From: | shishi-commit |
Subject: | Instead of looking for DES tickets, use whatever ticket is available, [...] |
Date: | Sat, 13 Dec 2003 14:14:30 +0100 |
Commit from jas | 2003-12-13 14:14 CET |
Instead of looking for DES tickets, use whatever ticket is available, but always use a DES session key (for interop). This is a hack, we should instead make enc_des.c RFC 2952 compliant and #define DONT_ALWAYS_USE_DES to 1 in this file. Then people that want to interop with 2952 non-conforming telnetd can then define DONT_ALWAYS_USE_DES to 0 and be happy, while the rest of us can enjoy RFC compliance and better security.
Module | File name | Revision |
---|---|---|
inetutils | libtelnet/shishi.c | 1.5 >>> 1.6 |
inetutils/libtelnet/shishi.c 1.5 >>> 1.6 |
---|
Line 147 |
sprintf (tmp, "host/%s", RemoteHostName); memset (&hint, 0, sizeof (hint)); hint.server = tmp; |
- /* First look specifically for DES keys to interop with non-RFC 2952 - compliant telnetd's (i.e., many telnetd, including this one). - The problem is that instead of truncating overlong keys and - fixing the parity bits, as RFC 2952 describe, they simply reject - the encryption request. See enc_des.c:fb64_session, but even - after fixing this implementation you would still have problems - talking to other implementations that aren't fixed. */ - hint.etype = SHISHI_DES_CBC_MD5; |
tkt = shishi_tkts_get (shishi_tkts_default (shishi_handle), &hint); |
- if (!tkt) - { - /* No DES key found, just get any key and hope for the best. */ - hint.etype = 0; - tkt = shishi_tkts_get (shishi_tkts_default (shishi_handle), &hint); - } |
free (tmp); if (!tkt) { |
Line 183 |
else ap_opts = 0; |
+ #ifdef ENCRYPTION + ap_opts |= SHISHI_APOPTIONS_USE_SESSION_KEY; + #endif /* ENCRYPTION */ + |
type_check[0] = ap->type; type_check[1] = ap->way; |
- rc = shishi_ap_tktoptionsdata (shishi_handle, &auth_handle, - tkt, ap_opts, (char *) &type_check, 2); |
+ #ifndef DONT_ALWAYS_USE_DES + /* Even if we are not using a DES key, we can still try a DES + session-key. Then we can support DES_?FB64 encryption with 3DES + or AES keys. */ + if (shishi_tkt_keytype_fast (tkt) != SHISHI_DES_CBC_MD5) + rc = shishi_ap_etype_tktoptionsdata (shishi_handle, &auth_handle, + SHISHI_DES_CBC_MD5, + tkt, ap_opts, + (char *) &type_check, 2); + else + #else + rc = shishi_ap_tktoptionsdata (shishi_handle, &auth_handle, + tkt, ap_opts, (char *) &type_check, 2); + #endif |
if (rc != SHISHI_OK) { DEBUG (("telnet: Kerberos V5: Could not make AP-REQ (%s)\r\n", |
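Review bot: In the Line 147 hunk, the deleted comment was the only place in this file that explained why DES matters here (telnetd implementations that reject the encryption request instead of truncating overlong keys and fixing the parity bits as RFC 2952 describes, see enc_des.c:fb64_session), and after this change that rationale lives only in the commit message. Suggest keeping a condensed version next to the new DONT_ALWAYS_USE_DES block in the Line 183 hunk, together with a sentence on what DONT_ALWAYS_USE_DES controls, since nothing in the visible lines defines or documents it. With hint.etype left at 0 by the memset, shishi_tkts_get now takes any ticket for hint.server, so the DES restriction rests entirely on the session-key code path further down.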
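Review bot: In the Line 183 hunk, the "else" just before "#else" has no statement of its own in the default build: when DONT_ALWAYS_USE_DES is not defined, the preprocessor drops the shishi_ap_tktoptionsdata call, so the "else" binds to the following "if (rc != SHISHI_OK)". A ticket whose key is already DES then never gets an AP-REQ built and is checked against an rc that this code did not set, while the non-DES path skips the error check altogether. Replace "#else" with "#endif" directly after the "else" and drop the later "#endif", so the plain shishi_ap_tktoptionsdata call is compiled in both configurations and acts as the else branch. Separately, the test is "#ifndef", so defining DONT_ALWAYS_USE_DES to 0 as the commit message describes has the same effect as defining it to 1; "#if !DONT_ALWAYS_USE_DES" would match the described usage.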