Fix krb5 GSS MIC verification

Commit 7ae0adcdf16687810f747e284c9fb571a561c5bd contains a pair of
bugs that, in combination, result in the acceptance of MIC tokens with
invalid checksums.

In kg_verify_checksum_v3(), properly set bytes 4..7 to 0xFF in the
composed token header for MIC tokens. In verify_mic_v3(), properly
check the return value of kg_verify_checksum_v3(). In t_invalid.c,
test invalid MIC tokens by altering the bytes of a valid MIC.

Reported by Francis Dupont.

CVE-2025-57736:

MIT krb5 release 1.22 incorrectly accepts krb5 GSS-API MIC tokens with
invalid checksums.

ticket: 9181
tags: pullup
target_version: 1.22-next
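
The checks named in the commit message above, sketched as an added example that is not krb5's code: a verifier recomposes the RFC 4121 MIC token header from the parsed flags and sequence number with the filler bytes forced to 0xFF, recomputes the checksum over message plus header, and lets that comparison alone decide acceptance. The function names and the FNV-1a keyed checksum are hypothetical stand-ins (the checksum is not cryptographic); the 16-byte header layout is the one RFC 4121 defines.

```c
#include <stdint.h>
#include <string.h>

#define HDR_LEN 16  /* TOK_ID(2) Flags(1) Filler(5) SND_SEQ(8), per RFC 4121 */
#define CK_LEN  8   /* size of the stand-in checksum */

/* Stand-in keyed checksum (FNV-1a, NOT cryptographic; constructed for this
 * example) over key, message, then header: RFC 4121 puts the header last. */
static void toy_cksum(const uint8_t *key, size_t klen, const uint8_t *msg,
                      size_t mlen, const uint8_t *hdr, uint8_t *out)
{
    const uint8_t *p[3] = { key, msg, hdr };
    size_t n[3] = { klen, mlen, HDR_LEN }, i, j;
    uint64_t h = 1469598103934665603ULL;
    for (i = 0; i < 3; i++)
        for (j = 0; j < n[i]; j++)
            h = (h ^ p[i][j]) * 1099511628211ULL;
    memcpy(out, &h, CK_LEN);
}

/* Compose the header from parsed fields; filler bytes 3..7 are always 0xFF. */
static void compose_hdr(uint8_t flags, const uint8_t *seq, uint8_t *hdr)
{
    hdr[0] = 0x04; hdr[1] = 0x04; hdr[2] = flags;
    memset(hdr + 3, 0xFF, 5);
    memcpy(hdr + 8, seq, 8);
}

/* Build a valid token into tok, which must hold HDR_LEN + CK_LEN bytes. */
void make_mic(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen,
              uint8_t flags, const uint8_t *seq, uint8_t *tok)
{
    compose_hdr(flags, seq, tok);
    toy_cksum(key, klen, msg, mlen, tok, tok + HDR_LEN);
}

/* Returns 0 only if header and checksum match the recomputed token, else -1. */
int verify_mic(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen,
               const uint8_t *tok, size_t toklen)
{
    uint8_t want[HDR_LEN + CK_LEN], diff = 0;
    size_t i;
    if (toklen != sizeof(want))
        return -1;
    make_mic(key, klen, msg, mlen, tok[2], tok + 8, want); /* parsed fields only */
    for (i = 0; i < sizeof(want); i++)
        diff |= want[i] ^ tok[i];   /* no early exit; covers TOK_ID and filler */
    return diff == 0 ? 0 : -1;      /* the comparison result decides the outcome */
}
```

A regression test in the style the commit describes for t_invalid.c flips each byte of a valid token in turn and requires `verify_mic()` to reject every variant.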