On Fri, 2011-11-04 at 08:03 -0400, Simo Sorce wrote:
> On Fri, 2011-11-04 at 12:55 +0100, Martin Kosek wrote:
> > On Fri, 2011-11-04 at 07:41 -0400, Simo Sorce wrote:
> > > On Fri, 2011-11-04 at 11:14 +0100, Martin Kosek wrote:
> > > > On Fri, 2011-11-04 at 10:04 +0200, Alexander Bokovoy wrote:
> > > > > On Thu, 03 Nov 2011, Simo Sorce wrote:
> > > > > > As stated in the bug in order to attain better interoperability with
> > > > > > Windows clients we need to change the way we generate the random
> > > > > > salt.
> > > > > ACK.
> > > > >
> > > >
> > > Pushed to master.
> > >
> > > Should we backport this to 2.x as well?
> > >
> > > Simo.
> > >
> > > > Hm, looks important enough to do it. You are talking about
> > > > daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
> > Yes
> > > right? It should be pretty straightforward to backport it there.
> > Yes
Patch against ipa-2-1 attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From a94cc05c563240b2ad4058aeac918790065ac886 Mon Sep 17 00:00:00 2001 From: Simo Sorce <[email protected]> Date: Thu, 3 Nov 2011 16:15:10 -0400 Subject: [PATCH] Modify random salt creation for interoperability port to ipa-2-1 See: https://fedorahosted.org/freeipa/ticket/2038 --- .../ipa-pwd-extop/ipapwd_encoding.c | 38 +++++++++++++++---- 1 files changed, 30 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index cd4610c6ffd6f1b4eae61521335a7e26d319fa9d..4cd2451a4ebaae0a8dd642ca2fb88aeea37cebdb 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -47,6 +47,7 @@ #include <sys/stat.h> #include <fcntl.h> #include <unistd.h> +#include <errno.h> #include <dirsrv/slapi-plugin.h> #include <lber.h> @@ -249,6 +250,34 @@ void encode_int16(unsigned int val, unsigned char *p) p[0] = (val ) & 0xff; } +static krb5_error_code ipa_get_random_salt(krb5_context krbctx, + krb5_data *salt) +{ + krb5_error_code kerr; + int i; + + /* make random salt */ + salt->length = KRB5P_SALT_SIZE; + salt->data = malloc(KRB5P_SALT_SIZE); + if (!salt->data) { + return ENOMEM; + } + kerr = krb5_c_random_make_octets(krbctx, salt); + if (kerr) { + return kerr; + } + + /* Windows treats the salt as a string. + * To avoid any compatibility issue, limits octects only to + * the ASCII printable range, or 0x20 <= val <= 0x7E */ + for (i = 0; i < salt->length; i++) { + salt->data[i] %= 0x5E; /* 7E - 20 */ + salt->data[i] += 0x20; /* add base */ + } + + return 0; +} + static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, struct ipapwd_data *data, char **errMesg) 
@@ -376,14 +405,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, case KRB5_KDB_SALTTYPE_SPECIAL: - /* make random salt */ - salt.length = KRB5P_SALT_SIZE; - salt.data = malloc(KRB5P_SALT_SIZE); - if (!salt.data) { - LOG_OOM(); - goto enc_error; - } - krberr = krb5_c_random_make_octets(krbctx, &salt); + krberr = ipa_get_random_salt(krbctx, &salt); if (krberr) { LOG_FATAL("krb5_c_random_make_octets failed [%s]\n", krb5_get_error_message(krbctx, krberr)); -- 1.7.7
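Review bot: in the @@ -249,6 +250,34 @@ hunk, the clamping loop in ipa_get_random_salt() operates on `salt->data[i]`, whose type is `char` (krb5_data.data is a `char *`); on platforms where `char` is signed, octets with the high bit set are negative, `%= 0x5E` then yields a negative remainder and `+= 0x20` leaves a value outside the intended 0x20..0x7E range, so about half of the salt bytes would not be printable ASCII, defeating the purpose of the patch. Do the arithmetic on an unsigned value, e.g. `salt->data[i] = (unsigned char)salt->data[i] % 0x5E + 0x20;`. Two smaller points in the same hunk: the comment promises 0x20 <= val <= 0x7E (95 values) but `% 0x5E` (94) never produces 0x7E, so either the comment or the modulus (0x5F) should change, and since 256 is not a multiple of the modulus the reduction is slightly biased (residues 0..67 occur three times, the rest twice), which is tolerable for a salt but deserves a comment; the comment also has typos ("octects", "limits" for "octets", "limit"). The ENOMEM return path also silently drops the LOG_OOM() diagnostic the old inline code emitted.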
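Review bot: in the @@ -376,14 +405,7 @@ hunk, the LOG_FATAL message still reads "krb5_c_random_make_octets failed" although the call it now reports on is ipa_get_random_salt(), which can also fail with ENOMEM from its malloc(); rename the message (e.g. "ipa_get_random_salt failed [%s]") so the log names the right function, or have the caller check for ENOMEM and keep the LOG_OOM() call that this hunk removes.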
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
