-rw-r--r-- | src/kdc/ChangeLog | 15 | ||||
-rw-r--r-- | src/kdc/do_as_req.c | 3 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 3 | ||||
-rw-r--r-- | src/kdc/kdc_util.c | 8 |
4 files changed, 21 insertions, 8 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 77eed4abf2..b411e1dc94 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,18 @@ +2001-10-25 Tom Yu <tlyu@mit.edu> + + * do_as_req.c (process_as_req: Treat SUPPORT_DESMD5 as if it were + always cleared. + + * do_tgs_req.c (process_tgs_req): Treat SUPPORT_DESMD5 as if it + were always cleared. + +2001-10-24 Tom Yu <tlyu@mit.edu> + + * kdc_util.c (select_session_keytype): Don't issue session key + enctype that is not in permitted_enctypes. + (dbentry_supports_enctype): For now, always treat SUPPORT_DESMD5 + as if it were cleared. + 2001-10-12 Tom Yu <tlyu@mit.edu> * kdc_util.c (ktypes2str, rep_etypes2str): Clean up somewhat. diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 32263d541a..8ccada4c70 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -321,9 +321,6 @@ krb5_data **response; /* filled in with a response packet */ status = "DECRYPT_SERVER_KEY"; goto errout; } - if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) && - (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5))) - encrypting_key.enctype = ENCTYPE_DES_CBC_MD5; errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply); krb5_free_keyblock_contents(kdc_context, &encrypting_key); diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 2a1490255b..2da823cbe1 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -579,9 +579,6 @@ tgt_again: status = "DECRYPT_SERVER_KEY"; goto cleanup; } - if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) && - (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5))) - encrypting_key.enctype = ENCTYPE_DES_CBC_MD5; errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply); krb5_free_keyblock_contents(kdc_context, &encrypting_key); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a5111f358a..5c23e349ab 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c 
@@ -1419,13 +1419,14 @@ dbentry_supports_enctype(context, client, enctype) { /* * If it's DES_CBC_MD5, there's a bit in the attribute mask which - * checks to see if we support it. + * checks to see if we support it. For now, treat it as always + * clear. * * In theory everything's supposed to support DES_CBC_MD5, but * that's not the reality.... */ if (enctype == ENCTYPE_DES_CBC_MD5) - return isflagset(client->attributes, KRB5_KDB_SUPPORT_DESMD5); + return 0; /* * XXX we assume everything can understand DES_CBC_CRC @@ -1458,6 +1459,9 @@ select_session_keytype(context, server, nktypes, ktype) if (!valid_enctype(ktype[i])) continue; + if (!krb5_is_permitted_enctype(context, ktype[i])) + continue; + if (dbentry_supports_enctype(context, server, ktype[i])) return ktype[i]; } |
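Review bot: In dbentry_supports_enctype the new `return 0;` for ENCTYPE_DES_CBC_MD5 leaves KRB5_KDB_SUPPORT_DESMD5 with no effect, yet the comment above it still opens by saying the attribute bit decides support, and "For now" gives neither the reason nor the condition for restoring the check. Together with the blocks deleted from do_as_req.c and do_tgs_req.c, a principal that has the attribute set now keeps a ticket-encrypting key labelled DES_CBC_CRC instead of being switched to DES_CBC_MD5, and nothing in these hunks tells an operator that the flag is ignored. I would replace the first comment paragraph with `/* KRB5_KDB_SUPPORT_DESMD5 is deliberately ignored here: DES_CBC_MD5 is never reported as supported, whatever the entry's attributes say. */` plus one line giving the reason. The function body continues past the end of the hunk.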
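Review bot: The added `krb5_is_permitted_enctype` test in select_session_keytype's loop makes the permitted list the only floor on session-key strength, because the loop still returns the first entry of `ktype` that passes, in the order the caller supplied rather than by strength. If `ktype` is the requester's etype list (likely, but not visible in this hunk), the selection follows the requester's preference among permitted enctypes, so the configured permitted_enctypes must itself exclude anything the realm should not issue. A comment on the new check would make that explicit, e.g. `/* Policy gate: the requested order only chooses among enctypes the KDC permits. */`. The fall-through when every entry is skipped lies outside the hunk; callers need to treat that result as "no acceptable enctype" rather than use it as a key type.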