From e002ce18b764c4cfb9526f9ccb6fa3e159364b32 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Wed, 1 Sep 1999 19:57:12 +0000
Subject: [PATCH] force single-des session keys until we've got multiple-cryptosystem stuff working better

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11761 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/ChangeLog | 5 +++++
 src/kdc/kdc_util.c | 30 +++++++++++++++++++++++++++---
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 20281392d..980faf7c0 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,8 @@
+1999-09-01 Ken Raeburn
+
+ * kdc_util.c (select_session_keytype): If none of the requested
+ ktypes are NULL or single-DES, force des-cbc-crc.
+
 1999-08-18 Tom Yu
 * kerberos_v4.c (compat_decrypt_key): Align DES3 enctypes with
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 51d4d7807..cb18e5028 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1389,15 +1389,39 @@ select_session_keytype(context, server, nktypes, ktype)
 krb5_enctype *ktype;
 {
 int i;
+ krb5_enctype dfl = 0;
 for (i = 0; i < nktypes; i++) {
 if (!valid_enctype(ktype[i]))
 continue;
- if (dbentry_supports_enctype(context, server, ktype[i]))
- return (ktype[i]);
+ if (dbentry_supports_enctype(context, server, ktype[i])) {
+ switch (ktype[i]) {
+ case ENCTYPE_NULL:
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_RAW:
+ case ENCTYPE_DES_HMAC_SHA1:
+ return ktype[i];
+
+ default:
+ /* For now, too much of our code supports only
+ single-DES. For example, the GSSAPI Kerberos
+ mechanism needs to be modified. If someone tries
+ using other key types, force single-DES for the
+ session key.
+
+ This weird way of setting it here is so that a
+ requested single-DES enctype listed after DES3 can
+ be used, and this fallback enctype will be used
+ only if *no* single-DES enctypes were requested. */
+ dfl = ENCTYPE_DES_CBC_CRC;
+ break;
+ }
+ }
 }
- return 0;
+ return dfl;
 }
 /*
-- 
2.26.2
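Review bot: The `default:` branch sets `dfl = ENCTYPE_DES_CBC_CRC` without checking that the server entry supports that enctype or that the client listed it, so a client that asked only for a stronger enctype such as DES3 is silently given a single-DES session key it never requested. Guard the fallback, e.g. `if (dbentry_supports_enctype(context, server, ENCTYPE_DES_CBC_CRC)) dfl = ENCTYPE_DES_CBC_CRC;`, and consider logging when the override happens so the downgrade is visible to operators. Separately, if `ENCTYPE_NULL` is 0 (its value is not shown in this hunk), the `return ktype[i]` for that case is indistinguishable from the "nothing usable" result of `return dfl`, and a null session enctype probably should not be selectable at all. The start of select_session_keytype, including its earlier parameter declarations, lies outside the hunk.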