projects / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: d44144b)
Unfortunately, pre-1.7 krshd fails to support keyed checksums because
authorSam Hartman <hartmans@mit.edu>
Fri, 3 Apr 2009 03:33:01 +0000 (03:33 +0000)
committerSam Hartman <hartmans@mit.edu>
Fri, 3 Apr 2009 03:33:01 +0000 (03:33 +0000)
it uses the wrong API and wrong key usage.  So, if the auth_context
has an explicit checksum type set, then respect that.  kcmd sets such
a checksum type.  Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.

* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default  to md5
* mk_req_ext.c: allow auth_context to override

ticket: 1624

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970

doc/admin.texinfo patch | blob | history
src/appl/bsd/kcmd.c patch | blob | history
src/config-files/krb5.conf.M patch | blob | history
src/lib/krb5/krb/init_ctx.c patch | blob | history
src/lib/krb5/krb/mk_req_ext.c patch | blob | history

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index f106e2e347a0a71ab43e05df2ca0d0e554d0acb4..9a198375766d7ad8e211df68b81aeec62ebc0e0b 100644 (file)
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -462,8 +462,8 @@ Kerberos library.  The default is @value{DefaultKDCTimesync}.
 An integer which specifies the type of checksum to use.  Used for
 compatability with DCE security servers which do not support the
 default @value{DefaultChecksumType} used by this version of Kerberos.
-Note that the ap_req_checksum_type variable's value is ignored.  The
-kdc_req_checksum_type is only used for DES keys.   The possible values and their meanings are as follows.
+The
+kdc_req_checksum_type is only used for DES keys.   The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset.  If set, then the selected checksum is used regardless of the type of key being used.  The possible values and their meanings are as follows.
 
 @comment taken from krb5/src/include/krb5.h[in]
 @table @b
diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c
index c4212b302fc8ef210675e5640b6b934ec3591c4b..1990569446b2f00ba44ae377f4810f735d34527e 100644 (file)
--- a/src/appl/bsd/kcmd.c
+++ b/src/appl/bsd/kcmd.c
@@ -473,6 +473,8 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
     if (krb5_auth_con_init(bsd_context, &auth_context)) 
        goto bad2;
 
+    if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 )
+       goto bad2;
     if (krb5_auth_con_setflags(bsd_context, auth_context, 
                               KRB5_AUTH_CONTEXT_RET_TIME))
        goto bad2;
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index 10b1792e874dfc4c58be6c84660fe60acc2ca6ce..2f2fbb23922daeac48169a2dcb44ea48a7c5cf87 100644 (file)
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -147,7 +147,7 @@ earlier.  This value is only used for DES keys; other keys use the
 preferred checksum type for those keys.
 
 .IP ap_req_checksum_type 
-This obsolete variable is not used.
+If set  this variable  controls what ap-req checksum will be used in  authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used.   This can be set if backward compatibility requires a specific checksum type.
 
 .IP safe_checksum_type 
 This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 7e0159aa22433b3930a573ed9bac72bb736aea23..67dad8cb21d70ae56caa921727c746e2bd35e2fd 100644 (file)
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -208,7 +208,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
        ctx->kdc_req_sumtype = tmp;
 
        profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
-                           KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
+                           KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
                            &tmp);
        ctx->default_ap_req_sumtype = tmp;
 
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 3f12763fd50f1af5662781f57551fb8f6ab437aa..64eafe3628503361a9ea9b8843cbe02d572a7aeb 100644 (file)
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -210,6 +210,8 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
                                                   &cksumtype);
            if (retval)
                goto cleanup_cksum;
+           if ((*auth_context)->req_cksumtype)
+               cksumtype = (*auth_context)->req_cksumtype;
            if ((retval = krb5_c_make_checksum(context, 
                                               cksumtype,
                                               (*auth_context)->keyblock,
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.