From 3aa4a14ef3131025c9070dd723499b63d6c5c31b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 25 Mar 2009 15:36:36 +0000
Subject: [PATCH] move generation of session key to preauth hook.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24940 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index cea925f1f..f395d0195 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1465,11 +1465,12 @@ _kdc_as_rep(krb5_context context,
 goto out;
 }
 
- ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
+ ret = copy_PrincipalName(&rep.cname, &et.cname);
+ if (ret)
+ goto out;
+ ret = copy_Realm(&rep.crealm, &et.crealm);
 if (ret)
 goto out;
- copy_PrincipalName(&rep.cname, &et.cname);
- copy_Realm(&rep.crealm, &et.crealm);
 
 {
 time_t start;
@@ -1533,8 +1534,6 @@ _kdc_as_rep(krb5_context context,
 et.transited.tr_type = DOMAIN_X500_COMPRESS;
 krb5_data_zero(&et.transited.contents);
 
- copy_EncryptionKey(&et.key, &ek.key);
-
 /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
 * as 0 and as 0x80 (meaning indefinite length) apart, and is thus
 * incapable of correctly decoding SEQUENCE OF's of zero length.
@@ -1607,8 +1606,8 @@ _kdc_as_rep(krb5_context context,
 if (pkp) {
 e_text = "Failed to build PK-INIT reply";
 ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
- req, req_buffer,
- &reply_key, rep.padata);
+ sessionetype, req, req_buffer,
+ &reply_key, &et.key, rep.padata);
 if (ret)
 goto out;
 ret = _kdc_add_inital_verified_cas(context,
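Review bot: With the random keyblock generation removed from this spot, the two new `goto out` exits after `copy_PrincipalName` and `copy_Realm` leave `_kdc_as_rep` before `et.key` has been set, so the cleanup at `out:` must cope with a key that was never generated; that is only safe if `et` is zeroed before this point, which I cannot confirm from the hunk. Any code between this hunk and the later `#endif` block that still reads `et.key` would now see an empty key — the `copy_EncryptionKey` at old line 1533 is handled by this commit, but the stretch in between is not visible here. A one-line comment at the removal point, `/* et.key is generated later, after the preauth hook has run */`, would save the next reader the search. `_kdc_as_rep` begins before and ends after this hunk.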
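Review bot: The call to `_kdc_pk_mk_pa_reply` now passes `sessionetype` and `&et.key`, but the diffstat lists only `kdc/kerberos5.c`, so the callee's prototype (in the PK-INIT source, outside this patch) must have changed in a separate commit or this hunk does not compile; the two changes should land together. Since the hook now owns session-key generation on the PK-INIT path, a hook that returns success without filling in the key would produce a ticket carrying an unusable session key; a defensive check after the call that `et.key` was actually populated (e.g. that `et.key.keyvalue.length` is non-zero, assuming Heimdal's usual EncryptionKey layout) would make that failure explicit rather than silent. `_kdc_as_rep` begins before and ends after this hunk.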
@@ -1617,8 +1616,17 @@ _kdc_as_rep(krb5_context context,
 &et);
 if (ret)
 goto out;
- }
+ } else
+ ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
+#else
+ ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
 #endif
+ if (ret)
+ goto out;
+
+ ret = copy_EncryptionKey(&et.key, &ek.key);
+ if (ret)
+ goto out;
 set_salt_padata (rep.padata, ckey->salt);