Use the preferred checksum for non-DES keys in the kdc_req path and

author Sam Hartman <hartmans@mit.edu>

Wed, 1 Apr 2009 18:25:02 +0000 (18:25 +0000)

committer Sam Hartman <hartmans@mit.edu>

Wed, 1 Apr 2009 18:25:02 +0000 (18:25 +0000)
author Sam Hartman <hartmans@mit.edu>
Wed, 1 Apr 2009 18:25:02 +0000 (18:25 +0000)
committer Sam Hartman <hartmans@mit.edu>
Wed, 1 Apr 2009 18:25:02 +0000 (18:25 +0000)
diff --git a/doc/admin.texinfo b/doc/admin.texinfo

index 8f5e69e8fe00dc1e35bca32d3495e117be56dcf2..f106e2e347a0a71ab43e05df2ca0d0e554d0acb4 100644 (file)
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -462,7 +462,8 @@ Kerberos library.  The default is @value{DefaultKDCTimesync}.
  An integer which specifies the type of checksum to use.  Used for
  compatability with DCE security servers which do not support the
  default @value{DefaultChecksumType} used by this version of Kerberos.
-The possible values and their meanings are as follows.
+Note that the ap_req_checksum_type variable's value is ignored.  The
+kdc_req_checksum_type is only used for DES keys.   The possible values and their meanings are as follows.
  
  @comment taken from krb5/src/include/krb5.h[in]
  @table @b
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M

index 9115e32c91f32f4bbef0cf13d4aa234909ca717a..10b1792e874dfc4c58be6c84660fe60acc2ca6ce 100644 (file)
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -143,15 +143,11 @@ clock.  This corrective factor is only used by the Kerberos library.
  For compatability with DCE security servers which do not support the
  default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value
  of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and
-earlier.
+earlier.  This value is only used for DES keys; other keys use the
+preferred checksum type for those keys.
  
  .IP ap_req_checksum_type 
-This allows you to set the checksum type used in the authenticator of
-KRB_AP_REQ messages.  The default value for this type is
-CKSUMTYPE_RSA_MD5.  For compatibility with applications linked against
-DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use
-the CKSUMTYPE_RSA_MD4
-instead.
+This obsolete variable is not used.
  
  .IP safe_checksum_type 
  This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c

index 2cf1ddf13bef6fb0b12e7850f60ce5b98430729b..3f12763fd50f1af5662781f57551fb8f6ab437aa 100644 (file)
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -205,8 +205,13 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
             checksum.length = in_data->length;
             checksum.contents = (krb5_octet *) in_data->data;
         } else {
+           krb5_cksumtype cksumtype;
+           retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype,
+                                                  &cksumtype);
+           if (retval)
+               goto cleanup_cksum;
             if ((retval = krb5_c_make_checksum(context, 
-                                              (*auth_context)->req_cksumtype,
+                                              cksumtype,
                                                (*auth_context)->keyblock,
                                                KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
                                                in_data, &checksum)))
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c

index 66a2422eaa6515b8115d6209195ec54d16871d97..73980f2cf4121a7ad6016ae904ea57cb86f6816f 100644 (file)
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -51,6 +51,7 @@ static krb5_error_code
  tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
              krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey)
  {   
+    krb5_cksumtype cksumtype;
      krb5_error_code       retval;
      krb5_checksum         checksum;
      krb5_authenticator    authent;
@@ -63,9 +64,20 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
      request.authenticator.kvno = 0;
      request.ap_options = 0;
      request.ticket = 0;
-
+    switch (in_cred->keyblock.enctype) {
+    case ENCTYPE_DES_CBC_CRC:
+    case ENCTYPE_DES_CBC_MD4:
+    case ENCTYPE_DES_CBC_MD5:
+       cksumtype = context->kdc_req_sumtype;
+       break;
+    default:
+       retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype);
+       if (retval)
+           goto cleanup;
+    }
+    
      /* Generate checksum */
-    if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype,
+    if ((retval = krb5_c_make_checksum(context, cksumtype,
                         &in_cred->keyblock,
                         KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
                         in_data, &checksum))) {
author	Sam Hartman <hartmans@mit.edu>
	Wed, 1 Apr 2009 18:25:02 +0000 (18:25 +0000)
committer	Sam Hartman <hartmans@mit.edu>
	Wed, 1 Apr 2009 18:25:02 +0000 (18:25 +0000)
doc/admin.texinfo		patch \| blob \| history
src/config-files/krb5.conf.M		patch \| blob \| history
src/lib/krb5/krb/mk_req_ext.c		patch \| blob \| history
src/lib/krb5/krb/send_tgs.c		patch \| blob \| history