diff options
| author | Greg Hudson <ghudson@mit.edu> | 2010-01-08 02:43:21 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-01-08 02:43:21 +0000 |
| commit | f6b381170552b311793a593e10e2108a10b0397b (patch) | |
| tree | 79db3c89983e964c75471017935562c9b2e64ce5 /src/lib/kadm5 | |
| parent | f1ac7570002acc490b0f7a535435c1076779812c (diff) | |
| download | krb5-f6b381170552b311793a593e10e2108a10b0397b.zip krb5-f6b381170552b311793a593e10e2108a10b0397b.tar.gz krb5-f6b381170552b311793a593e10e2108a10b0397b.tar.bz2 | |
Restore interoperability with 1.6 addprinc -randkey
The arcfour string-to-key operation in krb5 1.7 (or later) disagrees
with the dummy password used by the addprinc -randkey operation in
krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the
1.6 dummy password and use a random password instead.
ticket: 6626
tags: pullup
target_version: 1.8
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23610 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5')
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index a58c798..2f2faaa 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -186,6 +186,32 @@ static void cleanup_key_data(context, count, data) krb5_db_free(context, data); } +/* + * Set *passptr to NULL if the request looks like the first part of a krb5 1.6 + * addprinc -randkey operation. The krb5 1.6 dummy password for these requests + * was invalid UTF-8, which runs afoul of the arcfour string-to-key. + */ +static void +check_1_6_dummy(kadm5_principal_ent_t entry, long mask, + int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, char **passptr) +{ + int i; + char *password = *passptr; + + /* Old-style randkey operations disallowed tickets to start. */ + if (!(mask & KADM5_ATTRIBUTES) || + !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX)) + return; + + /* The 1.6 dummy password was the octets 1..255. */ + for (i = 0; (unsigned char) password[i] == i + 1; i++); + if (password[i] != '\0' || i != 255) + return; + + /* This will make the caller use a random password instead. */ + *passptr = NULL; +} + kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t entry, long mask, @@ -215,6 +241,8 @@ kadm5_create_principal_3(void *server_handle, krb5_clear_error_message(handle->context); + check_1_6_dummy(entry, mask, n_ks_tuple, ks_tuple, &password); + /* * Argument sanity checking, and opening up the DB */ |