[16806] in Kerberos-V5-bugs

[krbdev.mit.edu #9040] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Dec 29 11:49:28 2021

From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-2399564-1640796546-1204.9040-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9040":;
Date: Wed, 29 Dec 2021 11:49:06 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Wed Dec 29 11:49:06 2021: Request 9040 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson@mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9040 >



Use 14 instead of 9 for unkeyed SHA-1 checksum

Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1.  Heimdal and Microsoft use the value 14.  Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).

Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA.  Continue to allow the value 9
for ABI compatibility.  Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.

https://github.com/krb5/krb5/commit/b2463149c88628a5107ec53a6b98d685cd756473
Author: Greg Hudson <ghudson@mit.edu>
Commit: b2463149c88628a5107ec53a6b98d685cd756473
Branch: master
 doc/appdev/refs/macros/index.rst         |    1 +
 src/include/krb5/krb5.hin                |    6 ++++++
 src/lib/crypto/crypto_tests/t_cksums.c   |    2 +-
 src/lib/crypto/krb/cksumtypes.c          |    6 ++++++
 src/lib/gssapi/mechglue/g_saslname.c     |    3 +--
 src/lib/krb5/os/trace.c                  |    2 +-
 src/plugins/kdb/test/kdb_test.c          |    2 +-
 src/plugins/preauth/pkinit/pkinit_clnt.c |   11 ++---------
 src/plugins/preauth/pkinit/pkinit_srv.c  |    4 ++--
 9 files changed, 21 insertions(+), 16 deletions(-)
