[krbdev.mit.edu #6336] enctype negotiation - etype list
Ken Raeburn via RT
rt-comment at krbdev.mit.edu
Mon Jan 12 18:58:49 EST 2009
The current enctype negotiation code on the trunk has a funny way of
coming up with the enctype list to send.
The RFC says that if the session key is in the list, it should be at
the end.
The current code looks up the enctype list, which is ordered by
preference, and scans it for the session key type. If it finds it, it
*swaps* it with the entry at the end of the list. So if the session
key type was first on the list, it's now last, and you're telling the
application server that the enctype you'd really like to use is the
one that was originally last in your preference order.
It probably should truncate the list after the session key type, if
it's found. And, just for kicks, check and see if the session key
type is first on the list and skip enctype negotiation altogether if
it is, since we can't get a more-preferred enctype in that case.
Ken
More information about the krb5-bugs
mailing list