In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25837
dc483132-0cff-0310-8789-
dd5450dbe970
krb5_keyblock *as_key;
krb5_gic_get_as_key_fct *gak_fct;
void **gak_data;
krb5_keyblock *as_key;
krb5_gic_get_as_key_fct *gak_fct;
void **gak_data;
+ krb5_boolean *default_salt;
krb5_data *salt;
krb5_data *s2kparams;
krb5_principal client;
krb5_data *salt;
krb5_data *s2kparams;
krb5_principal client;
krb5_octet *data;
} krb5_octet_data;
krb5_octet *data;
} krb5_octet_data;
-/*
- * Hack length for crypto library to use the afs_string_to_key It is
- * equivalent to -1 without possible sign extension
- * We also overload for an unset salt type length - which is also -1, but
- * hey, why not....
- */
+/* Originally used to recognize AFS and default salts. No longer used. */
#define SALT_TYPE_AFS_LENGTH UINT_MAX
#define SALT_TYPE_NO_LENGTH UINT_MAX
#define SALT_TYPE_AFS_LENGTH UINT_MAX
#define SALT_TYPE_NO_LENGTH UINT_MAX
const krb5_data *parm, krb5_keyblock *keyblock)
{
int type;
const krb5_data *parm, krb5_keyblock *keyblock)
{
int type;
if (parm != NULL) {
if (parm->length != 1)
if (parm != NULL) {
if (parm->length != 1)
if (type == 1)
return afs_s2k(string, salt, keyblock->contents);
if (type == 1)
return afs_s2k(string, salt, keyblock->contents);
- /* Also use AFS string to key if the salt indicates it. */
- if (salt != NULL && (salt->length == SALT_TYPE_AFS_LENGTH
- || salt->length == (unsigned)-1)) {
- afssalt = make_data(salt->data, strcspn(salt->data, "@"));
- return afs_s2k(string, &afssalt, keyblock->contents);
- }
-
return des_s2k(string, salt, keyblock->contents);
}
return des_s2k(string, salt, keyblock->contents);
}
return KRB5_BAD_ENCTYPE;
keylength = ktp->enc->keylength;
return KRB5_BAD_ENCTYPE;
keylength = ktp->enc->keylength;
- /*
- * xxx AFS string2key function is indicated by a special length in
- * the salt in much of the code. However only the DES enctypes can
- * deal with this. Using s2kparams would be a much better solution.
- */
- if (salt && salt->length == SALT_TYPE_AFS_LENGTH) {
- switch (enctype) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- break;
- default:
- return KRB5_CRYPTO_INTERNAL;
- }
- }
+ /* Fail gracefully if someone is using the old AFS string-to-key hack. */
+ if (salt != NULL && salt->length == SALT_TYPE_AFS_LENGTH)
+ return EINVAL;
key->contents = malloc(keylength);
if (key->contents == NULL)
key->contents = malloc(keylength);
if (key->contents == NULL)
krb5_keysalt key_salt;
krb5_keyblock key;
krb5_data pwd;
krb5_keysalt key_salt;
krb5_keyblock key;
krb5_data pwd;
+ krb5_data afs_params = string2data("\1"), *s2k_params = NULL;
int i, j, k;
krb5_key_data tmp_key_data;
krb5_key_data *tptr;
int i, j, k;
krb5_key_data tmp_key_data;
krb5_key_data *tptr;
key_salt.data.data = 0;
break;
