From: Tom Yu Date: Mon, 28 Feb 2011 17:42:28 +0000 (+0000) Subject: hmac-md5 checksum doesn't work with DES keys X-Git-Tag: krb5-1.8.4-final~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d39271f7efc15d1777185bec99b6f039c7c27f55;p=thirdparty%2Fkrb5.git hmac-md5 checksum doesn't work with DES keys pull up r24639, r24641 from trunk ------------------------------------------------------------------------ r24641 | ghudson | 2011-02-18 10:06:57 -0500 (Fri, 18 Feb 2011) | 7 lines ticket: 6869 Fix a conceptual bug in r24639: the intermediate key container length should be the hash's output size, not its block size. (The bug did not show up in testing because it is harmless in practice; MD5 has a larger block size than output size.) ------------------------------------------------------------------------ r24639 | ghudson | 2011-02-16 17:52:41 -0500 (Wed, 16 Feb 2011) | 11 lines ticket: 6869 subject: hmac-md5 checksum doesn't work with DES keys target_version: 1.9 tags: pullup krb5int_hmacmd5_checksum calculates an intermediate key using an HMAC. The container for this key should be allocated using the HMAC output size (which is the hash blocksize), not the original key size. This bug was causing the function to fail with DES keys, which can be used with hmac-md5 in PAC signatures. ticket: 6876 version_fixed: 1.8.4 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@24670 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/crypto/krb/checksum/hmac_md5.c b/src/lib/crypto/krb/checksum/hmac_md5.c index 48129075d0..784b746f52 100644 --- a/src/lib/crypto/krb/checksum/hmac_md5.c +++ b/src/lib/crypto/krb/checksum/hmac_md5.c @@ -52,7 +52,7 @@ krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp, return KRB5_BAD_ENCTYPE; if (ctp->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR) { /* Compute HMAC(key, "signaturekey\0") to get the signing key ks. */ - ret = alloc_data(&ds, key->keyblock.length); + ret = alloc_data(&ds, ctp->hash->hashsize); if (ret != 0) goto cleanup;