Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/krb5/krb/decode_kdc.c | 6 | ||||
-rw-r--r-- | src/lib/krb5/krb/gc_via_tkt.c | 14 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 |
3 files changed, 13 insertions, 8 deletions
diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c
index a75bbf266..689e2a241 100644
--- a/src/lib/krb5/krb/decode_kdc.c
+++ b/src/lib/krb5/krb/decode_kdc.c
@@ -43,17 +43,15 @@
 */
 krb5_error_code
-krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep)
+krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
+ krb5_keyusage usage, krb5_kdc_rep **dec_rep)
 {
 krb5_error_code retval;
 krb5_kdc_rep *local_dec_rep;
- krb5_keyusage usage;
 if (krb5_is_as_rep(enc_rep)) {
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
 retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
 } else if (krb5_is_tgs_rep(enc_rep)) {
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
 retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
 } else {
 return KRB5KRB_AP_ERR_MSG_TYPE;
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index e8dbd97fe..83c8026fc 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -290,9 +290,17 @@ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
 goto error_4;
 }
- if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response,
- subkey, &dec_rep)))
- goto error_4;
+ /* Unfortunately, Heimdal at least up through 1.2 encrypts using
+ the session key not the subsession key. So we try both. */
+ if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+ subkey,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+ if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+ &tkt->keyblock,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+ retval = 0;
+ else goto error_4;
+ }
 if (dec_rep->msg_type != KRB5_TGS_REP) {
 retval = KRB5KRB_AP_ERR_MSG_TYPE;
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 45e5002f0..bd50fddb5 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
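Review bot: In decode_kdc.c, krb5int_decode_tgs_rep keeps the `krb5_is_as_rep` branch even though the key usage is now chosen by the caller, so an AS-REP passed in would be decoded and handled under a TGS key usage instead of being rejected up front. The one caller visible on this page does check `dec_rep->msg_type != KRB5_TGS_REP`, but only after the decode call has returned. Consider returning `KRB5KRB_AP_ERR_MSG_TYPE` unless `krb5_is_tgs_rep(enc_rep)` holds, and add a header comment stating that `usage` must be the key usage that corresponds to `key` (subkey or session key). The function body continues past the end of the hunk, so how `usage` reaches the decrypt step is not visible here.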
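Review bot: In gc_via_tkt.c, the session-key fallback in krb5_get_cred_via_tkt runs on any nonzero return from the first krb5int_decode_tgs_rep call, so a malformed reply or an allocation failure also triggers a second decode attempt under `&tkt->keyblock`. The retry would be tighter if gated on the error the decrypt path returns for a wrong key, presumably `if (retval == KRB5KRB_AP_ERR_BAD_INTEGRITY)` (to be confirmed against the decrypt code, which is not shown). The comment could also record that accepting the session key is an interoperability concession, since such a reply is no longer bound to this request's subkey. Bracing both arms instead of `else goto error_4;` on one line would make the nested condition easier to audit. The function starts and ends outside the hunk.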
@@ -185,7 +185,6 @@ krb5_copy_ticket
 krb5_create_secure_file
 krb5_crypto_us_timeofday
 krb5_decode_authdata_container
-krb5_decode_kdc_rep
 krb5_decode_ticket
 krb5_decrypt_tkt_part
 krb5_default_pwd_prompt1 |