From c770dfd7e2e5ca91fc1c450f60c2f546c0c2bd61 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 26 Aug 2020 11:15:11 -0400 Subject: [PATCH] Fix KRB5_GC_CACHED for S4U2Self requests In krb5_get_credentials_for_user(), always exit after the first cache check if KRB5_GC_CACHED is specified. Not making network requests with this flag is more important than finding a post-realm-discovery cached entry. If KRB5_GC_CACHED is specified without a principal name, fail immediately, as we cannot check the cache by certificate. ticket: 8942 (new) --- src/lib/krb5/krb/s4u_creds.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index fe15b24c23..73b59ffa84 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -665,11 +665,13 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options, /* Uncanonicalised check */ code = krb5_get_credentials(context, options | KRB5_GC_CACHED, ccache, in_creds, out_creds); - if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) - goto cleanup; - - if ((options & KRB5_GC_CACHED) && !(options & KRB5_GC_CANONICALIZE)) + if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) || + (options & KRB5_GC_CACHED)) goto cleanup; + } else if (options & KRB5_GC_CACHED) { + /* Fail immediately, since we can't check the cache by certificate. */ + code = KRB5_CC_NOTFOUND; + goto cleanup; } code = s4u_identify_user(context, in_creds, subject_cert, &realm); @@ -683,8 +685,7 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options, mcreds.client = realm; code = krb5_get_credentials(context, options | KRB5_GC_CACHED, ccache, &mcreds, out_creds); - if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) - || (options & KRB5_GC_CACHED)) + if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) goto cleanup; } -- 2.47.2