From 33247b62764f7f9aa777fe12495501062e0abe19 Mon Sep 17 00:00:00 2001
From: Assar Westerlund <assar@sics.se>
Date: Wed, 17 Dec 1997 01:34:25 +0000
Subject: [PATCH] (tgs_check_authenticator): RFC1510 doesn't say that the
 checksum has to be keyed, even though later drafts do.  Accept unkeyed
 checksums to be compatible with MIT.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4213 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kerberos5.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 985ca0a52..a1a964155 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -996,8 +996,16 @@ tgs_check_authenticator(krb5_auth_context ac,
 	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
 	goto out;
     }
-    if (!krb5_checksum_is_keyed(auth->cksum->cksumtype)
-	|| !krb5_checksum_is_collision_proof(auth->cksum->cksumtype)) {
+    /*
+     * according to RFC1510 it doesn't need to be keyed,
+     * but according to the latest draft it needs to.
+     */
+    if (
+#if 0
+!krb5_checksum_is_keyed(auth->cksum->cksumtype)
+	||
+#endif
+ !krb5_checksum_is_collision_proof(auth->cksum->cksumtype)) {
 	kdc_log(0, "Bad checksum type in authenticator: %d", 
 		auth->cksum->cksumtype);
 	ret =  KRB5KRB_AP_ERR_INAPP_CKSUM;