From 56108ac2b7c7b747951614b9da99a5df1d57be6d Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Wed, 1 Apr 2009 18:25:02 +0000 Subject: Use the preferred checksum for non-DES keys in the kdc_req path and all the time in the ap_req checksum path. This breaks code to support DCE versions prior to 1.1 but uses the correct checksum for protocol compatibility. ticket: 1624 Target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22154 dc483132-0cff-0310-8789-dd5450dbe970 --- src/config-files/krb5.conf.M | 10 +++------- src/lib/krb5/krb/mk_req_ext.c | 7 ++++++- src/lib/krb5/krb/send_tgs.c | 16 ++++++++++++++-- 3 files changed, 23 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 9115e32c91..10b1792e87 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M @@ -143,15 +143,11 @@ clock. This corrective factor is only used by the Kerberos library. For compatability with DCE security servers which do not support the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and -earlier. +earlier. This value is only used for DES keys; other keys use the +preferred checksum type for those keys. .IP ap_req_checksum_type -This allows you to set the checksum type used in the authenticator of -KRB_AP_REQ messages. The default value for this type is -CKSUMTYPE_RSA_MD5. For compatibility with applications linked against -DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use -the CKSUMTYPE_RSA_MD4 -instead. +This obsolete variable is not used. .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 2cf1ddf13b..3f12763fd5 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -205,8 +205,13 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; if ((retval = krb5_c_make_checksum(context, - (*auth_context)->req_cksumtype, + cksumtype, (*auth_context)->keyblock, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 66a2422eaa..73980f2cf4 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -51,6 +51,7 @@ static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { + krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; krb5_authenticator authent; @@ -63,9 +64,20 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; - + switch (in_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + cksumtype = context->kdc_req_sumtype; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; + } + /* Generate checksum */ - if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, + if ((retval = krb5_c_make_checksum(context, cksumtype, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) { -- cgit