oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: reject referrals in capath code paths

Browse Source 
In get_cred_kdc_capath_worker() if the credentials obtained by
get_cred_kdc_address() does not exactly match the requested service
principal discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN.

Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1
This commit is contained in:
Nicolas Williams
2015-03-12 21:15:53 -04:00
committed by Jeffrey Altman
parent e13c0946f6
commit 4f074487b4
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/krb5/get_cred.c
View File

@@ -792,6 +792,12 @@ get_cred_kdc_capath_worker(krb5_context context,
impersonate_principal, impersonate_principal,
second_ticket, second_ticket,
*out_creds); *out_creds);
if (ret == 0
&& !krb5_principal_compare(context, in_creds->server,
(*out_creds)->server)) {
krb5_free_cred_contents(context, *out_creds);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
if (ret == 0 && ok_as_delegate == 0) if (ret == 0 && ok_as_delegate == 0)
(*out_creds)->flags.b.ok_as_delegate = 0; (*out_creds)->flags.b.ok_as_delegate = 0;