Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

Fri, 04 Nov 2011 13:15:31 -0700 

On Fri, 2011-11-04 at 15:59 -0400, Simo Sorce wrote:
> On Fri, 2011-11-04 at 15:15 -0400, Nalin Dahyabhai wrote:
> > On Thu, Nov 03, 2011 at 06:26:15PM -0400, Simo Sorce wrote:
> > > As stated in the bug in order to attain better interoperability with
> > > Windows clients we need to change the way we generate the random salt.
> > 
> > Nack.  The data in a krb5_data is of type 'char', and if it's signed,
> > the math used here doesn't produce a printable result.  Might also want
> > to increase KRB5P_SALT_SIZE.
> 
> Ah crap, right.
> 
> I initially used a safe construct: data[i] &= 0x5F
> Then realized that one of the possible values (5F + 20 = 7F) is
> unprintable, so I switched to this unsafe one.
> 
> Will get a revised patch for ipa-2-1 and an amendment for master.
> 
> Thanks a lot for spotting this one!

Attached amendment patch for master and an already amended new patch for
ipa-2-1.


-- 
Simo Sorce * Red Hat, Inc * New York

>From 40034df9def29b1a649a5b3d1586966eb186c97e Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Fri, 4 Nov 2011 16:04:19 -0400
Subject: [PATCH] Amend #2038 fix

The math was unsafe, thanks to Nalin for spotting it.
---
 util/ipa_krb5.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index ba9d3cefce0944d790715c3249f158b9f0ae232d..0d487fb8aa1df47295c76e09f841f475a6d0e3de 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -30,8 +30,13 @@ static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
      * To avoid any compatibility issue, limits octects only to
      * the ASCII printable range, or 0x20 <= val <= 0x7E */
     for (i = 0; i < salt->length; i++) {
-        salt->data[i] %= 0x5E; /* 7E - 20 */
+        /* math must be sign-safe as krb5_data octets use signed chars */
+        salt->data[i] &= 0x5F; /* Cut down and ... */
         salt->data[i] += 0x20; /* add base */
+        /* add a pseudo random substitute for unprintable DEL */
+        if (salt->data[i] == 0x7F) {
+            salt->data[i] = 0x30 + i;
+        }
     }
 
     return 0;
-- 
1.7.7


>From d07db98f70759c98a046042100828d3debc4cdcb Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Thu, 3 Nov 2011 16:15:10 -0400
Subject: [PATCH] Modify random salt creation for interoperability

port to ipa-2-1
ameneded math safety issue

See:
https://fedorahosted.org/freeipa/ticket/2038
---
 .../ipa-pwd-extop/ipapwd_encoding.c                |   43 ++++++++++++++++----
 1 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index cd4610c6ffd6f1b4eae61521335a7e26d319fa9d..6f61e92be54018d0f3d2c35b2879716d16d96512 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -47,6 +47,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
+#include <errno.h>
 
 #include <dirsrv/slapi-plugin.h>
 #include <lber.h>
@@ -249,6 +250,39 @@ void encode_int16(unsigned int val, unsigned char *p)
     p[0] = (val      ) & 0xff;
 }
 
+static krb5_error_code ipa_get_random_salt(krb5_context krbctx,
+                                           krb5_data *salt)
+{
+    krb5_error_code kerr;
+    int i;
+
+    /* make random salt */
+    salt->length = KRB5P_SALT_SIZE;
+    salt->data = malloc(KRB5P_SALT_SIZE);
+    if (!salt->data) {
+        return ENOMEM;
+    }
+    kerr = krb5_c_random_make_octets(krbctx, salt);
+    if (kerr) {
+        return kerr;
+    }
+
+    /* Windows treats the salt as a string.
+     * To avoid any compatibility issue, limits octects only to
+     * the ASCII printable range, or 0x20 <= val <= 0x7E */
+    for (i = 0; i < salt->length; i++) {
+        /* math must be sign-safe as krb5_data octets use signed chars */
+        salt->data[i] &= 0x5F; /* Cut down and ... */
+        salt->data[i] += 0x20; /* add base */
+        /* add a pseudo random substitute for unprintable DEL */
+        if (salt->data[i] == 0x7F) {
+            salt->data[i] = 0x30 + i;
+        }
+    }
+
+    return 0;
+}
+
 static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
                                         struct ipapwd_data *data,
                                         char **errMesg)
@@ -376,14 +410,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
         case KRB5_KDB_SALTTYPE_SPECIAL:
 
-            /* make random salt */
-            salt.length = KRB5P_SALT_SIZE;
-            salt.data = malloc(KRB5P_SALT_SIZE);
-            if (!salt.data) {
-                LOG_OOM();
-                goto enc_error;
-            }
-            krberr = krb5_c_random_make_octets(krbctx, &salt);
+            krberr = ipa_get_random_salt(krbctx, &salt);
             if (krberr) {
                 LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
                           krb5_get_error_message(krbctx, krberr));
-- 
1.7.7


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to