gss: Fix dst TGT deleg w/o dns_lookup_realm

Setting `dns_lookup_realm = false` in `[libdefaults]` together with name
canon rules that force the empty realm breaks destination-TGT delegation,
because the client doesn't know the service's realm.

Because MIT and Heimdal check that the (unauthenticated plaintext)
sname/realm of the Ticket in the KDC reply matches the sname/srealm in
the enc-part of the KDC reply, we know we can trust the realm of the
ticket found in the ccache.  So use that.
Nicolas Williams
2021-12-06 16:31:18 -06:00
parent bba573f286
commit 5ace5f5a6a


@@ -314,7 +314,6 @@ do_delegation (krb5_context context,
krb5_auth_context ac,
krb5_ccache ccache,
krb5_creds *cred,
krb5_const_principal server,
krb5_data *fwd_data,
uint32_t flagmask,
uint32_t *flags)
@@ -330,12 +329,12 @@ do_delegation (krb5_context context,
goto out;
/* We can't generally enforce server.name_type == KRB5_NT_SRV_HST */
if (server->name.name_string.len < 2)
if (cred->server->name.name_string.len < 2)
goto out;
host = krb5_principal_get_comp_string(context, server, 1);
host = krb5_principal_get_comp_string(context, cred->server, 1);
#define FWDABLE 1
kret = krb5_fwd_tgt_creds(context, ac, host, client, server, ccache,
kret = krb5_fwd_tgt_creds(context, ac, host, client, cred->server, ccache,
FWDABLE, fwd_data);
out:
@@ -531,7 +530,7 @@ init_auth_restart
if (flagmask & GSS_C_DELEG_FLAG) {
do_delegation (context,
ctx->deleg_auth_context,
ctx->ccache, ctx->kcred, ctx->target,
ctx->ccache, ctx->kcred,
&fwd_data, flagmask, &flags);
}
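Review bot: The comment `/* We can't generally enforce server.name_type == KRB5_NT_SRV_HST */` in the do_delegation hunk still names the `server` parameter this commit removes, and the reason the realm of `cred->server` may be trusted exists only in the commit message, so a later reader could mistake the ticket-derived principal for attacker-influenced data and revert to ctx->target. Suggest rewording it to record the argument, e.g. `/* Use cred->server, not the requested target: the target may carry an empty realm (dns_lookup_realm = false), while the ticket's sname/realm was checked against the reply's enc-part sname/srealm and can be trusted. Can't enforce name_type == KRB5_NT_SRV_HST. */`. The switch also changes where `host` comes from — component 1 of the KDC-returned sname rather than of the caller's target — so if the KDC canonicalized the name the hostname handed to krb5_fwd_tgt_creds may differ from what the caller asked for; if that is intended it is worth a sentence in the same comment. Whether `cred` or `cred->server` can be NULL on this path for a ctx->kcred obtained by other callers is not visible here, since do_delegation begins before the hunk; if it can, the `cred->server->name.name_string.len` test needs a guard.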