From: Greg Hudson Date: Sun, 4 Dec 2011 22:38:36 +0000 (+0000) Subject: Set a default enctype for optimistic preauth X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=3182d224286a5673d02eedf6847bb85dafca795d;p=krb5.git Set a default enctype for optimistic preauth When the client application requests optimistic preauth for a preauth type which uses the password, we don't have an etype-info2 to interpret since we haven't talked to the KDC. So we need to guess an enctype, salt, and s2k parameters. In 1.9 and prior, encrypted timestamp contained code to use the first requested enctype in this case, but encrypted challenge did not. In 1.10 prior to this change, neither mechanism uses a reasonable default. Set a default enctype in krb5_init_creds_init so that all password-based preauth mechanisms will use a reasonable default in the optimistic preauth case. The default salt and s2k parameters for this case will be the principal-based default salt and the enctype-based default parameters. ticket: 7033 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25504 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 8351dfd30..2dd39478a 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -938,6 +938,14 @@ krb5_init_creds_init(krb5_context context, goto cleanup; } + /* + * Set a default enctype for optimistic preauth. If we're not doing + * optimistic preauth, this should ordinarily get overwritten when we + * process the etype-info2 of the preauth-required error. + */ + if (ctx->request->nktypes > 0) + ctx->etype = ctx->request->ktype[0]; + /* addresess */ if (opte->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST) { code = krb5_copy_addresses(context, opte->address_list,