* where random-to-key and prf are defined in RFC 3961.
*/
OM_uint32
-gssEapDeriveRFC3961Key(OM_uint32 *minor,
+gssEapDeriveRfc3961Key(OM_uint32 *minor,
const unsigned char *key,
size_t keyLength,
krb5_enctype enctype,
GSSEAP_KRB_INIT(&context);
- kd.contents = NULL;
- kd.length = 0;
- KRB_KEYTYPE(&kd) = enctype;
+ KRB_KEY_INIT(&kd);
+ KRB_KEY_TYPE(&kd) = enctype;
prf.data = NULL;
prf.length = 0;
data.length = keybytes;
data.data = (char *)key;
- kd.contents = GSSEAP_MALLOC(keylength);
- if (kd.contents == NULL) {
+ KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keylength);
+ if (KRB_KEY_DATA(&kd) == NULL) {
code = ENOMEM;
goto cleanup;
}
- kd.length = keylength;
+ KRB_KEY_LENGTH(&kd) = keylength;
/* Convert MSK into a Kerberos key */
code = krb5_c_random_to_key(context, enctype, &data, &kd);
goto cleanup;
*pKey = kd;
- kd.contents = NULL;
+ KRB_KEY_DATA(&kd) = NULL;
cleanup:
- if (kd.contents != NULL) {
- memset(kd.contents, 0, kd.length);
- GSSEAP_FREE(kd.contents);
+ if (KRB_KEY_DATA(&kd) != NULL) {
+ memset(KRB_KEY_DATA(&kd), 0, KRB_KEY_LENGTH(&kd));
+ GSSEAP_FREE(KRB_KEY_DATA(&kd));
}
if (prf.data != NULL) {
memset(prf.data, 0, prf.length);
*minor = code;
return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
}
+
+#ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
+#endif
+
+OM_uint32
+rfc3961ChecksumTypeForKey(OM_uint32 *minor,
+ krb5_keyblock *key,
+ krb5_cksumtype *cksumtype)
+{
+ krb5_context krbContext;
+#ifndef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+ krb5_data data;
+ krb5_checksum cksum;
+#endif
+
+ GSSEAP_KRB_INIT(&krbContext);
+
+#ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+ *minor = krb5int_c_mandatory_cksumtype(krbContext, KRB_KEY_TYPE(key),
+ cksumtype);
+ if (*minor != 0)
+ return GSS_S_FAILURE;
+#else
+ data.length = 0;
+ data.data = NULL;
+
+ memset(&cksum, 0, sizeof(cksum));
+
+ /*
+ * This is a complete hack but it's the only way to work with
+ * MIT Kerberos pre-1.9 without using private API, as it does
+ * not support passing in zero as the checksum type.
+ */
+ *minor = krb5_c_make_checksum(krbContext, 0, key, 0, &data, &cksum);
+ if (*minor != 0)
+ return GSS_S_FAILURE;
+
+ *cksumtype = cksum.checksum_type;
+
+ krb5_free_checksum_contents(krbContext, &cksum);
+#endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
+
+ return GSS_S_COMPLETE;
+}