summaryrefslogtreecommitdiffstats
path: root/src/kdc
diff options
context:
space:
mode:
authorSam Hartman <hartmans@mit.edu>2009-04-14 15:35:12 +0000
committerSam Hartman <hartmans@mit.edu>2009-04-14 15:35:12 +0000
commit08b04a0676438f84696f504f8b19f873ce598209 (patch)
treea32c29f58e71ae0f4827c1770b247bb04dcb9195 /src/kdc
parent2e6de997360ecefbe42d58af88f275939c4b5266 (diff)
downloadkrb5-08b04a0676438f84696f504f8b19f873ce598209.tar.gz
krb5-08b04a0676438f84696f504f8b19f873ce598209.tar.xz
krb5-08b04a0676438f84696f504f8b19f873ce598209.zip
Require fast_req checksum to be keyed
Since the fast_req checksum is unencrypted, a keyed checksum type needs to be used. ticket: 6461 Target_Version: 1.7 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22210 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/fast_util.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 6ced4c7e67..f02410b967 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -133,9 +133,11 @@ krb5_error_code kdc_find_fast
krb5_kdc_req *request = *requestptr;
krb5_fast_armored_req *fast_armored_req = NULL;
krb5_boolean cksum_valid;
+ krb5_keyblock empty_keyblock;
scratch.data = NULL;
krb5_clear_error_message(kdc_context);
+ memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
fast_padata = find_pa_data(request->padata,
KRB5_PADATA_FX_FAST);
if (fast_padata != NULL){
@@ -192,7 +194,23 @@ krb5_error_code kdc_find_fast
krb5_set_error_message(kdc_context, KRB5KRB_AP_ERR_MODIFIED,
"FAST req_checksum invalid; request modified");
}
- if (retval == 0) {
+ if (retval == 0) {
+ krb5_error_code ret;
+ /* We need to confirm that a keyed checksum is used for the
+ * fast_req checksum. In April 2009, the best way to do this is
+ * to try verifying the checksum with a keyblock with an zero
+ * length; if it succeeds, then an unkeyed checksum is used.*/
+ ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock,
+ KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
+ checksummed_data, &fast_armored_req->req_checksum,
+ &cksum_valid);
+ if (ret == 0) {
+ retval = KRB5KDC_ERR_POLICY;
+ krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
+ "Unkeyed checksum used in fast_req");
+ }
+ }
+ if (retval == 0) {
if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) !=0)
retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
}