r21436: Choose the TGT session key enctype also by checking what enctypes
authorStefan Metzmacher <metze@samba.org>
Sun, 18 Feb 2007 23:27:42 +0000 (23:27 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:48:34 +0000 (14:48 -0500)
the krbtgt hdb entry provides.

We need to make sure other KDC's with the same hdb backend data
can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18)
session keys.)

Love: I'm not sure if this is the correct way of doing it...

metze
(This used to be commit 5840f50d8954e95a7071a90a1c4dcce9ae05d77c)

source4/heimdal/kdc/kerberos5.c

index bf727ee739535b99c2817e1ff124d451e7e0a248..0cac0765ca5f01d650bbdd052b537ac1ce59fade 100644 (file)
@@ -1292,19 +1292,35 @@ _kdc_as_rep(krb5_context context,
 
     {
        const krb5_enctype *p;
-       int i, j;
+       int i, j, y;
 
        p = krb5_kerberos_enctypes(context);
 
        sessionetype = ETYPE_NULL;
 
        for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
+           /* check it's valid */
            if (krb5_enctype_valid(context, p[i]) != 0)
                continue;
-           for (j = 0; j < b->etype.len; j++) {
+
+           /* check if the client supports it */
+           for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
                if (p[i] == b->etype.val[j]) {
-                   sessionetype = p[i];
-                   break;
+                   /*
+                    * if the server (krbtgt) has explicit etypes,
+                    * check if it also supports it
+                    */
+                   if (server->entry.etypes) {
+                       for (y = 0; y < server->entry.etypes->len; y++) {
+                           if (p[i] == server->entry.etypes->val[y]) {
+                               sessionetype = p[i];
+                               break;
+                           }
+                       }
+                   } else {
+                       sessionetype = p[i];
+                       break;
+                   }
                }
            }
        }
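Review bot: The `break` after `sessionetype = p[i];` inside the `y` loop exits only that innermost loop, so the search stops there only because the `j` loop condition was extended with `&& sessionetype == ETYPE_NULL`, whereas the `else` branch stops through its own `break`; the two branches end the search by different mechanisms and the `else` `break` is now redundant, which is easy to get wrong on the next edit. Flattening the `j` body with a `server_ok` flag (below) makes both paths identical and drops one nesting level. A comment above the block stating the rule would also help, e.g. `/* pick the first KDC-preferred enctype that is valid, offered by the client and, when the krbtgt entry lists etypes, present there too; a NULL etypes list means no server-side restriction */`, because the cross-KDC compatibility this commit aims at silently falls back to the old behaviour when the hdb backend leaves `etypes` unset. `i`, `j` and `y` are `int` but are compared against `len` fields, which appear to be unsigned in the generated ASN.1 types; unsigned loop counters would avoid the sign-compare warning. What happens when `sessionetype` is still `ETYPE_NULL` after the loops, and the rest of `_kdc_as_rep`, lie outside the hunk.
```c
        int i, j, y, server_ok;
        /* … unchanged: krb5_kerberos_enctypes(), sessionetype = ETYPE_NULL, outer i loop and validity check … */
            for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
                if (p[i] != b->etype.val[j])
                    continue;
                /* the krbtgt entry, when it lists etypes, must also support it */
                server_ok = (server->entry.etypes == NULL);
                for (y = 0; !server_ok && y < server->entry.etypes->len; y++)
                    server_ok = (p[i] == server->entry.etypes->val[y]);
                if (server_ok)
                    sessionetype = p[i];
            }
```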