From 4f074487b46e95c96530405950d51b950814c52c Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Thu, 12 Mar 2015 21:15:53 -0400 Subject: [PATCH] krb5: reject referrals in capath code paths In get_cred_kdc_capath_worker() if the credentials obtained by get_cred_kdc_address() does not exactly match the requested service principal discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN. Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1 --- lib/krb5/get_cred.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c index 2d28ed47e..05d5ced16 100644 --- a/lib/krb5/get_cred.c +++ b/lib/krb5/get_cred.c @@ -792,6 +792,12 @@ get_cred_kdc_capath_worker(krb5_context context, impersonate_principal, second_ticket, *out_creds); + if (ret == 0 + && !krb5_principal_compare(context, in_creds->server, + (*out_creds)->server)) { + krb5_free_cred_contents(context, *out_creds); + ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + } if (ret == 0 && ok_as_delegate == 0) (*out_creds)->flags.b.ok_as_delegate = 0;