krb5 commit: Allow null keyblocks in IOV checksum functions

ghudson at mit.edu ghudson at mit.edu
Tue Oct 22 14:44:23 EDT 2024


https://github.com/krb5/krb5/commit/6217454323b39cedb1b03ac161ecb0ade3ad84e6
commit 6217454323b39cedb1b03ac161ecb0ade3ad84e6
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Oct 20 02:09:26 2024 -0400

    Allow null keyblocks in IOV checksum functions
    
    Null keyblocks are allowed by the libk5crypto checksum functions when
    the checksum type is not keyed.  However, krb5_c_make_checksum_iov()
    and krb5_c_verify_checksum_iov() crash on null keyblock inputs because
    they do not check before converting to krb5_key as their non-IOV
    variants do.  Add the missing null checks.
    
    ticket: 9146 (new)

 src/lib/crypto/krb/make_checksum_iov.c   | 10 ++++++----
 src/lib/crypto/krb/verify_checksum_iov.c | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/lib/crypto/krb/make_checksum_iov.c b/src/lib/crypto/krb/make_checksum_iov.c
index 549180df5..84e98b141 100644
--- a/src/lib/crypto/krb/make_checksum_iov.c
+++ b/src/lib/crypto/krb/make_checksum_iov.c
@@ -81,12 +81,14 @@ krb5_c_make_checksum_iov(krb5_context context,
                          krb5_crypto_iov *data,
                          size_t num_data)
 {
-    krb5_key key;
+    krb5_key key = NULL;
     krb5_error_code ret;
 
-    ret = krb5_k_create_key(context, keyblock, &key);
-    if (ret != 0)
-        return ret;
+    if (keyblock != NULL) {
+        ret = krb5_k_create_key(context, keyblock, &key);
+        if (ret != 0)
+            return ret;
+    }
     ret = krb5_k_make_checksum_iov(context, cksumtype, key, usage,
                                    data, num_data);
     krb5_k_free_key(context, key);
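Review bot: After this change `key` can still be NULL when it reaches `krb5_k_make_checksum_iov()` and `krb5_k_free_key()`, so the wrapper now relies on the first rejecting a null key for keyed checksum types and on the second accepting NULL. Neither behaviour is visible in this hunk, and a short comment above the new `if` would record the dependency, e.g. `/* keyblock may be NULL for unkeyed checksum types; key then stays NULL. */`. The diffstat lists only the two source files, so nothing pins the previously crashing case. A regression test that calls both IOV functions with a null keyblock and an unkeyed checksum type, plus one asserting that a keyed type with a null keyblock returns an error instead of crashing, would cover this hunk and the identical one in verify_checksum_iov.c. The function's signature and its return are outside the hunk.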
diff --git a/src/lib/crypto/krb/verify_checksum_iov.c b/src/lib/crypto/krb/verify_checksum_iov.c
index fc76c0e26..47a25a93b 100644
--- a/src/lib/crypto/krb/verify_checksum_iov.c
+++ b/src/lib/crypto/krb/verify_checksum_iov.c
@@ -88,12 +88,14 @@ krb5_c_verify_checksum_iov(krb5_context context,
                            size_t num_data,
                            krb5_boolean *valid)
 {
-    krb5_key key;
+    krb5_key key = NULL;
     krb5_error_code ret;
 
-    ret = krb5_k_create_key(context, keyblock, &key);
-    if (ret != 0)
-        return ret;
+    if (keyblock != NULL) {
+        ret = krb5_k_create_key(context, keyblock, &key);
+        if (ret != 0)
+            return ret;
+    }
     ret = krb5_k_verify_checksum_iov(context, checksum_type, key, usage, data,
                                      num_data, valid);
     krb5_k_free_key(context, key);
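Review bot: With a null keyblock, a true `*valid` from `krb5_c_verify_checksum_iov()` can only mean the data matches an unkeyed digest, which detects corruption but does not authenticate the sender; the function's API documentation should state this now that the null case is a supported input. Suggested wording: `A null keyblock is accepted only for unkeyed checksum types; a true *valid then indicates integrity against accidental corruption, not authentication.` Callers that take `checksum_type` from the received message should confirm the type is keyed before trusting the result, e.g. with `krb5_c_is_keyed_cksum()`. The function's signature and its return are outside the hunk.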

