From 28de60a9bc957a78df647e812a470abc9dec2ffc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 15 Dec 2008 04:32:59 +0000
Subject: [PATCH] stricter check that enctype matches checksum type when using keyed checksum

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24205 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/crypto.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index c8f25124b..284ed6734 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -1853,12 +1853,24 @@ verify_checksum(krb5_context context,
 return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
 }
 keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+ if(keyed_checksum) {
+ struct checksum_type *kct;
+ if (crypto == NULL) {
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
+ return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+ }
+ kct = crypto->et->keyed_checksum;
+ if (kct == NULL || kct->type != ct->type) {
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
+ ct->name, crypto->et->name);
+ return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+ }
 }
 if(keyed_checksum) {
 ret = get_checksum_key(context, crypto, usage, ct, &dkey);
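Review bot: The new enctype/checksum-type match is enforced only inside `if(keyed_checksum)`, so a checksum type without F_KEYED still passes this point even when a `crypto` context was supplied. If the checksum type is taken from the peer's message, a caller that expects a keyed checksum gets no rejection here. Whether callers or the rest of verify_checksum (which starts and continues outside the hunk) refuse unkeyed types is not visible, so that is worth confirming. A comment above the `kct` test such as `/* the checksum type must be the keyed checksum of the key's enctype, so the sender cannot choose a different algorithm for this key */` would record the intent. The new block is also followed directly by a second `if(keyed_checksum) {` for get_checksum_key, which could be merged into it, and the new message string spells `didnt` where `didn't` is meant.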