[30828] in CVS-changelog-for-Kerberos-V5


krb5 commit: Fix KDC choice to send encrypted S4U_X509_USER

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 29 12:49:03 2020

Date: Mon, 29 Jun 2020 12:48:21 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202006291648.05TGmL0u003684@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/d4272f3f29ddbd6268c21be73887cd5b20326dd5
commit d4272f3f29ddbd6268c21be73887cd5b20326dd5
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Jun 23 13:30:59 2020 -0400

    Fix KDC choice to send encrypted S4U_X509_USER
    
    The KDC's decision to send a PA_S4U_X509_USER entry in encrypted
    padata has no connection to the client USE_REPLY_KEY_USAGE flag.  Only
    conditionalize on the enctype.
    
    ticket: 8920 (new)

 src/kdc/kdc_util.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index b3bca52..3f4ba32 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1400,8 +1400,7 @@ kdc_make_s4u2self_rep(krb5_context context,
      * enctypes, including rc4-hmac. A forthcoming workaround for this
      * includes the checksum bytes in the encrypted padata.
      */
-    if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) &&
-        enctype_requires_etype_info_2(enctype) == FALSE) {
+    if (enctype_requires_etype_info_2(enctype) == FALSE) {
         code = k5_alloc_pa_data(KRB5_PADATA_S4U_X509_USER,
                                 req_s4u_user->cksum.length +
                                 rep_s4u_user.cksum.length, &pa);
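Review bot: The comment block above the `if` (ending "includes the checksum bytes in the encrypted padata") does not record that the client's KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE flag is deliberately not consulted, now that the condition depends only on `enctype_requires_etype_info_2(enctype) == FALSE`. Add a sentence to that comment saying the decision is based on the enctype alone, so the flag test is not reintroduced later. The diffstat shows only src/kdc/kdc_util.c changing, so a test that sends an S4U2Self request without the flag under an enctype for which the function returns FALSE would pin the new behavior. Minor style point: `!enctype_requires_etype_info_2(enctype)` reads more directly than the comparison with FALSE, although that comparison predates this change.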