From 7995bbcb24923cb42eae152892646ab6042dd7ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sun, 24 Jul 2011 20:55:36 +0200
Subject: [PATCH] kdc: only pass HDB_F_CANON if the client specified b->kdc_options.canonicalize
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

metze
Signed-off-by: Love Hörnquist Åstrand
---
 kdc/krb5tgs.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index b0d545508..85b0be0e2 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1508,6 +1508,7 @@ tgs_build_reply(krb5_context context,
 Key *tkey_check;
 Key *tkey_sign;
+ int flags = 0;
 memset(&sessionkey, 0, sizeof(sessionkey));
 memset(&adtkt, 0, sizeof(adtkt));
@@ -1517,6 +1518,9 @@ tgs_build_reply(krb5_context context,
 s = b->sname;
 r = b->realm;
+ if (b->kdc_options.canonicalize)
+ flags |= HDB_F_CANON;
+
 if(b->kdc_options.enc_tkt_in_skey){
 Ticket *t;
 hdb_entry_ex *uu;
@@ -1591,7 +1595,7 @@ tgs_build_reply(krb5_context context,
 */
 server_lookup:
- ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
 NULL, NULL, &server);
 if(ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -1777,7 +1781,7 @@ server_lookup:
 goto out;
 }
- ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
 NULL, &clientdb, &client);
 if(ret == HDB_ERR_NOT_FOUND_HERE) {
 /* This is OK, we are just trying to find out if they have
@@ -1912,7 +1916,7 @@ server_lookup:
 if(rspac.data) {
 krb5_pac p = NULL;
 krb5_data_free(&rspac);
- ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
 NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
 if (ret) {
 const char *msg;
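Review bot: `int flags = 0;` in the first hunk holds only HDB_F_* bit masks that are OR-ed together and handed to `_kdc_db_fetch`, so a signed `int` is a poor fit; `unsigned flags = 0;` would avoid an implicit signed-to-unsigned conversion if the callee's parameter is unsigned (its prototype is not part of this diff). The name is also very generic for a function of this length, and something like `canon_flags` would say what the variable carries at the three call sites further down. The declaration sits among the locals of tgs_build_reply, whose body starts and ends outside the hunk.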
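Review bot: The new `if (b->kdc_options.canonicalize)` block in the second hunk carries no comment explaining why canonicalization has become opt-in, although the value it sets is consumed hundreds of lines later by three separate database fetches. A one-line comment above it would record the intent, for example `/* Only ask the HDB to canonicalize when the client set the canonicalize KDC option. */`. It would also help to state there that the option comes from the request body, so a reader knows the lookups below are steered by requester-supplied data.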
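Review bot: The client fetch for `cp` in the fourth hunk and the S4U2Self fetch for `tp` in the fifth hunk now lose `HDB_F_CANON` whenever the requester leaves `canonicalize` unset, so a single requester-controlled bit decides whether those principals can be resolved other than by their exact name. The comment visible in the fourth hunk only covers `HDB_ERR_NOT_FOUND_HERE`, and the handling of a plain not-found result lies outside the hunk, so please confirm that no client-side check is skipped when the entry is missed for this reason; the fetch in the fifth hunk sits inside the `if(rspac.data)` PAC branch, which makes this worth checking there too. If the intent is only to stop canonicalizing the server name, the two client calls could keep `HDB_F_GET_CLIENT | HDB_F_CANON` and only the server call would use `HDB_F_GET_SERVER | flags`. Otherwise a comment at each client call saying that an alias miss is acceptable would document the decision.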