From 8e80ddbfdb479800c8e6ef7b287d400476578f8a Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 10 Jun 2020 01:32:56 +0300 Subject: [PATCH] Interop with Heimdal KDC for S4U2Self requests [MS-SFU] 3.1.5.1.1.1 says the KDC SHOULD send PA_S4U_X509_USER pa-data if the TGT session key is of a newer enctype. Our S4U2Self client code has enforced this clause as if it were a MUST. For consistency with Microsoft and interoperability with Heimdal (which does not implement PA_S4U_X509_USER), stop enforcing this constraint. [ghudson@mit.edu: compressed code slightly; wrote commit message] ticket: 8919 (new) --- src/lib/krb5/krb/s4u_creds.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index 1f0ab85160..5c2b6ff35e 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -302,16 +302,11 @@ verify_s4u2self_reply(krb5_context context, enc_padata, KRB5_PADATA_S4U_X509_USER); - /* XXX this will break newer enctypes with a MIT 1.7 KDC */ rep_s4u_padata = krb5int_find_pa_data(context, rep_padata, KRB5_PADATA_S4U_X509_USER); - if (rep_s4u_padata == NULL) { - if (not_newer == FALSE || enc_s4u_padata != NULL) - return KRB5_KDCREP_MODIFIED; - else - return 0; - } + if (rep_s4u_padata == NULL) + return (enc_s4u_padata != NULL) ? KRB5_KDCREP_MODIFIED : 0; data.length = rep_s4u_padata->length; data.data = (char *)rep_s4u_padata->contents; -- 2.47.2