From 158468507bb723aa62196846749c23c121d4b298 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Mon, 8 Apr 2019 10:55:39 +0200

Subject: [PATCH] Do not use arcfour-hmac-md5 when discovering the salt

Since the arcfour-hmac-md5 encryption types does not use salts it cannot

be used to discover the right salt.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1683745

---

 library/adkrb5.c | 21 ++++++++++++++++++++-

 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/library/adkrb5.c b/library/adkrb5.c

index da835d7..be3ede5 100644

--- a/library/adkrb5.c

+++ b/library/adkrb5.c

@@ -395,15 +395,33 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,

 	krb5_keytab scratch;

 	krb5_error_code code;

 	int i;

+	krb5_enctype *salt_enctypes = NULL;

+	size_t c;

+	size_t s;

 	/* TODO: This should be a unique name */

 	code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);

 	return_val_if_fail (code == 0, code);

+	for (c = 0; enctypes[c] != 0; c++); /* count enctypes */

+	salt_enctypes = calloc (c + 1, sizeof (krb5_enctype));

+	return_val_if_fail (salt_enctypes != NULL, ENOMEM);

+

+	/* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to

+	 * discover the right salt. */

+	s = 0;

+	for (c = 0; enctypes[c] != 0; c++) {

+		if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) {

+			continue;

+		}

+

+		salt_enctypes[s++] = enctypes[c];

+	}

+

 	for (i = 0; salts[i].data != NULL; i++) {

 		code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,

-		                                     password, enctypes, &salts[i]);

+		                                     password, salt_enctypes, &salts[i]);

 		if (code == 0) {

 			*discovered = i;

 			break;

@@ -412,6 +430,7 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5,

 		}

 	}

+	free (salt_enctypes);

 	krb5_kt_close (k5, scratch);

 	return code;

 }

-- 

2.21.0