[19585] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: krb5 commit: Modernize UTF-8/UCS-2 conversion code

daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Wed Apr 26 02:27:30 2017

To: Simo Sorce <simo@redhat.com>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <c1b529f9-9bb4-fad3-6c4f-a9066b010540@samba.org>
Date: Wed, 26 Apr 2017 08:27:02 +0200
MIME-Version: 1.0
In-Reply-To: <1493141485.5572.23.camel@redhat.com>
Cc: krbdev@mit.edu
Content-Type: multipart/mixed; boundary="===============1146287828411117358=="
Errors-To: krbdev-bounces@mit.edu

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1146287828411117358==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="Xh8IUD0KRpInkOfM1aitn7nUUkT6EODd1"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--Xh8IUD0KRpInkOfM1aitn7nUUkT6EODd1
Content-Type: multipart/mixed; boundary="SHx8CMAkD4fRbeahdUVR8xWbdkF320IBQ";
	protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: Simo Sorce <simo@redhat.com>
Cc: Greg Hudson <ghudson@mit.edu>, Robbie Harwood <rharwood@redhat.com>,
	krbdev@mit.edu
Message-ID: <c1b529f9-9bb4-fad3-6c4f-a9066b010540@samba.org>
Subject: Re: krb5 commit: Modernize UTF-8/UCS-2 conversion code
References: <201704171858.v3HIwVhW013893@drugstore.mit.edu>
	<c294c45e-6d55-063c-be21-0316e07bf81c@samba.org>
	<e81f8b54-8eff-3aaf-599a-5d86804a07db@mit.edu>
	<4fc839eb-c47b-5762-6c8a-5c88e94f00e4@samba.org>
	<1493141485.5572.23.camel@redhat.com>
In-Reply-To: <1493141485.5572.23.camel@redhat.com>

--SHx8CMAkD4fRbeahdUVR8xWbdkF320IBQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Am 25.04.2017 um 19:31 schrieb Simo Sorce:
> On Tue, 2017-04-18 at 10:32 +0200, Stefan Metzmacher wrote:
>> Am 17.04.2017 um 21:53 schrieb Greg Hudson:
>>> On 04/17/2017 03:24 PM, Stefan Metzmacher wrote:
>>>> is there a reson why you still limit this to USC-2 and not use full =
UTF16
>>>> support?
>>>
>>> This commit was just trying to eliminate warnings, not change the
>>> functionality.
>>
>> Ok, "Modernize UTF-8/UCS-2 conversion code" indicated a more or less
>> rewrite of the code to me. As it's not you may just ignore this topic
>> for now.
>>
>>> This code originally came from OpenLDAP's utf-8-conv.c, and was
>>> incorporated with the goal of Windows compatibility (for PACs and RC4=

>>> string-to-key).  If Windows now supports UTF-16 then we could conside=
r
>>> extending it, but I wouldn't want to do so without confirmation of th=
at.
>>
>> I think Windows always supported UTF-16 instead of USC-2, at least it
>> did for the last 10 years (at least for passwords).
>>
>>>> We had a lot of trouble with the limited unicode support of krb5 lib=
raries
>>>> in Samba recently, see https://bugzilla.samba.org/show_bug.cgi?id=3D=
12262
>>
>> The core of the problem is that Windows uses an random buffer as machi=
ne
>> password,
>> and interprets it as UTF16 (which is not always valid UTF-16).
>> The MD4 of the raw buffer is the NTHASH/RC4-key.
>=20
> Would it make sense to provide an alternative interface to calculate th=
e
> RC4-key that takes a random buffer instead of utf-8, so we do not have
> to deal with awkward conversions or restricting how we generate this
> buffer ?

I think using a client side keytab is the way to avoid the conversation.

metze


--SHx8CMAkD4fRbeahdUVR8xWbdkF320IBQ--

--Xh8IUD0KRpInkOfM1aitn7nUUkT6EODd1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJZAD24AAoJEA219WEoab1WDhwP/A+0gI2yuxjfAG5zqmwwkFRE
UnnD+MyakmuAqw2qDNWckMjWKoUS5mPa5kNohHAVW9PCJ/Ug2OQamrr4Fwfs0RbJ
Iq0cLjVnjFERGF8xjLc8xnqjIvDEqaj1kPDk+C7eFnKl7mWJ4Lnet7rFz4zHUNEc
rQdq3jvH3yGM/v+PyMDeR8Lt4xziYOCdUj18zrzkpYEKZUVSRLvhuP0sjVdKj4vi
c+Ck/FFwa7oFcr02Og1gOGMO9xCFWM31xDlgBUwyiGudiniyBJ1k0fadtiSVezUo
9sXYHwN7PjlSmjIvz99IqQzr90aKvOzApusuElATdNs48p3I7PKcex/22f6bAHnE
XCnh8dD6ZyLQsfV9A+J9VO3kUkAERXJXsSFRoJvkADc1Q0l79PT8CEC0iBav0R2S
Vl+sy1BHO113xeJvZdFrae084tpra/42DiPTvQAd1cyGb3rTwqEI7eKdeljmF2nk
DiBoLsWQTZwf6QyLaRCabvVn/RhfzdoOnif+dH13Br76O3CznkNQc98EnSlFF65R
SpEKPAR5oGOrvfbeEpvSBftFcJ06kGRl06ar2OhESCW1Rgh/Btg8Jw6kUcR9QLDh
UwJasWjRN6sV1zPnSgG7WhMerwpT3B/mOCfM63qz3fdRQdzNivsQWwCbE9HIRs49
bVB5wzEvM6zR4KfMmnaf
=5djR
-----END PGP SIGNATURE-----

--Xh8IUD0KRpInkOfM1aitn7nUUkT6EODd1--

--===============1146287828411117358==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

--===============1146287828411117358==--

home help back first fref pref prev next nref lref last post