From 5cd79db03e143eaaa9b63a28d3f0824edb1295d2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sun, 18 Feb 2007 23:27:42 +0000
Subject: r21436: Choose the TGT session key enctype also by checking what enctypes the krbtgt hdb entry provides. We need to make sure other KDC's with the same hdb backend data can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18) session keys.) Love: I'm not sure if this is the correct way of doing it... metze (This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)
---
source4/heimdal/kdc/kerberos5.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
(limited to 'source4/heimdal/kdc')
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index bf727ee739..0cac0765ca 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1292,19 +1292,35 @@ _kdc_as_rep(krb5_context context,
 {
 const krb5_enctype *p;
- int i, j;
+ int i, j, y;
 p = krb5_kerberos_enctypes(context);
 sessionetype = ETYPE_NULL;
 for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
+ /* check it's valid */
 if (krb5_enctype_valid(context, p[i]) != 0)
 continue;
- for (j = 0; j < b->etype.len; j++) {
+
+ /* check if the client supports it */
+ for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
 if (p[i] == b->etype.val[j]) {
- sessionetype = p[i];
- break;
+ /*
+ * if the server (krbtgt) has explicit etypes,
+ * check if it also supports it
+ */
+ if (server->entry.etypes) {
+ for (y = 0; y < server->entry.etypes->len; y++) {
+ if (p[i] == server->entry.etypes->val[y]) {
+ sessionetype = p[i];
+ break;
+ }
+ }
+ } else {
+ sessionetype = p[i];
+ break;
+ }
 }
 }
 }
-- cgit
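Review bot: The `break` inside the new innermost `y` loop only leaves that loop; leaving the `j` and `i` loops now depends entirely on the `sessionetype == ETYPE_NULL` test added to their headers, which is easy to overlook now that the old explicit `break` of the `j` loop is gone. A comment on the `for (j ...)` line, `/* both outer loops terminate once sessionetype != ETYPE_NULL */`, or moving the membership test into a small `static` helper such as `etype_in_list(p[i], server->entry.etypes)` would make the three-level nesting easier to follow. Note that when `server->entry.etypes` is set but contains no enctype shared with both the KDC list and the client's offer, `sessionetype` stays `ETYPE_NULL`; the code handling that case is outside the hunk, so presumably it still reports the no-supported-etype error as before and should be checked, since the krbtgt entry now acts as a hard constraint on TGT session-key strength. `_kdc_as_rep` begins and ends outside the hunk.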