mirror of
https://github.com/Ponce/slackbuilds
synced 2024-10-01 06:32:51 +02:00
network/krb5: Updated for version 1.7.1.
This commit is contained in:
parent
e51901af75
commit
f13bd928de
5 changed files with 17 additions and 434 deletions
|
@ -3,13 +3,3 @@ provide strong authentication for client/server applications by using
|
|||
secret-key cryptography. A free implementation of this protocol is
|
||||
available from the Massachusetts Institute of Technology. Kerberos is
|
||||
available in many commercial products as well.
|
||||
|
||||
This package includes patches for security advisories:
|
||||
|
||||
MITKRB5-SA-2009-004
|
||||
integer underflow in AES and RC4 decryption
|
||||
MITKRB5-SA-2009-003
|
||||
KDC denial of service in cross-realm referral processing
|
||||
|
||||
For further information about these advisories, please see
|
||||
http://web.mit.edu/kerberos/advisories/
|
||||
|
|
|
@ -6,13 +6,13 @@
|
|||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# * Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# * Redistributions in binary form must reproduce the above
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials
|
||||
# copyright notice, this list of conditions and the following
|
||||
# disclaimer in the documentation and/or other materials
|
||||
# provided with the distribution.
|
||||
# * Neither the name of Tom Canich nor the names of other contributors
|
||||
# may be used to endorse or promote products derived from this
|
||||
|
@ -20,18 +20,18 @@
|
|||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY Tom Canich ''AS IS'' AND ANY
|
||||
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR
|
||||
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
|
||||
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
|
||||
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
||||
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
|
||||
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
|
||||
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
||||
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
||||
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
PRGNAM=krb5
|
||||
VERSION=${VERSION:-1.7}
|
||||
VERSION=${VERSION:-1.7.1}
|
||||
ARCH=${ARCH:-i486}
|
||||
BUILD=${BUILD:-2}
|
||||
TAG=${TAG:-_SBo}
|
||||
|
@ -63,9 +63,6 @@ tar xvf $CWD/$PRGNAM-$VERSION-signed.tar -C $TMP
|
|||
tar xvf $TMP/$PRGNAM-$VERSION.tar.gz
|
||||
cd $PRGNAM-$VERSION/src
|
||||
|
||||
patch -p2 -i $CWD/patches/2009-003-patch.txt
|
||||
patch -p1 -i $CWD/patches/2009-004-patch_1.7.txt
|
||||
|
||||
CFLAGS="$SLKCFLAGS" \
|
||||
CXXFLAGS="$SLKCFLAGS" \
|
||||
./configure \
|
||||
|
@ -90,7 +87,7 @@ chmod 0755 $PKG/etc/profile.d/*
|
|||
find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
|
||||
xargs strip --strip-unneeded 2> /dev/null || true
|
||||
find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
|
||||
xargs strip --strip-unneeded 2> /dev/null
|
||||
xargs strip --strip-unneeded 2> /dev/null || true
|
||||
)
|
||||
|
||||
( cd $PKG/usr/kerberos/man
|
||||
|
@ -100,7 +97,7 @@ chmod 0755 $PKG/etc/profile.d/*
|
|||
|
||||
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
|
||||
cp -a \
|
||||
$CWD/README $CWD/README.krb5 $CWD/EXPORT $CWD/patches \
|
||||
$CWD/README $CWD/README.krb5 $CWD/EXPORT \
|
||||
$PKG/usr/doc/$PRGNAM-$VERSION
|
||||
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
|
||||
chown -R root:root $PKG/usr/doc
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
PRGNAM="krb5"
|
||||
VERSION="1.7"
|
||||
VERSION="1.7.1"
|
||||
HOMEPAGE="http://web.mit.edu/kerberos/"
|
||||
DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar"
|
||||
MD5SUM="9f7b3402b4731a7fa543db193bf1b564"
|
||||
DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar"
|
||||
MD5SUM="4206991cb65e0d0ab69748e63ca67388"
|
||||
