Only generate a key if it's necessary
authorTheodore Tso <tytso@mit.edu>
Thu, 3 Jun 1993 00:13:29 +0000 (00:13 +0000)
committerTheodore Tso <tytso@mit.edu>
Thu, 3 Jun 1993 00:13:29 +0000 (00:13 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2554 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/get_in_tkt.c

index 315ad021ff5eeb9a172936e3340c6edc17b731fa..cf9f20365cbc7d863d83486d51e933d2c618a170 100644 (file)
@@ -131,6 +131,12 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply)
             * First, we get the user's key.  We assume we will need
             * it for the pre-authentication.  Actually, this could
             * possibly not be the case, but it's usually true.
+            *
+            * XXX Problem here: if we're doing preauthentication,
+            * we're getting the key before we get the KDC hit as to
+            * which salting algorithm to use; hence, we're using the
+            * default.  But if we're changing salts, because of a
+            * realm renaming, or some such, this won't work.
             */
            retval = (*key_proc)(keytype, &decrypt_key, keyseed, 0);
            if (retval)
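Review bot: The added XXX comment says "KDC hit", which looks like a typo for "KDC hint", and it leaves out the consequence a maintainer needs to know. The key is derived here with a literal `0` as the last argument of `(*key_proc)`, and after this commit the same key is reused to decrypt the reply. I would extend the comment with something like `* The key derived here (no padata) is reused to decrypt the AS reply; a KDC-supplied salt is therefore ignored.` The enclosing function begins and ends outside this hunk.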
@@ -244,11 +250,13 @@ OLDDECLARG(krb5_kdc_rep **, ret_as_reply)
 
     /* it was a kdc_rep--decrypt & check */
 
-    /* generate the key */
-    if (retval = (*key_proc)(keytype, &decrypt_key, keyseed,
-                            as_reply->padata)) {
-       krb5_free_kdc_rep(as_reply);
-       return retval;
+     /* Generate the key, if we haven't done so already. */
+    if (!decrypt_key) {
+           if (retval = (*key_proc)(keytype, &decrypt_key, keyseed,
+                                    as_reply->padata)) {
+                   krb5_free_kdc_rep(as_reply);
+                   return retval;
+           }
     }
     
     retval = (*decrypt_proc)(decrypt_key, decryptarg, as_reply);
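Review bot: The `if (!decrypt_key)` guard is only sound if `decrypt_key` is set to a null pointer before the pre-authentication branch and holds either null or a valid key on every path that reaches this point. Its declaration is outside the hunk, so confirm it is initialised there (e.g. `decrypt_key = 0;`). When the key was derived earlier, `as_reply->padata` is no longer passed to `key_proc`, so any salt information the KDC returns is presumably dropped and `(*decrypt_proc)` runs with a default-salted key. A comment at the guard would record this, for example `/* XXX a key derived on the preauth path ignores as_reply->padata; a non-default salt will fail to decrypt */`. As a style point, the assignment used as a condition reads better as `if ((retval = (*key_proc)(...)) != 0)`.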