diff options
author | Tom Yu <tlyu@mit.edu> | 2010-01-12 05:03:49 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2010-01-12 05:03:49 +0000 |
commit | c9c39297fa607166fd96d705ba59b0a00ae0c403 (patch) | |
tree | 61f82d985db5334f8bcf3e8a3763acad301ce80e | |
parent | d23b893dc65057c7b54ef7ef2f707caf0e1757b3 (diff) | |
download | krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.zip krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.tar.gz krb5-c9c39297fa607166fd96d705ba59b0a00ae0c403.tar.bz2 |
pull up r23628 from trunk
------------------------------------------------------------------------
r23628 | ghudson | 2010-01-11 20:05:37 -0500 (Mon, 11 Jan 2010) | 9 lines
ticket: 6632
subject: Simplify and fix FAST check for keyed checksum type
target_version: 1.8
tags: pullup
Use krb5_c_is_keyed_checksum to detect unkeyed checksums when handling
FAST requests. The old check was broken for 1.8 because
krb5_c_verify_checksum got pickier about invalid keyblocks.
ticket: 6632
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23649 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/kdc/fast_util.c | 19 |
1 files changed, 4 insertions, 15 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index e6503cf..06b1e2b 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -133,6 +133,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, krb5_fast_req * fast_req = NULL; krb5_kdc_req *request = *requestptr; krb5_fast_armored_req *fast_armored_req = NULL; + krb5_checksum *cksum; krb5_boolean cksum_valid; krb5_keyblock empty_keyblock; @@ -191,11 +192,11 @@ kdc_find_fast(krb5_kdc_req **requestptr, if (plaintext.data) free(plaintext.data); } + cksum = &fast_armored_req->req_checksum; if (retval == 0) retval = krb5_c_verify_checksum(kdc_context, state->armor_key, KRB5_KEYUSAGE_FAST_REQ_CHKSUM, - checksummed_data, - &fast_armored_req->req_checksum, + checksummed_data, cksum, &cksum_valid); if (retval == 0 && !cksum_valid) { retval = KRB5KRB_AP_ERR_MODIFIED; @@ -203,19 +204,7 @@ kdc_find_fast(krb5_kdc_req **requestptr, "FAST req_checksum invalid; request modified"); } if (retval == 0) { - krb5_error_code ret; - /* - * We need to confirm that a keyed checksum is used for the - * fast_req checksum. In April 2009, the best way to do this is - * to try verifying the checksum with a keyblock with an zero - * length; if it succeeds, then an unkeyed checksum is used. - */ - ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, - KRB5_KEYUSAGE_FAST_REQ_CHKSUM, - checksummed_data, - &fast_armored_req->req_checksum, - &cksum_valid); - if (ret == 0) { + if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) { retval = KRB5KDC_ERR_POLICY; krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, "Unkeyed checksum used in fast_req"); |