authorGreg Hudson <ghudson@mit.edu>2011-07-26 21:57:20 +0000
committerGreg Hudson <ghudson@mit.edu>2011-07-26 21:57:20 +0000
commit9e1e72a26c692717c87e55675cfaa69f3979e5c6 (patch)
tree2522434cb65186fa070132ed0de193f8859b80d2 /src/lib/crypto
parent9f206a2c4664f7936e0648c944d462ce31fe2a5e (diff)
Legacy checksum APIs usually fail
krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated, construct invalid keyblocks and pass them to the real functions, which used to work but no longer does. Try harder to construct valid keyblocks or pass NULL if there's no key. ticket: 6939 target_version: 1.9.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25059 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/crypto')
-rw-r--r--src/lib/crypto/krb/old_api_glue.c44
1 files changed, 35 insertions, 9 deletions
diff --git a/src/lib/crypto/krb/old_api_glue.c b/src/lib/crypto/krb/old_api_glue.c
index 585ed11a3..b5bb28083 100644
--- a/src/lib/crypto/krb/old_api_glue.c
+++ b/src/lib/crypto/krb/old_api_glue.c
@@ -211,6 +211,25 @@ krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)
return ret;
}
+/* Guess the enctype for an untyped key used with checksum type ctype. */
+static krb5_enctype
+guess_enctype(krb5_cksumtype ctype)
+{
+ const struct krb5_cksumtypes *ctp;
+ int i;
+
+ if (ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ return ENCTYPE_ARCFOUR_HMAC;
+ ctp = find_cksumtype(ctype);
+ if (ctp == NULL || ctp->enc == NULL)
+ return 0;
+ for (i = 0; i < krb5int_enctypes_length; i++) {
+ if (krb5int_enctypes_list[i].enc == ctp->enc)
+ return i;
+ }
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
krb5_const_pointer in, size_t in_length,
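Review bot: guess_enctype() is declared to return a krb5_enctype, but its loop ends with `return i;`, which is the position of the matching entry in krb5int_enctypes_list rather than that entry's enctype number. Unless the table is laid out so that index and enctype coincide, the callers tag the keyblock with an unrelated enctype, and the real checksum functions then validate the key against the wrong type or reject it. Returning the entry's own type field, e.g. `return krb5int_enctypes_list[i].etype;`, would match the function's comment; the field name should be confirmed against the struct definition, which is outside this hunk. Several enctypes may share one enc provider, so the comment could also state that the first table match wins.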
@@ -218,15 +237,18 @@ krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
krb5_checksum *outcksum)
{
krb5_data input = make_data((void *) in, in_length);
- krb5_keyblock key;
+ krb5_keyblock keyblock, *kptr = NULL;
krb5_error_code ret;
krb5_checksum cksum;
- key.enctype = ENCTYPE_NULL;
- key.length = seed_length;
- key.contents = (unsigned char *) seed;
+ if (seed != NULL) {
+ keyblock.enctype = guess_enctype(ctype);
+ keyblock.length = seed_length;
+ keyblock.contents = (unsigned char *) seed;
+ kptr = &keyblock;
+ }
- ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+ ret = krb5_c_make_checksum(context, ctype, kptr, 0, &input, &cksum);
if (ret)
return ret;
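Review bot: When guess_enctype() returns 0, the `if (seed != NULL)` branch still builds a keyblock with that enctype and the caller-supplied seed_length, so an untyped key can reach krb5_c_make_checksum() much as it did before the patch. Nothing in the hunk compares seed_length with the key size the guessed enctype expects, so a short or oversized seed is only caught if the real function checks it; that behaviour is not visible here. The 0 case should be handled deliberately, either by leaving kptr NULL or by failing early with something like `if (keyblock.enctype == 0) return KRB5_BAD_ENCTYPE;`, with a comment saying which legacy callers each choice affects. The identical block in krb5_verify_checksum() in the next hunk needs the same decision. The function body continues outside the hunk.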
@@ -253,14 +275,18 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
size_t seed_length)
{
krb5_data input = make_data((void *) in, in_length);
- krb5_keyblock key;
+ krb5_keyblock keyblock, *kptr = NULL;
krb5_error_code ret;
krb5_boolean valid;
- key.length = seed_length;
- key.contents = (unsigned char *) seed;
+ if (seed != NULL) {
+ keyblock.enctype = guess_enctype(ctype);
+ keyblock.length = seed_length;
+ keyblock.contents = (unsigned char *) seed;
+ kptr = &keyblock;
+ }
- ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+ ret = krb5_c_verify_checksum(context, kptr, 0, &input, cksum, &valid);
if (ret)
return ret;
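Review bot: The five-line keyblock setup here is a verbatim copy of the one added to krb5_calculate_checksum(), so any later fix to the guessing or to length validation has to be made twice in security-relevant code. A small static helper next to guess_enctype() would keep both legacy entry points in step and give one place to zero the struct, since the remaining krb5_keyblock fields are otherwise left uninitialized on the stack. The declaration of seed is outside the hunk, so its type in the sketch below is assumed from the `in` parameter. The function body continues outside the hunk.

```c
/* Build a keyblock from a legacy seed; returns NULL when there is no key. */
static krb5_keyblock *
seed_to_keyblock(krb5_cksumtype ctype, krb5_const_pointer seed,
                 size_t seed_length, krb5_keyblock *kb)
{
    if (seed == NULL)
        return NULL;
    memset(kb, 0, sizeof(*kb));
    kb->enctype = guess_enctype(ctype);
    kb->length = seed_length;
    kb->contents = (unsigned char *) seed;
    return kb;
}

/* ... unchanged: krb5_verify_checksum signature and locals ... */
    krb5_keyblock keyblock, *kptr;

    kptr = seed_to_keyblock(ctype, seed, seed_length, &keyblock);
    ret = krb5_c_verify_checksum(context, kptr, 0, &input, cksum, &valid);
```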