svn rev #23610: trunk/src/lib/kadm5/srv/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Jan 7 21:43:21 EST 2010 

http://src.mit.edu/fisheye/changelog/krb5/?cs=23610
Commit By: ghudson
Log Message:
ticket: 6626
subject: Restore interoperability with 1.6 addprinc -randkey
tags: pullup
target_version: 1.8

The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8.  Recognize the
1.6 dummy password and use a random password instead.



Changed Files:
U   trunk/src/lib/kadm5/srv/svr_principal.c
Modified: trunk/src/lib/kadm5/srv/svr_principal.c
===================================================================
--- trunk/src/lib/kadm5/srv/svr_principal.c	2010-01-08 02:12:24 UTC (rev 23609)
+++ trunk/src/lib/kadm5/srv/svr_principal.c	2010-01-08 02:43:21 UTC (rev 23610)
@@ -186,6 +186,32 @@
     krb5_db_free(context, data);
 }
 
+/*
+ * Set *passptr to NULL if the request looks like the first part of a krb5 1.6
+ * addprinc -randkey operation.  The krb5 1.6 dummy password for these requests
+ * was invalid UTF-8, which runs afoul of the arcfour string-to-key.
+ */
+static void
+check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
+                int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, char **passptr)
+{
+    int i;
+    char *password = *passptr;
+
+    /* Old-style randkey operations disallowed tickets to start. */
+    if (!(mask & KADM5_ATTRIBUTES) ||
+        !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
+        return;
+
+    /* The 1.6 dummy password was the octets 1..255. */
+    for (i = 0; (unsigned char) password[i] == i + 1; i++);
+    if (password[i] != '\0' || i != 255)
+        return;
+
+    /* This will make the caller use a random password instead. */
+    *passptr = NULL;
+}
+
 kadm5_ret_t
 kadm5_create_principal(void *server_handle,
                        kadm5_principal_ent_t entry, long mask,
@@ -215,6 +241,8 @@
 
     krb5_clear_error_message(handle->context);
 
+    check_1_6_dummy(entry, mask, n_ks_tuple, ks_tuple, &password);
+
     /*
      * Argument sanity checking, and opening up the DB
      */

More information about the cvs-krb5 mailing list