force single-des session keys until we've got multiple-cryptosystem stuff working...
authorKen Raeburn <raeburn@mit.edu>
Wed, 1 Sep 1999 19:57:12 +0000 (19:57 +0000)
committerKen Raeburn <raeburn@mit.edu>
Wed, 1 Sep 1999 19:57:12 +0000 (19:57 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11761 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_util.c

index 20281392da8eac41ec102343d9de3a086475a278..980faf7c01885e5198f6d3026ad6e330686961f0 100644 (file)
@@ -1,3 +1,8 @@
+1999-09-01  Ken Raeburn  <raeburn@mit.edu>
+
+       * kdc_util.c (select_session_keytype): If none of the requested
+       ktypes are NULL or single-DES, force des-cbc-crc.
+
 1999-08-18  Tom Yu  <tlyu@mit.edu>
 
        * kerberos_v4.c (compat_decrypt_key): Align DES3 enctypes with
index 51d4d7807e6e6fcb928ab0e7186ef8031adcbe02..cb18e50288e92f992843f8a89f5216c550e0d414 100644 (file)
@@ -1389,15 +1389,39 @@ select_session_keytype(context, server, nktypes, ktype)
     krb5_enctype       *ktype;
 {
     int                i;
+    krb5_enctype dfl = 0;
     
     for (i = 0; i < nktypes; i++) {
        if (!valid_enctype(ktype[i]))
            continue;
 
-       if (dbentry_supports_enctype(context, server, ktype[i]))
-           return (ktype[i]);
+       if (dbentry_supports_enctype(context, server, ktype[i])) {
+           switch (ktype[i]) {
+           case ENCTYPE_NULL:
+           case ENCTYPE_DES_CBC_CRC:
+           case ENCTYPE_DES_CBC_MD4:
+           case ENCTYPE_DES_CBC_MD5:
+           case ENCTYPE_DES_CBC_RAW:
+           case ENCTYPE_DES_HMAC_SHA1:
+               return ktype[i];
+
+           default:
+               /* For now, too much of our code supports only
+                  single-DES.  For example, the GSSAPI Kerberos
+                  mechanism needs to be modified.  If someone tries
+                  using other key types, force single-DES for the
+                  session key.
+
+                  This weird way of setting it here is so that a
+                  requested single-DES enctype listed after DES3 can
+                  be used, and this fallback enctype will be used
+                  only if *no* single-DES enctypes were requested.  */
+               dfl = ENCTYPE_DES_CBC_CRC;
+               break;
+           }
+       }
     }
-    return 0;
+    return dfl;
 }
 
 /*
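Review bot: The `default:` branch sets `dfl = ENCTYPE_DES_CBC_CRC` without calling `dbentry_supports_enctype()` for that enctype, so the function can return a session key type that the server entry was only shown to support for some other, non-DES enctype, and that the client never listed in `ktype[]`. Guarding the assignment, `if (dbentry_supports_enctype(context, server, ENCTYPE_DES_CBC_CRC)) dfl = ENCTYPE_DES_CBC_CRC;`, keeps the result within what the server entry is known to handle. The fallback is also a silent downgrade from the requested enctype to single-DES, so the comment should state that this is a temporary security trade-off, and the KDC should log each time the fallback is taken so affected requests are visible. Separately, if `ENCTYPE_NULL` is defined as 0 (not visible here), `return ktype[i]` for that case is indistinguishable from the `dfl = 0` no-match result, which is worth confirming. The function's signature and leading parameter declarations are outside the hunk.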