diff options
| author | Tom Yu <tlyu@mit.edu> | 2010-01-08 23:43:12 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2010-01-08 23:43:12 +0000 |
| commit | 0ba8c570c81f95a8061b39e1268a00d89d2c691e (patch) | |
| tree | 9432dbde50de7d4cc643165fd5e41f17bc0b3ca1 | |
| parent | 0671701f0bcdbb5ec556a1ccdfede0536fc3f7da (diff) | |
| download | krb5-0ba8c570c81f95a8061b39e1268a00d89d2c691e.zip krb5-0ba8c570c81f95a8061b39e1268a00d89d2c691e.tar.gz krb5-0ba8c570c81f95a8061b39e1268a00d89d2c691e.tar.bz2 | |
pull up r23610 from trunk
------------------------------------------------------------------------
r23610 | ghudson | 2010-01-07 21:43:21 -0500 (Thu, 07 Jan 2010) | 10 lines
ticket: 6626
subject: Restore interoperability with 1.6 addprinc -randkey
tags: pullup
target_version: 1.8
The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the
1.6 dummy password and use a random password instead.
ticket: 6626
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23619 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index a58c798..2f2faaa 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -186,6 +186,32 @@ static void cleanup_key_data(context, count, data) krb5_db_free(context, data); } +/* + * Set *passptr to NULL if the request looks like the first part of a krb5 1.6 + * addprinc -randkey operation. The krb5 1.6 dummy password for these requests + * was invalid UTF-8, which runs afoul of the arcfour string-to-key. + */ +static void +check_1_6_dummy(kadm5_principal_ent_t entry, long mask, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, char **passptr) +{ + int i; + char *password = *passptr; + + /* Old-style randkey operations disallowed tickets to start. */ + if (!(mask & KADM5_ATTRIBUTES) || + !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) + return; + + /* The 1.6 dummy password was the octets 1..255. */ + for (i = 0; (unsigned char) password[i] == i + 1; i++); + if (password[i] != '\0' || i != 255) + return; + + /* This will make the caller use a random password instead. */ + *passptr = NULL; +} + kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t entry, long mask, @@ -215,6 +241,8 @@ kadm5_create_principal_3(void *server_handle, krb5_clear_error_message(handle->context); + check_1_6_dummy(entry, mask, n_ks_tuple, ks_tuple, &password); + /* * Argument sanity checking, and opening up the DB */ |