From: | ghudson@mit.edu |
Subject: | git commit |
Use 14 instead of 9 for unkeyed SHA-1 checksum
Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1. Heimdal and Microsoft use the value 14. Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).
Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA. Continue to allow the value 9
for ABI compatibility. Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.
https://github.com/krb5/krb5/commit/b2463149c88628a5107ec53a6b98d685cd756473
Author: Greg Hudson <ghudson@mit.edu>
Commit: b2463149c88628a5107ec53a6b98d685cd756473
Branch: master
doc/appdev/refs/macros/index.rst | 1 +
src/include/krb5/krb5.hin | 6 ++++++
src/lib/crypto/crypto_tests/t_cksums.c | 2 +-
src/lib/crypto/krb/cksumtypes.c | 6 ++++++
src/lib/gssapi/mechglue/g_saslname.c | 3 +--
src/lib/krb5/os/trace.c | 2 +-
src/plugins/kdb/test/kdb_test.c | 2 +-
src/plugins/preauth/pkinit/pkinit_clnt.c | 11 ++---------
src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++--
9 files changed, 21 insertions(+), 16 deletions(-)