oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: perform AS-REQ canonicalization in kdc

Browse Source 
Mirroring the logic recently introduced in the TGS, this patch modifies the KDC
to perform client and server canonicalization itself rather than relying on the
backend to do so. Per RFC 6806, the behavior is slightly different for the AS
in that the setting of the canonicalize flag in the AS-REQ does impact the
returned names in the ticket. In order to support realm canonicalization or
other custom behavior, we allow the backend to force the KDC to canonicalize by
setting the force-canonicalize flag in the returned client or server entries.
This commit is contained in:
Luke Howard
2019-01-05 14:59:15 +11:00
parent 6bb8eaca20
commit c6232299c3
2 changed files with 17 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
lib/hdb/common.c
View File

@@ -155,19 +155,6 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
krb5_data_free(&value);
return ret;
}
if ((flags & HDB_F_GET_ANY) && (flags & HDB_F_CANON) == 0) {
krb5_principal tmp;
/* "hard" alias: return the principal the client asked for */
ret = krb5_copy_principal(context, principal, &tmp);
if (ret) {
krb5_data_free(&value);
return ret;
}
krb5_free_principal(context, entry->entry.principal);
entry->entry.principal = tmp;
}
}
krb5_data_free(&value);
if ((flags & HDB_F_DECRYPT) && (flags & HDB_F_ALL_KVNOS)) {