[30735] in CVS-changelog-for-Kerberos-V5
krb5 commit: Always use S4U2Proxy second ticket parsed authdata
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Feb 11 11:10:03 2020
Date: Tue, 11 Feb 2020 11:09:34 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202002111609.01BG9Ywn014697@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/21d823991a81d64af460ec62a98585c85534850b
commit 21d823991a81d64af460ec62a98585c85534850b
Author: Isaac Boukris <iboukris@gmail.com>
Date: Thu Jan 30 19:38:44 2020 +0100
Always use S4U2Proxy second ticket parsed authdata
When the KDC handles an S4U2Proxy request, if the KDB module returned
parsed authdata for the header ticket and not for the second ticket,
we could erroneously pass the header ticket's parsed authdata to
handle_authdata(). Make sure we always pass the parsed authdata for
the second ticket.
[ghudson@mit.edu: added comment; rewrote commit message]
ticket: 8874 (new)
tags: pullup
target_version: 1.18
src/kdc/do_tgs_req.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index dfb5205..241f34e 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -331,7 +331,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
goto cleanup;
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
- /* Do constrained delegation protocol and authorization checks */
+ /* Do constrained delegation protocol and authorization checks. */
setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
errcode = kdc_process_s4u2proxy_req(kdc_active_realm, c_flags, request,
@@ -359,6 +359,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
goto cleanup;
assert(krb5_is_tgs_principal(header_ticket->server));
+
+ /* Use the parsed authdata from the second ticket during authdata
+ * handling. */
+ krb5_db_free_authdata_info(kdc_context, ad_info);
+ ad_info = stkt_ad_info;
+ stkt_ad_info = NULL;
}
au_state->stage = ISSUE_TKT;
@@ -636,8 +642,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
encrypting_key, subject_key, pkt, request,
- altcprinc, stkt_ad_info ? stkt_ad_info : ad_info,
- subject_tkt, &auth_indicators, &enc_tkt_reply);
+ altcprinc, ad_info, subject_tkt,
+ &auth_indicators, &enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
errcode);
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
