From 5773846f71dd639af6ea8894fc73d733004082f4 Mon Sep 17 00:00:00 2001
From: "Jacques A. Vidrine"
Date: Mon, 28 Apr 2003 15:19:12 +0000
Subject: [PATCH] verify_mic_des3: If MIC verification fails, retry using the `old' MIC computation (with zero IV).
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12168 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/verify_mic.c | 31 +++++++++++++++++++++----------
 lib/gssapi/verify_mic.c | 31 +++++++++++++++++++++----------
 2 files changed, 42 insertions(+), 20 deletions(-)
diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c
index 875d47b76..fda4b0797 100644
--- a/lib/gssapi/krb5/verify_mic.c
+++ b/lib/gssapi/krb5/verify_mic.c
@@ -143,7 +143,7 @@ verify_mic_des3
 OM_uint32 ret;
 krb5_crypto crypto;
 krb5_data seq_data;
- int cmp;
+ int cmp, docompat;
 Checksum csum;
 char *tmp;
 char ivec[8];
@@ -173,7 +173,9 @@ verify_mic_des3
 }
 /* verify sequence number */
- if (context_handle->more_flags & COMPAT_OLD_DES3)
+ docompat = (context_handle->more_flags & COMPAT_OLD_DES3);
+retry:
+ if (docompat)
 memset(ivec, 0, 8);
 else
 memcpy(ivec, p + 8, 8);
@@ -183,16 +185,22 @@ verify_mic_des3
 KRB5_KU_USAGE_SEQ, p, 8, &seq_data, ivec);
 if (ret) {
- gssapi_krb5_set_error_string ();
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- *minor_status = ret;
- return GSS_S_FAILURE;
+ if (docompat++) {
+ gssapi_krb5_set_error_string ();
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ } else
+ goto retry;
 }
 if (seq_data.length != 8) {
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
 krb5_data_free (&seq_data);
- return GSS_S_BAD_MIC;
+ if (docompat++) {
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ return GSS_S_BAD_MIC;
+ } else
+ goto retry;
 }
 krb5_auth_getremoteseqnumber (gssapi_krb5_context,
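Review bot: At `docompat = (context_handle->more_flags & COMPAT_OLD_DES3);` and the `retry:` label in the second hunk (@@ -173,7 +173,9 @@), `docompat` becomes both the IV selector and, through the later `docompat++` tests, the attempt counter, and no comment says so. A context that already has COMPAT_OLD_DES3 set starts non-zero, so it fails on the first pass and never tries the `p + 8` IV; the fallback runs only from the current form to the old one. I would add above `retry:` a comment such as `/* docompat: 0 = IV taken from the token, non-zero = zero IV (old DES3 MIC); a failed first pass is retried once with the zero IV */`. verify_mic_des3 begins and ends outside this hunk, and lib/gssapi/verify_mic.c carries the identical hunk, so the same comment belongs there.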
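Review bot: In the `if (ret)` branch of the third hunk (@@ -183,16 +185,22 @@) the retry is taken for every non-zero `ret`, and the first error is dropped before `goto retry`, so only the second attempt's status ever reaches `*minor_status`. Whether a wrong IV is the only way this call can fail is not visible here; if it can also fail for unrelated reasons, those are retried too and surface as a zero-IV failure. The post-increment inside the condition also hides the one-retry bound; writing each exit as `if (docompat) { ... return ...; }` followed by `docompat = 1;` and `goto retry;` keeps the same behaviour and shows the bound at a glance. The same pattern appears in the `seq_data.length != 8` block of this hunk, in the `cmp != 0` block of the next hunk, and in the matching hunks of lib/gssapi/verify_mic.c.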
@@ -208,8 +216,11 @@ verify_mic_des3
 cmp = memcmp (seq, seq_data.data, seq_data.length);
 krb5_data_free (&seq_data);
 if (cmp != 0) {
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- return GSS_S_BAD_MIC;
+ if (docompat++) {
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ return GSS_S_BAD_MIC;
+ } else
+ goto retry;
 }
 /* verify checksum */
diff --git a/lib/gssapi/verify_mic.c b/lib/gssapi/verify_mic.c
index 875d47b76..fda4b0797 100644
--- a/lib/gssapi/verify_mic.c
+++ b/lib/gssapi/verify_mic.c
@@ -143,7 +143,7 @@ verify_mic_des3
 OM_uint32 ret;
 krb5_crypto crypto;
 krb5_data seq_data;
- int cmp;
+ int cmp, docompat;
 Checksum csum;
 char *tmp;
 char ivec[8];
@@ -173,7 +173,9 @@ verify_mic_des3
 }
 /* verify sequence number */
- if (context_handle->more_flags & COMPAT_OLD_DES3)
+ docompat = (context_handle->more_flags & COMPAT_OLD_DES3);
+retry:
+ if (docompat)
 memset(ivec, 0, 8);
 else
 memcpy(ivec, p + 8, 8);
@@ -183,16 +185,22 @@ verify_mic_des3
 KRB5_KU_USAGE_SEQ, p, 8, &seq_data, ivec);
 if (ret) {
- gssapi_krb5_set_error_string ();
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- *minor_status = ret;
- return GSS_S_FAILURE;
+ if (docompat++) {
+ gssapi_krb5_set_error_string ();
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ } else
+ goto retry;
 }
 if (seq_data.length != 8) {
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
 krb5_data_free (&seq_data);
- return GSS_S_BAD_MIC;
+ if (docompat++) {
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ return GSS_S_BAD_MIC;
+ } else
+ goto retry;
 }
 krb5_auth_getremoteseqnumber (gssapi_krb5_context,
@@ -208,8 +216,11 @@ verify_mic_des3
 cmp = memcmp (seq, seq_data.data, seq_data.length);
 krb5_data_free (&seq_data);
 if (cmp != 0) {
- krb5_crypto_destroy (gssapi_krb5_context, crypto);
- return GSS_S_BAD_MIC;
+ if (docompat++) {
+ krb5_crypto_destroy (gssapi_krb5_context, crypto);
+ return GSS_S_BAD_MIC;
+ } else
+ goto retry;
 }
 /* verify checksum */
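Review bot: In the `if (cmp != 0)` block of the lib/gssapi/krb5/verify_mic.c hunk at @@ -208,8 +216,11 @@, a sequence-number mismatch now silently falls back to the zero-IV pass, and nothing in the visible lines records which form was accepted. As far as the diff shows, `context_handle->more_flags` is unchanged after a successful fallback, so a peer that sends old-style MICs costs a failed decrypt and compare on every message, and a token with a wrong sequence number costs two passes before GSS_S_BAD_MIC. If the context may be modified here and the flag's other uses allow it (neither is visible from the hunk), `context_handle->more_flags |= COMPAT_OLD_DES3;` after a matching zero-IV pass would make the choice sticky; otherwise a comment such as `/* fallback is per message; the context flag is not updated */` would document the intent. The function continues past `/* verify checksum */`, outside the hunk, and the last hunk of lib/gssapi/verify_mic.c is identical.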