krb5 commit: Fix KDC choice to send encrypted S4U_X509_USER
Greg Hudson
ghudson at mit.edu
Mon Jun 29 12:48:21 EDT 2020
https://github.com/krb5/krb5/commit/d4272f3f29ddbd6268c21be73887cd5b20326dd5
commit d4272f3f29ddbd6268c21be73887cd5b20326dd5
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Jun 23 13:30:59 2020 -0400
Fix KDC choice to send encrypted S4U_X509_USER
The KDC's decision to send a PA_S4U_X509_USER entry in encrypted
padata has no connection to the client USE_REPLY_KEY_USAGE flag. Only
conditionalize on the enctype.
ticket: 8920 (new)
src/kdc/kdc_util.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index b3bca52..3f4ba32 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1400,8 +1400,7 @@ kdc_make_s4u2self_rep(krb5_context context,
* enctypes, including rc4-hmac. A forthcoming workaround for this
* includes the checksum bytes in the encrypted padata.
*/
- if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) &&
- enctype_requires_etype_info_2(enctype) == FALSE) {
+ if (enctype_requires_etype_info_2(enctype) == FALSE) {
code = k5_alloc_pa_data(KRB5_PADATA_S4U_X509_USER,
req_s4u_user->cksum.length +
rep_s4u_user.cksum.length, &pa);
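Review bot: The comment above the rewritten condition in kdc_make_s4u2self_rep() does not record that the encrypted PA_S4U_X509_USER entry is now sent on enctype alone, independent of the client's KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE option. A sentence there saying the flag is deliberately not consulted would keep a later reader from reintroducing the check. The diffstat touches only src/kdc/kdc_util.c, so nothing exercises the newly reachable path. Consider adding a test for an S4U2Self request that omits the flag and uses an enctype for which enctype_requires_etype_info_2() is false (the comment names rc4-hmac), asserting that the encrypted padata is present. As a style point, `enctype_requires_etype_info_2(enctype) == FALSE` could be written `!enctype_requires_etype_info_2(enctype)` now that it is the whole condition.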