[30796] in CVS-changelog-for-Kerberos-V5

krb5 commit: Omit KDC indicator check for S4U2Self requests

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 7 12:43:45 2020

Date: Thu, 7 May 2020 12:43:24 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202005071643.047GhOVu022616@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/183631fbf72351c2d5fc7d60b2d9fc4d09fe7465
commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed May 6 16:03:13 2020 -0400

    Omit KDC indicator check for S4U2Self requests
    
    As there was no initial ticket exchange from the client for an
    S4U2Self request, the auth indicator check is inapplicable (and would
    always fail if any auth indicators are required).
    
    ticket: 8902 (new)

 src/kdc/do_tgs_req.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 241f34e..463a9c0 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     }
     authtime = subject_tkt->times.authtime;
 
-    /* Extract auth indicators from the subject ticket, except for S4U2Self
-     * requests (where the client didn't authenticate). */
+    /* Extract and check auth indicators from the subject ticket, except for
+     * S4U2Self requests (where the client didn't authenticate). */
     if (s4u_x509_user == NULL) {
         errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
                                       &local_tgt_key, &auth_indicators);
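Review bot: The reworded comment above `if (s4u_x509_user == NULL)` explains why S4U2Self is excluded ("the client didn't authenticate") but not what that means for the service's policy: the server's indicator requirement is no longer applied to S4U2Self requests at all. Suggest saying so in the comment, so that a later reader does not take the skipped check for an oversight and move `check_indicators()` back out of the block.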
@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
             status = "GET_AUTH_INDICATORS";
             goto cleanup;
         }
-    }
 
-    errcode = check_indicators(kdc_context, server, auth_indicators);
-    if (errcode) {
-        status = "HIGHER_AUTHENTICATION_REQUIRED";
-        goto cleanup;
+        errcode = check_indicators(kdc_context, server, auth_indicators);
+        if (errcode) {
+            status = "HIGHER_AUTHENTICATION_REQUIRED";
+            goto cleanup;
+        }
     }
 
     if (is_referral)
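Review bot: No test accompanies the relocated `check_indicators()` call; the diffstat lists only src/kdc/do_tgs_req.c. Suggest a regression test against a service that requires indicators, covering both branches: an S4U2Self request is now issued, and an ordinary TGS request whose subject ticket lacks the indicator is still refused with "HIGHER_AUTHENTICATION_REQUIRED". The second case matters because the check now sits inside the same `s4u_x509_user == NULL` block as `get_auth_indicators()`, so any later change to that condition silently changes when the requirement is enforced.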
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5