kdc: Send ETYPE-INFO2 instead of PW-SALT for validated timestamp

This matches Windows behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index f15592630e0f80e114545ad2469d7582700e8523..09fa3d018010dee534de1435863ca669315fa2c7 100644 (file)
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -76,15 +76,20 @@ realloc_method_data(METHOD_DATA *md)
 }
 
 static krb5_error_code
-set_salt_padata(METHOD_DATA *md, Salt *salt)
-{
-    PA_DATA pa; /* do not free */
+get_pa_etype_info2(krb5_context context,
+                  krb5_kdc_configuration *config,
+                  METHOD_DATA *md, Key *ckey,
+                  krb5_boolean include_salt);
 
-    if (!salt)
+static krb5_error_code
+set_salt_padata(krb5_context context,
+                krb5_kdc_configuration *config,
+                METHOD_DATA *md, Key *key)
+{
+    if (!key->salt)
         return 0;
-    pa.padata_type = salt->type;
-    pa.padata_value = salt->salt;
-    return add_METHOD_DATA(md, &pa);
+
+    return get_pa_etype_info2(context, config, md, key, TRUE);
 }
 
 const PA_DATA*
@@ -926,7 +931,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
        if (ret)
            return ret;
 
-       ret = set_salt_padata(r->rep.padata, k->salt);
+       ret = set_salt_padata(r->context, r->config, r->rep.padata, k);
        if (ret)
            return ret;
 
@@ -1187,7 +1192,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
     }
     free_PA_ENC_TS_ENC(&p);
 
-    ret = set_salt_padata(r->rep.padata, pa_key->salt);
+    ret = set_salt_padata(r->context, r->config, r->rep.padata, pa_key);
     if (ret == 0)
         ret = krb5_copy_keyblock_contents(r->context, &pa_key->key, &r->reply_key);
     if (ret)