Fix check-des

The previous fix was incomplete. But it also finally uncovered an old check-des problem that I'd had once and which may have gotten papered over by changing the default of one of the *strongest* KDC parameters. The old problem is that we were passing the wrong enctype to _kdc_encode_reply(): we were passing the session key enctype where the ticket enc-part key's enctype was expected. The whole enctype being passed in is superfluous anyways. Let's clean that up next.
2011-10-12 01:15:13 -05:00
parent 12cd2c9cbd
commit 4c6976a6bd
1 changed files with 12 additions and 3 deletions
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -988,7 +988,7 @@ tgs_make_reply(krb5_context context,
       etype list, even if we don't want a session key with
       DES3? */
    ret = _kdc_encode_reply(context, config,
-			    &rep, &et, &ek, et.key.keytype,
+			    &rep, &et, &ek, serverkey->keytype,
 			    kvno,
 			    serverkey, 0, replykey, rk_is_subkey,
 			    e_text, reply);
@@ -1699,13 +1699,22 @@ server_lookup:
 	} else {
 	    Key *skey;
-	    ret = _kdc_get_preferred_key(context, config, server, spn,
+	    ret = _kdc_find_etype(context,
-					 &etype, &skey);
+				  config->tgs_use_strongest_session_key, FALSE,
 				  server, b->etype.val, b->etype.len, &etype,
 				  NULL);
 	    if(ret) {
 		kdc_log(context, config, 0,
 			"Server (%s) has no support for etypes", spn);
 		goto out;
 	    }
 	    ret = _kdc_get_preferred_key(context, config, server, spn,
 					 NULL, &skey);
 	    if(ret) {
 		kdc_log(context, config, 0,
 			"Server (%s) has no supported etypes", spn);
 		goto out;
 	    }
 	    ekey = &skey->key;
 	    kvno = server->entry.kvno;
 	}