pull up r22325 from trunk

------------------------------------------------------------------------
r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines
Changed paths:
   M /trunk/src/include/k5-int.h
   M /trunk/src/lib/krb5/krb/decode_kdc.c
   M /trunk/src/lib/krb5/krb/gc_via_tkt.c
   M /trunk/src/lib/krb5/libkrb5.exports

Subject: Try decrypting using session key if subkey fails in tgs rep handling
ticket: 6484
Tags: pullup
Target_Version: 1.7

Heimdal at least up through 1.2 incorrectly encrypts the TGS response in the session key not the subkey when a subkey is supplied. See RFC 4120 page 35. Work around this by trying decryption using the session key after the subkey fails.

* decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for TGS and now needs to take keyusage
* gc_via_tkt: pass in session key and appropriate usage if subkey fails.

Note that the dead code to process AS responses in decode_kdc_rep is not removed by this commit. That will be removed as FAST TGS client support is integrated post 1.7.

https://github.com/krb5/krb5/commit/3ed57da7e3beff1e3841f0744292476ba729fe67

Commit By: tlyu
Revision: 22340
Changed Files:
U branches/krb5-1-7/src/include/k5-int.h
U branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c
U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c
U branches/krb5-1-7/src/lib/krb5/libkrb5.exports
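
The fallback order described in the commit message, as an added sketch that is not the krb5 code from r22325. The cipher is a toy FNV-based stand-in rather than a real enctype, all function names are hypothetical, and the key usages 9 (subkey) and 8 (session key) are taken from RFC 4120 section 7.5.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key usages for the TGS-REP encrypted part (RFC 4120 section 7.5.1). */
enum { USAGE_SESSKEY = 8, USAGE_SUBKEY = 9, KEYLEN = 16, TAGLEN = 4 };

/* Toy keyed hash (FNV-1a over key, usage, message). NOT real cryptography;
 * it stands in for an enctype's integrity-checked decryption. */
static uint32_t toy_mac(const uint8_t *key, int usage, const uint8_t *m, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEYLEN; i++) h = (h ^ key[i]) * 16777619u;
    h = (h ^ (uint8_t)usage) * 16777619u;
    for (size_t i = 0; i < n; i++) h = (h ^ m[i]) * 16777619u;
    return h;
}

/* XOR keystream bound to (key, usage); the same call encrypts and decrypts. */
static void toy_xor(const uint8_t *key, int usage, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (uint8_t)toy_mac(key, usage, (const uint8_t *)&i, sizeof i);
}

/* KDC side: writes n ciphertext bytes followed by a 4-byte tag into ct. */
void toy_seal(const uint8_t *key, int usage, const uint8_t *pt, size_t n, uint8_t *ct) {
    uint32_t tag = toy_mac(key, usage, pt, n);
    toy_xor(key, usage, pt, ct, n);
    memcpy(ct + n, &tag, TAGLEN);
}

/* Returns 0 when the tag verifies under (key, usage); pt is meaningful only then. */
int toy_open(const uint8_t *key, int usage, const uint8_t *ct, size_t len, uint8_t *pt) {
    uint32_t tag;
    if (len < TAGLEN) return -1;
    toy_xor(key, usage, ct, pt, len - TAGLEN);
    memcpy(&tag, ct + len - TAGLEN, TAGLEN);
    return tag == toy_mac(key, usage, pt, len - TAGLEN) ? 0 : -1;
}

/* Client side: subkey first (RFC behaviour), session key only as the fallback.
 * Returns the usage that verified (9 or 8), or -1 if neither key opens it. */
int open_tgs_rep(const uint8_t *subkey, const uint8_t *sesskey,
                 const uint8_t *ct, size_t len, uint8_t *pt) {
    if (subkey && toy_open(subkey, USAGE_SUBKEY, ct, len, pt) == 0)
        return USAGE_SUBKEY;
    if (toy_open(sesskey, USAGE_SESSKEY, ct, len, pt) == 0)
        return USAGE_SESSKEY;
    return -1;
}
```

The session-key attempt runs only after the subkey attempt fails its integrity check, so a reply from a KDC that follows the RFC never reaches the fallback path.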