From: Greg Hudson Date: Thu, 7 Apr 2011 15:20:37 +0000 (+0000) Subject: In the authdata framework, determine which authdata sources to query X-Git-Tag: krb5-1.10-alpha1~478 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b7208a8261ed15d9e3136c75ce7c252d9717effb;p=krb5.git In the authdata framework, determine which authdata sources to query based on the module's usage flags. From r24794 in users/lhoward/moonshot-mechglue-fixes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c index 3664b66d0..351762eb1 100644 --- a/src/lib/krb5/krb/authdata.c +++ b/src/lib/krb5/krb/authdata.c @@ -571,7 +571,8 @@ krb5int_authdata_verify(krb5_context kcontext, if (module->ftable->import_authdata == NULL) continue; - if (kdc_issued_authdata != NULL) { + if (kdc_issued_authdata != NULL && + (module->flags & AD_USAGE_KDC_ISSUED)) { code = krb5int_find_authdata(kcontext, kdc_issued_authdata, NULL, @@ -584,9 +585,23 @@ krb5int_authdata_verify(krb5_context kcontext, } if (authdata == NULL) { + krb5_boolean ticket_usage = FALSE; + krb5_boolean authen_usage = FALSE; + + /* + * Determine which authdata sources to interrogate based on the + * module's usage. This is important if the authdata is signed + * by the KDC with the TGT key (as the user can forge that in + * the AP-REQ). + */ + if (module->flags & (AD_USAGE_AS_REQ | AD_USAGE_TGS_REQ)) + ticket_usage = TRUE; + if (module->flags & AD_USAGE_AP_REQ) + authen_usage = TRUE; + code = krb5int_find_authdata(kcontext, - ticket_authdata, - authen_authdata, + ticket_usage ? ticket_authdata : NULL, + authen_usage ? authen_authdata : NULL, module->ad_type, &authdata); if (code != 0)