authorGreg Hudson <ghudson@mit.edu>2020-08-26 11:15:11 -0400
committerGreg Hudson <ghudson@mit.edu>2020-09-07 16:30:35 -0400
commitc770dfd7e2e5ca91fc1c450f60c2f546c0c2bd61 (patch)
tree5b02b34cd5983b29566d8d2b50dad649e5602213 /src/lib/krb5
parent91596ae028cf458b61c03c13dee8c0b7039b8d76 (diff)
Fix KRB5_GC_CACHED for S4U2Self requests
In krb5_get_credentials_for_user(), always exit after the first cache check if KRB5_GC_CACHED is specified. Not making network requests with this flag is more important than finding a post-realm-discovery cached entry. If KRB5_GC_CACHED is specified without a principal name, fail immediately, as we cannot check the cache by certificate. ticket: 8942 (new)
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/s4u_creds.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index fe15b24..73b59ff 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -665,11 +665,13 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
/* Uncanonicalised check */
code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
ccache, in_creds, out_creds);
- if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
- goto cleanup;
-
- if ((options & KRB5_GC_CACHED) && !(options & KRB5_GC_CANONICALIZE))
+ if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) ||
+ (options & KRB5_GC_CACHED))
goto cleanup;
+ } else if (options & KRB5_GC_CACHED) {
+ /* Fail immediately, since we can't check the cache by certificate. */
+ code = KRB5_CC_NOTFOUND;
+ goto cleanup;
}
code = s4u_identify_user(context, in_creds, subject_cert, &realm);
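Review bot: The new exit condition `if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) || (options & KRB5_GC_CACHED))` sends a cache-only caller to cleanup even on a cache miss, but nothing in the code says why the canonicalized retry further down is being skipped; the rationale lives only in the commit message. A short comment above that line would keep the next maintainer from "fixing" it back, e.g. `/* With KRB5_GC_CACHED, stop here even on a miss: the realm discovery by s4u_identify_user() below may contact the KDC, which a cache-only caller must not trigger. */` (the network-contact claim follows the commit message; confirm against s4u_identify_user). Note that the second hunk's simplified condition is only correct because of this early exit, so the two are coupled and the comment could mention that too. The enclosing `if` whose `else if` branch is added here begins outside the hunk.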
@@ -683,8 +685,7 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
mcreds.client = realm;
code = krb5_get_credentials(context, options | KRB5_GC_CACHED,
ccache, &mcreds, out_creds);
- if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
- || (options & KRB5_GC_CACHED))
+ if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
goto cleanup;
}