From: Isaac Boukris Date: Tue, 9 Jun 2020 22:32:56 +0000 (+0300) Subject: Interop with Heimdal KDC for S4U2Self requests X-Git-Tag: krb5-1.19-beta1~61 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1083%2Fhead;p=thirdparty%2Fkrb5.git Interop with Heimdal KDC for S4U2Self requests [MS-SFU] 3.1.5.1.1.1 says the KDC SHOULD send PA_S4U_X509_USER pa-data if the TGT session key is of a newer enctype. Our S4U2Self client code has enforced this clause as if it were a MUST. For consistency with Microsoft and interoperability with Heimdal (which does not implement PA_S4U_X509_USER), stop enforcing this constraint. [ghudson@mit.edu: compressed code slightly; wrote commit message] ticket: 8919 (new) --- diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index 1f0ab85160..5c2b6ff35e 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -302,16 +302,11 @@ verify_s4u2self_reply(krb5_context context, enc_padata, KRB5_PADATA_S4U_X509_USER); - /* XXX this will break newer enctypes with a MIT 1.7 KDC */ rep_s4u_padata = krb5int_find_pa_data(context, rep_padata, KRB5_PADATA_S4U_X509_USER); - if (rep_s4u_padata == NULL) { - if (not_newer == FALSE || enc_s4u_padata != NULL) - return KRB5_KDCREP_MODIFIED; - else - return 0; - } + if (rep_s4u_padata == NULL) + return (enc_s4u_padata != NULL) ? KRB5_KDCREP_MODIFIED : 0; data.length = rep_s4u_padata->length; data.data = (char *)rep_s4u_padata->contents;