From ea623363f2e8c181271a6ad6880f2e0e4021bc5e Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 20 Oct 2011 20:02:04 +0000
Subject: [PATCH] pull up r25059 from trunk

------------------------------------------------------------------------
r25059 | ghudson | 2011-07-26 17:57:20 -0400 (Tue, 26 Jul 2011) | 10 lines
ticket: 6939
subject: Legacy checksum APIs usually fail
target_version: 1.9.2
tags: pullup
krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated, construct invalid keyblocks and pass them to the real functions, which used to work but now doesn't. Try harder to construct valid keyblocks or pass NULL if there's no key.
ticket: 6939
version_fixed: 1.9.2
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25390 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/crypto/krb/old_api_glue.c | 46 +++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/src/lib/crypto/krb/old_api_glue.c b/src/lib/crypto/krb/old_api_glue.c
index 49f554dd2..d2a5295c9 100644
--- a/src/lib/crypto/krb/old_api_glue.c
+++ b/src/lib/crypto/krb/old_api_glue.c
@@ -26,6 +26,8 @@
 */
 #include "k5-int.h"
+#include "cksumtypes.h"
+#include "etypes.h"
 /*
 * The following functions were removed from the API in krb5 1.3 but
@@ -211,6 +213,25 @@ krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)
 return ret;
 }
+/* Guess the enctype for an untyped key used with checksum type ctype. */
+static krb5_enctype
+guess_enctype(krb5_cksumtype ctype)
+{
+ const struct krb5_cksumtypes *ctp;
+ int i;
+
+ if (ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ return ENCTYPE_ARCFOUR_HMAC;
+ ctp = find_cksumtype(ctype);
+ if (ctp == NULL || ctp->enc == NULL)
+ return 0;
+ for (i = 0; i < krb5int_enctypes_length; i++) {
+ if (krb5int_enctypes_list[i].enc == ctp->enc)
+ return i;
+ }
+ return 0;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
 krb5_const_pointer in, size_t in_length,
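Review bot: In `guess_enctype`, the loop's `return i;` hands back the position of the match inside `krb5int_enctypes_list`, yet the function is declared to return a `krb5_enctype` and both callers store the result in `keyblock.enctype`. Nothing in the hunk shows that the table is indexed by enctype number, so the guessed value can name a different enctype (or none), and the real checksum functions would then reject or mis-key the operation. The matching entry's own type field should be returned instead, e.g. `return krb5int_enctypes_list[i].etype;` (field name to be confirmed against `etypes.h`). The two `return 0;` fallbacks would also read better with a comment such as `/* 0: no enctype could be inferred for this checksum type */`.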
@@ -218,15 +239,18 @@ krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
 krb5_checksum *outcksum)
 {
 krb5_data input = make_data((void *) in, in_length);
- krb5_keyblock key;
+ krb5_keyblock keyblock, *kptr = NULL;
 krb5_error_code ret;
 krb5_checksum cksum;
- key.enctype = ENCTYPE_NULL;
- key.length = seed_length;
- key.contents = (unsigned char *) seed;
+ if (seed != NULL) {
+ keyblock.enctype = guess_enctype(ctype);
+ keyblock.length = seed_length;
+ keyblock.contents = (unsigned char *) seed;
+ kptr = &keyblock;
+ }
- ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+ ret = krb5_c_make_checksum(context, ctype, kptr, 0, &input, &cksum);
 if (ret)
 return ret;
@@ -253,14 +277,18 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
 size_t seed_length)
 {
 krb5_data input = make_data((void *) in, in_length);
- krb5_keyblock key;
+ krb5_keyblock keyblock, *kptr = NULL;
 krb5_error_code ret;
 krb5_boolean valid;
- key.length = seed_length;
- key.contents = (unsigned char *) seed;
+ if (seed != NULL) {
+ keyblock.enctype = guess_enctype(ctype);
+ keyblock.length = seed_length;
+ keyblock.contents = (unsigned char *) seed;
+ kptr = &keyblock;
+ }
- ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+ ret = krb5_c_verify_checksum(context, kptr, 0, &input, cksum, &valid);
 if (ret)
 return ret;
-- 
2.26.2
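Review bot: When `seed` is non-NULL but `guess_enctype(ctype)` returns 0, `krb5_calculate_checksum` still points `kptr` at a keyblock whose enctype is 0, which looks like the same untyped keyblock the removed `key.enctype = ENCTYPE_NULL;` produced and that the commit message says the real functions no longer accept. The identical block in the `krb5_verify_checksum` hunk has the same gap. That case should be decided explicitly rather than left to whatever error the callee happens to return, for example by setting `kptr` only when the guess is non-zero, or at least by stating the intent in a comment such as `/* enctype 0 means no guess; the real function is expected to reject the key */`. Both function bodies start and end outside their hunks, so how the error is reported to the caller is not visible here.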