case KRB5_KDB_SALTTYPE_AFS3:
key_salt.data.data = 0;
break;
case KRB5_KDB_SALTTYPE_AFS3:
- /* The afs_mit_string_to_key needs to use strlen, and the
- realm field is not (necessarily) NULL terminated. */
- retval = krb5int_copy_data_contents_add0(context,
- krb5_princ_realm(context,
- db_entry->princ),
- &key_salt.data);
+ retval = krb5int_copy_data_contents(context,
+ &db_entry->princ->realm,
+ &key_salt.data);
if (retval)
return retval;
if (retval)
return retval;
- key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
+ s2k_params = &afs_params;
break;
case KRB5_KDB_SALTTYPE_SPECIAL:
retval = make_random_salt(context, &key_salt);
break;
case KRB5_KDB_SALTTYPE_SPECIAL:
retval = make_random_salt(context, &key_salt);
pwd.data = passwd;
pwd.length = strlen(passwd);
pwd.data = passwd;
pwd.length = strlen(passwd);
- /* AFS string to key will happen here */
- if ((retval = krb5_c_string_to_key(context, ks_tuple[i].ks_enctype,
- &pwd, &key_salt.data, &key))) {
- if (key_salt.data.data)
- free(key_salt.data.data);
- return(retval);
+ retval = krb5_c_string_to_key_with_params(context,
+ ks_tuple[i].ks_enctype,
+ &pwd, &key_salt.data,
+ s2k_params, &key);
+ if (retval) {
+ free(key_salt.data.data);
+ return retval;
- if (key_salt.data.length == SALT_TYPE_AFS_LENGTH)
- key_salt.data.length =
- krb5_princ_realm(context, db_entry->princ)->length;
-
/* memory allocation to be done by db. So, use temporary block and later copy
it to the memory allocated by db */
retval = krb5_dbe_encrypt_key_data(context, master_key, &key,
/* memory allocation to be done by db. So, use temporary block and later copy
it to the memory allocated by db */
retval = krb5_dbe_encrypt_key_data(context, master_key, &key,
ctx->preauth_rock.as_key = &ctx->as_key;
ctx->preauth_rock.gak_fct = &ctx->gak_fct;
ctx->preauth_rock.gak_data = &ctx->gak_data;
ctx->preauth_rock.as_key = &ctx->as_key;
ctx->preauth_rock.gak_fct = &ctx->gak_fct;
ctx->preauth_rock.gak_data = &ctx->gak_data;
+ ctx->preauth_rock.default_salt = &ctx->default_salt;
ctx->preauth_rock.salt = &ctx->salt;
ctx->preauth_rock.s2kparams = &ctx->s2kparams;
ctx->preauth_rock.client = client;
ctx->preauth_rock.salt = &ctx->salt;
ctx->preauth_rock.s2kparams = &ctx->s2kparams;
ctx->preauth_rock.client = client;
code = krb5int_copy_data_contents(context, opte->salt, &ctx->salt);
if (code != 0)
goto cleanup;
code = krb5int_copy_data_contents(context, opte->salt, &ctx->salt);
if (code != 0)
goto cleanup;
+ ctx->default_salt = FALSE;
- ctx->salt.length = SALT_TYPE_AFS_LENGTH;
- ctx->salt.data = NULL;
+ ctx->salt = empty_data();
+ ctx->default_salt = TRUE;
* salt. local_as_reply->client will be checked later on in
* verify_as_reply.
*/
* salt. local_as_reply->client will be checked later on in
* verify_as_reply.
