svn rev #25390: branches/krb5-1-9/src/lib/crypto/krb/
tlyu@MIT.EDU
tlyu at MIT.EDU
Thu Oct 20 16:02:05 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25390
Commit By: tlyu
Log Message:
ticket: 6939
version_fixed: 1.9.2
status: resolved
pull up r25059 from trunk
------------------------------------------------------------------------
r25059 | ghudson | 2011-07-26 17:57:20 -0400 (Tue, 26 Jul 2011) | 10 lines
ticket: 6939
subject: Legacy checksum APIs usually fail
target_version: 1.9.2
tags: pullup
krb5_calculate_checksum() and krb5_verify_checksum(), both deprecated,
construct invalid keyblocks and pass them to the real functions, which
used to work but now doesn't. Try harder to construct valid keyblocks
or pass NULL if there's no key.
Changed Files:
U branches/krb5-1-9/src/lib/crypto/krb/old_api_glue.c
Modified: branches/krb5-1-9/src/lib/crypto/krb/old_api_glue.c
===================================================================
--- branches/krb5-1-9/src/lib/crypto/krb/old_api_glue.c 2011-10-20 19:27:46 UTC (rev 25389)
+++ branches/krb5-1-9/src/lib/crypto/krb/old_api_glue.c 2011-10-20 20:02:04 UTC (rev 25390)
@@ -26,6 +26,8 @@
*/
#include "k5-int.h"
+#include "cksumtypes.h"
+#include "etypes.h"
/*
* The following functions were removed from the API in krb5 1.3 but
@@ -211,6 +213,25 @@
return ret;
}
+/* Guess the enctype for an untyped key used with checksum type ctype. */
+static krb5_enctype
+guess_enctype(krb5_cksumtype ctype)
+{
+ const struct krb5_cksumtypes *ctp;
+ int i;
+
+ if (ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+ return ENCTYPE_ARCFOUR_HMAC;
+ ctp = find_cksumtype(ctype);
+ if (ctp == NULL || ctp->enc == NULL)
+ return 0;
+ for (i = 0; i < krb5int_enctypes_length; i++) {
+ if (krb5int_enctypes_list[i].enc == ctp->enc)
+ return i;
+ }
+ return 0;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype,
krb5_const_pointer in, size_t in_length,
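Review bot: `guess_enctype` returns the loop index `i` on a match rather than the enctype of the matching table entry, although its return type is `krb5_enctype` and both callers store the result in `keyblock.enctype`. Nothing in this hunk shows that a position in `krb5int_enctypes_list` equals the enctype number. If it does not, the keyblock is labelled with an unrelated enctype, and the legacy calls may keep failing or may key the checksum under a different type than intended. Returning the entry's own enctype field would be safer, e.g. `return krb5int_enctypes_list[i].etype;` (field name as I recall it from etypes.h; please confirm). A one-line comment that a return of 0 means "no keyed enctype found" would also help the callers.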
@@ -218,15 +239,18 @@
krb5_checksum *outcksum)
{
krb5_data input = make_data((void *) in, in_length);
- krb5_keyblock key;
+ krb5_keyblock keyblock, *kptr = NULL;
krb5_error_code ret;
krb5_checksum cksum;
- key.enctype = ENCTYPE_NULL;
- key.length = seed_length;
- key.contents = (unsigned char *) seed;
+ if (seed != NULL) {
+ keyblock.enctype = guess_enctype(ctype);
+ keyblock.length = seed_length;
+ keyblock.contents = (unsigned char *) seed;
+ kptr = &keyblock;
+ }
- ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+ ret = krb5_c_make_checksum(context, ctype, kptr, 0, &input, &cksum);
if (ret)
return ret;
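Review bot: In the `if (seed != NULL)` block only `enctype`, `length` and `contents` of the stack `keyblock` are assigned, so any other member stays indeterminate when `kptr` is handed to `krb5_c_make_checksum`; krb5.h gives `krb5_keyblock` a `magic` member as well. Zeroing the struct first would remove the dependence on stack contents, e.g. `memset(&keyblock, 0, sizeof(keyblock));` as the first statement of the block. The same pattern appears in the `krb5_verify_checksum` hunk below. The function's signature and the rest of its body lie outside this hunk, so I have not checked how `cksum` is handled afterwards.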
@@ -253,14 +277,18 @@
size_t seed_length)
{
krb5_data input = make_data((void *) in, in_length);
- krb5_keyblock key;
+ krb5_keyblock keyblock, *kptr = NULL;
krb5_error_code ret;
krb5_boolean valid;
- key.length = seed_length;
- key.contents = (unsigned char *) seed;
+ if (seed != NULL) {
+ keyblock.enctype = guess_enctype(ctype);
+ keyblock.length = seed_length;
+ keyblock.contents = (unsigned char *) seed;
+ kptr = &keyblock;
+ }
- ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+ ret = krb5_c_verify_checksum(context, kptr, 0, &input, cksum, &valid);
if (ret)
return ret;