_kdc_find_etype: prefer default salt for preauth
if the query is "preauth" and the caller is seeking a Key, search try to find a Key that has the default salt but do not exclude keys that have a non-default salt. Move the assignment of 'ret' and 'enctype' before the preauth default salt test. If the only key of the given type is the non-default salt key, it should be used. If the caller is not seeking a Key, do not bother with the preauth test at all since the Key itself doesn't matter and we are simply seeking an enctype. Change-Id: I7cd37c579c0bfdd88bccfbc9eb5e5f55cd1910cb
This commit is contained in:
Jeffrey Altman
@@ -172,19 +172,19 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
|
||||
|
||||
/* check target princ support */
|
||||
key = NULL;
|
||||
while (ret != 0 &&
|
||||
hdb_next_enctype2key(context, &princ->entry, NULL,
|
||||
p[i], &key) == 0) {
|
||||
if (key->key.keyvalue.length == 0) {
|
||||
ret = KRB5KDC_ERR_NULL_KEY;
|
||||
continue;
|
||||
}
|
||||
if (is_preauth && !is_default_salt_p(&def_salt, key))
|
||||
continue;
|
||||
enctype = p[i];
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
while (hdb_next_enctype2key(context, &princ->entry, NULL,
|
||||
p[i], &key) == 0) {
|
||||
if (key->key.keyvalue.length == 0) {
|
||||
ret = KRB5KDC_ERR_NULL_KEY;
|
||||
continue;
|
||||
}
|
||||
enctype = p[i];
|
||||
ret = 0;
|
||||
if (is_preauth && ret_key != NULL &&
|
||||
!is_default_salt_p(&def_salt, key))
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
@@ -210,10 +210,11 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
|
||||
ret = KRB5KDC_ERR_NULL_KEY;
|
||||
continue;
|
||||
}
|
||||
if (is_preauth && !is_default_salt_p(&def_salt, key))
|
||||
continue;
|
||||
enctype = etypes[i];
|
||||
ret = 0;
|
||||
if (is_preauth && ret_key != NULL &&
|
||||
!is_default_salt_p(&def_salt, key))
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user