| author | Cy Schubert <cy@FreeBSD.org> | 2023-06-26 22:56:52 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2023-06-26 22:56:52 +0000 |
| commit | b6a943f7197af1a5eb6bb028b9b808ec5016e30c (patch) | |
| tree | cfbb91e940dd89d0e1d46095f43c228d7d079fa0 /lib/krb5/mk_req_ext.c | |
| parent | 6f4e10db3298f6d65e1e646fe52aaafc3682b788 (diff) | |
heimdal: Vendor import f62e2f278vendor/heimdal/7.8.0-2023-06-10-f62e2f278vendor/heimdal
Heimdal 7.8.0 does not support OpenSSL 3.0. 7.9.0 will but it hasn't
been released yet. We are importing f62e2f278 for its OpenSSL 3.0
support.
Diffstat (limited to 'lib/krb5/mk_req_ext.c')
| -rw-r--r-- | lib/krb5/mk_req_ext.c | 67 |
1 files changed, 28 insertions, 39 deletions
diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c
index 18b16a9bf2b0..a8a07f1c718f 100644
--- a/lib/krb5/mk_req_ext.c
+++ b/lib/krb5/mk_req_ext.c
@@ -73,48 +73,37 @@ _krb5_mk_req_internal(krb5_context context, if (ret) goto out; - /* it's unclear what type of checksum we can use. try the best one, except: - * a) if it's configured differently for the current realm, or - * b) if the session key is des-cbc-crc + /* + * Use the default checksum type except for some interoperability cases + * with older MIT, DCE and Windows KDCs. */ - if (in_data) { - if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) { - /* this is to make DCE secd (and older MIT kdcs?) happy */ - ret = krb5_create_checksum(context, - NULL, - 0, - CKSUMTYPE_RSA_MD4, - in_data->data, - in_data->length, - &c); - } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 || - ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 || - ac->keyblock->keytype == ETYPE_DES_CBC_MD4 || - ac->keyblock->keytype == ETYPE_DES_CBC_MD5) { - /* this is to make MS kdc happy */ - ret = krb5_create_checksum(context, - NULL, - 0, - CKSUMTYPE_RSA_MD5, - in_data->data, - in_data->length, - &c); - } else { - krb5_crypto crypto; + krb5_crypto crypto; + krb5_cksumtype checksum_type = CKSUMTYPE_NONE; + + if (ac->keyblock->keytype == ETYPE_DES_CBC_CRC) + checksum_type = CKSUMTYPE_RSA_MD4; + else if (ac->keyblock->keytype == ETYPE_DES_CBC_MD4 || + ac->keyblock->keytype == ETYPE_DES_CBC_MD5 || + ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 || + ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56) + checksum_type = CKSUMTYPE_RSA_MD5; + else + checksum_type = CKSUMTYPE_NONE; + + ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); + if (ret) + goto out; - ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto); - if (ret) - goto out; - ret = krb5_create_checksum(context, - crypto, - checksum_usage, - 0, - in_data->data, - in_data->length, - &c); - krb5_crypto_destroy(context, crypto); - } + _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM); + ret = krb5_create_checksum(context, + crypto, + checksum_usage, + checksum_type, + in_data->data, + 
in_data->length, + &c); + krb5_crypto_destroy(context, crypto); c_opt = &c; } else { c_opt = NULL; |
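Review bot: `_krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM)` is applied on every path, including the final `else` where `checksum_type` stays `CKSUMTYPE_NONE` and the default checksum for the session key is meant to be used. The unkeyed RSA-MD4/RSA-MD5 checksums are only wanted for the DES and RC4 key types tested just above, so the relaxation is better scoped to them: `if (checksum_type != CKSUMTYPE_NONE) _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);`. A short comment at that call should say that the unkeyed digest is an interoperability concession and, presumably, depends on the enclosing authenticator encryption for its integrity. The trailing `else checksum_type = CKSUMTYPE_NONE;` only repeats the initializer and can be dropped. `_krb5_mk_req_internal` starts and ends outside this hunk, and since the commit is a vendor import the change would belong upstream.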
