From a19109fffc70cabcabab00d00bf65ea85fd33e1a Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Thu, 22 Jan 2015 12:45:25 -0500
Subject: [PATCH] Filter CAMMAC authdata from non-KDC sources

Also filter auth-indicator authdata values which aren't wrapped in CAMMACs, although we don't normally expect to see those.

ticket: 8157
---
 src/kdc/kdc_authdata.c | 2 ++
 src/lib/krb5/krb/authdata_dec.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 193b8c1365..e06bbe630f 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -132,6 +132,8 @@ is_kdc_issued_authdatum(krb5_context context, krb5_authdata *authdata,
 case KRB5_AUTHDATA_SIGNTICKET:
 case KRB5_AUTHDATA_KDC_ISSUED:
 case KRB5_AUTHDATA_WIN2K_PAC:
+ case KRB5_AUTHDATA_CAMMAC:
+ case KRB5_AUTHDATA_AUTH_INDICATOR:
 result = desired_type ? (desired_type == ad_types[i]) : TRUE;
 break;
 default:
diff --git a/src/lib/krb5/krb/authdata_dec.c b/src/lib/krb5/krb/authdata_dec.c
index 0a3dc14a96..80f53853f8 100644
--- a/src/lib/krb5/krb/authdata_dec.c
+++ b/src/lib/krb5/krb/authdata_dec.c
@@ -142,6 +142,8 @@ find_authdata_1(krb5_context context, krb5_authdata *const *in_authdat,
 case KRB5_AUTHDATA_SIGNTICKET:
 case KRB5_AUTHDATA_KDC_ISSUED:
 case KRB5_AUTHDATA_WIN2K_PAC:
+ case KRB5_AUTHDATA_CAMMAC:
+ case KRB5_AUTHDATA_AUTH_INDICATOR:
 if (from_ap_req)
 continue;
 default:
-- 
2.47.2
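Review bot: The set of KDC-only authdata types in the `is_kdc_issued_authdatum` switch (src/kdc/kdc_authdata.c) is now maintained by hand in two places, since the second hunk adds the same two cases to `find_authdata_1` in src/lib/krb5/krb/authdata_dec.c, and nothing in either file ties the lists together. Both switches are deny-lists, so a type added to one and forgotten in the other would presumably leave client-supplied authdata of that type unfiltered on one path. I would add a comment above the case labels, e.g. `/* KDC-only authdata types; keep in sync with find_authdata_1() in lib/krb5/krb/authdata_dec.c. */`. The diffstat also shows no test change, so a regression test that submits a client-supplied CAMMAC and a bare auth-indicator and checks both are dropped would be worth adding. The function body starts and ends outside the hunk.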
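Review bot: In `find_authdata_1` (src/lib/krb5/krb/authdata_dec.c) the grown case list still falls through into `default:` without a marker when `from_ap_req` is false, so the security-relevant behaviour (skip these types only when they come from the AP-REQ authenticator) rests on an implicit fallthrough. I would mark it after the `continue;` with `/* Fall through to default when not from an AP-REQ. */` so that a later edit or a `-Wimplicit-fallthrough` cleanup does not turn it into an unconditional skip or an unconditional accept. A one-line comment above the labels saying why they are skipped, e.g. `/* KDC-only types are not trusted from the client-controlled authenticator. */`, would also help. The switch and the function body continue outside the hunk.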