[30850] in CVS-changelog-for-Kerberos-V5
krb5 commit: Fix KRB5_GC_CACHED for S4U2Self requests
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 8 00:07:03 2020
Date: Tue, 8 Sep 2020 00:06:40 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202009080406.08846eMF030973@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/c770dfd7e2e5ca91fc1c450f60c2f546c0c2bd61
commit c770dfd7e2e5ca91fc1c450f60c2f546c0c2bd61
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Aug 26 11:15:11 2020 -0400
Fix KRB5_GC_CACHED for S4U2Self requests
In krb5_get_credentials_for_user(), always exit after the first cache
check if KRB5_GC_CACHED is specified. Not making network requests
with this flag is more important than finding a post-realm-discovery
cached entry.
If KRB5_GC_CACHED is specified without a principal name, fail
immediately, as we cannot check the cache by certificate.
ticket: 8942 (new)
src/lib/krb5/krb/s4u_creds.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index fe15b24..73b59ff 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -665,11 +665,13 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
/* Uncanonicalised check */
code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
ccache, in_creds, out_creds);
- if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
- goto cleanup;
-
- if ((options & KRB5_GC_CACHED) && !(options & KRB5_GC_CANONICALIZE))
+ if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) ||
+ (options & KRB5_GC_CACHED))
goto cleanup;
+ } else if (options & KRB5_GC_CACHED) {
+ /* Fail immediately, since we can't check the cache by certificate. */
+ code = KRB5_CC_NOTFOUND;
+ goto cleanup;
}
code = s4u_identify_user(context, in_creds, subject_cert, &realm);
@@ -683,8 +685,7 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
mcreds.client = realm;
code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
ccache, &mcreds, out_creds);
- if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
- || (options & KRB5_GC_CACHED))
+ if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
goto cleanup;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
