[72] in Kerberos-V5-bugs
Diffs to implement KDC-supplied pre-seeding of the string-to-key alg.
jtkohl@ATHENA.MIT.EDU (jtkohl@ATHENA.MIT.EDU)
Fri Dec 7 10:57:41 1990
Here are the diffs; some of them may look funny because a couple of
files got inadvertantly detabified.
I made some fairly radical changes to a couple of places which force a
full source rebuild and require a database rebuild, so you may want to
wait for an appropriate time to integrate these.
In order to give a real name to the "sequence of PA_DATA", I changed
the ASN.1 definition that you gave me slightly; you may have to tweak
some of the asn.1 changes slightly.
There is one extra module: lib/krb/pr_to_salt.c; the changes in asn.1
should probably also go in separate modules, but I was lazy.
I made a related change which wasn't strictly necessary: the type
krb5_kdc_rep now contains a msg_type field; the irregularities in the
asn1 glue with respect to the lack of a msg_type field in the
krb5_kdc_rep are removed (albeit not as cleanly as possible; there are
a few "stubs" which are still in there), and the higher level code now
checks for the correct values of said field.
The signature of the string2key operation changed: it now takes a
krb5_data instead of a krb5_principal.
There is a new function, krb5_principal2salt(), which returns a
krb5_data containing the "flattened" principal (all components
concatenated together).
The PA_DATA of type 2 contains a flattened principal, which is
concatenated to the password; if no PA_DATA type 2 is provided, (or if
it is of length zero),
The PA_DATA is passed all the way up to the user-supplied callback (in
in_tkt_pwd.c) so that alternate string_to_key algorithms (possibly
seeded, for example, with a smartcard-derived value) can be used.
The format of the database changed slightly to store the salt; it is
now set appropriatly by kdb5_edit (using the ank and av4k commands).
There is one relatively change that could be made to kdb_dbm.c: if the
"salt" to be stored is the "default" salt, a more compact encoding
should be used (e.g., store "-2" in the length field and don't store
the actual bytes); I haven't gotten around to doing this yet.
Also, the database does not use or store the salt for the master key.
If you have any questions about the following, just ask; the diffs are
relative to krb5_alpha2 as checked in here..
*** /prgy/krb5/admin/create/kdb5_create.c/[krb5_alpha2] Mon Oct 29 14:22:26 1990
--- /prgy/krb5/admin/create/kdb5_create.c/pa_seed Wed Dec 5 17:09:48 1990
***************
*** 275,280 ****
--- 275,281 ----
entry.mkvno = 0;
entry.expiration = pblock->expiration;
entry.mod_name = db_create_princ;
+ entry.key_salt.length = 0;
if (retval = krb5_timeofday(&entry.mod_date))
return retval;
No differences encountered
*** /prgy/krb5/admin/edit/kdb5_edit.c/[krb5_alpha2] Fri Nov 2 10:37:20 1990
--- /prgy/krb5/admin/edit/kdb5_edit.c/pa_seed Tue Dec 4 18:39:33 1990
***************
*** 47,57 ****
0
};
! void add_key PROTOTYPE((char * const *, krb5_const_principal,
! const krb5_keyblock *, krb5_kvno));
! void enter_rnd_key PROTOTYPE((char **, const krb5_principal, krb5_kvno));
! void enter_pwd_key PROTOTYPE((char **, krb5_const_principal,
! krb5_const_principal, krb5_kvno));
int set_dbname_help PROTOTYPE((char *, char *));
--- 47,56 ----
0
};
! void add_key PROTOTYPE((char * const *, krb5_principal,
! const krb5_keyblock *, krb5_kvno, krb5_data *));
! void enter_rnd_key PROTOTYPE((char **, krb5_principal, krb5_kvno));
! void enter_pwd_key PROTOTYPE((char **, krb5_principal, krb5_principal, krb5_kvno));
int set_dbname_help PROTOTYPE((char *, char *));
***************
*** 321,333 ****
void
add_key(DECLARG(char * const *, argv),
! DECLARG(krb5_const_principal, principal),
DECLARG(const krb5_keyblock *, key),
! DECLARG(krb5_kvno, vno))
OLDDECLARG(char * const *, argv)
! OLDDECLARG(krb5_const_principal, principal)
OLDDECLARG(const krb5_keyblock *, key)
OLDDECLARG(krb5_kvno, vno)
{
krb5_error_code retval;
krb5_db_entry newentry;
--- 320,334 ----
void
add_key(DECLARG(char * const *, argv),
! DECLARG(krb5_principal, principal),
DECLARG(const krb5_keyblock *, key),
! DECLARG(krb5_kvno, vno),
! DECLARG(krb5_data *, salt))
OLDDECLARG(char * const *, argv)
! OLDDECLARG(krb5_principal, principal)
OLDDECLARG(const krb5_keyblock *, key)
OLDDECLARG(krb5_kvno, vno)
+ OLDDECLARG(krb5_data *, salt)
{
krb5_error_code retval;
krb5_db_entry newentry;
***************
*** 348,353 ****
--- 349,361 ----
newentry.mkvno = mblock.mkvno;
newentry.expiration = mblock.expiration;
newentry.mod_name = master_princ;
+ if (salt) {
+ newentry.key_salt = *salt;
+ } else {
+ newentry.key_salt.length = 0;
+ newentry.key_salt.data = 0;
+ }
+
if (retval = krb5_timeofday(&newentry.mod_date)) {
