git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Fri, 23 May 2014 23:58:41 +0000 (19:58 -0400)
committer	Tom Yu <tlyu@mit.edu>
	Fri, 27 Jun 2014 17:12:07 +0000 (13:12 -0400)
commit	cd957d3f62623168bcde3d66633f3d2fd4e775ba
tree	4c4630f31cea60886879d512cd5d1fc481cabee1	tree \| snapshot
parent	5557d29762226e0d1be1f41a76c3994401e5103c	commit \| diff

Treat LDAP KrbKey salt field as optional

Per the ASN.1 definition, the KrbKey salt field is optional.  Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder.  Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation.  Treat the salt field as optional in the encoder
and decoder.  Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.

This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present.  It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.

Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.

(cherry picked from commit fb5cd8df0dbd04dac4f610e68cba5b80a3cb8d48)

ticket: 7919
version_fixed: 1.12.2
status: resolved

src/lib/krb5/asn.1/ldap_key_seq.c		diff \| blob \| blame \| history
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c		diff \| blob \| blame \| history
src/tests/kdbtest.c		diff \| blob \| blame \| history