1 files changed, 15 insertions, 6 deletions

diff --git a/crypto/heimdal/lib/krb5/rd_safe.c b/crypto/heimdal/lib/krb5/rd_safe.c
index fb7cc2d..07628d9 100644
--- a/crypto/heimdal/lib/krb5/rd_safe.c
+++ b/crypto/heimdal/lib/krb5/rd_safe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_safe.c,v 1.19 2000/02/06 05:20:51 assar Exp $");
+RCSID("$Id: rd_safe.c,v 1.23 2001/01/19 04:25:37 assar Exp $");
 
 static krb5_error_code
 verify_checksum(krb5_context context,
@@ -65,7 +65,9 @@ verify_checksum(krb5_context context,
 			   buf_size,
 			   safe,
 			   &len);
-    krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+    if (ret)
+	goto out;
     ret = krb5_verify_checksum (context,
 				crypto,
 				KRB5_KU_KRB_SAFE_CKSUM,
@@ -144,13 +146,20 @@ krb5_rd_safe(krb5_context context,
   }
   /* XXX - check replay cache */
 
-  /* check sequence number */
+  /* check sequence number. since MIT krb5 cannot generate a sequence
+     number of zero but instead generates no sequence number, we accept that
+  */
+
   if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
-      if (safe.safe_body.seq_number == NULL ||
-	  *safe.safe_body.seq_number != ++auth_context->remote_seqnumber) {
+      if ((safe.safe_body.seq_number == NULL
+	   && auth_context->remote_seqnumber != 0)
+	  || (safe.safe_body.seq_number != NULL
+	      && *safe.safe_body.seq_number !=
+	      auth_context->remote_seqnumber)) {
 	  ret = KRB5KRB_AP_ERR_BADORDER;
 	  goto failure;
       }
+      auth_context->remote_seqnumber++;
   }
 
   ret = verify_checksum (context, auth_context, &safe);