com_err(argv[0], retval, "while fetching date");
bzero((char *)newentry.key.contents, newentry.key.length);
***************
*** 718,724 ****
com_err(argv[0], retval, "while generating random key");
return;
}
! add_key(argv, princ, tempkey, ++vno);
bzero((char *)tempkey->contents, tempkey->length);
krb5_free_keyblock(tempkey);
return;
--- 726,732 ----
com_err(argv[0], retval, "while generating random key");
return;
}
! add_key(argv, princ, tempkey, ++vno, 0);
bzero((char *)tempkey->contents, tempkey->length);
krb5_free_keyblock(tempkey);
return;
***************
*** 782,793 ****
void
enter_pwd_key(DECLARG(char **, argv),
! DECLARG(krb5_const_principal, princ),
! DECLARG(krb5_const_principal, string_princ),
DECLARG(krb5_kvno, vno))
OLDDECLARG(char **, argv)
! OLDDECLARG(krb5_const_principal, princ)
! OLDDECLARG(krb5_const_principal, string_princ)
OLDDECLARG(krb5_kvno, vno)
{
krb5_error_code retval;
--- 790,801 ----
void
enter_pwd_key(DECLARG(char **, argv),
! DECLARG(krb5_principal, princ),
! DECLARG(krb5_principal, string_princ),
DECLARG(krb5_kvno, vno))
OLDDECLARG(char **, argv)
! OLDDECLARG(krb5_principal, princ)
! OLDDECLARG(krb5_principal, string_princ)
OLDDECLARG(krb5_kvno, vno)
{
krb5_error_code retval;
***************
*** 795,800 ****
--- 803,809 ----
int pwsize = sizeof(password);
krb5_keyblock tempkey;
krb5_data pwd;
+ krb5_data salt;
if (retval = krb5_read_password(krb5_default_pwd_prompt1,
krb5_default_pwd_prompt2,
***************
*** 805,820 ****
pwd.data = password;
pwd.length = pwsize;
retval = krb5_string_to_key(&master_encblock, master_keyblock.keytype,
&tempkey,
&pwd,
! string_princ);
bzero(password, sizeof(password)); /* erase it */
if (retval) {
com_err(argv[0], retval, "while converting password to key for '%s'", argv[1]);
return;
}
! add_key(argv, princ, &tempkey, ++vno);
bzero((char *)tempkey.contents, tempkey.length);
free((char *)tempkey.contents);
return;
--- 814,831 ----
pwd.data = password;
pwd.length = pwsize;
+ salt = krb5_principal2salt(string_princ);
+
retval = krb5_string_to_key(&master_encblock, master_keyblock.keytype,
&tempkey,
&pwd,
! &salt);
bzero(password, sizeof(password)); /* erase it */
if (retval) {
com_err(argv[0], retval, "while converting password to key for '%s'", argv[1]);
return;
}
! add_key(argv, princ, &tempkey, ++vno, &salt);
bzero((char *)tempkey.contents, tempkey.length);
free((char *)tempkey.contents);
return;
*** /prgy/krb5/asn.1/KRB5-asn.py/[krb5_alpha2] Thu Oct 25 13:23:53 1990
--- /prgy/krb5/asn.1/KRB5-asn.py/pa_seed Mon Dec 3 21:47:06 1990
***************
*** 184,206 ****
additional-tickets[12] SEQUENCE OF Ticket OPTIONAL
}
-- the following two sequences MUST be the same except for the
-- APPLICATION identifier
AS-REP ::= [APPLICATION 11] SEQUENCE {
pvno[0] INTEGER,
! msg-type[1] INTEGER, -- MessageType
! crealm[2] Realm,
! cname[3] PrincipalName,
! ticket[4] Ticket, -- Ticket
! enc-part[5] EncryptedData -- EncKDCRepPart
}
TGS-REP ::= [APPLICATION 13] SEQUENCE {
pvno[0] INTEGER,
! msg-type[1] INTEGER, -- MessageType
! crealm[2] Realm,
! cname[3] PrincipalName,
! ticket[4] Ticket, -- Ticket
! enc-part[5] EncryptedData -- EncKDCRepPart
}
-- the preceding two sequences MUST be the same except for the
-- APPLICATION identifier
--- 184,213 ----
additional-tickets[12] SEQUENCE OF Ticket OPTIONAL
}
+ PA-DATA ::= SEQUENCE OF SEQUENCE {
+ padata-type[1] INTEGER,
+ data[2] OCTET STRING -- might be encoded AP-REQ
+ }
+
-- the following two sequences MUST be the same except for the
-- APPLICATION identifier
AS-REP ::= [APPLICATION 11] SEQUENCE {
pvno[0] INTEGER,
! msg-type[1] INTEGER,
! padata[2] PA-DATA OPTIONAL,
! crealm[3] Realm,
! cname[4] PrincipalName,
! ticket[5] Ticket, -- Ticket
! enc-part[6] EncryptedData -- EncKDCRepPart
}
TGS-REP ::= [APPLICATION 13] SEQUENCE {
pvno[0] INTEGER,
! msg-type[1] INTEGER,
! padata[2] PA-DATA OPTIONAL,
! crealm[3] Realm,
! cname[4] PrincipalName,
! ticket[5] Ticket, -- Ticket
! enc-part[6] EncryptedData -- EncKDCRepPart
}
-- the preceding two sequences MUST be the same except for the
-- APPLICATION identifier
*** /prgy/krb5/asn.1/kasrp2kdcr.c/[krb5_alpha2] Thu Oct 25 13:24:09 1990
--- /prgy/krb5/asn.1/kasrp2kdcr.c/pa_seed Thu Dec 6 20:22:09 1990
***************
*** 33,37 ****
register int *error;
{
return (struct type_KRB5_AS__REP *)
! krb5_kdc_rep2KRB5_KDC__REP(val, KRB5_AS_REP, error);
}
--- 33,38 ----
register int *error;
{
return (struct type_KRB5_AS__REP *)
! krb5_kdc_rep2KRB5_KDC__REP(val, error);
}
+
*** /prgy/krb5/asn.1/kdcr2kasrp.c/[krb5_alpha2] Thu Oct 25 13:24:12 1990
--- /prgy/krb5/asn.1/kdcr2kasrp.c/pa_seed Thu Dec 6 20:00:05 1990
***************
*** 32,46 ****
const register struct type_KRB5_AS__REP *val;
register int *error;
{
! krb5_msgtype type;
! register krb5_kdc_rep *retval;
!
