| author | Sam Hartman <hartmans@mit.edu> | 2003-01-08 02:20:42 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2003-01-08 02:20:42 +0000 |
| commit | eec2af6fac160c29b70068e12a7acfc1a06dabb3 (patch) | |
| tree | 3cd12a0407f4a26fe21a27fcf7ae6565bf5d29e6 /src/lib/krb5 | |
| parent | 87531a653a8efaf7e4a9b126cec3e6c22ccc7efb (diff) | |
For new encryption types and for RC4, encrypt the krb_cred message in
the initial gssapi token if credentials are being delegated. For
consistency with Microsoft, we encrypt the credentials using the
session key, not the subsession key.
Ticket: 1054
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15091 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
| -rw-r--r-- | src/lib/krb5/krb/ChangeLog | 2 | ||||
| -rw-r--r-- | src/lib/krb5/krb/mk_req_ext.c | 17 |
2 files changed, 10 insertions, 9 deletions
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 997292fe4..b3fb0ddec 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,7 +1,7 @@ 2003-01-07 Sam Hartman <hartmans@mit.edu> * mk_req_ext.c (krb5_mk_req_extended): Fix logic error in checksum function handling - + (krb5_mk_req_extended): For consistency with Microsoft, never use a subkey before calling the checksum callback 2003-01-06 Sam Hartman <hartmans@mit.edu> diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index a6510019d..1ed14a922 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -121,6 +121,15 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, /* generate subkey if needed */ + if (!in_data &&(*auth_context)->checksum_func) { + retval = (*auth_context)->checksum_func( context, + *auth_context, + (*auth_context)->checksum_func_data, + &in_data); + if (retval) + goto cleanup; + } + if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) { /* Provide some more fodder for random number code. This isn't strong cryptographically; the point here is not @@ -140,14 +149,6 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup; } - if (!in_data &&(*auth_context)->checksum_func) { - retval = (*auth_context)->checksum_func( context, - *auth_context, - (*auth_context)->checksum_func_data, - &in_data); - if (retval) - goto cleanup_cksum; - } if (in_data) { |
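Review bot: In the first mk_req_ext.c hunk the context comment `/* generate subkey if needed */` now sits directly above the checksum callback instead of the subkey code, and nothing in the added block records that this ordering is deliberate. I would move that comment down to the `AP_OPTS_USE_SUBKEY` test and put `/* Run the checksum callback before any subkey exists so a delegated KRB-CRED is encrypted under the session key (Microsoft interop). */` above the added `if`, so a later reorder does not silently change which key protects forwarded credentials. The ordering only helps when the auth context arrives without a subkey: the `!(*auth_context)->local_subkey` test just below implies a caller may already have set one, and whether the callback would then pick it up is not visible here, so that case deserves a check or a sentence in the comment. The switch from `goto cleanup_cksum` to `goto cleanup` looks right if the state released at `cleanup_cksum` is not yet set up at this point, but krb5_mk_req_extended starts and ends outside both hunks, so that cannot be confirmed from the diff.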