DOWNLOAD_x86_64=""
|
||||
MD5SUM_x86_64=""
|
||||
MAINTAINER="Tom Canich"
|
||||
EMAIL="tcanich@canich.net"
|
||||
APPROVED="Erik Hanson"
|
||||
APPROVED="dsomero"
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||
index 298e132..12180ff 100644
|
||||
--- a/src/kdc/do_tgs_req.c
|
||||
+++ b/src/kdc/do_tgs_req.c
|
||||
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
|
||||
free(temp_buf);
|
||||
if (retval) {
|
||||
/* no match found */
|
||||
- kdc_err(kdc_context, retval, 0);
|
||||
+ kdc_err(kdc_context, retval, "unable to find realm of host");
|
||||
goto cleanup;
|
||||
}
|
||||
if (realms == 0) {
|
||||
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
||||
index efff818..ef3735a 100644
|
||||
--- a/src/lib/kadm5/logger.c
|
||||
+++ b/src/lib/kadm5/logger.c
|
||||
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
|
||||
char *cp;
|
||||
char *syslogp;
|
||||
|
||||
+ if (whoami == NULL || format == NULL)
|
||||
+ return;
|
||||
+
|
||||
/* Make the header */
|
||||
snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
|
||||
/*
|
|
@ -1,377 +0,0 @@
|
|||
Index: src/lib/crypto/Makefile.in
|
||||
===================================================================
|
||||
--- src/lib/crypto/Makefile.in (revision 23398)
|
||||
+++ src/lib/crypto/Makefile.in (working copy)
|
||||
@@ -18,6 +18,7 @@
|
||||
$(srcdir)/t_nfold.c \
|
||||
$(srcdir)/t_cf2.c \
|
||||
$(srcdir)/t_encrypt.c \
|
||||
+ $(srcdir)/t_short.c \
|
||||
$(srcdir)/t_prf.c \
|
||||
$(srcdir)/t_prng.c \
|
||||
$(srcdir)/t_hmac.c \
|
||||
@@ -206,7 +207,7 @@
|
||||
|
||||
clean-unix:: clean-liblinks clean-libs clean-libobjs
|
||||
|
||||
-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2
|
||||
+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_nfold
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
|
||||
@@ -216,6 +217,7 @@
|
||||
diff t_prf.output $(srcdir)/t_prf.expected
|
||||
$(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
|
||||
diff t_cf2.output $(srcdir)/t_cf2.expected
|
||||
+ $(RUN_SETUP) $(VALGRIND) ./t_short
|
||||
|
||||
|
||||
# $(RUN_SETUP) $(VALGRIND) ./t_pkcs5
|
||||
@@ -249,10 +251,15 @@
|
||||
$(CC_LINK) -o $@ t_cts.$(OBJEXT) \
|
||||
$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
|
||||
|
||||
+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB)
|
||||
+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \
|
||||
+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
|
||||
|
||||
+
|
||||
clean::
|
||||
$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
|
||||
- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o
|
||||
+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
|
||||
+ t_cf2 t_cf2.o t_short t_short.o
|
||||
-$(RM) t_prng.output
|
||||
|
||||
all-windows::
|
||||
Index: src/lib/crypto/arcfour/arcfour.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/arcfour/arcfour.c (revision 23398)
|
||||
+++ src/lib/crypto/arcfour/arcfour.c (working copy)
|
||||
@@ -199,6 +199,12 @@
|
||||
keylength = enc->keylength;
|
||||
hashsize = hash->hashsize;
|
||||
|
||||
+ /* Verify input and output lengths. */
|
||||
+ if (input->length < hashsize + CONFOUNDERLENGTH)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
+
|
||||
d1.length=keybytes;
|
||||
d1.data=malloc(d1.length);
|
||||
if (d1.data == NULL)
|
||||
Index: src/lib/crypto/enc_provider/aes.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/enc_provider/aes.c (revision 23398)
|
||||
+++ src/lib/crypto/enc_provider/aes.c (working copy)
|
||||
@@ -105,9 +105,11 @@
|
||||
nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
|
||||
|
||||
if (nblocks == 1) {
|
||||
- /* XXX Used for DK function. */
|
||||
+ /* Used when deriving keys. */
|
||||
+ if (input->length < BLOCK_SIZE)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
enc(output->data, input->data, &ctx);
