From c4aa2f90674da250af99f4afbb199d653d27b1af Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Tue, 30 Jul 2013 10:46:20 -0400 Subject: [PATCH] _kdc_find_etype: prefer default salt for preauth if the query is "preauth" and the caller is seeking a Key, search try to find a Key that has the default salt but do not exclude keys that have a non-default salt. Move the assignment of 'ret' and 'enctype' before the preauth default salt test. If the only key of the given type is the non-default salt key, it should be used. If the caller is not seeking a Key, do not bother with the preauth test at all since the Key itself doesn't matter and we are simply seeking an enctype. Change-Id: I7cd37c579c0bfdd88bccfbc9eb5e5f55cd1910cb --- kdc/kerberos5.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index e26099b38..6b6ea7d49 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -172,19 +172,19 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, /* check target princ support */ key = NULL; - while (ret != 0 && - hdb_next_enctype2key(context, &princ->entry, NULL, - p[i], &key) == 0) { - if (key->key.keyvalue.length == 0) { - ret = KRB5KDC_ERR_NULL_KEY; - continue; - } - if (is_preauth && !is_default_salt_p(&def_salt, key)) - continue; - enctype = p[i]; - ret = 0; - } - } + while (hdb_next_enctype2key(context, &princ->entry, NULL, + p[i], &key) == 0) { + if (key->key.keyvalue.length == 0) { + ret = KRB5KDC_ERR_NULL_KEY; + continue; + } + enctype = p[i]; + ret = 0; + if (is_preauth && ret_key != NULL && + !is_default_salt_p(&def_salt, key)) + continue; + } + } } } else { /* 
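Review bot: The `continue` added after `ret = 0` is the last statement in the `while` body, so it has no effect, and because `ret != 0 &&` was dropped from the loop condition the loop now always runs until `hdb_next_enctype2key()` stops returning 0. Nothing records which key passed `is_default_salt_p()`, so the key left in `key` depends on how the iterator leaves it when it runs out (not shown here), and a zero-length key seen after a usable one resets `ret` to `KRB5KDC_ERR_NULL_KEY` while `enctype` stays set. The second hunk adds the same trailing `continue`; its loop header lies outside that hunk. The sketch below remembers the first usable key as a fallback and breaks on the first key that passes the salt test. It assumes `key` is what is later handed back through `ret_key`, which happens outside the hunk.

```c
/* check target princ support */
found = NULL;	/* new local, same type as key: first usable key seen */
key = NULL;
while (hdb_next_enctype2key(context, &princ->entry, NULL,
			    p[i], &key) == 0) {
    if (key->key.keyvalue.length == 0) {
	/* a null key must not undo an earlier success */
	if (found == NULL)
	    ret = KRB5KDC_ERR_NULL_KEY;
	continue;
    }
    if (found == NULL)
	found = key;
    /* … unchanged: enctype = p[i]; ret = 0; … */
    /* stop at the first key that needs no further preference */
    if (!is_preauth || ret_key == NULL ||
	is_default_salt_p(&def_salt, key)) {
	found = key;
	break;
    }
}
if (found != NULL)
    key = found;
```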
@@ -210,10 +210,11 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 ret = KRB5KDC_ERR_NULL_KEY;
 continue;
 }
- if (is_preauth && !is_default_salt_p(&def_salt, key))
- continue;
 enctype = etypes[i];
 ret = 0;
+ if (is_preauth && ret_key != NULL &&
+ !is_default_salt_p(&def_salt, key))
+ continue;
 }
 }
 }
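Review bot: The test `is_preauth && ret_key != NULL` is loop-invariant and now appears in both loops around the same selection body, so the two copies can drift apart. Computing it once, for example `krb5_boolean want_default_salt = is_preauth && ret_key != NULL;`, and placing a comment such as `/* preauth: prefer the default-salt key, but accept any usable key of this enctype */` above the test would record why `ret_key` matters here. The loop this hunk edits starts outside the hunk.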