From 8c21864ae36f9583a6e815edc365f591a6984744 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Fri, 27 Feb 2009 03:25:12 +0000
Subject: [PATCH] Allow weak only for windows 2000 KDCs.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24823 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/pkinit.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index a15366f5c..e46b2bb92 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1133,6 +1133,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
 struct krb5_pk_cert *host = NULL;
 krb5_data content;
 heim_oid contentType = { 0, NULL };
+ int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;

 if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) {
 krb5_set_error_message(context, EINVAL,
@@ -1140,9 +1141,12 @@ pk_rd_pa_reply_enckey(krb5_context context,
 return EINVAL;
 }

+ if (ctx->type == PKINIT_WIN2K)
+ flags |= HX509_CMS_UE_ALLOW_WEAK;
+
 ret = hx509_cms_unenvelope(ctx->id->hx509ctx,
 ctx->id->certs,
- HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT,
+ flags,
 indata->data,
 indata->length,
 NULL,
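Review bot: The second hunk's `if (ctx->type == PKINIT_WIN2K) flags |= HX509_CMS_UE_ALLOW_WEAK;` relaxes what `hx509_cms_unenvelope` will accept for the KDC's reply, yet nothing in the hunk shows where `ctx->type` is set, so a reader cannot tell whether the weaker policy is chosen by local configuration or can be steered by the peer. If it is configuration-only, a comment above the `if` would record that, for example `/* Win2k KDCs need HX509_CMS_UE_ALLOW_WEAK; ctx->type is fixed by local config before the request is sent */`; if the reply can influence it, that is a downgrade path and the condition needs tightening. Braces around the single-statement body would also guard against a later edit widening the weak path by accident. `pk_rd_pa_reply_enckey` starts and ends outside the hunk, so the assignment of `ctx->type` could not be checked here.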