pull up r23628 from trunk

------------------------------------------------------------------------ r23628 | ghudson | 2010-01-11 20:05:37 -0500 (Mon, 11 Jan 2010) | 9 lines ticket: 6632 subject: Simplify and fix FAST check for keyed checksum type target_version: 1.8 tags: pullup Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling FAST requests. The old check was broken for 1.8 because krb5_c_verify_checksum got pickier about invalid keyblocks. ticket: 6632 version_fixed: 1.8 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23649 dc483132-0cff-0310-8789-dd5450dbe970
author: Tom Yu <tlyu@mit.edu> 2010-01-12 05:03:49 +0000
committer: Tom Yu <tlyu@mit.edu> 2010-01-12 05:03:49 +0000
commit: c9c39297fa607166fd96d705ba59b0a00ae0c403 (patch)
tree: 61f82d985db5334f8bcf3e8a3763acad301ce80e
parent: d23b893dc65057c7b54ef7ef2f707caf0e1757b3 (diff)
download: krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.zip
krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.tar.gz
krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.tar.bz2
1 files changed, 4 insertions, 15 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index e6503cf..06b1e2b 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -133,6 +133,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
     krb5_fast_req * fast_req = NULL;
     krb5_kdc_req *request = *requestptr;
     krb5_fast_armored_req *fast_armored_req = NULL;
+    krb5_checksum *cksum;
     krb5_boolean cksum_valid;
     krb5_keyblock empty_keyblock;
 
@@ -191,11 +192,11 @@ kdc_find_fast(krb5_kdc_req **requestptr,
             if (plaintext.data)
                 free(plaintext.data);
         }
+        cksum = &fast_armored_req->req_checksum;
         if (retval == 0)
             retval = krb5_c_verify_checksum(kdc_context, state->armor_key,
                                             KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
-                                            checksummed_data,
-                                            &fast_armored_req->req_checksum,
+                                            checksummed_data, cksum,
                                             &cksum_valid);
         if (retval == 0 && !cksum_valid) {
             retval = KRB5KRB_AP_ERR_MODIFIED;
@@ -203,19 +204,7 @@ kdc_find_fast(krb5_kdc_req **requestptr,
                                    "FAST req_checksum invalid; request modified");
         }
         if (retval == 0) {
-            krb5_error_code ret;
-            /*
-             * We need to confirm that a keyed checksum is used for the
-             * fast_req checksum.  In April 2009, the best way to do this is
-             * to try verifying the checksum with a keyblock with an zero
-             * length; if it succeeds, then an unkeyed checksum is used.
-             */
-            ret  = krb5_c_verify_checksum(kdc_context, &empty_keyblock,
-                                          KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
-                                          checksummed_data,
-                                          &fast_armored_req->req_checksum,
-                                          &cksum_valid);
-            if (ret == 0) {
+            if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) {
                 retval = KRB5KDC_ERR_POLICY;
                 krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
                                        "Unkeyed checksum used in fast_req");
author	Tom Yu <tlyu@mit.edu>	2010-01-12 05:03:49 +0000
committer	Tom Yu <tlyu@mit.edu>	2010-01-12 05:03:49 +0000
commit	c9c39297fa607166fd96d705ba59b0a00ae0c403 (patch)
tree	61f82d985db5334f8bcf3e8a3763acad301ce80e
parent	d23b893dc65057c7b54ef7ef2f707caf0e1757b3 (diff)
download	krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.zip krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.tar.gz krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.tar.bz2