Unfortunately, pre-1.7 krshd fails to support keyed checksums because

it uses the wrong API and wrong key usage.  So, if the auth_context
has an explicit checksum type set, then respect that.  kcmd sets such
a checksum type.  Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.

* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default  to md5
* mk_req_ext.c: allow auth_context to override

ticket: 1624

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 3 insertions, 1 deletions

diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 7e0159aa22..67dad8cb21 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -208,7 +208,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
 	ctx->kdc_req_sumtype = tmp;
 
 	profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
-			    KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
+			    KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
 			    &tmp);
 	ctx->default_ap_req_sumtype = tmp;
 
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 3f12763fd5..64eafe3628 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -210,6 +210,8 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
 						   &cksumtype);
 	    if (retval)
 		goto cleanup_cksum;
+	    if ((*auth_context)->req_cksumtype)
+		cksumtype = (*auth_context)->req_cksumtype;
 	    if ((retval = krb5_c_make_checksum(context, 
 					       cksumtype,
 					       (*auth_context)->keyblock,