* do_as_req.c (process_as_req): Treat SUPPORT_DESMD5 as if it were
authorTom Yu <tlyu@mit.edu>
Thu, 25 Oct 2001 20:25:32 +0000 (20:25 +0000)
committerTom Yu <tlyu@mit.edu>
Thu, 25 Oct 2001 20:25:32 +0000 (20:25 +0000)
always cleared.

* do_tgs_req.c (process_tgs_req): Treat SUPPORT_DESMD5 as if it
were always cleared.

* kdc_util.c (select_session_keytype): Don't issue session key
enctype that is not in permitted_enctypes.
(dbentry_supports_enctype): For now, always treat SUPPORT_DESMD5
as if it were cleared.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13857 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/kdc_util.c

index 77eed4abf242b5ecef5b28172f199fda9b1d4029..b411e1dc944b8f84c401948d3063dc47c2b744a2 100644 (file)
@@ -1,3 +1,18 @@
+2001-10-25  Tom Yu  <tlyu@mit.edu>
+
+       * do_as_req.c (process_as_req: Treat SUPPORT_DESMD5 as if it were
+       always cleared.
+
+       * do_tgs_req.c (process_tgs_req): Treat SUPPORT_DESMD5 as if it
+       were always cleared.
+
+2001-10-24  Tom Yu  <tlyu@mit.edu>
+
+       * kdc_util.c (select_session_keytype): Don't issue session key
+       enctype that is not in permitted_enctypes.
+       (dbentry_supports_enctype): For now, always treat SUPPORT_DESMD5
+       as if it were cleared.
+
 2001-10-12  Tom Yu  <tlyu@mit.edu>
 
        * kdc_util.c (ktypes2str, rep_etypes2str): Clean up somewhat.
index 32263d541a154b6121948e743acf4bf66abfd3c1..8ccada4c70b0a71531cbc7c582e48eef94bc66c1 100644 (file)
@@ -321,9 +321,6 @@ krb5_data **response;                       /* filled in with a response packet */
        status = "DECRYPT_SERVER_KEY";
        goto errout;
     }
-    if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
-       (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
-       encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
        
     errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
     krb5_free_keyblock_contents(kdc_context, &encrypting_key);
index 2a1490255ba5a5d71eae263b9938d90a5e6bf990..2da823cbe1143e388eccb84aa9502bd002ed5a72 100644 (file)
@@ -579,9 +579,6 @@ tgt_again:
            status = "DECRYPT_SERVER_KEY";
            goto cleanup;
        }
-       if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
-           (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
-           encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
        errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
                                        &ticket_reply);
        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
index a5111f358a2d735ee73400d4ebbd8cc34b8083e2..5c23e349abe596304fa121f7dd14ea7af48a49f4 100644 (file)
@@ -1419,13 +1419,14 @@ dbentry_supports_enctype(context, client, enctype)
 {
     /*
      * If it's DES_CBC_MD5, there's a bit in the attribute mask which
-     * checks to see if we support it.
+     * checks to see if we support it.  For now, treat it as always
+     * clear.
      *
      * In theory everything's supposed to support DES_CBC_MD5, but
      * that's not the reality....
      */
     if (enctype == ENCTYPE_DES_CBC_MD5)
-       return isflagset(client->attributes, KRB5_KDB_SUPPORT_DESMD5);
+       return 0;
 
     /*
      * XXX we assume everything can understand DES_CBC_CRC
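Review bot: The comment above the new `return 0;` in dbentry_supports_enctype still opens by saying a bit in the attribute mask decides DES_CBC_MD5 support, and "For now, treat it as always clear" gives neither the reason nor the condition under which the flag will be honoured again. After this change a principal with KRB5_KDB_SUPPORT_DESMD5 set is silently treated as not supporting the enctype, which an administrator reading the database entry would not expect. I would reword the comment to lead with the current behaviour, for example `/* KRB5_KDB_SUPPORT_DESMD5 is deliberately ignored: DES_CBC_MD5 is never reported as supported. */`, and add one sentence with the reason, which the commit message does not state. The function body continues past the end of this hunk.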
@@ -1458,6 +1459,9 @@ select_session_keytype(context, server, nktypes, ktype)
        if (!valid_enctype(ktype[i]))
            continue;
 
+       if (!krb5_is_permitted_enctype(context, ktype[i]))
+           continue;
+
        if (dbentry_supports_enctype(context, server, ktype[i]))
            return ktype[i];
     }
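Review bot: The added `krb5_is_permitted_enctype` check in select_session_keytype skips a candidate silently, so when the loop exhausts `ktype[]` the caller cannot tell a policy rejection from a database entry that lacks the enctype. The value returned after the loop is outside this hunk, so confirm that every caller treats the no-match result as an error rather than using it as an enctype. Because dbentry_supports_enctype now returns 0 for ENCTYPE_DES_CBC_MD5, a request that lists it first will presumably be given the next acceptable entry, which may be DES_CBC_CRC judging by the XXX comment in that function. That interaction deserves a comment at the new check, for example `/* Only issue session keys allowed by permitted_enctypes; DES_CBC_MD5 is currently never selected. */`.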