! retval = KRB5_KDC__REP2krb5_kdc_rep((const struct type_KRB5_TGS__REP *)val,
! &type, error);
! if (retval && (type != KRB5_AS_REP)) {
! krb5_free_kdc_rep(retval);
! *error = ISODE_50_LOCAL_ERR_BADMSGTYPE;
! return 0;
! }
! return retval;
}
--- 32,36 ----
const register struct type_KRB5_AS__REP *val;
register int *error;
{
! return KRB5_KDC__REP2krb5_kdc_rep((const struct type_KRB5_TGS__REP *)val, error);
}
*** /prgy/krb5/asn.1/kdcr2kkdcr.c/[krb5_alpha2] Thu Oct 25 13:24:13 1990
--- /prgy/krb5/asn.1/kdcr2kkdcr.c/pa_seed Thu Dec 6 19:58:49 1990
***************
*** 27,36 ****
/* ISODE defines max(a,b) */
krb5_kdc_rep *
! KRB5_KDC__REP2krb5_kdc_rep(val, type, error)
const register struct type_KRB5_TGS__REP *val;
- krb5_msgtype *type;
register int *error;
{
register krb5_kdc_rep *retval;
--- 27,76 ----
/* ISODE defines max(a,b) */
+ krb5_pa_data **
+ KRB5_PA__DATA2krb5_pa_data(val, error)
+ struct type_KRB5_PA__DATA *val;
+ register int *error;
+ {
+ int i;
+ krb5_pa_data **retval;
+
+ *error = 0;
+
+ if (val == NULL)
+ return 0;
+
+ retval = (krb5_pa_data **) malloc ((val->nelem + 1) * sizeof (krb5_pa_data *));
+ if (retval == 0) {
+ nomem:
+ if (retval != 0)
+ free(retval);
+ *error = ENOMEM;
+ return 0;
+ }
+
+ for (i=0; i < val->nelem; i++) {
+ retval[i] = (krb5_pa_data *) malloc (sizeof (krb5_pa_data));
+ if (retval[i] == 0)
+ goto nomem;
+ retval[i]->pa_type = val->element_KRB5_7[i]->padata__type;
+ if (qb_pullup(val->element_KRB5_7[i]->data) != OK)
+ goto nomem;
+ retval[i]->contents = (unsigned char *)xmalloc (val->element_KRB5_7[i]->data->qb_forw->qb_len);
+ retval[i]->length = val->element_KRB5_7[i]->data->qb_forw->qb_len;
+ xbcopy (val->element_KRB5_7[i]->data->qb_forw->qb_data,
+ retval[i]->contents, retval[i]->length);
+ }
+ retval[i] = 0;
+ return retval;
+
+ }
+
+
+
krb5_kdc_rep *
! KRB5_KDC__REP2krb5_kdc_rep(val, error)
const register struct type_KRB5_TGS__REP *val;
register int *error;
{
register krb5_kdc_rep *retval;
***************
*** 43,55 ****
}
xbzero(retval, sizeof(*retval));
! *type = val->msg__type;
retval->client = KRB5_PrincipalName2krb5_principal(val->cname,
val->crealm,
error);
if (!retval->client) {
! xfree(retval);
return(0);
}
--- 83,99 ----
}
xbzero(retval, sizeof(*retval));
! retval->msg_type = val->msg__type;
+ retval->padata = KRB5_PA__DATA2krb5_pa_data(val->padata, error);
+ if (*error)
+ return 0;
+
retval->client = KRB5_PrincipalName2krb5_principal(val->cname,
val->crealm,
error);
if (!retval->client) {
! krb5_free_kdc_rep(retval);
return(0);
}
*** /prgy/krb5/asn.1/kdcr2ktgsr.c/[krb5_alpha2] Thu Oct 25 13:24:14 1990
--- /prgy/krb5/asn.1/kdcr2ktgsr.c/pa_seed Thu Dec 6 20:00:08 1990
***************
*** 32,45 ****
const register struct type_KRB5_TGS__REP *val;
register int *error;
{
! krb5_msgtype type;
! register krb5_kdc_rep *retval;
!
! retval = KRB5_KDC__REP2krb5_kdc_rep(val, &type, error);
! if (retval && (type != KRB5_TGS_REP)) {
! krb5_free_kdc_rep(retval);
! *error = ISODE_50_LOCAL_ERR_BADMSGTYPE;
! return 0;
! }
! return retval;
}
--- 32,36 ----
const register struct type_KRB5_TGS__REP *val;
register int *error;
{
! return KRB5_KDC__REP2krb5_kdc_rep(val, error);
}
*** /prgy/krb5/asn.1/kkdcr2kdcr.c/[krb5_alpha2] Thu Oct 25 13:24:16 1990
--- /prgy/krb5/asn.1/kkdcr2kdcr.c/pa_seed Thu Dec 6 20:00:36 1990
***************
*** 25,37 ****
#include <krb5/ext-proto.h>
/* ISODE defines max(a,b) */
struct type_KRB5_TGS__REP *
krb5_kdc_rep2KRB5_KDC__REP(DECLARG(const register krb5_kdc_rep *,val),
- DECLARG(const krb5_msgtype, type),
DECLARG(register int *,error))
OLDDECLARG(const register krb5_kdc_rep *,val)
- OLDDECLARG(const krb5_msgtype, type)
OLDDECLARG(register int *,error)
{
register struct type_KRB5_TGS__REP *retval;
--- 25,82 ----
#include <krb5/ext-proto.h>
/* ISODE defines max(a,b) */
+ struct type_KRB5_PA__DATA *krb5_pa_data2KRB5_PA__DATA(val, error)
+ krb5_pa_data **val;
+ int *error;
+ {
+ register struct type_KRB5_PA__DATA *retval;
+ register int i;
+ register krb5_pa_data **temp;
+ *error = 0;
+
+ if (val == 0)
+ return 0;
+
+ /* count elements */
+ for (i=0, temp=val; *temp; temp++,i++) ;
+
+ retval = (struct type_KRB5_PA__DATA *)
+ xmalloc (sizeof (*retval) + max(0,i-1)*sizeof(retval->element_KRB5_7[0]));
+ if (!retval) {
+ *error = ENOMEM;
+ return 0;
+ }
+ xbzero(retval, sizeof(*retval));
+ retval->nelem = i;
+ for (i=0; i < retval->nelem; i++) {
+ retval->element_KRB5_7[i] = (struct element_KRB5_8 *)
+ xmalloc (sizeof (*(retval->element_KRB5_7[i])));
+ if (!retval->element_KRB5_7[i]) {
+ errout:
+ retval->nelem = i;
+ free_KRB5_PA__DATA(retval);
+ *error = ENOMEM;
+ return 0;
+ }
+ retval->element_KRB5_7[i]->padata__type = val[i]->pa_type;
+ retval->element_KRB5_7[i]->data = str2qb((char *)(val[i])->contents,
+ (val[i])->length, 1);
+ if (!retval->element_KRB5_7[i]->data) {
+ xfree(retval->element_KRB5_7[i]);
+ goto errout;
+ }
+ }
+ return retval;
+ }
+
+
+
+
struct type_KRB5_TGS__REP *
krb5_kdc_rep2KRB5_KDC__REP(DECLARG(const register krb5_kdc_rep *,val),
DECLARG(register int *,error))
OLDDECLARG(const register krb5_kdc_rep *,val)
OLDDECLARG(register int *,error)
{
register struct type_KRB5_TGS__REP *retval;
***************
*** 44,50 ****
xbzero(retval, sizeof(*retval));
retval->pvno = KRB5_PVNO;
! retval->msg__type = type;
retval->crealm = krb5_data2qbuf(val->client[0]);
if (!retval->crealm) {
--- 89,100 ----
xbzero(retval, sizeof(*retval));
retval->pvno = KRB5_PVNO;
! retval->msg__type = val->msg_type;
!
