From kwc@citi.umich.edu Tue Jun 23 10:32:13 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id KAA13632 for <bugs@RT-11.MIT.EDU>; Tue, 23 Jun 1998 10:32:12 -0400
Received: from citi.umich.edu by MIT.EDU with SMTP
id AA21327; Tue, 23 Jun 98 10:32:10 EDT
Received: from buffalo.citi.umich.edu [141.211.92.191] by citi.umich.edu for kwc@citi.umich.edu krb5-bugs@mit.edu with SMTP; Tue, 23 Jun 98 10:31:46 -0400
Message-Id: <9806231432.AA21327@MIT.EDU>
Date: Tue, 23 Jun 98 10:31:46 -0400
From: Kevin Coffman <kwc@citi.umich.edu>
To: krb5-bugs@MIT.EDU
Cc: kwc@citi.umich.edu
Subject: AFS key incorrect with passwords longer than eight characters

>Number: 613
>Category: krb5-libs
>Synopsis: AFS key incorrect with passwords longer than eight characters
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: kenh
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jun 23 10:33:00 EDT 1998
>Last-Modified: Mon Apr 8 13:34:48 EDT 2002
>Originator: Operator
>Organization:
University of Michigan
Center for Information Technology Integration
>Release: krb5-1.0.5
>Environment:
Using K5 and fakeka as AFS authentication.
System: SunOS babble.citi.umich.edu 4.1.2 4 sun4c
Architecture: sun4

>Description:
The mit_afs_string_to_key() routine expects salt data (realm
name) to be null-terminated when passwords are longer than
eight characters. Routine add_key_pwd() in lib/kdb/kdb_cpw.c
does not pass in a null-terminated string. Garbage at the
end of the salt is used to produce the AFS key.
>How-To-Repeat:
Change a user's password with K4 kpasswd, K5 kpasswd, or kadmin.
User cannot authenticate using klog/fakeka because the AFS key
in the database is incorrect.
>Fix:
I applied the following change to lib/kdb/kdb_cpw.c to terminate
the realm name passed in as the salt value for AFS keys:

Index: kdb_cpw.c
===================================================================
RCS file: /usr/um/src/krb5/krb5-1.0.5UM/src/lib/kdb/kdb_cpw.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -r1.1.1.1 -r1.2
395a396,397
> char * terminated_string;
>
399d400
<
400a402,417
> /*
> * The krb5_string_to_key function expects a null-terminated realm
> * name. Re-allocate storage with room for a terminator and
> * terminate the string.
> */
> if ((terminated_string = malloc(key_salt.data.length + 1)) == NULL)
> {
> if (key_salt.data.data)
> free(key_salt.data.data);
> krb5_xfree(saltdata);
> return(ENOMEM);
> }
> memcpy(terminated_string, key_salt.data.data, key_salt.data.length);
> terminated_string[key_salt.data.length] = '\0';
> free(key_salt.data.data);
> key_salt.data.data = terminated_string;
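Review bot: in the 400a402,417 block the realm buffer that came back from krb5_copy_data() is released with plain free() on both the ENOMEM path and after the memcpy(), while the krb5_data struct from the same call goes through krb5_xfree(); release the buffer through the same krb5 interface that allocated it (krb5_xfree, or krb5_free_data for struct and buffer together) so the library's allocator is not bypassed. The `if (key_salt.data.data)` guard before free() is also redundant, since free(NULL) is a no-op.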

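The following is an added illustration, not krb5 code and not part of the report above. It models the failure the Description attributes to mit_afs_string_to_key(): a length-delimited salt modelled on krb5_data is read with strlen() for passwords longer than eight characters, so whatever bytes happen to follow the realm in memory become part of the key, while short passwords never touch the salt. It shows both remedies side by side: the caller-side copy-and-terminate used in the patch, and a callee that honours the length. The derivation is a stand-in FNV-1a hash, not the AFS string-to-key algorithm; the realm, passwords and trailing "garbage" bytes are constructed fixtures.

```c
/* Added illustration (not krb5 code): an unterminated, length-delimited
 * salt leaking adjacent bytes into a derived key, and the two fixes.
 * The hash is a stand-in, NOT the AFS string-to-key algorithm. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-delimited buffer, modelled on krb5_data. */
typedef struct {
    unsigned int length;
    char *data;
} salt_data;

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Stand-in key derivation: FNV-1a over whatever bytes are fed in. */
static uint64_t mix(uint64_t h, const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Callee as the report describes it: the salt is only consulted for
 * passwords longer than eight characters, and it is read with strlen(),
 * i.e. as a C string, so bytes after the realm end up in the key. */
uint64_t afs_s2k_buggy(const char *pw, const salt_data *salt)
{
    uint64_t h = mix(FNV_OFFSET, pw, strlen(pw));
    if (strlen(pw) > 8)
        h = mix(h, salt->data, strlen(salt->data));
    return h;
}

/* Callee fixed at the root: honour salt->length, never scan for a NUL. */
uint64_t afs_s2k_fixed(const char *pw, const salt_data *salt)
{
    uint64_t h = mix(FNV_OFFSET, pw, strlen(pw));
    if (strlen(pw) > 8)
        h = mix(h, salt->data, salt->length);
    return h;
}

/* Caller-side workaround in the spirit of the posted patch: re-allocate
 * with room for a terminator so a strlen()-based callee stops at the
 * realm. Returns 0 or ENOMEM. */
int terminate_salt(salt_data *salt)
{
    char *t = malloc((size_t)salt->length + 1);
    if (t == NULL)
        return ENOMEM;
    memcpy(t, salt->data, salt->length);
    t[salt->length] = '\0';
    free(salt->data);
    salt->data = t;
    return 0;
}

/* Constructed fixture: realm bytes followed, in the same allocation, by
 * non-NUL garbage standing in for whatever sat after the copy. A NUL after
 * the garbage keeps the demonstration within bounds. */
salt_data make_unterminated_salt(const char *realm, const char *garbage)
{
    size_t n = strlen(realm), g = strlen(garbage);
    char *buf = malloc(n + g + 1);
    memcpy(buf, realm, n);
    memcpy(buf + n, garbage, g + 1);
    salt_data s = { (unsigned int)n, buf };
    return s;
}

/* 1 if a long password yields different keys from the two callees (the bug). */
int long_password_key_differs(void)
{
    salt_data s = make_unterminated_salt("CITI.UMICH.EDU", "garbage");
    int r = afs_s2k_buggy("more-than-eight", &s) != afs_s2k_fixed("more-than-eight", &s);
    free(s.data);
    return r;
}

/* 1 if an eight-character password is unaffected (salt never consulted). */
int short_password_unaffected(void)
{
    salt_data s = make_unterminated_salt("CITI.UMICH.EDU", "garbage");
    int r = afs_s2k_buggy("eight!!!", &s) == afs_s2k_fixed("eight!!!", &s);
    free(s.data);
    return r;
}

/* 1 if, after the caller-side workaround, both callees agree with the key
 * derived from a cleanly terminated salt. */
int workaround_restores_key(void)
{
    salt_data bad = make_unterminated_salt("CITI.UMICH.EDU", "garbage");
    salt_data clean = make_unterminated_salt("CITI.UMICH.EDU", "");
    uint64_t want = afs_s2k_fixed("more-than-eight", &clean);
    int r = terminate_salt(&bad) == 0
         && afs_s2k_buggy("more-than-eight", &bad) == want
         && afs_s2k_fixed("more-than-eight", &bad) == want;
    free(bad.data);
    free(clean.data);
    return r;
}

int main(void)
{
    salt_data s = make_unterminated_salt("CITI.UMICH.EDU", "garbage");
    printf("buggy callee, unterminated salt: %016llx\n",
           (unsigned long long)afs_s2k_buggy("more-than-eight", &s));
    printf("fixed callee, same salt        : %016llx\n",
           (unsigned long long)afs_s2k_fixed("more-than-eight", &s));
    if (terminate_salt(&s) == 0)
        printf("buggy callee after terminating : %016llx\n",
               (unsigned long long)afs_s2k_buggy("more-than-eight", &s));
    free(s.data);
    return 0;
}
```

The "garbage" fixture is what the report calls the garbage at the end of the salt; in the real database path it would be whatever followed the realm copy in memory, and the buggy callee's strlen() would run past the allocation rather than stop at a convenient NUL.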
>Audit-Trail:

From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU, Kevin Coffman <kwc@citi.umich.edu>
Cc: gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/613: AFS key incorrect with passwords longer than eight characters
Date: Tue, 23 Jun 1998 14:56:19 -0400

Kevin,

Could you resubmit your patch using a context diff ("diff -c")
or preferably if your diff supports it, a unified diff ("diff -u")? A
normal ed-style diff is usually almost useless unless the source file is
identical with the one you used to generate the patch, which is rarely
the case. Most maintainers generally are much more appreciative if you
send either a context diff or a unified diff.

Thanks!!

- Ted

From: Kevin Coffman <kwc@citi.umich.edu>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-bugs@MIT.EDU, Kevin Coffman <kwc@citi.umich.edu>,
gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/613: AFS key incorrect with passwords longer than
eight characters
Date: Tue, 23 Jun 98 15:21:32 -0400

Sorry, I shoulda known better. Here is a context diff, unified not available.

> Kevin,
>
> Could you resubmit your patch using a context diff ("diff -c")
> or preferably if your diff supports it, a unified diff ("diff -u")? A
> normal ed-style diff is usually almost useless unless the source file is
> identical with the one you used to generate the patch, which is rarely
> the case. Most maintainers generally are much more appreciative if you
> send either a context diff or a unified diff.
>
> Thanks!!
>
> - Ted

Index: kdb_cpw.c
===================================================================
RCS file: /usr/um/src/krb5/krb5-1.0.5UM/src/lib/kdb/kdb_cpw.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -c -r1.1.1.1 -r1.2
*** /tmp/T0_8vwya Tue Jun 23 15:11:26 1998
--- /tmp/T1_Avwyb Tue Jun 23 15:11:26 1998
***************
*** 393,403 ****
break;
case KRB5_KDB_SALTTYPE_AFS3: {
krb5_data * saltdata;
if (retval = krb5_copy_data(context, krb5_princ_realm(context,
db_entry->princ), &saltdata))
return(retval);
-
key_salt.data = *saltdata;
key_salt.data.length = -1; /*length actually used below...*/
krb5_xfree(saltdata);
}
--- 393,420 ----
break;
case KRB5_KDB_SALTTYPE_AFS3: {
krb5_data * saltdata;
+ char * terminated_string;
+
if (retval = krb5_copy_data(context, krb5_princ_realm(context,
db_entry->princ), &saltdata))
return(retval);
key_salt.data = *saltdata;
+ /*
+ * The krb5_string_to_key function expects a null-terminated realm
+ * name. Re-allocate storage with room for a terminator and
+ * terminate the string.
+ */
+ if ((terminated_string = malloc(key_salt.data.length + 1)) == NULL)
+ {
+ if (key_salt.data.data)
+ free(key_salt.data.data);
+ krb5_xfree(saltdata);
+ return(ENOMEM);
+ }
+ memcpy(terminated_string, key_salt.data.data, key_salt.data.length);
+ terminated_string[key_salt.data.length] = '\0';
+ free(key_salt.data.data);
+ key_salt.data.data = terminated_string;
key_salt.data.length = -1; /*length actually used below...*/
krb5_xfree(saltdata);
}
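Review bot: the hunk keeps `key_salt.data.length = -1; /*length actually used below...*/` after installing the terminated copy, so the callee is still told nothing about the real salt length and has to locate the end of the realm with strlen(); that overloading of the length field is the only reason a terminator is needed at all. The robust fix belongs in the callee (mit_afs_string_to_key honouring a real byte count, with the AFS salt type signalled some other way); as submitted, any other caller that builds an AFS3 salt from krb5_princ_realm() has to repeat this copy-and-terminate step. Separately, on the ENOMEM path the buffer from krb5_copy_data() is released with free() while the struct goes through krb5_xfree(); releasing both through the krb5 free interface keeps allocator use consistent.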

Responsible-Changed-From-To: gnats-admin->kenh
Responsible-Changed-By: hartmans
Responsible-Changed-When: Thu Apr 4 16:49:00 2002
Responsible-Changed-Why:
Hey, Ken, could you look at this bug and tell me if it still exists?

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Mon Apr 8 13:34:29 2002
State-Changed-Why:
Fixed in 1997.
>Unformatted:
no
AFS key incorrect with passwords longer than eight characters
serious
high
krb5-libs
sw-bug