[krbdev.mit.edu #7919] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Jun 5 11:43:08 EDT 2014
Treat LDAP KrbKey salt field as optional
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
https://github.com/krb5/krb5/commit/fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48
Author: Greg Hudson <ghudson at mit.edu>
Commit: fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48
Branch: master
src/lib/krb5/asn.1/ldap_key_seq.c | 19 ++++++++++++++++---
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 6 ++++--
src/tests/kdbtest.c | 2 +-
3 files changed, 21 insertions(+), 6 deletions(-)
More information about the krb5-bugs
mailing list