! retval->padata = krb5_pa_data2KRB5_PA__DATA(val->padata, error);
! if (*error) {
! goto errout;
! }
retval->crealm = krb5_data2qbuf(val->client[0]);
if (!retval->crealm) {
*** /prgy/krb5/asn.1/ktgsr2kdcr.c/[krb5_alpha2] Thu Oct 25 13:24:20 1990
--- /prgy/krb5/asn.1/ktgsr2kdcr.c/pa_seed Thu Dec 6 20:22:23 1990
***************
*** 33,37 ****
register int *error;
{
return (struct type_KRB5_TGS__REP *)
! krb5_kdc_rep2KRB5_KDC__REP(val, KRB5_TGS_REP, error);
}
--- 33,37 ----
register int *error;
{
return (struct type_KRB5_TGS__REP *)
! krb5_kdc_rep2KRB5_KDC__REP(val, error);
}
*** /prgy/krb5/include/krb5/encryption.h/[krb5_alpha2] Fri Oct 19 10:28:31 1990
--- /prgy/krb5/include/krb5/encryption.h/pa_seed Tue Dec 4 17:30:08 1990
***************
*** 59,65 ****
krb5_error_code (*string_to_key) PROTOTYPE((const krb5_keytype,
krb5_keyblock *,
const krb5_data *,
! krb5_const_principal));
krb5_error_code (*init_random_key) PROTOTYPE((const krb5_keyblock *,
krb5_pointer *));
krb5_error_code (*finish_random_key) PROTOTYPE((krb5_pointer *));
--- 59,65 ----
krb5_error_code (*string_to_key) PROTOTYPE((const krb5_keytype,
krb5_keyblock *,
const krb5_data *,
! const krb5_data *));
krb5_error_code (*init_random_key) PROTOTYPE((const krb5_keyblock *,
krb5_pointer *));
krb5_error_code (*finish_random_key) PROTOTYPE((krb5_pointer *));
*** /prgy/krb5/include/krb5/func-proto.h/[krb5_alpha2] Fri Oct 19 11:14:37 1990
--- /prgy/krb5/include/krb5/func-proto.h/pa_seed Thu Dec 6 20:20:23 1990
***************
*** 71,78 ****
const krb5_keytype,
krb5_error_code (* )(const krb5_keytype,
krb5_keyblock **,
- krb5_const_pointer ),
krb5_const_pointer,
krb5_error_code (* )(const krb5_keyblock *,
krb5_const_pointer,
krb5_kdc_rep * ),
--- 71,79 ----
const krb5_keytype,
krb5_error_code (* )(const krb5_keytype,
krb5_keyblock **,
krb5_const_pointer,
+ krb5_pa_data **),
+ krb5_const_pointer,
krb5_error_code (* )(const krb5_keyblock *,
krb5_const_pointer,
krb5_kdc_rep * ),
***************
*** 79,84 ****
--- 80,87 ----
krb5_const_pointer,
krb5_creds *,
krb5_ccache ));
+ krb5_data krb5_principal2salt
+ PROTOTYPE((krb5_principal));
krb5_error_code krb5_get_in_tkt_with_password
PROTOTYPE((const krb5_flags,
krb5_address * const *,
*** /prgy/krb5/include/krb5/kdb.h/[krb5_alpha2] Thu Nov 1 17:49:40 1990
--- /prgy/krb5/include/krb5/kdb.h/pa_seed Tue Dec 4 18:18:52 1990
***************
*** 27,32 ****
--- 27,33 ----
krb5_principal mod_name;
krb5_timestamp mod_date;
krb5_flags attributes;
+ krb5_data key_salt; /* character string used to salt keys. */
} krb5_db_entry;
#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
*** /prgy/krb5/include/krb5/krb5.h/[krb5_alpha2] Mon Oct 29 15:28:19 1990
--- /prgy/krb5/include/krb5/krb5.h/pa_seed Mon Dec 3 15:58:11 1990
***************
*** 105,110 ****
--- 105,117 ----
krb5_timestamp value;
} krb5_last_req_entry;
+ /* pre-authentication data. */
+ typedef struct _krb5_pa_data {
+ krb5_ui_2 pa_type;
+ int length;
+ krb5_octet *contents;
+ } krb5_pa_data;
+
typedef struct _krb5_kdc_req {
krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */
krb5_octet padata_type;
***************
*** 139,144 ****
--- 146,153 ----
typedef struct _krb5_kdc_rep {
/* cleartext part: */
+ krb5_msgtype msg_type; /* AS_REP or KDC_REP? */
+ krb5_pa_data **padata; /* preauthentication data from KDC */
krb5_principal client; /* client's principal identifier */
krb5_ticket *ticket; /* ticket */
krb5_enc_data enc_part; /* encryption type, kvno, encrypted
*** /prgy/krb5/include/krb5/proto.h/[krb5_alpha2] Wed Oct 10 14:59:53 1990
--- /prgy/krb5/include/krb5/proto.h/pa_seed Tue Dec 4 15:29:25 1990
***************
*** 33,37 ****
--- 33,38 ----
/* PADATA types */
#define KRB5_PADATA_AP_REQ ((krb5_octet)1)
+ #define KRB5_PADATA_PW_SALT ((krb5_octet)2)
#endif /* KRB5_PROTO__ */
