Implement [kdc] derived_keys_maxdots

kdc/default_config.c

@@ -70,6 +70,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->logf = NULL;
     c->enable_derived_keys = FALSE;
     c->derived_keys_ndots = 2;
+    c->derived_keys_maxdots = -1;
 
     c->num_kdc_processes =
         krb5_config_get_int_default(context, NULL, c->num_kdc_processes,
@@ -267,6 +268,10 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 	krb5_config_get_int_default(context, NULL, c->derived_keys_ndots,
 				    "kdc", "derived_keys_ndots", NULL);
 
+    c->derived_keys_maxdots =
+	krb5_config_get_int_default(context, NULL, c->derived_keys_maxdots,
+				    "kdc", "derived_keys_maxdots", NULL);
+
     *config = c;
 
     return 0;

kdc/kdc.h

@@ -98,6 +98,7 @@ typedef struct krb5_kdc_configuration {
 
     krb5_boolean enable_derived_keys;
     int derived_keys_ndots;
+    int derived_keys_maxdots;
 
 } krb5_kdc_configuration;
 

kdc/misc.c

@@ -142,8 +142,9 @@ _fetch_it(krb5_context context, krb5_kdc_configuration *config, HDB *db,
     char *tmp;
     const char *realm = NULL;
     int is_derived_key = 0;
-    size_t ndots = 0;
     size_t hdots;
+    size_t ndots = 0;
+    size_t maxdots = -1;
 
     flags |= HDB_F_DECRYPT;
 
@@ -167,6 +168,7 @@ _fetch_it(krb5_context context, krb5_kdc_configuration *config, HDB *db,
 	    }
 
 	    ndots = config->derived_keys_ndots;
+	    maxdots = config->derived_keys_maxdots;
 
 	    for (hdots = 0, tmp = host; tmp && *tmp; tmp++)
 		if (*tmp == '.')
@@ -192,6 +194,13 @@ _fetch_it(krb5_context context, krb5_kdc_configuration *config, HDB *db,
 	if (!tmp || !*tmp || hdots < ndots)
 	    break;
 
+	while (maxdots > 0 && hdots > maxdots) {
+		tmp = strchr(tmp, '.');
+		/* tmp != NULL because maxdots > 0 */
+		tmp++;
+		hdots--;
+	}
+
 	is_derived_key = 1;
 	krb5_free_principal(context, tmpprinc);
 	krb5_build_principal(context, &tmpprinc, strlen(realm), realm,