#2038 Change salt creation to maintain interoperability with Windows clients
Closed: Fixed None Opened 12 years ago by simo.

Windows clients seem to have some reasonable limitations to what they consider a valid salt:

  • the salt is considered a string so it shouldn't contain embedded NULLs
  • Because they consider it a string and do internal conversions from UTF-8 to UTF-16 and back, any non-valid UTF-8 string can cause the salt to not be applied properly.

So we should change our randomization code to restrict byte values to be between the values 1 and 127 for maximum compatibility.
Perhaps even restricting to printable ASCII chars only might be a good idea.


Another minor but good reason is that MIT Kerberos debugging also treats the salt as a string, so having just printable chars is a plus to get non-mangled output.

Calculations were not correct: they fail for negative values, and krb5_data is not defined as unsigned.

Thanks to Nalin for finding out.

Amended master tree with commit: 0813783
Pushed a corrected patch to ipa-2-1 too: afece97
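
The failure mode described in the comment above, as an added illustration that is not the FreeIPA patch: reducing a random byte into the printable ASCII range goes wrong when the byte is read through a signed `char`, which is how `krb5_data` stores its data. The function names, the modulo mapping and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define SALT_FIRST 0x21 /* '!': first printable, non-space ASCII char */
#define SALT_RANGE 94   /* '!' (0x21) through '~' (0x7E), inclusive */

/* Flawed: a byte >= 0x80 read as signed char is negative, and C's %
 * keeps the sign, so the result can be NUL or a non-ASCII byte. */
static void salt_map_signed(const signed char *rnd, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(rnd[i] % SALT_RANGE + SALT_FIRST);
}

/* Corrected: treat each random byte as unsigned before reducing it.
 * The modulo is slightly biased (256 is not a multiple of 94). */
static void salt_map_unsigned(const unsigned char *rnd, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(rnd[i] % SALT_RANGE + SALT_FIRST);
}

/* Returns 1 if every salt byte is printable ASCII without NULs. */
static int salt_is_printable(const char *salt, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)salt[i];
        if (c < SALT_FIRST || c >= SALT_FIRST + SALT_RANGE)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample "random" bytes; 0xDF is -33 as a signed char. */
    const unsigned char rnd[6] = {0x00, 0x41, 0x7F, 0x80, 0xDF, 0xFF};
    char out[6];

    salt_map_signed((const signed char *)rnd, sizeof(rnd), out);
    printf("signed:   printable=%d byte[4]=0x%02x\n",
           salt_is_printable(out, sizeof(out)), (unsigned char)out[4]);

    salt_map_unsigned(rnd, sizeof(rnd), out);
    printf("unsigned: printable=%d salt=%.6s\n",
           salt_is_printable(out, sizeof(out)), out);
    return 0;
}
```

With the signed variant the sample byte 0xDF maps to an embedded NUL, exactly the kind of salt the ticket says Windows clients cannot handle.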

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0 Core Effort - 2011/11

7 years ago
