From: Greg Hudson Date: Tue, 23 Jun 2020 17:30:59 +0000 (-0400) Subject: Fix KDC choice to send encrypted S4U_X509_USER X-Git-Tag: krb5-1.19-beta1~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1089%2Fhead;p=thirdparty%2Fkrb5.git Fix KDC choice to send encrypted S4U_X509_USER The KDC's decision to send a PA_S4U_X509_USER entry in encrypted padata has no connection to the client USE_REPLY_KEY_USAGE flag. Only conditionalize on the enctype. ticket: 8920 (new) --- diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index b3bca52b12..3f4ba32a63 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -1400,8 +1400,7 @@ kdc_make_s4u2self_rep(krb5_context context, * enctypes, including rc4-hmac. A forthcoming workaround for this * includes the checksum bytes in the encrypted padata. */ - if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) && - enctype_requires_etype_info_2(enctype) == FALSE) { + if (enctype_requires_etype_info_2(enctype) == FALSE) { code = k5_alloc_pa_data(KRB5_PADATA_S4U_X509_USER, req_s4u_user->cksum.length + rep_s4u_user.cksum.length, &pa);
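Review bot: In the kdc_make_s4u2self_rep() hunk of src/kdc/kdc_util.c, the comment above the rewritten `if` does not record that the encrypted padata entry is now sent regardless of the client's KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE option, so a later reader could reintroduce the flag check; consider adding a sentence to that comment saying the decision depends only on the enctype. The patch as shown touches only kdc_util.c and carries no test, so a regression test would help: an S4U2Self request with the option unset and an enctype for which enctype_requires_etype_info_2() returns false, checking that the reply carries KRB5_PADATA_S4U_X509_USER in encrypted padata. The allocation still sizes the entry from `req_s4u_user->cksum.length + rep_s4u_user.cksum.length`; since the request is no longer filtered by the option bit, it is worth confirming in the description that the request checksum is always populated on this path. Minor style point: `enctype_requires_etype_info_2(enctype) == FALSE` could be written `!enctype_requires_etype_info_2(enctype)`.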