svn commit: samba r21436 - in branches/SAMBA_4_0/source/heimdal/kdc: .

metze at samba.org
Sun Feb 18 23:27:43 GMT 2007


Author: metze
Date: 2007-02-18 23:27:42 +0000 (Sun, 18 Feb 2007)
New Revision: 21436

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21436

Log:
Choose the TGT session key enctype also by checking what enctypes
the krbtgt hdb entry provides.

We need to make sure other KDCs with the same hdb backend data
can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18)
session keys.)

Love: I'm not sure if this is the correct way of doing it...

metze
Modified:
   branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2007-02-18 22:15:50 UTC (rev 21435)
+++ branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2007-02-18 23:27:42 UTC (rev 21436)
@@ -1292,19 +1292,35 @@
 
     {
 	const krb5_enctype *p;
-	int i, j;
+	int i, j, y;
 
 	p = krb5_kerberos_enctypes(context);
 
 	sessionetype = ETYPE_NULL;
 
 	for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
+	    /* check it's valid */
 	    if (krb5_enctype_valid(context, p[i]) != 0)
 		continue;
-	    for (j = 0; j < b->etype.len; j++) {
+
+	    /* check if the client supports it */
+	    for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
 		if (p[i] == b->etype.val[j]) {
-		    sessionetype = p[i];
-		    break;
+		    /*
+		     * if the server (krbtgt) has explicit etypes,
+		     * check if it also supports it
+		     */
+		    if (server->entry.etypes) {
+		        for (y = 0; y < server->entry.etypes->len; y++) {
+			    if (p[i] == server->entry.etypes->val[y]) {
+			        sessionetype = p[i];
+			        break;
+			    }
+		        }
+		    } else {
+			sessionetype = p[i];
+			break;
+		    }
 		}
 	    }
 	}
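
Review bot: the `else` branch at the end of the client-match block still sets `sessionetype = p[i]` with no check against the krbtgt entry, so the guarantee in the log message (other KDCs sharing the hdb data can accept the TGT) only holds when the backend fills in `server->entry.etypes`; say so in the comment above `if (server->entry.etypes)`, or state which backends are expected to populate it. With the new filter the outer loop can also finish with `sessionetype == ETYPE_NULL` even though the client offered an enctype the KDC supports, so the handling after this loop (not visible in this hunk) should be checked to return a sensible error for that case. The comment calls `server` the krbtgt, but nothing in the hunk verifies that, so if this path also serves requests for other principals the session key is limited by that principal's list instead. Style: the added `for (y ...)` lines indent with a mix of tabs and spaces while the surrounding code uses tabs, and the three nested loops would read better with the krbtgt lookup pulled into a small helper.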


