kdc: Call _kdc_fast_check_armor_pac() prior to calling _kdc_check_pac()
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 8 Mar 2023 02:37:30 +0000 (15:37 +1300)
committerJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 3 May 2023 04:13:17 +0000 (16:13 +1200)
The plugin code invoked by _kdc_check_pac() may need to access
explicit_armor_client and explicit_armor_pac, but those fields are not
set until after calling _kdc_fast_check_armor_pac(). Hence we must do
that first.

We also now call _kdc_fast_check_armor_pac() regardless of whether the
ticket was issued by the KDC or whether the server principal is the
krbtgt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
kdc/krb5tgs.c

index 76f1210258679457b8db1c738c7a0b63e004312c..9d8387345b7c10cbaab29b37c54669954de9f49b 100644 (file)
@@ -1901,6 +1901,13 @@ server_lookup:
     /* flags &= ~HDB_F_SYNTHETIC_OK; */ /* `flags' is not used again below */
     priv->clientdb = clientdb;
 
+    /* Validate armor TGT before potentially including device claims */
+    if (priv->armor_ticket) {
+       ret = _kdc_fast_check_armor_pac(priv);
+       if (ret)
+           goto out;
+    }
+
     ret = _kdc_check_pac(priv, priv->client_princ, NULL,
                         priv->client, priv->server,
                         priv->krbtgt, priv->krbtgt,
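Review bot: The comment carried over with the moved block, `/* Validate armor TGT before potentially including device claims */`, no longer states why the check has to sit here; the reason given in the commit message is that plugin code reached through _kdc_check_pac() reads explicit_armor_client and explicit_armor_pac, which only _kdc_fast_check_armor_pac() populates. I would reword it so the ordering dependency is visible at the call site: `/* Validate the armor TGT first: plugins invoked by _kdc_check_pac() may read explicit_armor_client/explicit_armor_pac, which are set by _kdc_fast_check_armor_pac(). */`. Worth also noting in the comment that, unlike the previous placement, this now runs for every armored request, including non-KDC-issued tickets and krbtgt service principals, so an armor PAC failure rejects the request before any PAC checks are attempted; whether _kdc_fast_check_armor_pac() tolerates an armor ticket without a PAC in those cases is not visible in this hunk and should be confirmed. The enclosing function continues outside the hunk.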
@@ -2013,13 +2020,6 @@ server_lookup:
     if (kdc_issued &&
        !krb5_principal_is_krbtgt(context, priv->server->principal)) {
 
-       /* Validate armor TGT before potentially including device claims */
-       if (priv->armor_ticket) {
-           ret = _kdc_fast_check_armor_pac(priv);
-           if (ret)
-               goto out;
-       }
-
        add_ticket_sig = TRUE;
     }