*** /prgy/krb5/kdc/do_as_req.c/[krb5_alpha2] Thu Nov 1 17:23:00 1990
--- /prgy/krb5/kdc/do_as_req.c/pa_seed Tue Dec 4 18:25:20 1990
***************
*** 258,263 ****
--- 258,281 ----
free(ticket_reply.enc_part.ciphertext.data);}
/* Start assembling the response */
+ reply.msg_type = KRB5_AS_REP;
+
+ reply.padata = 0;
+ if (client.key_salt.length != 0)
+ {
+ krb5_pa_data **pa;
+
+ pa = (krb5_pa_data **)malloc (sizeof (*pa) * 2);
+ pa[0] = (krb5_pa_data *)malloc (sizeof (*pa[0]));
+ pa[1] = 0;
+
+ pa[0]->pa_type = KRB5_PADATA_PW_SALT;
+ pa[0]->contents = malloc (client.key_salt.length);
+ pa[0]->length = client.key_salt.length;
+ memcpy(pa[0]->contents, client.key_salt.data, client.key_salt.length);
+ reply.padata = pa;
+ }
+
reply.client = request->client;
/* XXX need separate etypes for ticket encryption and kdc_rep encryption */
reply.enc_part.etype = request->etype;
*** /prgy/krb5/kdc/do_tgs_req.c/[krb5_alpha2] Thu Nov 1 17:23:06 1990
--- /prgy/krb5/kdc/do_tgs_req.c/pa_seed Tue Dec 4 17:09:13 1990
***************
*** 420,425 ****
--- 420,427 ----
#undef cleanup
/* Start assembling the response */
+ reply.msg_type = KRB5_TGS_REP;
+ reply.padata = 0; /* always */
reply.client = header_ticket->enc_part2->client;
reply.enc_part.etype = request->etype;
reply.enc_part.kvno = 0; /* We are using the session key */
*** /prgy/krb5/lib/des/des_int.h/[krb5_alpha2] Fri Oct 19 10:30:05 1990
--- /prgy/krb5/lib/des/des_int.h/pa_seed Tue Dec 4 19:19:56 1990
***************
*** 157,163 ****
/* string2key.c */
extern krb5_error_code mit_des_string_to_key
PROTOTYPE((const krb5_keytype, krb5_keyblock *, const krb5_data *,
! krb5_const_principal ));
/* weak_key.c */
extern int mit_des_is_weak_key PROTOTYPE((mit_des_cblock ));
--- 157,163 ----
/* string2key.c */
extern krb5_error_code mit_des_string_to_key
PROTOTYPE((const krb5_keytype, krb5_keyblock *, const krb5_data *,
! const krb5_data *));
/* weak_key.c */
extern int mit_des_is_weak_key PROTOTYPE((mit_des_cblock ));
*** /prgy/krb5/lib/des/string2key.c/[krb5_alpha2] Fri Oct 19 10:05:17 1990
--- /prgy/krb5/lib/des/string2key.c/pa_seed Tue Dec 4 19:17:30 1990
***************
*** 34,40 ****
It is the responsibility of the caller to release this storage
when the generated key no longer needed.
! The routine may use "princ" to seed or alter the conversion
algorithm.
If the particular function called does not know how to make a
--- 34,40 ----
It is the responsibility of the caller to release this storage
when the generated key no longer needed.
! The routine may use "salt" to seed or alter the conversion
algorithm.
If the particular function called does not know how to make a
***************
*** 46,56 ****
krb5_error_code mit_des_string_to_key (DECLARG(const krb5_keytype, keytype),
DECLARG(krb5_keyblock *,keyblock),
DECLARG(const krb5_data *,data),
! DECLARG(krb5_const_principal, princ))
OLDDECLARG(const krb5_keytype, keytype)
OLDDECLARG(krb5_keyblock *,keyblock)
OLDDECLARG(const krb5_data *,data)
! OLDDECLARG(krb5_const_principal, princ)
{
char copystr[512];
--- 46,56 ----
krb5_error_code mit_des_string_to_key (DECLARG(const krb5_keytype, keytype),
DECLARG(krb5_keyblock *,keyblock),
DECLARG(const krb5_data *,data),
! DECLARG(const krb5_data *,salt))
OLDDECLARG(const krb5_keytype, keytype)
OLDDECLARG(krb5_keyblock *,keyblock)
OLDDECLARG(const krb5_data *,data)
! OLDDECLARG(const krb5_data *,salt)
{
char copystr[512];
***************
*** 84,94 ****
bzero(copystr, sizeof(copystr));
j = min(data->length, 511);
(void) strncpy(copystr, data->data, j);
! if ( princ != 0 )
! for (i=0; princ[i] != 0 && j < 511; i++) {
! (void) strncpy(copystr+j, princ[i]->data,
! min(princ[i]->length, 511-j));
! j += min(princ[i]->length, 511-j);
}
/* convert copystr to des key */
--- 84,91 ----
bzero(copystr, sizeof(copystr));
j = min(data->length, 511);
(void) strncpy(copystr, data->data, j);
