authorGreg Hudson <ghudson@mit.edu>2011-04-07 15:20:37 +0000
committerGreg Hudson <ghudson@mit.edu>2011-04-07 15:20:37 +0000
commitb7208a8261ed15d9e3136c75ce7c252d9717effb (patch)
treee706d06dbd5718085f054520e53806ae9385becc
parent8b720c6a96ea21572adb9b73d23e7e8e99489bb9 (diff)
In the authdata framework, determine which authdata sources to query
based on the module's usage flags. From r24794 in users/lhoward/moonshot-mechglue-fixes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24853 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/krb/authdata.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 3664b66d08..351762eb1d 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -571,7 +571,8 @@ krb5int_authdata_verify(krb5_context kcontext,
if (module->ftable->import_authdata == NULL)
continue;
- if (kdc_issued_authdata != NULL) {
+ if (kdc_issued_authdata != NULL &&
+ (module->flags & AD_USAGE_KDC_ISSUED)) {
code = krb5int_find_authdata(kcontext,
kdc_issued_authdata,
NULL,
@@ -584,9 +585,23 @@ krb5int_authdata_verify(krb5_context kcontext,
}
if (authdata == NULL) {
+ krb5_boolean ticket_usage = FALSE;
+ krb5_boolean authen_usage = FALSE;
+
+ /*
+ * Determine which authdata sources to interrogate based on the
+ * module's usage. This is important if the authdata is signed
+ * by the KDC with the TGT key (as the user can forge that in
+ * the AP-REQ).
+ */
+ if (module->flags & (AD_USAGE_AS_REQ | AD_USAGE_TGS_REQ))
+ ticket_usage = TRUE;
+ if (module->flags & AD_USAGE_AP_REQ)
+ authen_usage = TRUE;
+
code = krb5int_find_authdata(kcontext,
- ticket_authdata,
- authen_authdata,
+ ticket_usage ? ticket_authdata : NULL,
+ authen_usage ? authen_authdata : NULL,
module->ad_type,
&authdata);
if (code != 0)
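Review bot: The new usage gate on kdc_issued_authdata in the first hunk carries no comment, while the second hunk's comment spells out the forgery concern (client-controlled AP-REQ authdata must not be treated as KDC-issued) that motivates the same kind of check; a one-liner above the new condition would keep that rationale next to both checks, e.g. `/* Only consult KDC-issued authdata for modules flagged AD_USAGE_KDC_ISSUED. */`. In the second hunk, a module whose flags include none of AD_USAGE_AS_REQ, AD_USAGE_TGS_REQ or AD_USAGE_AP_REQ now reaches krb5int_find_authdata with both sources NULL; that helper is outside the hunk, so presumably it just leaves authdata NULL, but a short comment on the `ticket_usage`/`authen_usage` assignments noting that this path intentionally yields no authdata would make the intent explicit. The enclosing loop body in krb5int_authdata_verify starts and ends outside both hunks.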