From be8c8799d8e7cb183471e750dcc273029607a54c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 14 Nov 2007 19:56:15 +0000
Subject: [PATCH] Should pass different key usage constants depending on whether or not optional sub-session key was passed by the client for the check of authorization data. The constant is used to derive "specific key" and its values are specified in 7.5.1 of RFC4120. Patch from Andy Polyakov.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22068 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/krb5tgs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index ea57b76ca..bdf89ad1d 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1166,8 +1166,10 @@ tgs_parse_request(krb5_context context,
 }
 
 if (b->enc_authorization_data) {
+ unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
 krb5_keyblock *subkey;
 krb5_data ad;
+
 ret = krb5_auth_con_getremotesubkey(context,
 ac,
 &subkey);
@@ -1178,6 +1180,7 @@ tgs_parse_request(krb5_context context,
 goto out;
 }
 if(subkey == NULL){
+ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
 ret = krb5_auth_con_getkey(context, ac, &subkey);
 if(ret) {
 krb5_auth_con_free(context, ac);
@@ -1202,7 +1205,7 @@ tgs_parse_request(krb5_context context,
 }
 ret = krb5_decrypt_EncryptedData (context,
 crypto,
- KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
+ usage,
 b->enc_authorization_data,
 &ad);
 krb5_crypto_destroy(context, crypto);
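Review bot: Nothing in the new lines documents that `usage` must always match the key that ends up in `subkey`, which is the invariant this fix rests on. The declaration in the first hunk defaults to the subkey constant, and only the `if(subkey == NULL)` fallback in the second hunk switches it to the session constant. I would add a comment above the declaration, for example `/* RFC 4120 7.5.1: usage 5 if enc-authorization-data is under the authenticator subkey, 4 if under the TGS session key; keep usage and subkey in step */`. A mismatch should only make the decrypt in the third hunk fail rather than accept anything, but a later edit that changes how `subkey` is obtained without touching `usage` would bring back the rejection of valid requests. The `if (b->enc_authorization_data)` block and tgs_parse_request continue outside these hunks, so the handling after the decrypt call is not visible here.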