
From 61f3943f9fc237936ed9fd098edcd8dcc43b8da7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 6 May 2020 16:03:13 -0400
Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
As there was no initial ticket exchange from the client for an
S4U2Self request, the auth indicator check is inapplicable (and would
always fail if any auth indicators are required).
ticket: 8902 (new)
(cherry picked from commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465)
(cherry picked from commit 442f1fa5b2e4034954a51048414cc0863b914379)
---
 src/kdc/do_tgs_req.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 241f34e2a..463a9c0dd 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
     }
     authtime = subject_tkt->times.authtime;
 
-    /* Extract auth indicators from the subject ticket, except for S4U2Self
-     * requests (where the client didn't authenticate). */
+    /* Extract and check auth indicators from the subject ticket, except for
+     * S4U2Self requests (where the client didn't authenticate). */
     if (s4u_x509_user == NULL) {
         errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
                                       &local_tgt_key, &auth_indicators);
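Review bot: The rewritten comment above the `if (s4u_x509_user == NULL)` test says the client "didn't authenticate", which reads as though the TGS request itself were unauthenticated; in S4U2Self the requesting service did authenticate with its own credentials, and it is the impersonated user who never performed an initial exchange, which is the actual reason indicators from the subject ticket are meaningless here. I would spell that out: `/* Extract and check auth indicators from the subject ticket, except for S4U2Self requests: the impersonated user never did an initial authentication, so indicators in the impersonator's ticket say nothing about the user. */`. Whether subject_tkt is the impersonator's ticket on this path is decided before the hunk and should be confirmed against that code. process_tgs_req begins and ends outside the hunk.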
@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
             status = "GET_AUTH_INDICATORS";
             goto cleanup;
         }
-    }
 
-    errcode = check_indicators(kdc_context, server, auth_indicators);
-    if (errcode) {
-        status = "HIGHER_AUTHENTICATION_REQUIRED";
-        goto cleanup;
+        errcode = check_indicators(kdc_context, server, auth_indicators);
+        if (errcode) {
+            status = "HIGHER_AUTHENTICATION_REQUIRED";
+            goto cleanup;
+        }
     }
 
     if (is_referral)
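Review bot: Moving the `check_indicators(kdc_context, server, auth_indicators)` call inside the `s4u_x509_user == NULL` branch means whatever indicator requirement check_indicators() enforces for `server` (presumably the principal's require_auth attribute) is never evaluated on the S4U2Self path, so a service holding that requirement now receives a ticket for the impersonated user with no indicators rather than a HIGHER_AUTHENTICATION_REQUIRED rejection, and any indicator-based policy can only be applied wherever that ticket is consumed next. That is a deliberate policy decision and the code should say so instead of leaving it implicit; I would add above the branch `/* For S4U2Self the impersonated user never authenticated, so the server's indicator requirement cannot be satisfied and is intentionally not enforced here; the issued ticket carries no auth indicators. */`. Because `auth_indicators` is now left untouched for S4U2Self and is presumably consumed later in the function, confirm it is initialized to NULL at its declaration, which together with the rest of process_tgs_req lies outside the hunk.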