krb5 commit [krb5-1.18]: Always use S4U2Proxy second ticket parsed authdata

Tue Feb 11 16:54:09 EST 2020

https://github.com/krb5/krb5/commit/91bb220f3ddfcb5b476396a92542faad8ce95e37
commit 91bb220f3ddfcb5b476396a92542faad8ce95e37
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Jan 30 19:38:44 2020 +0100

    Always use S4U2Proxy second ticket parsed authdata
    
    When the KDC handles an S4U2Proxy request, if the KDB module returned
    parsed authdata for the header ticket and not for the second ticket,
    we could erroneously pass the header ticket's parsed authdata to
    handle_authdata().  Make sure we always pass the parsed authdata for
    the second ticket.
    
    [ghudson at mit.edu: added comment; rewrote commit message]
    
    (cherry picked from commit 21d823991a81d64af460ec62a98585c85534850b)
    
    ticket: 8874
    version_fixed: 1.18

 src/kdc/do_tgs_req.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index dfb5205..241f34e 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -331,7 +331,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
 
     if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
-        /* Do constrained delegation protocol and authorization checks */
+        /* Do constrained delegation protocol and authorization checks. */
         setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
 
         errcode = kdc_process_s4u2proxy_req(kdc_active_realm, c_flags, request,
@@ -359,6 +359,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
             goto cleanup;
 
         assert(krb5_is_tgs_principal(header_ticket->server));
+
+        /* Use the parsed authdata from the second ticket during authdata
+         * handling. */
+        krb5_db_free_authdata_info(kdc_context, ad_info);
+        ad_info = stkt_ad_info;
+        stkt_ad_info = NULL;
     }
 
     au_state->stage = ISSUE_TKT;
@@ -636,8 +642,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
                               subkey != NULL ? subkey :
                               header_ticket->enc_part2->session,
                               encrypting_key, subject_key, pkt, request,
-                              altcprinc, stkt_ad_info ? stkt_ad_info : ad_info,
-                              subject_tkt, &auth_indicators, &enc_tkt_reply);
+                              altcprinc, ad_info, subject_tkt,
+                              &auth_indicators, &enc_tkt_reply);
     if (errcode) {
         krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
                          errcode);