! if (salt != 0) {
! strncpy (copystr + j, salt->data, min(salt->length, 511-j));
}
/* convert copystr to des key */
*** /prgy/krb5/lib/kdb/fetch_mkey.c/[krb5_alpha2] Tue Sep 25 10:46:12 1990
--- /prgy/krb5/lib/kdb/fetch_mkey.c/pa_seed Wed Dec 5 16:58:44 1990
***************
*** 62,68 ****
{
krb5_error_code retval;
char password[BUFSIZ];
! krb5_data pwd;
int size = sizeof(password);
--- 62,68 ----
{
krb5_error_code retval;
char password[BUFSIZ];
! krb5_data pwd, salt;
int size = sizeof(password);
***************
*** 75,81 ****
pwd.data = password;
pwd.length = size;
! retval = krb5_string_to_key(eblock, key->keytype, key, &pwd, mname);
bzero(password, sizeof(password)); /* erase it */
return retval;
--- 75,82 ----
pwd.data = password;
pwd.length = size;
! salt = krb5_principal2salt(mname);
! retval = krb5_string_to_key(eblock, key->keytype, key, &pwd, &salt);
bzero(password, sizeof(password)); /* erase it */
return retval;
*** /prgy/krb5/lib/kdb/kdb_dbm.c/[krb5_alpha2] Fri Nov 2 10:36:03 1990
--- /prgy/krb5/lib/kdb/kdb_dbm.c/pa_seed Tue Dec 4 18:21:56 1990
***************
*** 407,415 ****
krb5_db_entry *entry;
{
krb5_db_entry copy_princ;
! char *unparse_princ, *unparse_mod_princ;
register char *nextloc;
! int princ_size, mod_size;
krb5_error_code retval;
--- 407,415 ----
krb5_db_entry *entry;
{
krb5_db_entry copy_princ;
! char *unparse_princ, *unparse_mod_princ, *unparse_key_salt;
register char *nextloc;
! int princ_size, mod_size, salt_size;
krb5_error_code retval;
***************
*** 423,444 ****
copy_princ.mod_name = 0;
if (retval = krb5_unparse_name(entry->principal, &unparse_princ))
! return(retval);
! if (retval = krb5_unparse_name(entry->mod_name, &unparse_mod_princ)) {
! free(unparse_princ);
! return(retval);
! }
princ_size = strlen(unparse_princ)+1;
mod_size = strlen(unparse_mod_princ)+1;
! contents->dsize = sizeof(copy_princ)+ princ_size + mod_size
+ entry->key.length;
contents->dptr = malloc(contents->dsize);
if (!contents->dptr) {
! free(unparse_princ);
! free(unparse_mod_princ);
! contents->dsize = 0;
! contents->dptr = 0;
! return(ENOMEM);
}
(void) bcopy((char *)©_princ, contents->dptr, sizeof(copy_princ));
nextloc = contents->dptr + sizeof(copy_princ);
--- 423,443 ----
copy_princ.mod_name = 0;
if (retval = krb5_unparse_name(entry->principal, &unparse_princ))
! goto out;
!
! if (retval = krb5_unparse_name(entry->mod_name, &unparse_mod_princ))
! goto out;
!
princ_size = strlen(unparse_princ)+1;
mod_size = strlen(unparse_mod_princ)+1;
! salt_size = entry->key_salt.length;
!
! contents->dsize = sizeof(copy_princ)+ princ_size + mod_size + salt_size
+ entry->key.length;
contents->dptr = malloc(contents->dsize);
if (!contents->dptr) {
! retval = ENOMEM;
! goto out;
}
(void) bcopy((char *)©_princ, contents->dptr, sizeof(copy_princ));
nextloc = contents->dptr + sizeof(copy_princ);
***************
*** 448,456 ****
(void) bcopy(unparse_mod_princ, nextloc, mod_size);
nextloc += mod_size;
(void) bcopy((char *)entry->key.contents, nextloc, entry->key.length);
free(unparse_princ);
free(unparse_mod_princ);
! return 0;
}
static void
--- 447,460 ----
(void) bcopy(unparse_mod_princ, nextloc, mod_size);
nextloc += mod_size;
(void) bcopy((char *)entry->key.contents, nextloc, entry->key.length);
+ nextloc += entry->key.length;
+ (void) bcopy(entry->key_salt.data, nextloc, salt_size);
+ out:
+ if (unparse_princ)
free(unparse_princ);
+ if (unparse_mod_princ)
free(unparse_mod_princ);
! return retval;
}
static void
***************
*** 471,477 ****
register char *nextloc;
krb5_principal princ, mod_princ;
krb5_error_code retval;
! int keysize;
/* undo the effects of encode_princ_contents.
*/
--- 475,481 ----
register char *nextloc;
krb5_principal princ, mod_princ;
krb5_error_code retval;
! int space_left;
/* undo the effects of encode_princ_contents.
