From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 22 Jan 2015 17:45:25 +0000 (-0500)
Subject: Filter CAMMAC authdata from non-KDC sources
X-Git-Tag: krb5-1.14-alpha1~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a19109fffc70cabcabab00d00bf65ea85fd33e1a;p=thirdparty%2Fkrb5.git

Filter CAMMAC authdata from non-KDC sources

Also filter auth-indicator authdata values which aren't wrapped in
CAMMACs, although we don't normally expect to see those.

ticket: 8157
---

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 193b8c1365..e06bbe630f 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -132,6 +132,8 @@ is_kdc_issued_authdatum(krb5_context context, krb5_authdata *authdata,
         case KRB5_AUTHDATA_SIGNTICKET:
         case KRB5_AUTHDATA_KDC_ISSUED:
         case KRB5_AUTHDATA_WIN2K_PAC:
+        case KRB5_AUTHDATA_CAMMAC:
+        case KRB5_AUTHDATA_AUTH_INDICATOR:
             result = desired_type ? (desired_type == ad_types[i]) : TRUE;
             break;
         default:
diff --git a/src/lib/krb5/krb/authdata_dec.c b/src/lib/krb5/krb/authdata_dec.c
index 0a3dc14a96..80f53853f8 100644
--- a/src/lib/krb5/krb/authdata_dec.c
+++ b/src/lib/krb5/krb/authdata_dec.c
@@ -142,6 +142,8 @@ find_authdata_1(krb5_context context, krb5_authdata *const *in_authdat,
         case KRB5_AUTHDATA_SIGNTICKET:
         case KRB5_AUTHDATA_KDC_ISSUED:
         case KRB5_AUTHDATA_WIN2K_PAC:
+        case KRB5_AUTHDATA_CAMMAC:
+        case KRB5_AUTHDATA_AUTH_INDICATOR:
             if (from_ap_req)
                 continue;
         default: