oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: always canonicalize GSS federated name

Browse Source 
When using WELLKNOWN/FEDERATED in GSS-API pre-authentication, always
replace with the cname in the AS-REP.
This commit is contained in:
Luke Howard
2021-08-15 13:50:21 +10:00
parent e840681451
commit 939cdbe4ad
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/krb5/init_creds_pw.c
View File

@@ -1489,15 +1489,17 @@ gss_pa_data_to_key(krb5_context context,
if (ret) if (ret)
goto out; goto out;
if (krb5_principal_is_federated(context, creds->client)) { if (krb5_principal_is_federated(context, ctx->cred.client)) {
/* replace the wellknown federated name with the initiator name */ /*
* The well-known federated name will be replaced with the cname
* in the AS-REP, but save the locally mapped initiator name in the
* cred for logging.
*/
krb5_free_principal(context, creds->client); krb5_free_principal(context, creds->client);
creds->client = cname; creds->client = cname;
cname = NULL; cname = NULL;
/* allow the KDC to canonicalize the name */ ctx->ic_flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
if (ctx->flags.canonicalize)
ctx->ic_flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
} }
out: out: