kdc: map KRB5_PROG_SUMTYPE_NOSUPP to KRB5KDC_ERR_SUMTYPE_NOSUPP

RFC4120 says KRB5KDC_ERR_SUMTYPE_NOSUPP should be returned if the KDC does not support a given checksum type. Return this instead of KRB5_PROG_SUMTYPE_NOSUPP by introducing a new wrapper function, _kdc_verify_checksum().
2021-09-21 18:09:25 +10:00
parent 85756bd228
commit fd3f463152
4 changed files with 27 additions and 13 deletions
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -586,9 +586,9 @@ _kdc_do_digest(krb5_context context,
 	if (ret)
 	    goto out;

-	ret = krb5_verify_checksum(context, crypto,
+	ret = _kdc_verify_checksum(context, crypto,
 				   KRB5_KU_DIGEST_OPAQUE,
-				   buf.data, buf.length, &res);
+				   &buf, &res);
 	free_Checksum(&res);
 	krb5_data_free(&buf);
 	krb5_crypto_destroy(context, crypto);
--- a/kdc/fast.c
+++ b/kdc/fast.c
@@ -475,10 +475,9 @@ fast_unwrap_request(astgs_request_t r)
    krb5_free_keyblock_contents(r->context, &armorkey);

    /* verify req-checksum of the outer body */
-    ret = krb5_verify_checksum(r->context, r->armor_crypto,
+    ret = _kdc_verify_checksum(r->context, r->armor_crypto,
 			       KRB5_KU_FAST_REQ_CHKSUM,
-			       r->req.req_body._save.data,
-			       r->req.req_body._save.length,
+			       &r->req.req_body._save,
 			       &fxreq.u.armored_data.req_checksum);
    if (ret) {
 	kdc_log(r->context, r->config, 2,
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -110,8 +110,7 @@ pa_gss_verify_req_body_checksum(astgs_request_t r,
    heim_assert(ret || data.length,
                "internal asn1 encoder error");

-    ret = krb5_verify_checksum(r->context, NULL, 0,
-                               data.data, data.length, checksum);
+    ret = _kdc_verify_checksum(r->context, NULL, 0, &data, checksum);
    krb5_data_free(&data);

    return ret;
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -791,6 +791,24 @@ out:
    return ret;
 }

+krb5_error_code
+_kdc_verify_checksum(krb5_context context,
+		     krb5_crypto crypto,
+		     krb5_key_usage usage,
+		     const krb5_data *data,
+		     Checksum *cksum)
+{
+    krb5_error_code ret;
+
+    ret = krb5_verify_checksum(context, crypto, usage,
+			       data->data, data->length,
+			       cksum);
+    if (ret == KRB5_PROG_SUMTYPE_NOSUPP)
+	ret = KRB5KDC_ERR_SUMTYPE_NOSUPP;
+
+    return ret;
+}
+
 static krb5_error_code
 tgs_check_authenticator(krb5_context context,
 			krb5_kdc_configuration *config,
@@ -830,11 +848,10 @@ tgs_check_authenticator(krb5_context context,
     * not require it to be keyed (as the authenticator is encrypted).
     */
    _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
-    ret = krb5_verify_checksum(context,
+    ret = _kdc_verify_checksum(context,
 			       crypto,
 			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
-			       b->_save.data,
-			       b->_save.length,
+			       &b->_save,
 			       auth->cksum);
    krb5_crypto_destroy(context, crypto);
    if(ret){
@@ -1862,11 +1879,10 @@ server_lookup:
 		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	    }
 	    else {
-		ret = krb5_verify_checksum(context,
+		ret = _kdc_verify_checksum(context,
 					   crypto,
 					   KRB5_KU_OTHER_CKSUM,
-					   datack.data,
-					   datack.length,
+					   &datack,
 					   &self.cksum);
 	    }
 	    krb5_data_free(&datack);