svn rev #22210: trunk/src/kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Tue Apr 14 11:35:13 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22210
Commit By: hartmans
Log Message:
ticket: 6461
Subject: Require fast_req checksum to be keyed
Target_Version: 1.7
Tags: pullup
Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used.
Changed Files:
U trunk/src/kdc/fast_util.c
Modified: trunk/src/kdc/fast_util.c
===================================================================
--- trunk/src/kdc/fast_util.c 2009-04-14 15:05:21 UTC (rev 22209)
+++ trunk/src/kdc/fast_util.c 2009-04-14 15:35:12 UTC (rev 22210)
@@ -133,9 +133,11 @@
krb5_kdc_req *request = *requestptr;
krb5_fast_armored_req *fast_armored_req = NULL;
krb5_boolean cksum_valid;
+ krb5_keyblock empty_keyblock;
scratch.data = NULL;
krb5_clear_error_message(kdc_context);
+ memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
fast_padata = find_pa_data(request->padata,
KRB5_PADATA_FX_FAST);
if (fast_padata != NULL){
@@ -192,7 +194,23 @@
krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED,
"FAST req_checksum invalid; request modified");
}
- if (retval == 0) {
+ if (retval == 0) {
+ krb5_error_code ret;
+ /* We need to confirm that a keyed checksum is used for the
+ * fast_req checksum. In April 2009, the best way to do this is
+ * to try verifying the checksum with a keyblock with an zero
+ * length; if it succeeds, then an unkeyed checksum is used.*/
+ ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock,
+ KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
+ checksummed_data, &fast_armored_req->req_checksum,
+ &cksum_valid);
+ if (ret == 0) {
+ retval = KRB5KDC_ERR_POLICY;
+ krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+ "Unkeyed checksum used in fast_req");
+ }
+ }
+ if (retval == 0) {
if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
}
More information about the cvs-krb5
mailing list