svn rev #24954: branches/krb5-1-9/src/lib/krb5/krb/
tlyu@MIT.EDU
Thu Jun 9 17:08:54 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=24954
Commit By: tlyu
Log Message:
ticket: 6912
version_fixed: 1.9.2
status: resolved
pull up r24929 from trunk
------------------------------------------------------------------------
r24929 | ghudson | 2011-05-14 10:49:00 -0400 (Sat, 14 May 2011) | 11 lines
ticket: 6912
subject: Use hmac-md5 checksum for PA-FOR-USER padata
target_version: 1.9.2
tags: pullup
The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key. Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.
Changed Files:
U branches/krb5-1-9/src/lib/krb5/krb/s4u_creds.c
Modified: branches/krb5-1-9/src/lib/krb5/krb/s4u_creds.c
===================================================================
--- branches/krb5-1-9/src/lib/krb5/krb/s4u_creds.c 2011-06-09 21:08:50 UTC (rev 24953)
+++ branches/krb5-1-9/src/lib/krb5/krb/s4u_creds.c 2011-06-09 21:08:54 UTC (rev 24954)
@@ -143,7 +143,6 @@
krb5_int32 name_type;
char *p;
krb5_data data;
- krb5_cksumtype cksumtype;
data.length = 4;
for (i = 0; i < krb5_princ_size(context, req->user); i++) {
@@ -175,13 +174,8 @@
memcpy(p, req->auth_package.data, req->auth_package.length);
- code = krb5int_c_mandatory_cksumtype(context, key->enctype, &cksumtype);
- if (code != 0) {
- free(data.data);
- return code;
- }
-
- code = krb5_c_make_checksum(context, cksumtype, key,
+ /* Per spec, use hmac-md5 checksum regardless of key type. */
+ code = krb5_c_make_checksum(context, CKSUMTYPE_HMAC_MD5_ARCFOUR, key,
KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
cksum);
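Review bot: the new comment above the krb5_c_make_checksum call says "Per spec" without naming the specification. The log message identifies it as MS-S4U, so the comment should too, for example "Per MS-S4U, use hmac-md5 checksum for PA-FOR-USER regardless of key type." Because CKSUMTYPE_HMAC_MD5_ARCFOUR is now passed with whatever enctype key carries, a regression test that drives this path with a non-RC4 key (the DES case from the report) would confirm that krb5_c_make_checksum accepts that pairing and that the failure return is still handled by the code following this call, which is outside the visible context.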