From: Tom Yu Date: Thu, 9 Jun 2011 21:08:54 +0000 (+0000) Subject: pull up r24929 from trunk X-Git-Tag: krb5-1.9.2-beta1~19 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ae3f34ebcca28b009b47973af8d8a163cb9b891a;p=krb5.git pull up r24929 from trunk ------------------------------------------------------------------------ r24929 | ghudson | 2011-05-14 10:49:00 -0400 (Sat, 14 May 2011) | 11 lines ticket: 6912 subject: Use hmac-md5 checksum for PA-FOR-USER padata target_version: 1.9.2 tags: pullup The MS-S4U documentation specifies that hmac-md5 be used for PA-FOR-USER checksums; we were using the mandatory checksum type for the key. Although some other checksum types appear to be allowed by Active Directory KDCs, Richard Silverman reports that md5-des is not one of them, causing S4U2Self requests to fail for DES keys. ticket: 6912 version_fixed: 1.9.2 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24954 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index da6dd0c99..7c1b0e130 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -143,7 +143,6 @@ make_pa_for_user_checksum(krb5_context context, krb5_int32 name_type; char *p; krb5_data data; - krb5_cksumtype cksumtype; data.length = 4; for (i = 0; i < krb5_princ_size(context, req->user); i++) { @@ -175,13 +174,8 @@ make_pa_for_user_checksum(krb5_context context, memcpy(p, req->auth_package.data, req->auth_package.length); - code = krb5int_c_mandatory_cksumtype(context, key->enctype, &cksumtype); - if (code != 0) { - free(data.data); - return code; - } - - code = krb5_c_make_checksum(context, cksumtype, key, + /* Per spec, use hmac-md5 checksum regardless of key type. */ + code = krb5_c_make_checksum(context, CKSUMTYPE_HMAC_MD5_ARCFOUR, key, KRB5_KEYUSAGE_APP_DATA_CKSUM, &data, cksum);
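Review bot: In the second hunk of s4u_creds.c, the new comment "Per spec, use hmac-md5 checksum regardless of key type." does not say which specification it means. The commit message names the MS-S4U documentation, so the comment should too (for example "Per MS-S4U, use hmac-md5 ..."); otherwise a later reader may take the hard-coded type for an oversight and restore the krb5int_c_mandatory_cksumtype() lookup. The call also now passes CKSUMTYPE_HMAC_MD5_ARCFOUR together with a key of whatever enctype the caller holds. Since the reported failure involved DES keys, please confirm that krb5_c_make_checksum accepts this checksum type with non-RC4 keys, and add a test that builds PA-FOR-USER padata with a DES key and with an AES key. The removed error branch freed data.data before returning, and the lines after the krb5_c_make_checksum call are not visible in this hunk, so it is also worth checking that the remaining failure path still releases that buffer.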