[krbdev.mit.edu #1802] old_api_glue bug
Nicolas Pouvesle via RT
rt-comment at krbdev.mit.edu
Tue Sep 2 16:38:10 EDT 2003
>From my previous mail on krbdev at mit.edu :
1)
When rshd/rlogind (and telnet too i think) call the function
krb5_verify_checksum (in lib/crypto/old_api_glue.c) key params are just key
value and key length. A krb5_keyblock is created but the key enctype is
undefined.
So if the original checksum type was for example sha1-hmac (like it is done in
shishi) the function will failed with bad_enc_type (in a sub call it looks if
enctype is ok, but like i said it was not initialised so in fact random).
Like in your code the checksum type is always to RSA-MD5 this function won't
failed, but for some other types it will.
2)
In the same function keyusage is set to 0, but for others types than RSA-MD5
it should not . For exemple i have put it to KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM
like all calls are made to verify AP_REQ. However keyusage in params seems to
be a better idea.
It seems it is a bug, not a something for compatibility.
Bye and thanks,
Nicolas Pouvesle
More information about the krb5-bugs
mailing list