As stated in the bug, in order to attain better interoperability with
Windows clients, we need to change the way we generate the random salt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 350fdbfeab1cd04ba1ef576f7de075dbb91b6dfc Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Thu, 3 Nov 2011 16:15:10 -0400
Subject: [PATCH] Modify random salt creation for interoperability

See:
https://fedorahosted.org/freeipa/ticket/2038
---
 util/ipa_krb5.c |   37 +++++++++++++++++++++++++++++--------
 1 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 5b6fc5821a04614030353a376f33d2ca89bc86b2..ba9d3cefce0944d790715c3249f158b9f0ae232d 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -9,6 +9,34 @@
 /* Salt types */
 #define KRB5P_SALT_SIZE 16
 
+static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
+                                           krb5_data *salt)
+{
+    krb5_error_code kerr;
+    int i;
+
+    /* make random salt */
+    salt->length = KRB5P_SALT_SIZE;
+    salt->data = malloc(KRB5P_SALT_SIZE);
+    if (!salt->data) {
+        return ENOMEM;
+    }
+    kerr = krb5_c_random_make_octets(krbctx, salt);
+    if (kerr) {
+        return kerr;
+    }
+
+    /* Windows treats the salt as a string.
+     * To avoid any compatibility issue, limits octects only to
+     * the ASCII printable range, or 0x20 <= val <= 0x7E */
+    for (i = 0; i < salt->length; i++) {
+        salt->data[i] %= 0x5E; /* 7E - 20 */
+        salt->data[i] += 0x20; /* add base */
+    }
+
+    return 0;
+}
+
 void
 ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val)
 {
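Review bot: The printable-range mapping in the `for` loop breaks where `char` is signed: `salt->data` is a `char *`, so a random octet of 0x80 or above is negative, `%= 0x5E` leaves a negative remainder, and adding 0x20 can yield control bytes or NUL instead of 0x20–0x7E. Do the arithmetic on an unsigned value, e.g. `salt->data[i] = (char)(0x20 + (unsigned char)salt->data[i] % 0x5F);`. The modulus should be 0x5F (95 values) if 0x7E is meant to be reachable as the comment states; with 0x5E the highest value is 0x7D. Restricting each octet this way also reduces the salt from 128 bits to roughly 105 bits of randomness, which is worth recording in the comment.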
@@ -125,14 +153,7 @@ krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,
 
         case KRB5_KDB_SALTTYPE_SPECIAL:
 
-            /* make random salt */
-            salt.length = KRB5P_SALT_SIZE;
-            salt.data = malloc(KRB5P_SALT_SIZE);
-            if (!salt.data) {
-                kerr = ENOMEM;
-                goto done;
-            }
-            kerr = krb5_c_random_make_octets(krbctx, &salt);
+            kerr = ipa_get_random_salt(krbctx, &salt);
             if (kerr) {
                 goto done;
             }
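Review bot: When `krb5_c_random_make_octets` fails, `ipa_get_random_salt` returns with `salt->data` still allocated, so this call site depends on the `done` path releasing `salt.data`; that label is outside the hunk, so whether it does cannot be confirmed here. Having the helper clean up before its `return kerr;`, e.g. `free(salt->data); salt->data = NULL; salt->length = 0;`, would make the ownership contract independent of the caller. ipa_krb5_generate_key_data begins and ends outside the hunk.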
-- 
1.7.7
