diff options
Diffstat (limited to 'source4/heimdal/lib/krb5/rd_cred.c')
| -rw-r--r-- | source4/heimdal/lib/krb5/rd_cred.c | 53 |
1 files changed, 39 insertions, 14 deletions
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c index 2571591e9d..ddd5866aeb 100644 --- a/source4/heimdal/lib/krb5/rd_cred.c +++ b/source4/heimdal/lib/krb5/rd_cred.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: rd_cred.c,v 1.24 2005/07/13 08:22:50 lha Exp $"); +RCSID("$Id: rd_cred.c,v 1.25 2005/09/23 03:37:57 lha Exp $"); static krb5_error_code compare_addrs(krb5_context context, @@ -99,24 +99,49 @@ krb5_rd_cred(krb5_context context, enc_krb_cred_part_data.length = cred.enc_part.cipher.length; enc_krb_cred_part_data.data = cred.enc_part.cipher.data; } else { - if (auth_context->remote_subkey) + /* Try both subkey and session key. + * + * RFC2140 claims we should use the session key, but Heimdal + * before 0.8 used the remote subkey if it was send in the + * auth_context. + */ + + if (auth_context->remote_subkey) { ret = krb5_crypto_init(context, auth_context->remote_subkey, 0, &crypto); - else + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + } + + /* + * If there was not subkey, or we failed using subkey, + * retry using the session key + */ + if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + { + ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); - /* DK: MIT rsh */ - if (ret) - goto out; - - ret = krb5_decrypt_EncryptedData(context, - crypto, - KRB5_KU_KRB_CRED, - &cred.enc_part, - &enc_krb_cred_part_data); - - krb5_crypto_destroy(context, crypto); + if (ret) + goto out; + + ret = krb5_decrypt_EncryptedData(context, + crypto, + KRB5_KU_KRB_CRED, + &cred.enc_part, + &enc_krb_cred_part_data); + + krb5_crypto_destroy(context, crypto); + } if (ret) goto out; } |