For now check incoming interrealm stuff with both keyusages because it

turns out that derived-key stuff actually worked if you were using heimdal.
author: Karl Ramm <kcr@1ts.org> 2009-08-27 14:42:48 +0000
committer: Karl Ramm <kcr@1ts.org> 2009-08-27 14:42:48 +0000
commit: 1e5013d3fee3f3a6c86a9081f3986449ed17ebe2 (patch)
tree: 81863b698a574d6522e93e29af3550f31cc15a2b /server
parent: 9356c4d643c26806c5c231a86a53c57d606fef9f (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/server/kstuff.c b/server/kstuff.c
index 65f08ca..5f9cc4f 100644
--- a/server/kstuff.c
+++ b/server/kstuff.c
@@ -561,6 +561,12 @@ ZCheckSrvAuthentication(ZNotice_t *notice,
 				Z_KEYUSAGE_CLT_CKSUM,
 				asn1_data, asn1_len);
 
+    /* XXX compatibility with unreleased interrealm krb5; drop in 3.1 */
+    if (!valid && realm)
+	valid = Z_krb5_verify_cksum(keyblock, &cksumbuf, cksumtype,
+				    Z_KEYUSAGE_SRV_CKSUM,
+				    asn1_data, asn1_len);
+
     free(asn1_data);
     krb5_auth_con_free(Z_krb5_ctx, authctx);
     krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
author	Karl Ramm <kcr@1ts.org>	2009-08-27 14:42:48 +0000
committer	Karl Ramm <kcr@1ts.org>	2009-08-27 14:42:48 +0000
commit	1e5013d3fee3f3a6c86a9081f3986449ed17ebe2 (patch)
tree	81863b698a574d6522e93e29af3550f31cc15a2b /server
parent	9356c4d643c26806c5c231a86a53c57d606fef9f (diff)