static krb5_error_code
_make_etype_info_entry(krb5_context context,
- krb5_kdc_req *request, krb5_key_data *client_key,
+ krb5_principal client_princ, krb5_key_data *client_key,
krb5_enctype etype, krb5_etype_info_entry **entry,
int etype_info2)
{
tmp_entry->salt = 0;
tmp_entry->s2kparams.data = NULL;
tmp_entry->s2kparams.length = 0;
- retval = get_salt_from_key(context, request->client,
- client_key, &salt);
+ retval = get_salt_from_key(context, client_princ, client_key, &salt);
if (retval)
goto fail;
if (etype_info2 && client_key->key_data_ver > 1 &&
if (request_contains_enctype(context, request, db_etype)) {
assert(etype_info2 ||
!enctype_requires_etype_info_2(db_etype));
- if ((retval = _make_etype_info_entry(context, request, client_key,
- db_etype, &entry[i], etype_info2)) != 0) {
+ retval = _make_etype_info_entry(context, client->princ, client_key,
+ db_etype, &entry[i], etype_info2);
+ if (retval != 0)
goto cleanup;
- }
entry[i+1] = 0;
i++;
}
}
if (request_contains_enctype(context, request, db_etype)) {
- if ((retval = _make_etype_info_entry(context, request,
- client_key, db_etype, &entry[i], etype_info2)) != 0) {
+ retval = _make_etype_info_entry(context, client->princ,
+ client_key, db_etype,
+ &entry[i], etype_info2);
+ if (retval != 0)
goto cleanup;
- }
entry[i+1] = 0;
i++;
}
}
entry[0] = NULL;
entry[1] = NULL;
- retval = _make_etype_info_entry(context, request,
- client_key, encrypting_key->enctype,
- entry, etype_info2);
+ retval = _make_etype_info_entry(context, client->princ, client_key,
+ encrypting_key->enctype, entry,
+ etype_info2);
if (retval)
goto cleanup;
switch (client_key->key_data_type[1]) {
case KRB5_KDB_SALTTYPE_NORMAL:
+ /*
+ * The client could infer the salt from the principal, but
+ * might use the wrong principal name if this is an alias. So
+ * it's more reliable to send an explicit salt.
+ */
+ if ((retval = krb5_principal2salt(context, client, salt)))
+ return retval;
break;
case KRB5_KDB_SALTTYPE_V4:
/* send an empty (V4) salt */
projects / krb5.git / commitdiff