kdc: Send ETYPE-INFO2 instead of PW-SALT for validated timestamp
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 14 Dec 2021 01:19:15 +0000 (14:19 +1300)
committerJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 3 May 2023 04:13:16 +0000 (16:13 +1200)
This matches Windows behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
kdc/kerberos5.c

index a11823c217008a4fe90b9769dad70b1f047b633d..2904cd623991e419a45b67c97e706677e141d9aa 100644 (file)
@@ -76,15 +76,20 @@ realloc_method_data(METHOD_DATA *md)
 }
 
 static krb5_error_code
-set_salt_padata(METHOD_DATA *md, Salt *salt)
-{
-    PA_DATA pa; /* do not free */
+get_pa_etype_info2(krb5_context context,
+                  krb5_kdc_configuration *config,
+                  METHOD_DATA *md, Key *ckey,
+                  krb5_boolean include_salt);
 
-    if (!salt)
+static krb5_error_code
+set_salt_padata(krb5_context context,
+                krb5_kdc_configuration *config,
+                METHOD_DATA *md, Key *key)
+{
+    if (!key->salt)
         return 0;
-    pa.padata_type = salt->type;
-    pa.padata_value = salt->salt;
-    return add_METHOD_DATA(md, &pa);
+
+    return get_pa_etype_info2(context, config, md, key, TRUE);
 }
 
 const PA_DATA*
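Review bot: The name `set_salt_padata` is now misleading and the function has no comment to correct it: in this hunk it no longer appends a PW-SALT element but forwards to `get_pa_etype_info2(context, config, md, key, TRUE)`, which will surprise anyone reading the call sites in `pa_enc_chal_validate` and `pa_enc_ts_validate`. I would add a comment above the definition such as `/* Add PA-ETYPE-INFO2 (salt included) for the key that validated the pre-auth; a key without an explicit salt adds nothing. */`, and consider a rename in a follow-up. The early `return 0` when `key->salt` is NULL is carried over from the PW-SALT version; whether a key without a salt should still yield an ETYPE-INFO2 entry to match Windows cannot be told from these lines and is worth confirming. The body of `get_pa_etype_info2` is outside the hunk, and both callers propagate `ret`, so any error it can return besides allocation failure would now fail a request whose pre-authentication has already been validated.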
@@ -783,7 +788,8 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
            goto out;
                                            
         if (ret == 0)
-            ret = set_salt_padata(r->rep.padata, k->salt);
+            ret = set_salt_padata(r->context, r->config,
+                                 r->rep.padata, k);
 
        /*
         * Success
@@ -957,7 +963,8 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
     }
     free_PA_ENC_TS_ENC(&p);
 
-    ret = set_salt_padata(r->rep.padata, pa_key->salt);
+    ret = set_salt_padata(r->context, r->config,
+                         r->rep.padata, pa_key);
     if (ret == 0)
         ret = krb5_copy_keyblock_contents(r->context, &pa_key->key, &r->reply_key);
     if (ret)