From: Sam Hartman Date: Wed, 1 Apr 2009 18:25:02 +0000 (+0000) Subject: Use the preferred checksum for non-DES keys in the kdc_req path and X-Git-Tag: krb5-1.8-alpha1~573 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=56108ac2b7c7b747951614b9da99a5df1d57be6d;p=krb5.git Use the preferred checksum for non-DES keys in the kdc_req path and all the time in the ap_req checksum path. This breaks code to support DCE versions prior to 1.1 but uses the correct checksum for protocol compatibility. ticket: 1624 Target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22154 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 8f5e69e8f..f106e2e34 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -462,7 +462,8 @@ Kerberos library. The default is @value{DefaultKDCTimesync}. An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default @value{DefaultChecksumType} used by this version of Kerberos. -The possible values and their meanings are as follows. +Note that the ap_req_checksum_type variable's value is ignored. The +kdc_req_checksum_type is only used for DES keys. The possible values and their meanings are as follows. @comment taken from krb5/src/include/krb5.h[in] @table @b diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 9115e32c9..10b1792e8 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M 
@@ -143,15 +143,11 @@ clock. This corrective factor is only used by the Kerberos library. For compatability with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and -earlier. +earlier. This value is only used for DES keys; other keys use the +preferred checksum type for those keys. .IP ap_req_checksum_type -This allows you to set the checksum type used in the authenticator of -KRB_AP_REQ messages. The default value for this type is -CKSUMTYPE_RSA_MD5. For compatibility with applications linked against -DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use -the CKSUMTYPE_RSA_MD4 -instead. +This obsolete variable is not used. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 2cf1ddf13..3f12763fd 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -205,8 +205,13 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; if ((retval = krb5_c_make_checksum(context, - (*auth_context)->req_cksumtype, + cksumtype, (*auth_context)->keyblock, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 66a2422ea..73980f2cf 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c 
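Review bot: The new checksum call in mk_req_ext.c no longer consults the auth context's `req_cksumtype` (the removed argument), but nothing at the call site records that this is intentional, so a reader who finds the setter for that field or the ap_req_checksum_type profile variable will assume the value still matters. I would add above the `krb5int_c_mandatory_cksumtype` call: `/* Always use the enctype's mandatory checksum here; the auth context's req_cksumtype is intentionally not consulted (see krb5.conf ap_req_checksum_type). */`. The added `goto cleanup_cksum` runs before `checksum` has been populated; it appears to be the same label the `krb5_c_make_checksum` failure path already uses, so it should be safe as long as that label does not free `checksum.contents` unconditionally, which is worth confirming since the label is outside the hunk. The enclosing function `krb5_mk_req_extended` starts and ends outside the hunk.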
@@ -51,6 +51,7 @@ static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { + krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; krb5_authenticator authent; @@ -63,9 +64,20 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; - + switch (in_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + cksumtype = context->kdc_req_sumtype; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; + } + /* Generate checksum */ - if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, + if ((retval = krb5_c_make_checksum(context, cksumtype, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) {
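Review bot: The `switch` in tgs_construct_tgsreq keeps `context->kdc_req_sumtype` only for the three DES enctypes while every other enctype gets its mandatory checksum, and the code does not say why DES is special; since the man-page hunk describes kdc_req_checksum_type as an unkeyed RSA_MD4/RSA_MD5 compatibility setting, a comment before the `switch` would make the security trade-off explicit: `/* DES keys keep the configurable kdc_req_checksum_type (possibly an unkeyed type) for DCE compatibility; every other enctype uses its mandatory checksum. */`. The new `goto cleanup` in the `default:` branch fires before `krb5_c_make_checksum` has populated `checksum`, and the first hunk declares `krb5_checksum checksum;` without an initializer, so if the `cleanup` label (outside the hunk) frees `checksum.contents`, the function must set `checksum.contents = NULL` in the lines between the two hunks, which are not shown; please confirm. The enclosing function starts before the second hunk and continues past its last line.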