Fix cross-realm handling of AD-SIGNEDPATH

Avoid setting AD-SIGNEDPATH when returning a cross-realm TGT.
Previously we were avoiding it when answering a cross-realm client,
which was wrong.

Don't fail out on an invalid AD-SIGNEDPATH checksum; just don't trust
the ticket for S4U2Proxy (as if AD-SIGNEDPATH weren't present).

ticket: 6655
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23697 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 7 insertions, 7 deletions

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 8b01ad3..5097558 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -897,10 +897,6 @@ verify_ad_signedpath_checksum(krb5_context context,
                                   valid);
 
     krb5_free_data(context, data);
-
-    if (code == 0 && *valid == FALSE)
-        code = KRB5KRB_AP_ERR_MODIFIED;
-
     return code;
 }
 
@@ -952,8 +948,10 @@ verify_ad_signedpath(krb5_context context,
     if (code != 0)
         goto cleanup;
 
-    *pdelegated = sp->delegated;
-    sp->delegated = NULL;
+    if (*path_is_signed) {
+        *pdelegated = sp->delegated;
+        sp->delegated = NULL;
+    }
 
 cleanup:
     krb5_free_ad_signedpath(context, sp);
@@ -1179,7 +1177,9 @@ handle_signedpath_authdata (krb5_context context,
         }
     }
 
-    if (!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM) &&
+    /* No point in including signedpath authdata for a cross-realm TGT, since
+     * it will be presented to a different KDC. */
+    if (!is_cross_tgs_principal(server->princ) &&
         !only_pac_p(context, enc_tkt_reply->authorization_data)) {
         code = make_ad_signedpath(context,
                                   for_user_princ,