
Re: multiple krb5 salted des keys



On Wed, 19 Jul 2000, Derrick J Brashear wrote:

> Now get_des_key seems to work correctly, but v5 authentication sometimes
> gets a v4 salted key, which doesn't work for win2k machines, because
> you're not applying the same care in getting des keys for v5 as for v4. 
> 
> I'd guess the right answer to this is to duplicate the code in
> get_des_key, modify so keys of only the desired enctype can get retrieved,
> and call it for des etypes.

For things which aren't des this is a wrapper around hdb_enctype2key.
For things which are, it gives a v5 key if one exists, a v4 key if not. I
suppose it should also give an afs key if neither of the first two exist so
a conversion from a kaserver database has working service keys, but the v4
key needs to be given if no v5 key exists for the same reason: services
which have an unsalted v4 key, but we don't care since nothing's typing a
password.

Since find_this_etype is the same idea as get_des_key, adding afs key
support if it's appropriate is easy enough. Maybe I'll just do it, and
send another patch.

*** sandbox/heimdal/kdc/kerberos5.c	Wed Jul 12 00:49:13 2000
--- ./kerberos5.c	Wed Jul 19 14:55:31 2000
***************
*** 33,39 ****
  
  #include "kdc_locl.h"
  
! RCSID("$Id: kerberos5.c,v 1.115 2000/07/11 23:37:17 assar Exp $");
  
  #define MAX_TIME ((time_t)((1U << 31) - 1))
  
--- 33,39 ----
  
  #include "kdc_locl.h"
  
! RCSID("$Id: kerberos5.c,v 1.114 2000/07/06 22:43:04 assar Exp $");
  
  #define MAX_TIME ((time_t)((1U << 31) - 1))
  
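Review bot: the RCSID hunk goes from revision 1.115 (`*** sandbox/heimdal/kdc/kerberos5.c`) to 1.114 (`--- ./kerberos5.c`), so the new side of this diff is the older file and applying it would regress the id line; drop this hunk, or regenerate the diff against the current sandbox copy, so only the find_this_etype changes remain.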
***************
*** 105,110 ****
--- 105,144 ----
  
  #else
  
+ krb5_error_code
+ find_this_etype(hdb_entry *principal, krb5_enctype etype, Key **ret_key)
+ {
+     Key *v5_key = NULL, *v4_key = NULL;
+     int i, j;
+     krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, 
+                               ETYPE_DES_CBC_MD4, 
+                               ETYPE_DES_CBC_CRC };
+     for(i = 0; i < sizeof(etypes)/sizeof(etypes[0]); ++i) {
+ 	if (etype == etypes[i]) {
+ 	    Key *key = NULL;
+ 	    while((j = hdb_next_enctype2key(context, principal, etype, &key)) 
+ 		  == 0) {
+ 		if(key->salt == NULL) {
+ 		    if(v5_key == NULL)
+ 			v5_key = key;
+ 		} else if(key->salt->type == hdb_pw_salt && 
+ 			  key->salt->salt.length == 0) {
+ 		    if(v4_key == NULL)
+ 			v4_key = key;
+ 		}
+ 	    }
+ 	    if(v5_key)
+ 		*ret_key = v5_key;
+ 	    else if (v4_key)
+ 		*ret_key = v4_key;
+ 	    if(!*ret_key || (*ret_key)->key.keyvalue.length == 0)
+ 		return KERB_ERR_NULL_KEY;
+ 	    return 0;
+ 	}
+     }
+     return hdb_enctype2key(context, principal, etype, ret_key);
+ }
+ 
  static krb5_error_code
  find_etype(hdb_entry *princ, unsigned *etypes, unsigned len, 
  	   Key **key, int *index)
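Review bot: on the DES path `*ret_key` is never assigned when neither a v5 nor a v4 key is found (`if(v5_key) ... else if (v4_key) ...` has no final else), yet the following `if(!*ret_key || (*ret_key)->key.keyvalue.length == 0)` reads and dereferences whatever the caller left there; find_etype passes the same `key` through every iteration of its loop, so a pointer left over from an earlier enctype gets checked instead of reporting that no key exists. Add `*ret_key = NULL;` at the top of the function (or assign it in a final else). Minor: find_etype is `static` but find_this_etype is not; mark it `static` unless it is meant to be used outside kerberos5.c.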
***************
*** 115,121 ****
      for(i = 0; i < len ; i++) {
  	krb5_error_code tmp;
  
! 	tmp = hdb_enctype2key(context, princ, etypes[i], key);
  	if (tmp == 0) {
  	    if ((*key)->key.keyvalue.length != 0) {
  		ret = 0;
--- 149,155 ----
      for(i = 0; i < len ; i++) {
  	krb5_error_code tmp;
  
! 	tmp = find_this_etype(princ, etypes[i], key);
  	if (tmp == 0) {
  	    if ((*key)->key.keyvalue.length != 0) {
  		ret = 0;
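The key-selection precedence the reply describes (unsalted v5 key first, v4 key with an empty pw salt next, and the proposed afs-salted fallback last), as an added stand-alone example that is not the patch's or Heimdal's code; the Key/Salt structs and the database entries are constructed stand-ins, not hdb.h types.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for Heimdal's hdb Key/Salt records (not hdb.h). */
enum salt_kind { SALT_PW, SALT_AFS3 };

typedef struct {
    const char *label;     /* for the reader and the tests only */
    int has_salt;          /* 0: no explicit salt, i.e. a v5 key on the default salt */
    enum salt_kind kind;   /* meaningful only when has_salt != 0 */
    size_t salt_len;       /* v4 keys: pw-type salt of length 0 */
    size_t key_len;        /* 0 models a null (unusable) key */
} des_key;

/*
 * Precedence from the mail: v5 (unsalted) key, then v4 (empty pw salt) key,
 * then afs3-salted key.  Unlike the patch, zero-length keys are skipped up
 * front rather than rejected after selection, so a null v5 key cannot hide
 * a usable v4 key.  Returns NULL when the entry has no usable DES key.
 */
const des_key *pick_des_key(const des_key *keys, size_t n)
{
    const des_key *v5 = NULL, *v4 = NULL, *afs = NULL;
    for (size_t i = 0; i < n; i++) {
        const des_key *k = &keys[i];
        if (k->key_len == 0)
            continue;
        if (!k->has_salt) {
            if (v5 == NULL) v5 = k;
        } else if (k->kind == SALT_PW && k->salt_len == 0) {
            if (v4 == NULL) v4 = k;
        } else if (k->kind == SALT_AFS3) {
            if (afs == NULL) afs = k;
        }
        /* any other salted key is not a candidate and is ignored */
    }
    return v5 ? v5 : v4 ? v4 : afs;
}

/* Constructed principal entries (label, has_salt, kind, salt_len, key_len). */
const des_key mixed_entry[] = {
    { "v4",  1, SALT_PW,   0, 8 },
    { "afs", 1, SALT_AFS3, 9, 8 },
    { "v5",  0, SALT_PW,   0, 8 },
};
const des_key kaserver_entry[] = { { "afs", 1, SALT_AFS3, 9, 8 } };
const des_key null_entry[]     = { { "v5-null", 0, SALT_PW, 0, 0 } };
```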