*/
***************
*** 498,523 ****
}
entry->mod_name = mod_princ;
nextloc += strlen(nextloc)+1; /* advance past 2nd string */
! keysize = contents->dsize - (nextloc - contents->dptr);
! if (keysize <= 0) {
krb5_free_principal(princ);
krb5_free_principal(mod_princ);
(void) bzero((char *) entry, sizeof(*entry));
! return KRB5_KDB_TRUNCATED_RECORD;
}
! if (!(entry->key.contents = (unsigned char *)malloc(keysize))) {
krb5_free_principal(princ);
krb5_free_principal(mod_princ);
(void) bzero((char *) entry, sizeof(*entry));
return ENOMEM;
}
! (void) bcopy(nextloc, (char *)entry->key.contents, keysize);
! if (keysize != entry->key.length) {
! krb5_free_principal(princ);
! krb5_free_principal(mod_princ);
! free((char *)entry->key.contents);
! (void) bzero((char *) entry, sizeof(*entry));
! return KRB5_KDB_TRUNCATED_RECORD;
}
return 0;
}
--- 502,528 ----
}
entry->mod_name = mod_princ;
nextloc += strlen(nextloc)+1; /* advance past 2nd string */
! space_left = contents->dsize - (nextloc - contents->dptr);
! if (space_left < entry->key.length) {
krb5_free_principal(princ);
krb5_free_principal(mod_princ);
(void) bzero((char *) entry, sizeof(*entry));
! return ENOMEM;
}
! if (!(entry->key.contents = (unsigned char *)malloc(entry->key.length))) {
krb5_free_principal(princ);
krb5_free_principal(mod_princ);
(void) bzero((char *) entry, sizeof(*entry));
return ENOMEM;
}
! (void) bcopy(nextloc, (char *)entry->key.contents, entry->key.length);
! nextloc += entry->key.length;
! if (nextloc != contents->dptr + contents->dsize) {
! entry->key_salt.data = malloc (entry->key_salt.length);
! memcpy(entry->key_salt.data, nextloc, entry->key_salt.length);
! } else {
! entry->key_salt.length = 0;
! entry->key_salt.data = 0;
}
return 0;
}
***************
*** 532,537 ****
--- 537,544 ----
krb5_free_principal(entry->principal);
krb5_free_principal(entry->mod_name);
+ if (entry->key_salt.data)
+ free(entry->key_salt.data);
(void) bzero((char *)entry, sizeof(*entry));
return;
}
***************
*** 836,842 ****
if (db == NULL) {
retval = errno;
(void) krb5_dbm_db_unlock();
! errout(errno);
}
#undef errout
--- 843,849 ----
if (db == NULL) {
retval = errno;
(void) krb5_dbm_db_unlock();
! errout(retval);
}
#undef errout
***************
*** 971,978 ****
}
krb5_boolean
! krb5_dbm_db_set_lockmode(mode)
! krb5_boolean mode;
{
krb5_boolean old = non_blocking;
non_blocking = mode;
--- 978,985 ----
}
krb5_boolean
! krb5_dbm_db_set_lockmode(DECLARG(int,mode))
! OLDDECLARG(int,mode)
{
krb5_boolean old = non_blocking;
non_blocking = mode;
diff: /prgy/krb5/lib/krb/gc_frm_kdc.c/pa_seed: No such file or directory
*** /prgy/krb5/lib/krb/gc_via_tgt.c/[krb5_alpha2] Fri Oct 19 11:13:52 1990
--- /prgy/krb5/lib/krb/gc_via_tgt.c/pa_seed Thu Dec 6 19:48:45 1990
***************
*** 116,121 ****
--- 116,127 ----
dec_rep->enc_part2->session->length);\
krb5_free_kdc_rep(dec_rep); }
+ if (dec_rep->msg_type != KRB5_TGS_REP) {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ cleanup();
+ return retval;
+ }
+
/* now it's decrypted and ready for prime time */
if (!krb5_principal_compare(dec_rep->client, tgt->client)) {
*** /prgy/krb5/lib/krb/get_in_tkt.c/[krb5_alpha2] Fri Oct 19 11:13:43 1990
--- /prgy/krb5/lib/krb/get_in_tkt.c/pa_seed Thu Dec 6 20:23:35 1990
***************
*** 58,64 ****
typedef krb5_error_code (*git_key_proc) PROTOTYPE((const krb5_keytype,
krb5_keyblock **,
! krb5_const_pointer ));
typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((const krb5_keyblock *,
krb5_const_pointer,
krb5_kdc_rep * ));
--- 58,65 ----
typedef krb5_error_code (*git_key_proc) PROTOTYPE((const krb5_keytype,
krb5_keyblock **,
! krb5_const_pointer,
! krb5_pa_data **));
typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((const krb5_keyblock *,
krb5_const_pointer,
krb5_kdc_rep * ));
***************
*** 91,96 ****
--- 92,98 ----
krb5_data *packet;
krb5_data reply;
krb5_keyblock *decrypt_key;
+ krb5_data kdc_seed;
request.msg_type = KRB5_AS_REQ;
***************
*** 125,133 ****
/* now decode the reply...could be error or as_rep */
! if (!krb5_is_as_rep(&reply) && !krb5_is_krb_error(&reply))
! return KRB5KRB_AP_ERR_MSG_TYPE;
! if (retval = decode_krb5_as_rep(&reply, &as_reply)) {
if (decode_krb5_error(&reply, &err_reply))
return retval; /* some other reply--??? */
/* it was an error */
--- 127,133 ----
/* now decode the reply...could be error or as_rep */
! if (krb5_is_krb_error(&reply)) {
if (decode_krb5_error(&reply, &err_reply))
return retval; /* some other reply--??? */
/* it was an error */
***************
*** 145,154 ****
return retval;
}
/* it was a kdc_rep--decrypt & check */
/* generate the key */
! if (retval = (*key_proc)(keytype, &decrypt_key, keyseed)) {
krb5_free_kdc_rep(as_reply);
return retval;
}
--- 145,162 ----
return retval;
}
+ if (!krb5_is_as_rep(&reply))
+ return KRB5KRB_AP_ERR_MSG_TYPE;
+ if (retval = decode_krb5_as_rep(&reply, &as_reply))
+ return retval;
+
+ if (as_reply->msg_type != KRB5_AS_REP)
+ return KRB5KRB_AP_ERR_MSG_TYPE;
+
/* it was a kdc_rep--decrypt & check */
/* generate the key */
! if (retval = (*key_proc)(keytype, &decrypt_key, keyseed, as_reply->padata)) {
