authorSam Hartman <hartmans@mit.edu>2003-05-15 20:20:46 +0000
committerSam Hartman <hartmans@mit.edu>2003-05-15 20:20:46 +0000
commitd47d69e513e849f482074e5bd40a0dbed30396e1 (patch)
tree0a1632b6052608412fb60a6e681adf7a6c869976
parent0870985ccaf422bb4b28785052f4214a07f8af6c (diff)
Only allow combine_keys to work on des and 3des enctypes. It is not
supported for rc4 or AES until we implement the crypto framework PRF. Ticket: 1248 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15448 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/crypto/ChangeLog4
-rw-r--r--src/lib/crypto/combine_keys.c22
2 files changed, 26 insertions, 0 deletions
diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog
index 05d7023be1..d963e5fdb2 100644
--- a/src/lib/crypto/ChangeLog
+++ b/src/lib/crypto/ChangeLog
@@ -1,3 +1,7 @@
+2003-05-15 Sam Hartman <hartmans@mit.edu>
+
+ * combine_keys.c (enctype_ok): new function to determine if we support combine_keys for a particular enctype
+
2003-05-13 Ken Raeburn <raeburn@mit.edu>
* etypes.c (krb5_enctypes_list): Add names aes128-cts and
diff --git a/src/lib/crypto/combine_keys.c b/src/lib/crypto/combine_keys.c
index 6466a95f30..9aad8f5432 100644
--- a/src/lib/crypto/combine_keys.c
+++ b/src/lib/crypto/combine_keys.c
@@ -50,6 +50,25 @@ static krb5_error_code dr
(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
unsigned char *outdata, const krb5_data *in_constant);
+/*
+ * We only support this combine_keys algorithm for des and 3des keys.
+ * Everything else should use the PRF defined in the crypto framework.
+ * We don't implement that yet.
+ */
+
+static krb5_boolean enctype_ok (krb5_enctype e)
+{
+ switch (e) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES3_CBC_SHA1:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
krb5_error_code krb5int_c_combine_keys
(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey)
{
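Review bot: The comment above enctype_ok does not say that the switch is a default-deny allowlist, which is the security-relevant property of this gate: any enctype added to the library later is rejected until someone deliberately lists it here. I would remove the blank line between the comment and the function and add a sentence such as `Default-deny: list an enctype here only after confirming this derivation is defined for it.` The body of krb5int_c_combine_keys only begins at the end of this hunk and continues outside it.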
@@ -60,6 +79,9 @@ krb5_error_code krb5int_c_combine_keys
krb5_keyblock tkey;
krb5_error_code ret;
int i, myalloc = 0;
+ if (!(enctype_ok(key1->enctype)&&enctype_ok(key2->enctype)))
+ return (KRB5_CRYPTO_INTERNAL);
+
if (key1->length != key2->length || key1->enctype != key2->enctype)
return (KRB5_CRYPTO_INTERNAL);
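Review bot: The new guard reports an unsupported enctype with KRB5_CRYPTO_INTERNAL, the same code the existing length/enctype mismatch check returns, so a caller or log reader cannot tell a deliberate rejection of rc4 or AES keys from a genuine internal fault. If no caller depends on the exact code, `return KRB5_BAD_ENCTYPE;` would make the rejection diagnosable. Because the next check already requires `key1->enctype == key2->enctype`, moving the guard after it would need only `if (!enctype_ok(key1->enctype))`. Both checks dereference key1 and key2 without a NULL test, so presumably callers guarantee non-NULL keyblocks; that is worth confirming, since the function starts and continues outside this hunk.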