From 6710968492406e8c396dd3a51394225c44e2c0bc Mon Sep 17 00:00:00 2001
From: "Jacques A. Vidrine" <n@nectar.com>
Date: Sun, 16 Feb 2003 06:41:25 +0000
Subject: [PATCH] [Dug this out of an email I sent November 2002.]

Currently, if the AS exchange uses PA-ENC-TIMESTAMP, a Heimdal client
will transmit the AS-REQ with one PA-ENC-TIMESTAMP for every supported
encryption type.  This is bad because:

   (1) An eavesdropper collecting this information for dictionary
       attacks will have his life made easier, since he can use
       DES (rather than a stronger crypto system).
   (2) Waste of CPU cycles on client.
   (3) (Maybe) cryptanalysis is assisted by capturing ciphtertexts
       that are known to be the same plaintext encrypted with the
       same key in several algorithms (though the confounder confounds
       this).

The KDC provides the list of etypes supported in PA-ETYPE-INFO in the
KRB-ERROR reply ... let's use the first one, eh?


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11646 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/get_in_tkt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c
index 3ee4f43a0..2fe9054df 100644
--- a/lib/krb5/get_in_tkt.c
+++ b/lib/krb5/get_in_tkt.c
@@ -542,10 +542,12 @@ init_as_req (krb5_context context,
 			    sp = NULL;
 			else
 			    krb5_data_zero(&salt.saltvalue);
-		    add_padata(context, a->padata, creds->client, 
+		    ret = add_padata(context, a->padata, creds->client, 
 			       key_proc, keyseed, 
 			       &preauth->val[i].info.val[j].etype, 1,
 			       sp);
+		    if (ret == 0)
+			break;
 		}
 	    }
 	}