Ticket History #1473: ticket forwarding broken when TGS and app service have different enctypes

A heuristic added to the ticket-forwarding code to avoid problems
forwarding tickets to hosts without DES3 support has backfired. It
requested a forwarded ticket with the enctype of the session key for
talking to the service. However, if the session key and preferred
service key are, say, AES, but the TGS key is DES3 only, and we
(inappropriately) infer the supported key types from the KDB key
types, we'll decide that we can't get an AES TGT to forward. And
since that one enctype was specified in the list, we won't get any
other TGT either.

A better fix is probably to include the list of all supported
enctypes, but add the session key type and service key type to the
front of the list. (If they're in the client's permitted -- or should
it be supported? -- enctypes list; if not, I think other checks we do
on the client side will return an error, needlessly.) Make the two
enctypes we know the server supports be preferred, but not required.

In fact, the implementation on the server and KDC may support enctypes
the client doesn't know about, but I don't think we have any way to
express a willingness to accept a TGT with such a session key for
forward.

Ken

May want to modify get_cred_via_tkt interface to implement this; if so,
ticket 1429 might be able to take advantage of the revised API too.

pullups from trunk. if there is still a memory management bug
relating to [1429] it should be opened as a separate bug.


To generate a diff of this commit:



cvs diff -r1.68.2.2 -r1.68.2.3 krb5/doc/ChangeLog
cvs diff -r1.13.2.1 -r1.13.2.2 krb5/doc/definitions.texinfo
cvs diff -r1.24 -r1.24.2.1 krb5/doc/install.texinfo
cvs diff -r1.348.2.7 -r1.348.2.8 krb5/src/include/ChangeLog
cvs diff -r1.135.2.3 -r1.135.2.4 krb5/src/include/k5-int.h
cvs diff -r5.136.2.1 -r5.136.2.2 krb5/src/lib/crypto/ChangeLog
cvs diff -r5.9 -r5.9.2.1 krb5/src/lib/crypto/etypes.c
cvs diff -r5.4 -r5.4.2.1 krb5/src/lib/crypto/pbkdf2.c
cvs diff -r1.4.2.1 -r1.4.2.2 krb5/src/lib/crypto/aes/ChangeLog
cvs diff -r1.1 -r1.1.2.1 krb5/src/lib/crypto/aes/aes_s2k.c
cvs diff -r1.18 -r1.18.2.1 krb5/src/lib/crypto/dk/ChangeLog
cvs diff -r1.6 -r1.6.2.1 krb5/src/lib/crypto/dk/dk.h
cvs diff -r1.6 -r1.6.4.1 krb5/src/lib/crypto/dk/dk_decrypt.c
krb5/src/lib/crypto/dk/dk_encrypt.c
cvs diff -r1.19 -r1.19.2.1
krb5/src/lib/crypto/enc_provider/ChangeLog
cvs diff -r1.2 -r1.2.2.1 krb5/src/lib/crypto/enc_provider/aes.c
cvs diff -r1.88 -r1.88.2.1 krb5/src/lib/kadm5/ChangeLog
cvs diff -r1.35 -r1.35.2.1 krb5/src/lib/kadm5/alt_prof.c
cvs diff -r5.378.2.7 -r5.378.2.8 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.20 -r5.20.2.1 krb5/src/lib/krb5/krb/fwd_tgt.c
cvs diff -r5.47.2.1 -r5.47.2.2 krb5/src/lib/krb5/krb/gc_frm_kdc.c
cvs diff -r5.68 -r5.68.2.1 krb5/src/lib/krb5/krb/init_ctx.c
cvs diff -r1.72.2.1 -r1.72.2.2
krb5/src/tests/dejagnu/config/ChangeLog
cvs diff -r1.76.2.1 -r1.76.2.2
krb5/src/tests/dejagnu/config/default.exp