From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 11 Dec 2021 06:25:34 +0000 (-0500)
Subject: Use 14 instead of 9 for unkeyed SHA-1 checksum
X-Git-Tag: krb5-1.20-beta1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2463149c88628a5107ec53a6b98d685cd756473;p=thirdparty%2Fkrb5.git

Use 14 instead of 9 for unkeyed SHA-1 checksum

Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1.  Heimdal and Microsoft use the value 14.  Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).

Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA.  Continue to allow the value 9
for ABI compatibility.  Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.

ticket: 9040 (new)
---

diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index 5542d98504..21619b92fe 100644
--- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst
@@ -43,6 +43,7 @@ Public
    CKSUMTYPE_RSA_MD4_DES.rst
    CKSUMTYPE_RSA_MD5.rst
    CKSUMTYPE_RSA_MD5_DES.rst
+   CKSUMTYPE_SHA1.rst
    ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst
    ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst
    ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d083b92726..5ebf5a7a89 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -443,6 +443,11 @@ typedef struct _krb5_crypto_iov {
 #define ENCTYPE_CAMELLIA256_CTS_CMAC        0x001a /**< RFC 6803 */
 #define ENCTYPE_UNKNOWN                     0x01ff
 
+/*
+ * Historically we used the value 9 for unkeyed SHA-1.  RFC 3961 assigns this
+ * value to rsa-md5-des3, which fortunately is unused.  For ABI compatibility
+ * we allow either 9 or 14 for SHA-1.
+ */
 #define CKSUMTYPE_CRC32         0x0001
 #define CKSUMTYPE_RSA_MD4       0x0002
 #define CKSUMTYPE_RSA_MD4_DES   0x0003
@@ -453,6 +458,7 @@ typedef struct _krb5_crypto_iov {
 #define CKSUMTYPE_RSA_MD5_DES   0x0008
 #define CKSUMTYPE_NIST_SHA      0x0009
 #define CKSUMTYPE_HMAC_SHA1_DES3      0x000c
+#define CKSUMTYPE_SHA1          0x000d /**< RFC 3962 */
 #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f /**< RFC 3962. Used with
                                                 ENCTYPE_AES128_CTS_HMAC_SHA1_96 */
 #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 /**< RFC 3962. Used with
diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c
index 8297fcbf5c..557340ec5e 100644
--- a/src/lib/crypto/crypto_tests/t_cksums.c
+++ b/src/lib/crypto/crypto_tests/t_cksums.c
@@ -54,7 +54,7 @@ struct test {
     },
     {
         { KV5M_DATA, 0, "" },
-        CKSUMTYPE_NIST_SHA, 0, 0, { KV5M_DATA, 0, "" },
+        CKSUMTYPE_SHA1, 0, 0, { KV5M_DATA, 0, "" },
         { KV5M_DATA, 20,
           "\xDA\x39\xA3\xEE\x5E\x6B\x4B\x0D\x32\x55\xBF\xEF\x95\x60\x18\x90"
           "\xAF\xD8\x07\x09" }
diff --git a/src/lib/crypto/krb/cksumtypes.c b/src/lib/crypto/krb/cksumtypes.c
index ecc2e08c90..f7ba322f24 100644
--- a/src/lib/crypto/krb/cksumtypes.c
+++ b/src/lib/crypto/krb/cksumtypes.c
@@ -46,6 +46,12 @@ const struct krb5_cksumtypes krb5int_cksumtypes_list[] = {
       krb5int_unkeyed_checksum, NULL,
       20, 20, CKSUM_UNKEYED },
 
