Filter CAMMAC authdata from non-KDC sources

Also filter auth-indicator authdata values which aren't wrapped in
CAMMACs, although we don't normally expect to see those.

ticket: 8157

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 193b8c13658ab462db3ad5a422367dbd9d3d70cf..e06bbe630ffe77323e991bc7754a3173c59c4761 100644 (file)
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -132,6 +132,8 @@ is_kdc_issued_authdatum(krb5_context context, krb5_authdata *authdata,
         case KRB5_AUTHDATA_SIGNTICKET:
         case KRB5_AUTHDATA_KDC_ISSUED:
         case KRB5_AUTHDATA_WIN2K_PAC:
+        case KRB5_AUTHDATA_CAMMAC:
+        case KRB5_AUTHDATA_AUTH_INDICATOR:
             result = desired_type ? (desired_type == ad_types[i]) : TRUE;
             break;
         default:

diff --git a/src/lib/krb5/krb/authdata_dec.c b/src/lib/krb5/krb/authdata_dec.c
index 0a3dc14a9674c76ab4e31737b0036d27f2c685cb..80f53853f84bfdebc47cf58b3eeabbabbc023e62 100644 (file)
--- a/src/lib/krb5/krb/authdata_dec.c
+++ b/src/lib/krb5/krb/authdata_dec.c
@@ -142,6 +142,8 @@ find_authdata_1(krb5_context context, krb5_authdata *const *in_authdat,
         case KRB5_AUTHDATA_SIGNTICKET:
         case KRB5_AUTHDATA_KDC_ISSUED:
         case KRB5_AUTHDATA_WIN2K_PAC:
+        case KRB5_AUTHDATA_CAMMAC:
+        case KRB5_AUTHDATA_AUTH_INDICATOR:
             if (from_ap_req)
                 continue;
         default: