shishi-commit

Instead of looking for DES tickets, use whatever ticket is available, [...]


From: shishi-commit
Subject: Instead of looking for DES tickets, use whatever ticket is available, [...]
Date: Sat, 13 Dec 2003 14:14:30 +0100

Commit from jas 2003-12-13 14:14 CET
Instead of looking for DES tickets, use whatever ticket is available,
but always use a DES session key (for interop).  This is a hack, we
should instead make enc_des.c RFC 2952 compliant and #define
DONT_ALWAYS_USE_DES to 1 in this file.  Then people that want to
interop with 2952 non-conforming telnetd can then define
DONT_ALWAYS_USE_DES to 0 and be happy, while the rest of us can enjoy
RFC compliance and better security.
Module File name Revision
inetutils libtelnet/shishi.c 1.5 >>> 1.6

inetutils/libtelnet/shishi.c   1.5 >>> 1.6
Line 147
    sprintf (tmp, "host/%s", RemoteHostName);
    memset (&hint, 0, sizeof (hint));
    hint.server = tmp;
-   /* First look specifically for DES keys to interop with non-RFC 2952
-      compliant telnetd's (i.e., many telnetd, including this one).
-      The problem is that instead of truncating overlong keys and
-      fixing the parity bits, as RFC 2952 describe, they simply reject
-      the encryption request.  See enc_des.c:fb64_session, but even
-      after fixing this implementation you would still have problems
-      talking to other implementations that aren't fixed. */
-   hint.etype = SHISHI_DES_CBC_MD5;
    tkt = shishi_tkts_get (shishi_tkts_default (shishi_handle), &hint);
-   if (!tkt)
-     {
-       /* No DES key found, just get any key and hope for the best. */
-       hint.etype = 0;
-       tkt = shishi_tkts_get (shishi_tkts_default (shishi_handle), &hint);
-     }
    free (tmp);
    if (!tkt)
      {
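Review bot: With `hint.etype = SHISHI_DES_CBC_MD5;` and its fallback removed, the single `shishi_tkts_get` call now accepts a ticket of any etype, and the deleted comment was the only text at this site explaining the RFC 2952 interop problem (telnetd implementations rejecting the encryption request instead of truncating overlong keys and fixing parity). Consider keeping a short comment at the `shishi_tkts_get` call stating that the ticket etype is deliberately unconstrained and that a DES session key is requested later when the AP-REQ is built, retaining the pointer to enc_des.c:fb64_session, so the rationale is not left only in the commit log.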
Line 183
    else
      ap_opts = 0;
 
+ #ifdef ENCRYPTION
+   ap_opts |= SHISHI_APOPTIONS_USE_SESSION_KEY;
+ #endif /* ENCRYPTION */
+
    type_check[0] = ap->type;
    type_check[1] = ap->way;
 
-   rc = shishi_ap_tktoptionsdata (shishi_handle, &auth_handle,
-  tkt, ap_opts, (char *) &type_check, 2);
+ #ifndef DONT_ALWAYS_USE_DES
+   /* Even if we are not using a DES key, we can still try a DES
+      session-key.  Then we can support DES_?FB64 encryption with 3DES
+      or AES keys. */
+   if (shishi_tkt_keytype_fast (tkt) != SHISHI_DES_CBC_MD5)
+     rc = shishi_ap_etype_tktoptionsdata (shishi_handle, &auth_handle,
+  SHISHI_DES_CBC_MD5,
+  tkt, ap_opts,
+  (char *) &type_check, 2);
+   else
+ #else
+     rc = shishi_ap_tktoptionsdata (shishi_handle, &auth_handle,
+    tkt, ap_opts, (char *) &type_check, 2);
+ #endif
    if (rc != SHISHI_OK)
      {
        DEBUG (("telnet: Kerberos V5: Could not make AP-REQ (%s)\r\n",
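Review bot: In the `#ifndef DONT_ALWAYS_USE_DES` block the dangling `else` is followed directly by `#else`, so when the macro is undefined the plain `shishi_ap_tktoptionsdata` call is compiled out and the `else` binds to `if (rc != SHISHI_OK)`. A non-DES ticket then skips the error check after `shishi_ap_etype_tktoptionsdata`, and a DES ticket never builds the AP-REQ in this block and tests an `rc` that this call did not set. Replacing `#else` with `#endif` (and dropping the later `#endif`) keeps the plain call as the `else` branch in both configurations. Separately, the commit message describes defining DONT_ALWAYS_USE_DES to 1 or 0, but `#ifndef` only tests whether it is defined, so defining it to 0 would still select the non-DES path; `#if !DONT_ALWAYS_USE_DES` would match the described usage.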


