[31079] in CVS-changelog-for-Kerberos-V5


krb5 commit: Issue an error from KDC on S4U2Self failures

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Dec 5 16:05:17 2021

Date: Sun, 5 Dec 2021 16:05:11 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202112052105.1B5L5BeM012839@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/9544229ff3b6793cad39ce7d8dd2467ec2cf4f45
commit 9544229ff3b6793cad39ce7d8dd2467ec2cf4f45
Author: Andreas Schneider <asn@samba.org>
Date:   Wed Oct 20 07:12:19 2021 +0200

    Issue an error from KDC on S4U2Self failures
    
    Commit 3b163eed1cf1f55dd4a7bc6d6fffc34f55695b00 mistakenly separated
    the call to kdc_process_s4u2self_req() from its error check, causing
    the KDC to ignore S4U2Self padata with bad checksums.  Restore the
    error check so that the KDC replies with an error as intended.
    
    [ghudson@mit.edu: removed old error check later on in the code;
    rewrote commit message]
    
    ticket: 9038 (new)

 src/kdc/do_tgs_req.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 32dc65f..45837fb 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -276,6 +276,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         au_state->status = status;
         kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
         au_state->s4u2self_user = NULL;
+        if (errcode)
+            goto cleanup;
     }
 
     /* For user-to-user and S4U2Proxy requests, decrypt the second ticket. */
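Review bot: the new `if (errcode) goto cleanup;` at the end of the S4U2Self block comes with no regression test; the diffstat lists only src/kdc/do_tgs_req.c, so nothing in this commit would catch the check being separated from kdc_process_s4u2self_req() a second time. Suggest adding a test that sends S4U2Self padata with a bad checksum and expects the KDC to reply with an error. The placement itself looks right: it follows kau_s4u2self() and the `au_state->s4u2self_user = NULL` reset, so the failure is still audited before the jump.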
@@ -295,9 +297,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
     }
 
-    if (errcode)
-        goto cleanup;
-
     if (s4u_x509_user != NULL && client == NULL) {
         /*
          * For an S4U2Self referral request (the requesting service is
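Review bot: removing the deferred `if (errcode) goto cleanup;` ahead of the `s4u_x509_user != NULL && client == NULL` test is only safe if every assignment to errcode between the S4U2Self block and this point has its own check. The block directly above ends in its own `goto cleanup`, but the lines between the two hunks are not shown here, so it would help for the commit message to state that no other call relied on this catch-all.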
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
