svn rev #22160: trunk/ doc/ src/appl/bsd/ src/config-files/ src/lib/krb5/krb/

hartmans@MIT.EDU hartmans at MIT.EDU
Thu Apr 2 23:33:02 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22160
Commit By: hartmans
Log Message:
ticket: 1624

Unfortunately, pre-1.7 krshd fails to support keyed checksums because
it uses the wrong API and wrong key usage.  So, if the auth_context
has an explicit checksum type set, then respect that.  kcmd sets such
a checksum type.  Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.

* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default to md5
* mk_req_ext.c: allow auth_context to override


Changed Files:
U   trunk/doc/admin.texinfo
U   trunk/src/appl/bsd/kcmd.c
U   trunk/src/config-files/krb5.conf.M
U   trunk/src/lib/krb5/krb/init_ctx.c
U   trunk/src/lib/krb5/krb/mk_req_ext.c
Modified: trunk/doc/admin.texinfo
===================================================================
--- trunk/doc/admin.texinfo	2009-04-02 23:30:28 UTC (rev 22159)
+++ trunk/doc/admin.texinfo	2009-04-03 03:33:01 UTC (rev 22160)
@@ -462,8 +462,8 @@
 An integer which specifies the type of checksum to use.  Used for
 compatability with DCE security servers which do not support the
 default @value{DefaultChecksumType} used by this version of Kerberos.
-Note that the ap_req_checksum_type variable's value is ignored.  The
-kdc_req_checksum_type is only used for DES keys.   The possible values and their meanings are as follows.
+The
+kdc_req_checksum_type is only used for DES keys.   The ap_req_checksum_type defaults to the preferred checksum for the encryption type being used if unset.  If set, then the selected checksum is used regardless of the type of key being used.  The possible values and their meanings are as follows.
 
 @comment taken from krb5/src/include/krb5.h[in]
 @table @b
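Review bot: The added sentence "If set, then the selected checksum is used regardless of the type of key being used" should also tell administrators what that costs. Setting ap_req_checksum_type replaces the checksum that would otherwise be preferred for the key's encryption type, so the text should recommend leaving it unset unless an old peer requires a specific type, as the krb5.conf.M wording in this same commit does. The replacement also leaves a lone "The" on its own line and a very long line after it; rewrapping the paragraph would keep the texinfo source readable.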

Modified: trunk/src/appl/bsd/kcmd.c
===================================================================
--- trunk/src/appl/bsd/kcmd.c	2009-04-02 23:30:28 UTC (rev 22159)
+++ trunk/src/appl/bsd/kcmd.c	2009-04-03 03:33:01 UTC (rev 22160)
@@ -473,6 +473,8 @@
     if (krb5_auth_con_init(bsd_context, &auth_context)) 
 	goto bad2;
 
+    if (krb5_auth_con_set_req_cksumtype(bsd_context, auth_context, CKSUMTYPE_RSA_MD5) !=0 )
+	goto bad2;
     if (krb5_auth_con_setflags(bsd_context, auth_context, 
 			       KRB5_AUTH_CONTEXT_RET_TIME))
 	goto bad2;
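Review bot: The new krb5_auth_con_set_req_cksumtype() call hard-codes CKSUMTYPE_RSA_MD5 with no comment in the code explaining why. The reason (pre-1.7 krshd cannot verify keyed checksums) is only in the commit log, so a later reader of kcmd.c will see a forced checksum type and no rationale. Please add a short comment above the call stating the compatibility constraint. Style: the neighbouring calls test the return value directly (`if (krb5_auth_con_init(...))`), while this one uses `!=0 )` with uneven spacing; match the surrounding form.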

Modified: trunk/src/config-files/krb5.conf.M
===================================================================
--- trunk/src/config-files/krb5.conf.M	2009-04-02 23:30:28 UTC (rev 22159)
+++ trunk/src/config-files/krb5.conf.M	2009-04-03 03:33:01 UTC (rev 22160)
@@ -147,7 +147,7 @@
 preferred checksum type for those keys.
 
 .IP ap_req_checksum_type 
-This obsolete variable is not used.
+If set  this variable  controls what ap-req checksum will be used in  authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used.   This can be set if backward compatibility requires a specific checksum type.
 
 .IP safe_checksum_type 
 This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
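Review bot: The new ap_req_checksum_type text does not say what values the variable takes or that the override applies regardless of key type, which admin.texinfo now states explicitly. Align the two descriptions so the man page is not the weaker of the two. The sentence "If set  this variable  controls" also needs a comma after "set" and has doubled spaces that will show up in the roff source.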

Modified: trunk/src/lib/krb5/krb/init_ctx.c
===================================================================
--- trunk/src/lib/krb5/krb/init_ctx.c	2009-04-02 23:30:28 UTC (rev 22159)
+++ trunk/src/lib/krb5/krb/init_ctx.c	2009-04-03 03:33:01 UTC (rev 22160)
@@ -208,7 +208,7 @@
 	ctx->kdc_req_sumtype = tmp;
 
 	profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
-			    KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
+			    KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
 			    &tmp);
 	ctx->default_ap_req_sumtype = tmp;
 
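Review bot: Changing the profile_get_integer() default from CKSUMTYPE_RSA_MD5 to a bare `0` makes 0 a sentinel meaning "not configured", but nothing in the code says so. A comment here, or a named constant, would make it clear that ctx->default_ap_req_sumtype == 0 means "use the checksum preferred for the key's enctype" rather than a real checksum type. The return value of profile_get_integer() is also not checked on these lines, so it is worth confirming that tmp holds the default when the lookup fails.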

Modified: trunk/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- trunk/src/lib/krb5/krb/mk_req_ext.c	2009-04-02 23:30:28 UTC (rev 22159)
+++ trunk/src/lib/krb5/krb/mk_req_ext.c	2009-04-03 03:33:01 UTC (rev 22160)
@@ -210,6 +210,8 @@
 						   &cksumtype);
 	    if (retval)
 		goto cleanup_cksum;
+	    if ((*auth_context)->req_cksumtype)
+		cksumtype = (*auth_context)->req_cksumtype;
 	    if ((retval = krb5_c_make_checksum(context, 
 					       cksumtype,
 					       (*auth_context)->keyblock,
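Review bot: The override at `if ((*auth_context)->req_cksumtype)` is applied only after the key-derived lookup has succeeded, and the forced value is passed to krb5_c_make_checksum() without any check on it. Two consequences: a failure in the preceding lookup still jumps to cleanup_cksum even when the caller supplied an explicit type that would have been used instead, and the caller-selected type is applied to whatever key is in (*auth_context)->keyblock. Consider testing req_cksumtype first and doing the enctype-based lookup only in the else branch, and add a comment that this path exists for backward compatibility. This hunk reads only (*auth_context)->req_cksumtype, so please confirm where the config-file value in ctx->default_ap_req_sumtype reaches it, since the log message says the config variable should override as well.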