krb5_free_kdc_rep(as_reply);
return retval;
}
*** /prgy/krb5/lib/krb/in_tkt_pwd.c/[krb5_alpha2] Fri Oct 19 11:13:18 1990
--- /prgy/krb5/lib/krb/in_tkt_pwd.c/pa_seed Thu Dec 6 20:25:54 1990
***************
*** 34,53 ****
static krb5_error_code
pwd_keyproc(DECLARG(const krb5_keytype, type),
DECLARG(krb5_keyblock **, key),
! DECLARG(krb5_const_pointer, keyseed))
OLDDECLARG(const krb5_keytype, type)
OLDDECLARG(krb5_keyblock **, key)
OLDDECLARG(krb5_const_pointer, keyseed)
{
krb5_error_code retval;
! struct pwd_keyproc_arg *arg, arg2;
char pwdbuf[BUFSIZ];
int pwsize = sizeof(pwdbuf);
if (!valid_keytype(type))
return KRB5_PROG_KEYTYPE_NOSUPP;
! arg = (struct pwd_keyproc_arg *)keyseed;
if (!arg->password.length) {
if (retval = krb5_read_password(krb5_default_pwd_prompt1,
0,
--- 34,74 ----
static krb5_error_code
pwd_keyproc(DECLARG(const krb5_keytype, type),
DECLARG(krb5_keyblock **, key),
! DECLARG(krb5_const_pointer, keyseed),
! DECLARG(krb5_pa_data **,padata))
OLDDECLARG(const krb5_keytype, type)
OLDDECLARG(krb5_keyblock **, key)
OLDDECLARG(krb5_const_pointer, keyseed)
+ OLDDECLARG(krb5_pa_data **,padata)
{
+ krb5_data salt;
krb5_error_code retval;
! const struct pwd_keyproc_arg *arg;
! struct pwd_keyproc_arg arg2;
char pwdbuf[BUFSIZ];
int pwsize = sizeof(pwdbuf);
+ salt.length = 0;
+
+ if (padata) {
+ krb5_pa_data **ptr;
+
+ for (ptr = padata; *ptr; ptr++)
+ {
+ if ((*ptr)->pa_type == KRB5_PADATA_PW_SALT)
+ {
+ /* use KDC-supplied salt, instead of default */
+ salt.length = (*ptr)->length;
+ salt.data = (char *)(*ptr)->contents;
+ break;
+ }
+ }
+ }
+
if (!valid_keytype(type))
return KRB5_PROG_KEYTYPE_NOSUPP;
! arg = (const struct pwd_keyproc_arg *)keyseed;
if (!arg->password.length) {
if (retval = krb5_read_password(krb5_default_pwd_prompt1,
0,
***************
*** 54,62 ****
pwdbuf, &pwsize))
return retval;
arg2 = *arg;
arg = &arg2;
- arg->password.length = pwsize;
- arg->password.data = pwdbuf;
}
*key = (krb5_keyblock *)malloc(sizeof(**key));
if (!*key)
--- 75,83 ----
pwdbuf, &pwsize))
return retval;
arg2 = *arg;
+ arg2.password.length = pwsize;
+ arg2.password.data = pwdbuf;
arg = &arg2;
}
*key = (krb5_keyblock *)malloc(sizeof(**key));
if (!*key)
***************
*** 66,72 ****
string_to_key)(type,
*key,
&arg->password,
! arg->who)) {
free((char *) *key);
return(retval);
}
--- 87,93 ----
string_to_key)(type,
*key,
&arg->password,
! &salt)) {
free((char *) *key);
return(retval);
}
***************
*** 113,119 ****
struct pwd_keyproc_arg keyseed;
! keyseed.password.data = (char *)password;
if (password)
keyseed.password.length = strlen(password);
else
--- 134,140 ----
struct pwd_keyproc_arg keyseed;
! keyseed.password.data = password;
if (password)
keyseed.password.length = strlen(password);
else
*** /prgy/krb5/lib/krb/in_tkt_sky.c/[krb5_alpha2] Fri Oct 19 11:13:24 1990
--- /prgy/krb5/lib/krb/in_tkt_sky.c/pa_seed Thu Dec 6 20:23:06 1990
***************
*** 22,28 ****
#include <krb5/ext-proto.h>
struct skey_keyproc_arg {
! krb5_keyblock *key;
krb5_principal server; /* it's a pointer, really! */
};
--- 22,28 ----
#include <krb5/ext-proto.h>
struct skey_keyproc_arg {
! const krb5_keyblock *key;
krb5_principal server; /* it's a pointer, really! */
};
***************
*** 34,43 ****
static krb5_error_code
skey_keyproc(DECLARG(const krb5_keytype, type),
DECLARG(krb5_keyblock **, key),
! DECLARG(krb5_const_pointer, keyseed))
OLDDECLARG(const krb5_keytype, type)
OLDDECLARG(krb5_keyblock **, key)
OLDDECLARG(krb5_const_pointer, keyseed)
{
krb5_keyblock *realkey;
const struct skey_keyproc_arg *arg;
--- 34,45 ----
static krb5_error_code
skey_keyproc(DECLARG(const krb5_keytype, type),
DECLARG(krb5_keyblock **, key),
! DECLARG(krb5_const_pointer, keyseed),
! DECLARG(krb5_pa_data **, padata))
OLDDECLARG(const krb5_keytype, type)
OLDDECLARG(krb5_keyblock **, key)
OLDDECLARG(krb5_const_pointer, keyseed)
+ OLDDECLARG(krb5_pa_data **,padata)
{
krb5_keyblock *realkey;
const struct skey_keyproc_arg *arg;
***************
*** 129,135 ****
krb5_keytype keytype;
if (key) {
! arg.key = (krb5_keyblock *)key;
arg.server = 0;
keytype = key->keytype;
} else {
--- 131,137 ----
krb5_keytype keytype;
if (key) {
! arg.key = key;
arg.server = 0;
keytype = key->keytype;
} else {
*** /dev/null Fri Apr 1 10:32:33 1988
--- /prgy/krb5/lib/krb/pr_to_salt.c Wed Dec 5 16:23:17 1990
***************
*** 0 ****
--- 1,46 ----
+ /*
+ * $Source$
+ * $Author$
+ *
+ * krb5_principal2salt()
+ */
+
+ #if !defined(lint) && !defined(SABER)
+ static char rcsid_pr_to_salt_c[] =
+ "$Id$";
+ #endif /* !lint & !SABER */
+
+ #include <krb5/krb5.h>
+ #include <krb5/ext-proto.h>
+
+ /*
+ * Convert a krb5_principal into the default salt for that principal.
+ */
+
+ krb5_data
+ krb5_principal2salt(pr)
+ krb5_principal pr;
+ {
+ int size, offset;
+ krb5_data **prp;
+
+ krb5_data ret;
+
+ if (pr == 0) {
+ ret.length = 0;
+ ret.data = 0;
+ } else {
+ for (size = 0, prp = pr; *prp; prp++)
+ size += (*prp)->length;
+
+ ret.length = size;
+ ret.data = malloc (size+1);
+
+ for (offset=0, prp=pr; *prp; prp++)
+ {
+ memcpy(&ret.data[offset],(*prp)->data, (*prp)->length);
+ offset += (*prp)->length;
+ }
+ }
+ return ret;
+ }
