gss_unwrap_iov crashes with stream buffers for 3des, des, rc4

Use correct key to determine enctype for KG2 tokens in
kg_unseal_stream_iov

Tested with AES for a new enctype and 3DES for an old enctype.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

ticket: 6970
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25309 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 5 insertions, 1 deletions

diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c
index ec4eae979..986ee0616 100644
--- a/src/lib/gssapi/krb5/k5unsealiov.c
+++ b/src/lib/gssapi/krb5/k5unsealiov.c
@@ -502,10 +502,14 @@ kg_unseal_stream_iov(OM_uint32 *minor_status,
     case KG2_TOK_WRAP_MSG:
     case KG2_TOK_DEL_CTX: {
         size_t ec, rrc;
-        krb5_enctype enctype = ctx->enc->keyblock.enctype;
+        krb5_enctype enctype;
         unsigned int k5_headerlen = 0;
         unsigned int k5_trailerlen = 0;
 
+        if (ctx->have_acceptor_subkey)
+            enctype = ctx->acceptor_subkey->keyblock.enctype;
+        else
+            enctype = ctx->subkey->keyblock.enctype;
         conf_req_flag = ((ptr[0] & FLAG_WRAP_CONFIDENTIAL) != 0);
         ec = conf_req_flag ? load_16_be(ptr + 2) : 0;
         rrc = load_16_be(ptr + 4);