Use SHA-256 instead of MD5 for audit ticket IDs

author Greg Hudson <ghudson@mit.edu>

Tue, 10 Jul 2018 20:17:15 +0000 (16:17 -0400)

committer Greg Hudson <ghudson@mit.edu>

Thu, 12 Jul 2018 16:01:27 +0000 (12:01 -0400)
author Greg Hudson <ghudson@mit.edu>
Tue, 10 Jul 2018 20:17:15 +0000 (16:17 -0400)
committer Greg Hudson <ghudson@mit.edu>
Thu, 12 Jul 2018 16:01:27 +0000 (12:01 -0400)
diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c

index c9a7f9f9d439e70950c0e92f22adff0c584076e2..f40913dc83df701c7001bdad14c3c25e2f1d68a8 100644 (file)
--- a/src/kdc/kdc_audit.c
+++ b/src/kdc/kdc_audit.c
@@ -146,7 +146,7 @@ kau_make_tkt_id(krb5_context context,
  {
      krb5_error_code ret = 0;
      char *hash = NULL, *ptr;
-    krb5_checksum cksum;
+    uint8_t hashbytes[K5_SHA256_HASHLEN];
      unsigned int i;
  
      *out = NULL;
@@ -154,19 +154,18 @@ kau_make_tkt_id(krb5_context context,
      if (ticket == NULL)
          return EINVAL;
  
-    ret = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, NULL, 0,
-                               &ticket->enc_part.ciphertext, &cksum);
+    ret = k5_sha256(&ticket->enc_part.ciphertext, 1, hashbytes);
      if (ret)
          return ret;
  
-    hash = k5alloc(cksum.length * 2 + 1, &ret);
-    if (hash != NULL) {
-        for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2)
-            snprintf(ptr, 3, "%02X", cksum.contents[i]);
-        *ptr = '\0';
-        *out = hash;
-    }
-    krb5_free_checksum_contents(context, &cksum);
+    hash = k5alloc(sizeof(hashbytes) * 2 + 1, &ret);
+    if (hash == NULL)
+        return ret;
+
+    for (i = 0, ptr = hash; i < sizeof(hashbytes); i++, ptr += 2)
+        snprintf(ptr, 3, "%02X", hashbytes[i]);
+    *ptr = '\0';
+    *out = hash;
  
      return 0;
  }
author	Greg Hudson <ghudson@mit.edu>
	Tue, 10 Jul 2018 20:17:15 +0000 (16:17 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Thu, 12 Jul 2018 16:01:27 +0000 (12:01 -0400)