From e983c0f99cba07cb7c0a23cf4b8ac3aaba553c46 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Mon, 8 Feb 2010 20:55:43 +0000
Subject: [PATCH] pull up r23697 from trunk

 ------------------------------------------------------------------------
 r23697 | ghudson | 2010-02-04 22:43:54 -0500 (Thu, 04 Feb 2010) | 12 lines

 ticket: 6655
 subject: Fix cross-realm handling of AD-SIGNEDPATH
 target_version: 1.8
 tags: pullup

 Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
 Previously we were avoiding it when answering a cross-realm client,
 which was wrong.

 Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
 the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).

ticket: 6655
version_fixed: 1.8
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23708 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/kdc_authdata.c | 14 +++++++-------
 src/kdc/kdc_util.c     | 11 +++++++++++
 src/kdc/kdc_util.h     |  1 +
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 8b01ad388..50975580c 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -897,10 +897,6 @@ verify_ad_signedpath_checksum(krb5_context context,
                                   valid);
 
     krb5_free_data(context, data);
-
-    if (code == 0 && *valid == FALSE)
-        code = KRB5KRB_AP_ERR_MODIFIED;
-
     return code;
 }
 
@@ -952,8 +948,10 @@ verify_ad_signedpath(krb5_context context,
     if (code != 0)
         goto cleanup;
 
-    *pdelegated = sp->delegated;
-    sp->delegated = NULL;
+    if (*path_is_signed) {
+        *pdelegated = sp->delegated;
+        sp->delegated = NULL;
+    }
 
 cleanup:
     krb5_free_ad_signedpath(context, sp);
@@ -1179,7 +1177,9 @@ handle_signedpath_authdata (krb5_context context,
         }
     }
 
-    if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+    /* No point in including signedpath authdata for a cross-realm TGT, since
+     * it will be presented to a different KDC. */
+    if (!is_cross_tgs_principal(server->princ) &&
         !only_pac_p(context, enc_tkt_reply->authorization_data)) {
         code = make_ad_signedpath(context,
                                   for_user_princ,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 6ee96b266..281bcc8ee 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -192,6 +192,17 @@ krb5_is_tgs_principal(krb5_const_principal principal)
     return FALSE;
 }
 
+/* Returns TRUE if principal is the name of a cross-realm TGS. */
+krb5_boolean
+is_cross_tgs_principal(krb5_const_principal principal)
+{
+    return (krb5_princ_size(kdc_context, principal) >= 2 &&
+            data_eq_string(*krb5_princ_component(kdc_context, principal, 0),
+                           KRB5_TGS_NAME) &&
+            !data_eq(*krb5_princ_component(kdc_context, principal, 1),
+                     *krb5_princ_realm(kcd_context, principal)));
+}
+
 /*
  * given authentication data (provides seed for checksum), verify checksum
  * for source data.
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 96e29d906..258389508 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -42,6 +42,7 @@ krb5_error_code check_hot_list (krb5_ticket *);
 krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
 krb5_boolean is_local_principal(krb5_const_principal princ1);
 krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
+krb5_boolean is_cross_tgs_principal(krb5_const_principal);
 krb5_error_code
 add_to_transited (krb5_data *,
                   krb5_data *,
-- 
2.26.2