From cafd935d88d9caf8a8f06a586c23aa206b587a6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 18 Sep 2006 17:30:19 +0000
Subject: [PATCH] Check the adtkt in the constrained delegation case too.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18101 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/krb5tgs.c | 42 ++++++++++++++++++++++++++++++------------
 1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index ec39382ae..89bc7cdf2 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1491,7 +1491,7 @@ server_lookup:
 }
 /*
- *
+ * Constrained delegation
 */
 if (client != NULL
@@ -1524,17 +1524,12 @@ server_lookup:
 if (adtkt.flags.forwardable == 0) {
 kdc_log(context, config, 0,
- "missing forwardable flag on ticket for "
+ "Missing forwardable flag on ticket for "
 "constrained delegation from %s to %s ", spn, cpn);
 ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
 goto out;
 }
- /*
- * Check that the KDC have issued this ticket
- */
- require_signedpath = 1;
-
 ret = check_constrained_delegation(context, config, client, sp);
 if (ret) {
 kdc_log(context, config, 0,
@@ -1559,9 +1554,36 @@ server_lookup:
 goto out;
 }
+ /*
+ * Check KRB5SignedPath in authorization data and add new entry to
+ * make sure servers can't fake a ticket to us.
+ */
+
+ ret = check_KRB5SignedPath(context,
+ config,
+ krbtgt,
+ &adtkt,
+ &spp,
+ 1);
+ if (ret) {
+ kdc_log(context, config, 0,
+ "KRB5SignedPath check from service %s failed "
+ "for delegation to %s for client %s "
+ "from %s failed with %s",
+ spn, str, cpn, from, krb5_get_err_text(context, ret));
+ free(str);
+ goto out;
+ }
+
 kdc_log(context, config, 0, "constrained delegation for %s " "from %s to %s", str, cpn, spn);
 free(str);
+
+ /*
+ * Also require that the KDC have issue the service's krbtgt
+ * used to do the request.
+ */
+ require_signedpath = 1;
 }
 /*
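Review bot: The kdc_log message in the new check_KRB5SignedPath error branch (hunk at -1559) says "failed" twice, once after `service %s` and again before `with %s`; dropping the first occurrence gives `"KRB5SignedPath check from service %s "` / `"for delegation to %s for client %s "` / `"from %s failed with %s",` with the same five arguments. A second point to confirm: this call passes `&spp`, and the hunk at -1591 calls check_KRB5SignedPath again for the krbtgt (its argument list is cut off here), so if the callee allocates into `*spp` the second call would overwrite, and possibly leak, what the adtkt check stored unless it tolerates a non-NULL `*spp`. The trailing literal `1` is the only hint of what the call demands of the additional ticket; assuming it means the signed path is required, as the removed "Check that the KDC have issued this ticket" comment suggests, a one-line comment such as `/* require a KDC-signed path on adtkt, so a service cannot forge the ticket it delegates */` would make that explicit. The enclosing `if (client != NULL` block is opened in the hunk at -1491 and the enclosing function starts before and continues after this hunk.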
@@ -1591,11 +1613,7 @@ server_lookup:
 goto out;
 }
- /*
- * Check KRB5SignedPath in authorization data and add new entry to
- * make sure servers can't fake a ticket to us.
- */
-
+ /* also check the krbtgt for signature */
 ret = check_KRB5SignedPath(context, config, krbtgt,