3 files changed, 67 insertions, 25 deletions

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index c3c12e150..3e60282f1 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,19 @@
+Wed Jan  3 21:32:59 1996  Theodore Y. Ts'o  <tytso@dcl>
+
+	* rd_cred.c (krb5_rd_cred_basic): When the keyblock is NULL,
+		assume we're being called from the gssapi code, which
+		doesn't have access to the sender or receive address
+		information, don't check the sender address, since it
+		won't be available.
+
+	* rd_cred.c (decrypt_credencdata): When calling krb5_rd_credd(),
+		if the keyblock is null, just copy the encoded structure
+		from the "ciphertext" part of the structure and decode it.
+
+	* mk_cred.c (encrypt_credencpart):  When calling krb5_mk_cred(), if
+		the keyblock is NULL, don't encrypt it; just encode it and
+		leave it in the ciphertext area of the structure.
+
 Thu Dec 21 18:47:54 1995  Theodore Y. Ts'o  <tytso@dcl>
 
 	* rd_rep.c (krb5_rd_rep): Change use of
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 5e399a106..6c0162dda 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -31,13 +31,24 @@ encrypt_credencpart(context, pcredpart, pkeyblock, pencdata)
     krb5_encrypt_block 	  eblock;
     krb5_data 		* scratch;
 
-    if (!valid_enctype(pkeyblock->enctype))
+    if (pkeyblock && !valid_enctype(pkeyblock->enctype))
     	return KRB5_PROG_ETYPE_NOSUPP;
 
     /* start by encoding to-be-encrypted part of the message */
     if ((retval = encode_krb5_enc_cred_part(pcredpart, &scratch)))
     	return retval;
 
+    /*
+     * If the keyblock is NULL, just copy the data from the encoded
+     * data to the ciphertext area.
+     */
+    if (pkeyblock == NULL) {
+	    pencdata->ciphertext.data = scratch->data;
+	    pencdata->ciphertext.length = scratch->length;
+	    krb5_xfree(scratch);
+	    return 0;
+    }
+
     /* put together an eblock for this encryption */
 
     pencdata->kvno = 0;
@@ -169,7 +180,9 @@ krb5_mk_ncred_basic(context, ppcreds, nppcreds, keyblock,
     credenc.ticket_info[i] = NULL;
     pcred->tickets[i] = NULL;
 
-    retval = encrypt_credencpart(context, &credenc, keyblock, &pcred->enc_part);
+    /* encrypt the credential encrypted part */
+    retval = encrypt_credencpart(context, &credenc, keyblock,
+				 &pcred->enc_part);
 
 cleanup_info_ptrs:
     free(tmp);
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index a1775f141..d515b7b60 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -23,31 +23,37 @@ decrypt_credencdata(context, pcred, pkeyblock, pcredenc)
     krb5_error_code 	  retval;
     krb5_data 		  scratch;
 
-    if (!valid_enctype(pcred->enc_part.enctype))
-    	return KRB5_PROG_ETYPE_NOSUPP;
-
-    /* put together an eblock for this decryption */
-    krb5_use_enctype(context, &eblock, pcred->enc_part.enctype);
     scratch.length = pcred->enc_part.ciphertext.length;
-    
     if (!(scratch.data = (char *)malloc(scratch.length))) 
-        return ENOMEM;
+	return ENOMEM;
+
+    if (pkeyblock != NULL) {
+	if (!valid_enctype(pcred->enc_part.enctype)) {
+	    free(scratch.data);
+	    return KRB5_PROG_ETYPE_NOSUPP;
+	}
 
-    /* do any necessary key pre-processing */
-    if ((retval = krb5_process_key(context, &eblock, pkeyblock)))
-    	goto cleanup;
+	/* put together an eblock for this decryption */
+	krb5_use_enctype(context, &eblock, pcred->enc_part.enctype);
     
-    /* call the decryption routine */
-    if ((retval = krb5_decrypt(context, 
-			       (krb5_pointer) pcred->enc_part.ciphertext.data,
-			       (krb5_pointer) scratch.data,
-			       scratch.length, &eblock, 0))) {
-      	(void)krb5_finish_key(context, &eblock);
-      	goto cleanup;
-    }
+	/* do any necessary key pre-processing */
+	if ((retval = krb5_process_key(context, &eblock, pkeyblock)))
+	    goto cleanup;
+    
+	/* call the decryption routine */
+	if ((retval = krb5_decrypt(context, 
+			   (krb5_pointer) pcred->enc_part.ciphertext.data,
+			   (krb5_pointer) scratch.data,
+			   scratch.length, &eblock, 0))) {
+	    (void)krb5_finish_key(context, &eblock);
+	    goto cleanup;
+	}
 
-    if ((retval = krb5_finish_key(context, &eblock)))
-    	goto cleanup;
+	if ((retval = krb5_finish_key(context, &eblock)))
+	    goto cleanup;
+    } else {
+	memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
+    }
 
     /*  now decode the decrypted stuff */
     if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
@@ -92,9 +98,16 @@ krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
     if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
 	goto cleanup_cred;
 
-    if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
-        retval = KRB5KRB_AP_ERR_BADADDR;
-        goto cleanup_cred;
+    /*
+     * Only check the remote address if the KRB_CRED message was
+     * protected by encryption.  If it came in the checksum field of
+     * an init_sec_context message, skip over this check.
+     */
+    if (pkeyblock != NULL) {
+	if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
+	    retval = KRB5KRB_AP_ERR_BADADDR;
+	    goto cleanup_cred;
+	}
     }
 
     if (encpart.r_address) {