Issue an error from KDC on S4U2Self failures
authorAndreas Schneider <asn@samba.org>
Wed, 20 Oct 2021 05:12:19 +0000 (07:12 +0200)
committerGreg Hudson <ghudson@mit.edu>
Sun, 5 Dec 2021 17:52:27 +0000 (12:52 -0500)
Commit 3b163eed1cf1f55dd4a7bc6d6fffc34f55695b00 mistakenly separated
the call to kdc_process_s4u2self_req() from its error check, causing
the KDC to ignore S4U2Self padata with bad checksums.  Restore the
error check so that the KDC replies with an error as intended.

[ghudson@mit.edu: removed old error check later on in the code;
rewrote commit message]

ticket: 9038 (new)

src/kdc/do_tgs_req.c

index 32dc65fa8ef4c7292e492bf5096fb3485f4dd6f0..45837fbe001451e8dfe67524ca63ee78fb2ef63a 100644 (file)
@@ -276,6 +276,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         au_state->status = status;
         kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
         au_state->s4u2self_user = NULL;
+        if (errcode)
+            goto cleanup;
     }
 
     /* For user-to-user and S4U2Proxy requests, decrypt the second ticket. */
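Review bot: The restored `if (errcode) goto cleanup;` at the end of the S4U2Self block has no comment explaining why it must stay tied to the S4U2Self result. The commit message records that an earlier change separated this check from kdc_process_s4u2self_req() and let padata with bad checksums be ignored. I would add above it `/* Fail the request on any S4U2Self error; checked after kau_s4u2self() so the failure is still audited. */`. No regression test is visible on this page; a KDC test that presents S4U2Self padata with an invalid checksum and expects an error reply would catch the check drifting again. The call itself and the start of the enclosing block are outside the hunk, so the claim that nothing else assigns errcode in between rests on the commit message, not on visible lines.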
@@ -295,9 +297,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
     }
 
-    if (errcode)
-        goto cleanup;
-
     if (s4u_x509_user != NULL && client == NULL) {
         /*
          * For an S4U2Self referral request (the requesting service is