|
||||
- } else {
|
||||
+ } else if (nblocks > 1) {
|
||||
unsigned int nleft;
|
||||
|
||||
for (blockno = 0; blockno < nblocks - 2; blockno++) {
|
||||
@@ -160,9 +162,9 @@
|
||||
|
||||
if (nblocks == 1) {
|
||||
if (input->length < BLOCK_SIZE)
|
||||
- abort();
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
dec(output->data, input->data, &ctx);
|
||||
- } else {
|
||||
+ } else if (nblocks > 1) {
|
||||
|
||||
for (blockno = 0; blockno < nblocks - 2; blockno++) {
|
||||
dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
|
||||
@@ -208,6 +210,7 @@
|
||||
char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
|
||||
int nblocks = 0, blockno;
|
||||
size_t input_length, i;
|
||||
+ struct iov_block_state input_pos, output_pos;
|
||||
|
||||
if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
|
||||
abort();
|
||||
@@ -224,18 +227,20 @@
|
||||
input_length += iov->data.length;
|
||||
}
|
||||
|
||||
+ IOV_BLOCK_STATE_INIT(&input_pos);
|
||||
+ IOV_BLOCK_STATE_INIT(&output_pos);
|
||||
+
|
||||
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
|
||||
-
|
||||
- assert(nblocks > 1);
|
||||
-
|
||||
- {
|
||||
+ if (nblocks == 1) {
|
||||
+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
|
||||
+ data, num_data, &input_pos);
|
||||
+ enc(tmp2, tmp, &ctx);
|
||||
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
|
||||
+ BLOCK_SIZE, &output_pos);
|
||||
+ } else if (nblocks > 1) {
|
||||
char blockN2[BLOCK_SIZE]; /* second last */
|
||||
char blockN1[BLOCK_SIZE]; /* last block */
|
||||
- struct iov_block_state input_pos, output_pos;
|
||||
|
||||
- IOV_BLOCK_STATE_INIT(&input_pos);
|
||||
- IOV_BLOCK_STATE_INIT(&output_pos);
|
||||
-
|
||||
for (blockno = 0; blockno < nblocks - 2; blockno++) {
|
||||
char blockN[BLOCK_SIZE];
|
||||
|
||||
@@ -288,6 +293,7 @@
|
||||
char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
|
||||
int nblocks = 0, blockno, i;
|
||||
size_t input_length;
|
||||
+ struct iov_block_state input_pos, output_pos;
|
||||
|
||||
CHECK_SIZES;
|
||||
|
||||
@@ -306,18 +312,20 @@
|
||||
input_length += iov->data.length;
|
||||
}
|
||||
|
||||
+ IOV_BLOCK_STATE_INIT(&input_pos);
|
||||
+ IOV_BLOCK_STATE_INIT(&output_pos);
|
||||
+
|
||||
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
|
||||
-
|
||||
- assert(nblocks > 1);
|
||||
-
|
||||
- {
|
||||
+ if (nblocks == 1) {
|
||||
+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
|
||||
+ data, num_data, &input_pos);
|
||||
+ dec(tmp2, tmp, &ctx);
|
||||
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
|
||||
+ BLOCK_SIZE, &output_pos);
|
||||
+ } else if (nblocks > 1) {
|
||||
char blockN2[BLOCK_SIZE]; /* second last */
|
||||
char blockN1[BLOCK_SIZE]; /* last block */
|
||||
- struct iov_block_state input_pos, output_pos;
|
||||
|
||||
- IOV_BLOCK_STATE_INIT(&input_pos);
|
||||
- IOV_BLOCK_STATE_INIT(&output_pos);
|
||||
-
|
||||
for (blockno = 0; blockno < nblocks - 2; blockno++) {
|
||||
char blockN[BLOCK_SIZE];
|
||||
|
||||
Index: src/lib/crypto/dk/dk_aead.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/dk/dk_aead.c (revision 23398)
|
||||
+++ src/lib/crypto/dk/dk_aead.c (working copy)
|
||||
@@ -248,7 +248,7 @@
|
||||
for (i = 0; i < num_data; i++) {
|
||||
const krb5_crypto_iov *iov = &data[i];
|
||||
|
||||
- if (ENCRYPT_DATA_IOV(iov))
|
||||
+ if (ENCRYPT_IOV(iov))
|
||||
cipherlen += iov->data.length;
|
||||
}
|
||||
|
||||
Index: src/lib/crypto/dk/dk_decrypt.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/dk/dk_decrypt.c (revision 23398)
|
||||
+++ src/lib/crypto/dk/dk_decrypt.c (working copy)
|
||||
@@ -89,6 +89,12 @@
|
||||
else if (hmacsize > hashsize)
|
||||
return KRB5KRB_AP_ERR_BAD_INTEGRITY;
|
||||
|
||||
+ /* Verify input and output lengths. */
|
||||
+ if (input->length < blocksize + hmacsize)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
