heimdal Add handling for PAC signatures over all encryption types

There are exceptions from the expected behaviour of 'checksum type
matches key type' that we must deal with here, or else we can't serve
DES-only servers.

Andrew Bartlett

1 files changed, 32 insertions, 0 deletions

diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 2502cc672f..006028b601 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -1496,6 +1496,8 @@ SP_HMAC_SHA1_checksum(krb5_context context,
 
 /*
  * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
+ *
+ * This function made available to PAC routines
  */
 
 static krb5_error_code
@@ -1547,6 +1549,36 @@ HMAC_MD5_checksum(krb5_context context,
     return 0;
 }
 
+/* HMAC-MD5 checksum over any key (needed for the PAC routines) */
+krb5_error_code
+HMAC_MD5_any_checksum(krb5_context context,
+		      const krb5_keyblock *key,
+		      const void *data,
+		      size_t len,
+		      unsigned usage,
+		      Checksum *result)
+{
+	krb5_error_code ret;
+	struct key_data local_key;
+	ret = krb5_copy_keyblock(context, key, &local_key.key);
+	if (ret)
+	    return ret;
+
+	local_key.schedule = NULL;
+	ret = krb5_data_alloc (&result->checksum, 16);
+	if (ret)
+	    return ret;
+
+	result->cksumtype = CKSUMTYPE_HMAC_MD5;
+	ret = HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
+
+	if (ret)
+		krb5_data_free(&result->checksum);
+
+	krb5_free_keyblock(context, local_key.key);
+	return ret;
+}
+
 static struct checksum_type checksum_none = {
     CKSUMTYPE_NONE,
     "none",