non-ascii password in kerberos authentication

Tue Sep 18 04:41:55 EDT 2007

Just understand why the password [êéFair123] is reduced to one char [ê]. 
After conversion to UCS-2LE, the byte sequence of password is:
==========================================================
[0xFFFFFFEA 0x0 0xFFFFFFE9 0x0 0x46 0x0 0x61 0x0 0x69 0x0 0x72 0x0 0x31 0x0 0x32 0x0 0x33 0x0]
==========================================================
The system uses 4 bytes for a char type.

However, the code treat it as a pointer to character array and returns the pointer:
==========================================================
static char * character_converter(char *fromCode, char *toCode, const char *infield)
{
  	char outbuf[MAX_ATTRIBUTE_LENGTH*2+1];
  	static char convertedBuf[MAX_ATTRIBUTE_LENGTH*2+1];
  	char* outptr = outbuf;
    	size_t outsize = sizeof(outbuf);
  	size_t result = 0;
  	const char *inptr = infield;
  	size_t insize = strlen(infield);
	int saved_errno = 0;
	iconv_t cd;
  ......	

    	if (outptr != outbuf) {
    		int saved_errno = errno;

	    	/*
    		** save off the result into the convertedBuf.
	    	*/
	        memset(convertedBuf, '\0', (MAX_ATTRIBUTE_LENGTH*2+1));
	        strncpy(convertedBuf, outbuf, outptr-outbuf);
	        errno = saved_errno;
    	}

  ...... 

  	return (convertedBuf);
}
==========================================================
So when the password pointer is returned and used/read, it will stop at the 2nd char 0x00, then we will only get the first char [0xFFFFFFEA] which is [ê]. 

The defect is inborn with the feature that UCS-2LE uses fixed-length encoding that always encodes characters into a single 16-bit value. So if the password is encoded in UCS-2LE, how can we submit it to krb5 functions which does the real authentication job?

TIA,
Xu Qiang

> -----Original Message-----
> From: krbdev-bounces at mit.edu 
> [mailto:krbdev-bounces at mit.edu]On Behalf Of Xu Qiang
> Sent: Monday, September 17, 2007 4:26 PM
> To: Ken Raeburn
> Cc: krbdev at mit.edu
> Subject: RE: non-ascii password in kerberos authentication
>
> =========================================================
> #define	UCS_2LE			"UCS-2LE"
> #define	UTF_8				"UTF-8"
> #define ISO_8859			"ISO-8859-1"
> #define AUTH_PASSWORD_SIZE              (256)
> #define MAX_ATTRIBUTE_LENGTH            (AUTH_PASSWORD_SIZE * 2)
> char tmpPassword[AUTH_PASSWORD_SIZE];
> char *tmpUcs2Password = NULL;
> char *password;
> ......
> 				fprintf(stderr, "before 
> convert, password is [%s]\n", tmpPassword);
> 				if ((tmpUcs2Password = 
> character_converter(ISO_8859, UCS_2LE, tmpPassword)) != NULL)
> 				{
> 					password = tmpUcs2Password;
> 				}
> 				else
> 				{
> 					fprintf(stderr, "Fail 
> to convert character!\n");
> 				}
> 				fprintf(stderr, "after convert, 
> password is [%s]\n", password);
> =========================================================
> Look quite straightforward.
> 
> But although my passed in password is [êéFair123], the 
> converted password is cut into only one char - [ê]. It seems 
> UCS-2LE is not supported by the system library function "iconv()"?