From eb08f2ecddd9f188be49f5630bac762bcfe5bb2a Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 24 Jan 2022 10:41:51 -0500
Subject: [PATCH] kdc: _kdc_find_etype if is_preauth must use long term keys is_preauth (KFE_IS_PREAUTH is set) might require replying with PA-ETYPE-INFO[2] which requires use of the long-term keys. Without this change is_default_salt_p() can be called with 'key' eq NULL.
Change-Id: I513fa768680225d4501d8b390e349a011666d90c
---
 kdc/kerberos5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 12fa13529..c06c02599 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -266,7 +266,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
 /* check target princ support */
 key = NULL;
- if (!(flags & KFE_USE_CLIENT) && princ->etypes) {
+ if (!is_preauth && !(flags & KFE_USE_CLIENT) && princ->etypes) {
 /*
 * Use the etypes list from the server's HDB entry instead
 * of deriving it from its long-term keys. This allows an
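Review bot: The new `!is_preauth` test on the `if` is the only thing keeping the preauth path away from the etypes-list branch, yet nothing in the code says why, and the block comment under it still describes only the HDB-etypes case. A one-line comment above the condition would stop the guard from being dropped in a later cleanup, e.g. `/* preauth may have to send PA-ETYPE-INFO[2], which needs a long-term key: skip the etypes-only path */`. The call the commit message names, `is_default_salt_p()`, is outside this hunk, so it cannot be checked here whether `key` can still be NULL there by another route. If it can, an explicit `key != NULL` test at that call would be the sturdier fix, since a NULL dereference on the KDC's pre-authentication path is presumably reachable by a client that has not yet authenticated. `_kdc_find_etype` begins and ends outside the hunk, and `is_preauth` is defined outside it as well.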