From 310a0f740c9b34205e3f8de600dd420917691495 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 1 Sep 2009 12:53:22 +0000
Subject: [PATCH] If authorization data is submitted in a TGS-REQ, be sure that it is not submitted again when chasing a referral, and be sure that any referral tickets containing submitted authorization data are marked as such lest they be confused with those with different or no auth data.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22696 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/gc_frm_kdc.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index ab4d4be29d..6e4a8b4cc1 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -934,7 +934,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
     krb5_boolean old_use_conf_ktypes;
     char **hrealms;
     unsigned int referral_count, i;
-    krb5_authdata **out_supplied_authdata = NULL;
+    krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL;
     /*
      * Set up client and server pointers. Make a fresh and modifyable
@@ -960,6 +960,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
     supplied_server = in_cred->server;
     in_cred->server=server;
+    supplied_authdata = in_cred->authdata;
     DUMP_PRINC("gc_from_kdc initial client", client);
     DUMP_PRINC("gc_from_kdc initial server", server);
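Review bot: `supplied_authdata` is declared without an initializer in the first hunk, but only receives its value from `in_cred->authdata` in the second hunk some lines later, while the `cleanup:` hunk further down unconditionally executes `in_cred->authdata = supplied_authdata;`. Any `goto cleanup` (or other path to that label) between the declaration and the assignment would therefore copy an indeterminate pointer into the caller's credential; the lines in between are outside these hunks, so this may be unreachable today, but the restore is cheap to make safe regardless. Suggest `krb5_authdata **supplied_authdata = in_cred->authdata, **out_supplied_authdata = NULL;` at the declaration and dropping the separate assignment, mirroring how `out_supplied_authdata` is already initialized. A short ownership comment beside it would also help, e.g. `/* Borrowed from in_cred; put back at cleanup, never freed here. */`.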
@@ -1150,6 +1151,15 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
         if (tgtptr == &cc_tgt)
             krb5_free_cred_contents(context, tgtptr);
         tgtptr=*out_cred;
+        /* Save requested auth data with TGT in case it ends up stored */
+        if (supplied_authdata != NULL) {
+            /* Ensure we note TGT contains authorization data */
+            retval = krb5_copy_authdata(context,
+                                        supplied_authdata,
+                                        &(*out_cred)->authdata);
+            if (retval)
+                goto cleanup;
+        }
         /* Save pointer to tgt in referral_tgts. */
         referral_tgts[referral_count]=*out_cred;
         *out_cred = NULL;
@@ -1160,6 +1170,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
                                          &server->realm);
         if (retval)
             goto cleanup;
+        /* Don't ask for KDC to add auth data multiple times */
+        in_cred->authdata = NULL;
         /*
          * Future work: rewrite server principal per any
          * supplied padata.
@@ -1263,7 +1275,6 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
         retval = KRB5_PROG_ETYPE_NOSUPP;
         goto cleanup;
     }
-    context->use_conf_ktypes = old_use_conf_ktypes;
     retval = krb5_get_cred_via_tkt(context, tgtptr, FLAGS2OPTS(tgtptr->ticket_flags) |
@@ -1285,6 +1296,7 @@ cleanup:
                         server);
     krb5_free_principal(context, server);
     in_cred->server = supplied_server;
+    in_cred->authdata = supplied_authdata;
     if (*out_cred && !retval) {
         /* Success: free server, swap supplied server back in. */
         krb5_free_principal (context, (*out_cred)->server);
-- 
2.47.2
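Review bot: The `krb5_copy_authdata` call in the first hunk writes a fresh list into `(*out_cred)->authdata` without releasing whatever that field already holds, so if `krb5_get_cred_via_tkt` can hand back a credential that already carries authorization data, the previous list leaks on every referral hop. On the failure branch, `*out_cred` has not yet been moved into `referral_tgts[]`, so unless `cleanup:` also disposes of a still-set `*out_cred` on error (its body is mostly outside these hunks) that credential leaks as well. Suggest `krb5_free_authdata(context, (*out_cred)->authdata);` immediately before the copy, and on failure `krb5_free_creds(context, *out_cred); *out_cred = NULL;` before `goto cleanup`. The referral loop enclosing this block starts and ends outside the hunk.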
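Review bot: The comment `/* Don't ask for KDC to add auth data multiple times */` in the second hunk does not say where the requested authorization data goes instead, which is the invariant this commit introduces; a reader meeting `in_cred->authdata = NULL;` inside the referral loop is likely to read it as a dropped request, and it also means the final `krb5_get_cred_via_tkt` for the service ticket is issued without the authdata whenever at least one referral was followed. Suggest expanding the comment to state that the data was sent with the first TGS-REQ and copied onto the referral TGT just obtained, that later hops and the final request presumably rely on the KDC carrying it forward inside that TGT, and that the caller's pointer is restored at `cleanup:`. The loop containing this assignment starts and ends outside the hunk.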
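Review bot: The cleanup hunk restores `in_cred->server` and now `in_cred->authdata`, but nothing visible restores `context->use_conf_ktypes`, whose restore before the final `krb5_get_cred_via_tkt` call is deleted by the preceding hunk and is not mentioned in the commit message. If that restore does not exist further down in `cleanup:` (most of the label's body is outside this hunk), the final TGS request and the caller's context keep whatever value the referral loop left in `use_conf_ktypes`, which changes the enctype list negotiated for the service ticket. Either confirm the restore is present later in `cleanup:` or keep the line, e.g. `context->use_conf_ktypes = old_use_conf_ktypes;` immediately before the final `krb5_get_cred_via_tkt` call, and say in the message why it moved.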