- /* verify checksum, compose clear text as layout:
- * ------------------------------------------------------
- * | confounder | gss header | clear msgs | krb5 header |
- * ------------------------------------------------------
- */
- hash_objs[0].len = ke->ke_conf_size;
- hash_objs[0].data = plain_out.data;
- hash_objs[1].len = gsshdr->len;
- hash_objs[1].data = gsshdr->data;
- hash_objs[2].len = plain_out.len - ke->ke_conf_size - sizeof(*khdr);
- hash_objs[2].data = plain_out.data + ke->ke_conf_size;
- if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
- khdr, 3, hash_objs, 0, NULL, &cksum))
- goto out_free;
-
- LASSERT(cksum.len >= ke->ke_hash_size);
- if (memcmp((char *)(khdr + 1) + bodysize,
- cksum.data + cksum.len - ke->ke_hash_size,
- ke->ke_hash_size)) {
- CERROR("checksum mismatch\n");
- goto out_free;
- }
+ /* expected clear text layout:
+ * -----------------------------------------
+ * | confounder | clear msgs | krb5 header |
+ * -----------------------------------------
+ */
+
+ /* verify krb5 header in token is not modified */
+ if (memcmp(khdr, plain_out.data + plain_out.len - sizeof(*khdr),
+ sizeof(*khdr))) {
+ CERROR("decrypted krb5 header mismatch\n");
+ goto out_free;
+ }
+
+ /* verify checksum, compose clear text as layout:
+ * ------------------------------------------------------
+ * | confounder | gss header | clear msgs | krb5 header |
+ * ------------------------------------------------------
+ */
+ hash_objs[0].len = ke->ke_conf_size;
+ hash_objs[0].data = plain_out.data;
+ hash_objs[1].len = gsshdr->len;
+ hash_objs[1].data = gsshdr->data;
+ hash_objs[2].len = plain_out.len - ke->ke_conf_size - sizeof(*khdr);
+ hash_objs[2].data = plain_out.data + ke->ke_conf_size;
+ if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
+ khdr, 3, hash_objs, 0, NULL, &cksum,
+ gctx->hash_func))
+ goto out_free;
+
+ LASSERT(cksum.len >= ke->ke_hash_size);
+ if (memcmp((char *)(khdr + 1) + bodysize,
+ cksum.data + cksum.len - ke->ke_hash_size,
+ ke->ke_hash_size)) {
+ CERROR("checksum mismatch\n");
+ goto out_free;
+ }