authorStefan Metzmacher <metze@samba.org>2007-02-18 23:27:42 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:48:34 -0500
commit5cd79db03e143eaaa9b63a28d3f0824edb1295d2 (patch)
treed2523193897c8de4fa3fe53cb06eceba5d5b73d6 /source4/heimdal/kdc
parent760f438553d26488c529ef8c13aa7035b6f11dca (diff)
r21436: Choose the TGT session key enctype also by checking what enctypes
the krbtgt hdb entry provides. We need to make sure other KDC's with the same hdb backend data can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18) session keys.) Love: I'm not sure if this is the correct way of doing it... metze (This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/kerberos5.c24
1 files changed, 20 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index bf727ee739..0cac0765ca 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1292,19 +1292,35 @@ _kdc_as_rep(krb5_context context,
{
const krb5_enctype *p;
- int i, j;
+ int i, j, y;
p = krb5_kerberos_enctypes(context);
sessionetype = ETYPE_NULL;
for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
+ /* check it's valid */
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
- for (j = 0; j < b->etype.len; j++) {
+
+ /* check if the client supports it */
+ for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
if (p[i] == b->etype.val[j]) {
- sessionetype = p[i];
- break;
+ /*
+ * if the server (krbtgt) has explicit etypes,
+ * check if it also supports it
+ */
+ if (server->entry.etypes) {
+ for (y = 0; y < server->entry.etypes->len; y++) {
+ if (p[i] == server->entry.etypes->val[y]) {
+ sessionetype = p[i];
+ break;
+ }
+ }
+ } else {
+ sessionetype = p[i];
+ break;
+ }
}
}
}
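Review bot: In the new `if (server->entry.etypes)` branch, a krbtgt entry whose etypes list is present but empty (`len == 0`) matches nothing, so `sessionetype` stays `ETYPE_NULL` for every client, whereas an absent list accepts the first common enctype. The comment above the branch should say which of the two is intended; if an empty list is meant to behave like a missing one, the test would be `if (server->entry.etypes && server->entry.etypes->len > 0) {`. The same branch lets the krbtgt's list move the session key from the KDC's preferred enctype to a weaker one without any trace, so a comment such as `/* session key may be weaker than the KDC's first choice when the krbtgt entry restricts etypes */` would help anyone auditing enctype selection later. How a final `ETYPE_NULL` is reported is outside this hunk, because the body of `_kdc_as_rep` continues past it, so the no-match path cannot be confirmed from here. `y` is a signed `int` compared against `etypes->len`; if that field is unsigned, as generated ASN.1 sequence types usually are, an unsigned index would avoid the mixed comparison.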