svn rev #25226: trunk/src/lib/kdb/

ghudson@MIT.EDU ghudson at MIT.EDU
Thu Sep 22 14:09:45 EDT 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=25226
Commit By: ghudson
Log Message:
ticket: 6964
subject: Support special salt type in default krb5_dbe_cpw.

This change allows the "special" salt type to be used in
supported_enctypes or in the argument to kadmin's cpw -e.  If used,
kadmind will pick a salt consisting of 64 random bits represented as
16 printable ASCII characters.  The use of random explicit salts
creates some interoperability issues and is not generally recommended,
but can be useful for interop testing, as a workaround for obscure
bugs, or to increase the difficulty of brute-force password searches
in situations where none of the interoperability issues apply.


Changed Files:
U   trunk/src/lib/kdb/kdb_cpw.c
Modified: trunk/src/lib/kdb/kdb_cpw.c
===================================================================
--- trunk/src/lib/kdb/kdb_cpw.c	2011-09-22 16:20:13 UTC (rev 25225)
+++ trunk/src/lib/kdb/kdb_cpw.c	2011-09-22 18:09:45 UTC (rev 25226)
@@ -339,6 +339,37 @@
     return(retval);
 }
 
+/* Construct a random explicit salt. */
+static krb5_error_code
+make_random_salt(krb5_context context, krb5_keysalt *salt_out)
+{
+    krb5_error_code retval;
+    unsigned char rndbuf[8];
+    krb5_data salt, rnd = make_data(rndbuf, sizeof(rndbuf));
+    unsigned int i;
+
+    /*
+     * Salts are limited by RFC 4120 to 7-bit ASCII.  For ease of examination
+     * and to avoid certain folding issues for older enctypes, we use printable
+     * characters with four fixed bits and four random bits, encoding 64
+     * psuedo-random bits into 16 bytes.
+     */
+    retval = krb5_c_random_make_octets(context, &rnd);
+    if (retval)
+        return retval;
+    retval = alloc_data(&salt, sizeof(rndbuf) * 2);
+    if (retval)
+        return retval;
+    for (i = 0; i < sizeof(rndbuf); i++) {
+        salt.data[i * 2] = 0x40 | (rndbuf[i] >> 4);
+        salt.data[i * 2 + 1] = 0x40 | (rndbuf[i] & 0xf);
+    }
+
+    salt_out->type = KRB5_KDB_SALTTYPE_SPECIAL;
+    salt_out->data = salt;
+    return 0;
+}
+
 /*
  * Add key_data for a krb5_db_entry
  * If passwd is NULL the assumes that the caller wants a random password.
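Review bot: The header comment on make_random_salt does not say that salt_out->data is heap memory from alloc_data that the caller becomes responsible for freeing, which is the one fact a caller of this helper needs; suggest `/* Construct a random explicit salt.  On success salt_out->data is allocated with alloc_data and owned by the caller. */`. The block comment inside the function also has the typo `psuedo-random` for `pseudo-random`. Since each output byte is `0x40 | nibble`, the salt is always 16 characters drawn from '@' and 'A'..'O'; stating that in the comment would let an administrator recognize such salts when examining a database dump. The random bytes come from krb5_c_random_make_octets and only feed the salt, which is not secret material, so no scrubbing of rndbuf is needed.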
@@ -431,6 +462,11 @@
                 return retval;
             key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
             break;
+        case KRB5_KDB_SALTTYPE_SPECIAL:
+            retval = make_random_salt(context, &key_salt);
+            if (retval)
+                return retval;
+            break;
         default:
             return(KRB5_KDB_BAD_SALTTYPE);
         }
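Review bot: The new KRB5_KDB_SALTTYPE_SPECIAL case leaves key_salt.data pointing at heap memory allocated inside make_random_salt, whereas the AFS case just above only sets key_salt.data.length on storage that appears to be managed elsewhere; the hunk does not show whether the code after the switch frees key_salt.data for this salt type, so that should be confirmed, and a free added on both the success path and any early-return path if it is missing, since this would otherwise leak 16 bytes per key generated with the special salt. The enclosing function starts and ends outside this hunk, so the cleanup path is not visible here.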



