From: Greg Hudson Date: Wed, 26 Aug 2020 15:15:11 +0000 (-0400) Subject: Fix KRB5_GC_CACHED for S4U2Self requests X-Git-Tag: krb5-1.19-beta1~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c770dfd7e2e5ca91fc1c450f60c2f546c0c2bd61;p=thirdparty%2Fkrb5.git Fix KRB5_GC_CACHED for S4U2Self requests In krb5_get_credentials_for_user(), always exit after the first cache check if KRB5_GC_CACHED is specified. Not making network requests with this flag is more important than finding a post-realm-discovery cached entry. If KRB5_GC_CACHED is specified without a principal name, fail immediately, as we cannot check the cache by certificate. ticket: 8942 (new) --- diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index fe15b24c23..73b59ffa84 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -665,11 +665,13 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options, /* Uncanonicalised check */ code = krb5_get_credentials(context, options | KRB5_GC_CACHED, ccache, in_creds, out_creds); - if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) - goto cleanup; - - if ((options & KRB5_GC_CACHED) && !(options & KRB5_GC_CANONICALIZE)) + if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) || + (options & KRB5_GC_CACHED)) goto cleanup; + } else if (options & KRB5_GC_CACHED) { + /* Fail immediately, since we can't check the cache by certificate. */ + code = KRB5_CC_NOTFOUND; + goto cleanup; } code = s4u_identify_user(context, in_creds, subject_cert, &realm); @@ -683,8 +685,7 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options, mcreds.client = realm; code = krb5_get_credentials(context, options | KRB5_GC_CACHED, ccache, &mcreds, out_creds); - if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) - || (options & KRB5_GC_CACHED)) + if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) goto cleanup; }