Use hmac-md5 checksum for PA-FOR-USER padata

The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key.  Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.

ticket: 6912
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24929 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 2 insertions, 8 deletions

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 237950a37..57e8b92d4 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -147,7 +147,6 @@ make_pa_for_user_checksum(krb5_context context,
     krb5_int32 name_type;
     char *p;
     krb5_data data;
-    krb5_cksumtype cksumtype;
 
     data.length = 4;
     for (i = 0; i < krb5_princ_size(context, req->user); i++) {
@@ -179,13 +178,8 @@ make_pa_for_user_checksum(krb5_context context,
 
     memcpy(p, req->auth_package.data, req->auth_package.length);
 
-    code = krb5int_c_mandatory_cksumtype(context, key->enctype, &cksumtype);
-    if (code != 0) {
-        free(data.data);
-        return code;
-    }
-
-    code = krb5_c_make_checksum(context, cksumtype, key,
+    /* Per spec, use hmac-md5 checksum regardless of key type. */
+    code = krb5_c_make_checksum(context, CKSUMTYPE_HMAC_MD5_ARCFOUR, key,
                                 KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
                                 cksum);