*/
- if (ctx->salt.length == SALT_TYPE_AFS_LENGTH && ctx->salt.data == NULL) {
+ if (ctx->default_salt) {
code = krb5_principal2salt(context, ctx->reply->client, &ctx->salt);
TRACE_INIT_CREDS_SALT_PRINC(context, &ctx->salt);
if (code != 0)
code = krb5_principal2salt(context, ctx->reply->client, &ctx->salt);
TRACE_INIT_CREDS_SALT_PRINC(context, &ctx->salt);
if (code != 0)
- if (salt->length == SALT_TYPE_AFS_LENGTH && salt->data == NULL) {
if ((ret = krb5_principal2salt(context, client, &defsalt)))
return(ret);
if ((ret = krb5_principal2salt(context, client, &defsalt)))
return(ret);
krb5_data *encoded_previous_request;
struct krb5int_fast_request_state *fast_state;
krb5_pa_data **preauth_to_use;
krb5_data *encoded_previous_request;
struct krb5int_fast_request_state *fast_state;
krb5_pa_data **preauth_to_use;
+ krb5_boolean default_salt;
krb5_data salt;
krb5_data s2kparams;
krb5_keyblock as_key;
krb5_data salt;
krb5_data s2kparams;
krb5_keyblock as_key;
krb5_keyblock **keyblock)
{
krb5_error_code ret;
krb5_keyblock **keyblock)
{
krb5_error_code ret;
if (rock->as_key->length == 0) {
if (rock->as_key->length == 0) {
+ salt = (*rock->default_salt) ? NULL : rock->salt;
ret = (*rock->gak_fct)(context, rock->client, *rock->etype,
ret = (*rock->gak_fct)(context, rock->client, *rock->etype,
- rock->prompter, rock->prompter_data, rock->salt,
+ rock->prompter, rock->prompter_data, salt,
rock->s2kparams, rock->as_key, *rock->gak_data);
if (ret)
return ret;
rock->s2kparams, rock->as_key, *rock->gak_data);
if (ret)
return ret;
krb5_etype_info etype_info = NULL, e;
krb5_etype_info_entry *entry;
krb5_boolean valid_found;
krb5_etype_info etype_info = NULL, e;
krb5_etype_info_entry *entry;
krb5_boolean valid_found;
int i;
/* Find an etype-info2 or etype-info element in padata. */
int i;
/* Find an etype-info2 or etype-info element in padata. */
if (entry->length != KRB5_ETYPE_NO_SALT) {
*rock->salt = make_data(entry->salt, entry->length);
entry->salt = NULL;
if (entry->length != KRB5_ETYPE_NO_SALT) {
*rock->salt = make_data(entry->salt, entry->length);
entry->salt = NULL;
+ *rock->default_salt = FALSE;
+ } else {
+ *rock->salt = empty_data();
+ *rock->default_salt = TRUE;
}
krb5_free_data_contents(context, rock->s2kparams);
*rock->s2kparams = entry->s2kparams;
}
krb5_free_data_contents(context, rock->s2kparams);
*rock->s2kparams = entry->s2kparams;
/* Set rock->salt based on the element we found. */
krb5_free_data_contents(context, rock->salt);
d = padata2data(*pa);
/* Set rock->salt based on the element we found. */
krb5_free_data_contents(context, rock->salt);
d = padata2data(*pa);
- ret = krb5int_copy_data_contents_add0(context, &d, rock->salt);
+ ret = krb5int_copy_data_contents(context, &d, rock->salt);
+ if (pa->pa_type == KRB5_PADATA_AFS3_SALT) {
+ /* Work around a (possible) old Heimdal KDC foible. */
+ p = memchr(rock->salt->data, '@', rock->salt->length);
+ if (p != NULL)
+ rock->salt->length = p - rock->salt->data;
+ /* Tolerate extra null in MIT KDC afs3-salt value. */
+ if (rock->salt->length > 0 &&
+ rock->salt->data[rock->salt->length - 1] == '\0')
+ rock->salt->length--;
+ /* Set an s2kparams value to indicate AFS string-to-key. */
+ krb5_free_data_contents(context, rock->s2kparams);
+ ret = alloc_data(rock->s2kparams, 1);
+ if (ret)
+ goto cleanup;
+ rock->s2kparams->data[0] = '\1';
+ }
+ *rock->default_salt = FALSE;
TRACE_PREAUTH_SALT(context, rock->salt, pa->pa_type);
TRACE_PREAUTH_SALT(context, rock->salt, pa->pa_type);
- if (pa->pa_type == KRB5_PADATA_AFS3_SALT)
- rock->salt->length = SALT_TYPE_AFS_LENGTH;
krb5int_cleanup_library
krb5int_clean_hostname
krb5int_cm_call_select
krb5int_cleanup_library
krb5int_clean_hostname
krb5int_cm_call_select
+krb5int_copy_data_contents
krb5int_copy_data_contents_add0
krb5int_find_pa_data
krb5int_foreach_localaddr
krb5int_copy_data_contents_add0
krb5int_find_pa_data
krb5int_foreach_localaddr
projects / krb5.git / commitdiff