authorGreg Hudson <ghudson@mit.edu>2013-02-03 13:21:34 -0500
committerGreg Hudson <ghudson@mit.edu>2013-02-07 12:54:55 -0500
commit8d01455ec9ed88bd3ccae939961a6e123bb3d45f (patch)
tree12f38e3d676cf279de705a1b31b9213cfb85dfe5
parent9bddaebd2dbdbf74086c94d55a5f307898463b2c (diff)
Make kprop/kpropd work with RC4 session key
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that the enctype's block size is the size of the cipher state. Instead, make and discard a cipher state to get the size. ticket: 7561 target_version: 1.11.1 tags: pullup
-rw-r--r--src/lib/krb5/krb/auth_con.c20
-rw-r--r--src/lib/krb5/krb/mk_priv.c9
-rw-r--r--src/lib/krb5/krb/rd_priv.c10
3 files changed, 19 insertions, 20 deletions
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 0a2c5a98bd..54a579fa99 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -315,18 +315,18 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)
{
krb5_error_code ret;
- krb5_enctype enctype;
+ krb5_data cstate;
if (auth_context->key) {
- size_t blocksize;
-
- enctype = krb5_k_key_enctype(context, auth_context->key);
- if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
- return(ret);
- if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
- return 0;
- }
- return ENOMEM;
+ ret = krb5_c_init_state(context, &auth_context->key->keyblock, 0,
+ &cstate);
+ if (ret)
+ return ret;
+ auth_context->i_vector = (krb5_pointer)calloc(1,cstate.length);
+ krb5_c_free_state(context, &auth_context->key->keyblock, &cstate);
+ if (auth_context->i_vector == NULL)
+ return ENOMEM;
+ return 0;
}
return EINVAL; /* XXX need an error for no keyblock */
}
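Review bot: The buffer allocated by `calloc(1,cstate.length)` is sized from the cipher state of `auth_context->key`, but that length is not recorded anywhere. The mk_priv_basic and rd_priv_basic hunks each recompute it from the key they are handed and wrap `i_vector` in a krb5_data of that recomputed length. If that key can ever have a different enctype from `auth_context->key` at the time of this call (a subkey, for example; not visible in these hunks), the encrypt or decrypt path would read or write `i_vector` past its allocation. I would store the allocated length next to `i_vector` in the auth context and compare it at the two use sites, or at minimum add a comment here such as `/* i_vector is sized to the cipher state of auth_context->key; users must pass a key of the same enctype. */`.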
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 62c99340ff..4b63f25a4f 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -38,8 +38,8 @@ mk_priv_basic(krb5_context context, const krb5_data *userdata,
krb5_error_code retval;
krb5_priv privmsg;
krb5_priv_enc_part privmsg_enc_part;
- krb5_data *scratch1, *scratch2, ivdata;
- size_t blocksize, enclen;
+ krb5_data *scratch1, *scratch2, cstate, ivdata;
+ size_t enclen;
privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
privmsg.enc_part.enctype = enctype;
@@ -71,11 +71,12 @@ mk_priv_basic(krb5_context context, const krb5_data *userdata,
/* call the encryption routine */
if (i_vector) {
- if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
+ if ((retval = krb5_c_init_state(context, &key->keyblock, 0, &cstate)))
goto clean_encpart;
- ivdata.length = blocksize;
+ ivdata.length = cstate.length;
ivdata.data = i_vector;
+ krb5_c_free_state(context, &key->keyblock, &cstate);
}
if ((retval = krb5_k_encrypt(context, key,
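Review bot: The sequence of `krb5_c_init_state`, reading `cstate.length`, and `krb5_c_free_state` is now written out three times (here, in krb5_auth_con_initivector and in rd_priv_basic), and none of the sites says that the state is created only to learn its size. A small static helper that returns the cipher-state length for a keyblock would keep the three sites in step and give one place to document the reason. Failing that, a comment above the call such as `/* Create and discard a cipher state just to learn its length. */` would be enough. The body of mk_priv_basic extends beyond this hunk on both sides.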
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 6724586a92..94f6a66a6c 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -51,9 +51,7 @@ rd_priv_basic(krb5_context context, krb5_auth_context ac,
krb5_priv * privmsg;
krb5_data scratch;
krb5_priv_enc_part * privmsg_enc_part;
- size_t blocksize;
- krb5_data ivdata, *iv = NULL;
- krb5_enctype enctype;
+ krb5_data cstate, ivdata, *iv = NULL;
if (!krb5_is_krb_priv(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
@@ -63,11 +61,11 @@ rd_priv_basic(krb5_context context, krb5_auth_context ac,
return retval;
if (ac->i_vector != NULL) {
- enctype = krb5_k_key_enctype(context, key);
- if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
+ if ((retval = krb5_c_init_state(context, &key->keyblock, 0, &cstate)))
goto cleanup_privmsg;
- ivdata = make_data(ac->i_vector, blocksize);
+ ivdata = make_data(ac->i_vector, cstate.length);
iv = &ivdata;
+ krb5_c_free_state(context, &key->keyblock, &cstate);
}
scratch.length = privmsg->enc_part.ciphertext.length;