author | Sam Hartman <hartmans@mit.edu> | 2009-04-03 03:33:01 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2009-04-03 03:33:01 +0000 |
commit | 6d48a7deaeed3dcb5dce55d8e9730c47512a904e (patch) | |
tree | 5bcc45ebabcfab7ec0993fb33f79f9093a983061 /src | |
parent | d44144bc3c86cd2e0b9dbe74f0241905201ddd23 (diff) | |
Unfortunately, pre-1.7 krshd fails to support keyed checksums because
it uses the wrong API and wrong key usage. So, if the auth_context
has an explicit checksum type set, then respect that. kcmd sets such
a checksum type. Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.
* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default to md5
* mk_req_ext.c: allow auth_context to override
ticket: 1624
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/appl/bsd/kcmd.c | 2 | ||||
-rw-r--r-- | src/config-files/krb5.conf.M | 2 | ||||
-rw-r--r-- | src/lib/krb5/krb/init_ctx.c | 2 | ||||
-rw-r--r-- | src/lib/krb5/krb/mk_req_ext.c | 2 |
4 files changed, 6 insertions, 2 deletions
diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c
index c4212b3..1990569 100644
--- a/src/appl/bsd/kcmd.c
+++ b/src/appl/bsd/kcmd.c
@@ -473,6 +473,8 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
 if (krb5_auth_con_init(bsd_context, &auth_context)) goto bad2;
+ if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 )
+ goto bad2;
 if (krb5_auth_con_setflags(bsd_context, auth_context, KRB5_AUTH_CONTEXT_RET_TIME)) goto bad2;
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index 10b1792..2f2fbb2 100644
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -147,7 +147,7 @@ earlier. This value is only used for DES keys; other keys use the preferred checksum type for those keys. .IP ap_req_checksum_type
-This obsolete variable is not used.
+If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type.
 .IP safe_checksum_type This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 7e0159a..67dad8c 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -208,7 +208,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
 ctx->kdc_req_sumtype = tmp; profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
+ KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
 &tmp); ctx->default_ap_req_sumtype = tmp;
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 3f12763..64eafe3 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
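Review bot: The new `krb5_auth_con_set_req_cksumtype(..., CKSUMTYPE_RSA_MD5)` call in src/appl/bsd/kcmd.c pins an unkeyed MD5 checksum for every connection kcmd makes, and nothing at the call site says why. The commit message gives the reason (pre-1.7 krshd cannot verify keyed checksums), and that belongs next to the call, e.g. `/* Pre-1.7 krshd cannot verify keyed checksums, so force rsa-md5; revisit once those servers are gone. */`. Because the type is hard-coded, peers that could verify a keyed checksum also get rsa-md5, so the authenticator checksum relies on the authenticator's encryption alone for integrity. The `!=0 )` comparison also differs from the neighbouring calls, which test the return value directly. kcmd()'s body starts and ends outside the hunk.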
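Review bot: In src/lib/krb5/krb/init_ctx.c the result of `profile_get_integer()` is still discarded, and `tmp` is reused from the `kdc_req_sumtype` assignment just above. If the call fails without writing `tmp`, `default_ap_req_sumtype` would inherit that stale value instead of the new default 0; setting `tmp = 0;` before the call, or checking the return value, would close this. The profile value is also stored without validation, and 0 now appears to mean "unset, derive the checksum from the key", so a one-line comment stating that sentinel would help, since the code that consumes the field is not in this hunk. init_common()'s body continues beyond the hunk.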
@@ -210,6 +210,8 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
 &cksumtype); if (retval) goto cleanup_cksum;
+ if ((*auth_context)->req_cksumtype)
+ cksumtype = (*auth_context)->req_cksumtype;
 if ((retval = krb5_c_make_checksum(context, cksumtype, (*auth_context)->keyblock, |
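Review bot: The override `cksumtype = (*auth_context)->req_cksumtype;` replaces the key-derived type with any nonzero value, with no check that it is a known type or a keyed one. Per the commit message this value can come from an application call or the profile, so either can silently downgrade the authenticator checksum. Since that is deliberate for compatibility, say so at the branch, e.g. `/* An explicit req_cksumtype (application or profile) overrides the key's checksum type, possibly with an unkeyed one. */`, and consider rejecting unknown values early with `krb5_c_valid_cksumtype()`. The key-derived lookup also still runs first, and its failure still jumps to `cleanup_cksum` even when an override is set. krb5_mk_req_extended() starts and ends outside the hunk.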