From: Greg Hudson Date: Tue, 13 Feb 2018 21:33:33 +0000 (-0500) Subject: Always use AS-REP enctype in PKINIT client X-Git-Tag: krb5-1.17-beta1~162 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a9bd34b97ebf794b6ddbeb17c274623b445cca4;p=thirdparty%2Fkrb5.git Always use AS-REP enctype in PKINIT client The get_etype() callback originally only returned the AS-REP enctype for PKINIT, but was changed for encrypted challenge to sometimes return the enctype from etype-info. (Encrypted challenge no longer uses the callback; PKINIT is currently the only known consumer.) Make sure to always return the AS-REP enctype if an AS-REP has been received, so that the PKINIT clpreauth module uses the correct enctype even if the KDC sends a different enctype in etype-info in violation of RFC 4120. ticket: 8642
---
diff --git a/src/include/krb5/clpreauth_plugin.h b/src/include/krb5/clpreauth_plugin.h
index 0106734ad7..e47607c4a3 100644
--- a/src/include/krb5/clpreauth_plugin.h
+++ b/src/include/krb5/clpreauth_plugin.h
@@ -84,10 +84,9 @@ typedef struct krb5_clpreauth_callbacks_st {
 int vers;
 /*
- * Get the enctype expected to be used to encrypt the encrypted portion of
- * the AS_REP packet. When handling a PREAUTH_REQUIRED error, this
- * typically comes from etype-info2. When handling an AS reply, it is
- * initialized from the AS reply itself.
+ * If an AS-REP has been received, return the enctype of the AS-REP
+ * encrypted part. Otherwise return the enctype chosen from etype-info, or
+ * the first requested enctype if no etype-info was received.
 */
 krb5_enctype (*get_etype)(krb5_context context, krb5_clpreauth_rock rock);
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 6b96fa135e..243a2084cf 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -428,7 +428,11 @@ grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size,
 static krb5_enctype
 get_etype(krb5_context context, krb5_clpreauth_rock rock)
 {
- return ((krb5_init_creds_context)rock)->etype;
+ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
+
+ if (ctx->reply != NULL)
+ return ctx->reply->enc_part.enctype;
+ return ctx->etype;
 }
 static krb5_keyblock *
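Review bot: The value returned on the new `return ctx->reply->enc_part.enctype;` line is chosen by the KDC and, per the AS-REP structure in RFC 4120, sits in the cleartext outer part of the reply, so at the point a clpreauth module such as PKINIT calls get_etype() it has not yet been authenticated by a successful decryption. Nothing in this hunk shows that this enctype has been checked against the enctypes the client requested or permits; if that validation happens elsewhere before preauth modules run, a comment here should say so, and if it only happens afterwards, the check belongs before the value is handed to modules. The `ctx->etype` fallback is now only meaningful before a reply arrives, which the code does not state; I would add above the `if`: `/* Once a reply is in hand, its enc_part enctype is authoritative (RFC 4120); ctx->etype reflects etype-info or the request only before that. */`. get_etype() is contained entirely within the hunk.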