From: Sam Hartman Date: Fri, 3 Apr 2009 03:33:01 +0000 (+0000) Subject: Unfortunately, pre-1.7 krshd fails to support keyed checksums because X-Git-Tag: krb5-1.8-alpha1~571 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6d48a7deaeed3dcb5dce55d8e9730c47512a904e;p=krb5.git Unfortunately, pre-1.7 krshd fails to support keyed checksums because it uses the wrong API and wrong key usage. So, if the auth_context has an explicit checksum type set, then respect that. kcmd sets such a checksum type. Also, because other applications may have the same problem, allow the config file variable if set to override the default checksum. * kcmd.c: Force use of rsa_md5 * init_ctx.c: do not default to md5 * mk_req_ext.c: allow auth_context to override ticket: 1624 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/admin.texinfo b/doc/admin.texinfo index f106e2e34..9a1983757 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -462,8 +462,8 @@ Kerberos library. The default is @value{DefaultKDCTimesync}. An integer which specifies the type of checksum to use. Used for compatability with DCE security servers which do not support the default @value{DefaultChecksumType} used by this version of Kerberos. -Note that the ap_req_checksum_type variable's value is ignored. The -kdc_req_checksum_type is only used for DES keys. The possible values and their meanings are as follows. +The +kdc_req_checksum_type is only used for DES keys. The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset. If set, then the selected checksum is used regardless of the type of key being used. The possible values and their meanings are as follows. @comment taken from krb5/src/include/krb5.h[in] @table @b diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c index c4212b302..199056944 100644 --- a/src/appl/bsd/kcmd.c +++ b/src/appl/bsd/kcmd.c @@ -473,6 +473,8 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, if (krb5_auth_con_init(bsd_context, &auth_context)) goto bad2; + if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 ) + goto bad2; if (krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2; diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 10b1792e8..2f2fbb239 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -147,7 +147,7 @@ earlier. This value is only used for DES keys; other keys use the preferred checksum type for those keys. .IP ap_req_checksum_type -This obsolete variable is not used. +If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 7e0159aa2..67dad8cb2 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -208,7 +208,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) ctx->kdc_req_sumtype = tmp; profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, - KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5, + KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0, &tmp); ctx->default_ap_req_sumtype = tmp; diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 3f12763fd..64eafe362 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -210,6 +210,8 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, &cksumtype); if (retval) goto cleanup_cksum; + if ((*auth_context)->req_cksumtype) + cksumtype = (*auth_context)->req_cksumtype; if ((retval = krb5_c_make_checksum(context, cksumtype, (*auth_context)->keyblock,