Docs on string-to-key routines?

Jeffrey Hutzelman jhutz at cmu.edu
Fri Mar 12 12:40:54 EST 2004



On Friday, March 12, 2004 00:41:06 -0800 "Henry B. Hotz" 
<hotz at jpl.nasa.gov> wrote:

> At 8:54 PM -0500 3/11/04, Jeffrey Hutzelman wrote:
>> On Thursday, March 11, 2004 16:38:46 -0800 "Henry B. Hotz"
>> <hotz at jpl.nasa.gov> wrote:
>>
>>> Where is the "real" description of the string-to-key functions, V4, AFS,
>>> and V5?
>> AFS supports only the single-DES enctype.  The AFS string-to-key
>> function is not documented; you'll have to read the source.
>>
>> All of these functions support input of essentially unlimited length.
>
> Just looked at the OpenAFS code and some old KTH code.  The former has a
> loop of some kind with no obvious limit (as you said).  The latter uses a
> different algorithm for length <=8 from >8.  In the latter case they have
> an array of size 512 which might imply a limit of 511 characters.  That's
> big enough.

Ah, you noticed that.

Yes, the algorithm is different for input of length 8 or less -- once upon 
a time, passwords were simply truncated to 8 characters; this is consistent 
with what UNIX did at the time.  Today, we use a different algorithm for 
passwords longer than 8 characters; the new algorithm uses des_cbc_cksum 
and will work on an arbitrarily large input.  The OpenAFS client code uses 
buffers of size BUFSIZ to handle input and conversion of passwords, so it 
can't deal with a password larger than BUFSIZ-1 (and indeed, things close 
to that limit will get salted incorrectly, and so won't work consistently 
either).  Note that BUFSIZ is a platform-defined limit; on my RH7.1 machine 
it's 8K.


Note that it sounds like the OpenAFS code you were looking at was actually 
src/des/strng_to_key.c, which implements the DES string-to-key function, 
not the AFS one.  The AFS string-to-key code is in src/kauth/client.c.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
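
The fixed-buffer failure mode described above, as an added example that is not part of the original post and is not OpenAFS code. It assumes a simplified model in which the key-derivation input is the password followed by the cell name as salt; the function names are hypothetical and `cap` stands in for BUFSIZ.

```c
#include <stdio.h>
#include <string.h>

/* Model only: key-derivation input = password followed by the cell name,
 * assembled in a fixed buffer of `cap` bytes (cap stands in for BUFSIZ). */

/* Truncating build: silently drops whatever does not fit; returns length. */
size_t salt_truncating(char *buf, size_t cap, const char *pw, const char *cell)
{
    if (cap == 0)
        return 0;
    (void)snprintf(buf, cap, "%s%s", pw, cell);
    return strlen(buf);
}

/* Checked build: 0 on success, -1 if password plus salt would not fit. */
int salt_checked(char *buf, size_t cap, const char *pw, const char *cell)
{
    size_t plen = strlen(pw), clen = strlen(cell);
    if (plen >= cap || clen >= cap - plen)
        return -1;              /* refuse rather than derive from a cut salt */
    memcpy(buf, pw, plen);
    memcpy(buf + plen, cell, clen + 1);
    return 0;
}

/* 1 if two different cells give the same truncated input for one password. */
int salts_collide(size_t cap, const char *pw, const char *c1, const char *c2)
{
    char a[BUFSIZ], b[BUFSIZ];
    if (cap > sizeof a)
        cap = sizeof a;
    salt_truncating(a, cap, pw, c1);
    salt_truncating(b, cap, pw, c2);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample values; a cap of 16 keeps the demonstration small. */
    const char *pw = "correcthorse12";
    char buf[64];
    printf("cap 16, collide: %d\n", salts_collide(16, pw, "cs.example.edu", "cmu.example.edu"));
    printf("cap 64, collide: %d\n", salts_collide(64, pw, "cs.example.edu", "cmu.example.edu"));
    printf("checked, cap 16: %d\n", salt_checked(buf, 16, pw, "cs.example.edu"));
    return 0;
}
```

With the small cap, only the first character of each cell name survives, so the derived input no longer depends on the full salt; the checked variant reports the overflow instead.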


