Blame SOURCES/0001-Do-not-use-arcfour-hmac-md5-when-discovering-the-sal.patch

From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Apr 2019 10:55:39 +0200
Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt
Since the arcfour-hmac-md5 encryption type does not use salts, it cannot
be used to discover the right salt.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745
diff --git a/library/adkrb5.c b/library/adkrb5.c
index da835d7..be3ede5 100644
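--- a/library/adkrb5.c
+++ b/library/adkrb5.c
@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
 	krb5_keytab scratch;
 	krb5_error_code code;
 	int i;
+	krb5_enctype *salt_enctypes = NULL;
+	size_t c;
+	size_t s;
 
 	/* TODO: This should be a unique name */
 
 	code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
 	return_val_if_fail (code == 0, code);
 
+	for (c = 0; enctypes[c] != 0; c++); /* count enctypes */
+	salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+	return_val_if_fail (salt_enctypes != NULL, ENOMEM);
+
+	/* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to
+	 * discover the right salt. */
+	s = 0;
+	for (c = 0; enctypes[c] != 0; c++) {
+		if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {
+			continue;
+		}
+
+		salt_enctypes[s++] = enctypes[c];
+	}
+
 	for (i = 0; salts[i].data != NULL; i++) {
 		code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
-		                                     password, enctypes, &salts[i]);
+		                                     password, salt_enctypes, &salts[i]);
 		if (code == 0) {
 			*discovered = i;
 			break;
@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,
 		}
 	}
 
+	free (salt_enctypes);
 	krb5_kt_close (k5, scratch);
 	return code;
 }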
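Review bot: The added `return_val_if_fail (salt_enctypes != NULL, ENOMEM);` returns after `krb5_kt_resolve` has already succeeded, so an allocation failure leaves the function without closing the scratch keytab; `if (salt_enctypes == NULL) { krb5_kt_close (k5, scratch); return ENOMEM; }` would keep that path in line with the normal exit at the end of the function. Separately, when the caller's list holds only ENCTYPE_ARCFOUR_HMAC the filtered `salt_enctypes` contains nothing but the terminator, and what `_adcli_krb5_keytab_test_salt` does with an empty list is not visible here. It is worth confirming that this case fails cleanly rather than reporting the first salt as discovered, and documenting it with a comment such as `/* salt_enctypes may be empty when only RC4 was requested */` above the salts loop. The function's signature and part of the salts loop lie outside the hunks shown.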
-- 
2.21.0