kdc: use the correct kvno number for PKINIT in the AS-REP
authorStefan Metzmacher <metze@samba.org>
Wed, 14 Sep 2016 22:07:27 +0000 (00:07 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 29 Apr 2020 09:07:57 +0000 (11:07 +0200)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
kdc/kdc_locl.h
kdc/kerberos5.c

index d38d041a8f57f177fa693744b5f3154d88d0fab6..f65f3653d8afb9cd9e2f2b54c9cc67852549b55d 100644 (file)
@@ -81,6 +81,7 @@ struct astgs_request_desc {
     int validated_pa_type;
     krb5_enctype sessionetype;
     krb5_keyblock reply_key;
+    unsigned int reply_kvno;
     krb5_keyblock session_key;
 
     /* state */
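Review bot: The new `reply_kvno` field carries no comment, and its neighbours `reply_key` and `session_key` give no hint of its contract, so the rule that every assignment to `reply_key` must be paired with one to `reply_kvno` (which kerberos5.c in this commit appears to follow) lives only in the .c file; say it at the declaration: `unsigned int reply_kvno; /* kvno of reply_key; 0 when reply_key is not a versioned long-term client key (PKINIT, enc-chal) */`. Whether 0 also means "omit the kvno from the AS-REP enc-part" is decided in the encoder, which is outside this diff, so confirm that before wording the comment that way. The struct continues outside the hunk.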
index 0eebe63930f7d87a1a8ec6ccb713b15075e9880c..ad11790b8810dd218d68b22b48f6eed11320690b 100644 (file)
@@ -433,6 +433,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
        _kdc_set_e_text(r, "Failed to build PK-INIT reply");
        goto out;
     }
+    r->reply_kvno = 0;
 #if 0
     ret = _kdc_add_initial_verified_cas(r->context, r->config,
                                        pkp, &r->et);
@@ -636,6 +637,8 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
        if (ret)
            goto out;
 
+       r->reply_kvno = 0;
+
        /*
         * Success
         */
@@ -798,6 +801,12 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
     if (ret)
        return ret;
 
+    if (pa_key->mkvno != NULL) {
+       r->reply_kvno = *pa_key->mkvno;
+    } else {
+       r->reply_kvno = r->client->entry.kvno;
+    }
+
     ret = krb5_enctype_to_string(r->context, pa_key->key.keytype, &str);
     if (ret)
        str = NULL;
@@ -2052,6 +2061,8 @@ _kdc_as_rep(astgs_request_t r)
        ret = krb5_copy_keyblock_contents(r->context, &ckey->key, &r->reply_key);
        if (ret)
            goto out;
+
+       r->reply_kvno = 0;
     }
 
     if (r->clientdb->hdb_auth_status) {
@@ -2399,7 +2410,7 @@ _kdc_as_rep(astgs_request_t r)
                            r->armor_crypto, req->req_body.nonce,
                            &rep, &r->et, &r->ek, setype,
                            r->server->entry.kvno, &skey->key,
-                           r->client->entry.kvno,
+                           r->reply_kvno,
                            &r->reply_key, 0, &r->e_text, r->reply);
     if (ret)
        goto out;
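Review bot: In what appears to be the no-pre-authentication path (the `krb5_copy_keyblock_contents(..., &ckey->key, &r->reply_key)` hunk), `r->reply_kvno = 0` replaces the `r->client->entry.kvno` that the old `_kdc_encode_reply` call passed for that case; if `ckey` is the client's long-term key (its selection is outside the hunk) and the encoder omits the kvno when given 0, this silently changes the AS-REP enc-part for unpreauthenticated clients, which the commit title does not cover, and it should probably mirror the enc-ts hunk, e.g. `r->reply_kvno = ckey->mkvno ? *ckey->mkvno : r->client->entry.kvno;` if `ckey` is a `Key` like `pa_key`. In pa_enc_ts_validate, `pa_key->mkvno` is defined in hdb's Key type as the master key version number, so reading it as the client key's version relies on the backend storing the key's own version there; a comment such as `/* backends that keep several key generations report each key's own kvno via mkvno; otherwise the entry kvno applies */` would record that assumption for the next reader. `_kdc_as_rep` starts and ends outside the hunks shown.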