+    { CKSUMTYPE_SHA1,
+      "sha", { 0 }, "SHA-1",
+      NULL, &krb5int_hash_sha1,
+      krb5int_unkeyed_checksum, NULL,
+      20, 20, CKSUM_UNKEYED },
+
     { CKSUMTYPE_HMAC_SHA1_DES3,
       "hmac-sha1-des3", { "hmac-sha1-des3-kd" }, "HMAC-SHA1 DES3 key",
       &krb5int_enc_des3, &krb5int_hash_sha1,
diff --git a/src/lib/gssapi/mechglue/g_saslname.c b/src/lib/gssapi/mechglue/g_saslname.c
index e25f9e0a53..2be0c8a69a 100644
--- a/src/lib/gssapi/mechglue/g_saslname.c
+++ b/src/lib/gssapi/mechglue/g_saslname.c
@@ -58,8 +58,7 @@ oidToSaslName(OM_uint32 *minor, const gss_OID mech,
     iov[2].data.length = sizeof(cksumBuf);
     iov[2].data.data = (char *)cksumBuf;
 
-    *minor = krb5_k_make_checksum_iov(NULL, CKSUMTYPE_NIST_SHA,
-                                      NULL, 0, iov, 3);
+    *minor = krb5_k_make_checksum_iov(NULL, CKSUMTYPE_SHA1, NULL, 0, iov, 3);
     if (*minor != 0)
         return GSS_S_FAILURE;
 
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 7073459f0f..59df4500ec 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -93,7 +93,7 @@ hash_bytes(krb5_context context, const void *ptr, size_t len)
     krb5_data d = make_data((void *) ptr, len);
     char *s = NULL;
 
-    if (krb5_k_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, &d,
+    if (krb5_k_make_checksum(context, CKSUMTYPE_SHA1, NULL, 0, &d,
                              &cksum) != 0)
         return NULL;
     if (cksum.length >= 2)
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 2138abc767..2e02e2141f 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -205,7 +205,7 @@ make_keyblock(krb5_kvno kvno, krb5_enctype etype, int32_t salttype,
                  (int)salttype, princstr, (int)realm->length, realm->data) < 0)
         abort();
     d = string2data(hashstr);
-    check(krb5_c_make_checksum(NULL, CKSUMTYPE_NIST_SHA, NULL, 0, &d, &cksum));
+    check(krb5_c_make_checksum(NULL, CKSUMTYPE_SHA1, NULL, 0, &d, &cksum));
 
     /* Make the appropriate number of input bytes from the hash result. */
     for (pos = 0; pos < keybytes; pos += n) {
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 83fef63a2c..8c4d81bbc1 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -118,8 +118,8 @@ pa_pkinit_gen_req(krb5_context context,
         goto cleanup;
     }
 
-    retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0,
-                                  der_req, &cksum);
+    retval = krb5_c_make_checksum(context, CKSUMTYPE_SHA1, NULL, 0, der_req,
+                                  &cksum);
     if (retval)
         goto cleanup;
     TRACE_PKINIT_CLIENT_REQ_CHECKSUM(context, &cksum);
@@ -698,13 +698,6 @@ pkinit_as_rep_parse(krb5_context context,
             pkiDebug("failed to decode reply_key_pack\n");
             goto cleanup;
         }
-        /*
-         * This is hack but Windows sends back SHA1 checksum
-         * with checksum type of 14. There is currently no
-         * checksum type of 14 defined.
-         */
-        if (key_pack->asChecksum.checksum_type == 14)
-            key_pack->asChecksum.checksum_type = CKSUMTYPE_NIST_SHA;
         retval = krb5_c_make_checksum(context,
                                       key_pack->asChecksum.checksum_type,
                                       &key_pack->replyKey,
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 0df0767652..81e9656537 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -548,8 +548,8 @@ pkinit_server_verify_padata(krb5_context context,
         goto cleanup;
     }
     der_req = cb->request_body(context, rock);
-    retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0,
-                                  der_req, &cksum);
+    retval = krb5_c_make_checksum(context, CKSUMTYPE_SHA1, NULL, 0, der_req,
+                                  &cksum);
     if (retval) {
         pkiDebug("unable to calculate AS REQ checksum\n");
         goto cleanup;