3 files changed, 26 insertions, 15 deletions
diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c index 96e692cec4..4232c16861 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c @@ -1,9 +1,8 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ - /* * lib/crypto/keyhash_provider/hmac_md5.c * @@ -59,8 +58,15 @@ k5_hmac_md5_hash (krb5_context context, CK_ULONG hashlen; bzero(&ks, sizeof(krb5_keyblock)); - ds.length = key->length; - ks.length = key->length; + + /* + * Solaris Kerberos: The digest length is that of MD5_CKSUM_LENGTH not the key + * length, as keys can be of varying lengths but should not affect the digest + * length. The signing key is the digest and therefore is also the same + * length, MD5_CKSUM_LENGTH. + */ + ds.length = MD5_CKSUM_LENGTH; + ks.length = MD5_CKSUM_LENGTH; ds.data = malloc(ds.length); if (ds.data == NULL) return ENOMEM; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c index d776c3b18a..4eda66bbf3 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c @@ -1,10 +1,8 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * lib/crypto/keyhash_provider/hmac_md5.c * 
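Review bot: In the second hunk of `hmac_md5.c` (`k5_hmac_md5_hash`), `ds.data` receives the derived signing key, as the added comment itself says ("The signing key is the digest"), so the buffer holds key material and should be cleared before it is released. The cleanup is outside this hunk, so I cannot confirm what it does. If it is a bare `free(ds.data)`, add `bzero(ds.data, ds.length);` ahead of it on every exit path after the `malloc`. The same applies to the `MALLOC(ds.length)` buffer in the kernel copy, `k_hmac_md5.c`.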
@@ -75,13 +73,19 @@ k5_hmac_md5_hash (krb5_context context, } bzero(&ks, sizeof(krb5_keyblock)); - ds.length = key->length; + /* + * Solaris Kerberos: The digest length is that of MD5_CKSUM_LENGTH not the key + * length, as keys can be of varying lengths but should not affect the digest + * length. The signing key is the digest and therefore is also the same + * length, MD5_CKSUM_LENGTH. + */ + ds.length = MD5_CKSUM_LENGTH; ds.data = MALLOC(ds.length); if (ds.data == NULL) return (ENOMEM); - ks.contents = (void *) ds.data; - ks.length = key->length; + ks.length = MD5_CKSUM_LENGTH; + #ifdef _KERNEL if (key->kef_key.ck_data == NULL) { ret = init_key_kef(krb5_enctypes_list[i].kef_cipher_mt, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c index 7a448bab08..834c35a63f 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c @@ -1,9 +1,8 @@ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ - /* * Copyright (C) 1998 by the FundsXpress, INC. * @@ -84,9 +83,11 @@ krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, if (krb5_enctypes_list[e2].etype == key->enctype) break; - if ((e1 == krb5_enctypes_length) || - (e2 == krb5_enctypes_length) || - (krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) { + /* + * Solaris Kerberos: The actual key encryption type could be + * arbitrary, so the checksum enc type doesn't need to be the same. + */ + if ((e1 == krb5_enctypes_length) || (e2 == krb5_enctypes_length)) { ret = KRB5_BAD_ENCTYPE; goto cleanup; } |
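Review bot: In the `k5_hmac_md5_hash` hunk of `k_hmac_md5.c`, the allocation size changes from `key->length` to `MD5_CKSUM_LENGTH`, but the matching release of `ds.data` lies outside the hunk and must use the same size. If `MALLOC` maps to a sized kernel allocator of the `kmem_alloc`/`kmem_free` kind, a cleanup that still passes `key->length` would free with the wrong size for any key whose length differs from `MD5_CKSUM_LENGTH`. Please confirm that every exit path after `MALLOC(ds.length)` releases the buffer with `ds.length`, not `key->length`.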
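Review bot: In the `krb5_c_make_checksum` hunk of `make_checksum.c`, dropping the `krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc` test relaxes the key/checksum compatibility check for every keyed checksum type, not only the HMAC-MD5 case that the other two files adjust for. Each keyhash provider reached from here can now be handed a key of any listed enctype, and providers outside this diff may still assume the key matches their cipher or size buffers from `key->length`. Consider keeping the comparison and exempting only the checksum type that needs it, e.g. `(cksumtype != CKSUMTYPE_HMAC_MD5_ARCFOUR && krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)`, and have the comment name that type. The function begins and ends outside the hunk, so the provider dispatch that follows is not visible here.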