Restore compatibility with KDCs using key usage 8 to encrypt TGS

replies in a subkey, by implementing a fallback in
krb5_arcfour_decrypt.

ticket: 6490

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22357 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 48 insertions, 31 deletions

diff --git a/src/lib/crypto/arcfour/arcfour.c b/src/lib/crypto/arcfour/arcfour.c
index 4999982c3..7e527cf89 100644
--- a/src/lib/crypto/arcfour/arcfour.c
+++ b/src/lib/crypto/arcfour/arcfour.c
@@ -252,40 +252,57 @@ krb5_arcfour_decrypt(const struct krb5_enc_provider *enc,
   checksum.length=hashsize;
   checksum.data=input->data;
 
-  /* compute the salt */
   ms_usage=krb5int_arcfour_translate_usage(usage);
-  if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
-    strncpy(salt.data, krb5int_arcfour_l40, salt.length);
-    store_32_le(ms_usage, salt.data+10);
-  } else {
-    salt.length=4;
-    store_32_le(ms_usage, salt.data);
-  }
-  ret=krb5_hmac(hash, key, 1, &salt, &d1);
-  if (ret)
-    goto cleanup;
 
-  memcpy(k2.contents, k1.contents, k2.length);
-
-  if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
-    memset(k1.contents+7, 0xab, 9);
+  /* We may have to try two ms_usage values; see below. */
+  do {
+      /* compute the salt */
+      if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+	  strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+	  store_32_le(ms_usage, salt.data + 10);
+      } else {
+	  salt.length = 4;
+	  store_32_le(ms_usage, salt.data);
+      }
+      ret = krb5_hmac(hash, key, 1, &salt, &d1);
+      if (ret)
+	  goto cleanup;
+
+      memcpy(k2.contents, k1.contents, k2.length);
+
+      if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+	  memset(k1.contents + 7, 0xab, 9);
   
-  ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
-  if (ret)
-    goto cleanup;
-
-  ret=(*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext);
-  if (ret)
-    goto cleanup;
-
-  ret=krb5_hmac(hash, &k2, 1, &plaintext, &d1);
-  if (ret)
-    goto cleanup;
-
-  if (memcmp(checksum.data, d1.data, hashsize) != 0) {
-    ret=KRB5KRB_AP_ERR_BAD_INTEGRITY;
-    goto cleanup;
-  }
+      ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+      if (ret)
+	  goto cleanup;
+
+      ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext);
+      if (ret)
+	  goto cleanup;
+
+      ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1);
+      if (ret)
+	  goto cleanup;
+
+      if (memcmp(checksum.data, d1.data, hashsize) != 0) {
+	  if (ms_usage == 9) {
+	      /*
+	       * RFC 4757 specifies usage 8 for TGS-REP encrypted
+	       * parts encrypted in a subkey, but the value used by MS
+	       * is actually 9.  We now use 9 to start with, but fall
+	       * back to 8 on failure in case we are communicating
+	       * with a KDC using the value from the RFC.
+	       */
+	      ms_usage = 8;
+	      continue;
+	  }
+	  ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	  goto cleanup;
+      }
+
+      break;
+  } while (1);
 
   memcpy(output->data, plaintext.data+CONFOUNDERLENGTH,
 	 (plaintext.length-CONFOUNDERLENGTH));