| commit | a2d0f8e3ee350f7db48d7bcd6eed775ff1ace6e4 | |
| author | Jeffrey Altman <jaltman@secure-endpoints.com> | |
| Sun, 28 Jul 2013 00:02:16 +0000 (27 20:02 -0400) | ||
| committer | Jeffrey Altman <jaltman@secure-endpoints.com> | |
| Mon, 29 Jul 2013 21:59:25 +0000 (29 17:59 -0400) | ||
| tree | d758eb56ee259b7525ab0b240670dfcf70d11582 | treesnapshot (tar.gz zip) |
| parent | 2a5a96d60ec464e831274fda3e3b6653de96196f | commitdiff |
_kdc_find_etype consolidation
The 'use_strongest_session_key' block and its alternate should
have similar behavior except for the order in which the enctype
lists are processed. This patchset attempts to consolidate the
exit processing and ensure that the inner loop enctype and key
validation is the same.
Bugs fixed:
1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception()
test was applied during the client enctype loop which is only
processed for acceptable enctypes. This test is moved to the
local supported enctypes loop so as not to filter out weak keys
when the service principal has an explicit exception.
2. In the 'use_strongest_session_key' case, the possibility of an
enctype having keys with more than one salt was excluded.
3. In the 'use_strongest_session_key' case, the 'key' variable was
not reset to NULL within each loop of the client enctype list.
4. In the '!use_strongest_session_key' case, the default salt test
and is_preauth was inconsistent with the 'use_strongest_session_key'
block.
With this consolidation, if no enctype is selected and the service
principal is permitted to use 1DES, then 1DES is selected. It doesn't
matter whether 'use_strongest_session_key' is in use or not.
Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739
(cherry picked from commit 8f2d779663f4b1245cd53c3a593be94f5a616513)
The 'use_strongest_session_key' block and its alternate should
have similar behavior except for the order in which the enctype
lists are processed. This patchset attempts to consolidate the
exit processing and ensure that the inner loop enctype and key
validation is the same.
Bugs fixed:
1. In the 'use_strongest_session_key' case, the _kdc_is_weak_exception()
test was applied during the client enctype loop which is only
processed for acceptable enctypes. This test is moved to the
local supported enctypes loop so as not to filter out weak keys
when the service principal has an explicit exception.
2. In the 'use_strongest_session_key' case, the possibility of an
enctype having keys with more than one salt was excluded.
3. In the 'use_strongest_session_key' case, the 'key' variable was
not reset to NULL within each loop of the client enctype list.
4. In the '!use_strongest_session_key' case, the default salt test
and is_preauth was inconsistent with the 'use_strongest_session_key'
block.
With this consolidation, if no enctype is selected and the service
principal is permitted to use 1DES, then 1DES is selected. It doesn't
matter whether 'use_strongest_session_key' is in use or not.
Change-Id: Ib57264fc8bc23df64c70d39b4f6de48beeb54739
(cherry picked from commit 8f2d779663f4b1245cd53c3a593be94f5a616513)
| kdc/kerberos5.c | diffblobblamehistory |