From looney@babar.isc-net.upenn.edu Wed Sep 6 11:46:47 2000 Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id LAA28522 for ; Wed, 6 Sep 2000 11:46:46 -0400 (EDT) Received: from BABAR.ISC-NET.UPENN.EDU by MIT.EDU with SMTP id AA01398; Wed, 6 Sep 00 11:47:13 EDT Received: (from looney@localhost) by babar.isc-net.upenn.edu (8.9.3/8.8.7) id LAA05669; Wed, 6 Sep 2000 11:46:46 -0400 Message-Id: <200009061546.LAA05669@babar.isc-net.upenn.edu> Date: Wed, 6 Sep 2000 11:46:46 -0400 From: looney@isc.upenn.edu Reply-To: looney@isc.upenn.edu To: krb5-bugs@MIT.EDU Cc: looney@isc.upenn.edu Subject: kadmin cli subcmds "-e" flg: wrong keysalt seps? X-Send-Pr-Version: 3.99 >Number: 884 >Category: krb5-admin >Synopsis: kadmin cli subcmds "-e" flg: wrong keysalt seps? >Confidential: no >Severity: non-critical >Priority: low >Responsible: tlyu >State: analyzed >Class: sw-bug >Submitter-Id: unknown >Arrival-Date: Wed Sep 6 11:47:00 EDT 2000 >Last-Modified: Wed Jan 24 18:27:01 EST 2001 >Originator: Jon Looney >Organization: Jonathan Looney Phone: (215)898-3121 University of Pennsylvania Fax: (215)898-9348 3401 Walnut Street, Suite 221A E-mail: looney@isc.upenn.edu Philadelphia, PA 19104-6228 >Release: krb5-1.2.1 >Environment: System: Linux babar.isc-net.upenn.edu 2.2.5-22 #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown Architecture: i686 >Description: As distributed, the kadmin code supports specifying encyption key and salt types with a -e option for several commands. The documentation specifies a colon to separate key encryption types from salt types (ex: "des-cbc-crc:none"). However, the code supports ":", ".", and "-". Supporting the dash ("-") breaks the optionality of specifying a salt type if you are using a key type which includes a dash in its string representation. I have written a patch which brings the code in conformance to the documentation by removing support for the "." and "-" to separate key encryption types from salt types. >How-To-Repeat: $ kadmin -e "des-cbc-crc" kadmin> ktadd -e "des-cbc-crc" princ/instance@REALM kadmin> addprinc -e "des-cbc-crc" princ/instance@REALM kadmin> cpw -e "des-cbc-crc" princ/instance@REALM kadmin> ktadd -e "des3-hmac-sha1" princ/instance@REALM etc. >Fix: 1. workaround: Always specify a salt type (even if its "none") and separate the key encryption type from the salt type with a colon. Reason: The code looks for matches to one of the charachters defined as a separator between the encryption type and salt type in the order they are listed in the code (":", then ".", then "-"). So, if a colon is found to separate a valid key encryption type and salt type, the code will never look for a "-" as a separator. 2. patch: This patch brings the code in compliance with the documentation in this area by only looking for a colon as a separator between key encryption type and salt type. This allows the code to correctly specify the default salt type if none is specified. The patch should be run from the src/ directory. ----begin patch---- diff -ru old/kadmin.c kadmin/cli/kadmin.c --- old/kadmin.c Wed Sep 6 02:48:23 2000 +++ kadmin/cli/kadmin.c Wed Sep 6 02:13:33 2000 @@ -221,7 +221,7 @@ case 'e': retval = krb5_string_to_keysalts(optarg, ", \t", - ":.-", + ":", 0, ¶ms.keysalts, ¶ms.num_keysalts); @@ -553,7 +553,7 @@ "change_password: missing keysaltlist arg\n"); goto usage; } - retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, + retval = krb5_string_to_keysalts(*++argv, ", \t", ":", 0, &ks_tuple, &n_ks_tuple); if (retval) { com_err("change_password", retval, @@ -804,7 +804,7 @@ if (++i > argc - 2) return -1; else { - retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0, + retval = krb5_string_to_keysalts(argv[i], ", \t", ":", 0, ks_tuple, n_ks_tuple); if (retval) { com_err(caller, retval, diff -ru old/keytab.c kadmin/cli/keytab.c --- old/keytab.c Wed Sep 6 02:48:37 2000 +++ kadmin/cli/keytab.c Wed Sep 6 01:38:19 2000 @@ -143,7 +143,7 @@ add_usage(); return; } - retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0, + retval = krb5_string_to_keysalts(*++argv, ", \t", ":", 0, &ks_tuple, &n_ks_tuple); if (retval) { com_err("ktadd", retval, "while parsing keysalts %s", ----end patch---- >Audit-Trail: Responsible-Changed-From-To: krb5-unassigned->tlyu Responsible-Changed-By: tlyu Responsible-Changed-When: Wed Jan 24 18:24:02 2001 Responsible-Changed-Why: refiled State-Changed-From-To: open-analyzed State-Changed-By: tlyu State-Changed-When: Wed Jan 24 18:26:44 2001 State-Changed-Why: From: Tom Yu To: looney@isc.upenn.edu Cc: krb5-bugs@MIT.EDU, looney@isc.upenn.edu Subject: Re: krb5-admin/884: kadmin cli subcmds "-e" flg: wrong keysalt seps? Date: Wed, 24 Jan 2001 18:26:35 -0500 (EST) >>>>> "looney" == looney writes: looney> As distributed, the kadmin code supports specifying encyption looney> key and salt types with a -e option for several commands. The looney> documentation specifies a colon to separate key encryption looney> types from salt types (ex: "des-cbc-crc:none"). However, the looney> code supports ":", ".", and "-". Supporting the dash ("-") looney> breaks the optionality of specifying a salt type if you are looney> using a key type which includes a dash in its string looney> representation. I'm not sure whether I'd describe this as a doc bug or as a software bug. Certainly all other code that parses keysalt tuples uses ":.-" as keysalt separators, including the code that reads the config files. I copied that usage for consistency. It may be best to make all the usages of string_to_keysalts() use only a ":" a separator. This may need some more analysis. ---Tom >Unformatted: