Diffstat (limited to 'src/lib/krb5/krb/decode_kdc.c')
-rw-r--r-- | src/lib/krb5/krb/decode_kdc.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c
index 71e01a8..60c9838 100644
--- a/src/lib/krb5/krb/decode_kdc.c
+++ b/src/lib/krb5/krb/decode_kdc.c
@@ -48,18 +48,28 @@ krb5_decode_kdc_rep(context, enc_rep, key, dec_rep)
 {
 krb5_error_code retval;
 krb5_kdc_rep *local_dec_rep;
+ krb5_keyusage usage;
- if (krb5_is_as_rep(enc_rep))
+ if (krb5_is_as_rep(enc_rep)) {
+ usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
 retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
- else if (krb5_is_tgs_rep(enc_rep))
+ } else if (krb5_is_tgs_rep(enc_rep)) {
+ usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY;
+ /* KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY would go here, except
+ that this client code base doesn't ever put a subkey in the
+ tgs_req authenticator, so the tgs_rep is never encrypted in
+ one. (Check send_tgs.c:krb5_send_tgs_basic(), near the top
+ where authent.subkey is set to 0) */
 retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
- else
+ } else {
 return KRB5KRB_AP_ERR_MSG_TYPE;
+ }
 if (retval)
 return retval;
- if (retval = krb5_kdc_rep_decrypt_proc(context, key, 0, local_dec_rep))
+ if (retval = krb5_kdc_rep_decrypt_proc(context, key, &usage,
+ local_dec_rep))
 krb5_free_kdc_rep(context, local_dec_rep);
 else
 *dec_rep = local_dec_rep; |
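Review bot: The TGS branch hard-codes `KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY`, but this function receives `key` from its caller and cannot tell a session key from a subkey, so the choice rests on an invariant in send_tgs.c that nothing here enforces. Key usage values are what keep a ciphertext produced for one message type from being accepted as another, so a mismatch should fail closed inside krb5_kdc_rep_decrypt_proc (not visible in this hunk) and surface as a decrypt error rather than a bypass; the cost is a hard-to-diagnose failure if a subkey is ever sent or a caller passes one. I would state the contract where callers see it, in the function's header comment: `/* For a TGS-REP, key must be the TGT session key; a reply encrypted in an authenticator subkey needs KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY and is not handled here. */`. `&usage` is the address of a local, which is fine only if the decrypt proc does not keep the pointer after it returns; presumably it does not, but that is worth confirming. The function's signature and its end are outside the hunk.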