length,val->salt,1, + asn1_encode_octetstring); + } +asn1_addfield(val->etype,0,asn1_encode_integer); asn1_makeseq(); asn1_cleanup(); diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 3d2a6a709..4172c882b 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c 
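Review bot: In the asn1_k_encode.c hunk, the first `asn1_addlenfield(...)` under `if (etype_info2)` has no terminating semicolon before `else`, which can only compile if asn1_addlenfield is a macro expanding to a braced block. The unbraced if/else also makes the two arms hard to tell apart. Bracing both arms removes the dependence on the macro's shape: `if (etype_info2) { asn1_addlenfield(val->length,val->salt,1,asn1_encode_generalstring); } else { asn1_addlenfield(val->length,val->salt,1,asn1_encode_octetstring); }`. The re-added `asn1_addfield(val->etype,0,asn1_encode_integer);` has also lost its indentation. `etype_info2` is declared outside the hunk, as is the rest of asn1_encode_etype_info_entry.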
@@ -746,11 +746,16 @@ krb5_error_code decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_en krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep) { - setup_buf_only(); - *rep = 0; - retval = asn1_decode_etype_info2(&buf,rep); - if(retval) clean_return(retval); - cleanup_none(); /* we're not allocating anything here */ + setup_buf_only(); + *rep = 0; + retval = asn1_decode_etype_info2(&buf,rep, 0); + if (retval == ASN1_BAD_ID) { + retval = asn1buf_wrap_data(&buf,code); + if(retval) clean_return(retval); + retval = asn1_decode_etype_info2(&buf, rep, 1); + } + if(retval) clean_return(retval); + cleanup_none(); /* we're not allocating anything here */ } diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 834169c91..cd27b18ec 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,9 @@ +2003-07-22 Sam Hartman + + * preauth2.c (krb5_do_preauth): Use the etype_info2 decoder for decoding etype_info2 + (krb5_do_preauth): If an invalid encoding of etype_info or + etype_info2 is received, ignore it rather than failing the request + 2003-07-17 Ken Raeburn * Makefile.in (LIBNAME) [##WIN16##]: Don't define. diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index cdce093b8..6238a8276 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c 
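Review bot: The fallback in decode_krb5_etype_info2 re-wraps the buffer but does not return `*rep` to a known state before the second `asn1_decode_etype_info2` call; `*rep = 0` runs only ahead of the first attempt. Whether a failed first pass can leave a partly built array in `*rep` depends on decode_array_body, which this diff does not show. The contract should therefore be stated at the retry, e.g. `/* a failed decode must leave *rep unallocated; retry with the 1.3 octet-string form */`, and enforced if it does not hold. The retained comment `we're not allocating anything here` is worth rechecking now that two decode passes can run. The diffstat lists only the reference outputs under src/tests, so the ASN1_BAD_ID retry appears to have no decode test for the legacy form.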
@@ -883,13 +883,18 @@ krb5_do_preauth(krb5_context context, } } - if (pa_type == KRB5_PADATA_ETYPE_INFO2) - seen_etype_info2++; scratch.length = in_padata[i]->length; scratch.data = (char *) in_padata[i]->contents; - ret = decode_krb5_etype_info(&scratch, &etype_info); + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + seen_etype_info2++; + ret = decode_krb5_etype_info2(&scratch, &etype_info); + } + else ret = decode_krb5_etype_info(&scratch, &etype_info); if (ret) { - goto cleanup; + ret = 0; /*Ignore error and etype_info element*/ + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + continue; } if (etype_info[0] == NULL) { krb5_free_etype_info(context, etype_info); diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out index 0d449d232..a118c050d 100644 --- a/src/tests/asn.1/reference_encode.out +++ b/src/tests/asn.1/reference_encode.out 
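Review bot: On a decode error the new branch calls `krb5_free_etype_info(context, etype_info)` on whatever the failed decoder left behind, which is only safe if that is NULL (and the free routine accepts NULL) or a complete NULL-terminated array. Neither the decoder's failure contract nor krb5_free_etype_info is visible in this hunk. I would either guard the call, `if (etype_info != NULL) krb5_free_etype_info(context, etype_info);`, or document here that a failing decoder cleans up after itself and leaves the pointer NULL. Because the element comes from the KDC reply and is now dropped silently, a comment explaining why skipping is preferred over failing, plus some diagnostic that it happened, would help anyone later investigating an unexpected salt or enctype choice. krb5_do_preauth starts and ends outside the hunk.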
@@ -44,8 +44,8 @@ encode_krb5_alt_method (no data): 30 05 A0 03 02 01 2A encode_krb5_etype_info: 30 33 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 encode_krb5_etype_info (only 1): 30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 encode_krb5_etype_info (no info): 30 00 -encode_krb5_etype_info2: 30 51 30 1E A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 30 0F A0 03 02 01 01 A2 08 04 06 73 32 6B 3A 20 31 30 1E A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 A2 08 04 06 73 32 6B 3A 20 32 -encode_krb5_etype_info2 (only 1): 30 20 30 1E A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 +encode_krb5_etype_info2: 30 51 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 30 0F A0 03 02 01 01 A2 08 04 06 73 32 6B 3A 20 31 30 1E A0 03 02 01 02 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 A2 08 04 06 73 32 6B 3A 20 32 +encode_krb5_etype_info2 (only 1): 30 20 30 1E A0 03 02 01 00 A1 0D 1B 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 encode_krb5_pa_enc_ts: 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 encode_krb5_pa_enc_ts (no usec): 30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out index 4422ad4cb..95311d3fe 100644 --- a/src/tests/asn.1/trval_reference.out +++ b/src/tests/asn.1/trval_reference.out 
@@ -1129,14 +1129,14 @@ encode_krb5_etype_info2: [Sequence/Sequence Of] . [Sequence/Sequence Of] . . [0] [Integer] 0 -. . [1] [Octet String] "Morton's #0" +. . [1] [General string] "Morton's #0" . . [2] [Octet String] "s2k: 0" . [Sequence/Sequence Of] . . [0] [Integer] 1 . . [2] [Octet String] "s2k: 1" . [Sequence/Sequence Of] . . [0] [Integer] 2 -. . [1] [Octet String] "Morton's #2" +. . [1] [General string] "Morton's #2" . . [2] [Octet String] "s2k: 2" encode_krb5_etype_info2 (only 1): @@ -1144,7 +1144,7 @@ encode_krb5_etype_info2 (only 1): [Sequence/Sequence Of] . [Sequence/Sequence Of] . . [0] [Integer] 0 -. . [1] [Octet String] "Morton's #0" +. . [1] [General string] "Morton's #0" . . [2] [Octet String] "s2k: 0" encode_krb5_pa_enc_ts: -- 2.26.2