gss: expose canonical name from PAC if present

Expose canonical name via the canonical-name naming attribute.
This commit is contained in:
Luke Howard
2022-01-02 18:57:36 +11:00
parent 2a826d769f
commit 5cce73a6ef


@@ -297,9 +297,27 @@ _gsskrb5_get_name_attribute(OM_uint32 *minor_status,
kdcrep->sname,
kdcrep->srealm);
} else if (ticket) {
kret = _krb5_principalname2krb5_principal(context, &p,
ticket->cname,
ticket->crealm);
krb5_data data;
krb5_pac pac = NULL;
krb5_data_zero(&data);
/* Use canonical name from PAC if available */
kret = _krb5_get_ad(context, ticket->authorization_data,
NULL, KRB5_AUTHDATA_WIN2K_PAC, &data);
if (kret == 0)
kret = krb5_pac_parse(context, data.data, data.length, &pac);
if (kret == 0)
kret = _krb5_pac_get_canon_principal(context, pac, &p);
if (kret == 0 && authenticated)
*authenticated = nameattrs->pac_verified;
else if (kret == ENOENT)
kret = _krb5_principalname2krb5_principal(context, &p,
ticket->cname,
ticket->crealm);
krb5_data_free(&data);
krb5_pac_free(context, pac);
} else
return GSS_S_UNAVAILABLE;
if (kret == 0 && value) {
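Review bot: A PAC that is present but rejected by krb5_pac_parse(), or a canonical-name lookup that fails with anything other than ENOENT, makes the whole attribute lookup fail rather than falling back to ticket->cname, because only the `else if (kret == ENOENT)` branch takes the fallback path; if that is intended, it is worth saying so next to the existing comment, e.g. `/* Fall back to the ticket cname only when no PAC or canonical name exists; a malformed PAC is an error, not a fallback */`. When the fallback is taken, `authenticated` is not written anywhere in this hunk, so unless it is initialised earlier in _gsskrb5_get_name_attribute (whose body starts and ends outside the hunk) the caller would observe a stale value; a one-line `if (authenticated) *authenticated = 0;` in the ENOENT branch would make the intent explicit either way. On this rendered page the `+`/`-` markers are lost, so the first `_krb5_principalname2krb5_principal` call at the top of the branch reads as removed history; if it were actually retained, `p` would be allocated there and then overwritten by `_krb5_pac_get_canon_principal`, leaking the first principal.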