From 20d1fbd114d8130a5b610eca8c13ffca429dd5bb Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 25 Oct 2001 20:25:32 +0000
Subject: [PATCH] * do_as_req.c (process_as_req: Treat SUPPORT_DESMD5 as if it were always cleared. * do_tgs_req.c (process_tgs_req): Treat SUPPORT_DESMD5 as if it were always cleared. * kdc_util.c (select_session_keytype): Don't issue session key enctype that is not in permitted_enctypes. (dbentry_supports_enctype): For now, always treat SUPPORT_DESMD5 as if it were cleared.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13857 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/ChangeLog | 15 +++++++++++++++
 src/kdc/do_as_req.c | 3 ---
 src/kdc/do_tgs_req.c | 3 ---
 src/kdc/kdc_util.c | 8 ++++++--
 4 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 77eed4abf..b411e1dc9 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,18 @@
+2001-10-25 Tom Yu
+
+ * do_as_req.c (process_as_req: Treat SUPPORT_DESMD5 as if it were
+ always cleared.
+
+ * do_tgs_req.c (process_tgs_req): Treat SUPPORT_DESMD5 as if it
+ were always cleared.
+
+2001-10-24 Tom Yu
+
+ * kdc_util.c (select_session_keytype): Don't issue session key
+ enctype that is not in permitted_enctypes.
+ (dbentry_supports_enctype): For now, always treat SUPPORT_DESMD5
+ as if it were cleared.
+
 2001-10-12 Tom Yu
 * kdc_util.c (ktypes2str, rep_etypes2str): Clean up somewhat.
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 32263d541..8ccada4c7 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -321,9 +321,6 @@ krb5_data **response; /* filled in with a response packet */
 status = "DECRYPT_SERVER_KEY";
 goto errout;
 }
- if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
- (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
- encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
 errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 2a1490255..2da823cbe 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -579,9 +579,6 @@ tgt_again:
 status = "DECRYPT_SERVER_KEY";
 goto cleanup;
 }
- if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
- (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
- encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
 errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
 krb5_free_keyblock_contents(kdc_context, &encrypting_key);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a5111f358..5c23e349a 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1419,13 +1419,14 @@ dbentry_supports_enctype(context, client, enctype)
 {
 /*
 * If it's DES_CBC_MD5, there's a bit in the attribute mask which
- * checks to see if we support it.
+ * checks to see if we support it. For now, treat it as always
+ * clear.
 *
 * In theory everything's supposed to support DES_CBC_MD5, but
 * that's not the reality....
 */
 if (enctype == ENCTYPE_DES_CBC_MD5)
- return isflagset(client->attributes, KRB5_KDB_SUPPORT_DESMD5);
+ return 0;
 /*
 * XXX we assume everything can understand DES_CBC_CRC
@@ -1458,6 +1459,9 @@ select_session_keytype(context, server, nktypes, ktype)
 if (!valid_enctype(ktype[i]))
 continue;
+ if (!krb5_is_permitted_enctype(context, ktype[i]))
+ continue;
+
 if (dbentry_supports_enctype(context, server, ktype[i]))
 return ktype[i];
 }
--
2.26.2
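Review bot: In the first kdc_util.c hunk, the new `return 0;` in dbentry_supports_enctype turns KRB5_KDB_SUPPORT_DESMD5 into a silent no-op, and the updated comment ("For now, treat it as always clear") gives neither the reason nor the condition under which the attribute test returns. The comment that follows in the hunk says DES_CBC_CRC is assumed to be understood by everything, so principals that advertised DES-MD5 presumably end up on the CRC variant; that is worth stating so operators are not surprised by the enctype they see. I would extend the comment with something like `* KRB5_KDB_SUPPORT_DESMD5 is deliberately ignored here (see <ChangeLog/ticket reference>); restore the isflagset() test once <condition>.` The function body continues outside the hunk, so whether `client` is still read elsewhere cannot be checked from here.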
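Review bot: In the second kdc_util.c hunk, the new `krb5_is_permitted_enctype` test in select_session_keytype drops a requested enctype without recording why, and a failure inside that call would presumably be indistinguishable from "not permitted". If every entry in ktype[] is filtered out, the caller sees only what the function returns after the loop, which is outside this hunk; please confirm callers treat that value as a hard failure and do not go on to issue a ticket with an unset session enctype. A one-line comment above the test would also document the policy: `/* Never issue a session key enctype that the KDC's permitted_enctypes excludes. */`.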