krb5 commit: Always include salt in LDAP KrbKey encoding

Greg Hudson ghudson at MIT.EDU
Thu Jun 5 11:43:05 EDT 2014


https://github.com/krb5/krb5/commit/1825455ede7e61ab934b16262fb5b12b78a52f1a
commit 1825455ede7e61ab934b16262fb5b12b78a52f1a
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sat May 24 22:58:26 2014 -0400

    Always include salt in LDAP KrbKey encoding
    
    In the LDAP KDB module, ensure that every krb5_key_data we pass to
    asn1_encode_sequence_of_keys includes a salt type, for compatibility
    with the decoder in unpatched krb5 1.11 and 1.12.
    
    This is not a behavior change by itself; since 1.7 the encoder has
    always included a KrbKey salt field because it erroneously treats that
    field as non-optional.  (Luckily, the encoded salt always happens to
    have salt type 0 because krb5_key_data constructors start with zeroed
    memory.)  The next commit will fix the encoder and decoder to properly
    treat the KrbKey salt field as optional, so we need this change to
    ensure that our encodings remain compatible.
    
    Also fix the ASN.1 tests to set key_data_ver correctly for the sample
    test key data.
    
    ticket: 7919

 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |   21 +++++++++++++++++++-
 src/tests/asn.1/ktest.c                            |    1 +
 2 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 0070273..482066f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -397,17 +397,35 @@ asn1_decode_sequence_of_keys(krb5_data *in, krb5_key_data **out,
 
 /* Decoding ASN.1 encoded key */
 static struct berval **
-krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data,
+krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
                          krb5_kvno mkvno) {
     struct berval **ret = NULL;
     int currkvno;
     int num_versions = 1;
     int i, j, last;
     krb5_error_code err = 0;
+    krb5_key_data *key_data;
 
     if (n_key_data <= 0)
         return NULL;
 
+    /* Make a shallow copy of the key data so we can alter it. */
+    key_data = k5calloc(n_key_data, sizeof(*key_data), &err);
+    if (key_data_in == NULL)
+        goto cleanup;
+    memcpy(key_data, key_data_in, n_key_data * sizeof(*key_data));
+
+    /* Unpatched krb5 1.11 and 1.12 cannot decode KrbKey sequences with no salt
+     * field.  For compatibility, always encode a salt field. */
+    for (i = 0; i < n_key_data; i++) {
+        if (key_data[i].key_data_ver == 1) {
+            key_data[i].key_data_ver = 2;
+            key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_NORMAL;
+            key_data[i].key_data_length[1] = 0;
+            key_data[i].key_data_contents[1] = NULL;
+        }
+    }
+
     /* Find the number of key versions */
     for (i = 0; i < n_key_data - 1; i++)
         if (key_data[i].key_data_kvno != key_data[i + 1].key_data_kvno)
@@ -443,6 +461,7 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data, int n_key_data,
 
 cleanup:
 
+    free(key_data);
     if (err != 0) {
         if (ret != NULL) {
             for (i = 0; i <= num_versions; i++)
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 4ce9f70..e4b3764 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -908,6 +908,7 @@ ktest_make_sample_key_data(krb5_key_data *p, int i)
     len = asprintf(&str, "key%d", i);
     if (len < 0)
         abort();
+    p->key_data_ver = 2;
     p->key_data_type[0] = 2;
     p->key_data_length[0] = (unsigned int) len;
     p->key_data_contents[0] = (krb5_octet *)str;


More information about the cvs-krb5 mailing list