+ if (output->length < input->length - blocksize - hmacsize)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
+
|
||||
enclen = input->length - hmacsize;
|
||||
|
||||
if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
|
||||
Index: src/lib/crypto/raw/raw_decrypt.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/raw/raw_decrypt.c (revision 23398)
|
||||
+++ src/lib/crypto/raw/raw_decrypt.c (working copy)
|
||||
@@ -34,5 +34,7 @@
|
||||
const krb5_data *ivec, const krb5_data *input,
|
||||
krb5_data *output)
|
||||
{
|
||||
+ if (output->length < input->length)
|
||||
+ return KRB5_BAD_MSIZE;
|
||||
return((*(enc->decrypt))(key, ivec, input, output));
|
||||
}
|
||||
Index: src/lib/crypto/deps
|
||||
===================================================================
|
||||
--- src/lib/crypto/deps (revision 23398)
|
||||
+++ src/lib/crypto/deps (working copy)
|
||||
@@ -463,6 +463,16 @@
|
||||
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
|
||||
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
|
||||
$(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c
|
||||
+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
||||
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
||||
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
|
||||
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
|
||||
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
|
||||
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
|
||||
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
|
||||
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
|
||||
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
|
||||
+ t_short.c
|
||||
t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
|
||||
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
|
||||
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
|
||||
Index: src/lib/crypto/t_short.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/t_short.c (revision 0)
|
||||
+++ src/lib/crypto/t_short.c (revision 0)
|
||||
@@ -0,0 +1,126 @@
|
||||
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
||||
+/*
|
||||
+ * lib/crypto/crypto_tests/t_short.c
|
||||
+ *
|
||||
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
|
||||
+ * All rights reserved.
|
||||
+ *
|
||||
+ * Export of this software from the United States of America may
|
||||
+ * require a specific license from the United States Government.
|
||||
+ * It is the responsibility of any person or organization contemplating
|
||||
+ * export to obtain such a license before exporting.
|
||||
+ *
|
||||
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
||||
+ * distribute this software and its documentation for any purpose and
|
||||
+ * without fee is hereby granted, provided that the above copyright
|
||||
+ * notice appear in all copies and that both that copyright notice and
|
||||
+ * this permission notice appear in supporting documentation, and that
|
||||
+ * the name of M.I.T. not be used in advertising or publicity pertaining
|
||||
+ * to distribution of the software without specific, written prior
|
||||
+ * permission. Furthermore if you modify this software you must label
|
||||
+ * your software as modified software and not distribute it in such a
|
||||
+ * fashion that it might be confused with the original M.I.T. software.
|
||||
+ * M.I.T. makes no representations about the suitability of
|
||||
+ * this software for any purpose. It is provided "as is" without express
|
||||
+ * or implied warranty.
|
||||
+ *
|
||||
+ * Tests the outcome of decrypting overly short tokens. This program can be
|
||||
+ * run under a tool like valgrind to detect bad memory accesses; when run
|
||||
+ * normally by the test suite, it verifies that each operation returns
|
||||
+ * KRB5_BAD_MSIZE.
