Interop with Heimdal KDC for S4U2Self requests

[MS-SFU] 3.1.5.1.1.1 says the KDC SHOULD send PA_S4U_X509_USER pa-data
if the TGT session key is of a newer enctype.  Our S4U2Self client
code has enforced this clause as if it were a MUST.  For consistency
with Microsoft and interoperability with Heimdal (which does not
implement PA_S4U_X509_USER), stop enforcing this constraint.

[ghudson@mit.edu: compressed code slightly; wrote commit message]

ticket: 8919 (new)

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 1f0ab8516015300b4763e229cfb3c41a48d16f05..5c2b6ff35e21cb555be3ee177f4b5d5b5f796562 100644 (file)
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -302,16 +302,11 @@ verify_s4u2self_reply(krb5_context context,
                                           enc_padata,
                                           KRB5_PADATA_S4U_X509_USER);
 
-    /* XXX this will break newer enctypes with a MIT 1.7 KDC */
     rep_s4u_padata = krb5int_find_pa_data(context,
                                           rep_padata,
                                           KRB5_PADATA_S4U_X509_USER);
-    if (rep_s4u_padata == NULL) {
-        if (not_newer == FALSE || enc_s4u_padata != NULL)
-            return KRB5_KDCREP_MODIFIED;
-        else
-            return 0;
-    }
+    if (rep_s4u_padata == NULL)
+        return (enc_s4u_padata != NULL) ? KRB5_KDCREP_MODIFIED : 0;
 
     data.length = rep_s4u_padata->length;
     data.data = (char *)rep_s4u_padata->contents;