(decrypt_authenticator): add an encryption `usage'. also try the old

(and wrong) usage of KRB5_KU_AP_REQ_AUTH for backwards compatibility (krb5_verify_ap_req2): new function for specifying the usage different from the default (KRB5_KU_AP_REQ_AUTH) git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9199 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-11-15 23:16:28 +00:00
parent dadda4470a
commit fd1fa8bd77
1 changed files with 34 additions and 3 deletions
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -68,7 +68,8 @@ static krb5_error_code
 decrypt_authenticator (krb5_context context,
 		       EncryptionKey *key,
 		       EncryptedData *enc_part,
-		       Authenticator *authenticator)
+		       Authenticator *authenticator,
+		       krb5_key_usage usage)
 {
    krb5_error_code ret;
    krb5_data plain;
@@ -78,6 +79,13 @@ decrypt_authenticator (krb5_context context,
    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret)
 	return ret;
+    ret = krb5_decrypt_EncryptedData (context,
+				      crypto,
+				      usage /* KRB5_KU_AP_REQ_AUTH */,
+				      enc_part,
+				      &plain);
+    /* for backwards compatibility, also try the old usage */
+    if (ret && usage == KRB5_KU_TGS_REQ_AUTH)
 	ret = krb5_decrypt_EncryptedData (context,
 					  crypto,
 					  KRB5_KU_AP_REQ_AUTH,
@@ -229,6 +237,28 @@ krb5_verify_ap_req(krb5_context context,
 		   krb5_flags flags,
 		   krb5_flags *ap_req_options,
 		   krb5_ticket **ticket)
+{
+    return krb5_verify_ap_req2 (context,
+				auth_context,
+				ap_req,
+				server,
+				keyblock,
+				flags,
+				ap_req_options,
+				ticket,
+				KRB5_KU_AP_REQ_AUTH);
+}
+
+krb5_error_code
+krb5_verify_ap_req2(krb5_context context,
+		    krb5_auth_context *auth_context,
+		    krb5_ap_req *ap_req,
+		    krb5_const_principal server,
+		    krb5_keyblock *keyblock,
+		    krb5_flags flags,
+		    krb5_flags *ap_req_options,
+		    krb5_ticket **ticket,
+		    krb5_key_usage usage)
 {
    krb5_ticket t;
    krb5_auth_context ac;
@@ -270,7 +300,8 @@ krb5_verify_ap_req(krb5_context context,
    ret = decrypt_authenticator (context,
 				 &t.ticket.key,
 				 &ap_req->authenticator,
-				 ac->authenticator);
+				 ac->authenticator,
+				 usage);
    if (ret)
 	goto out2;