git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Sat, 11 Dec 2021 06:25:34 +0000 (01:25 -0500)
committer	Greg Hudson <ghudson@mit.edu>
	Wed, 29 Dec 2021 16:02:04 +0000 (11:02 -0500)
commit	b2463149c88628a5107ec53a6b98d685cd756473
tree	2cb7948f4ed1afdba8b638655d687ce77106e72a	tree
parent	149df661ad76ea4b5fff0de28e77a767f9355fdc	commit \| diff

Use 14 instead of 9 for unkeyed SHA-1 checksum

Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1.  Heimdal and Microsoft use the value 14.  Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).

Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA.  Continue to allow the value 9
for ABI compatibility.  Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.

ticket: 9040 (new)

doc/appdev/refs/macros/index.rst		diff \| blob \| blame \| history
src/include/krb5/krb5.hin		diff \| blob \| blame \| history
src/lib/crypto/crypto_tests/t_cksums.c		diff \| blob \| blame \| history
src/lib/crypto/krb/cksumtypes.c		diff \| blob \| blame \| history
src/lib/gssapi/mechglue/g_saslname.c		diff \| blob \| blame \| history
src/lib/krb5/os/trace.c		diff \| blob \| blame \| history
src/plugins/kdb/test/kdb_test.c		diff \| blob \| blame \| history
src/plugins/preauth/pkinit/pkinit_clnt.c		diff \| blob \| blame \| history
src/plugins/preauth/pkinit/pkinit_srv.c		diff \| blob \| blame \| history