From looney@babar.isc-net.upenn.edu Wed Sep 6 11:46:47 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id LAA28522
for <bugs@RT-11.MIT.EDU>; Wed, 6 Sep 2000 11:46:46 -0400 (EDT)
Received: from BABAR.ISC-NET.UPENN.EDU by MIT.EDU with SMTP
id AA01398; Wed, 6 Sep 00 11:47:13 EDT
Received: (from looney@localhost)
by babar.isc-net.upenn.edu (8.9.3/8.8.7) id LAA05669;
Wed, 6 Sep 2000 11:46:46 -0400
Message-Id: <200009061546.LAA05669@babar.isc-net.upenn.edu>
Date: Wed, 6 Sep 2000 11:46:46 -0400
From: looney@isc.upenn.edu
Reply-To: looney@isc.upenn.edu
To: krb5-bugs@MIT.EDU
Cc: looney@isc.upenn.edu
Subject: kadmin cli subcmds "-e" flg: wrong keysalt seps?
X-Send-Pr-Version: 3.99
>Number: 884
>Category: krb5-admin
>Synopsis: kadmin cli subcmds "-e" flg: wrong keysalt seps?
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: tlyu
>State: analyzed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Sep 6 11:47:00 EDT 2000
>Last-Modified: Wed Jan 24 18:27:01 EST 2001
>Originator: Jon Looney
>Organization:
Jonathan Looney Phone: (215)898-3121
University of Pennsylvania Fax: (215)898-9348
3401 Walnut Street, Suite 221A E-mail: looney@isc.upenn.edu
Philadelphia, PA 19104-6228
>Release: krb5-1.2.1
>Environment:
System: Linux babar.isc-net.upenn.edu 2.2.5-22 #1 Wed Jun 2 09:17:03 EDT 1999 i686 unknown
Architecture: i686
>Description:
As distributed, the kadmin code supports specifying encryption key and
salt types with a -e option for several commands. The documentation
specifies a colon to separate key encryption types from salt types
(ex: "des-cbc-crc:none"). However, the code supports ":", ".", and "-".
Supporting the dash ("-") breaks the optionality of specifying a salt
type if you are using a key type which includes a dash in its string
representation.
I have written a patch which brings the code in conformance to the
documentation by removing support for the "." and "-" to separate
key encryption types from salt types.
>How-To-Repeat:
$ kadmin -e "des-cbc-crc"
kadmin> ktadd -e "des-cbc-crc" princ/instance@REALM
kadmin> addprinc -e "des-cbc-crc" princ/instance@REALM
kadmin> cpw -e "des-cbc-crc" princ/instance@REALM
kadmin> ktadd -e "des3-hmac-sha1" princ/instance@REALM
etc.
>Fix:
1. workaround: Always specify a salt type (even if it's "none") and separate the key encryption type from the salt type with a colon.
Reason: The code looks for matches to one of the characters defined as
a separator between the encryption type and salt type in the order they
are listed in the code (":", then ".", then "-"). So, if a colon is found
to separate a valid key encryption type and salt type, the code will never
look for a "-" as a separator.
2. patch: This patch brings the code in compliance with the documentation in
this area by only looking for a colon as a separator between key encryption
type and salt type. This allows the code to correctly specify the default
salt type if none is specified. The patch should be run from the src/
directory.
----begin patch----
diff -ru old/kadmin.c kadmin/cli/kadmin.c
--- old/kadmin.c Wed Sep 6 02:48:23 2000
+++ kadmin/cli/kadmin.c Wed Sep 6 02:13:33 2000
@@ -221,7 +221,7 @@
case 'e':
retval = krb5_string_to_keysalts(optarg,
", \t",
- ":.-",
+ ":",
0,
¶ms.keysalts,
¶ms.num_keysalts);
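Review bot: the two trailing context lines `¶ms.keysalts,` and `¶ms.num_keysalts);` are a rendering artifact for `&params.keysalts` and `&params.num_keysalts` (an `&para;` entity decoded in transit), so this copy of the patch will not apply as shown and the original attachment should be used. The substantive change here, `":.-"` to `":"`, is the same one-character edit repeated in all four hunks; a single shared separator constant in kadmin/cli would keep the global `-e` option and the per-subcommand parsers from drifting apart again.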
@@ -553,7 +553,7 @@
"change_password: missing keysaltlist arg\n");
goto usage;
}
- retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
+ retval = krb5_string_to_keysalts(*++argv, ", \t", ":", 0,
&ks_tuple, &n_ks_tuple);
if (retval) {
com_err("change_password", retval,
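Review bot: nothing in this hunk adds a test or updates the usage text for `change_password`, so the `cpw -e "des-cbc-crc"` case from How-To-Repeat above is the regression check for this path, run both bare and with an explicit `:none` salt, to confirm the default salt type is selected when none is given and an explicit one is still honoured.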
@@ -804,7 +804,7 @@
if (++i > argc - 2)
return -1;
else {
- retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0,
+ retval = krb5_string_to_keysalts(argv[i], ", \t", ":", 0,
ks_tuple, n_ks_tuple);
if (retval) {
com_err(caller, retval,
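Review bot: this call site sits in a `caller`-parameterised helper, i.e. it parses `-e` on behalf of more than one subcommand, so a separator string that differed from the `case 'e'` site above would show up as the same argument being accepted by one subcommand and rejected by another; a short comment at this line stating that the separator set must match the documented `enctype:salttype` syntax would make that invariant visible to the next editor.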
diff -ru old/keytab.c kadmin/cli/keytab.c
--- old/keytab.c Wed Sep 6 02:48:37 2000
+++ kadmin/cli/keytab.c Wed Sep 6 01:38:19 2000
@@ -143,7 +143,7 @@
add_usage();
return;
}
- retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
+ retval = krb5_string_to_keysalts(*++argv, ", \t", ":", 0,
&ks_tuple, &n_ks_tuple);
if (retval) {
com_err("ktadd", retval, "while parsing keysalts %s",
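Review bot: after this change `ktadd` accepts only `:` while, per the maintainer's reply below, the code that reads the config files still accepts `":.-"`; a keysalt list written with `.` is therefore valid in the config file but now fails here with the `while parsing keysalts` error, so either the documentation should state that the CLI and config-file syntaxes differ, or the config-file call sites should receive the same change in the same patch.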
----end patch----
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Wed Jan 24 18:24:02 2001
Responsible-Changed-Why:
refiled
State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Wed Jan 24 18:26:44 2001
State-Changed-Why:
From: Tom Yu <tlyu@MIT.EDU>
To: looney@isc.upenn.edu
Cc: krb5-bugs@MIT.EDU, looney@isc.upenn.edu
Subject: Re: krb5-admin/884: kadmin cli subcmds "-e" flg: wrong keysalt seps?
Date: Wed, 24 Jan 2001 18:26:35 -0500 (EST)
>>>>> "looney" == looney <looney@isc.upenn.edu> writes:
looney> As distributed, the kadmin code supports specifying encryption
looney> key and salt types with a -e option for several commands. The
looney> documentation specifies a colon to separate key encryption
looney> types from salt types (ex: "des-cbc-crc:none"). However, the
looney> code supports ":", ".", and "-". Supporting the dash ("-")
looney> breaks the optionality of specifying a salt type if you are
looney> using a key type which includes a dash in its string
looney> representation.
I'm not sure whether I'd describe this as a doc bug or as a software
bug. Certainly all other code that parses keysalt tuples uses ":.-"
as keysalt separators, including the code that reads the config files.
I copied that usage for consistency. It may be best to make all the
usages of string_to_keysalts() use only a ":" as a separator. This may
need some more analysis.
---Tom
>Unformatted: