From d3d5392e05cf558757e6790b63a990e693e2e62d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 28 Nov 2005 20:43:02 +0000
Subject: [PATCH] (krb5_get_forwarded_creds): use session key for delegated credentials

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16300 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/get_for_creds.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/lib/krb5/get_for_creds.c b/lib/krb5/get_for_creds.c
index a061532b3..49735b175 100644
--- a/lib/krb5/get_for_creds.c
+++ b/lib/krb5/get_for_creds.c
@@ -378,16 +378,14 @@ krb5_get_forwarded_creds (krb5_context context,
 cred.enc_part.cipher.data = buf;
 cred.enc_part.cipher.length = buf_size;
 } else {
- krb5_keyblock *key;
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
- key = auth_context->remote_subkey;
- else
- key = auth_context->keyblock;
+ /*
+ * Here older versions then 0.7.2 of Heimdal used the local or
+ * remote subkey. That is wrong, the session key should be
+ * used. Heimdal 0.7.2 and newer have code to try both in the
+ * receiving end.
+ */

- ret = krb5_crypto_init(context, key, 0, &crypto);
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
 if (ret) {
 free(buf);
 free_KRB_CRED(&cred);
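Review bot: The new call `krb5_crypto_init(context, auth_context->keyblock, 0, &crypto)` uses the session key without checking that it is set. The removed chain only read `auth_context->keyblock` when neither subkey existed, so an auth context that has a subkey but no session key now reaches this call with a NULL key for the first time. Whether krb5_crypto_init tolerates a NULL key is not visible in this hunk, so a guard that falls into the existing `if (ret)` cleanup would be safer: `if (auth_context->keyblock == NULL) ret = EINVAL; else ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);` (the error code is only a suggestion). The added comment should read "older versions than 0.7.2", and it could state that receivers older than 0.7.2 presumably cannot decrypt a credential encrypted with the session key. krb5_get_forwarded_creds starts and ends outside the hunk.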