From: Greg Hudson
Date: Thu, 19 Mar 2015 17:42:56 +0000 (-0400)
Subject: Process TGS authdata after transited in KDC
X-Git-Tag: krb5-1.14-alpha1~148
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dc19c3899a98e23378c19d91594470f7350756c;p=thirdparty%2Fkrb5.git

Process TGS authdata after transited in KDC

The CAMMAC authorization data container requires a checksum over the encrypted part of the issued ticket, with the CAMMAC contents substituted for the authdata field. For this to work, we must finalize the non-authdata fields of the encrypted ticket part before adding authdata. Call handle_authdata() after checking and modifying the transited field and potentially setting the transited-policy-checked flag.

Also remove a redundant and inoperative conditional change to enc_tkt_reply.times.starttime which happens after the ticket is encrypted. We do the same thing right after setting up the ticket times.
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index fa88623ec4..64a78e7955 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -576,25 +576,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
 enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
 
- errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
- subkey != NULL ? subkey :
- header_ticket->enc_part2->session,
- &encrypting_key, /* U2U or server key */
- tgskey,
- pkt,
- request,
- s4u_x509_user ?
- s4u_x509_user->user_id.user : NULL,
- subject_tkt,
- &enc_tkt_reply);
- if (errcode) {
- krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
- errcode);
- status = "HANDLE_AUTHDATA";
- goto cleanup;
- }
-
-
 /*
 * Only add the realm of the presented tgt to the transited list if
 * it is different than the local realm (cross-realm) and it is different
@@ -659,6 +640,24 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 goto cleanup;
 }
 
+ errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
+ subkey != NULL ? subkey :
+ header_ticket->enc_part2->session,
+ &encrypting_key, /* U2U or server key */
+ tgskey,
+ pkt,
+ request,
+ s4u_x509_user ?
+ s4u_x509_user->user_id.user : NULL,
+ subject_tkt,
+ &enc_tkt_reply);
+ if (errcode) {
+ krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
+ errcode);
+ status = "HANDLE_AUTHDATA";
+ goto cleanup;
+ }
+
 ticket_reply.enc_part2 = &enc_tkt_reply;
 
 /*
@@ -731,11 +730,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 /* copy the time fields */
 reply_encpart.times = enc_tkt_reply.times;
 
- /* starttime is optional, and treated as authtime if not present.
- so we can nuke it if it matches */
- if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
- enc_tkt_reply.times.starttime = 0;
-
 nolrentry.lr_type = KRB5_LRQ_NONE;
 nolrentry.value = 0;
 nolrentry.magic = 0;
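Review bot: The relocated `errcode = handle_authdata(...)` call now depends on an ordering invariant that nothing at the call site states: per the commit message, the CAMMAC checksum covers the finalized non-authdata fields of enc_tkt_reply, so any later write to enc_tkt_reply before the ticket is encrypted would silently invalidate that checksum and the container would fail verification at the server. I would add a comment directly above the call, e.g. `/* Authdata (e.g. CAMMAC) may checksum the other fields of enc_tkt_reply, so this must be the last modification of enc_tkt_reply before it is encrypted. */`, so that a future edit does not reintroduce a post-authdata mutation like the starttime adjustment this commit removes. The enclosing process_tgs_req() starts and ends outside the hunk, so I cannot confirm from here that nothing between this point and the encryption step still writes to enc_tkt_reply; that is worth a quick check against the full function.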