Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
Previously we were avoiding it when answering a cross-realm client,
which was wrong.
Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).
ticket: 6655
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697
dc483132-0cff-0310-8789-
dd5450dbe970
valid);
krb5_free_data(context, data);
-
- if (code == 0 && *valid == FALSE)
- code = KRB5KRB_AP_ERR_MODIFIED;
-
return code;
}
if (code != 0)
goto cleanup;
- *pdelegated = sp->delegated;
- sp->delegated = NULL;
+ if (*path_is_signed) {
+ *pdelegated = sp->delegated;
+ sp->delegated = NULL;
+ }
cleanup:
krb5_free_ad_signedpath(context, sp);
}
}
- if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+ /* No point in including signedpath authdata for a cross-realm TGT, since
+ * it will be presented to a different KDC. */
+ if (!is_cross_tgs_principal(server->princ) &&
!only_pac_p(context, enc_tkt_reply->authorization_data)) {
code = make_ad_signedpath(context,
for_user_princ,
return FALSE;
}
+/* Returns TRUE if principal is the name of a cross-realm TGS. */
+krb5_boolean
+is_cross_tgs_principal(krb5_const_principal principal)
+{
+ return (krb5_princ_size(kdc_context, principal) >= 2 &&
+ data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+ KRB5_TGS_NAME) &&
+ !data_eq(*krb5_princ_component(kdc_context, principal, 1),
+ *krb5_princ_realm(kcd_context, principal)));
+}
+
/*
* given authentication data (provides seed for checksum), verify checksum
* for source data.
krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
krb5_boolean is_local_principal(krb5_const_principal princ1);
krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
+krb5_boolean is_cross_tgs_principal(krb5_const_principal);
krb5_error_code
add_to_transited (krb5_data *,
krb5_data *,
projects / krb5.git / commitdiff