From 28aad739b9e64427265dff10d8f08fad26184eb7 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 15 Apr 2009 21:00:34 +0000 Subject: [PATCH] pull up r22210 from trunk ------------------------------------------------------------------------ r22210 | hartmans | 2009-04-14 11:35:12 -0400 (Tue, 14 Apr 2009) | 6 lines Changed paths: M /trunk/src/kdc/fast_util.c ticket: 6461 Subject: Require fast_req checksum to be keyed Target_Version: 1.7 Tags: pullup Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used. ticket: 6461 version_fixed: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22262 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/fast_util.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 6ced4c7e6..f02410b96 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -133,9 +133,11 @@ krb5_error_code kdc_find_fast krb5_kdc_req *request = *requestptr; krb5_fast_armored_req *fast_armored_req = NULL; krb5_boolean cksum_valid; + krb5_keyblock empty_keyblock; scratch.data = NULL; krb5_clear_error_message(kdc_context); + memset(&empty_keyblock, 0, sizeof(krb5_keyblock)); fast_padata = find_pa_data(request->padata, KRB5_PADATA_FX_FAST); if (fast_padata != NULL){ @@ -192,7 +194,23 @@ krb5_error_code kdc_find_fast krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED, "FAST req_checksum invalid; request modified"); } - if (retval == 0) { + if (retval == 0) { + krb5_error_code ret; + /* We need to confirm that a keyed checksum is used for the + * fast_req checksum. In April 2009, the best way to do this is + * to try verifying the checksum with a keyblock with an zero + * length; if it succeeds, then an unkeyed checksum is used.*/ + ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, + KRB5_KEYUSAGE_FAST_REQ_CHKSUM, + checksummed_data, &fast_armored_req->req_checksum, + &cksum_valid); + if (ret == 0) { + retval = KRB5KDC_ERR_POLICY; + krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, + "Unkeyed checksum used in fast_req"); + } + } + if (retval == 0) { if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0) retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION; } -- 2.26.2