From 1a220716768fd0ac7ade61fb35fa79bd41b59183 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 16 Aug 2003 16:25:14 +0000
Subject: [PATCH] (init_tgs_req): make generation of subkey optional on configuration parameter [realms]realm={tgs_require_subkey=bool} defaults to off. The RFC1510 weakly defines the correct behavior, so old DCE secd apparently required the subkey to be there, and MS will use it when its there. But the request isn't encrypted in the subkey, so you get to choose if you want to talk to a MS mdc or a old DCE secd.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12550 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/get_cred.c | 38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 9a0b08c10..817c2ef62 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -225,26 +225,37 @@ init_tgs_req (krb5_context context, { krb5_auth_context ac; - krb5_keyblock *key; + krb5_keyblock *key = NULL; ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; - ret = krb5_generate_subkey (context, &krbtgt->session, &key); - if (ret) { - krb5_auth_con_free (context, ac); - goto fail; - } - ret = krb5_auth_con_setlocalsubkey(context, ac, key); - if (ret) { - krb5_free_keyblock (context, key); - krb5_auth_con_free (context, ac); - goto fail; + + if (krb5_config_get_bool_default(context, NULL, FALSE, + "realms", + krbtgt->server->realm, + "tgs_require_subkey", + NULL)) + { + ret = krb5_generate_subkey (context, &krbtgt->session, &key); + if (ret) { + krb5_auth_con_free (context, ac); + goto fail; + } + + ret = krb5_auth_con_setlocalsubkey(context, ac, key); + if (ret) { + if (key) + krb5_free_keyblock (context, key); + krb5_auth_con_free (context, ac); + goto fail; + } } ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key); if (ret) { - krb5_free_keyblock (context, key); + if (key) + krb5_free_keyblock (context, key); krb5_auth_con_free (context, ac); goto fail; } @@ -256,7 +267,8 @@ init_tgs_req (krb5_context context, krbtgt, usage); if(ret) { - krb5_free_keyblock (context, key); + if (key) + krb5_free_keyblock (context, key); krb5_auth_con_free(context, ac); goto fail; }
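Review bot: `set_auth_data (context, &t->req_body, &in_creds->authdata, key)` is now reached with `key == NULL` whenever `tgs_require_subkey` is off, which is the new default. The body of set_auth_data is outside this hunk, so confirm that it tolerates a NULL key; if it encrypts non-empty `in_creds->authdata` with that key, the default configuration would hand the crypto layer a null keyblock. When the authenticator carries no subkey, the authorization data is encrypted under the ticket's session key, so the call could fall back to it: `set_auth_data (context, &t->req_body, &in_creds->authdata, key ? key : &krbtgt->session)`. init_tgs_req starts and ends outside the hunk.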
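Review bot: The guarded free `if (key) krb5_free_keyblock (context, key);` followed by `krb5_auth_con_free` and `goto fail` is repeated at this exit and at two exits in the previous hunk, so any early return added later has to remember to release the subkey by hand. A single cleanup label placed ahead of `fail`, freeing `key` when it is set and then `ac`, would keep the release of the keyblock in one place. The call that ends in `krbtgt, usage);` and the success-path handling of `key` are outside the hunk, so check there that the subkey is released exactly once.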