svn rev #24929: trunk/src/lib/krb5/krb/

ghudson@MIT.EDU ghudson at MIT.EDU
Sat May 14 10:49:00 EDT 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=24929
Commit By: ghudson
Log Message:
ticket: 6912
subject: Use hmac-md5 checksum for PA-FOR-USER padata
target_version: 1.9.2
tags: pullup

The MS-S4U documentation specifies that hmac-md5 be used for
PA-FOR-USER checksums; we were using the mandatory checksum type for
the key.  Although some other checksum types appear to be allowed by
Active Directory KDCs, Richard Silverman reports that md5-des is not
one of them, causing S4U2Self requests to fail for DES keys.



Changed Files:
U   trunk/src/lib/krb5/krb/s4u_creds.c
Modified: trunk/src/lib/krb5/krb/s4u_creds.c
===================================================================
--- trunk/src/lib/krb5/krb/s4u_creds.c	2011-05-13 12:33:52 UTC (rev 24928)
+++ trunk/src/lib/krb5/krb/s4u_creds.c	2011-05-14 14:49:00 UTC (rev 24929)
@@ -147,7 +147,6 @@
     krb5_int32 name_type;
     char *p;
     krb5_data data;
-    krb5_cksumtype cksumtype;
 
     data.length = 4;
     for (i = 0; i < krb5_princ_size(context, req->user); i++) {
@@ -179,13 +178,8 @@
 
     memcpy(p, req->auth_package.data, req->auth_package.length);
 
-    code = krb5int_c_mandatory_cksumtype(context, key->enctype, &cksumtype);
-    if (code != 0) {
-        free(data.data);
-        return code;
-    }
-
-    code = krb5_c_make_checksum(context, cksumtype, key,
+    /* Per spec, use hmac-md5 checksum regardless of key type. */
+    code = krb5_c_make_checksum(context, CKSUMTYPE_HMAC_MD5_ARCFOUR, key,
                                 KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
                                 cksum);
 
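Review bot: The new comment above the krb5_c_make_checksum call says only "Per spec", which does not tell a later reader which spec is meant or why the key's mandatory checksum type is deliberately bypassed. Suggest naming it, for example "/* Per MS-S4U, PA-FOR-USER uses hmac-md5 regardless of key type. */", so the hardcoded CKSUMTYPE_HMAC_MD5_ARCFOUR is not mistaken for an oversight and changed back. Because the checksum type no longer follows key->enctype, a regression test that builds this checksum with a DES key (the failing case in the log message) would be worth adding with this change.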



