[Dug this out of an email I sent November 2002.]

Currently, if the AS exchange uses PA-ENC-TIMESTAMP, a Heimdal client will transmit the AS-REQ with one PA-ENC-TIMESTAMP for every supported encryption type. This is bad because: (1) An eavesdropper collecting this information for dictionary attacks will have his life made easier, since he can use DES (rather than a stronger crypto system). (2) Waste of CPU cycles on client. (3) (Maybe) cryptanalysis is assisted by capturing ciphtertexts that are known to be the same plaintext encrypted with the same key in several algorithms (though the confounder confounds this). The KDC provides the list of etypes supported in PA-ETYPE-INFO in the KRB-ERROR reply ... let's use the first one, eh? git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11646 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-02-16 06:41:25 +00:00
parent 7005227d4a
commit 6710968492
1 changed files with 3 additions and 1 deletions
--- a/lib/krb5/get_in_tkt.c
+++ b/lib/krb5/get_in_tkt.c
@@ -542,10 +542,12 @@ init_as_req (krb5_context context,
 			    sp = NULL;
 			else
 			    krb5_data_zero(&salt.saltvalue);
-		    add_padata(context, a->padata, creds->client, 
+		    ret = add_padata(context, a->padata, creds->client, 
 			       key_proc, keyseed, 
 			       &preauth->val[i].info.val[j].etype, 1,
 			       sp);
+		    if (ret == 0)
+			break;
 		}
 	    }
 	}