Issue an error from KDC on S4U2Self failures

Commit 3b163ee mistakenly separated the call to kdc_process_s4u2self_req() from its error check, causing the KDC to ignore S4U2Self padata with bad checksums. Restore the error check so that the KDC replies with an error as intended. [ghudson@mit.edu: removed old error check later on in the code; rewrote commit message] ticket: 9038 (new)
krb5 · Dec 5, 2021 · 9544229 · 9544229
1 parent f1b36bb
commit 9544229
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
@@ -276,6 +276,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         au_state->status = status;
         kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
         au_state->s4u2self_user = NULL;
+        if (errcode)
+            goto cleanup;
     }
 
     /* For user-to-user and S4U2Proxy requests, decrypt the second ticket. */
@@ -295,9 +297,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
     }
 
-    if (errcode)
-        goto cleanup;
-
     if (s4u_x509_user != NULL && client == NULL) {
         /*
          * For an S4U2Self referral request (the requesting service is