pull up r25059 from trunk

 ------------------------------------------------------------------------
 r25059 | ghudson | 2011-07-26 17:57:20 -0400 (Tue, 26 Jul 2011) | 10 lines

 ticket: 6939
 subject: Legacy checksum APIs usually fail
 target_version: 1.9.2
 tags: pullup

 krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated,
 construct invalid keyblocks and pass them to the real functions, which
 used to work but now doesn't.  Try harder to construct valid keyblocks
 or pass NULL if there's no key.

ticket: 6939
version_fixed: 1.9.2
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25390 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/crypto/krb/old_api_glue.c b/src/lib/crypto/krb/old_api_glue.c
index 49f554dd283b8b11edc13db194f39e88dda77c61..d2a5295c95f58dcba5cd9dcd895aef14582bece7 100644 (file)
--- a/src/lib/crypto/krb/old_api_glue.c
+++ b/src/lib/crypto/krb/old_api_glue.c
@@ -26,6 +26,8 @@
  */
 
 #include "k5-int.h"
+#include "cksumtypes.h"
+#include "etypes.h"
 
 /*
  * The following functions were removed from the API in krb5 1.3 but
@@ -211,6 +213,25 @@ krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)
     return ret;
 }
 
+/* Guess the enctype for an untyped key used with checksum type ctype. */
+static krb5_enctype
+guess_enctype(krb5_cksumtype ctype)
+{
+    const struct krb5_cksumtypes *ctp;
+    int i;
+
+    if (ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+        return ENCTYPE_ARCFOUR_HMAC;
+    ctp = find_cksumtype(ctype);
+    if (ctp == NULL || ctp->enc == NULL)
+        return 0;
+    for (i = 0; i < krb5int_enctypes_length; i++) {
+        if (krb5int_enctypes_list[i].enc == ctp->enc)
+            return i;
+    }
+    return 0;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
                         krb5_const_pointer in, size_t in_length,
@@ -218,15 +239,18 @@ krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
                         krb5_checksum *outcksum)
 {
     krb5_data input = make_data((void *) in, in_length);
-    krb5_keyblock key;
+    krb5_keyblock keyblock, *kptr = NULL;
     krb5_error_code ret;
     krb5_checksum cksum;
 
-    key.enctype = ENCTYPE_NULL;
-    key.length = seed_length;
-    key.contents = (unsigned char *) seed;
+    if (seed != NULL) {
+        keyblock.enctype = guess_enctype(ctype);
+        keyblock.length = seed_length;
+        keyblock.contents = (unsigned char *) seed;
+        kptr = &keyblock;
+    }
 
-    ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+    ret = krb5_c_make_checksum(context, ctype, kptr, 0, &input, &cksum);
     if (ret)
         return ret;
 
@@ -253,14 +277,18 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
                      size_t seed_length)
 {
     krb5_data input = make_data((void *) in, in_length);
-    krb5_keyblock key;
+    krb5_keyblock keyblock, *kptr = NULL;
     krb5_error_code ret;
     krb5_boolean valid;
 
-    key.length = seed_length;
-    key.contents = (unsigned char *) seed;
+    if (seed != NULL) {
+        keyblock.enctype = guess_enctype(ctype);
+        keyblock.length = seed_length;
+        keyblock.contents = (unsigned char *) seed;
+        kptr = &keyblock;
+    }
 
-    ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+    ret = krb5_c_verify_checksum(context, kptr, 0, &input, cksum, &valid);
     if (ret)
         return ret;