libkafs: derivation from non-DES key (rxkad-kdf)
Add support for the "rxkad-kdf" protocol for deriving rxkad session keys from non-DES Kerberos session keys. This allows rxkad to be used in realms where the KDC is unwilling or unable to issue tickets with single-DES session keys.
@@ -51,10 +51,6 @@ v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
|
||||
|
||||
kt->ticket = NULL;
|
||||
|
||||
/* check if des key */
|
||||
if (cred->session.keyvalue.length != 8)
|
||||
return EINVAL;
|
||||
|
||||
if (local524) {
|
||||
Ticket t;
|
||||
unsigned char *buf;
|
||||
@@ -98,8 +94,16 @@ v5_to_kt(krb5_creds *cred, uid_t uid, struct kafs_token *kt, int local524)
|
||||
* Build a struct ClearToken
|
||||
*/
|
||||
|
||||
ret = _kafs_derive_des_key(cred->session.keytype,
|
||||
cred->session.keyvalue.data,
|
||||
cred->session.keyvalue.length,
|
||||
kt->ct.HandShakeKey);
|
||||
if (ret) {
|
||||
free(kt->ticket);
|
||||
kt->ticket = NULL;
|
||||
return ret;
|
||||
}
|
||||
kt->ct.AuthHandle = kvno;
|
||||
memcpy(kt->ct.HandShakeKey, cred->session.keyvalue.data, 8);
|
||||
kt->ct.ViceId = uid;
|
||||
kt->ct.BeginTimestamp = cred->times.starttime;
|
||||
kt->ct.EndTimestamp = cred->times.endtime;
|
||||
@@ -163,21 +167,15 @@ get_cred(struct kafs_data *data, const char *name, const char *inst,
|
||||
return ret;
|
||||
}
|
||||
|
||||
in_creds.session.keytype = ETYPE_DES_CBC_CRC;
|
||||
|
||||
/* check if des is disable, and in that case enable it for afs */
|
||||
invalid = krb5_enctype_valid(d->context, in_creds.session.keytype);
|
||||
invalid = krb5_enctype_valid(d->context, ETYPE_DES_CBC_CRC);
|
||||
if (invalid)
|
||||
krb5_enctype_enable(d->context, in_creds.session.keytype);
|
||||
krb5_enctype_enable(d->context, ETYPE_DES_CBC_CRC);
|
||||
|
||||
ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
|
||||
if (ret) {
|
||||
in_creds.session.keytype = ETYPE_DES_CBC_MD5;
|
||||
ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
|
||||
}
|
||||
|
||||
if (invalid)
|
||||
krb5_enctype_disable(d->context, in_creds.session.keytype);
|
||||
krb5_enctype_disable(d->context, ETYPE_DES_CBC_CRC);
|
||||
|
||||
krb5_free_principal(d->context, in_creds.server);
|
||||
krb5_free_principal(d->context, in_creds.client);
|
||||
|
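Review bot: In the second hunk `_kafs_derive_des_key()` now receives `cred->session.keyvalue.length` unchecked, while the first hunk drops the `if (cred->session.keyvalue.length != 8) return EINVAL;` guard that previously protected the 8-byte `kt->ct.HandShakeKey` fill; whether the helper rejects a wrong-length key for a DES enctype, and whether it applies the weak-key rejection and parity fixing the rxkad-kdf derivation calls for, cannot be confirmed from this page, so the call site should at least carry a comment such as `/* _kafs_derive_des_key validates keyvalue.length against keytype and rejects weak DES keys */` once that is verified, or keep an explicit length check for DES enctypes here if it does not. In the third hunk the request no longer asks for a DES session key, yet `krb5_enctype_enable(d->context, ETYPE_DES_CBC_CRC)` still overrides an administrator's disabled-enctype policy; the surviving comment `/* check if des is disable, and in that case enable it for afs */` should state why DES must still be enabled now that the session key is derived, presumably for the ticket itself, or the enable should become conditional on actually needing a DES key. The error path added in the second hunk frees `kt->ticket` and resets it to NULL, which is consistent with the earlier initialization, but the function `v5_to_kt()` begins and ends outside these hunks so other allocations made before this point cannot be checked here.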