svn rev #22264: trunk/src/kdc/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Apr 16 12:46:35 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22264
Commit By: ghudson
Log Message:
ticket: 6470
subject: Send explicit salt for SALTTYPE_NORMAL keys
target_version: 1.7
tags: pullup

Change the signature of _make_etype_info_entry to take the canonical
client principal instead of the request structure.  Also fixes the salt
we compute for SALTTYPE_NOREALM keys.

Sending an explicit salt for SALTTYPE_NORMAL keys is believed to be
necessary for some preauth scenarios involving aliases.



Changed Files:
U   trunk/src/kdc/kdc_preauth.c
U   trunk/src/kdc/kdc_util.c
Modified: trunk/src/kdc/kdc_preauth.c
===================================================================
--- trunk/src/kdc/kdc_preauth.c	2009-04-15 21:07:09 UTC (rev 22263)
+++ trunk/src/kdc/kdc_preauth.c	2009-04-16 16:46:33 UTC (rev 22264)
@@ -1510,7 +1510,7 @@
 
 static krb5_error_code
 _make_etype_info_entry(krb5_context context,
-		       krb5_kdc_req *request, krb5_key_data *client_key,
+		       krb5_principal client_princ, krb5_key_data *client_key,
 		       krb5_enctype etype, krb5_etype_info_entry **entry,
 		       int etype_info2)
 {
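Review bot: The new client_princ parameter carries no comment saying which principal it must be, even though the commit message and all three updated call sites (client->princ, not request->client) show the whole point of the signature change is that the salt must be derived from the canonical database principal. A comment above the signature such as `/* client_princ must be the canonical (database) principal, not request->client, because the emitted salt is derived from it. */` would stop the next caller from reintroducing the alias mismatch. The body of _make_etype_info_entry continues outside the hunk.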
@@ -1529,8 +1529,7 @@
     tmp_entry->salt = 0;
     tmp_entry->s2kparams.data = NULL;
     tmp_entry->s2kparams.length = 0;
-    retval = get_salt_from_key(context, request->client,
-			       client_key, &salt);
+    retval = get_salt_from_key(context, client_princ, client_key, &salt);
     if (retval)
 	goto fail;
     if (etype_info2 && client_key->key_data_ver > 1 &&
@@ -1609,10 +1608,10 @@
 	if (request_contains_enctype(context, request, db_etype)) {
 	    assert(etype_info2 ||
 		   !enctype_requires_etype_info_2(db_etype));
-	    if ((retval = _make_etype_info_entry(context, request, client_key,
-			    db_etype, &entry[i], etype_info2)) != 0) {
+	    retval = _make_etype_info_entry(context, client->princ, client_key,
+					    db_etype, &entry[i], etype_info2);
+	    if (retval != 0)
 		goto cleanup;
-	    }
 	    entry[i+1] = 0;
 	    i++;
 	}
@@ -1634,10 +1633,11 @@
 
 	    }
 	    if (request_contains_enctype(context, request, db_etype)) {
-		if ((retval = _make_etype_info_entry(context, request,
-				client_key, db_etype, &entry[i], etype_info2)) != 0) {
+		retval = _make_etype_info_entry(context, client->princ,
+						client_key, db_etype,
+						&entry[i], etype_info2);
+		if (retval != 0)
 		    goto cleanup;
-		}
 		entry[i+1] = 0;
 		i++;
 	    }
@@ -1732,9 +1732,9 @@
     }
     entry[0] = NULL;
     entry[1] = NULL;
-    retval = _make_etype_info_entry(context, request,
-				    client_key, encrypting_key->enctype,
-				    entry, etype_info2);
+    retval = _make_etype_info_entry(context, client->princ, client_key,
+				    encrypting_key->enctype, entry,
+				    etype_info2);
     if (retval)
 	goto cleanup;
 

Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2009-04-15 21:07:09 UTC (rev 22263)
+++ trunk/src/kdc/kdc_util.c	2009-04-16 16:46:33 UTC (rev 22264)
@@ -1566,6 +1566,13 @@
 
     switch (client_key->key_data_type[1]) {
     case KRB5_KDB_SALTTYPE_NORMAL:
+	/*
+	 * The client could infer the salt from the principal, but
+	 * might use the wrong principal name if this is an alias.  So
+	 * it's more reliable to send an explicit salt.
+	 */
+	if ((retval = krb5_principal2salt(context, client, salt)))
+	    return retval;
 	break;
     case KRB5_KDB_SALTTYPE_V4:
 	/* send an empty (V4) salt */
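Review bot: The added KRB5_KDB_SALTTYPE_NORMAL branch now emits the canonical principal name (via krb5_principal2salt) to whoever sent the request; if this etype-info is returned in the unauthenticated preauth-required error, as it usually is, a requester who names an alias learns the canonical name before proving anything. That is presumably acceptable since aliases are meant to be resolvable, but the comment should record it as deliberate, e.g. `/* Note: this reveals the canonical name to unauthenticated requesters. */`. Separately, the new call is written as an assignment inside the condition, while this same commit rewrites every call site in kdc_preauth.c into the two-statement form; `retval = krb5_principal2salt(context, client, salt);` followed by `if (retval)` / `return retval;` would keep the file consistent. The enclosing function (get_salt_from_key, judging by the caller in kdc_preauth.c) starts and ends outside the hunk.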



