Allow the PAC to be passed along during cross-realm authentication.

From abartlet git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24021 ec53bebd-3082-4978-b11e-865c3cabbd6b
dankm · Nov 3, 2008 · ab630e4 · ab630e4
1 parent 6f6dee5
commit ab630e4
Showing 1 changed file with 19 additions and 25 deletions.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
@@ -1380,7 +1380,6 @@ tgs_build_reply(krb5_context context,
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
-    int cross_realm = 0;
 
     METHOD_DATA enc_pa_data;
 
@@ -1391,6 +1390,8 @@ tgs_build_reply(krb5_context context,
     char opt_str[128];
     int signedpath = 0;
 
+    Key *tkey;
+
     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
     krb5_data_zero(&rspac);
@@ -1558,8 +1559,6 @@ tgs_build_reply(krb5_context context,
 
 	kdc_log(context, config, 1, "Client not found in database: %s: %s",
 		cpn, krb5_get_err_text(context, ret));
-
-	cross_realm = 1;
     }
 
     /*
@@ -1602,10 +1601,6 @@ tgs_build_reply(krb5_context context,
 	    goto out;
     }
 
-    /*
-     * Validate authoriation data
-     */
-
     /*
      * Check that service is in the same realm as the krbtgt. If it's
      * not the same, it's someone that is using a uni-directional trust
@@ -1627,27 +1622,26 @@ tgs_build_reply(krb5_context context,
 	goto out;
     }
 
-    /* check PAC if not cross realm and if there is one */
-    if (!cross_realm) {
-	Key *tkey;
+    /*
+     * Validate authoriation data
+     */
 
-	ret = hdb_enctype2key(context, &krbtgt->entry,
-			      krbtgt_etype, &tkey);
-	if(ret) {
-	    kdc_log(context, config, 0,
+    ret = hdb_enctype2key(context, &krbtgt->entry,
+			  krbtgt_etype, &tkey);
+    if(ret) {
+	kdc_log(context, config, 0,
 		    "Failed to find key for krbtgt PAC check");
-	    goto out;
-	}
+	goto out;
+    }
 
-	ret = check_PAC(context, config, cp,
-			client, server, ekey, &tkey->key,
-			tgt, &rspac, &signedpath);
-	if (ret) {
-	    kdc_log(context, config, 0,
-		    "Verify PAC failed for %s (%s) from %s with %s",
-		    spn, cpn, from, krb5_get_err_text(context, ret));
-	    goto out;
-	}
+    ret = check_PAC(context, config, cp,
+		    client, server, ekey, &tkey->key,
+		    tgt, &rspac, &signedpath);
+    if (ret) {
+	kdc_log(context, config, 0,
+		"Verify PAC failed for %s (%s) from %s with %s",
+		spn, cpn, from, krb5_get_err_text(context, ret));
+	goto out;
     }
 
     /* also check the krbtgt for signature */