diff options
| author | Tom Yu <tlyu@mit.edu> | 2009-04-15 21:00:34 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2009-04-15 21:00:34 +0000 |
| commit | 28aad739b9e64427265dff10d8f08fad26184eb7 (patch) | |
| tree | d1f52f9efa4706cc8050fd719393654b6248f9ac | |
| parent | 40a4f6dd4b4c1d51197f88ac56390dc47a5a118e (diff) | |
| download | krb5-28aad739b9e64427265dff10d8f08fad26184eb7.zip krb5-28aad739b9e64427265dff10d8f08fad26184eb7.tar.gz krb5-28aad739b9e64427265dff10d8f08fad26184eb7.tar.bz2 | |
pull up r22210 from trunk
------------------------------------------------------------------------
r22210 | hartmans | 2009-04-14 11:35:12 -0400 (Tue, 14 Apr 2009) | 6 lines
Changed paths:
M /trunk/src/kdc/fast_util.c
ticket: 6461
Subject: Require fast_req checksum to be keyed
Target_Version: 1.7
Tags: pullup
Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used.
ticket: 6461
version_fixed: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22262 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | src/kdc/fast_util.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 6ced4c7..f02410b 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -133,9 +133,11 @@ krb5_error_code kdc_find_fast krb5_kdc_req *request = *requestptr; krb5_fast_armored_req *fast_armored_req = NULL; krb5_boolean cksum_valid; + krb5_keyblock empty_keyblock; scratch.data = NULL; krb5_clear_error_message(kdc_context); + memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ @@ -192,7 +194,23 @@ krb5_error_code kdc_find_fast krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, "FAST req_checksum invalid; request modified"); } - if (retval == 0) { + if (retval == 0) { + krb5_error_code ret; + /* We need to confirm that a keyed checksum is used for the + * fast_req checksum. In April 2009, the best way to do this is + * to try verifying the checksum with a keyblock with an zero + * length; if it succeeds, then an unkeyed checksum is used.*/ + ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (ret == 0) { + retval = KRB5KDC_ERR_POLICY; + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "Unkeyed checksum used in fast_req"); + } + } + if (retval == 0) { if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } |