From d4272f3f29ddbd6268c21be73887cd5b20326dd5 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 23 Jun 2020 13:30:59 -0400
Subject: [PATCH] Fix KDC choice to send encrypted S4U_X509_USER

The KDC's decision to send a PA_S4U_X509_USER entry in encrypted padata
has no connection to the client USE_REPLY_KEY_USAGE flag. Only
conditionalize on the enctype.

ticket: 8920 (new)
---
 src/kdc/kdc_util.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index b3bca52b12..3f4ba32a63 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1400,8 +1400,7 @@ kdc_make_s4u2self_rep(krb5_context context,
      * enctypes, including rc4-hmac. A forthcoming workaround for this
      * includes the checksum bytes in the encrypted padata.
      */
-    if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) &&
-        enctype_requires_etype_info_2(enctype) == FALSE) {
+    if (enctype_requires_etype_info_2(enctype) == FALSE) {
         code = k5_alloc_pa_data(KRB5_PADATA_S4U_X509_USER,
                                 req_s4u_user->cksum.length +
                                 rep_s4u_user.cksum.length, &pa);
-- 
2.47.2
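Review bot: The rationale that the commit message gives — that sending PA_S4U_X509_USER in the encrypted padata depends only on the enctype and not on the client's USE_REPLY_KEY_USAGE option — is not recorded at the decision point; the comment fragment visible above the new `if` explains only why rc4-hmac needs the workaround. A closing sentence in that comment, such as `* Whether to send it depends only on the enctype, not on the client's USE_REPLY_KEY_USAGE option.`, would keep a future maintainer from reintroducing the flag check. Now that the enctype predicate is the sole condition, `if (!enctype_requires_etype_info_2(enctype)) {` reads more directly than the `== FALSE` comparison carried over from the old line. kdc_make_s4u2self_rep begins and ends outside the hunk, so any remaining use of the options field elsewhere in the function is not visible here.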