Skip Menu |
 

Subject: LDAP key data encoder/decoder does not treat KrbKey salt as optional
Download (untitled) / with headers
text/plain 1.6KiB
In 1.7, we made most ASN.1 encoders table-driven, including the LDAP key
sequence encoder. In this conversion, the KrbSalt salt field
(containing the salt value) was properly treated as optional, but the
KrbKey salt field (containing the KrbSalt sequence) was not. Even if a
krb5_key_data has key_data_ver == 1, we encode a KrbSalt representation
of key_data_length[1], key_data_contents[1]/key_data_length[1].

Luckily, just about every krb5_key_data constructor in the code base
starts out with zeroed memory, so we just wind up encoding a salt type
of 0 (which corresponds to the normal salt) and no salt value. The only
constructors I could find which don't do this are kadm5_get_principal
and ulog_conv_2dbentry. The former never constructs a krb5_key_data
value which is stored in a KDB (because it is being placed in a
kadm5_principal_ent_rec, not a krb5_db_entry), and the latter is never
stored in an LDAP KDB because LDAP KDBs can't be iprop slaves.

In 1.11 we made all ASN.1 decoders table-driven, using the same tables
as the encoders. This made the KrbKey salt field mandatory when
decoding, causing us to be unable to decode most key data generated by
version 1.6. See also #7918 for a secondary bug created during this
conversion.

If we simply fix the encoder and decoder to treat the KrbKey salt field
as mandatory, we will start generating key data encodings which
unpatched 1.11 and 1.12 can't decode. So we probably want to encode a
KrbSalt containing type 0 and no value when key_data_ver is 1 (but not
by assuming that key_data_type[1] and key_data_length[1] are meaningful)
for compatibility. The decoder should go back to treating the KrbKey
salt field as optional.
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.1KiB

Always include salt in LDAP KrbKey encoding

In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.

This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.

Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.

https://github.com/krb5/krb5/commit/1825455ede7e61ab934b16262fb5b12b78a52f1a
Author: Greg Hudson <ghudson@mit.edu>
Commit: 1825455ede7e61ab934b16262fb5b12b78a52f1a
Branch: master
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 21 +++++++++++++++++++-
src/tests/asn.1/ktest.c | 1 +
2 files changed, 21 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.4KiB

Treat LDAP KrbKey salt field as optional

Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.

This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.

Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.

https://github.com/krb5/krb5/commit/fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48
Author: Greg Hudson <ghudson@mit.edu>
Commit: fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48
Branch: master
src/lib/krb5/asn.1/ldap_key_seq.c | 19 ++++++++++++++++---
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 6 ++++--
src/tests/kdbtest.c | 2 +-
3 files changed, 21 insertions(+), 6 deletions(-)
From: tlyu@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Always include salt in LDAP KrbKey encoding

In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.

This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.

Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.

(cherry picked from commit 1825455ede7e61ab934b16262fb5b12b78a52f1a)

https://github.com/krb5/krb5/commit/5557d29762226e0d1be1f41a76c3994401e5103c
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 5557d29762226e0d1be1f41a76c3994401e5103c
Branch: krb5-1.12
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 21 +++++++++++++++++++-
src/tests/asn.1/ktest.c | 1 +
2 files changed, 21 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.5KiB

Treat LDAP KrbKey salt field as optional

Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.

This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.

Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.

(cherry picked from commit fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48)

https://github.com/krb5/krb5/commit/cd957d3f62623168bcde3d66633f3d2fd4e775ba
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: cd957d3f62623168bcde3d66633f3d2fd4e775ba
Branch: krb5-1.12
src/lib/krb5/asn.1/ldap_key_seq.c | 19 ++++++++++++++++---
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 6 ++++--
src/tests/kdbtest.c | 2 +-
3 files changed, 21 insertions(+), 6 deletions(-)