Revert "make paranoia check less paranoid" - check that key types strictly match
authorAndrew Bartlett <abartlet@samba.org>
Thu, 15 Dec 2011 01:29:01 +0000 (12:29 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Jan 2012 08:43:07 +0000 (09:43 +0100)
This reverts commit c25af51232616061bb08eea86aae595b4f029490 because
otherwise we could attempt to verify a CKSUMTYPE_HMAC_SHA1_96_AES_256 checksum
with a KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Jan 12 09:43:07 CET 2012 on sn-devel-104

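index 732311bec9f49825189b41d0713aeefa0e91a301..75d0a099d483e43fa5d495862af71ccd93132c1f 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -454,7 +454,7 @@ verify_checksum(krb5_context context,
            return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
        }
        kct = crypto->et->keyed_checksum;
-       if (kct != NULL && kct->type != ct->type) {
+       if (kct == NULL || kct->type != ct->type) {
            krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
                                   N_("Checksum type %s is keyed, but "
                                      "the key type %s passed didnt have that checksum "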
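Review bot: The restored `kct == NULL ||` test in verify_checksum now sends a NULL `kct` into the error branch, and the argument list of the `krb5_set_error_message` call lies below the hunk, so it is worth confirming that it formats names taken from `ct` and `crypto->et` and never dereferences `kct`. The strict equality is what keeps a keyed checksum type (presumably read from the received message) from being verified under a key of an unrelated enctype. Since this condition has already been relaxed once, a comment directly above it would help the next maintainer, for example `/* A keyed checksum must be the one bound to this key's enctype; do not relax (algorithm confusion). */`. A regression test that verifies a keyed checksum with a key whose enctype has a different, or no, `keyed_checksum` and expects `KRB5_PROG_SUMTYPE_NOSUPP` would pin the behaviour. verify_checksum starts and ends outside the hunk.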