From c634146b14be9746d70d6a448e9bb2dd6f518c44 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Mon, 6 May 2019 17:45:09 +1000
Subject: [PATCH] kdc: use actual client princ for KRB5SignedPath

When generating KRB5SignedPath in the AS, use the reply client name rather than
the one from the request, so validation will work correctly in the TGS.
---
 kdc/kerberos5.c | 32 +++++++++++++++++++++-----------
 kdc/krb5tgs.c   |  4 ++--
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 44840cad9..1b0d0f8df 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2242,17 +2242,27 @@ _kdc_as_rep(kdc_request_t r,
     _kdc_log_timestamp(context, config, "AS-REQ", r->et.authtime, r->et.starttime,
 		       r->et.endtime, r->et.renew_till);
 
-    /* do this as the last thing since this signs the EncTicketPart */
-    ret = _kdc_add_KRB5SignedPath(context,
-				  config,
-				  r->server,
-				  setype,
-				  r->client->entry.principal,
-				  NULL,
-				  NULL,
-				  &r->et);
-    if (ret)
-	goto out;
+    {
+	krb5_principal client_principal;
+
+	ret = _krb5_principalname2krb5_principal(context, &client_principal,
+						 rep.cname, rep.crealm);
+	if (ret)
+	    goto out;
+
+	/* do this as the last thing since this signs the EncTicketPart */
+	ret = _kdc_add_KRB5SignedPath(context,
+				      config,
+				      r->server,
+				      setype,
+				      client_principal,
+				      NULL,
+				      NULL,
+				      &r->et);
+	krb5_free_principal(context, client_principal);
+	if (ret)
+	    goto out;
+    }
 
     log_as_req(context, config, r->reply_key.keytype, setype, b);
 
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 98a4092b1..6000ac2c5 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -104,7 +104,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
 			krb5_kdc_configuration *config,
 			hdb_entry_ex *krbtgt,
 			krb5_enctype enctype,
-			krb5_principal client,
+			krb5_const_principal client,
 			krb5_const_principal server,
 			krb5_principals principals,
 			EncTicketPart *tkt)
@@ -124,7 +124,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
     {
 	KRB5SignedPathData spd;
 
-	spd.client = client;
+	spd.client = rk_UNCONST(client);
 	spd.authtime = tkt->authtime;
 	spd.delegated = principals;
 	spd.method_data = NULL;
-- 
2.11.4.GIT