oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gss: expose canonical name from PAC if present

Browse Source 
Expose canonical name via the canonical-name naming attribute.
This commit is contained in:
Luke Howard
2022-01-02 18:57:36 +11:00
parent 2a826d769f
commit 5cce73a6ef
1 changed files with 21 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
lib/gssapi/krb5/name_attrs.c
View File

@@ -297,9 +297,27 @@ _gsskrb5_get_name_attribute(OM_uint32 *minor_status,
kdcrep->sname, kdcrep->sname,
kdcrep->srealm); kdcrep->srealm);
} else if (ticket) { } else if (ticket) {
kret = _krb5_principalname2krb5_principal(context, &p, krb5_data data;
ticket->cname, krb5_pac pac = NULL;
ticket->crealm);
krb5_data_zero(&data);
/* Use canonical name from PAC if available */
kret = _krb5_get_ad(context, ticket->authorization_data,
NULL, KRB5_AUTHDATA_WIN2K_PAC, &data);
if (kret == 0)
kret = krb5_pac_parse(context, data.data, data.length, &pac);
if (kret == 0)
kret = _krb5_pac_get_canon_principal(context, pac, &p);
if (kret == 0 && authenticated)
*authenticated = nameattrs->pac_verified;
else if (kret == ENOENT)
kret = _krb5_principalname2krb5_principal(context, &p,
ticket->cname,
ticket->crealm);
krb5_data_free(&data);
krb5_pac_free(context, pac);
} else } else
return GSS_S_UNAVAILABLE; return GSS_S_UNAVAILABLE;
if (kret == 0 && value) { if (kret == 0 && value) {