From aa5c525e71bb0b799ce49b9b024f0d45c57f1ab0 Mon Sep 17 00:00:00 2001 From: "Roland C. Dowdeswell" Date: Thu, 17 Oct 2019 16:30:24 +0100 Subject: [PATCH] Implement [kdc] derived_keys_maxdots --- kdc/default_config.c | 5 +++++ kdc/kdc.h | 1 + kdc/misc.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/kdc/default_config.c b/kdc/default_config.c index 3b621cec6..ea42935dc 100644 --- a/kdc/default_config.c +++ b/kdc/default_config.c @@ -70,6 +70,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->logf = NULL; c->enable_derived_keys = FALSE; c->derived_keys_ndots = 2; + c->derived_keys_maxdots = -1; c->num_kdc_processes = krb5_config_get_int_default(context, NULL, c->num_kdc_processes, @@ -267,6 +268,10 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) krb5_config_get_int_default(context, NULL, c->derived_keys_ndots, "kdc", "derived_keys_ndots", NULL); + c->derived_keys_maxdots = + krb5_config_get_int_default(context, NULL, c->derived_keys_maxdots, + "kdc", "derived_keys_maxdots", NULL); + *config = c; return 0; diff --git a/kdc/kdc.h b/kdc/kdc.h index 4c12d006d..0910d1e14 100644 --- a/kdc/kdc.h +++ b/kdc/kdc.h @@ -98,6 +98,7 @@ typedef struct krb5_kdc_configuration { krb5_boolean enable_derived_keys; int derived_keys_ndots; + int derived_keys_maxdots; } krb5_kdc_configuration; diff --git a/kdc/misc.c b/kdc/misc.c index 5dc55a7fa..5bb517844 100644 --- a/kdc/misc.c +++ b/kdc/misc.c @@ -142,8 +142,9 @@ _fetch_it(krb5_context context, krb5_kdc_configuration *config, HDB *db, char *tmp; const char *realm = NULL; int is_derived_key = 0; - size_t ndots = 0; size_t hdots; + size_t ndots = 0; + size_t maxdots = -1; flags |= HDB_F_DECRYPT; @@ -167,6 +168,7 @@ _fetch_it(krb5_context context, krb5_kdc_configuration *config, HDB *db, } ndots = config->derived_keys_ndots; + maxdots = config->derived_keys_maxdots; for (hdots = 0, tmp = host; tmp && *tmp; tmp++) if (*tmp == '.') 
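Review bot: The new `[kdc] derived_keys_maxdots` option is read in the second kdc/default_config.c hunk with no documentation of its meaning anywhere in the commit: the kdc.h field is bare, and the diffstat shows no manual-page change, so an operator cannot tell that the -1 default set in the first hunk means "no limit" while 0 also disables the trimming in kdc/misc.c. I would add a comment on the new field in kdc.h, `int derived_keys_maxdots; /* keep at most this many dots in the host part used for derived keys; <= 0 means no limit */`, and a matching entry for the option in the krb5.conf manual page next to derived_keys_ndots. The value is also accepted without any range check here; see the note on the kdc/misc.c hunks for the interaction with derived_keys_ndots.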
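Review bot: In kdc/misc.c `size_t maxdots = -1;` (hunk @@ -142) and `maxdots = config->derived_keys_maxdots;` (hunk @@ -167) both convert a signed value into size_t, so the -1 "unlimited" default from kdc.h/default_config.c becomes SIZE_MAX, and the loop in the next hunk only treats it as disabled because `hdots > SIZE_MAX` can never be true while `maxdots > 0` is true. That works by accident, trips -Wsign-conversion, and makes every negative config value silently mean "unlimited" through an unsigned wrap rather than an explicit rule. Since the loop already tests `maxdots > 0`, I would make the off state explicit: `size_t maxdots = 0;` at the declaration and `if (config->derived_keys_maxdots > 0) maxdots = (size_t)config->derived_keys_maxdots;` at the assignment. The enclosing `_fetch_it` starts before and ends after these hunks, so I cannot see whether the assignment is reached on every path.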
@@ -192,6 +194,13 @@ _fetch_it(krb5_context context, krb5_kdc_configuration *config, HDB *db, if (!tmp || !*tmp || hdots < ndots) break; + while (maxdots > 0 && hdots > maxdots) { + tmp = strchr(tmp, '.'); + /* tmp != NULL because maxdots > 0 */ + tmp++; + hdots--; + } + is_derived_key = 1; krb5_free_principal(context, tmpprinc); krb5_build_principal(context, &tmpprinc, strlen(realm), realm,
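Review bot: The new trimming loop runs after the `hdots < ndots` check but is not itself bounded by ndots, so a configured derived_keys_maxdots smaller than derived_keys_ndots strips labels until hdots < ndots and the derived key is then built from a host suffix the ndots floor was, as far as the hunk shows, meant to exclude. Neither this hunk nor the kdc/default_config.c hunks reject or clamp that combination; the cheapest fix is to keep the floor in the loop condition, `while (maxdots > 0 && hdots > maxdots && hdots > ndots) {`, with rejection of maxdots < ndots at config load as the stricter alternative. The justification comment is also misplaced: `maxdots > 0` alone does not make `strchr` non-NULL, it is `hdots > maxdots >= 1` that does, assuming (as the lines between the hunks presumably arrange) that hdots counts the dots from tmp to the end of the string — I would write `/* hdots > maxdots >= 1, so at least one '.' remains after tmp */`. `_fetch_it` continues past the end of this hunk.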