/* XXX if there's padata on output, something is wrong, but it's
not obviously an error */
+ /* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY,
+ the AS_REP comes back encrypted in the user's longterm key
+ instead of in the SAD. If there was a SAM preauth, there
+ will be an as_key here which will be the SAD. If that fails,
+ use the gak_fct to get the password, and try again. */
+
/* XXX because etypes are handled poorly (particularly wrt SAM,
where the etype is fixed by the kdc), we may want to try
decrypt_as_reply twice. If there's an as_key available, try
krb5_enc_data enc_data;
krb5_pa_data *pa;
- /*
- * We need to use the password as part or all of the key.
- * If as_key contains info, it should be the users pass phrase.
- * If not, get the password before issuing the challenge.
- */
if (as_key->length == 0) {
if (ret = ((*gak_fct)(context, request->client,
request->ktype[0], prompter, prompter_data,
salt = NULL;
#endif
- /* XXX the server uses this fixed enctype, so we will, too. */
+ /* XXX As of the passwords-04 draft, no enctype is specified,
+ the server uses ENCTYPE_DES_CBC_MD5. In the future the
+ server should send a PA-SAM-ETYPE-INFO containing the enctype. */
ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
&response_data, salt, as_key);