From: Isaac Boukris
Date: Thu, 30 Jan 2020 18:38:44 +0000 (+0100)
Subject: Always use S4U2Proxy second ticket parsed authdata
X-Git-Tag: krb5-1.19-beta1~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21d823991a81d64af460ec62a98585c85534850b;p=thirdparty%2Fkrb5.git

Always use S4U2Proxy second ticket parsed authdata

When the KDC handles an S4U2Proxy request, if the KDB module returned parsed authdata for the header ticket and not for the second ticket, we could erroneously pass the header ticket's parsed authdata to handle_authdata(). Make sure we always pass the parsed authdata for the second ticket.

[ghudson@mit.edu: added comment; rewrote commit message]

ticket: 8874 (new)
tags: pullup
target_version: 1.18
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index dfb5205795..241f34e2a8 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -331,7 +331,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
 
     if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
-        /* Do constrained delegation protocol and authorization checks */
+        /* Do constrained delegation protocol and authorization checks. */
         setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
 
         errcode = kdc_process_s4u2proxy_req(kdc_active_realm, c_flags, request,
@@ -359,6 +359,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
             goto cleanup;
 
         assert(krb5_is_tgs_principal(header_ticket->server));
+
+        /* Use the parsed authdata from the second ticket during authdata
+         * handling. */
+        krb5_db_free_authdata_info(kdc_context, ad_info);
+        ad_info = stkt_ad_info;
+        stkt_ad_info = NULL;
     }
 
     au_state->stage = ISSUE_TKT;
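Review bot: The comment added before krb5_db_free_authdata_info() says what the three new lines do but not why the header ticket's parsed authdata has to be discarded at this point, nor that clearing stkt_ad_info is what keeps the shared cleanup path from freeing the same buffer twice, assuming the cleanup label frees stkt_ad_info (that label is outside the hunk). I would expand it to: `/* For S4U2Proxy the second (evidence) ticket is the one whose parsed authdata handle_authdata() must see, so replace the header ticket's parsed authdata with it; stkt_ad_info is cleared so cleanup does not free it a second time. */` If the KDB module returned no parsed authdata for the second ticket, ad_info is NULL from here on, which is the intended behaviour per the commit message and could be stated in the same comment. process_tgs_req begins and ends outside the hunk.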
@@ -636,8 +642,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
                               subkey != NULL ? subkey :
                               header_ticket->enc_part2->session,
                               encrypting_key, subject_key, pkt, request,
-                              altcprinc, stkt_ad_info ? stkt_ad_info : ad_info,
-                              subject_tkt, &auth_indicators, &enc_tkt_reply);
+                              altcprinc, ad_info, subject_tkt,
+                              &auth_indicators, &enc_tkt_reply);
     if (errcode) {
         krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
                          errcode);
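Review bot: After this change the ad_info argument passed to handle_authdata() means two different things depending on c_flags — the header ticket's parsed authdata normally, but the second ticket's once KRB5_KDB_FLAG_CONSTRAINED_DELEGATION was set earlier in process_tgs_req — and nothing at the call site records that. A one-line comment above the call would spare the next reader a trip back up the function: `/* In the S4U2Proxy case ad_info was replaced above with the second ticket's parsed authdata. */` The dropped ternary also used to mask a NULL stkt_ad_info by falling back to the header ticket's data; the new code passes that NULL through, which is the point of the commit but deserves a sentence in handle_authdata()'s parameter documentation (declared outside this hunk). The enclosing call and function continue outside the hunk.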