diff options
| author | Sam Hartman <hartmans@mit.edu> | 2009-04-01 18:25:02 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2009-04-01 18:25:02 +0000 |
| commit | 56108ac2b7c7b747951614b9da99a5df1d57be6d (patch) | |
| tree | 8e828cfee52b8039c85a01444e19e5eaca3d51f8 /src/lib | |
| parent | 24c4a63e12354d797d0ab02d6b9bc2d9044f74b4 (diff) | |
Use the preferred checksum for non-DES keys in the kdc_req path and
all the time in the ap_req checksum path. This breaks code to support
DCE versions prior to 1.1 but uses the correct checksum for protocol
compatibility.
ticket: 1624
Target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22154 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/krb/mk_req_ext.c | 7 | ||||
| -rw-r--r-- | src/lib/krb5/krb/send_tgs.c | 16 |
2 files changed, 20 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 2cf1ddf13..3f12763fd 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -205,8 +205,13 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { + krb5_cksumtype cksumtype; + retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype, + &cksumtype); + if (retval) + goto cleanup_cksum; if ((retval = krb5_c_make_checksum(context, - (*auth_context)->req_cksumtype, + cksumtype, (*auth_context)->keyblock, KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM, in_data, &checksum))) diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 66a2422ea..73980f2cf 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -51,6 +51,7 @@ static krb5_error_code tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey) { + krb5_cksumtype cksumtype; krb5_error_code retval; krb5_checksum checksum; krb5_authenticator authent; @@ -63,9 +64,20 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data, request.authenticator.kvno = 0; request.ap_options = 0; request.ticket = 0; - + switch (in_cred->keyblock.enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + cksumtype = context->kdc_req_sumtype; + break; + default: + retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype); + if (retval) + goto cleanup; + } + /* Generate checksum */ - if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype, + if ((retval = krb5_c_make_checksum(context, cksumtype, &in_cred->keyblock, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, in_data, &checksum))) { |