kdc: don't announce KRB5_PADATA_PKINIT_KX unless anonymous is allowed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273 Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-12-29 11:18:22 +01:00
parent 67a6eb3218
commit eb388539ec
1 changed files with 2 additions and 0 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2302,6 +2302,8 @@ _kdc_as_rep(astgs_request_t r)

 	    if (!r->armor_crypto && (pat[n].flags & PA_REQ_FAST))
 		continue;
+	    if (pat[n].type == KRB5_PADATA_PKINIT_KX && !r->config->allow_anonymous)
+		continue;
 	    if (pat[n].type == KRB5_PADATA_ENC_TIMESTAMP) {
 		if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp)
 		    continue;