Skip Menu |
 

From: Nicolas Pouvesle <nico.pou@fnac.net>
To: krb5-bugs@mit.edu
Subject: old_api_glue bug
Date: Tue, 2 Sep 2003 22:38:04 +0200
From my previous mail on krbdev@mit.edu :

1)

When rshd/rlogind (and telnet too i think) call the function
krb5_verify_checksum (in lib/crypto/old_api_glue.c) key params are just key
value and key length. A krb5_keyblock is created but the key enctype is
undefined.
So if the original checksum type was for example sha1-hmac (like it is done in
shishi) the function will failed with bad_enc_type (in a sub call it looks if
enctype is ok, but like i said it was not initialised so in fact random).

Like in your code the checksum type is always to RSA-MD5 this function won't
failed, but for some other types it will.

2)

In the same function keyusage is set to 0, but for others types than RSA-MD5
it should not . For exemple i have put it to KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM
like all calls are made to verify AP_REQ. However keyusage in params seems to
be a better idea.

It seems it is a bug, not a something for compatibility.


Bye and thanks,

Nicolas Pouvesle