From 0ea840ebfc70c8d0a2bd832d17028d5c9ce82512 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 16 Nov 2021 20:01:16 +1300
Subject: [PATCH] kdc: Check authdata in ticket rather than in request body

This matches Windows behaviour and the RFC6113 specification.

Signed-off-by: Joseph Sutton
---
 kdc/krb5tgs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index a7a0addcf..56c62ea34 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1199,12 +1199,12 @@ next_kvno:
 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
 goto out;
 }
-
- ret = validate_fast_ad(r, *auth_data);
- if (ret)
- goto out;
 }
+ ret = validate_fast_ad(r, (*ticket)->ticket.authorization_data);
+ if (ret)
+ goto out;
+
 /*
 * Check for FAST request