From: Sam Hartman Date: Tue, 14 Apr 2009 15:35:12 +0000 (+0000) Subject: Require fast_req checksum to be keyed X-Git-Tag: krb5-1.8-alpha1~538 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=08b04a0676438f84696f504f8b19f873ce598209;p=krb5.git Require fast_req checksum to be keyed Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used. ticket: 6461 Target_Version: 1.7 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22210 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 6ced4c7e6..f02410b96 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -133,9 +133,11 @@ krb5_error_code kdc_find_fast krb5_kdc_req *request = *requestptr; krb5_fast_armored_req *fast_armored_req = NULL; krb5_boolean cksum_valid; + krb5_keyblock empty_keyblock; scratch.data = NULL; krb5_clear_error_message(kdc_context); + memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ @@ -192,7 +194,23 @@ krb5_error_code kdc_find_fast krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, "FAST req_checksum invalid; request modified"); } - if (retval == 0) { + if (retval == 0) { + krb5_error_code ret; + /* We need to confirm that a keyed checksum is used for the + * fast_req checksum. In April 2009, the best way to do this is + * to try verifying the checksum with a keyblock with an zero + * length; if it succeeds, then an unkeyed checksum is used.*/ + ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (ret == 0) { + retval = KRB5KDC_ERR_POLICY; + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "Unkeyed checksum used in fast_req"); + } + } + if (retval == 0) { if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; }