-rw-r--r--doc/admin.texinfo3
-rw-r--r--src/config-files/krb5.conf.M10
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c7
-rw-r--r--src/lib/krb5/krb/send_tgs.c16
4 files changed, 25 insertions, 11 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 8f5e69e8fe..f106e2e347 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -462,7 +462,8 @@ Kerberos library. The default is @value{DefaultKDCTimesync}.
An integer which specifies the type of checksum to use. Used for
compatability with DCE security servers which do not support the
default @value{DefaultChecksumType} used by this version of Kerberos.
-The possible values and their meanings are as follows.
+Note that the ap_req_checksum_type variable's value is ignored. The
+kdc_req_checksum_type is only used for DES keys. The possible values and their meanings are as follows.
@comment taken from krb5/src/include/krb5.h[in]
@table @b
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index 9115e32c91..10b1792e87 100644
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -143,15 +143,11 @@ clock. This corrective factor is only used by the Kerberos library.
For compatability with DCE security servers which do not support the
default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value
of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and
-earlier.
+earlier. This value is only used for DES keys; other keys use the
+preferred checksum type for those keys.
.IP ap_req_checksum_type
-This allows you to set the checksum type used in the authenticator of
-KRB_AP_REQ messages. The default value for this type is
-CKSUMTYPE_RSA_MD5. For compatibility with applications linked against
-DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use
-the CKSUMTYPE_RSA_MD4
-instead.
+This obsolete variable is not used.
.IP safe_checksum_type
This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 2cf1ddf13b..3f12763fd5 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -205,8 +205,13 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
checksum.length = in_data->length;
checksum.contents = (krb5_octet *) in_data->data;
} else {
+ krb5_cksumtype cksumtype;
+ retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype,
+ &cksumtype);
+ if (retval)
+ goto cleanup_cksum;
if ((retval = krb5_c_make_checksum(context,
- (*auth_context)->req_cksumtype,
+ cksumtype,
(*auth_context)->keyblock,
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
in_data, &checksum)))
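Review bot: The new `goto cleanup_cksum` is taken before `krb5_c_make_checksum` has filled in `checksum`, and the label lies outside this hunk, so it is worth confirming that the cleanup path does not free `checksum.contents` when it was never allocated. This else branch also stops consulting `(*auth_context)->req_cksumtype`, so a value an application set through `krb5_auth_con_set_req_cksumtype` appears to be dropped here without any error. A comment at the declaration, such as `/* req_cksumtype is deliberately not consulted: the checksum type follows the key's enctype */`, would make that decision visible to maintainers. The enclosing function begins and ends outside the hunk.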
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 66a2422eaa..73980f2cf4 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -51,6 +51,7 @@ static krb5_error_code
tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey)
{
+ krb5_cksumtype cksumtype;
krb5_error_code retval;
krb5_checksum checksum;
krb5_authenticator authent;
@@ -63,9 +64,20 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
request.authenticator.kvno = 0;
request.ap_options = 0;
request.ticket = 0;
-
+ switch (in_cred->keyblock.enctype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ cksumtype = context->kdc_req_sumtype;
+ break;
+ default:
+ retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype);
+ if (retval)
+ goto cleanup;
+ }
+
/* Generate checksum */
- if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype,
+ if ((retval = krb5_c_make_checksum(context, cksumtype,
&in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
in_data, &checksum))) {
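Review bot: For the three DES enctypes the checksum type still comes straight from `context->kdc_req_sumtype`, and nothing visible in this hunk checks that the configured value is a valid or keyed checksum before it reaches `krb5_c_make_checksum`. The man page text changed in this same commit says a value of 2 selects CKSUMTYPE_RSA_MD4, so the DES path can still yield a weaker TGS-REQ authenticator checksum than the mandatory type would. I would add a comment above the switch, `/* DES keys honor kdc_req_checksum_type for DCE compatibility; other enctypes use their mandatory checksum type. */`, and consider rejecting a configured type that fails `krb5_c_valid_cksumtype`. The `cleanup` label reached from the `default:` arm is outside the hunk, so what it releases at that early point could not be checked here.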