From 8350f34a05ba2cbc1ead0214eb85352f8e7805ef Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 15 May 2019 10:44:55 +1000
Subject: [PATCH] krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.
---
 lib/krb5/init_creds.c | 2 ++
 lib/krb5/krb5_locl.h | 1 +
 lib/krb5/pkinit.c | 2 ++
 3 files changed, 5 insertions(+)

diff --git a/lib/krb5/init_creds.c b/lib/krb5/init_creds.c
index 58734c43f..b34e3eb32 100644
--- a/lib/krb5/init_creds.c
+++ b/lib/krb5/init_creds.c
@@ -366,9 +366,11 @@ krb5_get_init_creds_opt_set_win2k(krb5_context context,
 if (req) {
 opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
 opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
+ opt->opt_private->flags |= KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK;
 } else {
 opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK;
 opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
+ opt->opt_private->flags &= ~KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK;
 }
 return 0;
 }
diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
index 9e4d7164c..916ef6ed2 100644
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -214,6 +214,7 @@ struct _krb5_get_init_creds_opt_private {
 #define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2
 #define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4
 #define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
+#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
 struct {
 krb5_gic_process_last_req func;
 void *ctx;
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index f9b6c5266..423397a91 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
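Review bot: The `if (req)` block of krb5_get_init_creds_opt_set_win2k now also relaxes KDC-certificate validation (the krbtgt otherName check, per the commit message) on top of the canonicalization and EKU checks it already relaxed, and nothing in the function says so; a caller that enables this option purely for AD interoperability will not expect the KDC's certificate to be accepted without that binding. Add a comment above the block, e.g. `/* Win2K compatibility: besides the canonicalization and EKU checks, stop requiring the krbtgt otherName in the KDC certificate; this weakens KDC certificate validation, so set it only against such KDCs. */`, and carry the same warning into the function's public documentation, which sits outside this hunk. Because the new flag is reachable only through this option, a caller who needs just the otherName relaxation must also drop the other two checks; if that coupling is deliberate, the same comment should say so.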
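Review bot: The new `KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64` relaxes a certificate check yet carries no comment, and the jump from 32 to 64 leaves 8 and 16 unassigned in the visible run of defines, which a later maintainer may take as free bits. A trailing comment on the define, e.g. `/* win2k compat: do not require krbtgt otherName in the KDC cert; set only via krb5_get_init_creds_opt_set_win2k */`, records both the meaning and the intended access path. Whether 8 and 16 are reserved elsewhere cannot be seen from this hunk; a note saying so would avoid accidental reuse.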
@@ -784,6 +784,8 @@ _krb5_pk_mk_padata(krb5_context context,
 req_body->realm,
 "pkinit_require_krbtgt_otherName",
 NULL);
+ if (ic_flags & KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK)
+ ctx->require_krbtgt_otherName = FALSE;
 ctx->require_hostname_match =
 krb5_config_get_bool_default(context, NULL,
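Review bot: The added override assigns `ctx->require_krbtgt_otherName = FALSE` immediately after the value was read from the realm's `pkinit_require_krbtgt_otherName` configuration, so a caller with the win2k option set silently overrides an administrator who explicitly enabled the check, the config lookup above becomes dead for that caller, and the hunk emits no trace of the downgrade. With the same option also disabling the EKU check (see the init_creds.c hunk), what remains of KDC certificate validation for such callers appears to be chain validation plus the optional hostname match read next — this is inferred from the visible settings, not from the validation code, which is outside the hunk. If the library can distinguish an explicit realm setting from the default, prefer honoring an explicit TRUE; otherwise at least emit a debug/trace message at the override and document the precedence next to `pkinit_require_krbtgt_otherName` in the krb5.conf documentation. The rest of _krb5_pk_mk_padata, including where `require_krbtgt_otherName` is consulted, begins and ends outside this hunk.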