authorLuke Howard <lukeh@padl.com>2009-10-23 19:39:27 +0000
committerLuke Howard <lukeh@padl.com>2009-10-23 19:39:27 +0000
commit5f9efb88a61f336c83659368c22810fa829fa650 (patch)
treebf679baec43a3cea20944c792b906aaa9926c7c3
parent4b799cf64e0be108a475a35fe1952ba041185343 (diff)
Determine which authdata sources to interrogate based on the
module's usage. This is important if the authdata is signed by the KDC with the TGT key (as the user can forge that in the AP-REQ). git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/saml@22993 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/krb/authdata.c25
1 files changed, 20 insertions, 5 deletions
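--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -634,7 +634,8 @@ krb5int_authdata_verify(krb5_context kcontext,
 if (module->ftable->import_authdata == NULL)
 continue;
-if (kdc_issued_authdata != NULL) {
+if (kdc_issued_authdata != NULL &&
+(module->flags & AD_USAGE_KDC_ISSUED)) {
 code = krb5int_find_authdata(kcontext,
 kdc_issued_authdata,
 NULL,
@@ -647,11 +648,25 @@ krb5int_authdata_verify(krb5_context kcontext,
 }
 if (authdata == NULL) {
+krb5_boolean ticket_usage = FALSE;
+krb5_boolean authen_usage = FALSE;
+
+/*
+* Determine which authdata sources to interrogate based on the
+* module's usage. This is important if the authdata is signed
+* by the KDC with the TGT key (as the user can forget that in
+* the AP-REQ).
+*/
+if (module->flags & (AD_USAGE_AS_REQ | AD_USAGE_TGS_REQ))
+ticket_usage = TRUE;
+if (module->flags & AD_USAGE_AP_REQ)
+authen_usage = TRUE;
+
 code = krb5int_find_authdata(kcontext,
-ticket_authdata,
-authen_authdata,
-module->ad_type,
-&authdata);
+ticket_usage ? ticket_authdata : NULL,
+authen_usage ? authen_authdata : NULL,
+module->ad_type,
+&authdata);
 if (code != 0)
 break;
 }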
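Review bot: The comment added at the top of the second hunk says "forget" where the commit message says "forge", which garbles the security rationale for consulting only the sources a module is registered for (authenticator authdata is client-supplied and cannot carry a KDC signature the client could not produce); the line should read `* by the KDC with the TGT key (as the user can forge that in`. When a module has neither AD_USAGE_AS_REQ/AD_USAGE_TGS_REQ nor AD_USAGE_AP_REQ set, both sources handed to krb5int_find_authdata are NULL, and the apparent intent is that authdata stays NULL with code 0; a one-line comment after the two flag checks, e.g. `/* A module with no request usage is given no authdata here. */`, would make that explicit, assuming krb5int_find_authdata accepts NULL for both sources (not visible in this hunk). krb5int_authdata_verify's body begins before the first hunk and continues after this one.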