pull up r24929 from trunk
author Tom Yu <tlyu@mit.edu>
Thu, 9 Jun 2011 21:08:54 +0000 (21:08 +0000)
committer Tom Yu <tlyu@mit.edu>
Thu, 9 Jun 2011 21:08:54 +0000 (21:08 +0000)
 ------------------------------------------------------------------------
 r24929 | ghudson | 2011-05-14 10:49:00 -0400 (Sat, 14 May 2011) | 11 lines

 ticket: 6912
 subject: Use hmac-md5 checksum for PA-FOR-USER padata
 target_version: 1.9.2
 tags: pullup

 The MS-S4U documentation specifies that hmac-md5 be used for
 PA-FOR-USER checksums; we were using the mandatory checksum type for
 the key.  Although some other checksum types appear to be allowed by
 Active Directory KDCs, Richard Silverman reports that md5-des is not
 one of them, causing S4U2Self requests to fail for DES keys.

ticket: 6912
version_fixed: 1.9.2
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24954 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/s4u_creds.c

index da6dd0c99045fd114cd942d5b85816f58e61d6ea..7c1b0e130f33941a9c9e22c8e963b1535678f2b3 100644 (file)
@@ -143,7 +143,6 @@ make_pa_for_user_checksum(krb5_context context,
     krb5_int32 name_type;
     char *p;
     krb5_data data;
-    krb5_cksumtype cksumtype;
 
     data.length = 4;
     for (i = 0; i < krb5_princ_size(context, req->user); i++) {
@@ -175,13 +174,8 @@ make_pa_for_user_checksum(krb5_context context,
 
     memcpy(p, req->auth_package.data, req->auth_package.length);
 
-    code = krb5int_c_mandatory_cksumtype(context, key->enctype, &cksumtype);
-    if (code != 0) {
-        free(data.data);
-        return code;
-    }
-
-    code = krb5_c_make_checksum(context, cksumtype, key,
+    /* Per spec, use hmac-md5 checksum regardless of key type. */
+    code = krb5_c_make_checksum(context, CKSUMTYPE_HMAC_MD5_ARCFOUR, key,
                                 KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
                                 cksum);
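
Review bot: the new krb5_c_make_checksum call passes key with CKSUMTYPE_HMAC_MD5_ARCFOUR whatever its enctype, so it fixes the DES case from the commit message only if the checksum layer accepts hmac-md5 with non-RC4 keys. Please confirm that, and add a test that builds a PA-FOR-USER checksum with a DES key. The comment "Per spec" should name the spec (the commit message cites the MS-S4U documentation) so a later reader does not restore the mandatory-checksum lookup. If the tree verifies PA-FOR-USER checksums anywhere else, that path needs the same fixed type, since this patch touches only make_pa_for_user_checksum.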