Cache S4U2Proxy requests by second ticket

krb5_get_credentials() does not know the client principal for an S4U2Proxy request until the end, because it is in the encrypted part of the evidence ticket. However, we can check the cache by second ticket, since all S4U2Proxy requests in a cache will generally be made with the same evidence ticket.

In the ccache types, allow mcreds->client and mcreds->server to be NULL (as Heimdal does) to ignore them for the purpose of matching. In krb5int_construct_matching_creds(), set mcreds->client to NULL for S4U2Proxy requests. Add a cache check to k5_get_proxy_cred_from_kdc(), and remove the cache check from krb5_get_credentials_for_proxy() and the krb5 mech's get_credentials().

In get_proxy_cred_from_kdc(), fix a bug where cross-realm S4U2Proxy would cache the evidence ticket used in the final request, rather than the original evidence ticket.

[ghudson@mit.edu: debugged cache check and cross-realm caching; switched from new flag to null matching cred principals; wrote commit message]

https://github.com/krb5/krb5/commit/148b317e1eb5df28dad96679cb4b8a07c62d4786

Author: Isaac Boukris
Committer: Greg Hudson
Commit: 148b317e1eb5df28dad96679cb4b8a07c62d4786
Branch: master

 src/lib/gssapi/krb5/init_sec_context.c | 61 ++++++++++++++------------------
 src/lib/krb5/ccache/cc_retr.c          | 13 +++----
 src/lib/krb5/ccache/ccapi/stdcc_util.c | 30 ++++++++--------
 src/lib/krb5/ccache/ccfns.c            |  3 +-
 src/lib/krb5/krb/get_creds.c           |  5 +++
 src/lib/krb5/krb/s4u_creds.c           | 58 +++++++++++++++--------------
 src/tests/s4u2proxy.c                  |  3 ++
 7 files changed, 88 insertions(+), 85 deletions(-)