svn rev #22262: branches/krb5-1-7/src/kdc/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Apr 15 17:00:34 EDT 2009 

http://src.mit.edu/fisheye/changelog/krb5/?cs=22262
Commit By: tlyu
Log Message:
ticket: 6461
version_fixed: 1.7

pull up r22210 from trunk

 ------------------------------------------------------------------------
 r22210 | hartmans | 2009-04-14 11:35:12 -0400 (Tue, 14 Apr 2009) | 6 lines
 Changed paths:
    M /trunk/src/kdc/fast_util.c

 ticket: 6461
 Subject: Require fast_req checksum to be keyed
 Target_Version: 1.7
 Tags: pullup

 Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used.


Changed Files:
U   branches/krb5-1-7/src/kdc/fast_util.c
Modified: branches/krb5-1-7/src/kdc/fast_util.c
===================================================================
--- branches/krb5-1-7/src/kdc/fast_util.c	2009-04-15 21:00:31 UTC (rev 22261)
+++ branches/krb5-1-7/src/kdc/fast_util.c	2009-04-15 21:00:34 UTC (rev 22262)
@@ -133,9 +133,11 @@
     krb5_kdc_req *request = *requestptr;
     krb5_fast_armored_req *fast_armored_req = NULL;
     krb5_boolean cksum_valid;
+    krb5_keyblock empty_keyblock;
 
     scratch.data = NULL;
     krb5_clear_error_message(kdc_context);
+    memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
     fast_padata = find_pa_data(request->padata,
 			       KRB5_PADATA_FX_FAST);
     if (fast_padata !=  NULL){
@@ -192,7 +194,23 @@
       krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED,
 			     "FAST req_checksum invalid; request modified");
     }
-	    if (retval == 0) {
+    if (retval == 0) {
+	krb5_error_code ret;
+	/* We need to confirm that a keyed checksum is used for the
+	 * fast_req checksum.  In April 2009, the best way to do this is
+	 * to try verifying the checksum with a keyblock with an zero
+	 * length; if it succeeds, then an unkeyed checksum is used.*/
+	ret  = krb5_c_verify_checksum(kdc_context, &empty_keyblock,
+				      KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
+				      checksummed_data, &fast_armored_req->req_checksum,
+				      &cksum_valid);
+	if (ret == 0) {
+	    retval = KRB5KDC_ERR_POLICY;
+	    krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+				   "Unkeyed checksum used in fast_req");
+	}
+    }
+    if (retval == 0) {
 	if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
 	    retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
     }

More information about the cvs-krb5 mailing list