oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: don't require krbtgt otherName match for Win2K

Browse Source 
Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do
not require krbtgt otherName to match when validating KDC certificate.
This commit is contained in:
Luke Howard
2019-05-15 10:44:55 +10:00
committed by Jeffrey Altman
parent c634146b14
commit 8350f34a05
3 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/krb5/init_creds.c
View File

@@ -366,9 +366,11 @@ krb5_get_init_creds_opt_set_win2k(krb5_context context,
if (req) {
opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
opt->opt_private->flags |= KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK;
} else {
opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK;
opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
opt->opt_private->flags &= ~KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK;
}
return 0;
}