[30698] in CVS-changelog-for-Kerberos-V5


krb5 commit: Fix S4U client authdata handling

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jan 16 14:09:23 2020

Date: Thu, 16 Jan 2020 14:09:05 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202001161909.00GJ95SS002216@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/ef655640db9ac51979fa4529168aa05a4a8f45e4
commit ef655640db9ac51979fa4529168aa05a4a8f45e4
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Thu Dec 12 03:40:04 2019 +0100

    Fix S4U client authdata handling
    
    Only send client authdata in the initial request, and note
    request authdata in out_creds.
    
    ticket: 8866 (new)
    tags: pullup
    target_version: 1.18

 src/lib/krb5/krb/s4u_creds.c |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 8202fe9..504eb55 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -582,6 +582,10 @@ krb5_get_self_cred_from_kdc(krb5_context context,
         if (code != 0)
             goto cleanup;
 
+        /* The authdata in this referral TGT will be copied into the final
+         * credentials, so we don't need to request it again. */
+        s4u_creds.authdata = NULL;
+
         /* Only include a cert in the initial request to the client realm. */
         s4u_user.user_id.subject_cert = empty_data();
 
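Review bot: the `s4u_creds.authdata = NULL;` assignment at the top of this hunk is leak-free only if s4u_creds.authdata is a borrowed pointer (for example aliasing in_creds->authdata) rather than a copy owned by this struct; the hunk does not show how s4u_creds was initialized, so confirm it is a shallow copy and otherwise free the old value before clearing it. The comment would also be clearer if it said that clearing the field affects only the follow-up referral requests, since the line sits after the initial request has already succeeded (the `if (code != 0) goto cleanup;` just above), in the same way the subject_cert reset two lines down is scoped to the initial request.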
@@ -708,6 +712,12 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
         code = 0;
     }
 
+    /* Note the authdata we asked for in the output creds. */
+    code = krb5_copy_authdata(context, in_creds->authdata,
+                              &(*out_creds)->authdata);
+    if (code)
+        goto cleanup;
+
     if ((options & KRB5_GC_NO_STORE) == 0) {
         code = krb5_cc_store_cred(context, ccache, *out_creds);
         if (code != 0)
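Review bot: krb5_copy_authdata writes through `&(*out_creds)->authdata` without the existing value being released first, so if the credentials coming out of the KDC path already carry authdata that pointer is overwritten and leaked; free the field (or require it to be NULL) before the copy, and say in the comment which value is meant to win. Also confirm that when the copy fails and control jumps to cleanup, *out_creds is freed or reset to NULL so the caller does not receive a partially populated structure; cleanup is not visible in this hunk.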
@@ -1042,6 +1052,10 @@ k5_get_proxy_cred_from_kdc(krb5_context context, krb5_flags options,
             goto cleanup;
         }
 
+        /* The authdata in this referral TGT will be copied into the final
+         * credentials, so we don't need to request it again. */
+        mcreds.authdata = NULL;
+
         /*
          * Make sure the KDC supports S4U and resource-based constrained
          * delegation; otherwise we might have gotten a regular TGT referral
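Review bot: same ownership question as for the s4u_creds.authdata reset in the first hunk: `mcreds.authdata = NULL;` is safe only if mcreds.authdata aliases the caller's authdata; if mcreds owns its own copy the pointer is leaked. The hunk also does not show how mcreds is used after this point, so confirm that dropping authdata here does not alter later cache matching or the referral request built from mcreds, and consider stating that in the comment. The two-line comment is repeated verbatim from the earlier hunk; a single shared comment or helper would keep them from drifting apart.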
@@ -1112,6 +1126,11 @@ k5_get_proxy_cred_from_kdc(krb5_context context, krb5_flags options,
             goto cleanup;
     }
 
+    /* Note the authdata we asked for in the output creds. */
+    code = krb5_copy_authdata(context, in_creds->authdata, &tkt->authdata);
+    if (code)
+        goto cleanup;
+
     if (!(options & KRB5_GC_NO_STORE))
         (void)krb5_cc_store_cred(context, ccache, tkt);
 
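Review bot: `krb5_copy_authdata(context, in_creds->authdata, &tkt->authdata)` replaces whatever tkt->authdata already held; if tkt is the credential returned from the TGS exchange it may carry KDC-supplied authdata, which would be leaked and silently replaced before the credential is cached. Free the old field first (or copy only when it is NULL) and document which value is intended to end up in the stored credential. Note too that the `(void)krb5_cc_store_cred(...)` below discards the store result (pre-existing), so a failed store after a successful copy is never reported to the caller.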
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
