On Fri, 2011-11-04 at 08:03 -0400, Simo Sorce wrote:
> On Fri, 2011-11-04 at 12:55 +0100, Martin Kosek wrote:
> > On Fri, 2011-11-04 at 07:41 -0400, Simo Sorce wrote:
> > > On Fri, 2011-11-04 at 11:14 +0100, Martin Kosek wrote:
> > > > On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
> > > > > On Thu, 03 Nov 2011, Simo Sorce wrote:
> > > > > > As stated in the bug in order to attain better interoperability with
> > > > > > Windows clients we need to change the way we generate the random 
> > > > > > salt.
> > > > > ACK.
> > > > > 
> > > > 
> > > > Pushed to master.
> > > 
> > > Should we backport this to 2.x as well ?
> > > 
> > > Simo.
> > > 
> > 
> > Hm, looks important enough to do it. You are talking about
> > 
> > daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
> 
> Yes
> 
> > right? It should be pretty straightforward to backport it there.
> 
> Yes

Patch against ipa-2-1 attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From a94cc05c563240b2ad4058aeac918790065ac886 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Thu, 3 Nov 2011 16:15:10 -0400
Subject: [PATCH] Modify random salt creation for interoperability

port to ipa-2-1

See:
https://fedorahosted.org/freeipa/ticket/2038
---
 .../ipa-pwd-extop/ipapwd_encoding.c                |   38 +++++++++++++++----
 1 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index cd4610c6ffd6f1b4eae61521335a7e26d319fa9d..4cd2451a4ebaae0a8dd642ca2fb88aeea37cebdb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -47,6 +47,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
+#include <errno.h>
 
 #include <dirsrv/slapi-plugin.h>
 #include <lber.h>
@@ -249,6 +250,34 @@ void encode_int16(unsigned int val, unsigned char *p)
     p[0] = (val      ) & 0xff;
 }
 
+static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
+                                           krb5_data *salt)
+{
+    krb5_error_code kerr;
+    int i;
+
+    /* make random salt */
+    salt->length = KRB5P_SALT_SIZE;
+    salt->data = malloc(KRB5P_SALT_SIZE);
+    if (!salt->data) {
+        return ENOMEM;
+    }
+    kerr = krb5_c_random_make_octets(krbctx, salt);
+    if (kerr) {
+        return kerr;
+    }
+
+    /* Windows treats the salt as a string.
+     * To avoid any compatibility issue, limits octects only to
+     * the ASCII printable range, or 0x20 <= val <= 0x7E */
+    for (i = 0; i < salt->length; i++) {
+        salt->data[i] %= 0x5E; /* 7E - 20 */
+        salt->data[i] += 0x20; /* add base */
+    }
+
+    return 0;
+}
+
 static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
                                         struct ipapwd_data *data,
                                         char **errMesg)
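Review bot: The printable-range mapping in the new ipa_get_random_salt loop, `salt->data[i] %= 0x5E;`, operates on `char`, which is signed on the usual x86 builds, so any random byte at or above 0x80 yields a negative remainder and the added 0x20 leaves it outside the 0x20..0x7E range the comment promises. Doing the arithmetic through `unsigned char` avoids that: `unsigned char c = (unsigned char)salt->data[i];` then `salt->data[i] = (char)((c % 0x5E) + 0x20);`. Separately, `% 0x5E` produces 0x20..0x7D only, so 0x7E is never emitted despite the comment saying `<= 0x7E`; either use `% 0x5F` or adjust the comment to the range actually generated. The `int i` index compared against `salt->length` (likely unsigned in krb5_data) will also trip -Wsign-compare; an `unsigned int` index matches the field.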
@@ -376,14 +405,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
         case KRB5_KDB_SALTTYPE_SPECIAL:
 
-            /* make random salt */
-            salt.length = KRB5P_SALT_SIZE;
-            salt.data = malloc(KRB5P_SALT_SIZE);
-            if (!salt.data) {
-                LOG_OOM();
-                goto enc_error;
-            }
-            krberr = krb5_c_random_make_octets(krbctx, &salt);
+            krberr = ipa_get_random_salt(krbctx, &salt);
             if (krberr) {
                 LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
                           krb5_get_error_message(krbctx, krberr));
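Review bot: The LOG_FATAL text still reads `krb5_c_random_make_octets failed`, but krberr now comes from ipa_get_random_salt and can also be the ENOMEM that the old code reported separately through LOG_OOM, so the message now misattributes allocation failures. Renaming the message to the helper, `LOG_FATAL("ipa_get_random_salt failed [%s]\n",`, keeps the log accurate for both failure sources. The enclosing encrypt_encode_key body continues outside the hunk, so whether enc_error releases salt.data when the helper fails after its malloc cannot be confirmed from here.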
-- 
1.7.7

