ticket: 6939

version_fixed: 1.9.2 status: resolved pull up r25059 from trunk ------------------------------------------------------------------------ r25059 | ghudson | 2011-07-26 17:57:20 -0400 (Tue, 26 Jul 2011) | 10 lines ticket: 6939 subject: Legacy checksum APIs usually fail target_version: 1.9.2 tags: pullup krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated, construct invalid keyblocks and pass them to the real functions, which used to work but now doesn't. Try harder to construct valid keyblocks or pass NULL if there's no key. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@25390 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Oct 20, 2011 · a630852 · a630852
1 parent 80d93a7
commit a630852
Showing 1 changed file with 37 additions and 9 deletions.
diff --git a/src/lib/crypto/krb/old_api_glue.c b/src/lib/crypto/krb/old_api_glue.c
@@ -26,6 +26,8 @@
  */
 
 #include "k5-int.h"
+#include "cksumtypes.h"
+#include "etypes.h"
 
 /*
  * The following functions were removed from the API in krb5 1.3 but
@@ -211,22 +213,44 @@ krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)
     return ret;
 }
 
+/* Guess the enctype for an untyped key used with checksum type ctype. */
+static krb5_enctype
+guess_enctype(krb5_cksumtype ctype)
+{
+    const struct krb5_cksumtypes *ctp;
+    int i;
+
+    if (ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+        return ENCTYPE_ARCFOUR_HMAC;
+    ctp = find_cksumtype(ctype);
+    if (ctp == NULL || ctp->enc == NULL)
+        return 0;
+    for (i = 0; i < krb5int_enctypes_length; i++) {
+        if (krb5int_enctypes_list[i].enc == ctp->enc)
+            return i;
+    }
+    return 0;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
                         krb5_const_pointer in, size_t in_length,
                         krb5_const_pointer seed, size_t seed_length,
                         krb5_checksum *outcksum)
 {
     krb5_data input = make_data((void *) in, in_length);
-    krb5_keyblock key;
+    krb5_keyblock keyblock, *kptr = NULL;
     krb5_error_code ret;
     krb5_checksum cksum;
 
-    key.enctype = ENCTYPE_NULL;
-    key.length = seed_length;
-    key.contents = (unsigned char *) seed;
+    if (seed != NULL) {
+        keyblock.enctype = guess_enctype(ctype);
+        keyblock.length = seed_length;
+        keyblock.contents = (unsigned char *) seed;
+        kptr = &keyblock;
+    }
 
-    ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+    ret = krb5_c_make_checksum(context, ctype, kptr, 0, &input, &cksum);
     if (ret)
         return ret;
 
@@ -253,14 +277,18 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
                      size_t seed_length)
 {
     krb5_data input = make_data((void *) in, in_length);
-    krb5_keyblock key;
+    krb5_keyblock keyblock, *kptr = NULL;
     krb5_error_code ret;
     krb5_boolean valid;
 
-    key.length = seed_length;
-    key.contents = (unsigned char *) seed;
+    if (seed != NULL) {
+        keyblock.enctype = guess_enctype(ctype);
+        keyblock.length = seed_length;
+        keyblock.contents = (unsigned char *) seed;
+        kptr = &keyblock;
+    }
 
-    ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+    ret = krb5_c_verify_checksum(context, kptr, 0, &input, cksum, &valid);
     if (ret)
         return ret;