svn rev #24670: branches/krb5-1-8/src/lib/crypto/krb/checksum/

[tlyu@MIT.EDU]

http://src.mit.edu/fisheye/changelog/krb5/?cs=24670
Commit By: tlyu
Log Message:
ticket: 6876
version_fixed: 1.8.4
subject: hmac-md5 checksum doesn't work with DES keys
status: resolved

pull up r24639, r24641 from trunk

 ------------------------------------------------------------------------
 r24641 | ghudson | 2011-02-18 10:06:57 -0500 (Fri, 18 Feb 2011) | 7 lines

 ticket: 6869

 Fix a conceptual bug in r24639: the intermediate key container length
 should be the hash's output size, not its block size.  (The bug did
 not show up in testing because it is harmless in practice; MD5 has a
 larger block size than output size.)
 ------------------------------------------------------------------------
 r24639 | ghudson | 2011-02-16 17:52:41 -0500 (Wed, 16 Feb 2011) | 11 lines

 ticket: 6869
 subject: hmac-md5 checksum doesn't work with DES keys
 target_version: 1.9
 tags: pullup

 krb5int_hmacmd5_checksum calculates an intermediate key using an HMAC.
 The container for this key should be allocated using the HMAC output
 size (which is the hash blocksize), not the original key size.  This
 bug was causing the function to fail with DES keys, which can be used
 with hmac-md5 in PAC signatures.


Changed Files:
U   branches/krb5-1-8/src/lib/crypto/krb/checksum/hmac_md5.c
Modified: branches/krb5-1-8/src/lib/crypto/krb/checksum/hmac_md5.c
===================================================================
--- branches/krb5-1-8/src/lib/crypto/krb/checksum/hmac_md5.c	2011-02-27 19:08:14 UTC (rev 24669)
+++ branches/krb5-1-8/src/lib/crypto/krb/checksum/hmac_md5.c	2011-02-28 17:42:28 UTC (rev 24670)
@@ -52,7 +52,7 @@
         return KRB5_BAD_ENCTYPE;
     if (ctp->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR) {
 	/* Compute HMAC(key, "signaturekey\0") to get the signing key ks. */
-	ret = alloc_data(&ds, key->keyblock.length);
+        ret = alloc_data(&ds, ctp->hash->hashsize);
 	if (ret != 0)
 	    goto cleanup;