From: Sam Hartman Date: Sat, 15 Feb 2003 01:15:10 +0000 (+0000) Subject: The client sorts the enctype list returned by etype_info ordering X-Git-Tag: krb5-1.3-alpha1~86 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f75a3db8b492631632c8555ed41ba5daf5488aef;p=krb5.git The client sorts the enctype list returned by etype_info ordering enctypes that it requested or that are similar to ones it requested first. The KDC only includes enctypes in etype_info if they were requested by the client. ticket: 1006 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15191 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 346305c2e..d20710cf2 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,9 @@
+2003-02-14 Sam Hartman
+
+ * kdc_preauth.c (request_contains_enctype): New function
+ (get_etype_info): Use it to filter out enctypes not requested by
+ the client
+
 2003-02-08 Ken Hornstein
 
 * Makefile.in, configure.in, fakeka.c: New file to implement
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 1087e76c0..391bcd8bc 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1,7 +1,7 @@
 /*
 * kdc/kdc_preauth.c
 *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2003 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
@@ -431,6 +431,18 @@ cleanup:
 return (retval);
 }
 
+static krb5_boolean
+request_contains_enctype (krb5_context context, const krb5_kdc_req *request,
+ krb5_enctype enctype)
+{
+ int i;
+ for (i =0; i < request->nktypes; i++)
+ if (request->ktype[i] == enctype)
+ return 1;
+ return 0;
+}
+
+
 static krb5_error_code
 verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
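Review bot: `request_contains_enctype` takes a `krb5_context context` that its body never reads, and the new function carries no statement of its contract; a one-line comment above the definition such as `/* Return 1 if enctype is one of the request->nktypes entries in request->ktype, else 0. */` would make both the intent and the unused parameter (kept, presumably, for call-site symmetry) explicit. The `for (i =0; ...)` spacing is also off; `for (i = 0; i < request->nktypes; i++)` with braces around the nested `if` body is the conventional form.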
@@ -542,6 +554,13 @@ get_etype_info(krb5_context context, krb5_kdc_req *request,
 db_etype = ENCTYPE_DES_CBC_CRC;
 
 while (1) {
+ if (!request_contains_enctype(context,
+ request, db_etype)) {
+ if (db_etype = ENCTYPE_DES_CBC_CRC)
+ continue;
+ else break;
+ }
+
 if ((entry[i] = malloc(sizeof(krb5_etype_info_entry))) == NULL) {
 retval = ENOMEM;
 goto cleanup;
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index bc1588275..95da8d84a 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+2003-02-14 Sam Hartman
+
+ * preauth2.c (krb5_do_preauth): Sort incoming etype info based on
+ preference order in request
+
 2003-02-13 Sam Hartman
 
 * gic_keytab.c (krb5_get_as_key_keytab): Nathan Neulinger points
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index f99379fa2..34cb40f22 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995 by the Massachusetts Institute of Technology. All
+ * Copyright 1995, 2003 by the Massachusetts Institute of Technology. All
 * Rights Reserved.
 *
 * Export of this software from the United States of America may
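Review bot: `if (db_etype = ENCTYPE_DES_CBC_CRC)` in the new block assigns instead of comparing, so the condition is always true, `db_etype` is overwritten with ENCTYPE_DES_CBC_CRC, and the `else break;` can never execute. Because `continue` then re-enters `while (1)` with `db_etype` still ENCTYPE_DES_CBC_CRC, an AS request whose enctype list omits des-cbc-crc makes `request_contains_enctype` fail on every pass and the KDC never leaves the loop — a hang triggerable by any client before authentication. The comparison should read `if (db_etype == ENCTYPE_DES_CBC_CRC)`, and even then `continue` bypasses whatever code below the hunk advances `db_etype` to the next candidate (the loop body continues outside the hunk), so the skip should go to that advance step rather than back to the top of the loop.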
@@ -825,6 +825,76 @@ static const pa_types_t pa_types[] = {
 },
 };
 
+static void
+sort_etype_info(krb5_context context, krb5_kdc_req *request,
+ krb5_etype_info_entry **etype_info)
+{
+/* Originally adapted from a proposed solution in ticket 1006. This
+ * solution is not efficient, but implementing an efficient sort
+ * with a comparison function based on order in the kdc request would
+ * be difficult.*/
+ krb5_etype_info_entry *tmp;
+ int i, j, e;
+ krb5_boolean similar;
+
+ if (etype_info == NULL)
+ return;
+
+ /* First, move up etype_info_entries whose enctype exactly matches a
+ * requested enctype.
+ */
+ e = 0;
+ for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
+ {
+ if (request->ktype[i] == etype_info[e]->etype)
+ {
+ e++;
+ continue;
+ }
+ for ( j = e+1 ; etype_info[j] ; j++ )
+ if (request->ktype[i] == etype_info[j]->etype)
+ break;
+ if (etype_info[j] == NULL)
+ continue;
+
+ tmp = etype_info[j];
+ etype_info[j] = etype_info[e];
+ etype_info[e] = tmp;
+ e++;
+ }
+
+ /* Then move up etype_info_entries whose enctype is similar to a
+ * requested enctype.
+ */
+ for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
+ {
+ if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0)
+ continue;
+
+ if (similar)
+ {
+ e++;
+ continue;
+ }
+ for ( j = e+1 ; etype_info[j] ; j++ )
+ {
+ if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0)
+ continue;
+
+ if (similar)
+ break;
+ }
+ if (etype_info[j] == NULL)
+ continue;
+
+ tmp = etype_info[j];
+ etype_info[j] = etype_info[e];
+ etype_info[e] = tmp;
+ e++;
+ }
+}
+
+
 krb5_error_code
 krb5_do_preauth(krb5_context context,
 krb5_kdc_req *request,
@@ -891,6 +961,7 @@ krb5_do_preauth(krb5_context context,
 etype_info = NULL;
 break;
 }
+ sort_etype_info(context, request, etype_info);
 salt->data = (char *) etype_info[0]->salt;
 salt->length = etype_info[0]->length;
 *etype = etype_info[0]->etype;
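Review bot: `sort_etype_info` has no description of its contract, and the one explanatory comment it has sits at column 0 inside the function body rather than above the definition. A header comment should state that `etype_info` is a NULL-terminated array reordered in place, that entries whose enctype exactly matches one in `request->ktype` are moved first in request order, then entries `krb5_c_enctype_compare` reports as similar, and that the promotion swap puts the displaced entry into the promoted entry's old slot, so the relative order of the remaining tail is not preserved. Both passes repeat the same search-and-swap sequence; a small static helper taking a match predicate would remove the duplication, and a short comment on the two `!= 0) continue;` lines should say that a comparison error merely skips that candidate rather than aborting the sort.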
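Review bot: The line following the new `sort_etype_info` call dereferences `etype_info[0]` unconditionally, while `sort_etype_info` itself tolerates an array whose first element is NULL through its `etype_info[e] != NULL` loop guards, so an etype-info list with no entries is anticipated by the sort but not by its caller. With the KDC now filtering etype-info down to requested enctypes, a reply carrying an empty list seems possible when nothing matched (not visible here — to be confirmed against the KDC-side encoding path), and the client would then dereference the terminator. A guard such as `if (etype_info[0] == NULL)` taking the same path as the `etype_info = NULL; break;` branch just above would close that; krb5_do_preauth's body continues outside the hunk.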