If we get a KRB5KRB_AP_ERR_BAD_INTEGRITY on a TGS req with

a key usage of KRB5_KU_TGS_REQ_AUTH, then try again with a
key usage of KRB5_KU_AP_REQ_AUTH.  This addresses an interop
issue between new kinit(1) (0.3e) and older KDCs (such as 0.3a).

Patch from assar@netbsd.org; see discussion on current-users.
This commit is contained in:
thorpej 2001-03-12 19:25:51 +00:00
parent bee147163e
commit 9ab0878e2a

View File

@ -33,7 +33,7 @@
#include <krb5_locl.h>
RCSID("$Id: get_cred.c,v 1.1.1.3 2001/02/11 13:51:44 assar Exp $");
RCSID("$Id: get_cred.c,v 1.2 2001/03/12 19:25:51 thorpej Exp $");
/*
* Take the `body' and encode it into `padata' using the credentials
@ -45,7 +45,8 @@ make_pa_tgs_req(krb5_context context,
krb5_auth_context ac,
KDC_REQ_BODY *body,
PA_DATA *padata,
krb5_creds *creds)
krb5_creds *creds,
krb5_key_usage usage)
{
u_char *buf;
size_t buf_size;
@ -83,7 +84,8 @@ make_pa_tgs_req(krb5_context context,
ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
&padata->padata_value,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
KRB5_KU_TGS_REQ_AUTH);
usage
/* KRB5_KU_TGS_REQ_AUTH */);
out:
free (buf);
if(ret)
@ -162,7 +164,8 @@ init_tgs_req (krb5_context context,
krb5_creds *krbtgt,
unsigned nonce,
krb5_keyblock **subkey,
TGS_REQ *t)
TGS_REQ *t,
krb5_key_usage usage)
{
krb5_error_code ret;
@ -266,7 +269,8 @@ init_tgs_req (krb5_context context,
ac,
&t->req_body,
t->padata->val,
krbtgt);
krbtgt,
usage);
if(ret) {
krb5_free_keyblock (context, key);
krb5_auth_con_free(context, ac);
@ -366,13 +370,14 @@ decrypt_tkt_with_subkey (krb5_context context,
}
static krb5_error_code
get_cred_kdc(krb5_context context,
get_cred_kdc_usage(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
krb5_addresses *addresses,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_creds *out_creds)
krb5_creds *out_creds,
krb5_key_usage usage)
{
TGS_REQ req;
krb5_data enc;
@ -407,7 +412,8 @@ get_cred_kdc(krb5_context context,
krbtgt,
nonce,
&subkey,
&req);
&req,
usage);
if(flags.b.enc_tkt_in_skey)
free_Ticket(&second_ticket);
if (ret)
@ -506,6 +512,25 @@ out:
}
static krb5_error_code
get_cred_kdc(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
krb5_addresses *addresses,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_creds *out_creds)
{
krb5_error_code ret;
ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
krbtgt, out_creds, KRB5_KU_TGS_REQ_AUTH);
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
krbtgt, out_creds, KRB5_KU_AP_REQ_AUTH);
return ret;
}
/* same as above, just get local addresses first */
static krb5_error_code