krb5: support for canonical name in PAC

If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal
name, use it in lieu of the ticket client name to determine the GSS-API
initiator name.
Luke Howard
2021-09-23 13:39:36 +10:00
parent b3bb3ac49d
commit 0ab3b7b2dd
11 changed files with 493 additions and 7 deletions


@@ -1042,6 +1042,17 @@ krb5_rd_req_ctx(krb5_context context,
o->ticket->client,
o->keyblock,
NULL);
if (ret == 0 && (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)) {
krb5_error_code ret2;
krb5_principal canon_name;
ret2 = _krb5_pac_get_canon_principal(context, pac, &canon_name);
if (ret2 == 0) {
krb5_free_principal(context, o->ticket->client);
o->ticket->client = canon_name;
} else if (ret2 != ENOENT)
ret = ret2;
}
krb5_pac_free(context, pac);
if (ret)
goto out;
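Review bot: The new block replaces `o->ticket->client` without a comment recording the trust condition it relies on: the PAC-derived canonical name is only accepted inside `ret == 0`, i.e. after the call whose tail ends the preceding context lines (its name is outside the hunk, as is the start of krb5_rd_req_ctx) has succeeded, and `ENOENT` is treated as "no canonical name in the PAC" rather than an error. I would add above the `if`: `/* Only after the PAC has been verified: prefer the canonical name from UPN_DNS_INFO over the ticket client name; ENOENT means the PAC carries none and the ticket name stands. */`. As a style point, the `if (ret2 == 0)` branch is braced while the `else if (ret2 != ENOENT)` branch is not; bracing both reads more consistently, `} else if (ret2 != ENOENT) { ret = ret2; }`.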