From: Kevin Coffman
To: krb5-bugs@MIT.EDU
Cc: kwc@citi.umich.edu
Date: Tue, 23 Jun 98 10:31:46 -0400
Message-Id: <9806231432.AA21327@MIT.EDU>
Subject: AFS key incorrect with passwords longer than eight characters

>Number: 613
>Category: krb5-libs
>Synopsis: AFS key incorrect with passwords longer than eight characters
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: kenh
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jun 23 10:33:00 EDT 1998
>Last-Modified: Mon Apr 8 13:34:48 EDT 2002
>Originator: Operator
>Organization: University of Michigan Center for Information Technology Integration
>Release: krb5-1.0.5
>Environment:
Using K5 and fakeka as AFS authentication.
System: SunOS babble.citi.umich.edu 4.1.2 4 sun4c
Architecture: sun4
>Description:
The mit_afs_string_to_key() routine expects salt data (realm name) to be
null-terminated when passwords are longer than eight characters.
Routine add_key_pwd() in lib/kdb/kdb_cpw.c does not pass in a
null-terminated string. Garbage at the end of the salt is used to
produce the AFS key.
>How-To-Repeat:
Change a user's password with K4 kpasswd, K5 kpasswd, or kadmin.
User cannot authenticate using klog/fakeka because the AFS key in the
database is incorrect.
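As an added illustration (not code from this report or from the krb5 tree), the following C stand-in shows the mechanism behind the bug: a length-counted salt buffer with no trailing NUL is read past its end by a strlen-style consumer, while a terminated copy made the way the fix does is read correctly. The struct name, helper names and the realm string are constructed for this example; the -1 length seen in the patched code is treated as a value the helper refuses.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data: a length-counted buffer that is NOT
 * guaranteed to carry a trailing NUL byte (constructed type). */
typedef struct {
    int   length;
    char *data;
} salt_data;

/* Copy a length-counted salt into a fresh, NUL-terminated buffer,
 * which is what the patch does before handing the realm on as salt.
 * Returns NULL if the length is unusable or allocation fails
 * (the ENOMEM path in the patch). Caller must free() the result. */
char *salt_terminated_copy(const salt_data *in)
{
    char *out;
    if (in->length < 0)              /* refuse the -1 sentinel value */
        return NULL;
    out = malloc((size_t)in->length + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, in->data, (size_t)in->length);
    out[in->length] = '\0';          /* the terminator the consumer needs */
    return out;
}

/* Number of bytes a C-string consumer (one that uses strlen on the
 * salt, as the report says the string-to-key routine does) would
 * actually treat as the salt. */
size_t salt_bytes_seen_by_cstring_consumer(const salt_data *in)
{
    return strlen(in->data);
}

/* Constructed scenario: the realm occupies the first 11 bytes of a
 * larger buffer, with unrelated bytes directly behind it and no NUL
 * right after the realm. A consumer using strlen sees all 20 bytes. */
static char constructed_buf[] = "EXAMPLE.ORG<garbage>";
const salt_data constructed_salt = { 11, constructed_buf };

int main(void)
{
    char *s = salt_terminated_copy(&constructed_salt);   /* "EXAMPLE.ORG" */
    free(s);
    return 0;
}
```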
>Fix:
I applied the following change to lib/kdb/kdb_cpw.c to terminate the
realm name passed in as the salt value for AFS keys:

Index: kdb_cpw.c
===================================================================
RCS file: /usr/um/src/krb5/krb5-1.0.5UM/src/lib/kdb/kdb_cpw.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -r1.1.1.1 -r1.2
395a396,397
> 	char * terminated_string;
> 
399d400
< 
400a402,417
> 	/*
> 	 * The krb5_string_to_key function expects a null-terminated realm
> 	 * name.  Re-allocate storage with room for a terminator and
> 	 * terminate the string.
> 	 */
> 	if ((terminated_string = malloc(key_salt.data.length + 1)) == NULL)
> 	{
> 	    if (key_salt.data.data)
> 		free(key_salt.data.data);
> 	    krb5_xfree(saltdata);
> 	    return(ENOMEM);
> 	}
> 	memcpy(terminated_string, key_salt.data.data, key_salt.data.length);
> 	terminated_string[key_salt.data.length] = '\0';
> 	free(key_salt.data.data);
> 	key_salt.data.data = terminated_string;
>Audit-Trail:

From: "Theodore Y. Ts'o"
To: krb5-bugs@MIT.EDU, Kevin Coffman
Cc: gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/613: AFS key incorrect with passwords longer than eight characters
Date: Tue, 23 Jun 1998 14:56:19 -0400

Kevin,

Could you resubmit your patch using a context diff ("diff -c")
or preferably if your diff supports it, a unified diff ("diff -u")? A
normal ed-style diff is usually almost useless unless the source file is
identical with the one you used to generate the patch, which is rarely
the case. Most maintainers generally are much more appreciative if you
send either a context diff or a unified diff.

Thanks!!

- Ted

From: Kevin Coffman
To: "Theodore Y. Ts'o"
Cc: krb5-bugs@MIT.EDU, Kevin Coffman, gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/613: AFS key incorrect with passwords longer than eight characters
Date: Tue, 23 Jun 98 15:21:32 -0400

Sorry, I shoulda known better. Here is a context diff, unified not available.
> Kevin,
>
> Could you resubmit your patch using a context diff ("diff -c")
> or preferably if your diff supports it, a unified diff ("diff -u")? A
> normal ed-style diff is usually almost useless unless the source file is
> identical with the one you used to generate the patch, which is rarely
> the case. Most maintainers generally are much more appreciative if you
> send either a context diff or a unified diff.
>
> Thanks!!
>
> - Ted

Index: kdb_cpw.c
===================================================================
RCS file: /usr/um/src/krb5/krb5-1.0.5UM/src/lib/kdb/kdb_cpw.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -c -r1.1.1.1 -r1.2
*** /tmp/T0_8vwya	Tue Jun 23 15:11:26 1998
--- /tmp/T1_Avwyb	Tue Jun 23 15:11:26 1998
***************
*** 393,403 ****
  	break;
      case KRB5_KDB_SALTTYPE_AFS3:
  	{
  	    krb5_data * saltdata;
  	    if (retval = krb5_copy_data(context, krb5_princ_realm(context, db_entry->princ), &saltdata))
  		return(retval);
- 
  	    key_salt.data = *saltdata;
  	    key_salt.data.length = -1;	/*length actually used below...*/
  	    krb5_xfree(saltdata);
  	}
--- 393,420 ----
  	break;
      case KRB5_KDB_SALTTYPE_AFS3:
  	{
  	    krb5_data * saltdata;
+ 	    char * terminated_string;
+ 
  	    if (retval = krb5_copy_data(context, krb5_princ_realm(context, db_entry->princ), &saltdata))
  		return(retval);
  	    key_salt.data = *saltdata;
+ 	    /*
+ 	     * The krb5_string_to_key function expects a null-terminated realm
+ 	     * name.  Re-allocate storage with room for a terminator and
+ 	     * terminate the string.
+ 	     */
+ 	    if ((terminated_string = malloc(key_salt.data.length + 1)) == NULL)
+ 	    {
+ 		if (key_salt.data.data)
+ 		    free(key_salt.data.data);
+ 		krb5_xfree(saltdata);
+ 		return(ENOMEM);
+ 	    }
+ 	    memcpy(terminated_string, key_salt.data.data, key_salt.data.length);
+ 	    terminated_string[key_salt.data.length] = '\0';
+ 	    free(key_salt.data.data);
+ 	    key_salt.data.data = terminated_string;
  	    key_salt.data.length = -1;	/*length actually used below...*/
  	    krb5_xfree(saltdata);
  	}

Responsible-Changed-From-To: gnats-admin->kenh
Responsible-Changed-By: hartmans
Responsible-Changed-When: Thu Apr 4 16:49:00 2002
Responsible-Changed-Why:
Hey, Ken, could you look at this bug and tell me if it still exists?

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Mon Apr 8 13:34:29 2002
State-Changed-Why:
Fixed in 1997.
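Review bot: in the context-diff hunk for case KRB5_KDB_SALTTYPE_AFS3, the added free(key_salt.data.data) calls release a buffer that krb5_copy_data() allocated, while the adjacent existing line releases the companion struct with krb5_xfree(saltdata); using the same library release call for both keeps the allocator pairing consistent. The unchanged line right after the additions, key_salt.data.length = -1; /*length actually used below...*/, means the consumer cannot rely on the length field, so the terminator this hunk adds is the only thing that tells it where the realm ends; a one-line comment there stating that dependency would keep a later edit from dropping the terminator. Since the Description places the terminator expectation in mit_afs_string_to_key() itself, it is also worth making that routine honour the salt's length so other callers of the AFS3 salt path do not each need this workaround.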