From bdb3e1020c44941318a3d629148980c2a0200b84 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 23 Dec 2021 11:24:00 +1100 Subject: [PATCH] Revert "kdc: distinguish long-term key from replacing reply key" This reverts commit e89848719a7455b607b84180da34236ffd100f9b. (Reverting: typo.) --- kdc/kerberos5.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 5e432ab1c..a198657c6 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -980,8 +980,7 @@ struct kdc_patypes { #define PA_ANNOUNCE 1 #define PA_REQ_FAST 2 /* only use inside fast */ #define PA_SYNTHETIC_OK 4 -#define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */ -#define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */ +#define PA_REPLACE_REPLY_KEY 8 krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa, struct kdc_pa_auth_status *auth_status); @@ -1012,12 +1011,12 @@ static const struct kdc_patypes pat[] = { { KRB5_PADATA_PA_PK_OCSP_RESPONSE , "OCSP", 0, NULL, NULL, NULL }, { KRB5_PADATA_ENC_TIMESTAMP , "ENC-TS", - PA_ANNOUNCE | PA_USES_LONG_TERM_KEY, + PA_ANNOUNCE, pa_enc_ts_validate, NULL, NULL }, { KRB5_PADATA_ENCRYPTED_CHALLENGE , "ENC-CHAL", - PA_ANNOUNCE | PA_USES_LONG_TERM_KEY | PA_REQ_FAST, + PA_ANNOUNCE | PA_REQ_FAST, pa_enc_chal_validate, NULL, NULL }, { KRB5_PADATA_REQ_ENC_PA_REP , "REQ-ENC-PA-REP", 0, NULL, NULL, NULL }, 
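Review bot: In the `struct kdc_patypes` hunk, the revert leaves `PA_REPLACE_REPLY_KEY` as the only flag in this group without a trailing comment, while `PA_REQ_FAST` keeps its `/* only use inside fast */` note; since the generate_pac() hunk later in this patch puts the client's long-term key into the PAC exactly when this flag is set, the flag's meaning should be stated where it is defined rather than only at the one use site. I would write `#define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key; long-term key may then be placed in the PAC */`. The struct definition starts before this hunk and continues after it.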
@@ -1871,17 +1870,15 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, (long)r->pac_attributes); /* - * When a PA mech does not use the client's long-term key, the PAC - * may include the client's long-term key (encrypted in the reply key) - * for use by other shared secret authentication protocols, e.g. NTLM. - * Validate a PA mech was actually used before doing this. + * When a PA mech replaces the reply key, the PAC may include the + * client's long term key (encrypted in the reply key) for use by + * other shared secret authentication protocols, e.g. NTLM. */ ret = _kdc_pac_generate(r->context, r->client, r->server, - r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY) - &r->reply_key : NULL, + pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY) ? &r->reply_key : NULL, r->pac_attributes, &p); if (ret) {
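Review bot: The reverted condition drops the explicit `r->pa_used &&` guard, so whether `pa_used_flag_isset(r, PA_REPLACE_REPLY_KEY)` is safe when no pre-authentication mechanism was used now rests entirely on that helper tolerating a NULL `r->pa_used`; the helper is not in this hunk, so that is worth confirming before the revert lands. The conditional also assumes that by the time generate_pac() runs, the mechanism flagged `PA_REPLACE_REPLY_KEY` has already installed its key in `r->reply_key` — otherwise the long-term key the comment describes would be wrapped under itself, which defeats the purpose the comment gives for including it; that ordering is not visible here. I would make both assumptions explicit in the comment: ` * Assumes pa_used_flag_isset() treats r->pa_used == NULL as "no flags", and` / ` * that r->reply_key already holds the mech-supplied key at this point.` Tying inclusion to mechanisms that replace the reply key, rather than to every mechanism not marked as using the long-term key, is the conservative choice and is fine as-is. generate_pac() begins before this hunk and continues after it.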