|
||||
+ */
|
||||
+
|
||||
+#include "k5-int.h"
|
||||
+
|
||||
+krb5_enctype interesting_enctypes[] = {
|
||||
+ ENCTYPE_DES_CBC_CRC,
|
||||
+ ENCTYPE_DES_CBC_MD4,
|
||||
+ ENCTYPE_DES_CBC_MD5,
|
||||
+ ENCTYPE_DES3_CBC_SHA1,
|
||||
+ ENCTYPE_ARCFOUR_HMAC,
|
||||
+ ENCTYPE_ARCFOUR_HMAC_EXP,
|
||||
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
||||
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
||||
+ 0
|
||||
+};
|
||||
+
|
||||
+/* Abort if an operation unexpectedly fails. */
|
||||
+static void
|
||||
+x(krb5_error_code code)
|
||||
+{
|
||||
+ if (code != 0)
|
||||
+ abort();
|
||||
+}
|
||||
+
|
||||
+/* Abort if a decrypt operation doesn't have the expected result. */
|
||||
+static void
|
||||
+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
|
||||
+{
|
||||
+ if (len < min_len) {
|
||||
+ /* Undersized tokens should always result in BAD_MSIZE. */
|
||||
+ if (code != KRB5_BAD_MSIZE)
|
||||
+ abort();
|
||||
+ } else {
|
||||
+ /* Min-size tokens should succeed or fail the integrity check. */
|
||||
+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
||||
+ abort();
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+test_enctype(krb5_enctype enctype)
|
||||
+{
|
||||
+ krb5_error_code ret;
|
||||
+ krb5_keyblock keyblock;
|
||||
+ krb5_enc_data input;
|
||||
+ krb5_data output;
|
||||
+ krb5_crypto_iov iov[2];
|
||||
+ unsigned int dummy;
|
||||
+ size_t min_len, len;
|
||||
+
|
||||
+ printf("Testing enctype %d\n", (int) enctype);
|
||||
+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
|
||||
+ x(krb5_c_make_random_key(NULL, enctype, &keyblock));
|
||||
+ input.enctype = enctype;
|
||||
+
|
||||
+ /* Try each length up to the minimum length. */
|
||||
+ for (len = 0; len <= min_len; len++) {
|
||||
+ input.ciphertext.data = calloc(len, 1);
|
||||
+ input.ciphertext.length = len;
|
||||
+ output.data = calloc(len, 1);
|
||||
+ output.length = len;
|
||||
+
|
||||
+ /* Attempt a normal decryption. */
|
||||
+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
|
||||
+ check_decrypt_result(ret, len, min_len);
|
||||
+
|
||||
+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER,
|
||||
+ &dummy) == 0) {
|
||||
+ /* Attempt an IOV stream decryption. */
|
||||
+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
|
||||
+ iov[0].data = input.ciphertext;
|
||||
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
|
||||
+ iov[1].data.data = NULL;
|
||||
+ iov[1].data.length = 0;
|
||||
+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2);
|
||||
+ check_decrypt_result(ret, len, min_len);
|
||||
+ }
|
||||
+
|
||||
+ free(input.ciphertext.data);
|
||||
+ free(output.data);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ int i;
|
||||
+ krb5_data notrandom;
|
||||
+
|
||||
+ notrandom.data = "notrandom";
|
||||
+ notrandom.length = 9;
|
||||
+ krb5_c_random_seed(NULL, ¬random);
|
||||
+ for (i = 0; interesting_enctypes[i]; i++)
|
||||
+ test_enctype(interesting_enctypes[i]);
|
||||
+ return 0;
|
||||
+}
|
||||
Index: src/lib/crypto/old/old_decrypt.c
|
||||
===================================================================
|
||||
--- src/lib/crypto/old/old_decrypt.c (revision 23398)
|
||||
+++ src/lib/crypto/old/old_decrypt.c (working copy)
|
||||
@@ -45,8 +45,10 @@
|
||||
blocksize = enc->block_size;
|
||||
hashsize = hash->hashsize;
|
||||
|
||||
+ /* Verify input and output lengths. */
|
||||
+ if (input->length < blocksize + hashsize || input->length % blocksize != 0)
|
||||
+ return(KRB5_BAD_MSIZE);
|
||||
plainsize = input->length - blocksize - hashsize;
|
||||
-
|
||||
if (arg_output->length < plainsize)
|
||||
return(KRB5_BAD_MSIZE);
|
||||
|
Loading…
Reference in a new issue