author | Greg Hudson <ghudson@mit.edu> | 2021-12-11 01:25:34 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2021-12-29 11:02:04 -0500 |
commit | b2463149c88628a5107ec53a6b98d685cd756473 (patch) | |
tree | 2cb7948f4ed1afdba8b638655d687ce77106e72a /doc | |
parent | 149df661ad76ea4b5fff0de28e77a767f9355fdc (diff) | |
download | krb5-b2463149c88628a5107ec53a6b98d685cd756473.tar.gz |
Use 14 instead of 9 for unkeyed SHA-1 checksum

Although MIT krb5 had been using the value 9 for unkeyed SHA-1 since
its 1.0 release in 1996, RFC 3961 instead assigned this value to
rsa-md5-des3 (likely never used), and assigned the values 10 and 14 to
SHA-1. Heimdal and Microsoft use the value 14. Unkeyed SHA-1 almost
never appears on the wire, but has been seen in PKINIT asChecksum
fields in replies from Windows KDCs (despite the field being specified
as a keyed checksum).

Define a new symbol CKSUMTYPE_SHA1 with the value 14, and use it where
we currently use CKSUMTYPE_NIST_SHA. Continue to allow the value 9
for ABI compatibility. Remove the pkinit_clnt.c workaround as the
value 14 will now work without adjustment.

ticket: 9040 (new)

Diffstat (limited to 'doc')
-rw-r--r-- | doc/appdev/refs/macros/index.rst | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst index 5542d9850..21619b92f 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -43,6 +43,7 @@ Public CKSUMTYPE_RSA_MD4_DES.rst CKSUMTYPE_RSA_MD5.rst CKSUMTYPE_RSA_MD5_DES.rst + CKSUMTYPE_SHA1.rst ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst |
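
Review bot: The new `CKSUMTYPE_SHA1.rst` entry, added after `CKSUMTYPE_RSA_MD5_DES.rst`, is the only documentation change shown in this view, and nothing in it records that the value 9 is still accepted. The commit message says 9 stays valid for ABI compatibility while CKSUMTYPE_SHA1 is 14, so the description behind the new macro page (and the one for CKSUMTYPE_NIST_SHA, which this hunk's context does not show) should state which value each symbol carries and that callers should move to CKSUMTYPE_SHA1. The entry itself sits in alphabetical position, so no ordering change is needed.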