From: Tom Yu Date: Thu, 2 Apr 2009 23:30:28 +0000 (+0000) Subject: Fix krshd and krlogind to use krb5_c_verify_checksum X-Git-Tag: krb5-1.8-alpha1~572 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=d44144bc3c86cd2e0b9dbe74f0241905201ddd23;p=krb5.git Fix krshd and krlogind to use krb5_c_verify_checksum ticket: 1624 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22159 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index 705285640..09aeaad21 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -1358,21 +1358,26 @@ recvauth(valid_checksum) if (authenticator->checksum) { struct sockaddr_in adr; socklen_t adr_length = sizeof(adr); - char * chksumbuf = NULL; + krb5_data chksumbuf; + krb5_boolean valid = 0; + + chksumbuf.data = NULL; if (getsockname(netf, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; - if (asprintf(&chksumbuf, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) + if (asprintf(&chksumbuf.data, "%u:%s%s", ntohs(adr.sin_port), term, lusername) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; + error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status; diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 76c0ca1fc..59a088ef1 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -1810,8 +1810,11 @@ recvauth(netfd, peersin, valid_checksum) struct sockaddr_storage adr; unsigned int adr_length = sizeof(adr); int e; - char namebuf[32], *chksumbuf = NULL; + char namebuf[32]; + krb5_boolean valid = 0; + krb5_data chksumbuf; + chksumbuf.data = NULL; if (getsockname(netfd, (struct sockaddr *) &adr, &adr_length) != 0) goto error_cleanup; @@ -1819,19 +1822,20 @@ recvauth(netfd, peersin, valid_checksum) namebuf, sizeof(namebuf), NI_NUMERICSERV); if (e) fatal(netfd, "local error: can't examine port number"); - if (asprintf(&chksumbuf, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) + if (asprintf(&chksumbuf.data, "%s:%s%s", namebuf, cmdbuf, locuser) < 0) goto error_cleanup; - status = krb5_verify_checksum(bsd_context, - authenticator->checksum->checksum_type, - authenticator->checksum, - chksumbuf, strlen(chksumbuf), - ticket->enc_part2->session->contents, - ticket->enc_part2->session->length); + chksumbuf.length = strlen(chksumbuf.data); + status = krb5_c_verify_checksum(bsd_context, + ticket->enc_part2->session, + KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, + &chksumbuf, authenticator->checksum, + &valid); + if (status == 0 && !valid) status = KRB5KRB_AP_ERR_BAD_INTEGRITY; error_cleanup: - if (chksumbuf) - free(chksumbuf); + if (chksumbuf.data) + free(chksumbuf.data); if (status) { krb5_free_authenticator(bsd_context, authenticator); return status;