From 1e5013d3fee3f3a6c86a9081f3986449ed17ebe2 Mon Sep 17 00:00:00 2001
From: Karl Ramm <kcr@1ts.org>
Date: Thu, 27 Aug 2009 14:42:48 +0000
Subject: For now check incoming interrealm stuff with both keyusages because
 it turns out that derived-key stuff actually worked if you were using
 heimdal.

---
 server/kstuff.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'server/kstuff.c')

diff --git a/server/kstuff.c b/server/kstuff.c
index 65f08ca..5f9cc4f 100644
--- a/server/kstuff.c
+++ b/server/kstuff.c
@@ -561,6 +561,12 @@ ZCheckSrvAuthentication(ZNotice_t *notice,
 				Z_KEYUSAGE_CLT_CKSUM,
 				asn1_data, asn1_len);
 
+    /* XXX compatibility with unreleased interrealm krb5; drop in 3.1 */
+    if (!valid && realm)
+	valid = Z_krb5_verify_cksum(keyblock, &cksumbuf, cksumtype,
+				    Z_KEYUSAGE_SRV_CKSUM,
+				    asn1_data, asn1_len);
+
     free(asn1_data);
     krb5_auth_con_free(Z_krb5_ctx, authctx);
     krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
-- 
cgit v1.2.3