+2004-02-24 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * krb5.hin: Remove des3 with 32-bit length
+
2004-01-04 Jeffrey Altman <jaltman@mit.edu>
* win-mac.h: conditionally define strcasecmp/strncasecmp macros
#define ENCTYPE_ARCFOUR_HMAC 0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
#define ENCTYPE_UNKNOWN 0x01ff
-/* local crud */
-/* marc's DES-3 with 32-bit length */
-#define ENCTYPE_LOCAL_DES3_HMAC_SHA1 0x7007
#define CKSUMTYPE_CRC32 0x0001
#define CKSUMTYPE_RSA_MD4 0x0002
(krb5_get_init_creds_opt *opt,
krb5_data *salt);
+
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password
(krb5_context context,
+2004-02-24 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * kerberos_v4.c (compat_decrypt_key): As below.
+
+ * kdc_preauth.c (enctype_requires_etype_info_2): As below.
+
+ * main.c (initialize_realms): Remove support for marc 3des with length
+
2004-02-24 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (OBJS, krb5kdc, fakeka): Link against apputils lib
case ENCTYPE_DES3_CBC_RAW:
case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP :
- case ENCTYPE_LOCAL_DES3_HMAC_SHA1:
return 0;
default:
if (krb5_c_valid_enctype(enctype))
retval = -1;
} else {
/* KLUDGE! If it's a non-raw des3 key, bash its enctype */
- if (out5->enctype == ENCTYPE_DES3_CBC_SHA1 ||
- out5->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1)
+ if (out5->enctype == ENCTYPE_DES3_CBC_SHA1 )
out5->enctype = ENCTYPE_DES3_CBC_RAW;
}
}
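Review bot: The rewritten condition `if (out5->enctype == ENCTYPE_DES3_CBC_SHA1 )` keeps a stray space before the closing parenthesis, a leftover from deleting the second disjunct; the same leftover appears in the rd_svc_key.c hunk at `if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1 )`. Suggest `if (out5->enctype == ENCTYPE_DES3_CBC_SHA1)` here and `if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1)` there so the two "bash its enctype" sites stay textually identical, which makes the cross-reference comment in rd_svc_key.c ("See kdc/kerberos_v4.c") easier to verify. The enclosing function compat_decrypt_key starts before this hunk.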
if (krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_RAW,
-1, kvno, &pkey) &&
- krb5_dbe_find_enctype(kdc_context, &entries,
- ENCTYPE_LOCAL_DES3_HMAC_SHA1,
- -1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_SHA1,
-1, kvno, &pkey) &&
char *v4mode = 0;
#endif
extern char *optarg;
-#ifdef ATHENA_DES3_KLUDGE
- extern struct krb5_keytypes krb5_enctypes_list[];
- extern int krb5_enctypes_length;
-#endif
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
hierarchy[0] = "kdcdefaults";
enable_v4_crossrealm(argv[0]);
#endif
break;
- case '3':
-#ifdef ATHENA_DES3_KLUDGE
- if (krb5_enctypes_list[krb5_enctypes_length-1].etype
- != ENCTYPE_LOCAL_DES3_HMAC_SHA1) {
- fprintf(stderr,
- "internal inconsistency in enctypes_list"
- " while disabling\n"
- "des3-marc-hmac-sha1 enctype\n");
- exit(1);
- }
- krb5_enctypes_length--;
- break;
-#endif
case '?':
default:
usage(argv[0]);
+2004-02-24 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * etypes.c: Remove ENCTYPE_LOCAL_DES3_HMAC_SHA1
+
2004-02-18 Ken Raeburn <raeburn@mit.edu>
* block_size.c, checksum_length.c, cksumtype_to_string.c,
+2004-02-24 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * dk.h: As below.
+
+ * checksum.c dk_decrypt.c dk_encrypt.c: Remove ENCTYPE_LOCAL_DES3_HMAC_SHA1
+
2004-02-18 Ken Raeburn <raeburn@mit.edu>
* checksum.c, derive.c, dk_decrypt.c, dk_encrypt.c: Use ANSI C
return(ret);
}
-#ifdef ATHENA_DES3_KLUDGE
-krb5_error_code
-krb5_marc_dk_make_checksum(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
- const krb5_data *input, krb5_data *output)
-{
- int i;
- struct krb5_enc_provider *enc;
- size_t blocksize, keybytes, keylength;
- krb5_error_code ret;
- unsigned char constantdata[K5CLENGTH];
- krb5_data datain[2];
- unsigned char *kcdata;
- krb5_keyblock kc;
-
- for (i=0; i<krb5_enctypes_length; i++) {
- if (krb5_enctypes_list[i].etype == key->enctype)
- break;
- }
-
- if (i == krb5_enctypes_length)
- return(KRB5_BAD_ENCTYPE);
-
- enc = krb5_enctypes_list[i].enc;
-
- /* allocate and set to-be-derived keys */
-
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
- keylength = enc->keylength;
-
- /* key->length will be tested in enc->encrypt
- output->length will be tested in krb5_hmac */
-
- if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
- return(ENOMEM);
-
- kc.contents = kcdata;
- kc.length = keylength;
-
- /* derive the key */
-
- datain[0].data = constantdata;
- datain[0].length = K5CLENGTH;
-
- datain[0].data[0] = (usage>>24)&0xff;
- datain[0].data[1] = (usage>>16)&0xff;
- datain[0].data[2] = (usage>>8)&0xff;
- datain[0].data[3] = usage&0xff;
-
- datain[0].data[4] = 0x99;
-
- if ((ret = krb5_derive_key(enc, key, &kc, &datain[0])) != 0)
- goto cleanup;
-
- /* hash the data */
-
- datain[0].length = 4;
- datain[0].data[0] = (input->length>>24)&0xff;
- datain[0].data[1] = (input->length>>16)&0xff;
- datain[0].data[2] = (input->length>>8)&0xff;
- datain[0].data[3] = input->length&0xff;
-
- datain[1] = *input;
-
- if ((ret = krb5_hmac(hash, &kc, 2, datain, output)) != 0)
- memset(output->data, 0, output->length);
-
- /* ret is set correctly by the prior call */
-
-cleanup:
- memset(kcdata, 0, keylength);
-
- free(kcdata);
-
- return(ret);
-}
-#endif /* ATHENA_DES3_KLUDGE */
const krb5_keyblock *key, krb5_keyusage usage,
const krb5_data *input, krb5_data *output);
-#ifdef ATHENA_DES3_KLUDGE
-void krb5_marc_dk_encrypt_length
-(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t input, size_t *length);
-
-krb5_error_code krb5_marc_dk_encrypt
-(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
- const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
-
-krb5_error_code krb5_marc_dk_decrypt
-(const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *arg_output);
-
-krb5_error_code krb5_marc_dk_make_checksum
-(const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage usage,
- const krb5_data *input, krb5_data *output);
-#endif /* ATHENA_DES3_KLUDGE */
return(ret);
}
-#ifdef ATHENA_DES3_KLUDGE
-krb5_error_code
-krb5_marc_dk_decrypt(enc, hash, key, usage, ivec, input, output)
- const struct krb5_enc_provider *enc;
- const struct krb5_hash_provider *hash;
- const krb5_keyblock *key;
- krb5_keyusage usage;
- const krb5_data *ivec;
- const krb5_data *input;
- krb5_data *output;
-{
- krb5_error_code ret;
- size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
- unsigned char *plaindata, *kedata, *kidata, *cksum, *cn;
- krb5_keyblock ke, ki;
- krb5_data d1, d2;
- unsigned char constantdata[K5CLENGTH];
-
- /* allocate and set up ciphertext and to-be-derived keys */
-
- hashsize = hash->hashsize;
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
- keylength = enc->keylength;
-
- enclen = input->length - hashsize;
-
- if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
- return(ENOMEM);
- if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
- free(kedata);
- return(ENOMEM);
- }
- if ((plaindata = (unsigned char *) malloc(enclen)) == NULL) {
- free(kidata);
- free(kedata);
- return(ENOMEM);
- }
- if ((cksum = (unsigned char *) malloc(hashsize)) == NULL) {
- free(plaindata);
- free(kidata);
- free(kedata);
- return(ENOMEM);
- }
-
- ke.contents = kedata;
- ke.length = keylength;
- ki.contents = kidata;
- ki.length = keylength;
-
- /* derive the keys */
-
- d1.data = constantdata;
- d1.length = K5CLENGTH;
-
- d1.data[0] = (usage>>24)&0xff;
- d1.data[1] = (usage>>16)&0xff;
- d1.data[2] = (usage>>8)&0xff;
- d1.data[3] = usage&0xff;
-
- d1.data[4] = 0xAA;
-
- if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0)
- goto cleanup;
-
- d1.data[4] = 0x55;
-
- if ((ret = krb5_derive_key(enc, key, &ki, &d1)) != 0)
- goto cleanup;
-
- /* decrypt the ciphertext */
-
- d1.length = enclen;
- d1.data = input->data;
-
- d2.length = enclen;
- d2.data = plaindata;
-
- if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0)
- goto cleanup;
-
- if (ivec != NULL && ivec->length == blocksize)
- cn = d1.data + d1.length - blocksize;
- else
- cn = NULL;
-
- /* verify the hash */
-
- d1.length = hashsize;
- d1.data = cksum;
-
- if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0)
- goto cleanup;
-
- if (memcmp(cksum, input->data+enclen, hashsize) != 0) {
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
- /* because this encoding isn't self-describing wrt length, the
- best we can do here is to compute the length minus the
- confounder. */
-
- /* get the real plaintext length and copy the data into the output */
-
- plainlen = ((((plaindata+blocksize)[0])<<24) |
- (((plaindata+blocksize)[1])<<16) |
- (((plaindata+blocksize)[2])<<8) |
- ((plaindata+blocksize)[3]));
-
- if (plainlen > (enclen - blocksize - 4))
- return(KRB5_BAD_MSIZE);
-
- if (output->length < plainlen)
- return(KRB5_BAD_MSIZE);
-
- output->length = plainlen;
-
- memcpy(output->data, d2.data+4+blocksize, output->length);
-
- if (cn != NULL)
- memcpy(ivec->data, cn, blocksize);
-
- ret = 0;
-
-cleanup:
- memset(kedata, 0, keylength);
- memset(kidata, 0, keylength);
- memset(plaindata, 0, enclen);
- memset(cksum, 0, hashsize);
-
- free(cksum);
- free(plaindata);
- free(kidata);
- free(kedata);
-
- return(ret);
-}
-#endif /* ATHENA_DES3_KLUDGE */
return(ret);
}
-#ifdef ATHENA_DES3_KLUDGE
-void
-krb5_marc_dk_encrypt_length(enc, hash, inputlen, length)
- const struct krb5_enc_provider *enc;
- const struct krb5_hash_provider *hash;
- size_t inputlen;
- size_t *length;
-{
- size_t blocksize, hashsize;
-
- blocksize = enc->block_size;
- hashsize = hash->hashsize;
- *length = krb5_roundup(blocksize+4+inputlen, blocksize) + hashsize;
-}
-
-krb5_error_code
-krb5_marc_dk_encrypt(enc, hash, key, usage, ivec, input, output)
- const struct krb5_enc_provider *enc;
- const struct krb5_hash_provider *hash;
- const krb5_keyblock *key;
- krb5_keyusage usage;
- const krb5_data *ivec;
- const krb5_data *input;
- krb5_data *output;
-{
- size_t blocksize, keybytes, keylength, plainlen, enclen;
- krb5_error_code ret;
- unsigned char constantdata[K5CLENGTH];
- krb5_data d1, d2;
- unsigned char *plaintext, *kedata, *kidata, *cn;
- krb5_keyblock ke, ki;
-
- /* allocate and set up plaintext and to-be-derived keys */
-
- blocksize = enc->block_size;
- keybytes = enc->keybytes;
- keylength = enc->keylength;
- plainlen = krb5_roundup(blocksize+4+input->length, blocksize);
-
- krb5_marc_dk_encrypt_length(enc, hash, input->length, &enclen);
-
- /* key->length, ivec will be tested in enc->encrypt */
-
- if (output->length < enclen)
- return(KRB5_BAD_MSIZE);
-
- if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
- return(ENOMEM);
- if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
- free(kedata);
- return(ENOMEM);
- }
- if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
- free(kidata);
- free(kedata);
- return(ENOMEM);
- }
-
- ke.contents = kedata;
- ke.length = keylength;
- ki.contents = kidata;
- ki.length = keylength;
-
- /* derive the keys */
-
- d1.data = constantdata;
- d1.length = K5CLENGTH;
-
- d1.data[0] = (usage>>24)&0xff;
- d1.data[1] = (usage>>16)&0xff;
- d1.data[2] = (usage>>8)&0xff;
- d1.data[3] = usage&0xff;
-
- d1.data[4] = 0xAA;
-
- if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
- goto cleanup;
-
- d1.data[4] = 0x55;
-
- if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
- goto cleanup;
-
- /* put together the plaintext */
-
- d1.length = blocksize;
- d1.data = plaintext;
-
- if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
- goto cleanup;
-
- (plaintext+blocksize)[0] = (input->length>>24)&0xff;
- (plaintext+blocksize)[1] = (input->length>>16)&0xff;
- (plaintext+blocksize)[2] = (input->length>>8)&0xff;
- (plaintext+blocksize)[3] = input->length&0xff;
-
- memcpy(plaintext+blocksize+4, input->data, input->length);
-
- memset(plaintext+blocksize+4+input->length, 0,
- plainlen - (blocksize+4+input->length));
-
- /* encrypt the plaintext */
-
- d1.length = plainlen;
- d1.data = plaintext;
-
- d2.length = plainlen;
- d2.data = output->data;
-
- if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
- goto cleanup;
-
- if (ivec != NULL && ivec->length == blocksize)
- cn = d2.data + d2.length - blocksize;
- else
- cn = NULL;
-
- /* hash the plaintext */
-
- d2.length = enclen - plainlen;
- d2.data = output->data+plainlen;
-
- output->length = enclen;
-
- if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2))) {
- memset(d2.data, 0, d2.length);
- goto cleanup;
- }
-
- /* update ivec */
- if (cn != NULL)
- memcpy(ivec->data, cn, blocksize);
-
- /* ret is set correctly by the prior call */
-
-cleanup:
- memset(kedata, 0, keylength);
- memset(kidata, 0, keylength);
- memset(plaintext, 0, plainlen);
-
- free(plaintext);
- free(kidata);
- free(kedata);
-
- return(ret);
-}
-#endif /* ATHENA_DES3_KLUDGE */
&krb5int_enc_aes256, &krb5int_hash_sha1,
krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt,
krb5int_aes_string_to_key, CKSUMTYPE_HMAC_SHA1_96_AES256 },
-
-#ifdef ATHENA_DES3_KLUDGE
- /*
- * If you are using this, you're almost certainly doing the
- * Wrong Thing.
- */
- { ENCTYPE_LOCAL_DES3_HMAC_SHA1,
- "des3-marc-hmac-sha1",
- "Triple DES with HMAC/sha1 and 32-bit length code",
- &krb5int_enc_des3, &krb5int_hash_sha1,
- krb5_marc_dk_encrypt_length, krb5_marc_dk_encrypt, krb5_marc_dk_decrypt,
- krb5int_dk_string_to_key, CKSUMTYPE_HMAC_SHA1_DES3 },
-#endif
};
const int krb5_enctypes_length =
ret = (*(krb5_cksumtypes_list[i].keyhash->hash))(key, usage, 0, input, &data);
} else if (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE) {
- /* any key is ok */
-#ifdef ATHENA_DES3_KLUDGE
- /*
- * XXX Punt on actually using krb5_marc_dk_make_checksum
- * for now because we never actually use a DES3 session key
- * anywhere on Athena, and this is temporary anyway.
- * In any case, it's way too hairy to actually make this work
- * properly.
- */
-#endif
ret = krb5_dk_make_checksum(krb5_cksumtypes_list[i].hash,
key, usage, input, &data);
} else {
+2004-02-24 Sam Hartman <hartmans@avalanche-breakdown.mit.edu>
+
+ * rd_svc_key.c (krb54_get_service_keyblock): Remove ENCTYPE_LOCAL_DES3_HMAC_SHA1
+
2003-12-11 Sam Hartman <hartmans@mit.edu>
* rd_req.c (krb_rd_req_with_key): Note that the expiration difference between krb5 and krb4 is important
/* Bash types */
/* KLUDGE! If it's a non-raw des3 key, bash its enctype */
/* See kdc/kerberos_v4.c */
- if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1 ||
- keyblock->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1)
+ if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1 )
keyblock->enctype = ENCTYPE_DES3_CBC_RAW;
krb5_kt_free_entry(krb5__krb4_context, &kt_entry);